Week ahead: Dems put spotlight on Trump’s cyber practices

by Joe Uchill - 02/13/17 6:00 AM ET

The House Science subcommittee on research and technology is holding a hearing Tuesday on strengthening U.S. cybersecurity capabilities.

But partisan sparks could fly, with Democrats calling for expanding the hearing to explore cybersecurity practices in President Trump’s White House.

In a letter to committee leaders on Thursday, three Democrats asked the panel to probe the new White House’s “careless cybersecurity practices.”

{mosads}”Last Congress, this Committee took a keen interest in private email server management and wider issues of cybersecurity in the Executive Branch,” the Dems wrote to Science Committee Chairman Lamar Smith (R-Texas) and two subcommittee chairs.

“We are writing to inform the Committee of further opportunities to investigate Executive Branch cybersecurity issues that have been of intense interest to you in the past.”

The letter goes on to discuss Trump’s use of unsecure cell phones and poor Twitter security.

But the big news in the coming week will be – as it has been the last two weeks – the potential for a cybersecurity executive order.

The Washington Post published a draft of the order in late January, and days later White House officials briefed reporters on a more expansive version. Trump was scheduled to sign that order on Jan. 31st, but the signing was delayed and the administration has said little publicly in the two weeks since on the order’s fate.

Some have even questioned if any cyber actions have been taken, noting that Trump often acts with little notice. Two weeks of leaked drafts and pushed back dates have cybersecurity experts looking for clues and wondering what they may have missed.

Second, there are questions about what will be in the final executive order. The executive order as leaked, circulated and briefed to reporters is changing rapidly.

Information on new versions of the executive order that trickle out of the White House tend to focus on big-picture, broad-stroke additions to older drafts.

Despite the questions, many stakeholders say the delays might not be a bad thing.

“The executive order started from a position where they consulted narrowly, something that got pushback with other executive orders,” said Betsy Cooper, executive director of the Center for Long-Term Cybersecurity at University of California, Berkeley.

“They keep adding layers to the order because they’ve consulted people inside and outside of government. It reflects a more traditional process.”

Prior to joining Berkeley, Cooper worked in the Department of Homeland Security’s Office of General Council and Office of Policy.

The initial draft of the order focused on gathering information to fuel better decisions. That draft largely focused on audits, leveraging cybersecurity-conscious agencies to issue reports on vulnerable systems, threats and other matters.

One security expert described that initial draft as ordering “someone else to solve the problem in 90 days.”

More recent leaked drafts still include those audits, but better address differences between agencies, separation of powers, and include more clearly defined roles.

One big change: the role of the Department of Defense in cybersecurity has diminished in subsequent leaked drafts.

The FBI did not appear in the Washington Post draft, but in later versions reportedly has a role handling the threat of botnets and defense infrastructure. Homeland Security also now more clearly retains its dominion over domestic infrastructure.

The draft on Jan. 31 that the White House briefed reporters on, featured the Office of Management and Budget taking on a role akin to a corporate chief risk officer, providing risk assessments of different security actions. That draft also emphasized modernizing federal information technology.

Both of those components appear to remain in the most recent version of the executive order.

In drafts circulating this week, one new element is entitled “Supporting Transparency in the Marketplace.” That spooked corporations that did not want to be required to be more open about their cybersecurity practices, said Harriet Pearson, a cybersecurity attorney at Hogan Lovells and former Chief Privacy Officer at IBM.

But all in all, said Pearson, most of the draft executive order focuses on middle of the road, useful, if unsurprising, actions.

“This is not a controversial executive opinion,” she said.

When that order will come forward, though, is anyone’s guess.