The Washington Post recently published what they claim is a draft of President Trump’s executive order on cybersecurity1
, which reports say he’s expected to sign this afternoon2 (at a press briefing on Tuesday, January 31, Press Secretary Sean Spicer suggested that the executive order would not be signed on Tuesday).
There’s little-to-nothing that’s particularly controversial about the order as drafted — which is somewhat surprising in itself. The draft order acknowledges a broad data security problem, requests an assessment of that problem, and solicits recommendations for taking action.
The objective of President Trump’s executive order on cybersecurity
The order aims to improve the defense of U.S. interests in cyberspace stating: “Criminals, terrorists, and state and non-state actors are engaging in continuous operations that impose significant costs on the U.S. economy and significantly harm vital national interests.”
In summary, the order calls for a review of data security vulnerabilities in U.S. infrastructure, a review of the U.S.’s cyber adversaries, a review of the U.S.’s cyber capabilities (including a workforce development review), and finally a report on how to incentivize the private sector to adopt effective data security measures.
The draft order requests reviews of vulnerabilities of both critical infrastructure and the “national security system,” which are defined as follows:
- Critical infrastructure – physical or virtual systems and assets that if incapacitated or destroyed would debilitate security, national economic security, national public health or safety, or any combination
- National security system – any telecommunications or information systems operated by the government or contractors on its behalf that involves:
- Intelligence activities
- Cryptologic activities related to national security
- Command and control of military forces
- Equipment that is an integral part of a weapon or weapons system
- Direct fulfillment of military or intelligence missions (but not systems used for routine administrative and organization applications)
In general, the draft order sounds like just plain good practice, and/or the start of a generic framework for most enterprise cyber security programs:
- Inventory IT assets
- Assess vulnerabilities in those assets
- Understand threat actors that might target those assets and the methods they might employ (i.e., model the threats)
So far, so good. It makes sense to assess the current situation before deciding where to apply investment and resources. The draft requests that vulnerability and adversary reviews begin immediately with initial recommendations and reports due to the president within 60 days of the date of the order.
Review of cyber vulnerabilities and adversaries
The initial report on vulnerabilities will include recommendations for the following:
- Securing U.S. national security systems
- Enhancing security of critical civilian infrastructure
- Ensuring that responsible agencies are appropriately organized, tasked, resourced, and legally authorized to fulfill their mission
The initial report on adversaries will include information about the identities, capabilities, and vulnerabilities of the U.S.’s cyber adversaries.
Review of cyber capabilities
Upon the completion of the vulnerability and adversary reviews, a review of U.S. cyber capabilities will commence. That review will identify an initial set capabilities that need improvement and result in recommendations for making sure responsible agencies have what they need to make those improvements. What that might entail could get interesting. For example, will there be recommendations for increased surveillance, offensive activities, or changes to the military’s approach to cybersecurity and attacks?
The review will also assess the state of the U.S. workforce and its ability to ensure a “cyber capability advantage” by gathering and reviewing information from the Department of Education about computer science, mathematics, and cybersecurity education from primary through higher education.
Cybersecurity incentives for the private sector
Finally, the draft of the executive order calls for a report on how to incentivize the private sector to adopt effective cybersecurity measures. That report is due to the president within 100 days of the date of the order and will identify ways to:
- Induce private owners and operators of the U.S.’s critical infrastructure to enhance protections
- Incentivize investment in enterprise risk management tools and services
- Encourage adoption of best practices that increase the sharing and response to cyber threat information
Whether those incentives might be tax breaks or penalties seems open to discussion at this point.
Will these reviews and reports differ from previous ones?
Like me, you might be wondering how this review will be any different from similar efforts of previous administrations. The order mentions “the increasing interdependencies between the networks and the operations of infrastructure and key economic institutions, and the continuously evolving nature of cyberattacks and attackers.” An assessment can go stale fast. Frequent reviews help account for new technology, new attack vectors, new attack methods, and new ways of defense.
Nothing’s particularly shocking in the draft of the order. What remains to be seen is how much information about the U.S.’s vulnerability might be made public, exactly whom the U.S. government considers cyber adversaries, and finally, what can or will be done to combat the threat.
To get industry news updates like this from NowSecure via e-mail, subscribe now using the NowSecure Subscription Center.