A cybersecurity task force recommended that the Trump administration move quickly to improve and reorganize oversight authorities, elevate the role of the White House cybersecurity coordinator and clarify the cyber defense roles of civilian and military agencies.
A cybersecurity task force that included members of Congress focused on the issue recommended that the Trump administration improve and reorganize oversight authorities, elevate the role of the White House cybersecurity coordinator and clarify the cyber defense roles of civilian and military agencies.
The task force was co-chaired by Rep. Michael McCaul (R-Texas), Sen. Sheldon Whitehouse (D-R.I.), former White House Senior Director of Cybersecurity Sameer Bhalotra as well as former Administrator of E-Government and Information Technology at the Office of Management and Budget and current transition team member Karen Evans.
McCaul serves as chairman of the House Homeland Security Committee, and Whitehouse is a ranking member of the Judiciary Subcommittee on Crime and Terrorism.
The recommendations in the report, released Jan. 5 by the Center for Strategic and International Studies, include policy, organizational and personnel proposals.
The report follows on the heels of the December report of the Commission on Enhancing National Cybersecurity, established by President Barack Obama in February. Two of its widest-ranging recommendations included the creation of an appointed post of assistant to the president for cybersecurity and the establishment of a new program to consolidate all civilian agencies' networks into a single network. CSIS's report included the first, but not the second.
One of the most contentious issues the task force considered, the report states, is the best approach for the protection of critical infrastructure.
In November, Trump laid out an agenda in which the Department of Defense would develop a "comprehensive plan to protect America's vital infrastructure from cyberattacks," an authority currently under DHS jurisdiction.
However, McCaul said that turning over these authorities to DOD would be a "grave mistake," and that this topic "has come up a lot in transition discussions."
"I don't believe the American people want to militarize our cyber defenses," he said. "We have civilian police officers, civilian FBI agents… We don't have the military walking through the streets… I think the same principle applies to cyber, in terms of needing a civilian agency to defend the nation's critical infrastructure."
McCaul added that to effectively fulfill this mission, DHS will need an independent operational component to carry out the specific mission of handling digital threats, rather than considering them a tangential focus.
In addition to elevating the White House cybersecurity post and establishing an independent cyber agency within DHS, the report put forward several organizational changes.
The report proposed the establishment of a Division of Data Protection within the Federal Trade Commission to strengthen consumer data security as well as the streamlining of agency committees, a responsibility that would fall to the Speaker of the House, the Senate majority leader and the Rules Committee.
Whitehouse also brought up the idea of a roving or independent oversight authority "across a wide array of civilian agencies" that would "stress test their security, rather than simply check off a minimum security checklist."
He also said that cyber incidents and the steps government is taking to mitigate threats need to be quickly relayed to the public to keep citizens informed.
"One obstacle to transparency is the culture of overclassification that pervades the executive branch," he said, suggesting Trump should designate a specific "cybersecurity discloser" position within the White House charged with reporting information to the public.
As far as specifics on which recommendations in the report would require legislative action, Whitehouse expressed uncertainty.
"I have not done a survey to see what can be accomplished by executive order versus what can be accomplished by legislative action," he said. "But clearly, there will be legislative action required."
Other recommendations in the report included the expansion of shared and cloud services, and efforts to build a robust IT workforce. To strengthen the tech pipeline, the report made the short-term recommendation to increase the number of visas granted and the long-term recommendation to allocate funds to DHS and the Department of Education to improve cybersecurity and STEM education.