Firing Isn’t the Only Option for Holding Leaders Accountable for Cyber Lapses, Federal CISO Says

Holding government leaders accountable for cybersecurity lapses was a major pillar of a cybersecurity executive order President Donald Trump issued in 2017 and of a national Cybersecurity Strategy released last month.

The government is unlikely to advertise when it brings that accountability to bear, however, federal Chief Information Security Officer Grant Schneider told reporters Thursday.

When asked for particular instances of accountability for agency security incidents and low compliance scores on cybersecurity metrics, Schneider replied that the government was likely to be discreet about disciplinary action.

“The government is never going to publicize anyone getting fired for anything,” he said, adding: “I think there are a variety of ways to hold people accountable besides they got fired from the federal government.”

People who fail to meet cybersecurity requirements may be ushered out of their positions in ways that aren’t officially recorded as an involuntary separation from the federal government, Schneider added.  

Schneider was speaking after an address at a U.S. Chamber of Commerce cybersecurity summit during which he stressed the importance of accountability in cybersecurity for federal managers, industry leaders and U.S. adversaries.

“The direction we’re taking on cybersecurity is really a movement from a focus on policy and process to one on action and accountability,” he said during the address.

Last month’s National Cybersecurity Strategy included numerous priority actions, such as centralizing cybersecurity management within the federal government, encouraging nations to abide by norms of good behavior in cyberspace and incentivizing a secure and adaptable marketplace for information technology.

In the coming months, federal agencies will be creating implementation plans to achieve those goals and to ratchet up accountability for individuals and organizations that don’t meet them, Schneider said.

The government’s accountability effort for the private sector will likely vary based on industry sector and may vary company by company, he said.

Schneider also praised a recent Trump administration move to speed up the approval process for offensive cyber operations launched by the military and intelligence agencies. The goal of the move is to ratchet up consequences for U.S. cyber adversaries.

Under the previous Obama administration rules most offensive cyber actions required White House approval. Under the Trump administration procedure, that approval typically comes from within the organization launching the operation.

The government is “already seeing some dividends” from the streamlined procedure, Schneider said.