President Donald Trump delayed signing an executive order that would make the heads of federal agencies accountable for internal IT modernization and cybersecurity of their agencies.
Trump was scheduled to sign a cyber-focused executive order Tuesday afternoon after a meeting with various cyber experts. The White House canceled the signing and Deputy Press Secretary Stephanie Grisham offered no explanation.
An early draft of the executive order creates review boards to examine various aspects of the nation’s cybersecurity vulnerabilities, adversaries and workforce, led by the secretaries of Defense and Homeland Security, National Intelligence Director, and the Director of the National Security Agency.
The White House’s morning briefing hinted at several changes from the draft. For one, the executive order will direct heads of federal agencies to take responsibility for internal cybersecurity and for modernizing their organization’s technology. The agency leaders should not delegate these tasks to chief information officers, a White House official said.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
The measure will direct agency heads to work with the assistant to the president for intergovernmental affairs and technology initiatives Reed Cordish to coordinate those efforts. The director of the Office of Management and Budget will then be tasked with managing and overseeing risk across all components in the executive branch, the official said.
Trump plans to hold cabinet secretaries and agency heads “totally accountable for the cybersecurity of their organizations, which we probably don’t have as much … as we need,” he said during a meeting that included his cybersecurity adviser and former mayor of New York City Rudy Giuliani.
He also plans to “empower these agencies to modernize their IT systems for better security and other uses,” spanning federal networks and data, he said.
Agencies protecting civilian networks and infrastructure aren't "currently organized to act collectively/collaboratively, tasked, or resourced, or provided with legal authority adequate to succeed in their missions,” a draft of the executive order said.
“[M]aking it clear that the head of the agency is responsible for the systems and the data is helpful,” Rep. Jim Langevin, D-R.I., and head of the House Cybersecurity Caucus, said.
"One of the things I was really upset about with the OPM breach is the director or the agency clearly didn’t understand the value of the data they were charged with protecting," he added, referring to a massive intrusion into the Office of Personnel Management background checks that exposed the personal information of about 22 million people.
Langevin warned that agencies will need to be given resources to protect their data.
Under Barack Obama, a handful of lawmakers introduced legislation intended to promote IT modernization, including the Modernizing Government Technology Act. The MGT Act proposed that each agency create a working capital fund for modernization and that the General Services Administration operate a broader fund that agencies could apply to for additional support. The bill passed the House, but after the Congressional Budget Office estimated the cost at $9 billion, it didn’t get traction in the Senate.
Broad IT modernization “won’t be satisfied with a reshuffling of organizational charts,” Rep. Gerry Connolly, D-Va., said in a statement emailed to Nextgov. He said he hoped the new administration would be willing to invest in cybersecurity and IT upgrades by “leveraging savings,” as the MGT Act intended.
Trump noted during his meeting with Giuliani that agencies need to work with the private sector, which is “way ahead of government” in cybersecurity capability, to make sure owners and operators “have the support they need from the federal government to defend against cyber threats.”
Despite the fact that the Democratic National Committee spent “hundreds and hundreds of millions of dollars more money than we did,” they were hacked “terribly successfully,” Trump said during the meeting. “And the Republican National Committee was not hacked. Meaning it was hacked, but they failed. It was reported, I believe, by Reince [Priebus] and other people that it was hacked, but we had a very strong defense system against hacking.”
Giuliani noted that the private sector is “wide open to hacking, and sometimes by hacking the private sector, you get into government. So we can't do this separately.”
Joseph Marks contributed reporting.