Last week, amidst the whirlwind surrounding the firing of FBI Director James Comey, President Donald Trump signed his long-promised executive order on federal government cybersecurity. While many of the other orders issued by Trump have been politically fraught, this one is not; it’s possibly the least controversial document to be adorned with the president’s signature since his inauguration.
In fact, aside from some of the more Trumpian language in the order, this Executive Order could have easily been issued by the Obama administration. That’s because it largely is based on policies and procedures that were spearheaded by President Obama’s staff.
“My initial reaction to the order is, ‘this is great,'” former National Security Council Director for Cybersecurity Policy Ben Flatgard told Ars. “Trump just endorsed Barack Obama’s cybersecurity policy.” Flatgard was one of the principal authors of the Obama administration’s Cyber National Action Plan (CNAP), published in February of 2016.
The new Trump order, officially entitled “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” builds largely on existing policies and initiatives, and it pushes forward many of the key points of the CNAP. The order also draws directly on the Obama administration’s policies on protecting critical infrastructure, as well as standards for risk management set in the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, also known as the NIST Cybersecurity Framework.
Flatgard said that the order “is directionally sound in many regards. It gives you incremental improvements and progress and some consolidation of stuff we’ve already put in place.” However, he added, “for a new administration, this doesn’t represent big, ambitious plans to really leap forward in terms of how we address cyber threats.”
Philip Reitinger, president and CEO of the Global Cyber Alliance, agreed that the Trump order was at most an incremental step. “I don’t know that I see anything extremely new,” he told Ars. Still, Reitinger said that this executive order is still important—in that it puts the force of a presidential signature behind those policies and initiatives, and it “doubles down” on some past approaches. Trump’s order also adds a level of detail that “shows the degree to which the language of cybersecurity has percolated to the upper levels of government,” Reitinger explained.
Ars requested an interview with a White House official about the executive order; so far, there has been no response.
In many respects, the absence of big, ambitious plans may be a good thing. Despite Trump’s campaign bluster about “the cyber,” the federal government was already making significant steps forward in the wake of the Office of Personnel Management breach and the “cyber-sprint” that followed. The adoption by the Trump order of the direction set by the Obama administration is, in part, indicative of how non-political federal government cybersecurity policy is (or at least should be).
But the level of detail in the order, compared to the draft order that was nearly signed back in early February, is also an indication of just how far the Trump administration has come in the past two months.
The initial draft executive order, leaked in February, consisted largely of a call for a series of reports from federal agencies—some of them within 60 days. The order was pulled back the day it was scheduled to be signed, based on feedback from agency heads who weren’t consulted in advance, according to several government sources Ars spoke with.
The pulled order was also drafted before the White House had even filled positions on the National Security Council’s cybersecurity policy staff. Despite naming former New York City Mayor Rudolph Giuliani as head of an ill-defined cyber task force, the Trump administration struggled early on to fill policy roles on the National Security Council.
Joshua Steinman, a Navy Reserve officer who left the Defense Department to work at a cyber-security firm, was brought on as a cybersecurity director for NSC in January, just days after the inauguration. It’s not clear what role Steinman played in the initial draft of the order or who else was on the cybersecurity policy team at the NSC. A source who participated in a NSC cybersecurity briefing told Ars that, in February, most of the roles on the team were being filled by recent college graduates.
An NSC spokesperson declined to provide Ars with information on the NSC’s cybersecurity directorate staff. Since then, all queries have gone ignored. A webpage on the White House site for the NSC, which previously listed key staffers, is still blank.
There was no further forward motion on the order for over a month, likely because other problems within the NSC needed to be dealt with. The role of White House cybersecurity policy coordinator was finally filled on March 15 when the administration announced that the job would be taken by Rob Joyce, the former chief of the National Security Agency Tailored Access Office.
The final order goes into much greater depth on policy goals and the means to achieve them. Reitinger said it’s clear that a great deal of feedback from Department of Homeland Security, Department of Justice, and Department of Commerce officials is reflected in the final order.