The Trump administration's long awaited cyber-security executive order is finally here, and while it adds a number of new reporting requirements and includes the Office of American Innovation, run by Trump son-in-law Jared Kushner as a major player in the cyber-security build-up, it doesn't have the ability to actually implement changes.
New steps taken by the EO include a change in the accountability of agencies of the executive branch by making agency heads personally accountable for their organization's security performance. This eliminates a previous practice of agency heads delegating the responsibility to their IT department, thus leaving the agency head free of commitment.
The EO also includes an effort to modernize the executive branch IT systems, to encourage workforce development, to adhere to national standards and to help develop protections for critical infrastructure.
Critical infrastructure planning and reporting includes an effort to work with the companies that own and operate such things as power generation facilities to help them protect themselves against attackers. In addition, it requires detailed reports of the consequences of a successful attack, including a requirement to analyze widespread power outages that could last for weeks.
However, the primary requirement in the EO is a series of reports with varying deadlines that appear to be designed to create a baseline to broadly coordinate security efforts throughout the executive branch. In that sense, the order is descriptive rather than prescriptive. Actual changes will have to come in a subsequent EO.
The EO that was finally finished in April and presented on May 11 had been through a number of drafts, some of which had leaked and had created consternation in the security industry. The final version, however, has been widely accepted because it moves the ball forward in a number of areas mentioned above. While the EO doesn't specifically include help from the private sector, it does at least make important strides in the government.
The change in accountability, for example, is very important. Previous cyber-security orders allowed agency heads to delegate the task to people in the IT department who had neither the authority nor the staff to enforce it. This change would mean that the head of an agency such as the Office of Personnel Management would now be responsible in a situation where their failure to provide adequate security led to a major breach.
You may have noticed that when such breaches have happened in the past, heads didn't roll because the responsibility had been delegated away. This EO would change that.
The EO also changes the rules for procurement of IT systems by the executive branch by requiring that they meet modernization goals. Unfortunately, a depressingly large percentage of the computer systems in use by the executive branch are so antiquated that modernization is an impossible dream. Some of those systems were old when I was a young naval officer working at the Defense Logistics Agency decades ago, and they're still in use.