President Trump's executive order on cybersecurity, signed on Thursday, was months in the making. It orders several broad reviews of the cybersecurity apparatuses of federal agencies, and pushes them to use certain standards for managing their cybersecurity.
Why it matters: Federal agencies are fighting an uphill battle when it comes to data security. Most of them are using very old systems and have tight budgets, yet they are prime cyber-crime targets.
By the numbers: According to a recent federal edition of the Thales Data Threat Report, 34% of federal respondents experienced a data breach in the last year and 65% experienced a data breach in the past. Almost all (96%) consider themselves 'vulnerable', with half (48%) stating they are 'very' or 'extremely' vulnerable.
Here are some key takeaways from cybersecurity experts we talked to:
- The administration took its time. "The original deadline was to turn this around in 90 days," Daniel Castro, Vice President of the Information Technology and Innovation Foundation, said in an email. "And now that the executive order is out, we see that it is mostly a plan for a plan." But he also said the order is "a much more mature draft than the one we saw back in late January."
- It doesn't tap private sector expertise. "I think the biggest weakness of it might be that it is really drawing heavily from government to implement the plan," said Castro in an interview, noting in his email that the "policies in this order lean heavily on the government for ideas and implementation rather than a public-private partnership approach." The private sector has its place in the order, though. The administration says it will look to companies for help with botnets, and the order references the new American Technology Council.
- Calls for IT modernization: "Trying to implement security on old, often obsolete technology is both difficult and expensive, and with limited IT talent available would be throwing good money after bad," said Steve Grobman, McAfee's Chief Technology Officer.
- Consistency with previous plans: "It's great that we're not seeing a massive sway in policy from one administration to another. That continuity, and building upon areas that had gaps, is consistent with bipartisan approaches since the Bush administration," said Ryan Gillis, VP of Cybersecurity Strategy and Global Policy at Palo Alto Networks.
- Tall order for agencies: "Moving government agencies to shared services and IT modernization alone are huge action items," Gillis said.
- Cultural shift in approach to cyber: "We've never had an executive order require all federal agencies to apply NIST [standards] to their entire organization" and build a comprehensive risk and mitigation report, said Mike Shultz, CEO of Cybernance. "The 90-day deadline is a huge lift for an order that requires a cultural shift down to the DNA level of how we view cyber risk."
- Budget uncertainty: Who's going to foot the bill for taking additional cybersecurity steps? "The right words are in there — that agencies should align budget planning with risk assessments — but the devil will be in the details," said Rear Admiral (ret.) David Simpson, cybersecurity consultant and former FCC Public Safety and Homeland Security Bureau Chief. "At least we'll be having adult conversations about the gap between what agency officials say and where they're actually putting their money."
The bottom line: Like most executive orders, this one didn't lay out a comprehensive plan. Still, it's a starting point with direction that feds had been waiting for from the White House as they deal with mounting cybersecurity challenges.