On May 11, 2017 President Donald Trump signed an executive order to bolster the government's cybersecurity and protect critical infrastructure from cyber-attacks, marking his first significant action to address what he had previously called a top priority.
The order seeks to improve the often-maligned network security of U.S. government agencies, from which foreign governments and other hackers have gained access to millions of personal records and other forms of sensitive data in recent years. The Office of Management and Budget stated in its annual cybersecurity report to the Congress that federal agencies faced almost 31,000 “cyber incidents” in fiscal 2016 that led to “compromise of information or system functionality.” Moreover, 16 of these incidents met the threshold for a major incident, a designation that triggers a series of mandatory steps for agencies, including reporting certain information to Congress.
The White House said the order also aimed to enhance protection of infrastructure such as the energy grid and financial sector from sophisticated attacks that officials have warned could pose a national security threat or cripple parts of the economy. The directive, which drew largely favorable reviews from cyber experts and industry groups, also lays out goals to develop a more robust cyber deterrence strategy, in part by forging strong cooperation with U.S. allies in cyberspace. White House homeland security adviser Tom Bossert said the order sought to build on efforts undertaken by the former Obama administration.
Among the notable changes, heads of federal agencies must use a framework developed by the National Institute of Standards and Technology to assess and manage cyber risk, and prepare a report within 90 days documenting how they will implement it. Although the Obama administration had encouraged the private sector to adopt the voluntary NIST framework, it did not require government agencies to do so.
The order also calls for an examination of the impact of moving agencies toward a shared information technology environment, such as through cloud computing services. Additionally, it urges voluntary cooperation with the private sector to develop better strategies to fend off and reduce attacks from botnets, or networks of infected devices.
Before taking office, President Trump said he intended to make cybersecurity a priority of his administration. Thus, it will be interesting to see what additional steps he takes in strengthening the country’s cybersecurity. Moreover, with the recent enactment by New Mexico, there are now 48 states with their own data protection/notification laws. Thus, President Trump may also consider proposing a uniform federal law regarding data protection and notification to affected citizens.