President Donald Trump has finally signed a long-awaited executive order on cybersecurity, and he called for the U.S. government to move more into the cloud and modernize its IT infrastructure.
The order, signed on Thursday, is designed to “centralize risk” and move the government’s agencies toward shared IT services, White House homeland security adviser Tom Bossert said in a press briefing.
“We’ve got to move to the cloud, and try to protect ourselves, instead of fracturing our security posture,” he said.
Too much time and money have been spent protecting old federal IT systems, some of which store U.S. citizens’ data, he said. In response, Trump’s executive order demands that all agency heads “show preference” for shared IT services when procuring new IT services.
The planned modernization also includes transitioning government agencies to one or more consolidated networks. Bossert said the goal is to view “our IT as one federal enterprise network.”
“If we don’t do so, we will not be able to adequately understand what risk exists and how to mitigate it,” he said.
Government agencies will also implement the NIST framework, voluntary guidance that the U.S. National Institute of Standards and Technology first published in 2014 to protect organizations from cyberthreats.
“It is something we have asked the private sector to implement, and not forced upon ourselves,” Bossert said. “From this point forward, departments and agencies shall practice what we preach.”
Security experts said the executive order is a good start toward safer IT systems and moves toward tackling a whole host of cybersecurity issues facing the U.S.
For instance, it calls on the government to release reports over the coming months, detailing how it can bolster the U.S. cybersecurity workforce, protect the country from hacks, and work with foreign countries to stop cyber-related threats.
“This order is more of a plan for a plan,” Michael Daniel, former White House cybersecurity coordinator, said in an email.
“I think the main question is whether these reports will be studies or presenting options, and hopefully it will be more of the latter,” added David Simon, a former special counsel at the U.S. Department of Defense and partner at legal firm Mayer Brown.
Trump signed the order after questions arose over its delay. Bossert said there were concerns with parts of the order, one of which called on industry stakeholders to help stop DDoS attacks from botnets, which are armies of hacked computers.
Some had worried the executive order would force private companies to stop botnets, but Bossert said any action would occur voluntarily.
Thursday’s executive order was also timed to coordinate with another Trump effort to modernize the U.S. government’s IT infrastructure, which the White House announced earlier this month.