National Security

After initial stumbles, Trump orders overhaul of federal cybersecurity

Homeland security adviser Tom Bossert speaks during the daily White House press briefing at the White House on Thursday, May 11, 2017.
Homeland security adviser Tom Bossert speaks during the daily White House press briefing at the White House on Thursday, May 11, 2017. AP

Twenty-one days past its self-appointed deadline, the Trump administration Thursday ordered a cybersecurity overhaul that mandates broad reviews of the nation’s cyber vulnerabilities and gives the military greater responsibility for the safety of computer networks.

President Donald Trump’s long-delayed executive order will force 190 federal agencies to ditch outdated computer systems and migrate toward one centralized network, with much data and processing in the “cloud,” or through shared digital access.

The administration offered no estimate of how much such a move will cost, but a senior adviser to Trump, Tom Bossert, noted that the Department of Homeland Security alone has $819 million budgeted for cybersecurity in 2018 and that $1.5 billion has been budgeted across all departments for protecting cyberspace.

Bossert said foreign hackers increasingly besieged the U.S. government, private businesses and individual internet users, and that a greater role for the federal government in ensuring security was necessary.

“The trend is going in the wrong direction in cyberspace,” said Bossert, Trump’s assistant for homeland security and counterterrorism. “Sitting by and doing nothing is no longer an option.”

Executives at private firms in Silicon Valley largely applauded the order.

“It’s absolutely positive,” said Brian Laing, vice president of products and business development at Lastline, a Redwood Shores, California, cybersecurity company. “Having something like this come down from the presidency, it really is a sign that the government is behind this.”

“Getting the government’s own cyber house in order is job one, and holding agency and department heads accountable is key,” said Steve Grobman, senior vice president and chief technology officer at McAfee, the computer security giant in Santa Clara, California.

One executive offered a slight skeptical note.

“Cybersecurity is kind of like dieting. You can have the best plan in place, but if you don’t stick to it, you won’t see the results you want,” said Brian NeSmith, chief executive of Arctic Wolf, a network security company in Sunnyvale, California.

If the government falters in implementing better cybersecurity, he said, “we’ll be reading more about Russian or other entities successfully infiltrating our nation’s defenses.”

The order gives the Pentagon a greater role in several areas, including working with other government departments in combating attacks by rogue robotic networks known as botnets, fighting foreign hackers and protecting critical areas such as dams, energy plants and the electrical grid. The executive order also sets out timetables for unifying federal computer networks, moving data into the cloud and updating computer systems.

As it is now, Bossert said, “we spend a lot of time and inordinate money protecting antiquated and outdated systems.”

Trump gave federal agencies and departments 90 days to identify risks to their networks and submit plans of action to the Department of Homeland Security and the Office of Management and Budget.

He also ordered the federal government to adopt the standards for risk management established by the National Institute for Standards and Technology, a branch of the Commerce Department. The federal government has long promoted the standards to private businesses but ignored them itself.

During his presidential campaign, Trump called the scope of national cybersecurity problems “enormous” and pledged to make the area “an immediate and top priority.” He pledged to implement a cybersecurity plan by his 90th day in office.

But the White House had stumbled in rolling out the strategy, canceling an Oval Office ceremony Jan. 31 to sign the executive order only minutes before it was to occur. Twice in February and once again in March, the signing was expected to take place. Early drafts of the executive order drew criticism.

The executive order signing came on Trump’s 111th day in office.

Bossert brushed off questions about the delay.

“We’ve sometimes been criticized for doing things too quickly, and now we may be criticized for doing things too slowly,” he said, adding, “Maybe I’m right in the middle of the sweet spot.”

The order calls for the federal government to help private companies and operators protect “our nation’s most critical infrastructures, utilities, financial and health care systems (and) telecommunications networks,” he said.

Those critical components of the economy and civic life are increasingly under attack.

“The Russians, the Chinese, the Iranians, other nation-states are motivated to use cyber capacity and cyber tools to attack our people and our government and their data. And that’s something we can no longer abide,” Bossert said.

Foreign hackers, presumably working with spy agencies, have repeatedly breached branches of the federal government in recent years. Chinese hackers are blamed for a 2014 hack at the Office of Personnel Management, pirating the personal information of some 21 million government employees – including the then-director of national intelligence – and their relatives.

Rogue hackers also forced White House servers to shut down briefly that same year, and since then they have breached the FBI, the Internal Revenue Service, the State Department, the Postal Service, the Federal Aviation Administration and the Pentagon.

Tim Johnson: 202-383-6028, @timjohnson4