The latest draft of a cybersecurity executive order to be signed by President Trump has become an unusually precise, report-ordering extravaganza.
Executive orders – even those signed by Trump – tend to be relatively short and quite vague, with general policy goals listed and expected to be interpreted by others.
The new cybersecurity order is none of those. At over 2,200 words it is very long. It is also very precise, listing individuals and giving them specific tasks. Rather than focus on a particular goal – the creation of a new taskforce or the development of a singular report – the order calls for the production of no fewer than 10 reports, six of which will go direct to the President, on a range of aspects of cybersecurity.
(By comparison, even though President Obama put out a very lengthy executive order on cybersecurity, running to 3,000 words, it only asked for three reports to be created.)
To understand how what was originally a restatement of US policy toward cybersecurity with a call for a single report has evolved into an extensive work plan, you need to look at the unusual events of nine days ago.
Trump was expected to sign the cybersecurity order on January 31. To that end, a series of meetings were held at the White House during the day and it was supposed to end with the signing in the Oval Office in the late afternoon. But at the last minute, without explanation, the decision to sign was pulled.
Ban the bomb
That decision, we now know, was as a direct result of the disastrous rollout of the immigration ban that caused chaos at airports nationwide. Such was the fallout that President Trump reportedly ordered that all new executive orders go through an expanded process that sought broader input from more government departments.
It appears as though due to that process, the cybersecurity order was passed around for additional input and resulted in a bloated document that looks set to create a mountain of work with uncertain outcomes.
In order of listing, the reports are:
- A risk management report from every agency head to the director of the office of management and budget (OMB) and the secretary of homeland security (DHS) within 90 days describing how they are implementing the NIST cybersecurity guidelines.
- A report to the President from Commerce, the DHS, the OMB and the General Services Administration, within 150 days, covering modernization of the federal government's IT systems.
- A report to the President's counterterrorism advisor from the defense secretary and director of national intelligence (DNI), within 150 days, covering how they will move toward a consolidated network architecture.
- A report to the President through the DHS, within 180 days, covering how the federal government can support critical infrastructure companies: so-called section 9 entities.
- A report to the President from the DHS and Commerce, within 90 days, looking at the transparency and risk management practices of section 9 entities.
- A report to the President from the DHS and Commerce, within 240 days, having spoken to Defense, the Attorney General, the FBI, the FCC and the FTC, on how to deal with denial of service attacks and botnets.
- An assessment to the President's counterterrorism advisor, within 90 days, on the risks of a cyberattack on the nation's electricity grid.
- A report to the President from Defense, the DHS, the DNI and the FBI, within 90 days, on cybersecurity risks facing defense and military systems.
- A report to the President from Treasury, Defense, the Attorney General, Commerce, the DHS and the DNI, within 90 days, covering strategic options for "deterring adversaries and better protecting the American people."
- A report to the President from State, Treasury, Defense, Commerce, the DHS and Attorney General, within 180 days, covering how supporting the multi-stakeholder decision-making process can keep the internet free and open.
In short, while well intended, the executive order has become bloatware, as people who obviously do not have experience with executive orders have been given the opportunity to create a wish list of all the reports they would want from all the people they would want to hear from.
Assuming this draft makes it through unedited (which, in itself, would be a little concerning), we can't see how these long series of reports requiring massive cross-department coordination will ever see the light of day. Even if they did, imagining that the president would deal with no fewer than six reports on cybersecurity is fantasy.
The end result will likely be stasis in place of the obviously intended big leap forward. The Trump Administration still has a lot to learn. ®
PS: The White House's Chief Information Security Officer Cory Louie, who was installed by President Obama, has been forced to resign by Team Trump with no immediate successor. One of Louie's duties was the almost impossible task of managing the security of the tweet-happy president's mobile devices.