US President Donald Trump will order a 60-day report on the state of the nation's cybersecurity, complete with recommendations on whether new legal powers are required.
That's according to a draft executive order leaked to The Washington Post and posted online.
For the most part, the draft [PDF] reflects the persistent position of the US government – namely that cyberspace is a vital national resource, a source of significant innovation and economic value, and the government should ensure its security and actively defend it.
The executive order also notes that the internet is "currently vulnerable to attacks from both state and non-state actors" "that impose significant costs on the US economy and significantly harm vital national interests" and could lead to "significant property damage and loss of life."
Where the order starts to veer away from the policies of the previous administration, however, comes in the degree of importance placed on the internet strategically, and by extension the amount of influence that the US government should be given over the internet – which remains a global network of largely private servers communicating with one another.
From the draft order:
Cyberspace has emerged as a new domain of engagement, comparable in significance to land, sea, air, and space, and its significance will increase in the years ahead ... The Federal Government has a responsibility to defend America from cyberattacks that could threaten US national interests or cause significant damage to Americans' personal or economic security. That responsibility extends to protecting both privately and publicly operated critical networks and infrastructure.
The Obama Administration recognized the fact that the vast majority of the internet lies in private hands, and so stressed the need for cooperation between companies and the government (a cooperation that stumbled after the Snowden revelations that the NSA was specifically targeting internet companies' data centers).
The Trump Administration seems to be taking a more authoritarian approach. "The executive departments and agencies tasked with protecting civilian government networks and critical infrastructure are not currently organized to act collectively/collaboratively, tasked, or resourced, or provided with legal authority adequate to succeed in their missions," the draft order notes – the implication being that government agencies should be given greater resources and more legal power over such networks.
While the federal government does run significant computer networks and should be expected to protect them as much as possible – particularly given the furor over hacking of highly sensitive networks by the Russian government during the recent election – the executive order may seek to extend that authority beyond government-run networks.
"Critical infrastructure" is defined within the order as:
The term 'critical infrastructure' means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
The big question is whether that definition of "security" and "national economic security" would include private networks like Google's email servers or Amazon's cloud servers. The order isn't clear.
What is clear is that there will be a review with recommendations. The order calls for a "review of the most critical US cyber vulnerabilities" to begin immediately, with initial recommendations supplied in 60 days.
Those recommendations are to cover "the enhanced protection of the most critical civilian Federal Government, public, and private sector infrastructure, other than US national security systems." Again the recommendations are expected to cover whether government agencies are "appropriately organized, tasked, and resourced, and provided with adequate legal authority necessary to fulfill their missions."
All of which may mean little, or a lot, depending on what the report finally shows and how much the president decides to try to implement the recommendations.
As ever, the reason that the executive order has raised concerns is due to statements made by President Trump during the election campaign, as well as congressional investigations into Russian hacking and ongoing calls for an independent investigation into that hacking.
When it comes to the internet, Trump has said little in policy terms beyond suggesting that it be possible to turn off parts of it, amid a widely mocked suggestion that he contact Bill Gates about how to do so.
In the past, there have also been frequent calls from some lawmakers to introduce an "internet shutoff" for the United States' internet infrastructure – an approach that has been aggressively criticized and even mocked as impossible – but one that many believe is still possible, given the increasingly frequent use of shutdowns by countries including Brazil, Cameroon, Egypt, India, Iraq, Morocco and Saudi Arabia.
It is unlikely that a cybersecurity review would include a recommendation to add shutoff controls for the United States' internet infrastructure – one of the largest and most complex in the world – but it is possible that it could be used to insist on access to data in those networks under the pretext of national security. Only time will tell. ®