Trump postpones cyber executive order

President Donald Trump held a "listening session" with cyber officials at the White House and outlined cyber priorities on Jan. 31, but unexpectedly canceled plans to sign an executive order on cybersecurity.

A draft of the order circulated last week by the Washington Post stated that working groups would conduct reviews of U.S. cyber vulnerabilities and capabilities and report back to the president with recommendations on how to better protect critical infrastructure and networks.

At the event where he was expected to sign the order, Trump said the U.S. will take quick action to secure critical infrastructure and networks and modernize IT systems.

"I will hold my cabinet secretaries and agency heads accountable, totally accountable for the cyber security of their organizations, which we probably don't have as much, certainly not as much as we need," the president said.

According to a White House official who briefed the press before the event, agencies will be required to implement the National Institute of Standards and Technology cybersecurity framework to manage risk.

"The executive order further directs the director of the Office of Management and Budget to assess and manage the collective risk of the federal executive branch," said the official.

"This order also directs the agency heads to begin to plan for the deliberate modernization of the federal executive branch IT," said the official. "Working with the assistant to the president for intergovernmental affairs and technology initiatives, this will be critical, and it's a long overdue step, important to the ability to secure our networks and data."

The draft order states the government will carry out three separate reviews over the next 60 days.

The secretary of defense, secretary of homeland security, director of national intelligence, and the national and homeland security advisors will review U.S. cyber vulnerabilities and provide recommendations for protection of national security systems as well as critical civilian federal and private-sector systems.

The second review is an assessment of capabilities of cyber adversaries. The third will look at U.S. cyber capabilities – including cyber education -- that need improvement to protect critical infrastructure.

A fourth review, to be led by the secretaries of commerce, treasury and homeland security, will have 100 days to assess private-sector incentives to boost cybersecurity and public-private information sharing.

"We must work with the private sector -- the private sector is way ahead of government in this case -- to make sure that owners and operators of critical infrastructure have the support they need from the federal government to defend against cyber threats," Trump said at the event.

Former New York City Mayor Rudy Giuliani, whom the president has asked to chair an advisory group focused on working with the private sector on cybersecurity, also attended the event. He said the private sector is largely open to hacking, "and sometimes by hacking the private sector, you get into government. So we can't do this separately.

"Some of the private sector have to wake up to the fact that they have to do more," Giuliani said.

One former Obama administration official told FCW that the draft order and additional details provided by the White House show the Trump team is building on the work of the Commission on Enhancing National Cybersecurity and the recommendations it released in December.

"This is a good start in terms of demonstrating that they are listening to what's been done," said Ari Schwartz, managing director of Cybersecurity Services at Venable, and former senior director for cybersecurity at the National Security Council.

He said the new team is "clearly taking a deliberative approach," and talking to various stakeholders and not trying to develop cybersecurity policy from scratch.

Schwartz cautioned that one of the biggest difficulties will be getting the government agencies to move to a risk management framework, which he said was an ongoing challenge in the previous administration.

The White House did not provide any explanation as to why the president did not sign the executive order as expected or what changes might be in the works.