Last month marked the one-year anniversary of President Donald J. Trump’s signing of Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. In the EO, the President directed departments and agencies to develop multiple reports to further our understanding of the cybersecurity risks to the Nation and focus on opportunities to mitigate those risks.
President Trump emphasized four core areas: securing and modernizing federal networks, protecting the critical infrastructure that maintains the American way of life, deterring America’s adversaries in cyberspace, and building a stronger cybersecurity workforce. Departments and agencies have completed all EO-directed reports, and the reports are informing our strategies, policies, and actions.
The development of the reports required extensive collaboration across the executive branch. Industry and the public also provided crucial input about how the Nation can improve the cybersecurity of critical infrastructure, enhance the resilience of the Internet and communications infrastructure, and strengthen our Nation’s cybersecurity workforce.
The EO and the reports it directed provide the Nation’s priorities for cybersecurity. The Administration used information contained in some of the reports commissioned by the EO to inform the National Security Strategy’s (NSS) significant content on cyber policy. A central element of the NSS is the imperative to safeguard Americans and American businesses in the realm of cyberspace. Without leadership from the United States and other likeminded countries to promote economic prosperity that prioritizes innovation, communication, and openness while respecting privacy and guarding against disruption, fraud, and theft, the Internet will become a volatile medium through which competing economic, political, and social models clash.
The NSS emphasizes that “[a] strong, defensible cyber infrastructure fosters economic growth, protects our liberties, and advances our national security.” Accordingly, it is the Administration’s policy to enhance the defensive capabilities of systems critical to political integrity, economic security, and national security of the United States. The Administration has substantially increased the cyber defense budget to support defensive efforts. President Trump has increased executive accountability for cybersecurity risk management by directing department and agency heads to actively manage risks within their respective organizations, and they are now more effectively managing risk based on that direction.
The Administration’s policy is to promote an open, interoperable, secure, and reliable Internet. Active engagement with our counterparts around the world to align our strategic efforts with partners and build capacity that supports those efforts is key to our strategy. It is also the Administration’s policy that all instruments of national power are available to prevent, respond to, and deter malicious cyber activity against the United States. These instruments include diplomatic, military, financial, intelligence, information sharing, and law enforcement capabilities.
As stated in the NSS, “[w]hen faced with the opportunity to take action against malicious actors in cyberspace, the United States will be risk informed, but not risk averse, in considering our options.” The United States will hold countries accountable for their own malicious cyber activity as well as any unchecked malicious cyber activity that originates from their territory. We “will impose swift and costly consequences on foreign governments, criminals, and other actors who undertake significant malicious cyber activities.” To change future behavior, we must not only expose transgressions quickly and publicly, but also take swift action to impose costs on the transgressor. Altering the behavior of malicious cyber actors can only be achieved if we change the calculus of the countries that permit such activities and the people who direct and engage in them.
The EO and the reports it directed will continue to influence U.S. Government policy for years to come. Departments and agencies are making public as much information from the reports as possible to drive a national discussion on how we can work better together to manage cybersecurity risk and deter malicious cyber activity. For more specific information and conclusions, please refer to information departments and agencies are making available:
- Federal Cybersecurity Risk Determination Report and Action Plan and IT Modernization Report Update
- Support to Critical Infrastructure at Greatest Risk and Supporting Transparency in the Marketplace
- Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats
- Assessment of Electricity Disruption Incident Response Capabilities
- Recommendations to the President on Deterring Adversaries and Better Protecting the American People from Cyber Threats and to Protect American Cyber Interests through International Engagement
- Growing and Sustaining the Cybersecurity Workforce
Authors Grant Schneider and Josh Steinman are Senior Directors for the National Security Council’s Cyber Directorate.