Here’s How to Really Make Cabinet Secretaries Responsible for Cybersecurity

Ari Schwartz, a special assistant to the president for cybersecurity during the Obama administration.

Ari Schwartz, a special assistant to the president for cybersecurity during the Obama administration. Jeff Chiu/AP File Photo

The president and OMB director should pester Cabinet officials about cybersecurity regularly, a former official says.

President Donald Trump’s executive order declaring Cabinet secretaries will be held responsible for their agency’s cybersecurity failings was the easy part, a former top White House cyber official told lawmakers Wednesday.

The hard part will be ensuring cybersecurity stays top of mind for those Cabinet secretaries day in and day out, said Ari Schwartz, a special assistant to the president for cybersecurity during the Obama administration.

Cabinet secretaries have known for years that their departments were vulnerable to criminal and nation-state hackers and often failing basic government security metrics, Schwartz told the House Homeland Security Committee’s cybersecurity panel. But that often wasn’t enough to break through the deluge of other policy and operational concerns, he said.

To force the issue, Cabinet secretaries and agency chiefs must feel pressure from the White House Office of Management and Budget director and even from the president himself, said Schwartz, who’s now managing director for cybersecurity at the law firm Venable.

“That means holding Cabinet-level meetings on cybersecurity and the president going around and asking each agency what they’re doing, holding up the [Federal Information Security Management Act] report card from OMB and asking them: ‘What are you doing to do more?’” he said.

The Homeland Security panel called Schwartz and other cyber experts in the wake of a May White House report that found major cybersecurity deficiencies across the government, including that 71 out of 96 participating federal agencies had cybersecurity programs at risk or high risk of significant failures.

Fixing those shortcomings will require a more nuanced approach than simply punishing low-performing officials or allocating more money to failing programs, Schwartz said. It may be counterproductive, for example, to give more money to a program that’s not effectively using the money it already has, or to fire officials who are performing poorly simply because they lack resources.

Schwartz and other experts on the panel praised the Homeland Security Department’s Continuous Diagnostics and Mitigation program as a vehicle to fix governmentwide cyber shortcomings.

Under that program, Homeland Security provides a suite of pre-vetted cybersecurity tools and services to agencies that they can plug in for particular tasks.

The full Homeland Security Committee, on Tuesday, forwarded a bill that would give the CDM program legislative backing.

Schwartz joined many U.S. cyber experts in criticizing a recent decision by National Security Adviser John Bolton to cut the position of White House cybersecurity coordinator. Schwartz would have preferred for the position to be elevated to a deputy assistant to the president position, he said.

“I think we took a major step backward by getting rid of the position totally rather than elevating it the way it should be,” he said.