Get Silicon Valley Execs Out of Government Cyber, Major Report Urges

The incoming Trump administration should rely more on Washington bureaucrats to secure federal agencies and less on Silicon Valley CEOs, according to a Wednesday report prepared by lawmakers and cyber experts.

The report, from the Center for Strategic and International Studies’ Cyber Policy Task Force, faults the government for “misunderstanding” how government works and compounding the government’s cybersecurity problem “with its desire to bring high-profile business executives into government.”

“While the government can learn much from corporate experience, particularly in the delivery of services, the United States needs a different structure than a corporation if it is to effectively manage policy and programs,” the report notes, adding “these White House CTOs CISOs, CIOs need to be pruned.”

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

President Barack Obama made a major push to hire executives from Microsoft, Google and other top tech companies into his administration and created the first governmentwide positions for a chief information officer, chief technology officer and chief information security officer.

The report, titled “A Cybersecurity Agenda for the 45th President,” is modeled on a similar agenda created before Obama took office in 2009, which was considered highly influential for the new administration.

These officials had some successes, such as CIO Tony Scott’s “cyber sprint” to shore up government defenses, but also sometimes struggled to manage government’s arcane bureaucracy. Other initiatives such as CIO Vivek Kundra’s 25-Point Implementation Plan to Reform Federal Information Technology achieved more limited success.

This version was co-chaired by House Homeland Security Chairman Rep. Michael McCaul, R-Texas; Sen. Sheldon Whitehouse, D-R.I. who serves on the Senate Judiciary Committee; Karen Evans, a former top White House cybersecurity official under President George W. Bush who is advising the Trump transition; and Sameer Bhalotra, former White House senior director for cybersecurity under Obama.

The report gives a mixed assessment of the Obama administration’s cyber policy, saying the president “exceeded the art of the possible” in terms of establishing new cyber policies and bringing order to a messy cyber bureaucracy. “However, despite progress, advanced attackers can still penetrate most American networks,” the report notes.

It recommends the Trump administration take a more aggressive approach to defending cyberspace than the Obama administration and put less faith in the private sector to defend its own networks, though it stops short of advocating specific regulations.

Here are some other highlights:

Force the private sector’s hand on encryption:

The report urges a non-absolutist approach to encryption, effectively endorsing a proposal by Senate Intelligence Chairman Richard Burr, R-N.C., and outgoing ranking member Sen. Dianne Feinstein, D-Calif., which would require private companies to help the government break through or bypass strong encryption under certain circumstances and with a court order. That puts the report authors at odds with most technologists and civil liberties advocates and with a bipartisan congressional report from the House Judiciary and Energy and Commerce committees.

Apple refused an FBI request to help the bureau crack into an encrypted iPhone used by San Bernardino shooter Syed Farook in 2015, sparking a legal battle.

Trump urged a boycott of Apple during that dispute, though he hasn’t spoken extensively about encryption since.

Dual track international agreements:

The Trump administration should follow a dual track strategy on international cyber agreements, aiming for consensus on a broad range of issues with like-minded allies and on narrower areas of common interest with cyber adversaries such as Russia and China, the report argues.

Specifically, the U.S. should renegotiate elements of the 2001 Budapest Convention, the most powerful international agreement on combating cyber crime, in order to convince Brazil, India and China to sign on. Those nations have refused to join the pact because they were not part of the original negotiations.

Keep DHS in the lead:

The Trump administration should retain the Homeland Security Department as the lead agency for protecting private-sector critical infrastructure despite strong arguments for giving the Defense Department or the FBI a greater role, the report concludes.

The Trump administration should, however, strip non-cyber responsibilities from DHS’ main cyber agency, the National Protection and Programs Directorate, and elevate NPPD into a “national cybersecurity agency” with operational responsibilities similar to U.S. Customs and Border Protection.

Trump pledged in a video message before Thanksgiving to launch a DOD-led review of “vital infrastructure” cybersecurity, raising concerns that he might try to transfer some DHS cyber responsibilities to DOD.

The CSIS report also endorses streamlining congressional oversight of DHS and cybersecurity, which has long been a priority for House Homeland Security Chairman McCaul.

The administration should also retain the White House cybersecurity coordinator role currently filled by Michael Daniel and elevate that role from a “special assistant to the president” to an “assistant to the president” status, the report notes.

Crack the lock on info sharing:

The government must release more information about cyberattacks to the private sector and do it in a speedier manner, the report argues, stating “much of this information does not pose a risk to sources and methods if released, and a senior cybersecurity official must be empowered to order the release.”

The government must also ease the path for private companies that have been breached to anonymously release more information about their attackers. “This could be modeled on the National Transportation Safety Board (NTSB), which investigates air crashes, or the Federal Aviation Authority’s Aviation Safety Reporting System (ASRS), where there is a blanket prohibition against using submitted information for enforcement purposes,” the report notes.