We’ve kept a close eye on the anticipated Cyber Security Executive Order, and on May 11, 2017, it was signed. You can find the full text on the official White House web page. But we’ve done your homework for you and have four important things you should know about the “Presidential Executive Order on Strengthening the Cyber Security of Federal Networks and Critical Infrastructure.”
1. It Finally Names Who Does What
The United States has suffered from a lack of a unified federal cyber defense structure, creating a disadvantage on the global cyber security playing field. In some ways, this new executive order attempts to rectify that. In fact, a tremendous number of officials have some sort of responsibility outlined in the document, including:
- The Director of National Intelligence
- The Secretary of Energy
- The Director of the FBI
- The Attorney General
- The Secretary of Homeland Security
- The Office of Management and Budget (OMB)
- The Secretary of Labor
- The Secretary of Education
- The Department of Defense Warfighting Capabilities and Industrial Base
That’s not even an exhaustive list!
The important thing, in terms of the future of cyber security, isn’t just that the order names who does what; it also specifically requires the heads of executive departments and agencies to be directly responsible for the cyber security of their department or agency.
That means no more passing the buck to IT departments.
2. It’s a Plan for a Plan
While the document contains a few requirements, such as updating unsupported infrastructure (goodbye Windows XP!), mostly it is a plan for a plan. Timelines are given for each task, such as a timeline to report to the president and then a timeline to implement changes recommended in that report.
The main plan that will (possibly) finally go into effect is known as The Framework, specifically “The Framework for Improving Critical Infrastructure Cyber Security” developed by the National Institute of Standards and Technology. If that rings a bell, it’s probably because that document was created at the request of President Obama and issued February 12, 2014. It just never got implemented.
3. It Calls for Centralized Infrastructure
As it stands, individual government agencies handle their own acquisitions, IT, and even threat assessment, mitigation, and response. (Remember the breach at the Office of Personnel Management: antiquated IT infrastructure.)
Under this new order, centralization will occur in a couple of ways:
- Department heads: now each department head is tasked with leading “integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.” That broad, cross-training perspective will be key to the future of federal cyber security.
- IT services: soon, agencies will share centralized infrastructure, according to the plan, including utilizing shared cloud services and email.
4. It Names Educational Objectives
Professionals in every capacity in or around cyber security recognize a growing and looming emergency: a lack of qualified personnel. As security threats continue to grow in both scope and variety, the United States has been ill-prepared to respond in a unified fashion, hence the need for this executive order.
The future of cyber security for both US companies and government bodies will require a workforce with the education and skill set necessary to meet those threats.
This executive order promises to “support the growth and sustainment of a workforce that is skilled in cyber security and related fields.” The first step in the document is merely to require an assessment of curricula, training, and apprenticeship programs. Presumably, then, at some point, we may see greater federally sponsored incentives for cyber curricula and programs.
So it may be a plan for a plan, but it’s a promising beginning for a transparent and unified cyber infrastructure.