Editor’s note: This article will be updated as developments unfold.
President Donald Trump hadn’t yet signed it at the time of this writing, but details have emerged regarding his planned executive order on cybersecurity.
Speculation has increased in recent days as to what Trump will do, and he has certainly gotten plenty of advice from security practitioners. Now we have some more insight into his plans, in the form of this executive order draft, which was obtained by The Washington Post.
The executive order includes provisions to:
- Have the US military review what schools are teaching students about cybersecurity
- Consolidate responsibility for protecting the government by giving ultimate control to the White House Budget and Management office. (Note: every government agency is currently in charge of defending itself. This has proved problematic in recent years, because each agency now has different procedures for individual networks instead of a more uniform program.)
- Place blame for any network security incident squarely on the shoulders of the affected agency’s head.
“I will hold my cabinet secretaries and agency heads accountable, totally accountable for the cybersecurity of their organization,” Trump told reporters yesterday.
A review of all government networks
The draft order calls for a total review of the most critical vulnerabilities in US military, intelligence and civilian government computer networks. This would include examining networks of internet service providers, private-sector companies used by the government and data centers. The White House wants “initial recommendations” within 60 days of the order’s signing.
Meanwhile, the administration wants the Department of Education to start sharing information with the Department of Defense and the Department of Homeland Security on what children are learning about cybersecurity, math and computer science in general. The draft says the goal is “to understand the full scope of US efforts to educate and train the workforce of the future”.
Trump said yesterday that son-in-law and senior advisor Jared Kushner will lead the effort along with former New York Mayor Rudolph Giuliani and homeland security adviser Tom Bossert.
What security experts think
Naked Security reached out to security experts for their initial take on the draft order.
Mike Bailey, a senior Red Team engineer at one of the world’s largest banks, said the plan is very ambitious, particularly the part consolidating complete oversight into one group.
It seems like a great idea, but as most things go in the government sector, it will more than likely just cause strife and infighting between agencies. Long overdue is the need to work with the commercial and private world to secure our nation's IT infrastructures. As everyone in the industry is aware, the private sector is far outpacing government efforts, so I applaud the recognition of the need to reach out and work together.
As with most of the things this administration has done so far, Bailey said the plan is grandiose and disruptive, but that it appears some serious thought was put into it and that it will “hopefully have a bit of teeth”.
Lawrence M Walsh, CEO and chief analyst at New York-based business strategy firm the 2112 Group, said his concern is that this latest push for better cybersecurity will turn into another money grab where government agencies throw cash to companies that are eager to sell a product.
“Previous iterations of this approach resulted in a lot of money being spent and little improvement in government security posture,” Walsh said, adding that security without a defined goal, standards and plan will almost always come up short of expectations.
At the time of writing, there was no word on when President Trump would sign the order.
Dean Bushmiller
What we should do: three simple steps: 1. Convince the federal government to do oversight like they do on public safety for seatbelts, applying the same principles to Internet activity. 2. Balance the requirements for responsibility and security between the consumer, the vendor of products (also known as hosts), and the ISPs for allowing inappropriate traffic. 3. Use three key technologies exclusively and ban or limit the prior protocols over time: DNSSEC, IPv6, X.509 certificates.
TonyG
If the private sector is way ahead of the public sector, how does getting the US Military to review what schools are teaching help? Shouldn’t it be the other way round – reward the brightest kids to find the flaws in military security in order to strengthen it?
Also, holding the agencies to account will encourage hackers to hack agencies in order to force heads to roll?
Jim
Being fired isn’t the only consequence available. In fact, in many cases, the right steps were taken, but the breach occurred through “new” channels. They would have to take this on a case-by-case basis.
But, I think it’s VERY good that they’re not instantly blaming the technical officer in the group. Just like in business, if the CIO screws up, that’s on the CEO. If the CIO does his job, but the CFO or CEO balk at the cost, again, that’s on the CEO. The president is just making sure they understand that HE is not going to be looking at firing some career IT guy; he’s going right to the top.
A VERY good business plan, IMO. No passing the buck down.
Bryan
"how does getting the US Military to review what schools are teaching help?" Tony, I took that to mean the military would learn from the leading schools for better training within.
Alexander Cardosa
This is Trump; it's all about playing soldier and grandiose ideas. I can imagine a flow of talent leaving for the private sector soon enough.