On May 12, 2017 the WannaCry ransomware attack made world-wide headlines, and affected thousands of private entities and government agencies, including the National Health Services of the United Kingdom, and wide-ranging targets in China and Russia. The day before the WannaCry attack started, President Trump signed the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (Executive Order) in an attempt to improve the state of cybersecurity in the US government and across the nation’s critical infrastructure industries. The Executive Order subjects US federal agencies to some of the same cybersecurity controls being deployed by private industry. The Executive Order includes three substantive sections covering cybersecurity for federal networks, critical infrastructure, and national preparedness.
In its first section, the Executive Order requires that all federal agencies immediately adopt the Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology (NIST). This flexible framework is widely respected and is gaining traction with cybersecurity professionals. In another change, section one of the Executive Order holds heads of federal agencies directly accountable for managing cybersecurity risk to their enterprises – much as a CEO is responsible for data breaches at a company. Previously, responsibility was often assumed by an agency’s IT director.
Section one also mandates eventual movement of federal information technology to the cloud and its centralization into a single enterprise network, relying on shared cybersecurity controls. “We’ve got to move to the cloud and try to protect ourselves instead of fracturing our security posture,” said Homeland Security adviser Tom Bossert. “If we don’t move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts.” A number of bills before Congress would create funding for actions taken to modernize and implement federal systems based on this Executive Order.
The second section addresses federal support for the owners and operators of the nation’s critical infrastructure, as defined in President Obama’s Presidential Policy Directive 21, which includes utility distribution, financial and healthcare services, and telecommunications systems. The Secretary of Homeland Security has 180 days to report on vulnerabilities and proposed defenses. The Secretary will also consider how private sector companies can help reduce the threat of widespread malware attacks. On this topic, the Secretary has 240 days to issue a preliminary report and one year to issue a final report. In addition, various secretaries have 90 days to issue a joint report on the cybersecurity risks facing the defense industrial base, including its supply chain, and U.S. military platforms, systems, networks, and capabilities – along with recommendations for mitigating these risks.
The third part of the Executive Order calls for a report on policies to protect and promote a safer Internet, and to develop a skilled cybersecurity workforce to help defend the nation from future attacks, and maintain a strategic long-term advantage.