From the Q&A with a White House official about cyber executive order expected today. This is not the complete transcript, but covers the waterfront...
Won't it cost a lot of money to upgrade government-wide?
The idea here is to ask the government to, in a responsible fashion, come back and provide a methodology working with Congress for the appropriate budget funding to modernize that IT. It will cost money over time, but so would maintaining very old and difficult to defend networks and software.
I'm not prepared right now to call on Congress to do anything but I think it's fair to say that Congress will be a key partner on this, especially modernization of IT. ... I would anticipate others outside the building noting that there will be a cost to the modernization of IT. In addition to it being a key component to cybersecurity and to any risk management plan to put new, modern and defensible systems in place, I believe we can make a strong case for it also being a long term cost-efficiency.
Does internet language impact net neutrality?
It's not intended to have a specific reference to that issue. It's simply intended to note that if any others, foreign adversaries, governments or individuals, are seeking to undermine the reliability of the internet itself, corrupting data, corrupting critical infrastructure, sabotaging those things, the federal government or otherwise in the critical infrastructure realm, that we need to thwart, deter and defend those efforts because if we don't the Internet could become unreliable itself, and that would be an unfortunate outcome for us and our western allies. ... It is meant to be inferred that we are eager to continue working with our allies who share the same worldview of how the Internet should be open, free and protected.
Anything in initial assessment by administration -- glaring gaps?
I don't think it's fair to say we've been in office long enough to do a complete assessment of that. ... The methodology of this was to look through all the commission reports and other external reports, including the Donilon and Palmisano report that came out under President Obama's tenure. We have taken some of those recommendations. You will see that, for instance, requiring the use of the NIST framework is something that was recommended in that commission. It's a bipartisan issue, it's something we believe is a good recommendation and you'll see President Trump directing it in his order.
... Agency heads are already obliged to manage their risk, which includes assessing it, which includes main determinations on what risk they're willing to accept. What risk they're not willing to accept. How they will address that risk and manage it. This is not new, that's a requirement. What we're doing moving forward is attempting to make agency heads aware that they have a deep responsibility here as opposed to delegating it down to their CIOs or more subordinate junior staff. We want them to stay on top of it and we believe that President Trump's cabinet will do so.
Main differences between what happened before and the future?
A number of these recommendations have been made by CSIS, in 2009, and again by President Obama's commission led by Tom Donilon and Sam Palmisano again in 2016. So the changes are in management philosophy, in enterprise risk management, and modernizing federal IT. Not that that's something previous presidents haven't tried, but President Trump has a plan for accomplishing it.
New on critical infrastructure?
The electric grid is an example. We look to in this executive order, ask the secretary of homeland security and others to continue to work with those sector representatives, owners, and operators many of whom are private and not government and cannot be directed, to provide whatever resources we can to help them protect their systems. We also direct our government to prepare for the unfortunate and hopefully small potentiality of an electric grid disruption.
... There won't be an immediate action starting tomorrow that might have some implication to operations. This will be an announcement of a path forward of steps we're going to take to try to continue to improve and better improve our federal networks. Also our critical infrastructure.
Lastly, you'll see the opportunity for his cabinet to provide report recommendations on how to deter those nation-states and others whoever the biggest threats may be, from doing things that would essentially undermine our free and open internet. I don't think it's the intent for instance of the United States to enter into highly restrictive internet controls as we've seen in other foreign nations.
Anything in NIST framework that would have to happen that's not happening now?
We will find that out when each agency head receives a) the direction to use it, and b) is forced to provide us a report how they have or have not accepted and mitigated the risk.
So it's possible they're already doing what's required?
It is possible.