President Donald Trump signed an executive order Thursday targeting the federal government's notorious vulnerability to cyber threats, mandating one set of standards and making the heads of each government agency responsible for security.
"The United States invented the internet and we need to better use it," Tom Bossert, Trump's homeland security adviser, said at a briefing on the order for reporters. "There will always be risk, and we need to address that risk."
Trump had been scheduled to sign the order on Jan. 31, but that signing was postponed without explanation.
The new order puts responsibility for cybersecurity squarely on the shoulders of the director of every federal agency, making it more difficult for executives to pass the buck to their information technology staffs every time a new breach is discovered.
"Risk management decisions made by agency heads can affect the risk to the executive branch as a whole," according to the order. "Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy and human resources."
Drafts of the order have been widely circulated for months, but the version Trump signed Thursday includes a major and unexpected initiative: moving as much of the government's cyberdefense system to "the cloud" as possible.
That provision effectively establishes a single structure centralizing all federal IT networks.
"We've got to move to the cloud and try to protect ourselves instead of fracturing our security posture," Bossert said, adding: "If we don't move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts."
Specifically, the order directs all federal agencies to adopt cybersecurity policies drawn up by the National Institute of Standards and Technology — policies that were issued years ago but that the government itself has never adopted.
"From this point forward, departments and agencies shall practice what we preach," Bossert said.
Most of the order, however, is taken up with directives for further studies and reviews:
- One review on the United States' general vulnerabilities.
- One on the country's main cybersecurity adversaries.
- One on the cyber capabilities of the Defense Department, the Homeland Security Department and the National Security Agency.
- Yet another on training the next generation of cybersecurity professionals.
Sen. John McCain, R-Arizona, chairman of the Armed Services Committee, expressed exasperation at the number of reviews mandated in the order, saying it's far past time to take significant action.
"We do not need more assessments, reports and reviews," McCain said in a statement, insisting that the priority should be "the urgent business of formulating a strategy to deter, defend against and respond to cyberattacks on our nation."
At an Armed Services hearing on cybersecurity Thursday, McCain said: "The threat is growing. Yet we remain stuck in a defensive crouch forced to handle every event on a case-by-case basis and woefully unprepared to address these threats."
James Clapper, the former director of national intelligence, testified at the hearing that new policies are fine, but only if they're adequately enforced and funded.
Clapper spoke alongside other former officials in testimony before the Senate Armed Services Committee on cyber policy and strategy Thursday morning.
Clapper said he believes the Trump administration understands the importance of strengthening cybersecurity and emphasizing accountability.
"What I expect is, though, that the accompanying authorities and resources will not match these bold goals," he said.
Michael Daniel, former President Barack Obama's cybersecurity coordinator, told Reuters that the order was a good idea philosophically, but he noted it was largely "a plan for a plan."
But Bossert, who was a homeland security official in the administration of former President George W. Bush, appeared to put the blame on Obama.
"A lot of progress was made in the last administration, but not nearly enough," he told reporters.