President Donald Trump on Jan. 31 directed the heads of federal departments and agencies assume responsibility for managing cyber security risk, saying security of their networks could be better.
Trump had been expected to sign an executive order on strengthening cyber security but the White House press office said Jan. 31 afternoon that the signing had been canceled, without saying why.
Trump had lunch on Jan. 31 with Rudy Giuliani, who is providing outside counsel on cyber security matters, and followed that meeting up with an afternoon “listening session” with the former New York City mayor and cyber security experts.
Trump said at the meeting that he will “hold (his) cabinet secretaries and agency heads accountable, totally accountable, for the cyber security of their organizations, which we probably don’t have as much, certainly not as much as we need.” A portion of the meeting was covered by the White House press pool, which provided quotes from the president.
The president also said “We will empower these agencies to modernize their IT systems for better security and other uses. We will protect our critical infrastructure such as power plants and electrical grids. The electrical grid problem is a problem, but we’ll have it solved relatively soon.”
A White House official who briefed reporters earlier in the day said there would be a cost to the IT modernization, but that the administration could make a case to Congress that it is worth it in terms of “long-term cost efficiency.”
Trump also said the government needs to provide support to the private sector to help “owners and operators” protect their critical infrastructure, adding that the “private sector is way ahead of the government in this case.” Trump didn’t provide any details on how the federal government, currently through the Department of Homeland Security, will enhance the way it works with the private sector to strength the security of their networks.
The president did take a jab at the Democratic National Committee, which the federal government said last fall was hacked by the Russian government in an attempt to influence the presidential election on behalf of Trump.
Trump said the Democratic National Committee “spent hundreds and hundreds of millions of dollars more money than we did” yet “was hacked successfully, very successfully and terribly successfully.” He acknowledged that the Republican National Committee was also hacked, “but they failed,” presumably referring to the Russian government. He added that “we had a very strong defense system against hacking.”
Giuliani, at the meeting, praised Trump for convening the council of cyber experts. He added that in some cases, the private sector may have better cyber security solutions than the government and, in other cases, the government’s solutions might be better.
“Plus, we can search around the world, including countries like Israel and places where they’re doing a lot of advance cyber security analysis,” Giuliani said. “We can look for long-term solutions.”
Congress and the administration of former President Barack Obama worked together on legislation to incentivize the private sector to voluntarily share cyber threat information with the federal government. DHS also created an automated portal for real-time sharing of cyber threat indicators between the government and private sector. The private sector has been somewhat slow to share threat data with the federal government due to lingering liability concerns.
Giuliani said that by holding meetings and “using the bully pulpit,” Trump can “get the private sector to wake up. Some of the private sector have to wake up to the fact that they have to do more.”
The White House official that briefed media ahead of the cyber security experts meeting also said the forthcoming executive order would direct federal agencies to use a risk management framework that was developed under a private-public endeavor during the Obama administration to help companies better address how to strengthen their cyber posture.
“The executive order further directs the director of the Office of Management and Budget (OMB) to assess and manage the collective risk of the federal executive branch,” the official said, according to the pool report.
“This is a key distinction I’d like you to pick up on,” the official said. “Under existing statute, each agency head is responsible for managing their enterprise as an enterprise risk management function. Some of these are very large enterprises, as you might imagine. What we’re asking now is for the OMB director to run an effort, or to lead an effort, to then assess the enterprise risk to the entire federal government. Not the judicial or the legislative branch, but the entire executive branch.”
“The idea here is, as you’ll recall, there will be assumptions of risk that some secretaries or other agency heads choose on purpose to assume,” the official said. “We want to be informed of that so we can assess the risk to the entire enterprise at the federal executive branch.”
The experts at the meeting included U.S. Cyber Command Chief and National Security Agency (NSA) Director Navy Adm. Mike Rogers; retired Army Gen. Keith Alexander, Rogers’ predecessor at Cyber Command and the NSA and currently president and CEO of the strategic consulting firm IronNet Cybersecurity; Homeland Security Secretary John Kelly and Dan Coats, Trump’s pick as Director of National Intelligence (DNI) and a former Republican senator from Indiana.
Other meeting participants included White House aides such as Steve Bannon, Trump’s chief strategist; Jared Kushner, senior advisor; Mike Flynn, national security advisor; retired Army Col. Andrea Thompson, national security advisor to Vice President Mike Pence; Reince Priebus, chief of staff; Reed Cordish, director of intergovernmental initiatives; retired Army Gen. Keith Kellogg, chief of staff for the National Security Council and Tom Bossert, advisor for Homeland Security and Counterterrorism.
Speaking to reporters afterward but without taking questions, Alexander said that Trump went around the room asking questions to the experts.
“I only wish all the people in the United States could see what he does and what he did there,” Alexander told media representatives.