Washington D.C. (May 11, 2017) — U.S. President Trump finally issued a long-anticipated executive order on cybersecurity directing U.S. federal agencies to take measures to protect agency networks and coordinate with the private sector on critical infrastructure. However, the substance of the executive order largely conforms with recommendations from an expert commission created by President Obama in the final months of his presidency. Further, outside the bounds of the executive order, the Trump administration has continually undermined government efforts to improve the security of the internet.
“The measures in the executive order will serve as incremental changes to existing policies, while the Trump administration has otherwise either ignored or undermined pressing digital security threats internet users face,” said Drew Mitnick, Policy Counsel at Access Now. “The action does not touch several critical areas, like the insecurity of ‘Internet of Things’ devices, data breaches, or vulnerability disclosure,” continued Mitnick.
Last year’s cybersecurity commission report was created by the Obama administration to provide guidance to the next president. Drawn largely from the report, President Trump’s executive order specifies that federal agencies must implement the NIST Cybersecurity Framework, shifts cybersecurity accountability to the heads of federal government agencies, and creates processes to assess a number of topics: cybersecurity workforce development, resiliency to botnets, international cooperation, risks to the defense industrial base, and electrical disruption incident response.
Unfortunately, the order also carves out a prominent role for the military in protecting domestic critical infrastructure, an action that the Obama administration rejected. Military involvement increases the likelihood that privacy will be violated and decreases the likelihood that functions involving the internet — a civil resource — will be transparent.
“Civil society organizations in the United States have fought hard against the militarization of the domestic internet. Not only is it bad policy to put civilian infrastructure under the domain of the military, but it could lead to increased NSA surveillance and is very likely a violation of posse comitatus. Any role of the Department of Defense in cybersecurity should be explicitly and firmly limited,” said Amie Stepanovich, U.S. Policy Manager and Global Policy Counsel at Access Now.
Apart from the order, the Trump administration has shown little regard for privacy and digital security. President Trump has encouraged hacking by foreign governments, criticized the use of digital security measures like encryption, and failed to appoint people to important cybersecurity positions, such as the White House Chief Technology Officer. He has also failed to keep his promise to “put together a team of the best military, civilian and private sector cybersecurity experts to comprehensively review all of our cybersecurity systems and technology.”