Mismanagement Could Scuttle Trump Cyber, IT Modernization Plans

Donald Trump rode to the presidency with a promise to bring fresh thinking from industry and a can-do spirit to the sclerotic world of Washington. That promise, if fulfilled, could pay dividends for government’s outdated and highly vulnerable technology infrastructure pummeled by cyberattacks during the Obama administration.

It could also be a big money saver, as the president himself noted Tuesday when he speculated to a group of visiting executives that the government could buy entirely new computer systems for less than the roughly $80 billion per year required to maintain its existing civilian IT infrastructure.

As the president approaches 100 days in office, however, the Trump administration has shown scant interest in the laborious, expensive and often boring work of making government more efficient and secure.

If current trends continue, former government technologists and management experts says, the end of Trump’s first term could find government more vulnerable to cyberattacks and technology failures rather than less.

The root of the problem, these observers tell Nextgov, is a mismatch between big ideas to make government more secure and efficient and the infrastructure of people, money and time needed to turn those big ideas into reality.

Without a dedicated staff inside government who trust and are committed to a president’s big new plan, they said, even the best ideas have little chance of lasting success.  

Big Plans Abound, But Implementers Missing

Trump’s big plans include a rotating suite of cybersecurity advisers announced even before Trump was inaugurated and led by former New York Mayor Rudy Giuliani. That group is still getting its footing, according to one person briefed on the matter, but expects to soon begin developing white papers on major cybersecurity topics.

More recently, Trump announced an Office of American Innovation, led by his adviser and son in law Jared Kushner, which will focus on modernizing government technology, among myriad other topics.

Those external groups could make great strides in moving the federal government to a more modern and secure digital infrastructure, former officials say.

But that can’t happen without top federal executives in place who can take those big ideas, align them with stringent federal regulations and build them into longstanding government programs and processes.

“It’s smart to set up things where you get outside advice like that, but you need people [in government] to catch and implement that advice and you need funding as well,” said Steven VanRoekel, who served as the nation’s second federal chief information officer under President Barack Obama following a private sector career at Microsoft. “You can’t do it with just mandates and you can’t do it with just resources. You need both.”

Among the most important jobs not yet filled by the Trump administration, VanRoekel and other former officials said, are the Office of Management and Budget’s deputy director for management, the federal CIO, federal chief information security officer and numerous agency CIOs and CISOs.

“You need to have the key managers and leaders in place at agencies to really make significant change and progress,” said former Homeland Security Department CIO Richard Spires who now leads the IT management training company Learning Tree International. “There’s a whole machinery in place that really can make a difference if they want to change things, but you need to have that machinery working.”

The federal CIO and CISO positions were first created under Obama and are not mandated by law, so there’s no guarantee Trump—who has said he may leave many positions vacant to save costs—will fill those posts. The president did appoint a former National Security Agency official, Rob Joyce, to another Obama-era position of White House cybersecurity coordinator in March.

A Leaner Government at Lower Ranks

Those unfilled posts represent just a sliver of the blank space making up Trump’s federal government roster.

Out of 553 top government positions requiring Senate confirmation, Trump has taken only 22 through confirmation and announced 53 more to date, according to a tally maintained by the Partnership for Public Service and The Washington Post.

As of March 20, the two-month mark of his administration, Trump had confirmed or announced 37 nominees, compared with 92 by Obama at a similar point in his administration.

A federal hiring freeze has also left thousands of jobs unfilled at lower ranks during the first months of the Trump administration. Most cybersecurity jobs were exempt from the freeze because they count as national security posts. However, many of the employees who operate, maintain or simply use government IT systems—the first line of defense against cyberattacks and mishandling of federal data and the worker bees who would put any major shift in government technology into effect— were not exempt.

Trump announced an end to the hiring freeze Wednesday, but agencies must replace it with broad plans to cull their workforces.   

“We get attacked every single day in the federal government, and having the right people in place to assess and mitigate those attacks is important for our country and our infrastructure,” VanRoekel said. “We’re facing real challenges without those people in place.”

Then, there’s the money. Trump’s budget blueprint, released in March, included a 7 percent hike for DHS, which manages several governmentwide cybersecurity programs, and touted cyber-specific funding hikes at the Defense Department and the FBI. It also included cuts of 10 percent or more to most civilian agencies, which could reduce those agencies’ ability to effectively manage and secure technology.

Big Opportunity and a Ticking Clock

With just under 100 days completed in his administration, Trump has plenty of time to fill vacant posts and to work with Congress to allocate budget money in a way that makes cyber and IT management stronger rather than weaker, former officials and management experts were quick to point out.

Kushner’s Office of American Innovation, in particular, is well-positioned to make major changes in government technology, they said, given Kushner’s broad mandate and close ties to the president.

Mallory Barg Bulman, vice president for research and evaluation at the Partnership for Public Service, a government best practices organization, compared that office to the Partnership for Reinventing Government that Vice President Al Gore helmed during the Clinton administration. That effort succeeded in numerous early efforts to digitize government operations and cut more than 400,000 federal jobs.

Like Gore, Kushner “has the ear of the president” and easy access to him as well as authority to “coordinate across government and across sectors,” she said.

The office’s mandate also includes a host of other priorities, including better serving veterans, improving infrastructure and combating the nation’s opioid epidemic, however, and the arduous process of modernizing government technology, could get lost in the shuffle.

Giuliani’s cyber advisory group, by contrast, has less assured access to the president and possibly less focus time by its leader. Giuiliani is not being paid for his work and is doing it on top of other professional responsibilities with his law firm Greenberg Traurig, where he is a senior adviser and chairs the firm’s cybersecurity practice.

That commission “needs to have some kind of imprimatur or it will be harder to turn good ideas into outcomes,” said Dave Wennegren, chief operating officer of the Professional Services Council, a government technology industry group.

Trump officials floated a draft cybersecurity executive order during administration’s first weeks that would launch a major review of digital vulnerabilities in government and mandate some best practices. That order was abruptly pulled and it’s not clear when it will be released.

That delay could be a good sign if the administration is gathering more feedback from experts inside and outside government or waiting for the order’s chief implementers to be in position, Wennegren said.

“You want to have a confluence,” he said. “I have an important plan and here are the people who will carry out that plan. You need to have a deputy director for management at OMB and a federal CIO and undersecretaries for management at the agencies. Otherwise, you could write a document in the first month, but have no one do anything for six months.”

Delay too long, though, and you’ve missed your opportunity, he said.

“Your first year is that golden moment of opportunity because you never know what’s going to happen in the midterm elections,” Wennegren said. “You’ve got a mandate from the people who got you elected, so that first 12 months is absolutely crucial. I’d like to see a strong statement about cybersecurity and IT modernization in the first year.”