President Donald Trump signed an executive order on Thursday that aims to protect the U.S. from cybersecurity risks, including computer hacking. The news comes just days after Trump fired the nation’s former FBI director, James Comey, who was conducting an investigation into the alleged Russian hacking of the Democratic Party and its 2016 candidate, Hillary Clinton. In March, Comey revealed the FBI was also investigating whether the Trump campaign had colluded with Russian intelligence officials in an effort to influence the election. The Trump campaign has denied any wrongdoing, insisting that the president fired Comey over the director’s poor handling of the investigation.
Trump, meanwhile, has vowed to make the issue of foreign hacking a top priority for his administration. Following a January meeting with senior U.S. intel officials, including Comey, Trump said he would appoint a team to review America’s cybersecurity efforts within 90 days of assuming office. On the day of the deadline, White House spokeswoman Lindsey Walters said the president had “appointed a diverse set of executives with both government and private sector expertise” to develop a cybersecurity plan, but produced no evidence that a plan was in fact forthcoming. The president was originally scheduled to sign an executive order on cybersecurity following a panel on January 31, but the signing was cancelled without explanation.
Thursday’s executive order, then, was the subject of much anticipation—and the product of several missed deadlines. As Trump’s first major policy action pertaining to cybersecurity, it marks an important milestone in an era when cyberattacks have become a trademark of the geopolitical landscape. Still, the final product is far from revelatory. Cyber experts say the executive order is a natural progression from the policies of the Obama and Bush administrations, with White House Homeland Security Adviser Tom Bossert telling reporters that the document sought to improve upon efforts made under Obama.
While cybersecurity specialists criticized previous drafts for lacking input from federal agencies and policy experts, reviews of the latest executive order were largely positive. Speaking to Reuters, Michael Daniel, an Obama-era White House cybersecurity coordinator, expressed his approval, but highlighted the need for further action, calling the executive order “a plan for a plan.”
So, what does the new order realistically accomplish? For the most part, it focuses on reviews of government agencies and outdated IT networks. The order calls for the heads of federal agencies to adopt a framework developed by the National Institute of Standards and Technology, which hopes to hold agencies accountable for their assessment and mitigation of cyber risk. Within 90 days, agencies must deliver a risk-management report outlining their plan for implementing the framework and explaining the “strategic, operational, and budgetary considerations” that informed their previous decisions. The administration will also conduct reviews of the cybersecurity risks for each agency.
The order also includes an IT-upgrade initiative, which aims to sync information technology services and networks across government agencies. Most importantly, the administration seeks to modernize aging federal IT systems. A May 2016 report from the U.S. Government Accountability Office found that the federal government spent 75 percent of its 2015 budget for IT—around $61 billion—on operations and maintenance.
In addition to these savings, the executive order establishes a review of current efforts to protect America’s infrastructure—including power plants, hospitals, and the financial sector—from cyberattacks. The order also hopes to expand America’s cyber workforce and engage the private sector in protecting against botnets, or networks of compromised computers remotely controlled by cybercriminals.
Curiously, the executive order makes no mention of Russia’s election interference, despite it being one of the most concerning breaches of national cybersecurity in U.S. election history. While Trump has acknowledged the existence of Russian hacking, he has long maintained that it played no role in the 2016 U.S. election. Even after his meeting with intel officials in January, Trump seemed convinced that information regarding Russia’s role in the election was nothing more than a “political witch hunt.”
In a statement on January 6, Trump admitted that “Russia, China, other countries, outside groups, and people are consistently trying to break through the cyber infrastructure of our governmental institutions, businesses, and organizations, including the [Democratic] National Committee.” Still, he said, these security breaches had “absolutely no effect on the outcome of the election, including the fact that there was no tampering whatsoever with voting machines.” On Thursday, Trump signed another executive order to investigate possible instances of voter fraud in federal elections.