More than two weeks ago, the President postponed issuing an executive order on cybersecurity. Since then, we’ve had no word from the White House on when he intends to sign it. However, two purported drafts of the order have wound up on the Internet—the Washington Post published the first one, and Lawfare, the second. Here are a few quick impressions on those drafts, bearing in mind that the finalized version, if signed, will likely be different.
The drafts are relatively tame compared to some of the President’s other executive orders. Both generally call for reviews of and reports on the nation’s cyber defense capabilities. The first draft would have created four review panels to report to the President on issues ranging from U.S cyber capabilities and vulnerabilities to the identification of cyber adversaries. The second draft sounds similar themes, and maintains elements of those reviews, but places more emphasis on ensuring that federal agencies are prepared to confront cyber threats. This measured approach has led at least one expert to suggest (with respect to the first draft) that the Administration is merely “kick[ing] the can down the road.” Both drafts, for instance, fail to mention just how the Administration plans to address the specific cyber threat that the nation is already well aware of—Russia.
Protecting the nation’s critical infrastructure is a key theme in both drafts. The first draft calls for a report on “options to incentivize private sector adoption of effective cyber security measures.” The goal is to “induce private sector owners and operators” of critical infrastructure “to maximize protective measures,” invest in “cyber enterprise risk management tools and services,” and “adopt best practices.” The second draft refines its approach to the report, calling instead for certain federal agencies to “identify authorities and capabilities . . . to support the cybersecurity efforts of critical infrastructure owners and operators.” It also includes a section on “core communications infrastructure,” tasking the Secretary of Commerce with finding ways to encourage collaboration between “owners, operators, and other stakeholders of core communications infrastructure” with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”
Finally, the second draft is much more specific in its findings and recommendations. It goes well beyond the first draft’s vague observations on the threats posed by bad cyber actors, spelling out several “[k]nown but unmitigated” vulnerabilities for agencies to focus on, including the use of “operating systems or hardware beyond the vendor’s support lifecycle,” the failure to implement security patches, and not “execut[ing] specific configuration guidance.” Its directions are also more precise—for instance, it requires agencies to use The Framework for Improving Critical Infrastructure Cybersecurity—a best practices manual by the National Institute of Standards and Technology—to “manage . . . cyber risk.” Details like these provide a helpful starting point for agencies conducting their own security assessments. Pinning agency practices to the Framework also encourages uniformity, the lack of which has characteristically plagued agencies in cyber security matters.
Between the Administration’s other orders, the court cases, and the press conferences, it’s unclear when the President will turn his attention back to cyber security. But we’ll be watching closely for any updates on the cyber security executive order in the coming weeks.
 For a thorough analysis of the first draft order, see https://www.lawfareblog.com/assessing-draft-cyber-executive-order.