Policy

Commission trying not to drop cyber ball during transition

President Barack Obama’s Commission on Enhancing National Cybersecurity, which met Monday in New York, is an important way the administration is trying to ensure that hackers can’t slip through any cracks in the transition process next year.

By Shaun Waterman

May 16, 2016

“The commission allows you to say: ‘Here are the views of [the stakeholders] this administration trusted on this issue,’” said Ari Schwartz, a former White House National Security Council cyber official.

Schwartz, now at Washington white-shoe law firm Venable, told FedScoop in an interview Monday that he believed the commission would lay out an effective blueprint for President Barack Obama’s successor to follow. “It’s a way of ensuring the incoming administration knows what [the outgoing administration’s] thinking was,” he said.

Schwartz added that a big problem was the issue of legacy IT — some of which is too old to be secured properly.

“How do agencies transition to new systems? That’s a question the administration has put a lot of effort into, post Healthcare.gov,” he said, referring to the disastrous rollout of the website associated with the Affordable Care Act.

He said the administration’s proposed $3.1 billion revolving modernization fund, recharged each cycle with the savings made from past upgrades, would be a good solution “if Congress lets them do it.”

Democratic House Whip Rep. Steny Hoyer from Delaware has proposed legislation to enact the proposed modernization fund, which would be overseen by a special panel of officials, but its future in a GOP-controlled Congress already roiled with budget fights is highly uncertain.

If that doesn’t happen, Schwartz added, the next administration will “have to find a viable way to do that [modernization] the second they get in.” Delay could mean vulnerabilities — like those that led to the huge OPM breach — would worsen.

National security experts have long fretted that drawn out transitions, with key security posts empty or filled with career officials “acting up” while candidates are being confirmed, represent a significant danger point for the U.S.

Schwartz said that when the Obama administration came to power, its predecessors under President George W. Bush were in the midst of a major push on cybersecurity — the Comprehensive National Cybersecurity Initiative, or CNCI.

The incoming President Obama, concerned about a worsening cybersecurity situation, immediately ordered a 60-day review of U.S. government cyber policy.

“Melissa Hathaway, who ran CNCI [for the Bush administration] stayed on and … headed the 60-day review,” said Schwartz, adding that such continuity was important to ensure no balls were dropped during the transition.