Four senior cybersecurity officials are stepping down from their US government positions, raising concerns that an exodus of top leaders may make the federal government more vulnerable to hacking.
Two of those resigning – Sean Kelley, the chief information security officer for the Environmental Protection Agency, and Richard Staropoli, the chief information officer for the Department of Homeland Security – had been in their jobs for just a few months.
The other two, Rob Foster, the Navy's chief information officer, and Dave DeVries, the director of information security and privacy at the Office of Personnel Management, are departing agencies for which computer security is a top priority. DeVries assumed his job shortly after the OPM suffered the largest known cyberattack in federal government history, and Foster had served in similar positions at the Department of Health and Human Services and Immigration and Customs Enforcement.
Ann Dunkin, the CIO of the EPA under President Barack Obama who was asked to leave by Trump’s transition team and now holds the same title for Santa Clara County, California, told BuzzFeed News that four executives leaving in such a short time raised red flags.
“There appears to be a concerted effort to remove the career CIOs who were there during the Obama administration,” Dunkin said. “During the last week we’ve seen four go? That smells.”
There isn’t one apparent reason for the spate of departures, all of which were announced since last week. Kelley and Foster are taking jobs in the private sector, something that's not unusual for government cybersecurity officers seeking better pay, and DeVries is retiring, reportedly to spend more time with his family. The reason for Staropoli's sudden resignation Aug. 3, after just three months on the job, was not known. None of the four could be reached for comment on the record.
But one federal security executive who requested anonymity because he hadn't been authorized to speak to a reporter told BuzzFeed News that the large number of still unfilled vacancies seven months into Donald Trump's tenure likely influenced the departures.
“Acting personnel don't want to put staff through a lot of change that may not be in line with the permanent person's vision when they arrive. So that also contributes to employees reevaluating their options,” the executive said.
According to the Partnership for Public Service, a nonprofit group that pushes for government efficiency, Trump has appointed significantly fewer top federal employees than his recent predecessors. Out of more than 1,100 non-judicial government positions that require Senate confirmation, for example, Trump has only nominated 279.
The departure of key leaders can, in turn, trickle down to rank-and-file cybersecurity employees, said Jake Williams, a former Department of Defense analyst who left federal service to start his own cybersecurity company, Rendition Infosec.
“Every new CTO/CIO/etc. has their own special focus and initiatives that they like to push,” Williams told BuzzFeed News. “As a mid level/senior manager, three months in you're just starting to understand the direction they want to take and the new marching orders. Having to readjust to new directions a couple times a year creates absolute anarchy in an organization and leads to more people leaving. It's also bad for security since there is no coherent direction.”
Federal cybersecurity breaches can have devastating effects. When the OPM was hacked in 2015, the intruders, believed to be Chinese, accessed an estimated 21.5 million federal employees’ Social Security numbers as well as a database that contained government background checks for federal workers. A recent study from the Government Accountability Office found that OPM made moderate success in modernizing its cybersecurity under DeVries.
Trump, on the campaign trail, struggled to talk about cybersecurity, often referring to it as "the cyber" and saying in one debate that the "security aspect of cyber is very very tough, and maybe it's hardly doable." His executive order on cybersecurity, signed in May after several false starts, largely followed the recommendations made by Obama's staff just before his term finished.
As hard as the turmoil can be for government cybersecurity efforts, it’s hard to blame executives for taking better jobs outside of government, Williams said.
“The government simply doesn't move at the speed of cybersecurity. Attacks are evolving rapidly and information security leaders need the flexibility to innovate and react quickly to new threats,” he said.
“It's not surprising they are leaving. If they stay and suffer a breach on their watch, their chances of transitioning into a successful civilian career later are drastically reduced, whether the breach is their fault or not.”