More than three months after President Trump was expected to sign a cyber security executive order, he finally took pen to paper on this important topic. Unfortunately, it was not worth the wait: this executive order does not seem to do much, if anything, to actually protect our national infrastructure and interests from cyber attacks.
Instead, it instructs agency heads to use the existing Commerce Department framework to manage risk to their systems, and to create and submit reports detailing how they plan to do that. It also calls for a review of the country's general vulnerabilities; a review of one of the country's main cyber security adversaries; reports on the cyber capabilities of the Department of Defense, the Department of Homeland Security, and the National Security Agency; and further study of how to train cyber security professionals. (And, in case you're wondering, it says nothing about cyber security risks to elections.)
Here is an excerpt from the executive order:
Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order.
Here’s another excerpt:
The Secretary of Homeland Security and the Director of OMB, consistent with chapter 35, subchapter II of title 44, United States Code, shall jointly assess each agency's risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch enterprise in the aggregate.
The Director of OMB, in coordination with the Secretary of Homeland Security, with appropriate support from the Secretary of Commerce and the Administrator of General Services, and within 60 days of receipt of the agency risk management reports outlined in subsection (c)(ii) of this section, shall submit to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the following:
(A) the determination; and
(B) a plan to:
(1) adequately protect the executive branch enterprise, should the determination identify insufficiencies;
(2) address immediate unmet budgetary needs necessary to manage risk to the executive branch enterprise;
(3) establish a regular process for reassessing and, if appropriate, reissuing the determination, and addressing future, recurring unmet budgetary needs necessary to manage risk to the executive branch enterprise;
(4) clarify, reconcile, and reissue, as necessary and to the extent permitted by law, all policies, standards, and guidelines issued by any agency in furtherance of chapter 35, subchapter II of title 44, United States Code, and, as necessary and to the extent permitted by law, issue policies, standards, and guidelines in furtherance of this order; and
(5) align these policies, standards, and guidelines with the Framework.
President Obama made similar recommendations during his time in office. The fact that Trump's executive order does not go beyond prescribing more reports and studies upset Sen. John McCain, R-Arizona, chairman of the Armed Services Committee.
“We do not need more assessments, reports, and reviews,” NBC quoted McCain as saying.
“The threat is growing,” McCain added. “Yet we remain stuck in a defensive crouch, forced to handle every event on a case-by-case basis and woefully unprepared to address these threats.”