COMMENTARY: Where's the cyber EO among all the Trump executive orders?
Gettyimages.com/ gorodenkoff
While the White House pushes for government efficiency, federal agencies and contractors await critical cybersecurity guidance.
The Trump administration has moved swiftly to issue numerous executive orders in its first several weeks, but one critical topic remains absent: cybersecurity.
While the Department of Government Efficiency has been tasked with “modernizing federal technology and software to maximize government efficiency and productivity,” little direction has been provided on cybersecurity priorities. Without clear federal cyber guidance, agencies and industry partners are left without a roadmap, potentially increasing their vulnerability to evolving threats and creating uncertainty around strategies and budgets.
The Current Threats Agencies Face
Cyber threats are growing and becoming more sophisticated. A recent study found that 88 percent of organizations experienced one or more ransomware attacks in the past three to 12 months. Agencies are not isolated from such attacks. According to a recent hearing from the House Committee on Homeland Security, federal agencies were the third-most targeted sector for ransomware attacks in 2023.
The current administration itself was a target of a cyber incident during their campaign. To keep pace with adversaries, agencies must have guidance in place now, not tomorrow and certainly not a year or two.
The administration has demonstrated their ability to drive change rapidly – since Jan. 20 they have taken a blowtorch to the slow, glacial pace of how government typically operates. That same sense of urgency must be applied to cybersecurity.
Simultaneously, as the administration focuses on efficiency, it’s important they foster an environment that allows agencies to work efficiently on their cybersecurity strategies. Without clear guidance, agencies risk misallocating resources, pursuing misaligned objectives, or even taking a “wait and see” approach. The administration needs to provide clarity on existing cybersecurity directives: Should agencies continue current initiatives, expect modifications, or prepare for an entirely new security framework?
Consequently, the Trump administration has taken cybersecurity seriously in the past. The first Trump administration published EO13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which outlined ways to reduce national cybersecurity risk and modernize federal IT infrastructure. This order was carried through the Biden administration and played a role in shaping agencies cybersecurity strategies. The question remains: Does the Trump administration have different cybersecurity priorities for its second term?
The Budgetary Impact
The lack of cybersecurity guidance also has direct budgetary implications. Federal cybersecurity funding has long been inconsistent, with agencies struggling to secure dedicated resources for modernization. Without a clear direction from the administration, agencies may delay cybersecurity investments, leading to additional inefficiencies and increased threat exposure. There's also the risk of wasteful spending, as agencies might invest in solutions that later require replacement to comply with new directives. Long-term budget planning becomes particularly challenging without understanding strategic priorities.
Furthermore, cyber is absent in the Senate budget framework – leaving agencies in the dark and potentially creating a ripple effect across both government and industry.
Navigating the Uncertainty
Industry partners and contractors are also experiencing challenges. Some contractors have already experienced disruptions through contract terminations and stop work orders. Should the administration implement guidance that significantly diverges from previous directives, contractors may face additional delays due to shifting priorities.
However, there are still steps that agencies, industry partners, and contractors can take to mitigate cyber risks. At a time where tensions are high, and resources limited, continuing with cyber hygiene basics is more important than ever.
Practicing cyber hygiene through regular data backups, device updates, continuous network visibility, multi-factor authentication, and fostering cyber literacy is instrumental in reducing risk exposure and proactively defending against cyberattacks.
Industry partners and contractors should continue to collaborate with agencies on maintaining basic cybersecurity measures such as, real-time visibility, identifying vulnerabilities, blocking known ransomware points, and strategic asset segmentation – just to name a few.
Lastly, it’s crucial that agencies, industry partners, and contractors become adaptable and pivot to the new administration’s changing needs and priorities. They must remain updated on the impacts future guidance has on their work and identify opportunities that enable mission readiness and cyber resilient.
Agencies Must Remain Proactive
The administration has emphasized modernization and efficiency across government operations. For agencies and industry to align with these efforts, well-defined federal cyber guidance is essential.
In the interim, agencies and their industry partners must remain proactive in protecting our national security. The threats are not waiting, and neither should our cybersecurity efforts.
Gary Barlet is the public sector chief technology officer at Illumio, where he works with government agencies, contractors and the broader ecosystem to incorporate Zero Trust Segmentation, or microsegmentation, as a strategic enabler of Zero Trust architecture.