President Donald Trump’s Executive Order on Cybersecurity, concentrating as it does on things largely within the authority of the executive branch, is a reasonable early approach to a very complicated public policy challenge. Its three components focus on preparatory steps to harmonize and modernize the federal government’s information technology (IT), better protect critical infrastructure, and improve the U.S. Government’s own cybersecurity strategies and policies. These steps are certainly necessary, though the administration’s ability to make progress ultimately will depend on what it actually does with respect to each of the three areas covered by the EO. And even at the level of the preliminary steps described in the EO, questions certainly remain: Will, for example, agency heads have the authority (and the budget) to make the changes they identify in the strategic plans the EO requires; will OMB or the White House have the authority (and the budget) to centralize and harmonize the executive branch’s technology infrastructure; and will the administration invest the time to collaborate closely with Congress to execute the plans that executive branch agencies draw up?
The most interesting part of the EO, however, is the section focused on botnets, which is a reflection of the novel threat posed by increasingly ubiquitous (and generally insecure) Internet of Things (IoT) devices. Botnets are the workhorses of the cybercrime world. They consist of networks of hijacked Internet-connected devices—computers, baby cameras, and anything in between. They can be used for a wide range of criminal activities, from distributing malware, to harvesting banking credentials, to, as in the case of the Mirai botnet last fall, targeting important pieces of the Internet’s infrastructure with destructive denial of service attacks. Last year’s attack using the Mirai botnet, for example, shut down a portion of Dyn’s DNS system—part of the address book of the Internet.
So the focus on botnets in the EO is appropriate, and should the Trump Administration really want to make progress on the issue it has some legislative proposals at the ready. Toward the end of the Obama Administration, Justice Department officials made a series of recommendations for legislative changes that would broaden the circumstances in which it could obtain injunctions to shut down botnets. The government can also enhance its existing collaborations with companies like Microsoft to leverage legal authorities available to both private sector actors and government to take down botnets. The Trump Administration could, therefore, notch some early wins in its fight against botnets should it decide to renew the Obama Administration’s request for legislative changes.
But the EO is of course only the very beginning of a strategy. The Trump Administration has a lot of work to do—work that is getting more important and more urgent by the day.