President Trump was the driver of a “change” election in 2016, but after four months in office it remains unclear what kind of change he wants to bring to the cybersecurity policy space.
The Trump administration has killed Obama-era cybersecurity regulations in the telecommunications sector, but its approach in other areas has been much more cautious, including in a closely scrutinized cyber executive order released last month.
“I have an optimistic outlook,” said Matthew Ballard, a former GOP House Homeland Security Committee staffer now with the Glen Echo Group consulting firm. “The cyber E.O. is a foundation,” he said, pointing in particular to its grounding in the framework of cybersecurity standards developed by the National Institute of Standards and Technology.
But concerns remain that the Trump administration has yet to pull together the various strands of cyber policy and begin to articulate a vision for moving ahead.
By comparison, former President Barack Obama at about the same time in his new presidency delivered a speech that largely set the administration’s direction on cyber for years to come.
That May 29, 2009, speech followed a 60-day policy review directed by presidential adviser Melissa Hathaway — a George W. Bush administration holdover — which led to the creation of a White House cybersecurity coordinator position and an emphasis on partnerships with the private sector buttressed by possible regulation.
Obama called for a comprehensive strategy to be written in collaboration with industry, setting an ambitious policy goal that continues to stir debate over what was actually accomplished during the Obama years.
The Trump administration in its first months has focused on the security of federal networks, a narrower approach to cyber policy that is reflective, perhaps, of the fact that many senior policy positions remain vacant at the Department of Homeland Security and throughout the government.
His executive order requires agencies to use the NIST framework as the basis of their cyber risk-management strategies.
The main collaborative effort with industry appears to be the ambitious information technology modernization plan being directed by presidential adviser and Trump son-in-law Jared Kushner.
That effort is in a nascent stage, although a bill by Rep. Will Hurd, R-Texas, to help accomplish those IT modernization goals passed the House in mid-May.
“Some of the goals articulated in the [Trump] executive order are absolutely spot-on, but there’s not a lot that’s new there, and many of the barriers to achieving those goals are still there,” said retired Rear Adm. David Simpson, former cybersecurity chief at the Federal Communications Commission. “It’s not clear that the administration appreciates those barriers.”
For instance, he said, the order doesn’t connect the dots between the Trump budget proposal, which includes substantial bump-ups for cyber and actually running and adhering to a risk-based cyber program across the vast federal bureaucracy.
Simpson, who was director of information technology for U.S. forces in Iraq during the occupation, said, “I don’t see the governing structure to allow these risk-based approaches to be successful.”
Betsy Cooper, the executive director of the University of California Berkeley’s Center for Long-Term Cybersecurity, said the executive order shows that cybersecurity is a high priority, “but it doesn’t really set a policy direction for the new administration. It calls for a series of reports, and that suggests the administration is still deciding whether to continue on the Obama path or take a new approach.”
Ballard, the former Homeland Security Committee staffer, said “the main negative thing” at this stage is that “the administration has been slow to hire the experts for the agencies,” particularly at the deputy and assistant secretary level.
Filling those slots may be the necessary precursor to developing and implementing a fully blown national cybersecurity strategy, which in turn suggests the U.S. is many months away from seeing the actual articulation of such a strategy.
The Trump executive order fills in some important pieces, namely on the government IT side, but much work remains to drive cyber policy to the next phase in a world of constantly changing cybersecurity challenges.