About a dozen federal chief information officers took a trip to the West Coast about a month ago to better understand how large companies are overcoming technology challenges similar to those of the federal government.
Tony Scott, the federal CIO, led the fact finding tour. Scott said there were many goals of the trip, including discussing with some of the largest cloud computing vendors the current and future security needs of the government, such as scalable Web services.
But what Scott and the other federal CIOs also talked about was both the opportunity and necessity to evolve the way agencies define their system needs.
“We’re at a critical inflection point in the IT industry as a whole. Not just because of cybersecurity, but it’s sort of a big drive for it, we have to make investment and we have to really start moving off some of these older constructs and doing it with some sense of urgency,” Scott said in an exclusive interview with Federal News Radio.
“OPM has a plan to do that in their space. In many ways, they are ahead of where other agencies are. What troubles me is that in some of these public forums we’re yelling at what I call the firefighters today, the people who are actually leading the charge, versus the people who actually contributed to the problem early on. I want to reward good behavior and good practice when I see it. You can nitpick around the edges on a bunch of things and no one wants to have a crisis like has happened at the Office of Personnel Management. But the real tragedy is if we don’t learn from it and move forward, then we should be really criticized. That’s my goal, take every bit of learning that we have and then move forward as quickly as we can.”
The challenge of archaic systems is not new for the government. The annual federal CIO Survey by Grant Thornton and the Professional Services Council found that respondents still spend about 75 percent of their budgets maintaining older systems and only 25 percent on development, modernization or enhancement (DME) efforts. While the amount spent on operations and maintenance (O&M) has dropped 10 percent over the last two years, CIOs say moving to a better ratio is a long-haul challenge.
The O&M-versus-DME imbalance is not new by any means. Agencies have struggled with it for decades, and it is one of many reasons OPM suffered a massive data breach.
While tools such as PortfolioStat have helped nudge spending toward DME, and thus toward better security, Scott said some basic pieces of the cybersecurity plan have been put off for too long because of a presumed lack of funding.
Scott: 30-day cyber sprint will address overdue fixes
Scott said his recently announced 30-day cyber sprint aims to begin addressing many of the basic fixes that should have been done years ago.
Scott said the 30-day sprint should be thought of in two ways.
“The first is in the next 30 days we know there is a set of things we can do that will fairly dramatically improve our security profile,” he said. “These are the things like two-factor authentication, patching, minimizing the number of system administrators that you have and so on. What I wanted to do there is really create a sense of urgency to go after these basic things that we should just have almost a zero-tolerance policy for exceptions on. I think it’s realistic that we will make really big progress on that in the next 30 days given the direct focus we have. Every agency head and every CIO of the major agencies has gotten the message, and they are working hard on it.”
The second way agencies and others should view the 30-day cyber sprint is as a chance to learn from the OPM breach and other recent successful cyber attacks, and to make short- and long-term improvements to federal cyber policies and practices.
Scott said the goal is to raise the level of the government’s responsiveness to the ever-growing cyber challenges every organization faces.
“In the Defense world, you talk about offense and defense with cyber, but there is another way of thinking about this. An awful lot of money, resources and technology have been focused in the past on just blocking bad stuff from happening, and it’s a valid thing to do and it’s appropriate to do. But with the sophistication of the kinds of actors we face and the tools they have, it’s almost a certainty that despite all the good things you do, something is still going to happen. It’s going to get through your defense in depth or what have you,” Scott said. “So we need parallel capability to quickly detect when something has happened, isolate and contain, and then clean and return to normal operation. It’s an area where both the tech industry and policies and practices have to come together and lean forward in a way, and that has to happen in a much shorter time frame than how things have evolved in the past.”
He added that cyber information sharing is the other key piece of the change needed within government and industry. The Obama administration and Congress are working on several cyber information sharing bills.
Two weeks into the cyber sprint, Scott said he believes agencies understand the urgency of the cyber challenge and are taking the efforts seriously.
“Like anything, even in the two weeks, we can clearly see where there are additional opportunities and we are prioritizing those,” he said. “I would view this 30-day sprint as the beginning of what I think will be a good journey over the next several months to improve our cybersecurity.”