Trump signs cyber order

Federal IT and legacy systems are at the heart of a long-awaited executive order on cybersecurity signed May 11 by President Trump.


President Donald Trump finally signed his long-anticipated cybersecurity executive order on May 11. The measure is broadly similar to drafts that have been circulating for months.

The order directs federal agencies to adopt the National Institute of Standards and Technology cybersecurity framework, and includes recommendations from a number of other high-level reports.

The document focuses on the four pillars of the Trump administration's cyber strategy: increasing the cybersecurity of federal networks, securing critical infrastructure, deterring cyber threats and building international alliances.

"It is something we have asked the private sector to implement and not forced upon ourselves," said Tom Bossert, White House homeland security and counterterrorism advisor, at a White House briefing announcing the execution of the order. "From this point forward departments and agencies shall practice what we preach."

The order directs agency heads to assume responsibility for cybersecurity at their agencies and to provide the White House and Department of Homeland Security with risk mitigation assessments as part of a new federal enterprise risk management approach. Agencies will be required to identify both existing risk and known unmitigated risk.

"DHS and Secretary [John] Kelly will play a large and leading role in this effort," Bossert said of the effort to move to a federal enterprise view. He added that, "from this point forward, the president has issued a preference from today forward in federal procurement of federal IT for shared services."

Innovation and modernization will take place in parallel with risk management and cybersecurity. "We can't promote innovation without first thinking through risk reduction," he said.

"There's always going to be risk," Bossert said about moving to cloud. "I'm not here to promote for you that the president has signed an executive order and created a cyber secure world and a fortress U.S.A. That's not the answer, but if we don't move secure services and shared services, we're going to be behind the eight-ball for a very long time."

The modernization effort will be led by the newly created American Technology Council, based at the White House.

The second chapter of the order focuses on protecting critical infrastructure.

"The executive order not only requires [DHS] departments and agencies to help those critical infrastructure owners and operators…but to do it in a proactive sense," said Bossert.

Bossert argued that past administrations had commissioned reports and received recommendations, but had not acted. This executive order is "tilt towards action," he said.

"A lot of progress was made in the last administration but not nearly enough," said Bossert. "I think we're going to change that."

The order went through several drafts in recent months, and one provision caused concern when it initially leaked -- a call for the private sector to take steps to eliminate botnets.

Some in industry reacted with concern that the order was going to mandate action to eliminate botnets, but Bossert stated the language in the order calls for voluntary action.

The third section of the executive order focuses on creating a deterrence policy and developing international partnerships and norms.

"We need to establish the rules of the road for proper behavior on the internet, but we also then need to deter those who don't want to abide by those rules," Bossert said, adding that the deterrence policy needs to be formalized.

"I think the last administration should have done that, had an obligation to do that and didn't," he said.