President Donald Trump’s executive order on cybersecurity this month tracks the recommendations of a presidential commission that late last year urged federal agency heads to identify and fix weaknesses in the government’s information technology systems.
But cybersecurity experts say it’s less the action many are looking for and more of an indication that the government is still studying the problem.
The order gives agency heads 90 days to file reports and plans with the Homeland Security Department and the Office of Management and Budget, which will come up with a government-wide assessment, including plans to “address immediate budgetary needs necessary to manage risk to the executive branch enterprise.”
Boiled down to its essence, the signing of the order mainly starts the clock on a slew of reports with no specific budget, personnel or timeline for accomplishing those plans.
“Sounds good, but where is the budget?” says David Zetoony, a partner at Bryan Cave who specializes in cybersecurity and data privacy. “There may be many criticisms surrounding the security of various federal agencies, but few believe that agencies didn’t care about security. The question has always been how do you get from point X to point Y given limited budgets, numerous information systems and aging infrastructure.”
Still, the executive order won applause from private sector observers for its pledge to address botnets — networks of web cameras or other easily hacked online devices that are used to carry out attacks — and other systematic attacks against the “internet and communications ecosystem.”
It calls for the Commerce and Homeland Security departments to create an “open and transparent process” with interested parties to collaborate on “dramatically reducing threats” from automated, distributed attacks. A preliminary plan is due to the president in 240 days, with a final report to be filed within one year.
For some, the executive order’s most significant directive is the expressed intent to go on the cyber-offensive. The Defense Department and other Cabinet agencies are directed to report to the president within 90 days “on the nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.”
“Defense isn’t enough, either for the government or the private sector,” argues Brian Finch, a partner at Pillsbury Winthrop Shaw Pittman.
“A real strategy has to be developed and implemented to start suppressing the number of attacks hitting U.S. targets,” Finch says. “Without that, we are stuck with half measures.”