Before the 15 commission and task force reports, before the 175 collective recommendations, Tom Bossert, assistant to President Donald Trump on homeland security and counterterrorism, had a handful of priorities in mind for how the new administration should approach cybersecurity.
As it turned out, everyone working to advise the new administration was on the same page, and that shared line of thinking validates what could end up in the cyber executive order.
“Those priorities start with those things that we can control the most and the most directly,” Bossert said March 15 during the Cyber Disrupt 2017 event at the Center for Strategic and International Studies. “The most directly controllable things for President Trump and I to control are federal networks and their data. Federal networks and data is the first priority for us. Priority two … is critical infrastructure, but not all critical infrastructure is equally critical, so we will focus in on the most critical of those things. We need to tackle the notion of the security of our nation and the American people. Cybersecurity is an area we talk about quite a bit but we have not yet gotten serious about a serious deterrent strategy.”
When it comes to federal networks, Bossert highlighted IT modernization as “absolutely critical.”
“We will pursue that,” Bossert said. “You will see details in the coming weeks and months of how we will pursue that. It is not easy, but we cannot any longer defend indefensible networks.”
With a price tag of about $90 billion, don’t expect to see an overnight update of government IT systems in the budget. Trump’s “budget blueprint” is set to come out March 15, and Bossert said it will reflect the president’s view that “we need greater Defense readiness but also greater security.”
“Cybersecurity is part of his budget request,” Bossert said, adding it will be funded under defense and homeland security spending.
Bossert said getting from where federal cybersecurity is now to a fully modernized network is going to take money and time, and what happens between now and then is just as important because of what the administration will be asking of agencies when it comes to risk management.
“As we assess risk, which is not just a function of requiring departments and agencies to report to us the risk management activities, it’s also a function of them reporting to us that risk which they’re aware of and that they’re not mitigating,” Bossert said. “That’s something we have not done before, reporting your known and unmitigated risk will be a requirement moving forward.”
Bossert said that, along with a focus on modernization and risk management, the administration will be pushing for adoption of the NIST framework and will be establishing metrics for agencies and Cabinet heads to measure progress against.
“Those metrics … will be something we know when we see them,” Bossert said, adding that they would likely be internal measurements.
One of the things first leaked about the cyber EO was that the administration will hold agency heads more accountable for managing their agency’s cyber risks. The draft order would require agency senior leaders to implement the cybersecurity framework developed by the National Institute of Standards and Technology to measure and mitigate risk.
Some cyber experts, though, say that could set up agency heads to fail, since they don’t have the private sector budget or workforce to meet cyber standards. Bossert confirmed federal agency heads will be held responsible — as they have been for the last decade — for their own enterprise network security, but he also said that shared services will be a fundamental requirement when it comes to approaching cybersecurity.
“Also, not an ‘or,’ not an ‘instead of,’ … we will hold the entire federal network as an enterprise and view it as something that needs to be defended as such,” Bossert said. “We can no longer dream away the notion that we will have cybersecurity expertise in terms of capital investment and human investment resident at 190 or 220 federal agencies. It would be very difficult to achieve and sustain that, and it would be unwise for us to attempt to do it on behalf of the taxpayer.”
The private sector will also play a significant role in strengthening cybersecurity, notably in the administration’s plan to dramatically reduce the number of botnets, which are like armies of computer programs designed to look for certain weaknesses in websites and software.
Bossert said the president will publicly call for a voluntary effort to achieve that goal, which will require collaboration from social media companies and internet search engines.
When it comes to recruiting and retaining the workforce to help with these cyber efforts, Bossert said the administration will be moving toward a management service provider model, and that the Homeland Security Department is already playing that role to its “compatriot departments and agencies,” and would need to reach out to and get resources from industry.
“I think that DHS needs to do a hard internal assessment of its capacity and capabilities to meet its mission,” Bossert said. “That’s not a negative, that’s not a criticism, it’s just a thought and recommendation for DHS as they move forward; their leadership’s already engaging in that effort.”
Bossert said he and the administration will work hard to gain and keep the public’s trust when it comes to privacy, but he acknowledged that a healthy distrust of large institutions is understandable.
He also said there will be debates on “difficult topics” like encryption.
“We have to give law enforcement the tools they need to take bad people, whether they’re terrorists or cyber hackers or nation states seeking to do us harm, and we need to stop treating them in a way that mollycoddles them,” Bossert said. “We have a responsibility to stop focusing on the victim of this stuff. It’s an issue of the person who intentionally sought to do us harm. The tools we use are directed at them, not directed at the innocent citizens of this country.”