Trump shifts cyberattack readiness to state and local governments in wake of info-sharing cuts

On March 19, the White House issued the first executive order (EO) to directly address cybersecurity policies under Trump’s second term. The order, “Achieving Efficiency Through State and Local Preparedness,” pushes down to state and local governments an elevated responsibility for emergency preparedness “supported by a competent, accessible, and efficient Federal Government.”

“Citizens are the immediate beneficiaries of sound local decisions and investments designed to address risks, including cyberattacks, wildfires, hurricanes, and space weather,” the EO states. “When States are empowered to make smart infrastructure choices, taxpayers benefit.”

Within this executive order, Bob Kolasky, SVP of critical infrastructure at Exiger and founding director of CISA’s National Risk Management Center, sees “a new way of looking at what the priorities are for critical infrastructure security for cyberattacks.”

“There’s an element of talking about shifts in roles and responsibilities and who owns certain elements of the burdens,” he tells CSO. “That’s certainly part of the overall state-local change where it’s trying to say, ‘Okay, the role of state and local governments is to get us prepared.’”

But, according to experts, the order also raises questions about how cash-strapped state and local governments can pay for the increased responsibilities.

Moreover, local CISOs and CIOs who have participated in state and local cybersecurity information-sharing organizations might have nowhere to go to discuss many of the EO’s objectives following the Trump administration’s cutback or elimination of federal organizations that previously facilitated these discussions.

What the EO requires

The EO outlines five broad actions to facilitate states and local governments taking on a more significant role in critical infrastructure resilience and preparedness. These actions include:

Creating a national resilience strategy

The EO requires the assistant to the President for national security affairs (APNSA), in coordination with the assistant to the President for economic policy and the heads of relevant executive departments and agencies, to publish within 90 days (by June 17) a National Resilience Strategy that articulates the priorities, means, and ways to advance the resilience of the nation.

Creating a national critical infrastructure policy

The order says that within 180 days (by Sept. 15) the APNSA, in coordination with the director of the Office of Science and Technology Policy and the heads of relevant agencies, should review all critical infrastructure policies and recommend to the President the revisions, “recissions, and replacements necessary to achieve a more resilient posture.”

It also suggests the new posture should shift critical infrastructure policy from an all-hazards approach to a risk-informed approach and move beyond information sharing to action. Although the EO deals with all emergencies, this shift in approach may impact cybersecurity-related emergencies the most.

“We do exercises and plan for earthquakes and windstorms and asteroid strikes and wildfires and hurricanes, all that stuff,” Mike Hamilton, CISO of Lumifi Cyber and former CISO of Seattle, tells CSO. “That’s an all-hazards approach and stretches resources if you’re trying to worry about all those things.”

But, he says, “Going to a risk-based approach means you have to concentrate on the thing that is most likely to happen and its impact. The most likely thing to happen is not an earthquake, although that will happen someday. The most likely thing to happen is a cyberattack against critical infrastructure that is destabilizing and disruptive.”

Creating a national continuity policy

Under the EO, within 180 days (by Sept. 15) the APNSA, in coordination with the heads of relevant agencies, must review all national continuity policies and propose recommended changes to develop a new national continuity policy.

Developing new preparedness and response policies

The order directs the APNSA, in coordination with the heads of relevant agencies and informed by the reports and findings of the Federal Emergency Management Agency (FEMA) Council, to revise or replace national preparedness and response policies within 240 days (by Nov. 14) as needed in order to reformulate the process and metrics for federal responsibility, move away from an all-hazards approach, and implement the National Resilience Strategy.

Creating a national risk register

Under the order, within 240 days (by Nov. 14), the APNSA, in coordination with the director of the Office of Management and Budget (OMB) and the heads of relevant agencies, must create a national risk register that “identifies, articulates, and quantifies natural and malign risks to our national infrastructure, related systems, and their users.” The register will inform the intelligence community, private sector investments, state investments, and federal budget priorities, according to the EO.

No funding for local cyber emergencies

The EO is silent, however, on how states and local governments will pick up the costs of their new responsibilities. “It looks like an unfunded mandate,” Lumifi’s Hamilton says. “There’s an enumeration of a whole bunch of federal policies, standards, etc., and it says, ‘States, you got to do all this stuff that the federal government has been doing,’ but there’s no mention of funding in there.”

“This EO devolves the risk and the management to states and local entities,” Munish Walther-Puri, former director of cyber risk for New York City Cyber Command and currently adjunct faculty at the Center for Global Affairs at NYU, tells CSO. “That would be fine in a world where they also had the resources and the capacity to execute on that risk management. But they don’t.”

Walther-Puri says that at one level, it’s logical to push emergency preparedness down to the local level because disasters are local. But he says, “Where there’s a mismatch is that these state and local governments don’t have those resources, and they’re not getting funding or investment. State and local entities are already outgunned and underfunded, especially against nation-states.”

He adds, “As this federal safety net is taken away, state and local governments are left to navigate this on their own with fewer and fewer lifelines. Therefore, we should not be surprised when there are greater consequences of those local cyber emergencies.”

The loss of information-sharing groups could hamper the process

The EO comes on the heels of a $10 million funding cut that hits the operations of the Multi-State Information Sharing and Analysis Center (MS-ISAC). It also follows the severing of support for the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). Both groups were operated by the nonprofit organization the Center for Internet Security (CIS).

These cutbacks came after Homeland Security Secretary Kristi Noem’s decision to eliminate the Critical Infrastructure Partnership Advisory Council (CIPAC), which enabled the free flow of sensitive information between government and industry without fear of disclosure.

All three of these groups served as forums to support federal government communications with state and local entities. However, the cooperative agreement between CISA and CIS, which operates the MS-ISAC, is still in place. CISA currently has allocated $25 million to CIS, which represents just over 70% of the initially planned funding, and nothing is stopping CIS from allocating funds to get the EI-ISAC going again.

Nevertheless, experts say that new information-sharing mechanisms must be put in place if the EO is to attain its objectives.

“There needs to be a state and local information-sharing mechanism,” Kolasky says. “If it’s not the MS-ISAC, something needs to be established in its place, even if it’s not federally funded. But if that doesn’t happen, state and local governments will be on their back foot for cybersecurity.”

Without some replacement for the MS-ISAC and CIPAC, local CIOs and CISOs might be left out in the cold. “The MS-ISAC was an effective coordinating structure with state and local CIOs and CISOs,” Kolasky says. “Absent the MS-ISAC in place, I don’t know what the existing coordinating structure for a broad set of state and local CISOs and CIOs would be.”

Unless the federal government re-creates information-sharing groups, states must mount “that information-sharing mechanism so that state governments and the private sector are talking, sharing information, sharing threat intel,” Hamilton says. “We’re going to have to replace the fact that the federal government was doing that for us.”

“CISA will work with state and local officials to ensure they have the information and support they need to make these decisions and improve their resilience,” a spokesman for CISA tells CSO.
