Trump talks cybersecurity, modernizing federal IT; EO postponed [UPDATED]

President Donald Trump signs an executive order Tuesday, Jan. 24, 2017, in the Oval Office of the White House in Washington. (AP Photo/Evan Vucci)

In the wake of his draft cyber review memo leaking last week, President Donald Trump met with cybersecurity professionals Tuesday afternoon before a planned signing of an executive order detailing federal agencies’ responsibilities for protecting the nation’s networks.

While the president originally planned to sign the order Tuesday afternoon, White House Press Director Stephanie Grisham said the signing was canceled, declining to provide further details.

“I will hold my cabinet secretaries and agency heads accountable, totally accountable for the cybersecurity of their organizations which we probably don’t have as much, certainly not as much as we need,” Trump said Tuesday while discussing relevant issues with cybersecurity adviser and former New York Mayor Rudy Giuliani; Sen. Dan Coats, R-Ind., the nominee for director of national intelligence; current NSA Director Adm. Mike Rogers and former Director Keith Alexander; Homeland Security Secretary John Kelly; National Security Adviser Gen. Mike Flynn; Counterterrorism and Homeland Security Adviser Tom Bossert; and Senior Adviser Jared Kushner, among others.

“We will empower these agencies to modernize their IT systems for better security and other uses,” the president said.

The order itself — as outlined by an administration official earlier in the day — doesn’t include any new proposals. It puts the onus on agency IT managers and CIOs to protect their systems; directs agencies to adhere to NIST’s cybersecurity framework; and gives the Office of Management and Budget authority to set policy and monitor security across the executive branch. The intent is instead to reiterate and strengthen those existing responsibilities.

“This is not new, that’s a requirement,” the administration official said. “What we’re doing moving forward is attempting to make agency heads aware that they have a deep responsibility here as opposed to delegating it down to their CIOs or more subordinate junior staff. We want them to stay on top of it and we believe that President Trump’s Cabinet will do so.”

The final point — OMB’s role — builds on work done toward the end of the Obama administration, with the appointment of a federal chief information security officer (CISO) within OMB, reporting to the federal CIO, charged with setting broad cybersecurity policy.

The first federal CISO, Gregory Touhill, spent only a few months in the job before leaving public service just before inauguration.

“What we’re asking now is for the OMB director to run an effort — or to lead an effort — to then assess the enterprise risk to the entire federal government,” the official said.

The order also harkens back to another late Obama administration initiative: the Modernizing Government Technology Act, a version of which passed the House in September but languished in the Senate. While it was not clear whether the exact legislation would be revived, the Trump administration said it plans to make IT modernization a key part of its cybersecurity posture.

“This order also directs the agency heads to begin to plan for the deliberate modernization of the federal executive branch IT,” the official said. “Working with the assistant to the president for intergovernmental affairs and technology initiatives, this will be critical, and it’s a long overdue step, important to the ability to secure our networks and data.”

The Obama administration originally proposed a $3.1 billion revolving fund to manage these upgrades. However, the final version of the MGT Act to pass the House required agencies to find funding within their existing budgets, with a much smaller revolving fund. Legislators failed to reach a compromise last year on just how large that fund would be.

“The idea here is to ask the government to, in a responsible fashion, come back and provide a methodology working with Congress for the appropriate budget funding to modernize that IT,” said the Trump official. “It will cost money over time, but so would maintaining very old and difficult to defend networks and software.”