President Donald Trump today signed a long-awaited executive order aimed at beefing up cybersecurity at federal government agencies – with a shift of computer capabilities to the cloud as a key part of the strategy.
“We’ve got to move to the cloud and try to protect ourselves instead of fracturing our security posture,” Homeland Security Adviser Tom Bossert told reporters during a White House briefing.
The executive order gives the lead role in managing the cloud shift to the director of the White House’s newly established American Technology Council, which is due to meet for the first time next month.
Although the council’s full roster of members has not yet been announced, the director is said to be Chris Liddell, who formerly served as chief financial officer at Microsoft and General Motors.
Some agencies already have begun shifting data resources to cloud computing services, including Amazon Web Services and Microsoft Azure. Carson Sweet, CTO and co-founder of San Francisco-based CloudPassage, said the emphasis on the cloud “makes sense” and builds on a trend that began during the Obama administration.
“The question now will be how well the administration does with identifying and eliminating the obstructions agencies are facing as they consider adopting cloud / shared services,” Sweet told GeekWire in an email.
The executive order also calls upon all federal agencies to implement the NIST Cybersecurity Framework, a set of best practices developed by the National Institute of Standards and Technology for the information technology industry. And it calls on Cabinet secretaries to develop plans to protect critical infrastructure, ranging from utilities to the health care system to the financial system.
Bossert said the measures build on the efforts made by the Obama administration. “A lot of progress was made in the last administration, but not nearly enough,” he said.
As an example of past failures, Bossert pointed to 2015’s data breach at the Office of Personnel Management, which exposed millions of sensitive employment records to hackers. He said such records are the “crown jewels” of the government’s data assets and require enhanced protection.
Bossert noted that Trump’s budget blueprint sets aside $1.5 billion for cybersecurity.
Back in January, Trump vowed to come up with a “major report on hacking defense” within 90 days, but some observers said the executive order didn’t meet the target.
Drew Mitnick, policy counsel at Access Now, said in a statement that the measures “will serve as incremental changes to existing policies, while the Trump administration has otherwise either ignored or undermined pressing digital security threats internet users face.”
“The action does not touch several critical areas, like the insecurity of ‘Internet of Things’ devices, data breaches, or vulnerability disclosure,” Mitnick said.
During the briefing, one reporter asked whether shifting the federal government’s data to the cloud might heighten rather than reduce cybersecurity risks. Bossert said it’s better to centralize risk, rather than having 190 federal agencies come up with separate measures.
“I don’t think that’s a wise risk,” Bossert said.
Another reporter asked whether concerns over Russia’s online meddling with last year’s presidential campaign had any effect on the executive order.
“The Russians are not our only adversary,” Bossert replied. “The Russians, the Chinese, the Iranians, other nation-states are motivated to use cybersecurity and cyber tools to attack our people and our governments and their data. And that’s something we can no longer abide.”
He declined to say what type of cyber attack might constitute an act of war, other than to say that “if somebody does something to the United States of America that we can’t tolerate, we will act.”
Trump was reportedly on the verge of signing an executive order on cybersecurity back in January, but held off. Bossert said there was nothing unusual behind the delay. He noted that between then and now, the White House had the chance to lay out a budget blueprint and announced the formation of the technology council – two developments that set the stage for the executive order.
Bossert also acknowledged that some tech companies expressed concerns that they’d be compelled to take actions to head off distributed denial-of-service attacks, also known as botnet attacks. He emphasized today that the anti-botnet initiative would be voluntary.
The executive order calls on Commerce Secretary Wilbur Ross and Homeland Security Secretary John Kelly to file a preliminary report on the anti-botnet campaign within 240 days.
Bossert declined to confirm a claim that federal computers are hit by tens of thousands of hacking attempts daily, but he acknowledged that attempted data break-ins – and successful intrusions – are on the rise.
“The trend line is going in the wrong direction,” he told reporters.
Correction for 1:50 p.m. PT May 13: An earlier version of this report incorrectly referred to Chris Liddell as the former chief technology officer of Microsoft and GM. He has served as chief financial officer for those and other companies.