First 100 Days

Cybersecurity and Cyberwarfare

Assessing the Trump Administration’s First 100 Days

On September 26, 2016, during the first presidential debate, then-presidential candidate Donald J. Trump briefly discussed his position on cyberattacks and cybersecurity. Responding to the moderator, Lester Holt, regarding who is responsible for cyberattacks and how the United States should fight them, candidate Trump stated: “[W]e ha[ve] to get very, very tough on cyber and cyberwarfare. It is . . . a huge problem . . . . The security aspect of cyber is very, very tough. And maybe, it’s hardly doable. But I will say, we are not doing the job we should be doing.”

At best, President Trump’s statements on cybersecurity during his campaign were amorphous. He promised to focus on “the cyber” to prevent international cyberattacks (like what the Democratic National Committee experienced when a foreign actor, likely connected to the Kremlin, stole approximately 27,000 emails and attachments and released them to WikiLeaks).

The success of his administration could depend on cybersecurity. In the digital age, cyberwarfare may be the United States’ largest threat to national security, and cybersecurity may prevent foreign or domestic attackers from disrupting or destroying our nation’s critical infrastructure.

Once President Trump was elected, Republican strategists predicted that cybersecurity and cyberwarfare would be a focal point of his administration given his emphasis on fighting terrorism. This commentary describes President Trump’s drafted, and ultimately unsigned, executive order that addressed cybersecurity and cyber education in the public and private sectors, as well as the administration’s response to cybersecurity after the unsigned order.

I. Trump’s Proposed Cyber Security and Capabilities Order

In his first ten days as President, Mr. Trump signed nineteen documents that have the full force of law: two proclamations, seven executive orders, seven presidential memoranda, and three national-security presidential memoranda. Some executive orders did not make the cut and were not signed into law, notably President Trump’s executive order on cybersecurity.

On Tuesday, January 31, 2017, President Trump announced his intention to sign an order that would broaden executive authority to enforce cyber efforts. He intended to allow government agencies to secure federal networks as well as work with the private sector to protect the nation’s critical infrastructure. Notably, the order was expected to hold directors and secretaries responsible for the security and defense mechanisms in place to protect their networks and servers, preventing officials from deflecting responsibility to lower-level employees.

The order, initially titled the Executive Order on Strengthening U.S. Cyber Security and Capabilities, directed executive officials to create review boards to assess the United States’ agencies. The White House did not release a draft of the order, but the Washington Post published a proposed draft, whose accuracy the White House denied.

The order required agencies to provide information about the agencies’ most critical cyber vulnerabilities and cyber adversaries. Based on the provided information, the Department of Defense, Department of Homeland Security (“DHS”), and the National Security Agency would review the government’s cyber capabilities and provide agency-specific recommendations. Even the Department of Education would be affected by President Trump’s proposed order, because it would be required to provide the previously mentioned departments and agencies information about mathematics, science, and cybersecurity education at public schools. Finally, the Secretary of the Treasury, Secretary of Homeland Security, and the Assistant to the President for Economic Affairs were directed to draft a proposal that encourages the private sector to maximize protective measures, invest in cybersecurity tools, and adopt best practices.

II. President Trump’s Response After Proposing the Order

Later that afternoon, however, President Trump postponed signing the executive order after attending a “listening session” with White House, cabinet, and cybersecurity experts. The White House did not provide an explanation for postponing this order, but President Trump pledged to continue working to strengthen federal networks and data.

These “listening session” cybersecurity experts likely dissuaded President Trump from signing this executive order. First, and most importantly, agencies would have to take ownership, and suffer the consequences, of their current infrastructure. Some of these systems are over fifty years old and riddled with vulnerabilities.1 Agencies were likely not prepared to publicly report on, and take responsibility for, systems and infrastructures they know are outdated, unsecure, and highly susceptible to a cyberattack. Second, the order significantly shifted agency roles concerning cybersecurity. For example, the Pentagon and DHS’s responsibilities concerning cybersecurity would have been equal, while the Federal Bureau of Investigation’s role was silent. This would have been a controversial shift in cybersecurity enforcement and investigation responsibilities.

Even in the first 100 days of his presidency, President Trump’s additional efforts to boost cybersecurity lack definition. In February, he appointed Thomas Bossert as the assistant to the president for Homeland Security and Counterterrorism, de facto making Bossert President Trump’s cybersecurity leader. Bossert served as deputy homeland security advisor for President George W. Bush and was largely responsible for Mr. Bush’s Comprehensive National Cybersecurity Initiative (which helped minimize vulnerabilities in the nation’s critical infrastructure). In March, the Trump administration proposed increasing DHS cybersecurity spending to $1.5 billion in 2018. The additional funds, if approved, are intended to “safeguard[] cyberspace . . . for DHS activities that protect Federal networks and critical infrastructure from an attack.”2 Since the unsigned executive order, however, specific national cybersecurity efforts have remained unchanged from President Barack Obama’s orders in 2016.

Foreign officials have underscored the importance of the United States’ cyber efforts in international affairs. Last February, Israeli Prime Minister Benjamin Netanyahu stated, during a cyber conference in Tel Aviv, that he intended to raise the issue during his February meeting with President Trump in Washington, D.C. The same week as his meeting with Prime Minister Netanyahu, President Trump and Canadian Prime Minister Justin Trudeau committed to jointly work on strengthening cybersecurity and critical infrastructure.

III. Conclusion

The first 100 days of President Franklin D. Roosevelt’s presidency defined how Americans judge the accomplishment and influence of a first-term president. From March 9, 1933 to June 17, 1933, President Roosevelt passed unprecedented New Deal legislation, restored confidence in the United States economy, and altered United States jurisprudence. President Trump now faces a similar, yet silent, national crisis in cybersecurity and cyberwarfare. While President Trump plays a waiting game on cyber efforts, the United States remains susceptible to large national security breaches. Given President Trump’s early actions, however, major cyber reforms should be on the horizon for the Trump administration, yet remain shapeless after his first 100 days.

* J.D. Candidate, 2018, University of Illinois College of Law. Thank you to Matthew Loar and Katherine Kargl for providing commentary and guidance.

1 See, e.g., U.S. Gov’t Accountability Off., GAO-16-696T, Hearing Before the Comm. on Oversight and Gov’t Reform, H.R: Federal Agencies Need to Address Aging Legacy Systems (2016) (statement of Dir. Powner, Info. Tech. Mgmt. Issues).

2 Office of Mgmt. & Budget, Exec. Office of the President, America First: A Budget Blueprint to Make America Great Again 24 (2017).