Trump’s draft cybersecurity order raises policy questions

President Trump cancelled the signing of an executive order on cybersecurity without explanation, per pool reports. Trump had been expected to sign the order today to commission a review of the federal government’s capabilities and defenses, similar to reviews ordered by Obama when he took office and again last year.

A White House official acknowledged the similarities between Trump’s order and the Obama administration’s previous work during a briefing. “The changes are in management philosophy, in enterprise risk management, and modernizing federal IT. Not that that’s something previous presidents haven’t tried, but President Trump has a plan for accomplishing it,” the official said.

A draft of the order, obtained by the Washington Post, summarizes review measures Trump wants federal agencies to take and raises more questions about his policy on cybersecurity than it answers.

Although the document offers a definition of critical infrastructure, it does not mention voting systems, and it’s unclear whether the new administration will honor former Department of Homeland Security Secretary Jeh Johnson’s classification of election systems as critical infrastructure. Trump questioned intelligence community reports that the Russian government ordered hacking campaigns designed to influence the outcome of the election, and has alternately claimed that the election that landed him in office was not tampered with and that 3 million people voted illegally.

Trump did not mention election systems during a briefing on the order. “We will protect our critical infrastructure such as power plants and electrical grids. The electrical grid problem is a problem but we’ll have it solved relatively soon,” Trump said, according to a pool report.

The order also does not contain clues about whether the Trump administration will attempt to regulate private internet companies on cybersecurity issues or take a more hands-off approach. During the campaign season, Trump backed the FBI in its battle with Apple over creating a backdoor to its own devices. But the draft order does not address encryption, merely noting, “The Internet is a vital national resource.”

Questions about how the order might impact net neutrality also went unanswered — a White House official told pool reporters that the order is not intended to address net neutrality.

A lingering question left over from the Obama administration also goes unanswered in Trump’s first significant action on cybersecurity: What should the norms of escalation in cyberspace be? Obama was criticized for doing too little, too late when he sanctioned Russian officials and businesses in December, but the former president cautioned that he did not want to trigger an “arms race.” The State Department and the United Nations have been working to develop rules of engagement, and it remains uncertain what position Trump will take on the question.

Trump’s order will give the Department of Defense 60 days to conduct a review of national security systems for vulnerabilities and the Department of Homeland Security 60 days to review “protection of the most critical civilian Federal Government, public, and private sector infrastructure.” The Director of National Intelligence will conduct a review of cyber adversaries — it will be interesting to see the role Russia plays in this report — and the Department of Commerce will review its efforts to encourage businesses to adopt better cybersecurity practices.

The draft executive order does not assign a role to the Federal Bureau of Investigation, Lawfare notes. The FBI assumed significant cybersecurity responsibilities under the Obama administration. “Perhaps this is an omission that will be corrected in a later draft,” Lawfare writes. “However, if the FBI remains absent from this EO, they will be the agency with the most to lose out of this process.”