United States President Donald Trump has yet to replace two key cybersecurity positions: Chief Information Officer (CIO) and Chief Information Security Officer (CISO). These two positions, as you can imagine, are key to maintaining and advancing cybersecurity throughout not only the United States government, but its citizens as well.
We’re not here to make any political stances—let’s make that clear. We’re merely here to inform those interested in White House cybersecurity of a potential problem.
Under the previous administration, the CIO position was held by Tony Scott who, as praised by his peers in a petition to keep him during the next administration, was pretty good at it.
President Trump, however, did not bring back Scott.
It’s been over a month and neither position has been filled, despite not needing a Senate vote to confirm.
Margie Graves is currently acting as CIO but no permanent plans to keep her there have been in the works, which is a little concerning to be sure.
Scott seems to be a little worried as well, telling Passcode:
“It’s kind of like stopping maintenance in the apartment you own. You can stop painting walls or stop replacing the water heater. You can bring a lot of money to the bottom line if you stop spending. But if we instead replaced and ran modern platforms, if we invested in the right places, we can save up to half in maintenance—around $30 billion per year.”
With no permanent plans for Graves, it’s difficult to imagine she would enact any lasting policy on the matter.
This “vacuum” makes it much more difficult for the U.S. government to update its IT infrastructure (an $85 billion per year venture), increasing the likelihood of a cyberattack or breach.
The position of Chief Information Security Officer is a little more murky. Cory Louie was either fired or resigned a few weeks into Trump’s presidency. He was reportedly escorted from his office but there has been no comment from the White House on the matter.
The position of CISO is in charge of the government’s internal cybersecurity. The specifics are unclear, obviously, but it’s assumed that Louie was in charge of all networked communications and data security inside the White House.
This would include, as you would imagine, the phone used by the President. Trump was given a locked-down “impenetrable” phone, like the one used by his predecessor, but it’s widely known that he still uses his outdated Samsung phone to tweet, among other things.
This would most likely drive a CISO mad.
Louie was different than Scott, former Federal CISO Gregory Touhill, and White House IT Director David Recordon who all resigned when former President Obama left office. Louie remained. Until he didn’t.
The Trump administration hasn’t been totally silent on the cybersecurity front, however. Before his inauguration, Trump appointed former New York City Mayor Rudy Giuliani as his cybersecurity advisor. Peter Thiel (founder of PayPal) is also along for the ride as a technology confidant. Neither has said much of anything regarding White House cybersecurity, or cybersecurity in general.
Giuliani was a curious choice. As cybersecurity advisor, he would be tasked with informing the President and his constituents on matters of the most sophisticated cyber-criminals and cyber-crimes, foreign and domestic.
Giuliani, however, is not even able to protect his own website (his SSL certificate was expired).
Chrome sums up Giuliani’s ability as a security advisor https://t.co/b8JUYuMhYD pic.twitter.com/no6yGXHEbs
— maxwell ogden (@denormalize) January 13, 2017
The CNBC reporter who made the discovery said of the matter:
“This is really, really, really basic—it barely even qualifies as security. Those files give you all the information you need to do nefarious things. This is horrifying. This organization that bills itself as a security company has taken zero time to harden its own website.”
While perhaps a little dramatic, it’s still concerning that the nation’s top cybersecurity advisor isn’t using an encrypted connection on his own website.
President Trump was supposed to sign an executive order on cybersecurity in late January, but instead the administration cancelled those plans. The President said the order would “hold [his] Cabinet secretaries and agency heads accountable, totally accountable for the cybersecurity of their organizations which we probably don’t have as much, certainly not as much as we need. We must protect federal networks and data.”
More recently, the cybersecurity executive order has new legs (2,200 words of legs) in which the reports are as follows:
This executive order seems a bit different from Trump’s cybersecurity plan during his campaign:
“The United States must possess unquestioned capacity to launch crippling counter-cyberattacks. This is the warfare of the future… America’s dominance in this arena must be unquestioned and today, it’s totally questioned.”
Granted, the administration and its cybersecurity plans are still in their infancy, but the shakiness of the whole operation gives us enough to be concerned about the future of cybersecurity in the United States.
Along with the above quote, Trump’s campaign plan for cybersecurity was: “Develop the offensive cyber capabilities we need to deter attacks by both state and non-state and, if necessary, to respond appropriately.”
Maybe we should start by hiring those two crucial positions?