President Donald Trump will bolster the nation’s defenses against online attacks by boosting cybersecurity spending in Thursday’s budget plan and later proposing measures to modernize and centralize federal computer networks, White House homeland security adviser Thomas Bossert said in his first major policy speech.
“President Trump intends to put his money where his mouth is,” in the new administration’s budget outline, Bossert told the Center for Strategic and International Studies in a keynote address at its Cyber Disrupt 2017 event Wednesday. “Cybersecurity will be funded through DHS and the Department of Defense.”
Earlier, he told a private breakfast session that there would be a “significant plus up” for cyber programs in both DHS and the Pentagon, one of the attendees told CyberScoop.
But, he said, the broader question of modernizing decades-old federal computer networks would probably take a year or two to address. “There will not be a budget [outline Thursday] that reflects an overnight modernization of [federal] IT. I think that’s somewhere around a $90 billion endeavor that’s going to require … years of investment” and much “thoughtful analysis” to ensure the money is well spent.
Bossert also announced that the president will issue a public call for internet companies to collaborate to stop the scourge of botnets — massive networks of compromised computer hardware weaponized by hackers.
For good measure, as he left the stage, Bossert gave the first official confirmation of reports that former NSA official Rob Joyce will take the post of cybersecurity coordinator at the White House.
“For those of you that speculate he’ll be joining, I’m honored to confirm that rumor,” he said. “And we’ll welcome Rob as soon as the process can work its way through.”
Joyce has headed both the offensive and defensive elements of NSA — leading at different times the ninja hackers of Tailored Access Operations and the storied cyber defenders of the Information Assurance Directorate.
“He will be an absolute treasure” in his new role at the White House, Bossert said.
Bossert sought to address head-on the issue of modernization as the key to securing U.S. government IT. “We cannot any longer defend indefensible networks,” he said.
“Federal networks at this point can no longer sustain themselves. We cannot tolerate indefensible technology, antiquated … hardware and software,” Bossert said. “Modernization is absolutely critical. We will pursue that. You will see details in the coming weeks and months on how we will pursue that.”
The guiding principle of the administration’s attitude towards federal network security, he said, was that it was “an absolutely solemn responsibility.” The government runs federal IT “on behalf of the American people. That is President Trump’s personal view … And he doesn’t view it kindly that we have bureaucrats viewing this as a responsibility among others and questions about priorities,” he said.
“If we can’t do better” on federal network security, “he’ll be very frustrated,” Bossert said.
From that principle, he explained, flowed the central premise of the draft executive order that’s been widely circulated: The heads of federal agencies will be held “responsible and accountable to the president … for their own enterprise network security.”
But he said that would be balanced with the need for a government-wide view of federal IT security — and confronting the reality that there were insufficient human and technical resources to allow multiple networks to be defended.
“Shared services will be a fundamental requirement,” he said.
“We can no longer dream away the notion that we will have cybersecurity expertise in terms of capital investment and human investment at 190 or 220 federal agencies,” he said.
But the need to strike that balance has been recognized since at least the Clinton administration, noted Barack Obama’s White House Cybersecurity Coordinator Michael Daniel.
“I would argue the balance is different, agency to agency,” Daniel told CyberScoop on the sidelines of the daylong event.
Bossert, in a conversation with Frances Townsend, for whom he worked when she held his current post in the President George W. Bush White House, laid out the process for striking that balance.
Every agency would be required to use the NIST framework to conduct a cybersecurity risk assessment and then submit it for vetting by the Department of Homeland Security and the White House Office of Management and Budget, he said.
“They’re going to be required to produce a [risk management] report for the president, but it’s going to go through the secretary of homeland security … under FISMA … It’s going to go through OMB so that they can look at it from a management perspective. And it’s going to go to the president through me, in most cases.”
But the process of vetting those reports lacked one vital component, Bossert admitted: “We’re going to have to develop metrics. We don’t have them.”
The exact metrics would need to remain secret, he said. “The idea is to defend our crown jewels from a national security perspective. And that inherently will be something that we don’t want to reveal to the public or our enemies.”
But the work to develop those metrics should be “acknowledged as we work through that process.”
Daniel welcomed what he said was a degree of continuity with the previous administration’s efforts on modernization and centralization, but cautioned that the devil of the budget proposal would be in the detail.
“Typically at this stage the budget proposal is very high-level and topline … it will be interesting to see what the detail is as that comes out later in the process,”
Bossert took no audience questions and left through a side door, avoiding reporters. Before leaving, he asked the audience not to obsess about the cybersecurity executive order that has been circulating in draft form, and which he said might be finalized in the coming “weeks or months.”
“Please don’t focus on the EO,” he said, urging the audience instead to pay attention to the budget outline Thursday.
“Please focus on our conduct and behavior. That’s more important. And the president’s priorities speak for themselves. He’s made cybersecurity a priority in his first 60 days several times, privately and publicly.”