Trump-Era DHS Cybersecurity Priorities a Mix of Old, New, Officials Say
The Department of Homeland Security will continue to advance on some areas of cybersecurity policy begun during President Barack Obama's administration, even as the department begins to implement President Donald Trump's nascent cyber strategy, current and former federal officials said Monday during a New America event. Administration officials are developing contours of cybersecurity policy priorities, including via Trump's anticipated cyber executive order (see 1701310066 and 1703060048). Congress' main cybersecurity role in the 115th Congress is likely to be exercising its oversight role over recently passed cybersecurity bills, said Congressional Cybersecurity Caucus Co-Chairman Jim Langevin, D-R.I. Meanwhile, National Governors Association Chairman Terry McAuliffe, D-Va., touted state governments' growing role in cybersecurity.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
DHS acting National Protection and Programs Directorate (NPPD) Deputy Undersecretary-Cybersecurity Jeanette Manfra said the department and White House are “very much aligned” on priorities for the order. White House Homeland Security Adviser Thomas Bossert and other administration officials have indicated they plan to bolster cybersecurity spending at DHS and the Department of Defense, and seek to modernize the federal IT infrastructure. That strategy includes designating DHS to lead a shift to a managed service provider model for federal agencies' cybersecurity. DHS hopes to create a strategy “in the next couple months” and implement that plan over a two-year period, Manfra said.
DHS also anticipates continuing to push some of the cyber policy priorities introduced during the Obama administration, including the department's bid to reorganize NPPD as the Cybersecurity and Infrastructure Protection Agency, Manfra said. House Homeland Security Committee Chairman Michael McCaul, R-Texas, vowed to reintroduce legislation this year on the NPPD reorganization after it failed to advance last Congress (see 1701050073). Manfra also noted DHS interest in continuing to pursue cybersecurity workforce initiatives begun during the Obama administration and the Obama administration's emphasis on critical infrastructure cybersecurity.
Former NPPD Undersecretary Suzanne Spaulding urged the Trump administration not to overemphasize Defense's cybersecurity role at the expense of DHS' role, given Trump's December vow to expand DOD's role. Trump said he wanted to direct the DOD and the chairman of the Joint Chiefs of Staff to “develop a comprehensive plan to protect America’s vital infrastructure from cyberattacks, and all other form of attacks” (see 1611220065). “It is really important that we continue to have a civilian agency” at the lead of federal government cybersecurity efforts, Spaulding said. She cautioned against efforts to create a separate federal agency with centralized cybersecurity authority since cyber responses require a “granular” understanding that differs greatly by sector.
Cyber Threat Alliance President Michael Daniel, former White House cybersecurity coordinator under Obama, also cautioned the Trump administration against reorganizing federal agencies' cybersecurity responsibilities, saying such a fight is “not a very productive use of time.” Officials should continue to pursue the Obama administration's emphasis on public-private partnerships on cybersecurity, Daniel said.
McAuliffe said his emphasis during his term as NGA chairman been on improving all state governments' cybersecurity (see 1607190012) because the state-level governments are an easy target for hackers that face stronger cyber deterrence practices at the federal level. “We are only as strong as our weakest link,” he said. Improved cyber practices at the state level will also “send a strong message to businesses,” McAuliffe said. Virginia's cybersecurity presence has grown significantly since McAuliffe became governor, including via the Virginia Cyber Security Commission (see 1410220053 and 1502250018). McAuliffe said he's trying to replicate the state's success in growing cybersecurity jobs with other emerging technologies, including autonomous vehicles and drones.
Langevin said he anticipates Congress' main cybersecurity policy priority during the 115th Congress will be providing oversight of the implementation of the 2015 Cybersecurity Act and other recently passed cyber bills. The act codified the DHS National Cybersecurity and Communications Integration Center's role as the main civilian hub for cyberthreat information sharing. It enacted strong liability protections for information sharing and required private sector entities to remove personally identifiable information from data before sharing (see 1512180052). Congress needs to look closely at whether that law is having the “desired effect” on cyberthreat information sharing, Langevin said.
Congress is also likely to be interested in improving cyber risk management metrics, since “if we don't know the degree to which” efforts like the National Institute of Standards and Technology Cybersecurity Framework are being used, “we’re doing ourselves a disservice,” Langevin said. He said he's aiming to file a metrics-centric bill in the near future but noted he will also look to work with other lawmakers who have filed similar legislation. Rep. Ralph Abraham, R-La., recently vowed to file legislation direct NIST to form a public-private working group that would develop metrics and implementation models for the private sector's use of the NIST framework. Abraham struck language from the NIST Cybersecurity Framework, Assessment and Auditing Act (HR-1224) during a House Science Committee markup (see 1703010068). Rep. Joe Wilson, R-S.C., refiled legislation (HR-1030) in February that would direct the Office of the Director of National Intelligence to develop metrics that “can be used to measure the damage of cyber incidents” as a way of determining how to respond to similar incidents (see 1702150027).