Editor’s note: This is the latest article in an ongoing series examining how the federal IT landscape will evolve during the Trump administration.
After several high-profile breaches in recent years and a growing concern about the safety of federal IT systems, the Trump administration released a long-awaited executive order on cybersecurity in May that lays out the White House’s defense strategy.
The missive aims to protect federal networks, update antiquated systems and increase cooperation among agencies.
Perhaps most importantly, the order provides a blueprint for how agencies should revamp their cybersecurity policies and systems as well as a plan for how they can more closely work together during the Trump administration.
“The trend is going in the wrong direction in cyberspace,” U.S. Homeland Security Adviser Tom Bossert said May 11 while announcing the order. “It’s time to stop that trend and reverse it on behalf of the American people.”
The order’s most immediate impact is that dozens of agencies must begin following the National Institute of Standards and Technology’s framework for improving cybersecurity. The NIST guidelines serve as industry standards and best practices to help organizations manage threats. Agency leaders will submit reports this summer on how they can best manage these risks. The Office of Management and Budget and the Department of Homeland Security will review their findings and make recommendations for improvement this fall.
“The shift to have agency heads responsible and accountable raises cybersecurity’s visibility in each of the executive branch agencies,” says Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center.
Corman says applying the NIST cybersecurity framework is like “drinking our own champagne.” He also notes that raising accountability is a needed first step. But a larger focus on routine cyberhygiene and replacing outmoded technology should quickly follow, he says.
“We’re trying to defend an indefensible kingdom,” he adds. Agencies “need to do an IT refresh for the federal government. Not only would it be more stable, reliable, agile and productive for federal needs, but it would also potentially get rid of these legacy, unsupported exposures against known vulnerabilities.”
In short: Fewer, more modern systems would be easier to defend.
New Federal IT Policies Build on Existing Programs
President Donald Trump’s executive order builds on the work of the Bush and Obama administrations. For example, the White House’s budget request for fiscal 2018 includes some $280 million for the Continuous Diagnostics and Mitigation program, a four-phase approach designed to provide IT administrators with real-time information about their networks, to describe the risk of specific threats and to make it possible for agencies to rapidly identify vulnerabilities. The program is expected to put a premium on content filtering, network access protection, email boundary protection, web boundary protection and data loss prevention technologies, among other practices.
The budget request also includes nearly $400 million for the National Cybersecurity Protection System, operationally known as EINSTEIN. EINSTEIN detects and blocks cyberattacks on agencies and provides situational awareness of the threat environment.
“The technology is out there where you obviously don’t need a moonshot,” says Michael Sulmeyer, the director of the Belfer Center’s Cyber Security Project at the Harvard Kennedy School. “From there, funding cybersecurity really doesn’t have to be much of an expensive proposition. I think the main difficulty, though, is getting the agility for funding. To keep up with how technology requirements are going to change when you implement some of these systems requires agility.”
Corman stresses that while the White House wants to increase collaboration throughout government, agencies cannot follow a one-size-fits-all approach on cybersecurity.
“You want to use technology for a purpose, strategically, and that’s not going to be the same for the IRS as it would be at the Pentagon,” he says.
He points to two IT initiatives — the Defense Department’s nascent Defense Innovation Unit Experimental (DIUx) program and 18F, a digital services agency run through the General Services Administration — highlighting that not all fixes must be uber-expensive or planned years in advance.
But Darrell West, founding director of the Center for Technology Innovation at Brookings Institution, says the executive order’s push for intra-agency teamwork shows that uniformity has its place.
“There needs to be greater standardization because, even though each agency has a different mission, their cybersecurity needs are pretty similar,” he says. “It’s a matter of protecting the software, protecting the hardware and making sure new mobile platforms are fully protected. That’s not an issue of homeland security versus the health department ... ideally, since all the agencies are going through this exercise, they can each learn from one another.”