WASHINGTON — President Trump signed a long-awaited executive order on Thursday designed to improve the nation's cybersecurity.
As U.S. government officials and networks have been hacked in recent years, Trump's homeland security adviser Tom Bossert said the order is designed to fulfill the president's pledge to "keep America safe, including in cyberspace."
"I think the trend is going in the wrong direction in cyberspace and it's time to stop that trend and reverse it on behalf of the American people," Bossert said.
The executive order outlines three key priorities for the Trump administration's efforts in cyberspace: Protecting federal networks, updating antiquated and outdated systems, and directing all department and agency heads to work together "so that we view our federal I.T. as one enterprise network," Bossert said.
Cybersecurity is a real issue with federal agencies. According to a report from cybersecurity company Thales, 34% of federal agencies experienced a data breach in the last year, and 65% experienced a data breach at some point in the past. Almost all agencies – a whopping 96% – reported that they considered themselves “vulnerable” to cyberattack, with 48% saying they were “very” or “extremely” vulnerable.
The highly anticipated executive order comes months after a hack-filled election season. The U.S. intelligence community accused Russia of orchestrating a campaign of cyberattacks against Democratic political organizations and leaking them to websites such as WikiLeaks to undermine Hillary Clinton's campaign and public confidence in the democratic process.
Trump signed the order in the midst of FBI and congressional investigations into both the Russian cyberattacks and the possibility Trump's campaign associates colluded with the Russians.
But the election hacks were only one inspiration for the new order, Bossert said.
"The Russians are not our only adversary on the internet," he said. "The Russians, the Chinese, the Iranians, other nation-states are motivated to use cyber capacity and cyber tools to attack our people and our government and their data."
The U.S. government made cybersecurity a major priority especially after the hack on the Office of Personnel Management in 2014, one of the most significant cyberattacks in American history. The hack, widely believed to have been carried out by China, exposed the personal records of millions of government and former government workers.
Yet a deeper look at Trump's executive order shows it does not exactly instill groundbreaking new policies to combat nation-state hackers.
It essentially calls for a list of reports the White House wants various portions of the government to write, about whether the country is adequately prepared to defend itself against cyberthreats.
What's more, creating these reports and revamping security procedures won’t come cheap, noted Ken Spinner, vice president of field engineering at Varonis Systems, a cybersecurity company based in New York City.
“This will cost money — lots of it," he says. "We’ll have to see how this Congress deals with new budget requests."
The primary reports the order demands include an assessment of the nation’s critical infrastructure, the electrical grid and the Department of Defense’s warfighting capabilities.
Different agencies and organizations are given different timelines for when these reports must be completed, but most are due within the next 90 to 240 days. The majority of the reports will be filed with the Department of Homeland Security, though the reports relating to national security will go through the Secretary of Defense and the Director of National Intelligence. Those may be classified.
The executive order specifically calls out the need to secure the country's electrical grid.
The secretary of Energy and the secretary of Homeland Security must now assess the potential for a “prolonged power outage associated with a significant cyber incident” and whether the United States is ready to manage the consequences.
That report is one of the faster turnarounds: it is required to be provided to the President within 90 days and may be classified “in full or in part,” the order says.
The Edison Electric Institute, the association that represents all U.S. investor-owned electric companies, praised the order for its goal of improving the security of the electric power industry. “EEI and its member companies appreciate President Trump making cybersecurity for critical infrastructure a top priority, and we look forward to working with the Administration to ensure that industry and government continue to work closely together to protect the energy grid," EEI president Tom Kuhn said in a statement.
Finally, with a massive global shortage of skilled cybersecurity workers, the order asks the Secretary of Commerce, together with DHS, to review the nation’s training programs and ability to field the necessary workers in the years to come.
The agency has 120 days to write an assessment of whether the U.S. is training enough skilled cybersecurity workers to deal with the expected demand – and provide recommendations for how the nation can grow and sustain the necessary workforce for both the private and public sector, given the growing importance of this kind of protection.
It also asks the agency to review how other nations are developing their cybersecurity workforces and whether those might affect “long-term United States cybersecurity competitiveness.”
The executive order also specifically calls out the problem of botnets, automated attacks run using enslaved digital devices such as the one that knocked many sites offline in October of last year.
These botnets, or robot networks, are increasingly being deployed to attack networks and systems. With the rise of smart Internet of Things devices such as security cameras, thermostats, routers and even refrigerators, these botnets can all-too-easily be created and deployed.
The executive order asks the Secretaries of Commerce and of Homeland Security to lead a process that will improve the resilience of the Internet against such attacks and dramatically reduce the threat such botnets pose to the nation’s communications. A report on the effort is due within one year.
Overall, Trump's order doesn’t fundamentally change the U.S. approach to cybersecurity that began in the Bush administration and ran through the Obama administration, said Michael Daniel, president of the Cyber Threat Alliance and former special assistant to President Obama and cybersecurity coordinator for the White House.
The order is more “a plan for a plan,” he said, though he acknowledged the reports it demands will be helpful for administration officials to have on hand.
Others in the cybersecurity community also saw the executive order as a positive step because it follows the general trajectory of previous administrations. “It treats cybersecurity as a non-partisan issue. This demonstrates that the administration is viewing this as a continuity issue,” said Ryan Gillis, vice president of cybersecurity strategy and global policy for Palo Alto Networks, and a former legislative director for the Department of Homeland Security and the National Security Council.
Trump has repeatedly stressed that cybersecurity is a big priority of his administration. But the executive order, which has been expected for months, has been consistently delayed.
© 2018 USATODAY.COM