Computerworld

Trump's cybersecurity mystery: 90 days in, where's the plan?

An executive order was shelved without explanation, and a promised cybersecurity report hasn't materialized

On Jan. 6, weeks before he was due to become president, Donald Trump sat down with U.S. intelligence officials for a two-hour briefing at Trump Tower on cyberattacks conducted during the U.S. election. The meeting resulted in a pledge: a plan to counter cyberattacks against the U.S. within 90 days of taking office.

On Wednesday, President Trump marks his 90th day in office with no sign of a report or indication that one is on the way. That’s a surprise, given the recent string of successful, high-profile cyberattacks against the federal government.

Trump underlined the urgency of the situation at a news conference on Jan. 11.

"We're hacked by everybody," he said. "The United States, our government, out of a list of 17 in terms of industries is the worst ... in terms of protection."

It looked like he was determined to get things moving. A day later, he appointed former New York City mayor and early supporter Rudolph Giuliani as an informal advisor on cybersecurity.

A day after that, he again repeated the 90-day pledge in a tweet: "My people will have a full report on hacking within 90 days!"

Despite a rocky start to Trump's time in office, the cybersecurity plan didn't appear to be suffering. Drafts of an executive order were being passed around Washington and refined, signs that the issue was active in the White House.

On Jan. 31, less than two weeks after he had taken office, the executive order was ready to be signed.

The White House scheduled a signing session for 3:15 p.m. that day, and a few hours before that, officials briefed reporters on what the order contained.

The central directive was that the head of each federal agency would be responsible for cybersecurity within their department. It also directed the head of the Office of Management and Budget to assess and manage the collective risk of the federal government.

"I thought it was a very sensible kind of thing," said Paul Rosenzweig, founder of Red Branch Consulting and a former official at the Department of Homeland Security, in an interview this week. "To make managers responsible for the enterprise in ways they weren't and treating the entire federal government as a single enterprise was good."

But Rosenzweig was commenting on a leaked draft of the executive order. The final order was never signed or released.

At noon on Jan. 31, President Trump had lunch with Giuliani, and at 1 p.m. press secretary Sean Spicer told reporters the executive order represented "the first step" the President was taking "to address the new security challenges of the 21st century."

At 2 p.m., the president kicked off a "listening session" on cybersecurity. In the meeting were Giuliani and senior White House staff. Participants included chief strategist Steve Bannon, senior advisor Jared Kushner, Chief of Staff Reince Priebus, Homeland Security Secretary John Kelly, acting National Security Agency Director Mike Rogers and former NSA director Keith Alexander.

It's not clear what happened at lunch or in the afternoon meeting, but the cyber executive order was pulled with no explanation from the White House.

As a result, agency heads were never ordered to produce cyber risk reports that would have been due on Wednesday. It also means a 60-day review of federal government cybersecurity, due to have begun Wednesday, was never ordered.

Since late January, Trump has only taken one major step on cybersecurity. On March 29, he extended by one year special powers introduced by former President Barack Obama that allow the government to issue sanctions against people and organizations engaged in significant cyberattacks and cybercrime against the U.S.

The White House, and Giuliani's security consultancy, didn't respond to requests for comment.