President Donald Trump on Thursday signed a long-delayed cybersecurity executive order that launches sweeping reviews of the federal government’s digital vulnerabilities and directs agencies to adopt specific security practices.
The directive is Trump’s first major action on cyber policy and sets the stage for the administration’s efforts to secure porous federal networks that have been repeatedly infiltrated by digital pranksters, cyber thieves and government-backed hackers from China and Russia.
Story Continued Below
“The trend is going in the wrong direction in cyberspace, and it’s time to stop that trend and reverse it on behalf of the American people,” White House Homeland Security Adviser Tom Bossert told reporters during a Thursday afternoon briefing.
Cyber specialists say the order breaks little new ground but is vastly improved over early drafts, which omitted input from key government policy specialists. The final version, cyber watchers say, essentially reaffirms the gradually emerging cyber policy path of the past two administrations.
But Bossert said that while the Obama administration made “a lot of progress” on cyber, that it didn’t do “nearly enough.”
As POLITICO first reported in late April, the executive order creates a bevy of reviews, including an assessment of the cyber risks at every agency. The executive fiat also orders a review of current efforts to protect vital infrastructure like power plants and hospitals, as well as a report on building the cyber workforce, which is facing significant shortages of well-trained employees.
As part of the executive order’s IT upgrade initiative, administration officials will study the feasibility of transitioning to shared IT services and networks across the government. An estimated 80 percent of the $80 billion federal IT budget goes toward taking care of aging systems.
If the government doesn’t start to use joint IT services — such as cloud computing — Bossert said “we’re going to be behind the eight-ball for a long time.”
Senior Trump adviser Jared Kushner’s Office of American Innovation will play a significant role in the federal IT modernization effort, multiple people tracking the efforts have told POLITICO. Earlier this month, Trump signed an executive order creating the American Technology Council, with Kushner as director, to help coordinate that effort.
A senior administration official told reporters in a background briefing that the tech council would have “the responsibility for managing” the “very difficult implementation process” of modernizing federal IT systems.
Thursday’s signing is the most concrete step Trump has taken to follow through on the numerous vows he made during the campaign and after his November victory regarding cybersecurity.
Once an obscure technical issue far from the political spotlight, cybersecurity has slowly gained prominence in recent years as digital crooks and cyber spies breached major companies like Target and Sony, as well as federal agencies like the Office of Personnel Management, which houses sensitive background check forms.
Trump has also been under pressure to take action after suspected Russian-backed hackers rattled the 2016 presidential election, infiltrating Hillary Clinton’s campaign and strategically leaking documents in what U.S. intelligence officials believe was an attempt to help install Trump in the Oval Office. The FBI is currently conducting an investigation into whether Trump aides coordinated with Moscow at all on the interference campaign.
During the transition between administrations, Trump vowed to get to the bottom of Russia’s alleged digital assault. But so far, Trump has failed to put together a promised team to investigate the hacking, and he has repeatedly suggested that parties other than Moscow may have been responsible.
Trump has also come under fire from both Democrats and some Republicans for his decision to fire FBI Director James Comey earlier this week amid the bureau’s ongoing counterintelligence investigation into whether the Trump campaign colluded at all with the Kremlin on its 2016 hacking operation.
But Thursday’s executive order — which comes as the White House tries to contain the fallout from Comey’s dismissal — does not address Russia’s election-year meddling.
Instead, it follows through on Trump’s campaign promises to examine the digital defenses protecting both the government and private sector, and to establish a plan for better locking down networks that have often left treasure troves of data exposed to hackers.
Bossert told reporters that developing the order “wasn’t a Russian-motivated issue. It was a United States-motivated issue.”
The directive has been in the works for at least three months. It was first set to receive Trump’s signature back in January, but the administration abruptly canceled the signing at the last minute.
The highly anticipated order then underwent several rewrites as Trump filled key jobs — like his cybersecurity coordinator Rob Joyce, the head of the National Security Council’s cyber directorate — and replaced his national security adviser.
Bossert noted that the White House solicited input from a number of cyber-centric Republican lawmakers, including House Homeland Security Chairman Michael McCaul (Texas) and Senate Intelligence Chairman Richard Burr (N.C.). He also said Democratic Sen. Sheldon Whitehouse (R.I.) played a key role, as did former New York Mayor Rudy Giuliani, who is leading an outside commission to gather cyber advice from the private sector.
The order has been finished since early April, and the plan was to release it alongside the directive establishing the Kushner-backed American Technology Council, according to one person familiar with the administration’s planning. But Kushner presented the ATC order to Trump first, and the president signed it, frustrating the NSC’s cyber wing, according to this person.
In addition to the wide-ranging reviews, the latest draft of the order also includes specific cybersecurity directions for government agencies. That draft requires each department chief to adopt the digital defense standards laid out in a cyber framework developed by experts at the National Institute of Standards and Technology, a tech standards-setting agency.
In their individual reports, agency leaders must explain “the strategic, operational, and budgetary considerations” that led to their security choices. The administration believes this section will lead to more accountability among agency heads for their department’s cybersecurity failures.
The order will also create a report on the threat from botnets — armies of remotely hijacked computers that malicious hackers use to debilitate targets with floods of traffic.
The senior administration official said the botnet provision seeks “voluntary” cooperation from the private sector “to reduce significantly botnet attacks.”
There is also a section on improving the country’s ability to deter cyberattacks and working with international partners to build cyber norms.
Bossert said the failure to create such a “deterrence posture” was a major shortcoming of the Obama administration.
“I think the last administration should have done that, had an obligation, and didn’t,” he told reporters, echoing criticisms leveled by many on Capitol Hill.
The order has been widely seen as an opening salvo in the fight to lock down government networks. Amit Yoran, the CEO of cybersecurity firm Tenable, called it an “important step” that “has the potential to force federal agencies to rethink their security strategies.”
Still, Thursday’s signing is unlikely to quell all doubts from cyber specialists that the White House is up to the daunting task of securing the government’s aging networks. Outside experts are particularly worried that the administration still lacks appointees in key cyber posts at DHS and elsewhere.