On May 11, 2017, the White House issued an executive order aimed at strengthening the cybersecurity of federal networks and critical infrastructure. The order mandates that federal department and agency heads take an active role in reviewing, improving, and modernizing cybersecurity risk management, and stands as a major action toward enhancing cybersecurity in the wake of high-profile federal agency breaches such as those of the Office of Personnel Management and the IRS in 2015, and an election riddled with headlines of hackers releasing sensitive information taken directly from government agencies.
A hallmark of the Order is that it places cybersecurity responsibility squarely on department and agency leaders, laying out a series of reporting and reviewing deadlines that synthesize and build upon the Cybersecurity Framework and other measures first implemented by previous administrations. The Order seems poised to prioritize modernization in the area by moving away from “antiquated” and “difficult-to-defend” IT systems and exploring the possibility of upgrading to shared IT services and use of the cloud. It also emphasizes the importance of training and educating in the field of cybersecurity, to help prepare for and combat future threats.
Overall, the order is seen by many as a big step toward holding federal agencies responsible for the same cybersecurity assessments and measures that they expect and require of the entities they regulate. Despite the government's vulnerability to cyberattacks, government agencies have generally not been held as accountable for the same vulnerabilities they investigate in the private sector. By not only requiring that federal agencies now use the cybersecurity framework promulgated by the National Institute of Standards and Technology (“NIST”) under the prior administration, but also requiring department and agency heads to take an active role in reviewing and reporting on compliance with the framework, the Order focuses on holding agencies accountable and, as one White House spokesperson put it, asking them to practice what they preach.
Some commentators feel that the order does not go far enough, with one Senator calling it simply a “plan for a plan,” which prioritizes further review and reporting over actual action against real-time threats. What also remains to be seen is whether the short, ninety-day reporting timeframes mandated by the order are workable, and whether the changes that will result from the report and review periods will be financially feasible for the agencies, and also for the private sector companies that do business with them and will likely be subject to increased scrutiny as well. Other concerns center on the provisions directing that the Secretary of Defense, as well as the Directors of National Intelligence and the FBI, will be involved in efforts to support the cybersecurity risk management of owners and operators of the Nation’s critical infrastructure, and the impact that will have on the privacy of personal information maintained by the various agencies.
In the meantime, the Order serves as an important step to hold the federal government responsible for its own cybersecurity and to prioritize cybersecurity at a time when it is clearly needed.