Trump's Cabinet Leaves Key Cybersecurity Reports Unfinished

Major cybersecurity reports looking at the American government's ability to defend itself from hacking are unfinished months after the deadline set by President Donald Trump.

In an executive order signed May 11, Trump told key Cabinet members to carry out complete reviews of their departments and agencies' effectiveness at detecting hacking and protecting their data. Each were told to issue reports within 45 days. The deadline passed June 23.

Some of the reports remain incomplete, a National Security Council (NSC) spokesperson told Newsweek. "Departments and agencies continue implementing Cybersecurity Executive Order 13800 and have made significant progress since the Executive Order was issued," the spokesperson said.

The NSC did not respond to questions about how many reports are unfinished and when they will be completed.

The executive order also tells the secretaries of state, the treasury and defense, along with the attorney general and others, to submit separate, final reports to the president within 90 days based on their individual department assessments.

These are to outline to the president how effective they are at investigating, attributing, guarding against and sharing information between themselves about cyberthreats. These reports were due August 9.

Asked whether Cabinet members would meet their deadlines, the NSC spokesperson said, "While they continue to work toward the deadlines outlined in the executive order, the release of products may vary over time."

"Many of the deliverables will be used to inform work going forward and summaries of the work may be made available at a specific future date," the spokesperson said.

Related: U.S. government cybersecurity lags behind that of a fast food joint, say analysts

On Wednesday, Senate Homeland Security Committee Chairman Ron Johnson and ranking Democratic member Claire McCaskill sent letters asking for the completed reports from the State, Treasury, Defense, Commerce and Homeland Security departments.

"Cyberattacks are a real and growing threat," Johnson said. "Obtaining these reports will be helpful as the committee continues its oversight to improve America's national and cyber security."

Trump's order is part of a plan to beef up the government's cybersecurity following U.S. intelligence agency findings early this year that Russia had worked to interfere in the 2016 election.

President Barack Obama made efforts to improve federal cybersecurity defenses, designating America's election computer systems as "critical infrastructure" last October. Yet government departments and agencies remained extremely vulnerable to being attacked, according to cybersecurity experts.

Last week, analysts at the cybersecurity consulting firm SecurityScorecard ranked the federal government's cybersecurity performance far behind even the fast food and retail industries.

In early August, a Government Accountability Office report showed there are still vulnerabilities at the U.S. Office of Personnel Management—even after a data breach in 2015, when hackers made off with the government's records of more than 21 million people who had gone through security background checks.

The delay in the Trump administration's cybersecurity evaluations follows the en masse resignation of a quarter of the people on a Department of Homeland Security panel advising on cybersecurity and infrastructure protection last week.

One resignation letter cited President Trump's "insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend."

Some Cabinet members, like Attorney General Jeff Sessions, have shown little interest in learning about cybersecurity and its importance to protecting American assets.

However, "we're in a new era," McCaskill wrote in the request for the reports. "Cyberattacks from our enemies could devastate our country in ways ranging from hacking government computers to access our nation's secrets to shutting down our electrical systems."

Update: This story has been updated to clarify the deadline of the 90 days reports.