Thursday’s executive order, then, was the subject of much anticipation—and the product of several missed deadlines. As Trump’s first major policy action pertaining to cybersecurity, it marks an important milestone in an era when cyberattacks have become a trademark of the geopolitical landscape. Still, the final product is far from revelatory. Cyber experts say the executive order is a natural progression from the policies of the Obama and Bush administrations, with White House Homeland Security Adviser Tom Bossert telling reporters that the document sought to improve upon efforts made under Obama.
While cybersecurity specialists criticized previous drafts for lacking input from federal agencies and policy experts, reviews of the latest executive order were largely positive. Speaking to Reuters, Michael Daniel, an Obama-era White House cybersecurity coordinator, expressed his approval, but highlighted the need for further action, calling the executive order “a plan for a plan.”
So, what does the new order realistically accomplish? For the most part, it focuses on reviews of government agencies and outdated IT networks. The order calls for the heads of federal agencies to adopt a framework developed by the National Institute of Standards and Technology, which is intended to hold agencies accountable for their assessment and mitigation of cyber risk. Within 90 days, agencies must deliver a risk-management report outlining their plan for implementing the framework and explaining the “strategic, operational, and budgetary considerations” that informed their previous decisions. The administration will also conduct reviews of the cybersecurity risks for each agency.
The order also includes an IT-upgrade initiative, which aims to sync information technology services and networks across government agencies. Most importantly, the administration seeks to modernize aging federal IT systems. A May 2016 report from the U.S. Government Accountability Office found that the federal government spent 75 percent of its 2015 budget for IT—around $61 billion—on operations and maintenance.
In addition to these savings, the executive order establishes a review of current efforts to protect America’s infrastructure—including power plants, hospitals, and the financial sector—from cyberattacks. The order also hopes to expand America’s cyber workforce and engage the private sector in protecting against botnets, or networks of private computers remotely controlled by cybercriminals.
Curiously, the executive order makes no mention of Russia’s election interference, despite it being one of the most concerning breaches of national cybersecurity in U.S. election history. While Trump has acknowledged the existence of Russian hacking, he has long maintained that it played no role in the 2016 U.S. election. Even after his meeting with intel officials in January, Trump seemed convinced that information regarding Russia’s role in the election was nothing more than a “political witch hunt.”