Trump's cybersecurity executive order met with mixed reviews

The order asks for a full review of all cyber capabilities in an effort to strengthen federal systems, but that might be tough — if not impossible — given the timeline.
Written by Zack Whittaker, Contributor

Trump signs an executive order earlier this year. (Image: file photo)

NEW YORK -- President Trump has signed a long-delayed executive order, which sets up a number of cybersecurity reviews across the federal government, but does not make any immediate sweeping changes to US policy.

The order instructs agency and department heads to use cybersecurity best practices from the private sector to further secure their departmental systems, ahead of a wider effort to modernize cybersecurity across government.

The order doesn't spell out immediate changes to the government's approach to cybersecurity or offensive capabilities, but instead calls for a thorough review of all cyber capabilities and vulnerabilities in order to determine recommendations for strengthening federal systems.

White House Homeland Security advisor Tom Bossert said at a press briefing Thursday that the order aimed to build on similar efforts made by the prior administration. Bossert said the Obama administration had made "a lot of progress," but it was "not enough."

According to the text of the order: "The executive branch has for too long accepted antiquated and difficult-to-defend IT. Effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity."

Government agencies and departments now have 90 days to carry out the risk management report.

"It's just not feasible," said Dan Tentler, founder of security firm Phobos Group, in an earlier phone call. (Tentler recently made headlines for finding a slew of vulnerable servers at the Pentagon.)

"The government is largely full of old, antiquated gear which the National Security Agency (and now basically anybody who can Google hard enough) has exploits for," he said. "Unless they decide to be a bit more specific regarding risk, any 'risk report' that comes from a high level division of the government will probably be a picture of a guy with his head on fire, and 600 pages of screaming."

The director of the Office of Management and Budget, along with other senior government officials, will then have a further three months to submit a report to the president which, among other things, outlines the government's plan to "adequately protect the executive branch enterprise."

"They're going to find themselves in a situation where they have zero intel on a chunk of the government and are faced with coming up with a written plan to fix problems," said Tentler.

"They won't know what the problems are and without that there's no way to draw up an actionable plan on how to fix anything," he added.

"At best, we'll see a kind of haphazard, patchwork of fixes made of band-aids, superglue, and those little plastic bag ties from grocery store bread," he said. "The most likely outcome, I wager, is that the executive branch gets a glimpse at just how ancient some of this gear is and they'll have to re-issue this executive order," he said.

"There's just no way this can be done in 90 days," he said.

That said, there are some more positive elements to the order.

The Sunlight Foundation, a non-profit focused on open government, praised in a tweet the part of the order that directs agencies to immediately begin using the National Institute of Standards and Technology's cybersecurity framework to manage risk.

Mike Overly, a privacy and data security lawyer at Foley & Lardner LLP, who was involved in the executive order early on, said the framework is "designed to address critical infrastructure entities, such as governmental agencies, power distribution, banking," and "can provide guidance to other types of organizations, but needs to be scaled accordingly."

The order also calls for an examination of whether agencies should transition to shared IT services and consolidated networks across the federal government.

A provision in the order also tasks the Department of Homeland Security and the Department of Commerce to "jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce."

From campaign promise to presidential decree, it's taken three months to get to Trump signing the order.

Trump almost signed an earlier draft of Thursday's order just days after taking office in January, but the effort was pulled back in order to solicit more details and feedback from agencies and experts.

Sister-site CBS News reported in late January that prior to signing the order, the president held a "listening session," which included Trump's national security and homeland security advisors.

Former New York mayor Rudy Giuliani was involved in setting up the meeting, though his private sector cybersecurity business interests remain unclear. Homeland Security advisor Bossert praised Giuliani's assistance during the press conference Thursday.
