Technologists Say Trump Cybersecurity Executive Order Only a ‘Plan of a Plan’

Security industry experts call the EO straightforward but lacking in substance, with unrealistic deadlines for reviews and few proactive initiatives.

After more than 100 days in office, the Trump administration released its long-awaited executive order on cybersecurity May 11, which calls for government agencies to conduct security reviews and to recommend future steps to secure the United States’ infrastructure, networks and data.

The executive order gives both civilian and military agencies a 60-day deadline for conducting reviews of both infrastructure vulnerabilities and their adversaries. The reviews will be overseen by the secretaries of Defense and Homeland Security. Along with the National Security Agency, the two departments will also conduct a review of U.S. capabilities in cyberspace.

While many of the recommendations are common-sense steps to help secure the nation’s information infrastructure and systems, technology experts were critical of the lack of progress the order represented for the issue of cybersecurity.

Order Checks Boxes but ‘Kicks Can Down the Road’

Calling the executive order “mostly a plan for the government to make a plan,” the Information Technology and Innovation Foundation (ITIF), a non-partisan research and educational group, criticized the lack of progress made by the government in pursuing security.

“The last administration put together a commission which left a comprehensive set of action items for the new administration to pursue that should have been the starting point for this order,” the ITIF stated. “While the executive order checks most of the boxes thematically, it generally kicks the can down the road instead of taking any decisive actions.”

Cybersecurity has become a major modern political issue following the hacking and release of e-mails from the Democratic National Committee and those of 2016 Democratic presidential candidate Hillary Clinton and her campaign chairman, John Podesta. Both China and Russia have conducted significant cyber operations against the United States, which has used its own capabilities to — among other efforts — undermine the nuclear-weapons program of Iran (using Stuxnet in 2010).

The release of the cybersecurity executive order also comes as Democrats continue to call for investigations into Russia’s attempts to influence the 2016 presidential election, an issue whose importance the Trump administration has attempted to minimize. On May 9, President Trump fired FBI Director James Comey, less than two weeks after the FBI chief reportedly asked for more resources to pursue the investigation into Russian election meddling.

Order is About Actions Any Enterprise Should Undertake

The fundamental ideas of the order are sound, and the actions are things that any enterprise should be doing, Paul Vixie, CEO of Farsight Security, told eWEEK. The main problem with the order is that it is calling for a massive review of the entire government over the next 60 days, a nearly impossible deadline, he said.

“They all have the same 60 days and they have to somehow hire the consultants to get this done, and there are only so many of those in the world, so I’m not expecting this to end on schedule,” he said.

Some technologists lauded President Trump’s focus on requiring broad adoption of the NIST Cybersecurity Framework across all agencies.

“Trump’s order mandates that the security of federal agencies has to be controlled on an entire enterprise level—instead of building security protocols for specific systems, all people, processes, and policies within the agency must be analyzed and reported on,” Mike Shultz, CEO at Cybernance, a cyber governance platform, said in a media advisory.

Developing a Cybersecurity Workforce is a Focus

Farsight’s Vixie also commended the Trump administration on focusing on developing the U.S. cybersecurity workforce to help defend the nation in the future.

“The order is pointing out that we are all subject to the weakest link in the chain — and that is the people,” Vixie said. By focusing on training the workforce and citizens to be more knowledgeable about cybersecurity, the order could help the nation as a whole, he said.

“We need to find a rising tide to lift all these boats,” Vixie said.