On 11 May 2017, President Donald Trump signed an executive order implementing both a review of cybersecurity on the part of federal agencies and a strengthening of “critical infrastructure.”
The order said in part:
The executive branch has for too long accepted antiquated and difficult-to-defend IT. Effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity.
Homeland Security Adviser Tom Bossert told media outlets after the order was signed: “A lot of progress was made in the last administration, but not nearly enough.”
According to the order, several Cabinet-level departments — including Homeland Security, the Treasury, the Attorney General’s office and the Defense Department, among others — must submit a joint report on “strategic options for deterring adversaries and better protecting the American people from cyber threats.” Once that report is submitted, the Office of Management and Budget must submit its own report to the White House within 90 days.
However, security experts criticized the plan after its announcement for what they called a lack of feasibility and excessive reliance on the military. Dan Tentler, who founded the tech security firm the Phobos Group, told ZDNet that Trump’s administration could be forced to reissue the order:
They’re going to find themselves in a situation where they have zero intel on a chunk of the government and are faced with coming up with a written plan to fix problems … They won’t know what the problems are and without that there’s no way to draw up an actionable plan on how to fix anything. At best, we’ll see a kind of haphazard patchwork of fixes made of band-aids, superglue, and those little plastic bag ties from grocery store bread.
The advocacy group Access Now said in a statement that the order ignores issues like data breaches while also reversing course from the Obama administration’s decision not to involve the military in the safeguarding of “critical infrastructure” sectors, like government facilities, water systems, and commercial facilities:
Civil society organizations in the United States have fought hard against the militarization of the domestic internet. Not only is it bad policy to put civilian infrastructure under the domain of the military, but it could lead to increased NSA surveillance and is very likely a violation of posse comitatus. Any role of the Department of Defense in cybersecurity should be explicitly and firmly limited.
Critics also have argued that the perception of U.S. military involvement online shifted following the leak of government documents by former federal contractor Edward Snowden in 2013. Ian Wallace, a visiting fellow at the non-profit Brookings Institution, argued at the time:
While it is self-evident to us that minimizing government involvement is precisely what ensures the success of the internet, it is equally clear to authoritarian states like Russia and China that the Internet (including the content it carries) must be controlled. This latter view is exemplified by the desire of Russia, China and others to see the International Telecommunications Union, an adopted member of the United Nations family, expand its role into setting international rules for the internet.
Despite alarmist concerns to the contrary, there is no practical way in which the United Nations (or any other organization) could “take over” the internet. But if the United States starts to be seen as a danger to others, new barriers will emerge and everyone will lose.
Trump was scheduled to sign an earlier version of the order on 31 January 2017, but cancelled without explanation.