Tony Scott’s plan for restoring confidence in federal cybersecurity
Americans’ confidence in the government’s ability to protect national secrets — including personally identifiable information — may be at an all-time low in the aftermath of the recent massive data breach at the Office of Personnel Management. But Tony Scott, the nation’s chief information officer, has a plan to restore that confidence and radically improve the nation’s cybersecurity.
“I don’t know about you, but my angst level on this has gone way up over the last couple of years,” Scott said, speaking to more than 1,100 attendees Wednesday at the Brocade Federal Forum in Washington, D.C. “I don’t think the problem is lack of ideas; I think the problem is lack of implementation. This is our most important mission today [and] we’ve got to do a lot more and we have to do it a lot sooner than what we’re currently on a trajectory to do.”
Although he did not mention or discuss the OPM hack, Scott said one of the biggest security challenges facing government is trying to protect old and outdated IT infrastructure and systems. He likened the process to trying to install air bags in a 1965 Ford Mustang — a not impossible but technically difficult thing to do correctly.
“Fundamentally, at the end of the day, what we have to do is just replace a lot of what we have with much more modern architecture, much more modern concepts of networking, storage and cloud,” Scott said. “So that has to be our most important agenda.”
Replacing the government’s outdated technology certainly won’t happen overnight and is a costly proposition — but it’s one that Scott and many other federal IT officials said is absolutely necessary. But Scott said he expects the percentage of IT spending dedicated to security will likely increase steadily during the next couple of years. “I would expect that that [trend] line is going to take a curve up again as we make investments that have, frankly, been neglected over a 20 or 30 year period of time,” he said. “And we have to do it in a way that has the right set of analytics and data-driven decision making that is important for the success of any enterprise and just the right amount of oversight as well.”
Read: What 40 years of working with data has taught Tony Scott – From theme parks and cars to pharmaceuticals and government agencies, U.S. CIO Tony Scott has seen the ways big data can revolutionize an enterprise.
Improving security in the right way means enforcing some basic processes, according to Scott. And some of those processes and protections that agencies have neglected may have played important roles in some of the recent high-profile data breaches, including the latest at OPM.
“Everything we do should be two-factor enabled, from networks to applications to servers and so on. We need end-to-end security in anything that we do,” Scott said. “Things like two-factor authentication are really important. Things like patching, things like making sure we’re minimizing the number of system administrators and making sure that people with elevated access are also using two-factor [authentication] are some of the key things,” he said. “It’s really important each day we wake up and focus on making our nation’s cybersecurity better.”
Scott called on agencies to refocus on their risk management approach to cybersecurity. “A lot of the money that we’ve spent so far has been on technologies that try to prevent bad things from happening. All of that is necessary and needed but not sufficient,” he said. “Some of the things that I think we’ve got to get better at are things like detecting quickly when something has gone wrong [and] isolating, responding and remediating very quickly.”
The new cybersecurity landscape is one that values speed to market above all else, Scott acknowledged. “My measure of success is speed to market,” he said. “In today’s world, speed means everything.”
Scott’s first response to the uptick in cybersecurity threats targeting the federal government has been forming a 30-day sprint team to study existing security policies, resources and agency priorities. “It won’t be a panacea for everything, but my hope is it will dramatically accelerate our progress,” he said in an interview with FedScoop.
Richard McKinney, CIO at the Transportation Department, told FedScoop there’s a growing awareness in the federal government that existing security efforts — smart authentication, trusted Internet connections, continuous monitoring, perimeter defenses — are not enough and more can be done. “I think you’re going to see a shift to understanding what our high value assets are and how to lock that stuff down. I think we’re going to work from the supposition that bad guys will get in. Let’s double-down on understanding our high value assets,” he said.
Scott agreed. “The reality is you’ve been hacked and you either know it or you don’t know it,” he said, echoing a growing trend in federal IT circles that more effort needs to be put into cybersecurity intelligence.
“I think our approach to this is rapidly maturing,” McKinney said. And encryption will play a fundamental role in the future. There is no reason government should not be encrypting data at rest, he said.
Scott, however, acknowledged the difficulties of deploying encryption on systems and applications that are decades old and, in many cases, highly customized. “The other sort of unspoken problem is that in the federal government, there was a trend for a long time to take operating systems and customize them very, very heavily to the point where you couldn’t take patches or upgrades, and couldn’t take advantage of some of the newer modern technologies,” Scott said. “In essence, you were frozen in time wherever you were, and then that locked you out of being able to do a lot of things.”
McKinney said he believes government will eventually get to the point where encryption is commonplace. “To break into a server that stores encrypted data is to have nothing,” he said. “I think the tools to remedy this are right at our fingertips. We just need to act.”