SAN FRANCISCO — President Donald Trump signed on Thursday his long-delayed cybersecurity executive order, which orders broad reviews of the federal government’s online vulnerabilities and creates standards for cybersecurity practices across various government agencies.
It is the first step taken by Trump since he assumed office to follow through on his campaign promise of bolstering the US’ cybersecurity defenses. A copy of the cybersecurity executive order, posted online, appeared to echo many of the recommendations made in previous leaked versions, as well as standards established under the George W. Bush and Obama administrations. The first move, according to those recommendations, is for each government agency to access its cyber risks, including agencies responsible for critical infrastructure.
Department of Homeland Security advisor Tom Bossert, who spoke to reporters Thursday about the executive order ahead of its release, dismissed questions over why the order had been repeatedly delayed. The White House's drafting of the document was first reported in late January; its release was rumored to be imminent several times since then.
“We’ve seen increasing attacks from allies’ adversaries, primarily nation states, but also non-nation state actors, and sitting by and doing nothing is no longer an option,” Bossert said. "We spend a lot of time and inordinate money protecting antiquated and outdated systems...Modernizing is imperative to our security.”
Bossert said that the executive order focused on protecting the federal networks, upgrade the US infrastructure and facilitate better coordination across government agencies. He also suggested that Trump's executive order would rely on the private sector to help the nation defend itself from Distributed Denial of Service (DDoS) attacks and botnets.
While most cybersecurity experts welcomed the executive order as a continuance of past White House policies, many wondered about the timing. Four private cybersecurity companies, who had been brought in to issue recommendations on the cybersecurity executive order, told BuzzFeed News that they were surprised that Trump signed the order on Thursday. All said they had not been provided final versions of the order, despite being repeatedly asked to look at other drafts.
"This feels very rushed, and given the multiple times it's been delayed, I'm not sure why they had to rush it out now," said one senior executive at a company which had worked with Trump's administration extensively on the order. He asked not be named as he had agreed not to discuss his role in the order.
Michael Daniel, president of the Cyber Threat Alliance and former special assistant to former president Barack Obama and cybersecurity coordinator for the White House, wrote that overall, the executive order, "continues the general approach to cybersecurity that started in the Bush Administration and ran through the Obama Administration... in general, I don't see anything unusual or that really goes in a different policy direction."
Access Now, a nonprofit advocacy group for digital rights worldwide, criticized the executive order, saying that it only orders “incremental changes to existing policies,” and that it fails to address issues such as smart devices, and data breaches in the private sector. They also criticized the order for creating a prominent role for the military in protecting domestic critical infrastructure.
“Civil society organizations in the United States have fought hard against the militarization of the domestic internet," said Amie Stepanovich, U.S. Policy Manager and Global Policy Counsel at Access Now. "Not only is it bad policy to put civilian infrastructure under the domain of the military, but it could lead to increased NSA surveillance and is very likely a violation of posse comitatus," she said, referring to the law that forbids the military from acting on US soil. "Any role of the Department of Defense in cybersecurity should be explicitly and firmly limited.”