President Donald Trump and members of his national security team met with industry cybersecurity leaders today in what was billed as a “listening session” prior to the signing of an executive order that will introduce some fundamental changes to the government’s approach to national cybersecurity.
Although Trump was expected to sign the order Tuesday, the signing was postponed shortly after Trump began the meeting.
White House officials, however, briefed reporters on background on some of the details of the long-awaited cybersecurity executive order. According to those officials, the order directs agencies to manage their cyber risk by using the National Institute of Standards and Technology cybersecurity framework, and orders agency heads to begin planning for a major modernization effort for IT systems across the executive branch.
“We must defend and protect Federal networks and data,” Trump said during a brief press conference before meeting with cybersecurity experts. “I will hold my Cabinet secretaries and agency heads accountable, totally accountable, for the cybersecurity of their organizations. We will empower these agencies to modernize their IT systems for better security and other reasons,” he said.
The order puts the Office of Management and Budget in the lead for assessing cybersecurity risks across the executive branch, and directs agency heads to take a more active role in managing and reporting cyber risk at their agencies.
“What we’re doing moving forward is attempting to make agency heads aware that they have a deep responsibility here as opposed to delegating it down to their CIOs or more subordinate junior staff,” a White House official told reporters.
According to the official, the IT modernization effort, which has been stalled in Congress because of a Congressional Budget Office cost estimate of $9 billion, is an important component in the effort to secure government networks and data. The administration is looking to Congress “for the appropriate budget funding to modernize” Federal IT systems, the official said.
“Congress will be a key partner on this, especially modernization of IT,” the official said. “In addition to it being a key component to cybersecurity and to any risk management plan to put new, modern, and defensible systems in place, I believe we can make a strong case for it also being a long-term cost efficiency.”
The White House plans to reference previous studies conducted during the Obama administration to help inform its assessment of the most critical vulnerabilities in Federal systems, the official said.
“We have taken some of those recommendations. You will see that, for instance, requiring the use of the NIST framework is something that was recommended” during the Obama administration’s Commission on Enhancing National Cybersecurity. “It’s a bipartisan issue,” the official said. “It’s something we believe is a good recommendation.”
Mike Hettinger, principal of Hettinger Strategy Group, said it is encouraging to see the president address cybersecurity in the first two weeks of his administration. “The Obama administration, following the OPM breach, took many proactive measures to address government’s overall cybersecurity posture so the new administration is not starting from scratch. I’m hopeful these efforts will build on the groundwork that has been laid,” Hettinger said.
“The order also appears to tie cybersecurity to IT modernization, which I believe is a critical step,” said Hettinger, who has tracked congressional efforts to develop an IT modernization fund. “Newer technologies build cyber in by design and so to the extent we can move away from legacy IT to more modern systems, this will improve our cybersecurity.”
Rep. Will Hurd, R-Texas, intends to introduce a bill similar to the one he proposed in the last congressional session, the Modernizing Government Technology (MGT) Act, which passed the House but was held up in the Senate long enough that it did not clear before the end of the 114th Congress.
“We’re reintroducing something that’s going to look similar,” said Hurd, adding that he’s optimistic about getting support for the bill this time around. “There’s widespread support for the concept.”
Hurd made the comments during a recent exclusive interview with MeriTalk at the Consumer Electronics Show in Las Vegas.
Senate debate over the original bill was based in part on a Congressional Budget Office (CBO) estimate that implementation would cost $9 billion from 2017 to 2021.
“We’re going to get a bunch of folks together to see how we deal with the CBO issue,” Hurd said, calling the $9 billion estimate “ludicrous.”
Hurd also said that having someone like Rep. Mick Mulvaney, R-S.C., appointed as the budget director would be helpful.