
Trump's cybersecurity order: Out with 'antiquated systems'

The executive order aims to improve US systems by protecting federal networks, critical infrastructure and Americans online.


President Trump (seated) signs the executive order on cybersecurity as he is joined (from left) by Josh Steinman, Rob Joyce and Tom Bossert.

The White House

President Donald Trump has signed a long-awaited executive order on improving the United States' cybersecurity.

In January, Trump promised to develop a plan to improve US cybersecurity by his 90th day in office. The executive order signing came on Trump's 111th day in office on Thursday. A White House press briefing revealed some details about the order before it was made publicly available.

The order comes as hacking and cybersecurity continue to loom over politics. Trump's presidential campaign, and now his administration, have been caught up in a probe of Russian cybermeddling, including charges that Russian hackers broke into the Democratic National Committee. The NSA chief, meanwhile, alerted France to Russians breaching their election infrastructure ahead of recent presidential voting there. Like the US, the UK has also made efforts to ramp up its national firewalls.

During the press briefing, Homeland Security adviser Tom Bossert previewed the order and said it was focused on three US cybersecurity priorities: protecting federal networks, critical infrastructure and the public online. The White House released the order on Thursday afternoon.

"We spend a lot of time and inordinate money trying to protect antiquated systems," Bossert said, pointing at the Office of Personnel Management hack in 2015. "We've got to move to the cloud to try to protect ourselves instead of fracturing our security posture."

The government currently spends about $80 billion a year on its fractured federal IT budget.

Time to upgrade

All of the US's 190 federal agencies could be moving onto one centralized IT network to reduce confusion.

"The single biggest opportunity facing the new administration is modernization, which requires smart investments in security technologies that can help government agencies understand and reduce their cyber risk," said Amit Yoran, CEO of Tenable Network Security, in an email.

Starting Thursday, the federal government will be abiding by the National Institute of Standards and Technology's cybersecurity framework. The US government came up with the framework for private companies in 2013, but never followed it itself.

"If we don't move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts," Bossert said.

Theresa Payton, the White House chief information officer during George W. Bush's presidency, said the executive order should be an opportunity to create the framework for the US's future cybersecurity.

"The modernization and cybersecurity processes go hand in glove and must be pursued in tandem," Payton, now at Fortalice Solutions, said in an email.

Infrastructure

The second section of the executive order focuses on protecting America's critical infrastructure, including utility grids like electricity and water, as well as financial, health care and telecommunications systems. The secretary of Homeland Security will be reporting to Trump on how vulnerable those infrastructures are to cyberattacks.

The secretary of Commerce and secretary of Homeland Security will be looking at private sector companies that could help reduce the threat of botnets under the order. Botnets are vast networks of hijacked connected devices used by hackers to launch attacks.

Americans online

In the third part of the cybersecurity executive order, Trump calls for developing a set of policies to protect US citizens on the internet. The US will also be looking to recruit more cybersecurity experts to help defend the nation from hacks and develop a long-term advantage.

Bossert indicated that Trump's executive order will rely on the private sector to help the nation defend itself from Distributed Denial of Service (DDoS) attacks and botnets. The executive order seeks to establish policies for deterring foreign nations from targeting American citizens in cyberattacks.

"We need to establish the rules of the road for proper behavior on the internet, then deter those who don't abide by the rules," Bossert said. "It wasn't a Russian-motivated issue. It was a United States of America-motivated issue."

The Homeland Security adviser also indicated that the government would be working with the private sector more closely to prevent cyberattacks following the executive order.

"It will be interesting to see whether the deterrence report and the international strategy will say anything new -- but in general, I don't see anything unusual or that really goes in a different policy direction," said Michael Daniel, president of Cyber Threat Alliance and former cybersecurity coordinator for the White House during the Obama administration.


First published May 11, 11:18 a.m. PT.
Updated at 12:05 pm: To include more details on the executive order on cybersecurity after it was released, at 12:41 pm to include insights from former White House administrations and at 1:11 pm to add context behind the order.