Trade Law Daily is a Warren News publication.
CENC, CSIS Recommendations Highlighted

House Research and Technology Hearing Turns Rancorous Over Trump Cybersecurity Concerns

House Research and Technology Subcommittee members spent a significant part of a Tuesday hearing trading barbs over criticisms of President Donald Trump's cybersecurity practices since taking office in January, instead of examining recommendations from the Commission on Enhancing National Cybersecurity (CENC) and other entities. The hearing was meant to focus on the recommendations and how they could aid federal government cybersecurity (see 1702080032). A House Science aide told reporters Monday the hearing could aid in “some legislation a little later this year,” though Trump's anticipated cybersecurity executive order (see 1701310066) will “have some relevance” in shaping the bill.


Ranking member Eddie Bernice Johnson, D-Texas, said she would “not accept” comments from House Science Republican members and staffers that criticized committee Democrats' push for an investigation into the Trump administration's cyber practices. Concerns about the Trump administration's cyber practices focused on news reports Trump is using his old smartphone instead of a government-issued secure device, and claims some Trump staffers are using private email accounts for official business. Johnson and other House Science Democrats suggested in a letter last week the committee should be as interested in the Trump administration's cyber problems as it was last year about former Democratic presidential nominee Hillary Clinton's use of a private email server while she was secretary of state.

The House Science Democrats' letter “can be seen as a positive sign,” a GOP aide told reporters during a conference call Monday on condition of not being identified. During the 114th Congress, the Democratic members said the committee was “off on the wrong track” when it “undertook to look at the [2015 Office of Personnel Management] cyberattack and breach, multiple breaches at the [Federal Deposit Insurance Corporation], attacks at the IRS and so on and so forth,” the aide noted. Chairman Lamar Smith, R-Texas, also cited the hypocrisy in committee Democrats' concerns about the Trump administration's cyber issues. “We were pleasantly surprised to learn of your newfound interest in the Committee’s oversight and investigatory responsibilities, particularly given your often heated rhetoric attacking the Majority’s cybersecurity investigations in the past,” Smith said in a letter.

House Science Democrats' interest in oversight of the executive branch's cybersecurity didn't start with Trump's transition into the White House, Johnson said during the hearing. House Science Oversight Subcommittee ranking member Don Beyer, D-Va., also rejected House Science Republicans' comments, noting committee Democrats' past interest in both the OPM and FDIC incidents. Trump has been in office “for less than one month and cybersecurity issues are already plaguing his presidency,” Beyer said: “I hope [House Science Republicans] will continue to show interest in investigating” executive branch cyber incidents “even when they involve a sitting Republican president.”

The hearing reviewed recommendations. GAO has “consistently” found shortcomings in the federal government's approach to the cybersecurity of its IT systems, Information Security Issues Director Gregory Wilshusen said. It now believes the Department of Homeland Security must “expand” its cybersecurity capabilities, and the federal government at large needs to “effectively” implement government-wide risk-based cybersecurity programs, Wilshusen said. The federal government also needs to improve its protection of personally identifiable information, including ensuring privacy for electronic healthcare records, he said.

CENC's recommendations (see 1612020050) emphasize “the need for collaborations between the public and private sectors, as well as international engagement,” said NIST Director-Information Technology Lab Charles Romine: The recommendations report “also discusses the role consumers must play in enhancing our digital security.” NIST is “actively considering additional steps” to assist federal agencies in improving their cybersecurity practices, including encouraging the agencies to “take advantage” of NIST's Cybersecurity Framework as a way of implementing Federal Information Security Management Act (FISMA) rules, Romine said. “Thoughtful application” of the NIST framework's risk management approach across the federal government “could complement and enhance” meeting FISMA, he said.

The Center for Strategic and International Studies' Cyber Policy Task Force believes the U.S. needs to develop a “new international strategy” on cybersecurity that emphasizes partnerships with “like-minded nations,” improvements in cyber deterrence and development of responses and countermeasures “that go beyond the threat of military action,” said VMware Chief Technology Officer Iain Mulholland, a task force member. The federal government must also make a “serious effort” to reduce cyber crime that involves “international cooperation to fight botnets and sophisticated financial crime,” he said. The Trump administration should “use incentives when possible to encourage improvements in the private sector's cyber hygiene” but also should “be ready to regulate if incentives don't work,” Mulholland said. A “stronger” DHS role in cybersecurity is critical, as is clarification of the roles that the Department of Defense and other agencies play in cybersecurity, he said. The task force recommended in part that Congress move forward with legislation to reorganize DHS's National Protection and Programs Directorate into the Cybersecurity and Infrastructure Protection Agency.