Editor’s note: This article will be updated as developments unfold.
President Donald Trump hadn’t yet signed it at the time of this writing, but details have emerged regarding his planned executive order on cybersecurity.
Speculation has increased in recent days as to what Trump will do, and he has certainly gotten plenty of advice from security practitioners. Now we have some more insight into his plans, in the form of this executive order draft, which was obtained by The Washington Post.
The executive order includes provisions to:
- Have the US military review what schools are teaching students about cybersecurity
- Consolidate responsibility for protecting the government by giving ultimate control to the White House Budget and Management office. (Note: every government agency is currently in charge of defending itself. This has proved problematic in recent years, because each agency now has different procedures for individual networks instead of a more uniform program.)
- Place blame for any network security incident squarely on the shoulders of the affected agency’s head.
“I will hold my cabinet secretaries and agency heads accountable, totally accountable for the cybersecurity of their organization,” Trump told reporters yesterday.
A review of all government networks
The draft order calls for a total review of the most critical vulnerabilities in US military, intelligence and civilian government computer networks. This would include examining networks of internet service providers, private-sector companies used by the government and data centers. The White House wants “initial recommendations” within 60 days of the order’s signing.
Meanwhile, the administration wants the Department of Education to start sharing information with the Department of Defense and the Department of Homeland Security on what children are learning about cybersecurity, math and computer science in general. The draft says the goal is “to understand the full scope of US efforts to educate and train the workforce of the future”.
Trump said yesterday that son-in-law and senior advisor Jared Kushner will lead the effort along with former New York Mayor Rudolph Giuliani and homeland security adviser Tom Bossert.
What security experts think
Naked Security reached out to security experts for their initial take on the draft order.
Mike Bailey, a senior Red Team engineer at one of the world’s largest banks, said the plan is very ambitious, particularly the part consolidating complete oversight into one group.
It seems like a great idea, but as most things go in the government sector, it will more than likely just cause strife and infighting between agencies. Long overdue is the need to work with the commercial and private world to secure our nations IT infrastructures. As everyone in the industry is aware, the private sector is far outpacing government efforts, so I applaud the recognition of the need to reach out and work together.
As with most of the things this administration has done so far, Bailey said the plan is grandiose and disruptive, but that it appears some serious thought was put into it and that it will “hopefully have a bit of teeth”.
Lawrence M Walsh, CEO and chief analyst at New York-based business strategy firm the 2112 Group, said his concern is that this latest push for better cybersecurity will turn into another money grab where government agencies throw cash to companies that are eager to sell a product.
“Previous iterations of this approach resulted in a lot of money being spent and little improvement in government security posture,” Walsh said, adding that security without a defined goal, standards and plan will almost always come up short of expectations.
At the time of writing, there was no word on when President Trump would sign the order.