By the time President Trump signed his Cybersecurity Executive Order on May 11, it had taken on a mythic air. The administration had produced a series of drafts soon after the inauguration that leaked, circulated, provoked criticism, and motivated refinements. While the months-long wait for the final product felt Godot-like, it ultimately received bipartisan praise for its thoughtfulness. But now, more than 110 days since the clock started, eight deadlines have passed, with eight more quickly approaching.
Planning and information-gathering matter, but experts caution that for the EO to succeed long-term, it needs to exit this phase as quickly as possible. Beginning the urgent, proactive work of implementing a robust national cybersecurity posture and defending critical infrastructure can’t wait, as destabilizing cyberattacks like the WannaCry and NotPetya ransomware outbreaks showed this summer.
The goal of a speedy review process is a good one, but it has not materialized. “Unfortunately, leadership from the executive branch on cybersecurity has been weak,” Senator John McCain said at the end of August. “The last administration offered no serious cyber deterrence policy and strategy. And while the current administration promised a cyber policy within 90 days of inauguration, we still have not seen a plan.”
White House and agency officials wouldn’t detail a tally of which EO deadlines have been met, but said that the reports are coming along. “Departments and agencies continue implementing Cybersecurity Executive Order 13800 and have made significant progress,” a National Security Council spokesperson tells WIRED. “While they continue to work towards the deadlines outlined in the Executive Order, the release of products may vary over time. However, many of the deliverables will be used to inform work going forward.”
Some of the progress has been tangible, and so far, at least, it seems that agencies are trying to stay on top of the imposed deadlines. On Wednesday, the White House’s American Technology Council and Office of American Innovation even submitted their draft federal IT modernization report (stipulated by the EO) to the President.
“I was part of that group that said ‘the Executive Order looks really good. It could be better, but we all know that it could be a lot worse, and the true test will be in the execution,’” says Kiersten Todt, a researcher at the University of Pittsburgh Institute for Cyber Law, Policy, and Security who was the executive director of the Commission on Enhancing National Cybersecurity under Barack Obama. “In talking with those in the White House and at the Office of Management and Budget, my understanding is that for the first wave of reports, which were due on August 9, most of those came in.”
There is other friction as well. Numerous members of the National Infrastructure Advisory Council (which advises the Department of Homeland Security on infrastructure issues and cybersecurity) resigned last week, citing diverse concerns about the Trump Administration’s agenda, including about cybersecurity. “You have given insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend,” they said in a resignation letter obtained by NextGov.
Experts fear that some combination of infighting and staffing shortages at federal agencies could slow the executive order’s momentum. “To the extent that you’ve got staffing gaps, that’s going to inhibit your ability to do implementation. It’s going to slow you down,” says Michael Daniel, president of the Cyber Threat Alliance and a former cybersecurity coordinator for the White House. “The timelines in the executive order are achievable, but some of them are pretty aggressive.”
Though the EO is halfway through its first year, there is still time to complete its initial phase and move forward on schedule. “I don’t think we’re going to get a report card on which reports were and weren’t completed, but I work with a lot of those agencies and I know they started acting on it,” says Josh Corman, a cybersecurity policy expert at the Atlantic Council. “But whatever those reports were prepared for should be tempered by the more recent game changers such as NotPetya that did some pretty nasty damage to critical infrastructure.”
Some say that the year-long analysis and planning phase laid out in the executive order is worthwhile, while others argue that the need for action is more pressing. At this point, the EO must at the very least stay as close to schedule as possible so the federal government is ready to address very real potential threats to national digital security and infrastructure.
“There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack to organize effectively and take bold action,” the National Infrastructure Advisory Council wrote in a report published days before its spate of resignations. “We call on the Administration to use this moment of foresight to take bold, decisive actions.”