The White House Indicates Potential First Steps on Strengthening Cyber Security

President Trump promised to take action on strengthening the nation’s cyber security posture early in his administration and a related executive order (EO) to strengthen U.S. cyber security and capabilities was expected on Tuesday.

A draft of the executive order (EO) was obtained by the Washington Post before days before. The draft order calls for reviews in three major areas and a report on private sector cyber incentives. Here are some of the salient details in the draft (emphasis added.)

Cyber Vulnerabilities Review:

The vulnerabilities review will be co-chaired by the Secretaries of Defense and Homeland Security, the Director of National Intelligence, the Assistant to the President for National Security Affairs, and the Assistant to the President for Homeland Security and Counterterrorism.

• Secretary of Defense to submit initial recommendations for protection of national security systems within 60 days.
• Secretary of Homeland Security to submit initial recommendations for enhanced protections of civilian federal government, public and private sector infrastructure and national security systems with 60 days of the order.
• The recommendations are to include steps to ensure agencies are “organized, tasked, and resourced, and provided with adequate legal authority necessary to fulfill their missions.”

Cyber Adversaries Review:

The adversaries review will be co-chaired by the Director of National Intelligence, the Secretaries of Defense and Homeland Security, the Assistant to the President for National Security Affairs, and the Assistant to the President for Homeland Security and Counterterrorism.

• The DNI will submit a first report on identities, capabilities and vulnerabilities of the principal cyber adversaries within 60 days.

U.S. Cyber Capabilities Review:

The capabilities review will be co-chaired by the Secretaries of Defense and Homeland Security, and the Director of the National Security Agency.

• Review existing cyber capabilities at the respective departments and agency based on the results of the other reviews.
• Identify initial sets of capabilities needing improvement to adequately protect U.S. critical infrastructure.
• Recommendations are to include steps to ensure that the responsible agencies are “organized, tasked, and resourced, and provided with adequate legal authority necessary to fulfill their missions.”
• The Defense and DHS Secretaries will also gather and review information from the Secretary of Education about computer science, math, and cyber security education from primary through higher education to understand U.S. workforce development efforts.
• The Defense Secretary shall make recommendations on ways the U.S.’s educational system can maintain its competitive advantage going forward.

Report on Private Sector Infrastructure Incentives:

The incentives group will be co-chaired by the Secretaries of Commerce, Treasury, Homeland Security, and the Assistant to the President for Economic Affairs. The Chairs of the Security and Exchange Commission and Federal Trade Commissions may also be invited.

• Report on options to incentivize private sector adoption of effective cyber security measures within 100 days.

Postponed for Now

While the order was expected Tuesday, the White House decided to postpone its issuance after the president met with cyber security experts at the White House. Reports in the press suggest the new administration is building on the work of NIST’s Commission on Enhancing National Cybersecurity, which was ordered by President Obama in February 2016 and which reported findings in December.