<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>White House now runs cyber security<br>
</p>
<p>Promises to hold agency heads responsible for slipups</p>
<p><a class="moz-txt-link-freetext" href="https://www.theregister.co.uk/2017/05/11/trump_cybersecurity_exec_order/">https://www.theregister.co.uk/2017/05/11/trump_cybersecurity_exec_order/</a>
<br>
</p>
<div class="byline"> <span class="dateline"> 11 May 2017 at 22:05,
</span> <a href="https://www.theregister.co.uk/Author/2395"
title="Read more by this author" class="alt_colour dcl">Iain
Thomson</a> </div>
<p>President Trump has signed his long-promised Executive Order on
cybersecurity and it says the Executive Branch will now be taking
overall command of securing the nation's critical IT systems.</p>
<p>During his campaign, Trump promised a missive on cybersecurity
within 90 days of taking office, but <a target="_blank"
href="https://www.theregister.co.uk/2017/01/31/trump_delays_cybersecurity_signing/">delayed
the signing</a> in late January. Now, 111 days after swearing to
protect and uphold the constitution of the United States, the
order has been signed, and it signals that Trump intends his staff
to take command.</p>
<p>"The President will hold heads of executive departments and
agencies (agency heads) accountable for managing cybersecurity
risk to their enterprises," <a target="_blank" rel="nofollow"
href="https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal">the
order</a> begins.</p>
<p>"In addition, because risk management decisions made by agency
heads can affect the risk to the executive branch as a whole, and
to national security, it is also the policy of the United States
to manage cybersecurity risk as an executive branch enterprise."</p>
<p>All federal agencies (of which there are hundreds) will have to
enforce the National Institute of Standards and Technology <a
target="_blank"
href="https://regmedia.co.uk/2017/05/11/cybersecurity-framework-for-fcsm.pdf">guidance
document</a> [PDF] and will report on their progress in the next
90 days.</p>
<p>The Secretary of Homeland Security and the Director of the Office
of Management and Budget will then assess the reports and present
the information to the President 60 days later. They will also
produce a plan to protect the executive branch if there are holes
in its security.</p>
<p>In addition, the Director of the American Technology Council will
ask each agency for a feasibility plan for combining IT
infrastructure for departments within 90 days. Agency heads will
also, henceforth, give preference in IT spending to shared systems
architecture.</p>
<p>The Secretary of Defense and the Director of National
Intelligence aren't spared the report writing either. They will
have 150 days to come up with a plan to protect national security
IT systems and deliver it to the Assistant to the President for
National Security Affairs.</p>
<p>But the US government can only do so much. Over 80 per cent of IT
systems classified as part of the US critical infrastructure are
in private hands. Trump wants the Secretary of Homeland Security,
the Secretary of Defense, the Attorney General, the Director of
National Intelligence, and the Director of the FBI (once he has
decided who that will be) to report on strengthening these systems
within 180 days.</p>
<h3>Getting specific</h3>
<p>Trump also wants a report, again within 90 days, on how to
promote transparency in government security purchasing agreements.
But the president also concentrated on specific threats.</p>
<ul>
<li>He wants reports on the threats posed by botnets within 240
days from the Secretary of Commerce and the Secretary of
Homeland Security. Up to a year later the report will be
published, after possible revision, so the public can learn how
the US intends to combat the threat.</li>
<li>The Secretary of Energy and the Secretary of Homeland Security
also have 90 days to report on the threat posed by hackers (but <a
target="_blank"
href="https://www.theregister.co.uk/2017/01/19/biggest_danger_to_power_grid_is_squirrels/">not
squirrels</a>) to the nation's electrical system.</li>
<li>The Secretaries of Defense and Homeland Security and the head
of the FBI have a similar period to review the resilience of the
nation's military and industrial base to attack.</li>
<li>"To ensure that the internet remains valuable for future
generations, it is the policy of the executive branch to promote
an open, interoperable, reliable, and secure internet that
fosters efficiency, innovation, communication, and economic
prosperity, while respecting privacy and guarding against
disruption, fraud, and theft," the report states, without using
the term net neutrality. To ensure this, Trump wants (you
guessed it) a report on how to secure the internet in the next
(I'm not giving you odds on this) <i>90 days</i>, this time
from the Secretaries of State, the Treasury, Defense, Commerce,
Homeland Security, the Attorney General, the United States Trade
Representative, and the Director of National Intelligence.</li>
<li>He also wants a report in the next 45 days on how the US can
work with other countries to secure the internet. This will be
produced by the Secretaries of State, the Treasury, Defense,
Commerce, and Homeland Security, in coordination with the
Attorney General and the Director of the FBI.</li>
<li>Domestic training ideas are wanted within 120 days from the
Secretaries of Commerce, Homeland Security, Defense, Labor,
Education, the Director of the Office of Personnel Management,
and maybe some other agencies. To secure the skills to do this,
the Director of National Intelligence has 60 days to produce a
report analyzing other countries' efforts to train an IT
security workforce. He'll also work with the Secretaries of
Defense, Commerce, and Homeland Security to report in 150 days
on how to maintain the US' position in cybersecurity.</li>
</ul>
<p>There was no mention of encryption, or any plans to allow law
enforcement to install backdoors. Nor were there any direct plans
for action – at this stage it's reports only, please.</p>
<p>So basically: expect no movement on cybersecurity over the next
three to six months. The players will have their hands full
preparing the hundreds of reports the Executive Order demands, and
will be far too busy to cope with anything else. ®</p>
<p>Ken</p>
</body>
</html>