This article first appeared on CyberScoop.
In cybersecurity policy, if in nothing else, there is likely to be a great deal of continuity between the Trump presidency and its predecessor, scholars and executives said Wednesday — seizing in particular on a renewed push for federal IT modernization expected from the incoming administration.
“What you see in the draft [executive order on cybersecurity the administration has been circulating] more than anything else is continuity,” Jeffrey Eisenach told an event at Stanford University’s Hoover Institution Washington campus Wednesday. Eisenach is a scholar at the right-leaning American Enterprise Institute think tank and was a volunteer for the Trump transition team.
“There is not a partisan divide on this question,” he continued. “The issues [Republican critics of the Obama administration raised] went to execution,” rather than policy.
“If you talked to people in the Obama White House, in the Obama cyber world during the last year of the administration, I think they were painfully aware that there was a gap between the vision and the execution,” he concluded.
His remarks reflected a broad consensus among the panelists and speakers at the event, although Adam Klein, of the Center for a New American Security, cautioned that “There’s a lot of conjecture in this.”
“Many of the people who will shape these policies aren’t in place yet,” he noted, adding that the administration is “likely to be reactive rather than proactive until their people are in place.”
But the early signs seem encouraging, noted Steve Grobman, CTO of Intel Security, formerly known as McAfee.
Trump’s draft cybersecurity EO puts a focus on modernizing federal IT that Grobman called “critically needed [and] long overdue.”
“Properly managed and funded this draft order would enable the retirement, replacement and modernization of legacy federal IT that is difficult to secure and expensive to maintain,” Grobman noted.
Eisenach said he didn’t know when or even whether the EO would be signed, but it does represent a “clear policy direction” from the top.
“If you look at the draft [EO] the focus on upgrading federal IT is quite clear and something everybody ought to take heart about,” added Eisenach.
Denise Zheng from the Center for Strategic and International Studies said that if she had to single out one recommendation, “I think it’s procurement and how the federal government buys technology to secure its own networks.”
She said that there was a growing realization that better security could be achieved through centralizing the provision of some IT services and buying in others from outside — something that industry was likely to welcome. “There is certainly an appetite to do managed services, to outsource and to do less of the government’s own cybersecurity by itself. And I do think there’s an alignment of government and industry interests there,” she said.
Along with the focus on upgrading IT, the draft EO puts stress on making agency heads responsible for securing their own IT systems, which Grobman said would make a big difference.
“For too long cybersecurity policies and operational outcomes have been delegated too far down the management chain, often with poor results,” he said. “Holding heads of government agencies responsible for cybersecurity outcomes in their agencies and putting [the White House Office of Management and Budget] with its budgetary authority in a lead position to drive accountability throughout government has the potential to radically improve the security posture of government agencies,” he added.
“Our initial impressions are positive,” Grobman summed up. “The administration is off to a good start.”