The extended wait for President Trump’s cybersecurity executive order may signal a welcome deeper dive into the challenges, a Department of Homeland Security official said yesterday.
A leaked initial version of a new cybersecurity executive order was published in January in The Washington Post but was never officially confirmed and was pulled back for more work. There is still no public word on when it will be issued.
"I kind of like that they’re out there surveying a lot of people," Brad Nix, director of the U.S. Computer Emergency Readiness Team at the Department of Homeland Security, said at a cybersecurity conference in Annapolis, Md., yesterday.
"We have to see what it looks like," said Dan Jacobs, cybersecurity program coordinator for the General Services Administration, speaking at the Government Information Technology Executive Council conference.
"I am hearing a lot of good conversation taking place to get a sense of where agencies are and the challenges they’re facing. That’s good," he said. "Questions are being asked."
A later version of a draft cybersecurity executive order, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," leaked last month, adopted two of the Obama administration’s cyber initiatives. It stood in sharp contrast to moves by Trump to pull up other Obama policies by the roots. This draft, for instance, called for federal agencies to start using the Framework for Improving Critical Infrastructure Cybersecurity, based on a President Obama executive order.
Jacobs said that no matter what the big picture strategy turns out to be, the federal government will still be challenged to move cyber policies out quickly because of the hiring freeze and the spending limits across the government.
"Those topics still need to be dealt with," Jacobs said.
And some government officials are using the executive order as an excuse to delay decisions and actions, he said.
"It kills me, but we are still living in a world where even [information technology] implementers resist change," he said.
"I’m actually hearing on several occasions, ‘I just want to see what is happening with the cyber executive order,’" he said. "It may not drop for another two to three months."
His response, he said: "Why are you waiting? You see what the draft is. You have the ability to start posturing your agency today.
"Why are you waiting for the president of the United States to do your job?"
Nix said concentrated leadership is needed at the top to reconcile a spate of administration actions on cybersecurity, numbering 13 executive orders, laws and policies over the past four or five years, some repetitive, some innovative.
"But to my knowledge there is no real central component that is pulling all these together," Nix said. "We are kind of doing the things that we knew were missed" when the last policy directive was issued, "or the things that may be politically expedient."
Jacobs said he would have other advice for the president.
"The perception is that we are allowing international organizations to walk uncontested through our backyard," Jacobs said he would tell the president.
"That needs to end," he said. "We need to tell the American people we’re not going to allow that to happen."
Mark Kneidinger, DHS director for cybersecurity and communications at the Federal Network Resilience Division, said that within government, "we’ve made some huge gains in the past 18 months" in breaking down interagency barriers.
There is more determination than ever among government IT leadership to push ahead, he added.
But the level of collaboration is still rudimentary, he said. More must be done to improve communications models and processes. "Because the threat continues to grow," Kneidinger said. "We’re going to have to reach another level."
Mike Echols, former director of the joint program management office at the DHS National Protection and Programs Directorate, said the goal remains for an integrated cyberdefense "where everybody is playing in the same direction."