Cyber Security

Trump’s New Cybersecurity Order Could Have Come From Obama

It's a far cry from candidate Trump's proclamations of 'the cyber' — and experts say it isn't half bad

Cyber Security
Tom Bossert announces Trump’s executive order to bolster cyber security — REUTERS
May 11, 2017 at 4:10 PM ET

President Donald Trump has finally signed his overdue executive order on improving government cybersecurity.

The White House had previously said the order would be delivered by Trump’s 100th day in office — April 29, not that anyone’s counting. And while Trump stumbled over the subject early in his presidential candidacy — he was routinely mocked by cybersecurity professionals for referring to “the cyber” and references to the computer expertise of his 12-year-old son, Bannon — it’s clear that he’s learned to trust experts on the subject.

“Overall, I’m pleased. It follows the same path that my team and I were on. I think it’s a good continuation,” Greg Touhill, hired under Obama as the first federal chief information security officer and then summarily dismissed by Trump in January, told Vocativ. “One of the things I’m most pleased with, besides the risk management approach, is the fact that they acknowledge the current architecture is insufficient to meet our needs.” Trump still hasn’t hired a replacement CISO, but most of Touhill’s staff still works for the White House, he said.

“I’m a big fan of the EO,” said Jason Healey, a senior fellow for the Atlantic Council’s Cyber Statecraft Initiative and former cybersecurity advisor for the George W. Bush White House. “Though it’d be better if it’d have come out right away, as it is a set of early priorities, not a major strategy in itself. That means it will certainly miss a lot of important topics and actions, but is a statement of what should come first.”

Perhaps the most important aspect of the executive order, Homeland Security Adviser Tom Bossert told reporters, is that federal networks — long regarded as vulnerable to devastating attack — will adopt cybersecurity recommendations from the National Institute of Standards and Technology (NIST), a federal agency whose standards are already used in the private sector.

“It’s time for us now to implement the NIST framework,” Bossert announced.

In addition to adopting this framework, the latest edition of which came out in December, the order also echoes remarks Trump made in October, when he shied away from talking about “the cyber” and began making recommendations similar to those already put in place by President Obama’s White House.

Some of the report appears to rely heavily on Healey’s own writing from January, he said. “Much of the language on ‘future generations’ and ‘American values’ is really similar to my recent Atlantic Council report.” 

Parts of the order, however, were either naive or could lead to government overreach, cautioned Jake Williams, founder of the security firm Rendition Infosec and a former cybersecurity analyst at the Department of Defense.

A section designed to combat botnets — armies of compromised “zombie” computers that a hacker can direct to act in tandem — calls for a joint report from a wide range of federal officials, including the heads of the Justice Department, FBI, Federal Communications Commission and Federal Trade Commission.

“The FTC can conclude today that automated threats impact commerce and the FCC will tell you that without increased law enforcement access to communications, they can’t stop the threat,” Williams said. But botnets are inherently legally difficult to combat, given that attacking computers are mostly comprised of innocent victims — and a method to combat them would likely involve invading their computers.

“Whoever consulted on this section is either hoping for expanding monitoring capabilities of US persons dramatically, or has no understanding of the threat,” Williams said.

Updated with comment from Touhill.