WASHINGTON (Reuters) - U.S. President Donald Trump signed an executive order on Thursday to bolster the government’s cyber security and protect critical infrastructure from cyber attacks, marking his first significant action to address what he has called a top priority.
The order seeks to improve the often-maligned network security of U.S. government agencies, from which foreign governments and other hackers have pilfered millions of personal records and other forms of sensitive data in recent years.
The White House said the order also aimed to enhance protection of infrastructure such as the energy grid and financial sector from sophisticated attacks that officials have warned could pose a national security threat or cripple parts of the economy.
The directive, which drew largely favourable reviews from cyber experts and industry groups, also lays out goals to develop a more robust cyber deterrence strategy, in part by forging strong cooperation with U.S. allies in cyberspace.
White House homeland security adviser Tom Bossert said the order sought to build on efforts undertaken by the former Obama administration.
Among the notable changes, heads of federal agencies must use a framework developed by the National Institute of Standards and Technology to assess and manage cyber risk, and prepare a report within 90 days documenting how they will implement it.
The Obama administration had encouraged the private sector to adopt the voluntary NIST framework. But it did not require government agencies to do so, which opened the administration up to criticism as it frequently scrambled to respond to major hacks, such as the theft of more than 20 million personnel records from the Office of Personnel Management.
Government agencies would now “practice what they preach,” Bossert told reporters during a White House briefing. “A lot of progress was made in the last administration, but not nearly enough.”
Michael Daniel, who served as White House cyber security coordinator under former Democratic President Barack Obama, generally praised the order but said it was largely “a plan for a plan.”
Trump, a Republican, has also asked agencies to review their federal workforce’s cyber talent, an area where the government has faced a growing shortfall of qualified personnel in recent years.
The order calls for an examination of the impact of moving agencies toward a shared information technology environment, such as through cloud computing services. It also urges voluntary cooperation with the private sector to develop better strategies to fend off and reduce attacks from botnets, or networks of infected devices.
Trump nearly signed a cyber security measure just days into his presidency in January, but it was pulled back to allow for more input from federal agencies and consultation with experts.
Before taking office, Trump said he intended to make cyber security a priority of his administration. But he has raised alarm among cyber security experts by frequently using a personal Twitter account that could be hacked by an adversary. His scepticism of the conclusion by U.S. intelligence agencies that Russia hacked Democratic emails during the election to help him win has drawn criticism.
Russia has repeatedly denied assertions it used cyber means to meddle in the U.S. election.
Bossert said Russia’s alleged hacks were not a motivation for the order, adding that “the Russians are not our only adversary on the internet.”
Reporting by Dustin Volz; Editing by David Gregorio and Peter Cooney