Fate of Trump cyber order still unclear

The wait for the Trump administration's cyber executive order has many increasingly wondering just what will be in it and why it is taking so long to complete.

On Jan. 31, President Donald Trump was moments from executing his cyber order, and then the administration abruptly pulled it back for what has turned into months of reworking.

Various drafts have leaked, and many in industry have had positive things to say about what they have seen in terms of holding agency heads responsible for cybersecurity and implementing the NIST framework and other recommendations from recent commissions and reports.

Yet there is still no order, and the administration has not responded to multiple requests for information about its status.

"I don't think the delay is due to any real substantive revisions going on at this point," said one former White House official who now works for industry and requested anonymity to discuss the topic.

In this official's view, the delay is more a matter of the White House continuing to confront staffing issues and other more pressing political and policy challenges.

The former official said the last leaked draft looked close to a finished document that had buy-in from many in industry.

"It is in their advantage to get this thing out the door, and I think a lot of us would really be supportive," said the official. "I worry that if it's not going out the door the people start to feel that pressure that you've got to put other stuff in. I think they've addressed a good baseline of issues and they should run with that."

Former White House CIO and Fortalice CEO Theresa Payton takes a different view, however. She told FCW on the sidelines of the Forcepoint Cybersecurity Leadership Forum that the last draft she saw was not ready for release.

Payton believes the order has been held up by several factors, including the lack of career political officials in the administration, questions about how the new White House innovation initiative will affect cyber and IT, and the fact that she believes the administration is still in listening mode.

"Often times EOs tend to go for the kitchen sink and there's so much in there it gets lost in how to actually execute and implement," she said. "So my biggest piece of advice I would give to…the new administration would be, do single purpose executive orders and be very clear and distinct on what you are compelling the departments and agencies to do."

She said one thing on which her colleagues in industry agreed is that the order should not call for any additional studies and instead must be biased towards action.

She also differs from the former official who wants the administration to push out the order sooner rather than later.

"I wanted to see something in the first 30 to 60 days, but we didn't," she said. "So at this point I think it's more important to wait a little and get it right than to hurry up and get it wrong."

As long as it is released before the end of the year, Payton said, that will be fine because there is already extensive guidance in place from the Office of Management and Budget, the National Institute for Standards and Technology and others.

And, while many in industry have praised leaked drafts for continuity with policies and studies that have evolved over the course of the Bush and Obama administrations, Payton would like to see something a bit more revolutionary.

"There are these new technologies that are out, and we're still talking about strong passwords," Payton said. She wants to see a greater emphasis on cloud, two-factor authentication, digital shredding, blockchain, tokenization of data and behavioral user analysis.

She also said that she wants to see federal CIOs and chief information security officers have the "head cover" to tell the administration what the obstacles are to solving IT problems and implementing all the existing guidance.

"The one thing that's missing from all of these frameworks...is the 'how to do it,'" she said.

A solution to that, Payton argued, is to bring in CIOs from the private sector who are working with state of the art technology and can provide lessons learned to federal officials on modernizing IT.

"It's not just rubber met the road, they've got some miles behind them between implementation and they could give you some really good advice," she said.