Trump’s cyber job #1: protecting federal networks and data

As the White House continues to fine-tune an executive order on cybersecurity, a top official said that protecting federal networks and data as well as the critical infrastructure are the Trump administration's top two cyber priorities.

Tom Bossert, the White House homeland security and counterterrorism advisor, told an audience at the Center for Strategic and International Studies' Cyber Disrupt Summit that the administration's third priority is to protect the nation and the American people in cyberspace.

The U.S. lacks a cyber deterrence policy, and the administration will sit the cabinet down to determine how to share information with allies and deter adversaries, Bossert said.

"We will be looking for achievable ideas to that end," he said. Bossert added that the administration has already waded through 15 recent reports on cybersecurity -- from the CSIS Cyber Policy Task Force report to the Commission on Enhancing National Cybersecurity -- and 175 recommendations.

He said those reports stress the same priorities the administration is outlining.

"Federal networks can no longer sustain themselves," he said. "We cannot tolerate indefensible technology, antiquated technology, hardware and software. Modernization is absolutely critical."

He said that the administration will boost cybersecurity funding in its forthcoming budget and that details on the amount and how the administration will approach modernization will be revealed in the coming weeks and months. He cautioned that the budget will not reflect an "overnight modernization."

Cybersecurity will be funded through the departments of Defense and Homeland Security, he said. "This is not just simply an exercise in defense readiness, this is an exercise in protecting America."

It will take years to properly reform the budget process and funding, Bossert said. In addition, the administration is going to task agencies with evaluating known, unmitigated risks and vulnerabilities and prioritizing how they can address them within budget constraints.

"That requires greater investment in DHS's capabilities as far as our shared-service provider in that function and role," he said. "It also requires us to have the ability to meet those unmet needs, and that's a budget mechanism as much as it is an additional budget cost item."

He said the government must ultimately develop a structural funding mechanism to address IT needs at a federal enterprise level as opposed to individual agency processes.

"That's not a call for more money, it's a call for efficiency," he said.

The next priority is assigning responsibility, he said. "Federal agency heads will be held responsible and accountable to the president ... for their own enterprise network security."

In parallel to that, Bossert said, the administration "will hold the entire federal network as an enterprise and view it as something that needs to be defended as such. We can no longer dream away the notion that we will have cybersecurity expertise in terms capital investment and human investment resident at 190 or 220 federal agencies."

Bossert said that agencies will be required to implement the National Institute for Standards and Technology's cybersecurity framework and to deliver reports to the administration on how they will mitigate risk. The administration will review those strategies and develop private metrics and a scorecard for agencies to meet.

As part of the effort to transition to a federal enterprise approach, Bossert said shared services will be a "fundamental requirement."

The cybersecurity executive order is still being finalized and could be weeks or months away, he said, but said one item it will address is an effort to reduce botnets.

"I believe that we can radically reduce the number of botnets in this country," he said. "I believe that's a voluntary effort ... the president will call for that publicly."

Bossert said that reducing botnets will require a focus on the root causes and more cooperation from tech firms, internet providers and social media companies.

Other cyber agenda items for the Trump administration will include assessing DHS capabilities to carry out its mission and possible reforms at the agency. According to Bossert, the Trump administration will focus on giving law enforcement the tools and support it needs to go after hackers and those seeking to do harm to the U.S.

He also said that while some initiatives created under President Barack Obama might not continue, the Trump administration hopes to continue to collaborate and coordinate with the tech sector -- regardless of anyone's "political stripe."

"They have bright ideas and they're welcome," he said. "They're encouraged, because they're going to inherit the cyber earth."