A presidentially commissioned task force on cybersecurity says the incoming Donald Trump administration needs to begin shoring up the federal government’s IT security posture by granting a promotion to the White House official who oversees cybersecurity, giving that person the title of “assistant to the president” and having him or her report directly to the National Security Advisor.
Elevating the post of Cybersecurity Coordinator, a position currently held by Michael Daniel — a lower-level “special assistant” to the President — would help ensure cybersecurity becomes an everyday part of how the federal government does business, the Commission on Enhancing Cybersecurity said in its final report.
The newly empowered coordinator would also be in charge of keeping the director of the Office of Management and Budget apprised of what federal agencies, the federal chief information officer and the federal chief information security officer are doing to secure federal systems.
“It’s not so much about changing the structure, it’s about solidifying and empowering the structure,” Kiersten Todt, the commission’s executive director, said Monday at a Washington event hosted by the New America Foundation. “We make an analogy to counterterrorism: When there’s a terrorism issue, the President turns to Lisa Monaco, his assistant for counterterrorism and homeland security. Right now, cybersecurity is part of Lisa’s portfolio, but it also has other homes throughout government. This would allow the President-elect to have one individual to turn to when something like the OPM breach happens and ask how we’re going to look at it across the board.”
Todt said the commission had briefed President Barack Obama on the recommendations on Friday. The current administration is now in talks with Trump transition officials to schedule a similar briefing, and the commission expects to discuss its 100-page report with the incoming administration soon.
The 53 specific action items deal with a varied range of national topics from public awareness and education to privately-owned critical infrastructure, state and local government cybersecurity and the “Internet of Things,” but several are focused specifically on how the federal government is organized to defend itself from cyber attacks.
The commission said the government needs to create a new agency — or reassign an existing one — to focus solely on defending federal networks and national critical infrastructure. That agency would also be in charge of consolidating all civilian federal agency network connections into a single, more defensible infrastructure and setting new standards that IT systems have to meet in order to connect to the network.
“Two areas, in particular, would benefit: providing secure and reliable internet connectivity to federal agencies, and procuring standard devices and services,” commissioners wrote. “In addition to administering the consolidated federal network, this agency would monitor and assess information technology trends across the digital economy, with an emphasis on critical infrastructure. This tasking would help address the limited capability within the federal government to monitor and assess these trends in the United States and gauge how they might affect the cybersecurity of critical infrastructure, consumers, and the federal government.”
And when it buys new IT, the government must consider cybersecurity and the ability to integrate those systems into a shared network first, the commission said. It recommended that agency CISOs be given veto power over all new IT investments, and that the General Services Administration help agencies build integrated teams of technology and acquisition experts to guide new procurements, suggesting DoD’s Defense Advanced Research Projects Agency or Defense Innovation Unit-Experimental as possible models.
The panel also said agencies must do more to fold their cybersecurity responsibilities into their core missions rather than treating them as a “separate checklist.” Along those lines, the report recommends that the new administration, within its first 100 days, find ways to harmonize agencies’ legal duties under the Federal Information Security Modernization Act with the cybersecurity framework the National Institute of Standards and Technology promulgated as nationwide guidelines.
The framework, the commission said, must become the standard that agencies use to measure their cybersecurity posture, possibly pushing aside myriad pages of existing governmentwide guidance.
“The Federal CISO should conduct a complete and comprehensive review of all current OMB cybersecurity requirements. At a minimum, these requirements should include OMB memos, binding operational directives, reporting instructions, and audit directions. Requirements that are no longer effective, are in conflict with current presidential priorities, or are outdated should be withdrawn,” the commission wrote. “All new policies should be structured using the Cybersecurity Framework to ensure consistency in reporting and assessments.”
The commission also recommended a greater use of the National Guard as a response force to help handle the aftermath of a major cybersecurity incident, saying its members can be well-trained in cybersecurity and that governors should have more authority to deploy them to protect key systems from cyber attack.
“The governors are already using the Guard to varying degrees — there are probably 56 different models for how it’s being used, so I was happy to see that called out in the report,” said Timothy Blute, who directs the homeland security and public safety program at the National Governors Association. “We’re drafting our own paper on how governors can already use the Guard, and that’s one area, but we also need to work with DoD to clarify when and how the Guard can be used, under what status, who pays for it, under what rules. The feedback we’ve heard from states is that they want to use the Guard, but they want to use it in a way that DoD agrees with.”
Many of the other recommendations relating to the federal government’s cybersecurity practices and its organization are already in the process of being implemented via the administration’s Cybersecurity National Action Plan, President Obama noted in a statement on Friday.
“We have pushed to reduce the federal government’s reliance on legacy technologies, proposing an innovative $3.1 billion fund to modernize costly and vulnerable IT systems — a fund that the Commission proposes to expand,” Obama said. “Agencies are increasingly centralizing their cybersecurity efforts and relying on the Department of Homeland Security (DHS) for shared services like vulnerability detection, network discovery and monitoring, intrusion detection and prevention, and cybersecurity assessments of high priority IT systems.”
Another recommendation would require all agencies to mandate the use of “strong authentication” for employees and contractors accessing federal systems. The administration contends it already made significant progress on that front during the “cyber sprint” that followed the OPM data breaches, but the president also suggested agreement with another recommendation that all federal services provided directly to citizens use “appropriately strong authentication” rather than only usernames and passwords.
“Expanding the use of strong authentication to improve identity management will make all of us more secure online,” the President said. “The Commission’s recommendations are thoughtful and pragmatic. … Now it is time for the next administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation, and change.”