Cyber executive order a reasonable step forward, yet more remains to be done

The speed with which the Trump administration has been issuing Executive Orders comes as no surprise. President Trump’s campaign promises of addressing immigration and financial regulation have become the focus of his first 100 days and the defense of these actions has dominated the news cycle from day one. 

The same focus, however, hasn’t been given to an important policy area that was exposed during the 2016 election: cybersecurity. Since the first draft of the cyber EO was leaked on Jan. 31, updated drafts and political grandstanding have caused the signing of this extremely important measure to be delayed twice – and have shifted focus away from important issues in the process.

ADVERTISEMENT

On the whole, the latest draft EO takes a measured, careful approach. But sometimes, what is most interesting about these rather dry government orders is not what is included, but what is not. By leaving out important aspects of cybersecurity, the new administration is signaling what it intends to prioritize --- and what it is leaving behind.

Take workforce growth – if there is one thing we hear over and over from companies in Silicon Valley and beyond, it is that there are not enough good cybersecurity professionals to fill the many open jobs. The original leaked draft of the executive order proposed a “workforce development review . . . to understand the full scope of U.S. efforts to educate and train the workforce of the future.” That section is totally missing from the most recent version.

This is a disappointing change. The talent pipeline is a crucial component of cybersecurity, and one that deserves urgent government action. Our universities aren’t creating the number of top cybersecurity professionals needed by our government and companies. This is a market failure which will require government action to solve.

These problems are compounded by a second omission – the role of the White House. Nowhere in the new EO is the Federal Chief Information Security Officer (CISO) cited. Perhaps this isn’t surprising, given that we don’t yet have one. Other top technology positions remain unfilled as well – no Chief Technology Officer has been named, and the White House CISO recently left. And other appointments that have been made – Rudy Giuliani’s cyber advisor position in particular – fall completely outside traditional White House structures.

The vacuum at the top – and confusing reporting lines for those who remain – will make it difficult to develop a comprehensive cybersecurity strategy. The result is likely instead to be a piecemeal approach. And, especially given the new EO requires lots of intergovernmental collaboration to produce myriad reports – I count 11 separate reports due this year alone– who is going to moderate departmental infighting when they disagree about who should take the lead?

The cybersecurity EO is a well thought out and reasonable step forward. It deserves to get the president’s priority attention and signature. And unless the final version takes account of our need to grow both the cyber workforce and our White House leadership in this area, more remains to be done.

Dr. Betsy Cooper is the Executive Director of the UC Berkeley Center for Long-Term Cybersecurity. The CLTC recently released ‘Cybersecurity in the New Administration: Looking Beyond the First 100 Days.’


The views expressed by this author are their own and are not the views of The Hill.