Analysis On January 6, president-elect Donald Trump had a meeting with the heads of the intelligence services and came out with one action point: cybersecurity.
“Whether it is our government, organizations, associations or businesses we need to aggressively combat and stop cyberattacks,” an official statement read. “I will appoint a team to give me a plan within 90 days of taking office. The methods, tools and tactics we use to keep America safe should not be a public discussion that will benefit those who seek to do us harm.”
A week later, he named former New York mayor Rudy Giuliani as his cybersecurity tsar (despite a total lack of relevant experience). Two weeks later he became president of the United States; 90 days later is today. So where is the cybersecurity team and plan?
It’s hard to tell, but based on some shoe-leather reporting by Politico the answer seems to be: absolutely nowhere.
The cybersecurity focus did seem to be there at the start of the Trump presidency. Only a week after taking office, a draft cybersecurity executive order was leaked to the Washington Post.
That order largely followed the Obama Administration’s view of cyberspace: it’s a vital national resource and a source of economic value and the government should actively ensure its security.
Where it differed was that it took a more authoritarian view of the internet and suggested new legal powers would be given to government agencies over what is overwhelmingly a privately owned network.
Critically, the leaked order called for a report within 60 days to provide the president with recommendations – a timeline that fitted closely with his 90-day promise, given the time taken to approve an executive order and sign it.
Things then sped up rapidly: just four days later, on a Tuesday, the entire day at the White House became built around the new cybersecurity order.
Officials briefed the press that the new order would “hold the heads of federal agencies accountable for managing their cyber risk.” They held up a cybersecurity framework developed by NIST, the National Institute of Standards and Technology, as the new standard.
The executive branch’s Office of Management and Budget (OMB) would also be given a new, powerful role in cybersecurity. It would be asked to assess the federal government’s efforts and would be put in charge of updating the system.
That afternoon, Trump and his cybersecurity tsar Giuliani held a roundtable, the first part open to the White House’s press corps. Both went heavy on the need to secure networks against attacks, and both implied they would apply pressure on corporations to work with the federal government to that end.
Giuliani warned that “the private sector is wide open to hacking, and sometimes by hacking the private sector, you get into government.” The order, he said, would “get the private sector to wake up.”
Trump was scheduled to sign the executive order in the Oval Office just a few hours later.
And then it all fell apart.
It’s hard to know exactly what happened, but the collapse of Trump’s immigration order – which restricted people from a list of countries from entering the United States but was struck down by a federal judge – was almost certainly a huge part of it.
The immigration order was a disaster: it caused widespread chaos; was roundly attacked; was ruled unconstitutional and illegal; and invoked the ire of several government departments who had not been properly briefed on its contents – let alone consulted.
Then there was the fallout from a new National Security Council order that was reportedly edited by presidential advisor Steve Bannon without the president’s knowledge to include himself on the council and diminish the role of the Joint Chiefs of Staff – a huge departure from tradition, and a significant power grab that left many in government fuming (Bannon was unceremoniously kicked off the council a few months later).
The upshot of these failures was that the White House put an immediate freeze on new executive orders and instituted a new system (actually the previous system), which saw broader consultation and input before new orders were put before the president.
And that was despite the fact that many cybersecurity experts were broadly supportive of the draft cybersecurity order. In particular, many were encouraged by the idea of a centralized approach after years of in-fighting between different government departments over who was in charge of cybersecurity.
With the new consultation policy in place and Trump desperate to show he was on top of his priorities, the White House then reached out to different departments – including Defense, Commerce, Homeland Security, State, Treasury and Justice – and put together a new cybersecurity executive order.
And the end result was, predictably, an absolute dog’s dinner: a 2,200-word extravaganza that, far from being a high-level guidance document, read like a policy wonk’s wet dream. The new draft ordered no fewer than 10 new reports, six of which would go directly to the president.
The centralization effort was lost and the White House’s OMB was moved from being in charge to being the recipient of other departments’ reports. The order proposed a degree of inter-departmental collaboration that only someone who hasn’t worked in Washington could imagine would ever happen. We predicted stasis.
That was back on February 9. It is now April 20 – and nothing has been heard about how the new cybersecurity order is progressing.
And it seems that no one inside government has heard anything either. When Politico approached the National Security Council, a spokesperson said they were unaware of any such effort or any effort to create the planned 90-day report. A spokesperson for Senate Intelligence Committee chairman Richard Burr said pretty much the same.
And then the more damning reports: not only did the White House refuse to comment on where the cybersecurity plan was, but Trumps’ own cybersecurity tsar himself, Rudy Giuliani, confirmed that he wasn’t working on a cybersecurity report.
This failure to come through on a promise is not the first time the Trump Administration has over-promised and under-delivered. Nor it is a new occurrence for new administrations – every enthusiastic new president is hit by the reality of actually running a country as opposed to talking about what’s wrong with it.
However, Trump’s failure to provide a report, or an executive order, or a team – or even a process and timeline for one his “number one priority” – is stark and contributes to the feeling that his administration is overwhelmed by the size of the task and is spinning its wheels. ®