Cybersecurity advisers to former President Barack Obama are backing President Donald Trump’s first foray into cybersecurity policy.
A draft executive order obtained by the Washington Post shows that the White House will soon call for an extensive review of U.S. cyber vulnerabilities and capabilities. The proposed order also suggests that the Trump administration may consider reorganizing the defensive cyber responsibilities currently split between the Homeland Security Department and Defense Department.
The review, which is due in full on the president’s desk within 100 days of the executive order being signed, will contain information regarding U.S. strengths, weaknesses, allies and enemies in cyberspace.
A component of the report will focus on measuring the effectiveness of existing defenses intended to thwart cyberattacks aimed at U.S. critical infrastructure, including the communications, critical manufacturing, defense industrial base, energy and emergency services sectors, among others.
“The draft seems mostly to call for reports on an aggressive timeline in areas that the Obama administration had interest,” said Ari Schwartz, a former special assistant to Obama and senior director for cybersecurity in the White House’s National Security Council.
“It does show that the Trump administration is taking cybersecurity seriously and making it a priority, which is positive for what will come of these reports,” Schwartz said.
In short, the executive order is essentially calling for a cyber “strategic national risk assessment,” or SNRA, according to Ely Kahn, a former National Security Council director of cybersecurity in the White House. If signed, the executive order will follow through on actions previously taken by Obama.
The Obama administration launched an SNRA two years ago, executed by the Homeland Security Department’s Office of Risk Management and Analysis in support of Presidential Policy Directive 8. That directive examined a host of threats beyond cyber, including terrorism, pandemics and catastrophic natural disasters.
“As a nation, we have struggled to set clear priorities as to what are the greatest cyber risks and what are the most cost-effective ways to mitigate these risks,” said Kahn. “I think we have been too focused on specific tactical improvements to cybersecurity that have helped move the ball forward, but have lacked the overarching guidance provided by a well-structured risk assessment.”
Notably, the proposed review will request proposals to create a public-private incentive structure that could, at least in theory, encourage the adoption of “effective cybersecurity measures” by the private sector.
“I think it’s also interesting to note the focus on economic incentives and not new regulations [in the EO]. The previous administration struggled to gain any traction in Congress for new cybersecurity regulation,” said Kahn.
In 2011, the Obama administration proposed a package of legislation that included a regulatory framework for companies in critical infrastructure sectors. Under that framework, firms that worked to individually improve their cybersecurity posture in this arena would have been rewarded with greater autonomy to meet federally enforced oversight standards. But that proposal was rejected by Congress.
It remains to be seen whether the aforementioned strategic risk assessment will be deliverable within 100 days.
When Obama took office, he promised that a federal cybersecurity review would take place in less than 60 days. That review ultimately took 120 days to complete.
“It is good for a new president to have aggressive deadlines,” said Schwartz. “Since FDR, administrations have found it useful to set priorities near that [100-day] time frame and agencies are used to it.”