Draft Trump Order ‘Kicks the Can Down the Road’ on Cybersecurity

With each day this week, President Donald Trump has courted controversy, made enemies, and excited his base with executive orders aimed at strengthening the U.S. border and upending American trade policy, among other issues. But a draft executive order on cybersecurity that leaked Friday takes the exact opposite approach: It lacks any sweeping measures and avoids controversy by creating review panels to examine cybersecurity issues.

Trump won the presidential election after a Russian information operation that hacked into the computer systems of his Democratic opponents and leaked the fruits of those raids online, according to U.S. intelligence assessments. That Russian campaign, aimed at tipping the election in Trump’s favor, cast a spotlight on the woeful state of cybersecurity in the United States, but Trump’s draft order on cyber policy makes no mention of Moscow’s hacking and offers no clarity on how the administration plans to tackle the issue.

While Trump’s advisers have broadly advocated a more hawkish approach to the use of American power in cyberspace, the order contains no concrete mention of how the United States might deter its adversaries in cyberspace. The order only states that United States is “committed” to “employing the full spectrum of capabilities to defend U.S. interests in cyberspace; and identifying, disrupting and defeating malicious cyber actors.”

Cybersecurity experts reacted skeptically to the draft order. The move, said Jason Healey, a senior research scholar at Columbia University, allows the Trump administration to “kick the can down the road.” With a lack of executive branch appointees in place to execute policy, Healey called it — with a measure of irony — a “smart move.”

The draft executive order, first obtained by the Washington Post, sets up four review panels to examine a series of cybersecurity issues. It notes that the government is “not currently organized to act collectively/collaboratively” to effectively protect government and civilian networks and critical infrastructure. The review boards appear to be an attempt to primarily figure out how to better block cyberattacks on the United States.

The first review will delve into “the most critical U.S. cyber vulnerabilities” and will deliver a report to the president within 60 days of Trump signing the order.

The second review will deliver a “report on the identities, capabilities, and vulnerabilities of the principal U.S. cyber adversaries” and is also due in 60 days. That report will likely delve into the politically sensitive territory of Russia’s digital operatives, who U.S. intelligence official say conspired to boost Trump’s presidential bid. Trump has repeatedly cast doubt on those assessments and questioned their underlying evidence.

A third review will take the results of the first and second to identify “an initial set of capabilities needing improvement to adequately protect U.S. critical infrastructure.” A separate draft executive order tasks the defense secretary to identify ways to improve the capabilities of American military hackers, among other initiatives.

The fourth and final review will examine how to “incentivize private sector adoption of effective cybersecurity measures.” That review will be lead by the commerce secretary and is due within 100 days.

Computer systems are typically rife with vulnerabilities, but there is no easy solution as to how to improve security across the board. Experts argue that markets are currently struggling to solve the problem of computer systems’ pervasive insecurity. Consumers know little about security, are unlikely to buy products based on their security features, and have few ways to evaluate the security of a product anyway. Firms, as a result, have little reason to design their products with security in mind.

One initiative led by Peiter Zatko, the legendary hacker better known as Mudge, aims to create a Consumer Reports-style rating system for software. Such efforts to provide consumers with better information are at a nascent stage, and a government effort to incentivize cybersecurity may help that effort gain momentum at the very least.

Christopher Furlong/Getty Images