President-elect Donald Trump was very clear: “I will appoint a team to give me a plan within 90 days of taking office,” he said in January, after getting a U.S. intelligence assessment of Russian interference in last year’s elections and promising to address cybersecurity.
Thursday, Trump hits his 90-day mark. There is no team, there is no plan, and there is no clear answer from the White House on who would even be working on what.
It’s the latest deadline Trump’s set and missed — from the press conference he said his wife would hold last fall to answer questions about her original immigration process to the plan to defeat ISIS that he’d said would come within his first 30 days in office.
Since his inauguration, Trump’s issued a few tweets and promises to get to the bottom of Russian hacking — and accusations of surveillance of Americans, himself included, by the Obama administration.
Meanwhile, more contacts between Trump aides and Russian officials have surfaced — including some omitted from sworn testimony and official forms — and the committee chairman overseeing the inquiry being run by the House got so entangled with the Trump administration that he had to step aside.
Trump did start early with an event on cybersecurity, convening a meeting on Jan. 31 in the Roosevelt Room featuring Rudy Giuliani, who’s leading a group tasked with building private sector partnerships on cybersecurity. “We must protect federal networks and data. We operate these networks on behalf of the American people and they are very important,” Trump said in his remarks then, not addressing a coinciding executive order that was announced to be signed that day but that was abruptly pulled without explanation.
That appears to have led to some confusion about responsibility for the anti-hacking plan in the White House. The National Security Council would normally be involved in creating such a report. But on Wednesday, a NSC spokesperson told POLITICO that he was unaware if the NSC was in charge of compiling it, or if that responsibility fell to Giuliani — or if the report exists.
Giuliani is continuing his work talking to the private sector, but a spokesperson for the former New York City mayor confirmed that he is not involved in any 90-day report.
The White House spokesperson wouldn’t directly address why the deadline was missed.
“The president has appointed a diverse set of executives with both government and private sector expertise who are currently are working to deliver an initial cybersecurity plan through a joint effort between the National Security Council and the Office of American Innovation,” said Trump deputy press secretary Lindsay Walters, referring to the office run by Trump’s son-in-law and top aide Jared Kushner.
Trump made the deadline promise repeatedly. A week after the initial statement, he tweeted on Jan. 13, “My people will have a full report on hacking within 90 days!”
Given the issues at play, cyber security experts worry that missing this particular set deadline could have significant consequences and speaks to deeper concerns about the White House not grappling with clear threats.
“It would set an unfortunate precedent to miss the president’s first important cyber-related deadline,” said Michael Sulmeyer, director of the Harvard Belfer Center’s Cyber Security Project and former director of Cyber Policy Plans and Operations at the Defense Department.
“Ever the critic on the campaign trail, Trump and his cyber team now have the responsibility to keep the country safe from cyberattacks,” Sulmeyer said. “Given so much attention on North Korea this past week, and that North Korea conducted one of the most serious cyberattacks against the United States, we should expect the new administration to be on the case.”
This isn’t the first time Trump has promised more information about intelligence that never materialized. Speaking to reporters pressuring him for answers on New Year’s Eve, the then-president-elect said he knew “things that other people don’t know” that he’d reveal “on Tuesday or Wednesday.”
Trump said Tuesday a tax reform plan would plan would be ready “very soon,” but Treasury Secretary Steven Mnuchin has said a previously-stated goal of an August roll-out was unrealistic.
And then there are Trump’s tax returns, which he repeatedly said he would release after the completion of an audit. The White House acknowledged recently that Trump might never release his tax returns as promised.
Officials on the Hill say they haven’t seen any sign of the promised cybersecurity report, either.
A spokesman for Senate Intelligence Committee Chairman Richard Burr (R-N.C.) said “I don’t have anything on the record at this time.” A spokesperson for ranking member Mark Warner (D-Va.) declined comment.
“We have little visibility into what they might be working on,” said a Democratic staffer for a committee with jurisdiction, when asked about any familiarity with the report.
Missing the announced deadline demonstrates “a lackadaisical approach to what intelligence officials have routinely said is our biggest national security threat,” said Ned Price, who was a spokesman for the National Security Council in the Obama White House and worked for the CIA during George W. Bush’s presidency. “It speaks to the level of priority that this administration apparently has attached to cybersecurity, which apparently isn’t much — that is in stark contrast to the way the Obama administration addressed this issue over eight years, and especially during the last stretch.”
While the 90-day plan languishes, that vanished executive order on cybersecurity has been making progress. The National Security Council’s cyber directorate is finalizing a multipronged executive order, which experts see as the administration’s chance to declare its cyber agenda. The latest leaked draft, from early February, directs agency heads to use the National Institute of Standards and Technology’s cyber risk management framework to manage their technology assets.
The framework lays out best practices for assessing which computer systems are most important and most vulnerable, and it recommends ways to better protect them. The draft executive order directs the Office of Management and Budget to provide risk assessments of every agency, although sources said that provision could be changed, as it overlaps with existing requirements under the Federal Information Security Management Act.
The leaked draft also includes a provision focusing on the security of critical infrastructure sectors like the energy grid, in addition to sections on the Pentagon’s cyber capabilities and the need for a national cyber-deterrence strategy.
“There was certainly a desire, particularly during the campaign, to do a top-to-bottom review of where things stand. My sense is that will probably be how the executive order is sold, regardless of whether that is exactly how it was conceived or not,” said R. David Edelman, former cyber official at the NSC and the National Economic Council during the Obama administration.
Price said that from his experience, if there isn’t significant work underway toward producing a report and plan, the White House could be at least another 90 days away from finishing one.
“This is not a simple issue,” Price said. “If the clock really is at zero, we shouldn’t expect a well-produced report any time soon.”