President Donald Trump signed an executive order Thursday targeting the federal government’s notorious vulnerability to cyber threats, mandating one set of standards and making the heads of each government agency responsible for security.
“The United States invented the internet and we need to better use it,” Tom Bossert, Trump’s homeland security adviser, said at a briefing on the order for reporters. “There will always be risk, and we need to address that risk.”
Trump had been scheduled to sign the order on Jan. 31, but that signing was postponed without explanation.
The new order puts responsibility for cybersecurity squarely on the shoulders of the director of every federal agency, making it more difficult for executives to pass the buck to their information technology staffs every time a new breach is discovered.
“Risk management decisions made by agency heads can affect the risk to the executive branch as a whole,” according to the order. “Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy and human resources.”
Drafts of the order have been widely circulated for months, but the version Trump signed Thursday includes a major and unexpected initiative: moving as much of the government’s cyberdefense system to “the cloud” as possible.
That provision effectively establishes a single structure centralizing all federal IT networks.
“We’ve got to move to the cloud and try to protect ourselves instead of fracturing our security posture,” Bossert said, adding: “If we don’t move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts.”
Specifically, the order directs all federal agencies to adopt cybersecurity policies drawn up by the National Institute of Standards and Technology — policies that were issued years ago but that the government itself has never adopted.