Tuesday President Donald Trump pledged to strengthen the government’s ability to protect its computer networks, but then canceled plans to sign an executive order on cybersecurity without explanation. A White House official said that morning the order would put the Office of Management and Budget in charge of cybersecurity efforts within the executive branch and direct federal agency directors to develop their own plans to modernize their infrastructure.
“We must defend and protect federal networks and data,” Trump said during a meeting on cybersecurity. “We operate these networks on behalf of the American people and they are very important and very sacred.” The executive order had been scheduled for signing after the meeting. It was unclear when it would be signed.
Such a review has become standard for incoming administrations wanting to put their own stamp on cybersecurity. But this year, the push follows allegations of election-season hacking by the Russian government.
U.S. intelligence officials have told Trump that Moscow tried to influence voters by hacking Democratic emails and trolling social media sites. Trump has sought to downplay Russia’s role in the election.
“The executive order is the first step the president is taking to address new security challenges of the 21st century,” White House spokesman Sean Spicer told reporters earlier Tuesday.
President Barack Obama directed his own comprehensive 60-day “clean slate” cyberspace policy review in 2009. That review built on President George W. Bush’s aims laid out in 2003.
But in other ways, it may be another turn at reinventing the wheel.
The previous administration also conducted a 30-day “cyber sprint,” requiring agencies to assess their security after more than 21 million people had their personal information stolen from the Office of Personnel Management in what the U.S. believes was a Chinese espionage operation. The Office of Management and Budget also worked on an analysis of agencies’ “high-value assets” in 2015.
Experts say such information is still valuable.
“They ought to fully leverage all of that information that’s already done (to) accelerate their review,” said retired Air Force Gen. Greg Touhill, who was picked by Obama to serve as the nation’s first federal chief information security officer. Touhill was also previously a leading cybersecurity executive at the Department of Homeland Security.
The White House official said Tuesday that no review has been done so far on any vulnerability in the system. The official said the executive order would ask the Commerce Department, Defense Department and other agencies to take steps to protect the nation’s critical infrastructure.
The official requested anonymity to discuss the order in advance of the signing.
The order’s call to have the Defense Department involved in securing infrastructure renewed an ongoing debate that has made many in government uneasy, especially at the Department of Homeland Security. U.S. critical infrastructure, such as the electrical grid, is almost exclusively privately owned and operated, and while DHS is charged with identifying threats and working with civilian and private sector groups, any private sector participation is voluntary.
“I’m very uncomfortable as a retired military officer with the military being charged to protect every storefront in America and every house in America with an on-scene cyber presence,” Touhill said.
Officials said the order was created after a study of all commission and external reports, which is why it recommends, for example, that agencies be required to use an already existing cybersecurity framework drafted by the Commerce Department’s National Institute of Standards and Technology.
One of those reports included a 100-page presidential commission report delivered to Trump last month. It contained 16 urgent recommendations as well as a proposed roadmap for cybersecurity work over the next two to five years. It recommended the president create an ambassador for cybersecurity to continue efforts to create international cyberspace guidelines.
Another report prepared for the incoming president and released earlier this month was conducted by a bipartisan cyber policy taskforce for the Center for Strategic and International Studies.
The taskforce — guided by Sen. Sheldon Whitehouse, D-R.I., and House Homeland Security Committee Chair Rep. Michael McCaul, R-Texas — recommended streamlining federal cybersecurity bureaucracy but also said the Homeland Security Department needed to do better. It recommended creating a new, separate agency within it dedicated to handling cybersecurity.