Get Silicon Valley Execs Out of Government Cyber, Major Report Urges

The incoming Trump administration should rely more on Washington bureaucrats to secure federal agencies and less on Silicon Valley CEOs, according to a Wednesday report prepared by lawmakers and cyber experts.

The report, from the Center for Strategic and International Studies’ Cyber Policy Task Force, faults the government for “misunderstanding” how government works and compounding the government’s cybersecurity problem “with its desire to bring high-profile business executives into government.”

“While the government can learn much from corporate experience, particularly in the delivery of services, the United States needs a different structure than a corporation if it is to effectively manage policy and programs,” the report notes, adding “these White House CTOs, CISOs, CIOs need to be pruned.”

President Barack Obama made a major push to hire executives from Microsoft, Google and other top tech companies into his administration and created the first governmentwide positions for a chief information officer, chief technology officer and chief information security officer.

The report, titled “A Cybersecurity Agenda for the 45th President,” is modeled on a similar agenda created before Obama took office in 2009, which was considered highly influential for the new administration.

These officials had some successes, such as CIO Tony Scott’s “cyber sprint” to shore up government defenses, but also sometimes struggled to manage government’s arcane bureaucracy. Other initiatives such as CIO Vivek Kundra’s 25-Point Implementation Plan to Reform Federal Information Technology achieved more limited success.

This version was co-chaired by House Homeland Security Chairman Rep. Michael McCaul, R-Texas; Sen. Sheldon Whitehouse, D-R.I., who serves on the Senate Judiciary Committee; Karen Evans, a former top White House cybersecurity official under President George W. Bush who is advising the Trump transition; and Sameer Bhalotra, former White House senior director for cybersecurity under Obama.

The report gives a mixed assessment of the Obama administration’s cyber policy, saying the president “exceeded the art of the possible” in terms of establishing new cyber policies and bringing order to a messy cyber bureaucracy. “However, despite progress, advanced attackers can still penetrate most American networks,” the report notes.

It recommends the Trump administration take a more aggressive approach to defending cyberspace than the Obama administration and put less faith in the private sector to defend its own networks, though it stops short of advocating specific regulations.

Here are some other highlights:

Force the private sector’s hand on encryption:

The report urges a non-absolutist approach to encryption, effectively endorsing a proposal by Senate Intelligence Chairman Richard Burr, R-N.C., and outgoing ranking member Sen. Dianne Feinstein, D-Calif., which would require private companies to help the government break through or bypass strong encryption under certain circumstances and with a court order. That puts the report authors at odds with most technologists and civil liberties advocates and with a bipartisan congressional report from the House Judiciary and Energy and Commerce committees.

Apple refused an FBI request to help the bureau crack into an encrypted iPhone used by San Bernardino shooter Syed Farook in 2015, sparking a legal battle.

Trump urged a boycott of Apple during that dispute, though he hasn’t spoken extensively about encryption since.

Dual track international agreements:

The Trump administration should follow a dual track strategy on international cyber agreements, aiming for consensus on a broad range of issues with like-minded allies and on narrower areas of common interest with cyber adversaries such as Russia and China, the report argues.

Specifically, the U.S. should renegotiate elements of the 2001 Budapest Convention, the most powerful international agreement on combating cyber crime, in order to convince Brazil, India and China to sign on. Those nations have refused to join the pact because they were not part of the original negotiations.

Keep DHS in the lead:

The Trump administration should retain the Homeland Security Department as the lead agency for protecting private-sector critical infrastructure despite strong arguments for giving the Defense Department or the FBI a greater role, the report concludes.

The Trump administration should, however, strip non-cyber responsibilities from DHS’ main cyber agency, the National Protection and Programs Directorate, and elevate NPPD into a “national cybersecurity agency” with operational responsibilities similar to U.S. Customs and Border Protection.

Trump pledged in a video message before Thanksgiving to launch a DOD-led review of “vital infrastructure” cybersecurity, raising concerns that he might try to transfer some DHS cyber responsibilities to DOD.

The CSIS report also endorses streamlining congressional oversight of DHS and cybersecurity, which has long been a priority for House Homeland Security Chairman McCaul.

The administration should also retain the White House cybersecurity coordinator role currently filled by Michael Daniel and elevate that role from a “special assistant to the president” to an “assistant to the president” status, the report notes.

Crack the lock on info sharing:

The government must release more information about cyberattacks to the private sector and do it in a speedier manner, the report argues, stating “much of this information does not pose a risk to sources and methods if released, and a senior cybersecurity official must be empowered to order the release.”

The government must also ease the path for private companies that have been breached to anonymously release more information about their attackers. “This could be modeled on the National Transportation Safety Board (NTSB), which investigates air crashes, or the Federal Aviation Authority’s Aviation Safety Reporting System (ASRS), where there is a blanket prohibition against using submitted information for enforcement purposes,” the report notes.