Trump abruptly punts on order to hold Cabinet accountable for cyber failures – Politico

President Donald Trump will sign an executive order establishing the directive “in the near future.” | Getty

01/31/17 11:38 AM EST

Updated 01/31/17 06:31 PM EST

Confusion reigned Tuesday as the Trump administration abruptly delayed an executive order meant to put the onus on Cabinet officials to secure data at their respective agencies.

But the White House insisted the president will sign the order “in the near future,” citing a last-minute schedule change as the reason for the holdup.

Once it’s official, the order will give a high-level view of how the Trump administration wants to approach cybersecurity. It’s an order that cyber specialists say breaks little new ground, but appropriately continues the slowly developing cyber path of the past two administrations.

A Department of Homeland Security official told POLITICO that the agency’s senior cyber experts helped develop the order’s wording, a notable inclusion given ongoing concerns that Trump’s team is evading normal bureaucratic channels.

Trump outlined the goals of the directive after a Tuesday meeting of senior government officials and outside experts.

“I will hold my Cabinet secretaries and agency heads accountable, totally accountable, for the cybersecurity of their organizations, which we probably don’t have as much — certainly not as much as we need,” Trump said.

“We must protect federal networks and data,” the president added. “We operate these networks on behalf of the American people, and they are very important and very sacred.”

The missive will be Trump’s first move to lock down the country’s networks after an election rattled by cyberattacks.

But the directive will not address the alleged Russian digital assault that roiled the 2016 presidential election and undermined Democrats, including Trump’s rival Hillary Clinton.

Instead, the order is meant to bolster the government’s own networks, which have been repeatedly breached in recent years by countries believed to include Russia and China.

While Trump and his team stressed that some of the changes were “long overdue,” it is not immediately clear how, exactly, the order will change the Obama administration’s cyber policy.

Several former Obama cyber officials pointed out that federal law already makes agency heads responsible for data security strategy and implementation at their organizations, and that former President Barack Obama had sent similar messages to his Cabinet.

They noted Trump’s team might not be prepared to issue anything more fulsome, given staffing gaps in top cyber positions within the White House’s National Security Council.

“The prior administration had a well-staffed NSC and had identified Cabinet folks and their subordinates, who were in place at this point,” said Megan Stifel, who served as the NSC’s director for international cyber policy from 2013 to 2014. “This administration doesn’t have that, [nor do they have] the second- and third-layer policymakers in place.”

But digital specialists agreed it is important to have the new president put his Cabinet members on notice that their jobs may hinge on digital security, even if the order itself is mostly an extension of an approach that started with former President George W. Bush.

“It feels like it’s a continuation of a policy framework that has now carried through three presidents,” said Jake Olcott, a former cyber-focused congressional aide for the Senate Commerce Committee and House Homeland Security Committee.

Still, he added, such an order is “really important,” and “a good way of just setting the groundwork.”

A DHS official told POLITICO that the agency was both consulted and helped craft the directive, which appears to have changed significantly from an early draft that circulated last week.

The DHS involvement stands out given questions about how much notice the agency was given before Trump issued his recent order restricting immigration.

As part of the cyber order, the Office of Management and Budget will conduct a government-wide study of federal data security and make recommendations for upgrades. The senior administration official said the OMB directive is an attempt to get away from an agency-by-agency assessment of cybersecurity risks.

“This will be critical,” a senior administration official told reporters in an early Tuesday briefing, “and it’s a long overdue step.”

Additionally, the executive fiat will direct agencies to implement a cybersecurity framework created in recent years by the National Institute of Standards and Technology, which establishes expert guidelines.

The framework proselytizes a risk-based security approach, encouraging organizations to direct resources to the systems most at risk of being infiltrated. The Obama administration long encouraged its adoption across both the government and private sector.

Trump’s order will also direct the DHS secretary to work more closely with the private-sector owners of the nation’s critical infrastructure, such as the financial sector and hospitals.

“We will protect our critical infrastructure such as power plants and electrical grids,” Trump told reporters at the cyber meeting. “The electrical grid problem is a problem, but we’ll have it solved relatively soon.”

Notably, the directive will include “a section discussing the attempts and the Cabinet’s recommendations on [maintaining] a free and open internet from foreign attack and anyone that would seek to undermine the internet’s viability or corrupt its awesomeness,” according to the senior administration official, who did not provide specifics.

The executive order will not ask Congress to create new legislation or to allocate new funding for upgraded computer systems. But the official said it was “fair to say that Congress will be a key partner on” implementing the executive order, “especially modernization of IT.”

In preparing Trump’s new directive, the White House studied recent cyber recommendations from Obama’s cybersecurity commission, the Center for Strategic and International Studies and other groups.

“We have taken some of those recommendations,” the official said.

The administration is also not reversing former DHS Secretary Jeh Johnson’s controversial decision to dub the election system “critical infrastructure.” Johnson’s 11th-hour directive, issued at the end of 2016, riled some state election officials who saw it as federal overreach.

But the move is “not contemplated” in the executive order, the official said. Newly confirmed DHS Secretary John Kelly “inherited that responsibility, and that will remain.”

“I don’t want this to sound like a pre-baked campaign promise,” the official told reporters. “This was President Trump, and then-President-elect Trump, pointing out the obvious, and that is that cyberattacks … have clearly increased in terms of their appearance” in public life.

Cory Bennett and Tim Starks contributed to this report.
