While President Donald Trump is using his pen on hyperdrive signing all of his executive orders, he’s adding cybersecurity to the mix to fend off hackers today. The order will commission a review of the federal government’s defenses and abilities in this area, something that Barack Obama also did when he took office.
As can be seen in the draft of the order below, this gives a summary of review measures that Trump would like federal agencies to use, but it also raises many more questions about his new policy on cybersecurity than it actually answers.
One noticeable omission is voting systems. With Trump crying ‘voter fraud’ so much, you would have thought that they would have been included under the area of critical infrastructure, but they are oddly missing.
Trump questioned intelligence community reports that the Russian government ordered hacking campaigns designed to influence the outcome of the election, and has alternately claimed that the election that landed him in office was not tampered with or claimed that 3 million people voted illegally.
The order also does not contain clues about whether the Trump administration will attempt to regulate private internet companies on cybersecurity issues or take a more hands-off approach. During the campaign season, Trump backed the FBI in its battle with Apple over creating a backdoor to its own devices. But the draft order does not address encryption, merely noting, “The Internet is a vital national resource.”
A lingering question left over from the Obama administration also goes unanswered in Trump’s first significant action on cybersecurity: What should the norms of escalation in cyberspace be? Obama was criticized for doing too little, too late when he sanctioned Russian officials and businesses in December, but the former president cautioned that he did not want to trigger an “arms race.” The State Department and the United Nations have been working to develop rules of engagement, and it remains uncertain what position Trump will take on the question.
Trump’s order will give the Department of Defense 60 days to conduct a review of national security systems for vulnerabilities and 60 days for the Department of Homeland Security to review “protection of the most critical civilian Federal Government, public, and private sector infrastructure.” The Director of National Intelligence will conduct a review of cyber adversaries — it will be interesting to see the role Russia plays in this report — and the Department of Commerce will review its efforts to encourage businesses to adopt better cybersecurity practices.
The draft executive order does not assign a role to the Federal Bureau of Investigation, Lawfare notes. The FBI assumed significant cybersecurity responsibilities under the Obama administration. “Perhaps this is an omission that will be corrected in a later draft,” Lawfare writes. “However, if the FBI remains absent from this EO, they will be the agency with the most to lose out of this process.”
President Donald Trump is planning to sign an executive order aimed at improving the government’s ability to protect its computer networks and fend off hackers.
The move puts the head of the Office of Management and Budget in charge of cybersecurity efforts within the executive branch and directs federal agency directors to develop their own plans to modernize their infrastructure.
Such a review has become a familiar move for an incoming administration wanting to put its own stamp on cybersecurity. But this year, the push follows allegations of election-season hacking by the Russian government.
U.S. intelligence officials have told Trump that Moscow tried to influence voters by hacking Democratic emails and trolling social media sites. Trump has sought to downplay the role Russia played in the election.
“The executive order is the first step the president is taking to address new security challenges of the 21st century,” White House spokesman Sean Spicer told reporters Tuesday.
President Barack Obama directed his own comprehensive 60-day, “clean slate” cyberspace policy review in 2009. That review built on the aims President George W. Bush laid out in 2003, which called for creating a cybersecurity response system, establishing a threat and vulnerability reduction program, better cybersecurity training and the securing of the government’s systems.
But in other ways, it was another turn at reinventing the wheel, cybersecurity experts say.
The previous administration also conducted a 30-day “cyber sprint,” requiring agencies to assess their security after more than 21 million people had their personal information stolen from the Office of Personnel Management in what the U.S. believes was a Chinese espionage operation. The Office of Management and Budget also worked on an analysis of agencies’ “high-value assets” in 2015.
Experts say such information will still be valuable.
“They ought to fully leverage all of that information that’s already done (to) accelerate their review,” said retired Air Force Gen. Greg Touhill, who was picked by Obama to serve as the nation’s first federal chief information security officer.
Former U.S. officials and cybersecurity experts say cybersecurity has become more urgent as more people, objects such as cars and homes, and critical infrastructure are connected to the internet. At the same time, it’s become easier and cheaper for hackers to attack networks from anywhere in the world.