As President Donald Trump postponed signing an executive order on cybersecurity Tuesday, data security experts expressed skepticism over one provision to centralize the executive branch’s cybersecurity management under the Office of Management and Budget.
It is not clear whether the OMB language will remain in the final version, but some data security analysts interviewed by Morning Consult on Tuesday say it needs to change.
“This kind of thing needs to be run by people who are experts in the field, not necessarily experts in management,” said Bruce deGrazia, a former Defense Department official and the current cybersecurity program chairman at the University of Maryland University College.
“This is not something that is new to this administration,” deGrazia said, noting that OMB was given a key role in coordinating federal cybersecurity by President Barack Obama. He called that a “mistake.”
Following a meeting between Trump and cybersecurity experts on Tuesday afternoon, the White House canceled a previously scheduled signing ceremony without explanation. A White House aide did not immediately respond to questions about the reason or the rescheduling of the executive order’s release.
Ahead of the planned event, a senior White House official told the press pool that the order would direct the OMB director “to assess and manage the collective risk of the federal executive branch.”
“What we’re asking now is for the OMB director to run an effort, or to lead an effort, to then assess the enterprise risk to the entire federal government,” the official said, according to the pool report. The official added that agency heads would report cybersecurity risks to OMB and seek assistance in managing those risks.
A former official at the Department of Homeland Security, who spoke to Morning Consult on the condition of anonymity, said the OMB doesn’t have a staff of cybersecurity experts. “Who is going to set these cybersecurity standards?” the ex-official asked.
The ex-official said each federal agency has markedly different risks, which makes a more centralized approach to risk management difficult to implement.
Other security professionals said a centralized cybersecurity structure would work only if individual agencies retain responsibility for their own information technology. “It is a good idea to centralize information security governance, but accountability must reside with the agencies at the highest level,” said Dave Weinstein, the chief technology officer for New Jersey. “Cybersecurity is not exactly a core competency of OMB.”
Max Everett, a cybersecurity consultant and former White House chief information officer, said there must be a “fundamental recognition” at OMB about the diverging requirements for each department.
“It’s a valid concern to say that the security risks and concerns for the Department of Interior are very different than the Department of State,” Everett said. But he also noted that an OMB-centralized structure could cut down on duplicative purchases and increase efficiency.
The new management system planned under the draft executive order would place the onus on agency heads to assess and manage cybersecurity risk, “as opposed to delegating it down to their CIOs or more subordinate junior staff,” the White House official said.
It is not clear whether that system will be in the final version, but cybersecurity experts were more positive about that aspect. “Both private sector companies and government agencies who have suffered cyberattacks in recent years, at the end of the day, the senior executive agencies in recent years are responsible for that,” said Everett. “In some sense, it’s sort of a recognition of what we already know.”