Dive Brief:
- President Donald Trump signed an executive order on cybersecurity Thursday in an effort to protect federal networks, critical infrastructure and national cybersecurity. Prioritizing cybersecurity as an issue of national security, Trump plans to hold agency and department heads accountable for managing cyber risk in their organizations.
- Decrying the executive branch's history of accepting "antiquated and difficult-to-defend IT," the order encourages federal agencies to undergo technology modernization efforts with planned and coordinated systems maintenance and improvement. The president is also mandating agency heads adhere to the NIST framework on cybersecurity to help manage risk. Within 90 days of the order, each agency head is expected to deliver a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget.
- The president is mandating agencies identify authorities and capabilities that are required to ensure the cybersecurity of critical infrastructure, an area that is at the "greatest risk," because an attack could result in "catastrophic regional or national effects on public health or safety, economic security, or national security," according to the order.
Dive Insight:
The executive order on cybersecurity tackles much of what critics have long called for: a coordinated defense and the upgrade of back-end systems. The order centers on the idea of IT modernization to allow for better cyber defense, outlining steps agencies must take to ensure they do not suffer a crippling cyberattack.
The order has been a long time coming. During the campaign, Trump promised to address cybersecurity, but initial actions were delayed. A draft of the original proposed order on cybersecurity began circulating in January, but the administration held it to seek more input from agency heads and private sector experts. The executive order released Thursday goes a lot further than previous versions, getting to the heart of cybersecurity concerns.
Rather than simply calling for agencies to help install better cybersecurity in the private and public sectors, the order addresses the root of the problem, which is dated technology and a relaxed approach to cybersecurity measures. It even takes on workforce development, which the order says will provide the U.S. with a "long-term cybersecurity advantage." The order takes private sector best practices on cybersecurity and works to implement them at the federal level.
Putting agency heads on notice may be a bit redundant, as executives at all levels are now becoming security stakeholders. But the promise to hold agency heads accountable will place emphasis on ensuring cybersecurity.
One of the key issues with the order is that it's easy to task agency heads with modernizing IT, but agencies require resources to make that happen. Right now, the government spends 75% of the $80 billion federal IT budget on operations and maintenance of legacy systems. Unless agencies have access to more resources, ensuring cybersecurity is a pipe dream.