Expectations build for Trump security order

Anticipation is building for President Trump’s long-awaited executive order on cybersecurity. 

Trump was first expected to sign the executive order in January, but it was abruptly delayed without explanation. The cybersecurity industry and members of Congress have been watching closely for signs of progress on the executive order in the three months since it was tabled. 

Lawmakers are eager to see the contents of the order so they can move forward on an agenda for cybersecurity in the new Congress that is aligned with the priorities of the administration.

“We very much want to be a willing, supportive partner for what we hope is going to be a bold agenda with regard to cybersecurity by this administration,” Rep. John Ratcliffe (R-Texas) told The Hill of his plans for the subcommittee with oversight of Department of Homeland Security’s cybersecurity efforts. 

“Depending on what we see from them, some of those priorities could get shuffled or adjusted, magnified, or there could be additions to those.”

This week, rumors swirled that the order could be signed as soon as Friday, but hopes for that fizzled as the day progressed.

{mosads}The White House has been soliciting input from the private sector on the executive order. Subsequent draft iterations have circulated showing alterations that some say reflect progress from the first draft order leaked in January.

Steve Grobman, senior vice president and chief technology officer for McAfee, said that he has been encouraged by what he has seen in drafts, but noted that the delay has delayed agencies from moving forward on a new cybersecurity agenda. 

“It seems like we’re now tweaking minor details,” Grobman said. “Every week that we delay the executive order from being enacted is pushing those timelines out.”

An early version of the document published by the Washington Post read like an order for a government-wide cyber assessment, directing the Departments of Defense and Homeland Security to review critical cyber vulnerabilities and capabilities. 

Later versions have shown the White House holding agencies accountable for their own cybersecurity and requiring them to abide by the cybersecurity framework developed by the National Institute for Standards and Technology.

There has been some concern that the final version of the order will omit a section on information technology modernization, which the new administration has labeled a priority along with protecting federal networks and critical infrastructure from cyber threats.

Jared Kushner, Trump’s son-in-law, is expected to be tackling IT modernization in his leadership of the Office of American Innovation. 

“IT modernization is one of the most important things that you can do to improve cybersecurity,” said Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint, a Silicon Valley cyber firm. “It would be a shame if these efforts were not coordinated.”

Grobman said he’s not worried about cybersecurity and modernization being separate, pointing to the trends in some large businesses of moving security organizations outside of traditional IT environments.

“Regardless of whether it falls into the cybersecurity executive order or is broken out into another one, their push to modernize IT systems is very positive,” he said.

For its part, Congress has already got the ball rolling on this issue. House lawmakers on Friday reintroduced bipartisan legislation to set up a working capital fund for IT modernization.

While the executive order delay has sparked speculation and some rumbles of frustration, those on Capitol Hill and off view the new administration’s effort to think through the order as a positive sign.

“I would like to think that maybe they’re being a little more careful and not getting out over their skies too far,” Ratcliffe said. “Some of the executive orders they’ve pushed out quickly have famously now been pulled back and revised.” 

The administration has also earned praise for bringing on Rob Joyce, a former NSA official, to coordinate the White House’s cybersecurity efforts. He is widely respected inside and outside government.

Joyce said at a Georgetown University cybersecurity conference this week that the executive order was “close and nearby,” but offered no firm timeline. 

While White House officials have signaled that cybersecurity will be a priority, the new administration’s efforts have yet to progress beyond words to something concrete. 

Trump has also earned criticism for missing a deadline for a plan to counter hackers, a goal he imposed on himself following an intelligence briefing on Russia’s election interference. 

Stakeholders outside the government hope the executive order will jumpstart the administration’s pursuit of a comprehensive strategy for cybersecurity.

“Given everything that they’ve put in the blueprint, the blueprint is the right blueprint. Now, they need to execute to that blueprint,” Grobman said. “Coming up with a practical and fiscally viable plan to execute the blueprint is going to be challenging.”