Get Silicon Valley Execs Out of Government Cyber, Major Report Urges

The incoming Trump administration should rely more on Washington bureaucrats to secure federal agencies and less on Silicon Valley CEOs, according to a Wednesday report prepared by lawmakers and cyber experts.

The report, from the Center for Strategic and International Studies’ Cyber Policy Task Force, faults the government for “misunderstanding” how government works and compounding the government’s cybersecurity problem “with its desire to bring high-profile business executives into government.”

“While the government can learn much from corporate experience, particularly in the delivery of services, the United States needs a different structure than a corporation if it is to effectively manage policy and programs,” the report notes, adding “these White House CTOs, CISOs, CIOs need to be pruned.”

President Barack Obama made a major push to hire executives from Microsoft, Google and other top tech companies into his administration and created the first governmentwide positions for a chief information officer, chief technology officer and chief information security officer.

The report, titled “A Cybersecurity Agenda for the 45th President,” is modeled on a similar agenda created before Obama took office in 2009, which was considered highly influential for the new administration.

These officials had some successes, such as CIO Tony Scott’s “cyber sprint” to shore up government defenses, but also sometimes struggled to manage government’s arcane bureaucracy. Other initiatives such as CIO Vivek Kundra’s 25-Point Implementation Plan to Reform Federal Information Technology achieved more limited success.

This version was co-chaired by House Homeland Security Chairman Rep. Michael McCaul, R-Texas; Sen. Sheldon Whitehouse, D-R.I., who serves on the Senate Judiciary Committee; Karen Evans, a former top White House cybersecurity official under President George W. Bush who is advising the Trump transition; and Sameer Bhalotra, former White House senior director for cybersecurity under Obama.

The report gives a mixed assessment of the Obama administration’s cyber policy, saying the president “exceeded the art of the possible” in terms of establishing new cyber policies and bringing order to a messy cyber bureaucracy. “However, despite progress, advanced attackers can still penetrate most American networks,” the report notes.

It recommends the Trump administration take a more aggressive approach to defending cyberspace than the Obama administration and put less faith in the private sector to defend its own networks, though it stops short of advocating specific regulations.

Here are some other highlights:

Force the private sector’s hand on encryption:

The report urges a non-absolutist approach to encryption, effectively endorsing a proposal by Senate Intelligence Chairman Richard Burr, R-N.C., and outgoing ranking member Sen. Dianne Feinstein, D-Calif., which would require private companies to help the government break through or bypass strong encryption under certain circumstances and with a court order. That puts the report authors at odds with most technologists and civil liberties advocates and with a bipartisan congressional report from the House Judiciary and Energy and Commerce committees.

Apple refused an FBI request to help the bureau crack into an encrypted iPhone used by San Bernardino shooter Syed Farook in 2015, sparking a legal battle.

Trump urged a boycott of Apple during that dispute, though he hasn’t spoken extensively about encryption since.

Dual track international agreements:

The Trump administration should follow a dual track strategy on international cyber agreements, aiming for consensus on a broad range of issues with like-minded allies and on narrower areas of common interest with cyber adversaries such as Russia and China, the report argues.

Specifically, the U.S. should renegotiate elements of the 2001 Budapest Convention, the most powerful international agreement on combating cyber crime, in order to convince Brazil, India and China to sign on. Those nations have refused to join the pact because they were not part of the original negotiations.

Keep DHS in the lead:

The Trump administration should retain the Homeland Security Department as the lead agency for protecting private-sector critical infrastructure despite strong arguments for giving the Defense Department or the FBI a greater role, the report concludes.

The Trump administration should, however, strip non-cyber responsibilities from DHS’ main cyber agency, the National Protection and Programs Directorate, and elevate NPPD into a “national cybersecurity agency” with operational responsibilities similar to U.S. Customs and Border Protection.

Trump pledged in a video message before Thanksgiving to launch a DOD-led review of “vital infrastructure” cybersecurity, raising concerns that he might try to transfer some DHS cyber responsibilities to DOD.

The CSIS report also endorses streamlining congressional oversight of DHS and cybersecurity, which has long been a priority for House Homeland Security Chairman McCaul.

The administration should also retain the White House cybersecurity coordinator role currently filled by Michael Daniel and elevate that role from a “special assistant to the president” to an “assistant to the president” status, the report notes.

Crack the lock on info sharing:

The government must release more information about cyberattacks to the private sector and do it in a speedier manner, the report argues, stating “much of this information does not pose a risk to sources and methods if released, and a senior cybersecurity official must be empowered to order the release.”

The government must also ease the path for private companies that have been breached to anonymously release more information about their attackers. “This could be modeled on the National Transportation Safety Board (NTSB), which investigates air crashes, or the Federal Aviation Authority’s Aviation Safety Reporting System (ASRS), where there is a blanket prohibition against using submitted information for enforcement purposes,” the report notes.