President Trump signed a executive order today commanding a review of the United States’ cybersecurity capabilities. Trump was initially set to sign the order shortly after his inauguration in January and held a press conference on the issue, but ultimately delayed the signing.
The version of the order signed today bears some similarity to the earlier draft, but does contain some notable changes. For instance, the order puts responsibility for cybersecurity risk on the heads of federal agencies. Agencies are required to follow the standards established by the National Institute for Standards and Technology in assessing their risk, and submit reports on their risks within 90 days.
A report on cybersecurity concerns regarding critical infrastructure is due within six months. Earlier drafts of the order did not include the FBI in the critical infrastructure review, and observers questioned why the agency had been omitted. In the final version of the order, the FBI is included in this review.
The executive order places greater responsibility for federal cybersecurity with the military, a move rejected by the Obama administration. “Civil society organizations in the United States have fought hard against the militarization of the domestic internet,” Access Now’s U.S. policy manager and global policy manager Amie Stepanovich said, noting that the shift could lead to increased surveillance. “Any role of the Department of Defense in cybersecurity should be explicitly and firmly limited.”
The order calls for a review of the threat posed by botnets, which target websites with automatically-generated spam traffic. The Mirai botnet was responsible for significant internet outages last year. But Access Now says the order should also address the government’s process for vulnerability disclosure and its response to data breaches.
While Trump’s executive order calls for workforce development that will fill government with competent cybersecurity workers, the president’s hiring freeze has hindered other federal programs that encourage cybersecurity students to take government jobs after graduating college.
In a press briefing, White House homeland security advisor Tom Bossert said that the order built on recommendations made by the Obama administration and downplayed Russia’s role as a cybersecurity adversary.
“A lot of progress was made in the last administration, but not nearly enough,” Bossert said. He later distanced the signing of the order from ongoing concerns about Russia’s involvement in political hacking campaigns. “”The Russians are not our only adversary on the internet,” he said, according to Reuters.