The Trump administration is leaving many top technology jobs across government vacant, raising concerns about the security and maintenance of federal computer systems in the wake of an election where hacks dominated the headlines. The White House’s own cybersecurity practices are another source of concern, say experts.
Of the nine agency-level Chief Information Officer (or CIO) roles that are politically appointed, only one is currently filled — and that top tech slot is occupied by a holdover from the Obama administration.
The Federal CIO and Federal Chief Information Security Officer (or CISO) jobs are also vacant, as is the White House CISO gig.
“These are critical roles in terms of shepherding any sort of policy towards cyber and technology across the government,” said Paul Innella, the President of cybersecurity consulting firm TDI.
Leaving the jobs unfilled “doesn’t send a good message” about the new administration’s commitment to keeping its systems safe, according to Innella.
“It begs the question, who is guarding this?” he said.
A CIO’s job varies from agency to agency and is “broad and challenging,” according to a report released by the government’s CIO Council just before the inauguration. A CIO is charged with covering everything from securing systems against hackers to maintaining (and replacing) legacy computer systems.
Roughly a third of the CIO Council’s members are political appointees, the report noted. The tech chiefs at major agencies, including the Department of Homeland Security, Department of Energy, and the Veterans Affairs Department, are among that group. Only one of the jobs, the Environmental Protection Agency CIO, requires Senate confirmation, according to a 2016 Congressional Research Service report. The EPA’s CIO also serves as the agency’s Assistant Administrator for Environmental Information.
In agencies where CIOs are not political appointees, the role is generally filled by a career civil servant. Similarly, career officials have stepped into acting CIO roles in the agencies awaiting the administration’s plans, according to the website listing members of the government’s CIO Council. Federal Deputy Chief Information Officer Margie Graves is also serving as the acting Federal CIO after the departure of former CIO Tony Scott as part of the transition.
Scott, a Microsoft and Disney vet, spearheaded plans to improve government cybersecurity in the wake of the massive data breach at the Office of Personnel Management revealed in 2015. Part of those plans included the creation of a government-wide Chief Information Security Officer. Retired Brig. Gen. Gregory Touhill stepped into that role last September, but also departed during the transition after just four months on the job. It is unclear if anyone has assumed his duties or if there are plans for a replacement.
On the agency side, Rob Klopp was asked to stay on as CIO for the Social Security Administration and agreed to do so “for at least the next few months,” he told FCW shortly after the Inauguration. The other eight politically appointed agency CIOs left in the lead-up to the transition, FedScoop reported in January, with the exception of Defense Department tech chief Terry Halvorsen, who retired at the end of February.
White House Chief Information Security Officer Cory Louie left the administration in early February, as previously reported by ZDNet and confirmed by a person familiar with the White House’s digital operations who requested anonymity because they were not authorized to comment.
IT contracting executive Chris Herndon is now serving as Director of White House Information Technology, according to this source and Herndon’s own LinkedIn profile. One of Herndon’s deputies has taken on many of Louie’s responsibilities, but not the White House CISO title, the source said.
When asked for comment about Herndon as well as the remaining top-level federal and agency tech vacancies, a White House spokesperson said it would let this reporter know when the administration has “any official announcements.”
The government has long struggled to recruit technical talent, a problem highlighted by the CIO Council’s January report. In many cases, when CIOs found well-qualified candidates for cybersecurity jobs, “those candidates ended up taking other jobs — often in the private sector,” according to the report. The report attributed the recruitment issues to the long, confusing government hiring process and an inability to compete with private-sector salaries.
Recruitment may be even more difficult for the Trump administration because of its strained relationship with Silicon Valley, according to Kenneth White, a security researcher and the director of the Open Crypto Audit Project.
“Pick your top tech companies — who is going to take a two year sabbatical to go join this administration?” he asked.
But without strong tech leadership in those roles, White worries that progress towards modernizing government systems made during the Obama administration might regress.
“It’s crucial the government keep pushing forward,” he said.
Industry observers have also been rattled by reports highlighting poor digital hygiene by President Trump and other members of his administration, as well as the abrupt delay of a much-hyped Executive Order on cybersecurity in January.
“We’re kind of waiting for what’s going to happen,” Innella said. “From a broader technology perspective, it doesn’t seem like it’s a high priority for the administration.”
Meanwhile, the New York Times reported in January that Trump continued to use an outdated and unsecured Android phone after his inauguration. More recently, the Indianapolis Star reported that Vice President Mike Pence used a personal AOL email to conduct state business while he was the governor of Indiana. And that email account was hacked last summer, according to the Star.
After he was hacked, Pence set up another AOL account, the Star reported.
A major line of attack by the Trump campaign focused on Hillary Clinton’s use of a private email system while serving as Secretary of State. The FBI said its investigation of Clinton’s email use did not find evidence that her account was hacked.
Hackers did break into accounts belonging to Democratic Party organizations and operatives — and stolen emails were later published by WikiLeaks. In January, the Office of the Director of National Intelligence released a report that concluded with “high confidence” that the hacks were part of an “influence campaign” ordered by Russian President Vladimir Putin.
Contacts between Trump campaign officials — as well as Trump himself — and Russian operatives have drawn intense scrutiny in recent weeks.