President Donald Trump has signed a long-awaited executive order designed to strengthen the cybersecurity of critical infrastructure and the federal government’s computer networks. It is the White House’s first action at defending the US against hackers.
“The trend is going in the wrong direction in cyberspace, and it’s time to stop that trend and reverse it on behalf of the American people,” White House Homeland Security Adviser Tom Bossert said at the daily White House press briefing, announcing that the president had already signed the executive order.
There are three main thrusts of the order: strengthening the cybersecurity of federal networks, of critical infrastructure and for the country overall. It contains the word “cyber” 39 times.
On the federal side, each government agency has 90 days to create a plan to fit the criteria outlined in the National Institute of Standards and Technology’s 2013 cybersecurity framework (and any subsequent updates to the document), among other tasks. It also calls for all 190 federal agencies to move onto a centralized IT network.
“If we don’t move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts,” Bossert said. “We spend a lot of time and inordinate money trying to protect antiquated systems.”
In total, the government currently spends about $80 billion annually on IT.
Agencies will also be required to identify risks to their networks and share that information with the White House. The goal is to prevent a recurrence of the 2014 data breach at the Office of Personnel Management, in which hackers stole personal information of an estimated 21.5 million people.
For infrastructure, the executive order tasks the secretary of homeland security with reporting to Trump how vulnerable utility, financial, healthcare and telecommunications systems are to terrorist attacks.
The third part of the executive order calls for developing a set of policies to protect Americans on the internet.
“We need to establish the rules of the road for proper behavior on the internet, then deter those who don’t abide by the rules,” Bossert said, adding that the executive order is among the ways that Trump is “going to keep his promise that he has made to the American people to keep America safe, including in cyberspace.”
The secretaries of homeland security and commerce will also look at private sector companies that could help reduce the threat of botnets ‒ networks of hijacked devices that launch attacks ‒ and distributed denial-of-service (DDoS) attacks, which use automated bots to flood a site with so much traffic that it temporarily shuts down.
When asked if the executive order was in response to alleged Russian cyber interference in the 2016 presidential election, Bossert denied a link.
“It wasn’t a Russian-motivated issue. It was a United States of America-motivated issue,” he said.
The signing was long-anticipated. In early January, in response to the intelligence community’s assessment of Russian interference, Trump promised to put together a cybersecurity team that would be tasked with giving him a plan on how to “aggressively combat and stop cyberattacks… within 90 days of taking office,” he said in a statement.
Other than appointing former New York City Mayor Rudy Giuliani as an adviser on cybersecurity in the private sector, which happened in mid-January, Trump had taken no action towards that goal.
During congressional hearings this week, intelligence agency heads complained about the lack of a cybersecurity plan.
“We’re still trying to figure out the right way forward,” Admiral Mike Rogers, the head of US Cyber Command and the NSA director, told the Senate Armed Services Committee on Tuesday.
“All of us would agree we need a cyber doctrine,” Director of National Intelligence Dan Coats told the Senate Intelligence Committee on Thursday.
The executive order, which Trump signed on his 111th day in office, is the first official step in creating that doctrine.