President Donald Trump was supposed to sign a sweeping cybersecurity executive order last month, but delayed its release shortly after meeting with senior national security leaders and industry experts. Since then the focus has been on trying to predict when Trump will hold the signing ceremony.
But worrying about the timing of the final order is far less important than the changes that are likely being made to the content of the order. Those changes—whatever they may be—may very well be the product of Trump’s meeting with senior government and industry cybersecurity professionals. I tend to think changes are being made to restructure a poorly written draft that suffered from lack of interagency coordination.
The draft order, titled “Strengthening U.S. Cyber Security and Capabilities,” calls for several 60- and 100-day assessments of the state of U.S. cybersecurity and the identification of areas of improvement. This largely follows the approach taken by President Barack Obama, who ordered his own 60-day cyberspace review shortly after assuming office.
The most glaring problem with Trump’s order was the complete absence of the FBI—the lead agency responsible for investigating cyber crimes, espionage activities, and attacks against Federal networks. Under Obama’s Presidential Policy Directive 41, the Justice Department and the FBI have been given key roles in national cybersecurity response.
“In view of the fact that significant cyber incidents will often involve at least the possibility of a nation-state actor or have some other national security nexus, the Department of Justice, acting through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force, shall be the Federal lead agency for threat response activities,” states PPD-41, signed in 2016.
Another agency notably left out of the draft order is the State Department. It seems highly unusual for Trump’s first executive order on cybersecurity not to address international coordination and policy issues given the high-profile attacks against U.S. agencies and political organizations that have been traced back to Russia and China.
As many expected, the draft order delegates much of the power and influence over national cybersecurity efforts to the secretary of defense and, to a lesser extent, the secretary of homeland security. Although the secretaries of defense and homeland security are given authority over the reviews of national security systems and civilian agency systems, respectively, there are a couple of notable concerns.
First, the draft order calls upon the director of national intelligence to conduct a review of cyberspace adversary capabilities. But the review would not be a pure intelligence community product. The president’s national security adviser, Michael Flynn, would have a role, as would the secretaries of homeland security and defense.
Second, the order focuses rightly on the national imperative to improve the education system and increase the number of students pursuing science, technology, engineering, and mathematics (STEM) disciplines with an eye toward recruiting new cybersecurity talent to protect Federal networks. But strangely enough, the draft order puts the secretary of defense in charge of making workforce development recommendations to the president.
“The Secretary of Defense shall make recommendations as he sees fit in order to best position the U.S. educational system to maintain its competitive advantage into the future,” the draft order states.
“This order was clearly written by people who don’t necessarily have a handle on what an executive order is yet,” a former CIA cybersecurity professional said, speaking on condition of anonymity. “That said, executive orders are interpretations of existing law and are not meant to be drafted tightly. They want some vagueness in there.”
As for the apparent ascendancy of the Defense Department in national cybersecurity, the CIA officer said it comes as no surprise. “Flynn is going to put the military in front. DHS is going to get washed out of cyber.”
The large role for the Defense Department in the draft order may also be part of the administration’s world view, vis-à-vis Russia and China. And that may mean it is less likely that the final order will diminish the role of the Pentagon. “They may be sending a signal,” the former CIA officer said.