US president Donald Trump signed an executive order on cybersecurity Thursday (May 11), which calls for many federal agencies to review the state of their computer security within 90 days. The order was originally scheduled to be signed at the end of January, but that was called off, presumably to give the administration more time to work out its details.
Drafts of the order had already been leaked online and to the press, and although some language is changed in the version published today, it’s roughly what the security community had anticipated. Here’s what you need to know:
After massive data breaches at the Internal Revenue Service and the Office of Personnel Management, the leaders of those agencies were able, at least to some extent, to point the finger at IT staff. According to this executive order, that will no longer be acceptable.
“The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises,” the order says.
Steve Grobman, CTO at computer security firm McAfee, said this is a good move.
“Holding agency and department heads accountable is key,” Grobman said in a statement emailed to Quartz. “This is no different than the paradigm we see in corporate organizations where, although the CEO is not a cybersecurity expert, he or she is ultimately responsible for implementing a cybersecurity plan that mitigates risk to the business.”
The executive order requires that all federal agencies adopt the Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology (NIST). The framework was developed by experts with input from the private sector, as well as the public, and is described as “a common language for understanding, managing, and expressing cybersecurity risk both internally and externally.”
The framework is widely respected and used in the private sector. Rather than prescribing specific controls, it organizes security outcomes under five core functions (Identify, Protect, Detect, Respond, Recover) and leaves the choice of controls to each organization, which is what makes it flexible enough for any organization, public or private, to use.
It’s well known that much government technology has fallen woefully behind the times, and legacy systems that have outlived vendor support no longer receive security patches, which makes attackers’ jobs easier. The executive order asks for a report from several departments that will spell out what it will take to modernize the government’s IT infrastructure. That report is likely to produce a very hefty price tag for those improvements, and former director of national intelligence James Clapper said at a Senate committee hearing today that he doesn’t expect the money to materialize.
“The Trump administration understands preparing a new executive order and strengthening the cybersecurity of federal networks and critical infrastructure, emphasizes accountability, managing government IT architectures,” Clapper said. “What I expect is, though, that the accompanying authorities and resources will not match these bold goals.”
There are currently not enough computer security experts in the United States. It’s true in the private sector and it’s especially true in the government. The shortage in the workforce, according to Grobman, is “predicted to reach 1.8 million by 2022.” The executive order asks several government agencies and agency heads to “jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education.”
“Machines and automation will compensate for some of the deficit,” Grobman said, “but we will still need skilled analysts for the most sophisticated, high-level tasks.”