“We’ve seen increasing attacks from allies, adversaries, primarily nation-states, but also non-nation-state actors, and sitting by and doing nothing is no longer an option,” said Thomas Bossert, Trump’s homeland security adviser, at a White House briefing.
He said the order was not, however, prompted by Russia’s targeting of electoral systems last year. In fact, the order is silent on addressing the security of electoral systems or cyber-enabled operations to influence elections, which became a significant area of concern during last year’s presidential campaign. The Department of Homeland Security in January declared election systems “critical infrastructure.”
The executive order also does not address offensive cyber operations, which are generally classified. This is an area in which the Trump administration is expected to be more forward-leaning than its predecessor. Nor does it spell out what type of cyberattack would constitute an “act of war” or what response the attack would invite. “We’re not going to draw a red line,” Bossert said, adding that the White House does not “want to telegraph our punches.”
The order “is a step forward,” said Ari Schwartz, a former White House and Commerce Department cyber policy official who worked on the Commerce guidelines. “It shows that there’s consensus on moving ahead on these issues.”
The order places the defense secretary and the head of the intelligence community in charge of protecting “national security” systems that operate classified and military networks. But the secretary of homeland security will continue to be at the center of the national plan for protecting critical infrastructure, such as the electric grid and financial sector.
The order itself was revised numerous times to account for industry and government agency concerns. It was also delayed for various reasons, including a desire by national security adviser H.R. McMaster to review the document, as well as by White House senior adviser Jared Kushner, who removed a section on information technology modernization that will be placed in a separate executive order.
A number of career National Security Council personnel who worked on policy issues in the Obama administration also helped craft the executive order, which is one reason for the policy continuity. They added a section on workforce development, for instance.
A commission on cybersecurity appointed by Barack Obama briefed the Trump transition team on its recommendations — a number of which were incorporated into the document. They include mandating that federal agencies use the framework drawn up by the Commerce Department’s National Institute of Standards and Technology; encouraging agencies to share information technology services; and putting an emphasis on “risk management” or identifying ways to make systems more resilient to attacks and intrusions.
The stress on risk management “is a much more comprehensive and thoughtful approach than we’ve had in the past,” said Kiersten Todt, who was the executive director of the Presidential Commission on Enhancing National Security, which presented its report in December. Agencies and companies evaluate their assets, identify risks and ensure that operations are disrupted as little as possible during an attack.
“You’re not looking for the Holy Grail that is going to prevent every” hack, she said.
The order also showed Trump administration officials are engaged on the issue of threats that take the form of automated attacks conducted by “botnets” or computers infected with malware.
“It is encouraging to see the focus on botnet threats,” said Robert Silvers, former assistant secretary of homeland security for cyber policy. Silvers noted that the botnet attack last October that disrupted major sites on the Internet for much of a day showed how vulnerable the Internet can be when consumer devices are poorly secured.
“Internet of Things security is a critical but very complicated issue, and it is laudable that the new administration wants to pursue solutions,” he said.
Trump is also looking to encourage “transparency” in the marketplace, calling for a review of existing policies to see whether they are sufficient to get companies — especially public, critical sector firms — to be more forthcoming about their risk management practices.
Amber Phillips contributed to this report.