Cybersecurity Executive Order

March 14, 2017 – Thomas Bossert, President Trump’s assistant for homeland security and counterterrorism, whose portfolio includes cybersecurity issues, today provided a range of updates on the executive order on cybersecurity that the administration has been developing and may issue in the coming weeks. Speaking at an event organized by the Center for Strategic and International Studies, Mr. Bossert emphasized several aspects of the coming order, preliminary drafts of which have been circulating in public venues for several weeks.

At a high level, he said the Trump administration’s priorities for cybersecurity are centered in four areas:  improving federal government agency network security, taking action to protect “the most critical” of U.S. critical infrastructure sectors, securing the U.S. against cyber attacks by developing a “serious deterrent strategy,” and sorting out how to share U.S. cyber threat data with allies in a way that will deter U.S. cyber adversaries. On the issue of protecting federal networks, Mr. Bossert confirmed that under the executive order “federal agency heads will be held responsible and accountable to the president for their own enterprise network security.” 

At the same time, he said, the administration has concluded that “federal networks at this point can no longer sustain themselves” because many of them are based on outdated equipment, and he said that modernization of network systems is “absolutely critical” to improving their security.  He said that details of the modernization effort will be made public in the “coming weeks and months.”

As agency heads assume greater responsibility for cybersecurity, they will also be tasked with reporting to the White House about the cyber risks they face, and about risks they are facing but have been unable to mitigate. “This is a new requirement moving forward,” he said. In addition, he said that the entirety of federal networks will be defined as a “single enterprise,” and that agencies will be able to avail themselves of cyber defense capabilities under a “shared services” model, with agencies including the Department of Homeland Security providing some of those services. DHS, in turn, will rely on private sector companies to furnish technology solutions, he said.

Federal agencies that need to improve network security will be allowed to appeal to the White House for resources to do that, and Mr. Bossert indicated that the Trump administration’s federal budget “blueprint” to be released tomorrow will contain details on that funding.  The president, he said, “intends to put his money where his mouth is” on funding for security improvements. “We do need to address unmet needs” in federal agency budgets for security, he said, “as opposed to an agency process where we ask for improvement but don’t give them money.”

Mr. Bossert said the administration will need support in Congress to achieve the goals of its executive order as it relates to federal agency system upgrades.  He said he has canvassed numerous members of Congress and found that “every single person of both political stripes” believes that “reform” is needed, and that “they have committed to me at least verbally” that they support the gist of the administration’s plans.

He said the administration will generate internal metrics to measure the pace of improvement in federal agency security, but said that information probably won’t be made available to the public. Asked about the executive order’s impact on privacy and civil liberties, Mr. Bossert replied that while a “healthy distrust of large institutions is understandable . . . [w]e won’t violate what people see as their core privacy expectations.” He added, however, “I can’t promise you that we will be less aggressive in terms of law enforcement.  There will still be debates on things like encryption.”

On the law enforcement front, he said that “we have to give law enforcement the tools they need” to track down “bad people . . . seeking to do us harm . . . and we need to stop treating them in a way that mollycoddles them.”  He added, “We need to start turning around the messaging on that.” Regarding cooperation with allies, he said the process will be rooted in the establishment of behavioral “norms” that reflect “our statement that we have an expectation of how people will behave themselves.”

“Those norms are important, and that’s how you start,” he said. “If they accept those norms and then fail to abide by them, we have a responsibility to do something about it,” he said, adding, “I don’t want to rush to call anyone out.” – John Curran, john.curran@wolterskluwer.com

Courtesy TRDaily