White House Adviser Wants to Move Cyber Risk Decisions Up the Chain

Cybersecurity Coordinator Rob Joyce also urged members of an advisory board to help the government combat botnets.

A key goal of President Donald Trump’s recent cybersecurity executive order is to manage cyber risk on a governmentwide level rather than allowing agencies to make ad hoc determinations, the president’s top cyber adviser told an advisory board Thursday.

Currently, as a result of either budget constraints or poor cyber management, numerous agencies are relying on outdated software that may be vulnerable to attacks, White House Cybersecurity Coordinator Rob Joyce told members of the National Security Telecommunications Advisory Committee.

For example, the outdated Windows XP operating system, which was a target of the recent WannaCry ransomware attack, is still used in some smaller agencies, Joyce said. In 2014, Microsoft stopped issuing patches to protect against hackers targeting XP, but it issued an emergency patch this month to protect against the WannaCry attack.

The Trump administration’s goal, he said, is to pinpoint where those outdated or risky systems exist, to make governmentwide decisions about whether those risks are acceptable and to reallocate money to update those systems when the risk is unacceptable.

“If we allow individual departments and agencies to fend for themselves, we often will get the lowest common denominator as our weakest link in what is an interlinked federal network,” he said.

The executive order, released last week, mandates agencies adhere to a cybersecurity framework developed by the National Institute of Standards and Technology, and promises to hold agency heads accountable for poor security, among other directives.

It also directs the Homeland Security and Commerce departments to work with private businesses and other stakeholders to make the internet more resilient against botnets, which are armies of infected computers that hackers conscript to launch cyberattacks unbeknownst to their owners.

There were initial concerns that the section would include new mandates for industry, but the final draft makes any cooperation voluntary.

Joyce urged private-sector members of the advisory committee to share botnet-combating ideas with the White House.