President Donald Trump watches during a meeting on cyber security in the Roosevelt Room of the White House in January. Evan Vucci/AP

How Trump Could Advance Federal Cybersecurity

The administration doesn't need to start from scratch.

The data breach at the Office of Personnel Management in the spring of 2015 was breathtaking in scope—nearly 22 million sensitive personnel records stolen. But this wasn’t a new issue. There had been breaches at the FBI, the Department of Homeland Security, the IRS, even the National Security Agency.

But the OPM breach was clearly a turning point. It resulted in the removal of the agency head and CIO. While federal agencies have been subject to cybersecurity requirements since 2002 under the Federal Information Security Management Act, and Congress has held periodic hearings excoriating agencies for not complying, compliance didn’t always translate into changes in government’s culture. This led to the enhancement and expansion of multiple efforts, as reflected in the cross-agency priority goal for cybersecurity, which serves as a launching point for the new Administration’s efforts.

Solid Groundwork

In 2013, the National Institute of Standards and Technology convened a forum to develop a risk management framework to strengthen cyber defenses. It was published in 2014 as the NIST Cybersecurity Framework and is seen by many in government and industry as the cyber risk management “gold standard.” NIST continues to review potential updates to keep the Framework current.

Following the publicity of the OPM breach, in June 2015 the White House launched a 30-day “cyber sprint” to implement high-priority fixes. It also identified critical gaps and emerging priorities that were summed up in a Cybersecurity Strategy & Implementation Plan. Its implementation is being overseen by the President’s Management Council, comprising the chief operating officers of the top agencies.

The Cybersecurity National Action Plan was released in February 2016. A capstone of seven years of efforts, it assessed cybersecurity trends, threats, and intrusions and made a number of recommendations, such as boosting federal investments in cybersecurity to $19 billion (an increase of 35 percent), designating a federal chief information security officer, and establishing a Commission on Enhancing National Cybersecurity.

The White House Cyber Commission released its report in December 2016, recommending joint public-private sector action. It developed a set of guiding principles and identified areas for future action, noting the new administration should take action in its first 100 days to better equip government to operate in the digital age. It also recommended unifying all federal civilian agencies under a single common network.

The Way Forward

A January 2017 report by a bipartisan cyber policy task force sponsored by the Center for Strategic and International Studies spans both public and private sector cyber challenges. It cautioned: “The temptation for grand national initiatives should be avoided, as these usually fall flat.” It concluded that any initiatives must be carefully attuned to market forces, have congressional support, and not be run out of the White House. It offered recommendations, noting: “We can bring clarity to the task of cybersecurity if we start by assessing what actions create risk.” At that point, specific steps can be proposed to reduce risks by incentivizing better behavior in both the public and private sectors.

Even before the OPM data breach in 2015, the Office of Management and Budget convened an interagency team in late 2013 to identify a subset of the FISMA requirements to address as one of the 15 cross-agency priority goals. As a result, the goal focused on three sets of risk management initiatives, and the team developed a set of targeted metrics to track progress at a high level:

  • Information Security Continuous Monitoring Mitigation. The focus is to provide ongoing observation, assessment, analysis, and diagnosis of an organization’s cybersecurity posture, hygiene, and operational readiness.
  • Identity, Credential, and Access Management. The focus is to put in place a set of capabilities that ensure users have legitimate access only to the IT systems required for their job function.
  • Anti-Phishing and Malware Defense. The focus is on implementing technologies, processes, and training that reduce the risk of malware being introduced through email and malicious or compromised websites.

The metrics are tracked by each agency and centrally reported via the Department of Homeland Security’s CyberScope portal, which is used to monitor implementation of FISMA requirements.

The President’s Management Council oversaw the implementation of this goal, and the goal’s support staff are located in OMB. In late 2016, the first federal chief information security officer, Greg Touhill, was appointed and became the point person for the implementation team. However, his scope was broader than just the set of initiatives reflected in the CAP goal. Several subgroups sponsored by the cross-agency chief information officers provide support as well. These include a cross-agency Chief Information Security Officers Council and a Joint Cybersecurity Metrics Working Group.

The cross-agency priority goal is implemented within the context of broader cybersecurity initiatives and the dynamics associated with ongoing breaches and incidents. The CAP goal focuses more on risk management than on technology fixes. OMB annually issues guidance to agencies describing new initiatives, requirements, and priority areas of interest. OMB also convenes periodic “Cyberstat” reviews, which are deep-dive, face-to-face meetings with agency officials to discuss progress within individual agencies and develop strategies to better focus resources.

While there has been significant churn, there has also been measurable progress, including:

  • Designation of a federal chief information security officer to serve as a voice and executive champion for cybersecurity issues within agencies and across the government.
  • A governmentwide set of continuous monitoring tools.
  • A quarterly scorecard of status and progress by each agency.
  • Clarification of the roles and responsibilities of federal agencies in responding to cyber incidents.
  • Additional cybersecurity talent hired into government—6,000 in 2016 alone.

Next Steps

The CAP goal has been a useful foundation for several key elements of the broader federal cybersecurity strategy. It provides metrics, insight, and oversight of agency efforts. As a result of its efforts, the fiscal year 2017 budget requested $19 billion to support cybersecurity efforts; its approval awaits completion of the pending budget. This includes pending legislation to create an IT modernization fund to replace vulnerable legacy systems.

The federal CIO Council, under the leadership of former federal CIO Tony Scott, offered an assessment of the status of federal IT, including cybersecurity, and recommended future actions, most of which are reflected in existing plans and reports. In addition, Touhill, the former federal chief information security officer, offered his insight as well. According to Federal News Radio, he concluded: “agencies don’t need any more policies around cybersecurity and technology. . . . In fact, . . . the Office of Management and Budget had identified 63 policies that needed to be rescinded. . . . The success measure is not the number of policies, but how well you execute them.”

The new Administration is still putting its agenda in place. According to NextGov: “An executive order seemingly prepped for President Donald Trump’s signature would order four major reviews of the nation’s cyber vulnerabilities and capabilities but would not make any immediate changes to U.S. cyber posture.”

But a day later, Federal News Radio reported that the pending executive order would be more proactive, where “department secretaries now will be held more accountable than ever for managing their agency’s cyber risks. The draft order would require agency senior leaders to implement the cybersecurity framework developed by the National Institute of Standards and Technology to measure and mitigate risk. . . . Then, the Office of Management and Budget would assess and manage cyber risk governmentwide.”
