White House links innovation and cybersecurity

Rob Joyce NSA/WH 

White House cybersecurity coordinator Rob Joyce discussed how the coming cybersecurity executive order connects with the recently announced Office of American Innovation, led by Jared Kushner.

The White House is close to finalizing its long-awaited cyber executive order, and there are growing questions over how authorities for modernizing and securing federal IT will be split between the National Security Council and the new Office of American Innovation.

Rob Joyce, the White House cybersecurity coordinator delivered his first public remarks at the Georgetown Conference on Cyber Engagement on April 24, and he said the order is "close and nearby."

He indicated the timing of the release is less about finalizing the order than about finding the right news cycle opportunity, as a number of former officials have been speculating to FCW in recent weeks.

"I think the important focus on this is we want to make sure the cybersecurity EO emerges … in sequence with other things that the administration is rolling out so that we don't distract from other important messages that are out there," Joyce said.

In his remarks, Joyce ran through the same overarching administration priorities that homeland security advisor Tom Bossert outlined in a March address at the Center for International and Security Studies.

The primary focus of the administration when it comes to cybersecurity will be to protect federal IT infrastructure. That will involve modernizing systems and moving toward shared services and commercial solutions in an effort to raise the standards for smaller agencies that do not have the budget and workforce to focus on cybersecurity the way the Department of Defense does, Joyce said.

While that overall policy goal will be reflected in the EO, he said, it is looking more like the NSC will play a supporting role to Jared Kushner's new Office of American Innovation, which is charged in part with modernizing federal IT.

"I'm pleased to be a part of that so I get to participate in, my staff gets to participate in, those meetings," Joyce said. The emphasis on shared services, cloud and other technical reforms, he said, "means a refresh, [and] also means an opportunity to wire in from the ground up cybersecurity."

He said his team will work with Kushner's office to ensure cybersecurity is incorporated in modernization efforts from the beginning.

When asked by a reporter after his talk about whether IT modernization expenditures will be driven by the EO or the innovation office, Joyce said, "We'll make sure that those activities are closely aligned … it will be a little bit of both."

All of this connects with the administration's goal to enshrine a comprehensive enterprise risk management approach to federal IT. That will begin, Joyce said, with each agency conducting a comprehensive review of its IT architecture and infrastructure in order to get to a whole-of-government enterprise view.

The executive order will also make agency heads responsible for cybersecurity at their agencies. Joyce stopped short of saying that cabinet secretaries could be fired if their agencies experience any breaches going forward.

"The idea that they get called for not doing the right thing and held accountable by the president should be a strong message," he said.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

Nominate Today!

Nominations for the 2018 Federal 100 Awards are now being accepted, and are due by Dec. 23. 


Reader comments

Mon, Apr 24, 2017 Michael DeKort Pittsburgh

Privileged Account Security – The Giant Dirty Secret and massive hole in most organizations cybersecurity. Why isn't it being addressed? Lack of Courage.

The overwhelming majority of companies and government organizations are avoiding the most critical cyber-security practice of all. Dealing with privileged account security. It’s the biggest dirty secret in cybersecurity. Which is extremely unfortunate because virtually every hack on record was accomplished by someone gaining access to a privileged account then moving through the system. This usually occurs due to a successful phishing expedition. (Of which 22% are successful. Keep in mind only one is needed).
Of the small fraction of companies that even deal with this area only 1% of them actually use the products they purchase properly. Said differently – even if a CISO is buying the right things they are not using most of what you paid for. And in most cases they either have no plan to actually use critical features like Password Management, Session Management and Access Monitoring, or are moving so slow it will decades to finish. This puts everyone at risk.

Here is how bad things are. CMU CERT is the premier authority on cyber-security best practices. Especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security and they have no solution in this area. Shouldn't the organization responsible for telling others what best practice is use best practices for its own security?

Why is this happening? These products inadvertently expose several huge best practice gaps. Examples include having 4X more accounts than people, non-encrypted password files or spreadsheets, emails with passwords and software programs with passwords hard coded in them and many not knowing where they all are. Why don't these folks address this? Because it means pushing the culture to change bad habits and admit to their executives and boards they even existed in the first place. Governing bodies and regulators mean well but they don’t help much. This is because the relevant regulations, SOC, HiTrust etc are too trusting and don’t specify enough detail. This gives organizations far too much room to wiggle. This all results in most companies and organizations not utilizing best practices or readily available of off the shelf products that can significantly reduce the threat.
This is not a technical issue. It's one of Courage. Courage to admit the root causes exist, To deal with the culture and lead them to fix them. To not sacrifice customers to protect egos or let the bean counters justify it's cheaper to harm customers than the bottom line.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group