How New Cyber Executive Order Could Change Federal IT
President Donald Trump (File Photo)
President Trump’s long-awaited cyber executive order defines cybersecurity as “an executive branch enterprise” and seeks a single consolidated federal network architecture with centralized security and control. The order also advocates for adopting other government-wide shared services, such as email and other cloud-based services.
A single network infrastructure would simplify security, standardizing defenses and minimizing the number of access points to the open internet.
The Defense Department and Intelligence Community, which already have their own enterprise-wide networks, would either become self-contained components within a federated structure or remain as stand-alone networks. The order gives Secretary of Defense James Mattis and Director of National Intelligence (DNI) Dan Coats until Oct. 8 to justify “any deviation from the requirements.”
Either way, says White House Homeland Security Advisor Tom Bossert, “we view our federal IT as one enterprise network.”
Tying overall network security to system modernization and the adoption of more shared services opens the door to a far less federated, more centralized approach to federal information technology. It follows similar efforts in the national security space, such as the Pentagon’s pursuit of a Joint Information Environment (JIE) and the DNI’s Intelligence Community Information Technology Enterprise (IC-ITE).
Bossert said such a move is imperative. “If we don’t move to commonality and shared services, we have 190 agencies that are all trying to develop their own defenses against advanced protection and collection efforts,” he said at a press briefing on the executive order. “I don’t think that’s a wise approach.”
Responsibility for overseeing that move rests with the American Technology Council, a new entity chaired by the president himself and includes the vice president, the secretaries of Commerce, Defense, and Homeland Security, the DNI, the director of the Office of Management and Budget (OMB), the director of the Office of Science and Technology Policy, the U.S. Chief Technology Officer, the heads of the General Services Administration, the U.S. Digital Service and a few others.
The idea of a unified federal civilian network gained momentum over the past year and was a central conclusion of President Obama’s Commission on Enhancing National Cybersecurity’s December 2016 report. House Homeland Security Committee Chairman Rep. Mike McCaul also favored the idea during the executive transition to President Trump.
Acting Federal Chief Information Security Officer Grant Schneider, who has served in OMB under both administrations, told GovTechWorks in April he backed the idea, noting: “A ‘dot-gov’ environment would provide us opportunities we don’t have today,” to achieve better situational awareness, cross-agency efficiencies, common standards and technologies.
Michael Daniel, cybersecurity coordinator under President Obama and now president of the Cyber Threat Alliance, also backs the concept. “I strongly support the approach taken to Federal networks, holding agencies accountable while also encouraging the move to shared services,” he said in a statement following release of the order.
“Increasing the use of shared services and enterprise licenses could help wring cost savings out of agency IT budgets by shaking loose duplicative services and licenses. More importantly, it would also significantly enhance cybersecurity,” said Sallie Sweeney, principal cyber solutions architect with General Dynamics Information Technology (GDIT). “Centralizing control will help ensure upgrades and security patches are implemented immediately and that outdated technology is quickly phased out, which is not the case today.”
Case in point: The WannaCry ransomware attacks that spread around the globe May 12, knocked out hospitals, government agencies and even an automobile plant. “The WannaCry malware exploited a vulnerability in Windows XP – an outdated, unsupported operating system,” Sweeney said. “System owners chose the convenience of delaying the upgrade over the risks posed by maintaining an insecure system. Now they will pay the price, either with infected systems or by having to rush to make fixes that should not have been put off in the first place.”
Aged tech was also partially responsible for the 2015 security breaches at the Office of Personnel Management, Bossert noted. “We spend a lot of time and inordinate money protecting antiquated and outdated systems,” he said. “The president has issued a preference from today forward in federal procurement of federal IT for shared services: Got to move to the cloud and try to protect ourselves, instead of fracturing our security posture.”
Emphasizing cloud as a modernization solution is not new. The federal government has nominally espoused a “cloud-first” policy for IT modernization since 2010. But in practice, cloud adoption has been relatively slow, partially because of agency caution and partly because products of delays getting cloud offerings authorized through FedRAMP, the Federal Risk and Authorization Management Program.
But by emphasizing shared services as a means to help secure government networks, the order suggests that whatever reservations still remain about the security of cloud solutions are now seen as more manageable than the unseen risks of maintaining outdated technology platforms for the long term.
Just how far federal agencies will go in terms of shared services is hard to say.
Standardizing such applications across the entire government will be a monumental undertaking. Doing so even within a single agency – let alone across entire departments or even the federal enterprise – exposes all kinds of internal conflicts over budget, control and choice. Agency and department heads inevitably fear the loss of control that comes with surrendering information technology decisions to higher-level decision makers.
But the arguments in favor of enterprise contracts and expanded shared services are compelling. The Air Force cut its IT spending by 17 percent during the past two years alone, just by getting a better grasp on what it’s buying and how, according to Butch Luckie, Air Force chief of IT business analytics. Luckie told Federal News Radio that consolidating 2,200 contract actions into a single, service-wide maintenance agreement with Cisco will save the service $109 million over three years.
“Multiply that kind of savings over hundreds of categories and dozens of agencies and the potential easily stretches into the billions,” said GDIT’s Sweeney.