What’s in store for Federal cybersecurity policy when the Trump administration takes charge in January?
While detailed policy roadmaps for cyber in the new administration are still under wraps, Gary Barlet – who is Public Sector CTO and Principal Solutions Architect at cloud security technology provider Illumio after logging nearly a decade as OIG chief information officer at the U.S. Postal Service – told us in an exclusive interview that he is looking for much of the current bedrock of cybersecurity policy to carry forward, but with an accelerated timeline for action and greater accountability for results.
MeriTalk: Gary, there’s a new administration coming into town in January, and while we don’t have any detailed plans in hand yet for Federal agency technology and cybersecurity priorities, how is Illumio looking at the changeover in administrations and how that might impact agency technology priorities?
Barlet: First of all, we are looking forward to working with the Trump administration and new agency leaders on the whole spectrum of technology and security goals that are vital to the government improving its abilities on both of those fronts. The incoming administration will be inheriting the results of a lot of hard work by agencies during the Biden administration to modernize their technology and improve cybersecurity through the ongoing zero trust security migrations.
MeriTalk: Are you expecting any changes coming in big-picture cybersecurity priorities?
Barlet: I think there are a few aspects to consider. Number one is that the first Trump administration took a very serious policy approach to security through the president’s Executive Order 13800 issued in May 2017 that aimed to strengthen the cybersecurity of Federal networks and critical infrastructure. That order focused on many of the key priorities that carried through the Biden administration as well, including modernizing Federal IT infrastructure, working to help state and local governments to protect critical infrastructure, and working more with allied nations on cybersecurity.
For the second Trump administration, I don’t think they are going to come in and say that cyber is not important. That just won’t be the case.
MeriTalk: Any changes in approach that you foresee?
Barlet: I think there’ll probably be some continuation of what’s happened under the Biden administration, but the new administration might take a slightly different tack. If you look at the recent announcements for nominees to run agencies, President-elect Trump in many cases is really going outside the mainstream, or the traditional lineup of people to run agencies.
It’s going to be very interesting to see what kind of people end up running some of the cybersecurity organizations in government. He may be tapping some people that are hard-core cyber folks in the private sector to come in and try to help impact the government.
MeriTalk: What’s a key change or two that some of the incoming people ought to be bringing to the table?
Barlet: What the Federal government really needs now is an accelerated effort to improve cybersecurity.
Everyone knows that by and large the Federal government lags behind the private sector in cybersecurity, and other capabilities driven by technology. There are a lot of reasons for that, and you can make all the excuses you want, but the fact of the matter is that when it comes to cyber, the government is lagging behind. It’s a very significant problem, and the problem is only growing, and as that happens the government is only lagging further behind.
What I am really hoping to see out of this new administration is a refocus not only on the problems, but also pushing harder for the right solutions. We’ve got to accelerate this process. We have to stop saying things like it’s going to take five years, or seven years, or ten years to get things done. There is no reason why government can’t get this stuff done faster. We’ve got to stop playing the long game, and we have to accelerate our efforts. I’m hoping that’s what we are going to see.
MeriTalk: What’s contributing to that slower progress, what needs to be dealt with to get that kind of acceleration?
Barlet: Whether that acceleration bears out may depend on a lot of things, but one of them is of course the funding to do it. You know, there’s no dedicated funding source for cybersecurity. Part of the reason why the government lags behind is they’ve got such a huge IT deficit. They’re constantly just trying to fill in the hole, much less build something better.
And there’s already some activity at least in the planning stages to shake up some of the Federal government’s spending priorities, and that could benefit security spending. With the appointment of Elon Musk and Vivek Ramaswamy to run the Department of Government Efficiency (DOGE) effort, there will be a focus on cutting waste and trying to make government more efficient. Does that free up funds to throw at cybersecurity, and try to tackle that IT deficit? I am optimistic that maybe that’s the path it will go down.
A lot of the proposed efforts to shake things up and break the status quo – I’m really hoping that’s going to carry over to cyber.
MeriTalk: How about a couple of very policy-oriented questions – does there need to be some kind of new cybersecurity executive order, or are we pointing in the right directions generally? And how about the migration to zero trust security that’s already underway?
Barlet: I don’t foresee a change in any of those existing mandates. Because they make sense. It’s kind of the direction industry is going anyway, and it makes sense for government to follow along on that same path.
What I am hoping for – if there is a new cybersecurity executive order – would be a little more emphasis on quicker timelines and accountability for getting the work done. We’ve been talking about implementing zero trust, and Federal agencies have made progress on that. But I would love to see an executive order come out that had a little more meat on the bone for implementation, and deadlines to go along with it, and some more accountability for that.
MeriTalk: I know we can’t speak for Congress, but any thoughts on the likelihood of more funding from lawmakers for cybersecurity? How does that message get through to Congress in maybe a more compelling way?
Barlet: That’s a great question and I’m not sure of the answer. There are changes coming in congressional leadership and we will have to wait and see what impact those have. But again, I am really hoping with this new wave of leadership in the White House that they are going to be able to communicate that we really have to fix our cybersecurity problems. We’ve got to fund that, and we’ve got to implement improvements rapidly. I’m hoping there’s a focus on helping Congress to see the light on that.
If the incoming administration were to make cybersecurity one of its top priorities, if it comes in and says we’ve got to stop messing around, then perhaps the Republicans controlling both the House and the Senate in January might offer up a relatively brief window to take a more aggressive direction on cybersecurity. There may be a window of opportunity for everyone to push hard on this priority.
And, of course, another factor on congressional appropriations is the timing of them. We may get some more certainty on FY2025 spending in December, or something more short term and then revisit full-year appropriations this spring. All of that would give agencies a very narrow window to spend a lot of money. There’s goodness there but also danger because when you’re trying to spend money in a hurry, you have to make a lot of quick decisions, and they are not always good ones.
MeriTalk: And then of course future events may shine a brighter light on the need for better security. SolarWinds and Colonial Pipeline were certainly factors in recent years that helped to inform policy like the Biden administration’s cybersecurity executive order.
Barlet: One of those kinds of events may have already occurred with Iranian efforts to attack the Trump campaign before the election. That may be one of those things that makes it clearer that this stuff is important, and you need to do a better job at it.
MeriTalk: As Illumio views the threat landscape, do you see any motivations changing on the part of attackers, or are those remaining the same for nation-state adversaries, ransomware actors, thieves, the usual suspects?
Barlet: Not too much, the big threats are still going to be the big threats. Russia, China, North Korea, and Iran are still going to be dangerous adversaries, ransomware attackers will still be looking to make money. Ransomware poses an interesting area to watch with the new administration. Are they going to do something along the lines of banning ransom payments, or something similar? We don’t know, but I don’t see ransomware attacks decreasing in the near term.
MeriTalk: How is Illumio looking to help government agencies in this next phase of government?
Barlet: From our perspective we are going to double down on trying to help government meet these mandates and put good cyber hygiene and protection in place, especially if there’s a renewed focus on it by the Trump administration. It’s really just going to be a strong focus on trying to help the government, especially as we start to see demand for acceleration.