President Donald Trump on Thursday signed a long-delayed cybersecurity executive order that is expected to launch sweeping reviews of the federal government’s digital vulnerabilities and directs agencies to adopt specific security practices.
The directive is Trump’s first major action on cyber policy and sets the stage for the administration’s efforts to secure porous federal networks that have been repeatedly infiltrated by digital pranksters, cyber thieves and government-backed hackers from China and Russia.
“It’s high time we hold the federal government to the same standard that we’ve been preaching to the private sector, and the president agrees,” a senior administration official told reporters in a briefing. “From a security perspective, it’s imperative that we do this, but it’s also an efficiency and a benefit for the American people.”
While the White House has yet to publish the finished order, POLITICO first obtained a draft in late April that was believed to be the final product.
Cyber specialists who have studied that version said the order breaks little new ground but is vastly improved over early drafts, which omitted input from key government policy specialists. The final version, cyber watchers say, essentially reaffirms the gradually emerging cyber policy path of the past two administrations.
According to the April draft, the executive order will create a bevy of reports, including an assessment of the cyber risks at every agency. That version also orders a review of current efforts to protect vital infrastructure like power plants and hospitals, as well as a report on building the cyber workforce, which is facing significant shortages of well-trained employees.
As part of the executive order’s IT upgrade initiative, administration officials will study the feasibility of transitioning to shared IT services and networks across the government. An estimated 80 percent of the $80 billion federal IT budget goes toward taking care of aging systems.
Senior Trump adviser Jared Kushner’s Office of American Innovation will play a significant role in the federal IT modernization effort, multiple people tracking the efforts have told POLITICO. Earlier this month, Trump signed an executive order creating the American Technology Council, with Kushner as a member, to help coordinate that effort.
The senior administration official said that the tech council would have “the responsibility for managing” the “very difficult implementation process” of modernizing federal IT systems.
“In the last few months, we’ve shortened the pretty long learning curve that other governments have taken years to learn,” the official said. “Instead of rolling out innovation and modernization without thinking through risk and security, we’re actually rolling out both together.”
Thursday’s signing is the most concrete step Trump has taken to follow through on the numerous vows he made during the campaign and after his November victory regarding cybersecurity.
Once an obscure technical issue far from the political spotlight, cybersecurity has slowly gained prominence in recent years as digital crooks and cyber spies breached major companies like Target and Sony, as well as federal agencies like the Office of Personnel Management, which houses sensitive background check forms.
Trump has also been under pressure to take action after suspected Russian-backed hackers rattled the 2016 presidential election, infiltrating Hillary Clinton’s campaign and strategically leaking documents in what U.S. intelligence officials believe was an attempt to help install Trump in the Oval Office. The FBI is currently conducting an investigation into whether Trump aides coordinated with Moscow at all on the interference campaign.
During the transition between administrations, Trump vowed to get to the bottom of Russia’s alleged digital assault. But so far, Trump has failed to put together a promised team to investigate the hacking, and he has repeatedly suggested that parties other than Moscow may have been responsible.
Trump has also come under a barrage of criticism from both Democrats and some Republicans for his decision to fire FBI Director James Comey earlier this week amid the bureau’s ongoing counterintelligence investigation into whether the Trump campaign colluded at all with the Kremlin on its 2016 hacking operation.
But Thursday’s executive order — which comes as the White House tries to contain the fall out from Comey’s dismissal — does not address Russia’s election-year meddling.
Instead, it follows through on Trump’s campaign promises to examine the digital defenses protecting both the government and private sector, and to establish a plan for better locking down networks that have often left treasure troves of data exposed to hackers.
The directive has been in the works for at least three months. It was first set to receive Trump’s signature back in January, but the administration abruptly canceled the signing at the last minute.
The highly anticipated order then underwent several rewrites as Trump filled key jobs — like his cybersecurity coordinator Rob Joyce, the head of the National Security Council’s cyber directorate — and replaced his national security adviser.
The order has been finished since early April, and the plan was to release it alongside the directive establishing the Kushner-backed American Technology Council, according to one person familiar with the administration’s planning. But Kushner presented the ATC order to Trump first, and the president signed it, frustrating the NSC’s cyber wing, according to this person.
In addition to the wide-ranging reviews, the latest draft of the order also includes specific cybersecurity directions for government agencies. That draft requires each department chief to adopt the digital defense standards laid out in a cyber framework developed by experts at the National Institute of Standards and Technology, a tech standards-setting agency.
In their individual reports, agency leaders must explain “the strategic, operational, and budgetary considerations” that led to their security choices. The administration believes this section will lead to more accountability among agency heads for their department’s cybersecurity failures.
The order will also create a report on the consequences of “a power outage associated with a significant cyber incident,” as well as a review of efforts to reduce the threat from botnets, which are armies of remotely hijacked computers that malicious hackers use to debilitate targets with floods of traffic.
The senior administration official said the botnet provision seeks “voluntary coordination among private owners and operators to reduce significantly botnet attacks in the United States of America.”
There is also a section on working with international partners to build cyber norms.
The order has been widely seen as an opening salvo in the fight to lock down government networks. Amit Yoran, the CEO of cybersecurity firm Tenable, called it an “important step” that “has the potential to force federal agencies to rethink their security strategies.”
Still, Thursday’s signing is unlikely to quell all doubts from cyber specialists that the White House is up to the daunting task of securing the government’s aging networks. Outside experts are particularly worried that the administration still lacks appointees in key cyber posts at DHS and elsewhere.