Exclusive

Federal CIO Tony Scott backs OPM approach to cyber fixes

Federal Chief Information Officer Tony Scott wants the bandwagon of lawmakers to slow down and reconsider their calls for Office of Personnel Management Director Katherine Archuleta and CIO Donna Seymour to resign.

Scott said it would be a bad decision for OPM, the government and especially all those impacted by the massive data breach for Archuleta and Seymour to leave government anytime soon.

“If you look at various points of time and when things really started to change in OPM, it’s when Director Archuleta and Donna Seymour came in. They’ve driven more change, more quickly both from a governance model from putting in the right tools and technology, and from a leadership perspective than anyone ever did before them,” Scott said in an exclusive interview with Federal News Radio. “It’s unfortunate that all of these things have happened. I think as we pointed out in a number of hearings, it was the very fact that they were putting in the right tools, organized the right way and did these other things that these breaches were discovered. But for that activity, we might still be sitting here fat, dumb and happy and thinking that everything was great. We’d be getting IG reports that everyone would ignore and all of those old behaviors that we really have to work hard to move forward on.”

Witnesses, from left, Office of Personnel Management (OPM) Director Katherine Archuleta; OPM Chief Information Officer Tony Scott; Assistant Secretary of Office of Cybersecurity and Communications National Protection and Programs Directorate at the Department of Homeland Security Andy Ozment, and OPM Inspector General Patrick E. McFarland, testify on Capitol Hill in Washington, Thursday, June 25, 2015, before the Senate Homeland Security and Governmental Affairs Committee hearing on federal Cybersecurity and the OPM Data Breach. (AP Photo/Susan Walsh)

He said he understands the severity and incredible impact this breach is having on current and former federal employees, and personally feels horrible that the data loss happened.

“At the same time, what it does is strengthen my resolve to go after these things in the most deliberate and diligent way that we can, and I really feel strongly that not only my office, but across the rest of the federal government, that we have to be very focused on taking action and making sure we do everything in our power to make sure these kinds of things can’t happen in the future,” said Scott, who joined the government in February.


Scott’s confidence in Archuleta and Seymour comes as more and more lawmakers are calling for their dismissal.

Joining Rep. Jason Chaffetz (R-Utah), chairman of the Oversight and Government Reform Committee, is his counterpart in the Senate, Ron Johnson (R-Wis.), chairman of the Homeland Security and Governmental Affairs Committee, who said he is surprised that Archuleta continues to be OPM’s director.

“I never would’ve appointed her,” Johnson said, after the committee’s hearing on the massive data breach Thursday. “She’s a very nice person, maybe qualified for other things, I don’t think she’s qualified for this position. It’s a sad reality.”

Johnson voted against Archuleta’s confirmation back in October 2013. The Senate approved her 62-35.

While Chaffetz, Johnson and several others said President Barack Obama needs to make a change, it doesn’t seem likely to happen, at least in the near future.

White House Press Secretary Josh Earnest said June 24 that Obama “continues to believe that she’s the right person for the job.”

Blame game isn’t smart

Thursday’s hearing — the third of the week — followed a similar path as the three previous ones on two cyber breaches impacting anywhere from 4 million to as many as 32 million current and former federal employees, congressional staff and members and their families.

Several committee members wanted to place the blame on Archuleta and her staff for not fixing the long-standing cyber problems.

But Scott compared the lawmakers’ actions over the last week to blaming the firefighters for the blaze and not the fire starters.

“I’ve spent time on the ground with the teams that are in OPM doing the work, both from DHS and the OPM teams. They are working really, really hard and doing the right things,” he said at the hearing. “I’ve talked to them about the leadership they are getting from both Director Archuleta and Donna Seymour, and they tell me they are very, very supportive of the efforts and leadership they see there.”

Sen. Cory Booker (D-N.J.) asked Scott whether, based on his private sector experience, Archuleta was the right person for the job.

“Yes sir, and I’ve been impressed with the deployment of the additional tools,” Scott said. “The work that’s going on at OPM right now would serve as a template and model for work other agencies would need to do as well. We are learning on this across the federal government. We have to learn from this and we have to be much faster as a federal government in responding to what is a very rising and fast rising and fast morphing set of threats. This is not a small challenge.”

After the hearing, Scott said the challenge OPM and the entire federal government faces is similar to the one the private sector must deal with daily.

“There’s been kind of a rising of the water levels, if you will, in terms of the size, scope of impact of these things. In some ways it’s to be expected, and yet I don’t think we should take it lightly,” he said. “As a CIO in the private sector, I used to host summits of CIOs of very large institutions, and what I saw was that every year for the past several years an increasing amount of a CIO’s time was spent on cybersecurity. It’s the kind of thing every board of directors, every audit committee would talk about. Now at every single audit committee meeting, at nearly every board meeting this was a topic of conversations. This is the issue of our time in some cases and it’s not exclusive to the federal government.”

Private sector similarities

Over his first 100 days as the federal CIO, Scott said he sees several parallels between the government and the private sector. The most obvious one, he said, is the correlation between good governance models and strong cybersecurity.

“The reason these are related is with good governance you can properly assess what are our high-valued assets, what are we trying to protect, what is our risk tolerance for exposure or potential exposure of those things, and then you can craft a plan that is appropriate to that posture and profile,” he said. “I think the same thing is true for the federal government. You have to have a good governance model in place where the right conversation can take place between the CIO and the other people in the agency, the deputy secretary, the secretary and so on, and then you create the cyber defense plan for the risks that you face.”

These similarities are one major reason why Scott is excited about the Federal IT Acquisition Reform Act (FITARA). He said the law helps agencies establish that good governance model so they can better secure their networks and systems.

Scott emphasized that government and industry are facing a much more aggressive adversary using advanced tools and techniques to break into networks to steal data.

He said the evolution of cyber attacks calls for a corresponding response on the government and industry’s part.

That is where the Homeland Security Department plays a larger role. OPM discovered both data breaches with the help of advanced tools deployed through DHS’s EINSTEIN program.

DHS is expediting the implementation of EINSTEIN across the civilian agencies. DHS says the latest iteration of its EINSTEIN program, known as 3A, is up and running for about 45 percent of the government – 20 percent more than nine months ago. E3A has the capability to stop malicious network traffic automatically and in real time.

Authorizing legislation needed

But Scott said E3A isn’t a panacea by any means, and he’s not sure lawmakers and others understand just what the software is supposed to do.

“There’s criticism of this tool or of that tool, and I think it reflects a basic misunderstanding of what those tools were intended to do and what they are good at. You don’t put in a screw with a hammer and you don’t use a saw to paint things. They are just the wrong tool for the job,” he said. “In this case, EINSTEIN has a purpose and it has served us well for the purposes it was intended. We are enhancing that tool to include additional capabilities, but it will never be the end-all, be-all. It has to be used with other tools, and our emphasis has to be on making sure we have all the right tools in the toolbox, defense in depth and the capability to detect, isolate, contain and respond.”

Andy Ozment, DHS’s assistant secretary for the Office of Cybersecurity and Communications, told Senate lawmakers Thursday that Congress should pass authorizing legislation for EINSTEIN.

“One of our impediments has been that some agencies are concerned that existing legislation impedes their ability to work with us on EINSTEIN, so your clarification of that would greatly be appreciated,” he said.

The Homeland Security and Governmental Affairs Committee was scheduled to review the EINSTEIN Act of 2015 on Wednesday, but privacy concerns tabled the bill and Johnson said he would work with DHS and other experts to improve the bill.

Scott said he asked about the status of EINSTEIN 3A at the first CIO Council meeting he attended.

“I heard some legitimate concerns from CIOs that had to do with challenges with certain ISPs and other implementation details,” he said. “We immediately formed a small subgroup to work on those issues and they have been working away at those ever since. I think they are getting pretty close to getting most of the roadblocks resolved.”
