But, the president said the bill could hold his communications 'hostage.'
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- US president Donald Trump signed the Modernizing Government Technology (MGT) Act, which could force the federal government to upgrade its IT systems.
- Congress wants Trump to create a strategy for offensive cyber attacks, or else they plan to pull funding for the White House Communications Agency.
On Tuesday, US president Donald Trump signed the 2018 National Defense Authorization Act (NDAA) into law, which contains a provision that could force the federal government to upgrade its out-of-date IT systems. The Modernizing Government Technology (MGT) Act was enacted as part of the NDAA, but it is facing some roadblocks from Congress.
The MGT Act creates a $500 million fund over the course of two years to be used for modernizing legacy IT systems. The US government currently spends about $80 billion a year on IT, and some estimate that 80% of that is spent solely on maintaining old systems.
As part of the MGT Act, agencies will also be able to bank savings from the fund to be used for future IT endeavors, if so needed.
Signing the MGT Act into law could be the "most incredibly powerful thing that Congress has done in a decade," according to Bob Gourley, co-founder of the cybersecurity consultancy Cognitio and former CTO of the Defense Intelligence Agency.
"The MGT law applies to all of government, not just DoD," Gourley said. "It establishes new methods and authorizations for modernizing IT that have not been in place before, and will result in more economical use of resources and much greater motivation to modernize. This will help reduce cybersecurity problems and will end up being very strategic for the nation."
The NDAA also contains a few important cybersecurity provisions. For starters, with the bill, Trump has officially banned the use of Kaspersky Lab software within the US government, based on fears that the Russia-based firm has ties to the Kremlin. The software was originally banned in September after a binding operational directive was issued by the US Department of Homeland Security (DHS).
The bill also contains a provision that requires the administration to create a policy for the use of offensive cyberattacks in response to future attacks perpetrated against a given party. Once the strategy is defined, it would need to be reported to Congress, per a provision in the bill, or Congress could withhold funding from the White House Communications Agency (WHCA).
Trump objected to the cybersecurity provision in a statement, arguing that "Congress should not hold hostage the President's ability to communicate in furtherance of the Nation's security and foreign policy." He also wrote in the statement that the provision "threatens to undermine the effective operation of the Executive Office of the President."
The provision for a policy that addresses cyberspace, cybersecurity, and cyber warfare is fairly controversial, Gourley said. While it's good to have such policies in place, he noted, "it seems unusual for Congress to be mandating this, and they also make it clear that if they don't get it then they will cut funding for White House communications. I'm no lawyer but seems to me that this is a constitutional/separation of powers issue."
Trump signed his delayed cybersecurity executive order back in May 2017, focusing on centralized IT and a move to the cloud. With the signing of the NDAA into law, there will likely be many more cyber initiatives coming from the White House over the next two years.