Cybersecurity community lauds executive order
President Trump’s cybersecurity executive order has earned positive reviews from the cybersecurity community, who see it as a valuable starting point towards strengthening cyber defenses.
“It’s a good first step for cybersecurity,” said James Norton, a former deputy assistant secretary in the George W. Bush administration who now works at cybersecurity firm Play-Action Strategies.
“But there will be more steps, including more guidance and funding.”
The executive order had been hotly anticipated since drafts started to leak in the early days of the administration. Though most cybersecurity experts agreed each successive draft improved on the last, people with vested interests in cybersecurity were impatient for a final release.
While the final version held few major surprises relative to the earlier leaked drafts, its basic components already impressed experts.
“The President’s early focus on cyber is good for the public and private sector,” Kevin Davis, a vice president at cybersecurity firm Splunk, said in a written statement. “Improving cybersecurity is one of the few items both sides of the aisle can reach across and agree on.”
Trump garnered praise from industry members for taking common-sense steps to protect agencies, including requiring agencies to use the Cybersecurity Framework developed by the National Institute of Standards and Technology, which is meant to be adaptable to any organization.
“The alignment of federal agency security around the framework’s risk-based approach builds off of NIST’s successful collaboration with industry during the last administration,” said Christopher Padilla, IBM vice president of Government and Regulatory Affairs.
Other parts of the order that earned positive responses included shifting the ultimate responsibility for cybersecurity to agency heads, rather than allowing them to delegate responsibilities to agency IT staffs.
“The reality is that there have been many cybersecurity reports by the federal government that all basically say the same thing. The problem isn’t a direction, it’s implementation and accountability,” said John Bambenek, threat research manager at Fidelis Cybersecurity.
“With agency heads’ jobs on the line, they now have an incentive to do things that they should have been doing all along, like risk management of their critical assets and information.”
Putting responsibility at the top of an organizational chart is “something that has been driven home in the private sector by regulatory agencies,” said Stephen Lilley, a partner at the law firm Mayer Brown and former chief counsel for the Senate Judiciary subcommittee on Crime and Terrorism.
Lilley also praised the order for making changes without entirely upending agencies’ cybersecurity infrastructure.
“There’s a lot of continuity with the Obama administration,” he said. “Clients tell me, ‘This looks like something we can work with, it has the same players.’”
An earlier leaked draft had shifted much of the government’s cybersecurity responsibility to the Department of Defense, including many roles that had previously belonged to the Department of Homeland Security.
“Overall, this [executive order] continues the general approach to cybersecurity that started in the Bush Administration and ran through the Obama Administration. I concur that the signed version is an improvement over previous drafts,” Michael Daniel, a former Obama administration cybersecurity coordinator who now runs the Cyber Threat Alliance industry group, said in a statement.
“[I]n general, I don’t see anything unusual or that really goes in a different policy direction,” he added.
Others gave cautious praise for the order’s call to modernize federal IT, while noting that the modernization requires funds that can’t be secured through an executive order.
“The single biggest opportunity facing the new administration is modernization, which requires smart investments in security technologies that can help government agencies understand and reduce their cyber risk,” said Amit Yoran, chief executive of Tenable Security.
Congress is already trying to find funding for the modernization. A bipartisan bill spearheaded by Rep. Will Hurd (R-Texas) would create a modernization fund and give agencies incentives to pay for new IT out of their own budgets.
Where the executive order falls short, according to cybersecurity experts, is in calling for more study rather than providing definitive solutions.
Much of the order, including its sections on military planning, critical-infrastructure protection and growing the cybersecurity workforce, directs agencies to develop new plans rather than setting out a strategy itself.
“It’s great to have leadership and guidance from the president, great to build bipartisan support for the budget the order is going to need, but this only sets the stage for more concrete steps in a lot of important areas,” said Mark Kuhr, the founder of the testing firm Synack.
Kuhr said he also would have liked to see a section on public-private partnerships, building information sharing between the intelligence community and private business.
After the wait for the first executive order, Kuhr said he wouldn’t mind seeing another.