Several CIOs say the OPM cyber breach is a stark reminder that any system or network is vulnerable.
Federal CIO Tony Scott put the issue in perspective during a speech at the Brocade Federal Forum Conference in Washington Wednesday: “There are two kinds of people, those who have been hacked and know it, and those who have been hacked and don’t know it.”
This modern-age saying rings especially true now.
So what can senior federal IT managers take from the OPM experience? What can they do to make sure they are not next on Capitol Hill?
Richard McKinney, the Transportation Department CIO, said, when people ask him what keeps him up at night, his answer is always, “Cybersecurity.”
He said DoT is taking another hard look at its data.
“We are having a very broad conversation within DoT about what are our high-valued assets we wouldn’t want to see in the wild, whether it’s intellectual property, personally identifiable information or just anything that is not FOIA-able and documents we need to protect,” McKinney said in an interview with Federal News Radio before he spoke at the Brocade conference. “We are identifying those and making sure that we have the protection schemes in place to guard those. There has been and should be a broad emphasis on perimeter, detection, strong authentication and Trusted Internet Connection. All that stuff is extremely important. But all of us are beginning to realize, no matter how good we do that, we’re going to have intruders. So if they break into your house, are the jewels in the safe? Are you protecting your assets? Are you making it hard, if not impossible, for them to get to those things?”
McKinney said DoT is ensuring those crown jewels are doubly protected to better defend against the intruders. The department’s team is broader than just the CIO or chief information security officer who is defining the high-value data assets, he said. It includes the mission areas and other CXO community members.
McKinney said the 30-day cyber sprint the Office of Management and Budget recently kicked off is about recognizing the urgency of the moment.
Through that sprint, which is being led by Chief Information Security Officer Drew Orndorff, DoT will tie up any cyber loose ends as soon as possible.
OPM hack reminds leaders of their own cyber risks
While all CIOs would say they worry about cybersecurity every day, a massive breach like the one OPM endured also could provide their agencies with an important reminder.
Simon Szykman, a former Commerce Department CIO who is now chief technology officer at Attain, said, during his tenure, cyber attacks against other organizations helped him explain to senior officials why they should care about IT security and helped him secure resources to do something about the threats and vulnerabilities.
“It’s not just the resources, but it requires a certain level of buy-in at the large agencies from CIOs of some of the components or sub-agencies. It also takes a certain amount of awareness by senior career and political leadership for them to understand what that risk really means,” he said. “I think, frequently, what you will find is, there is a level of risk that is not fully appreciated by people outside of the IT community, so you have people who could be more influential, but don’t understand what their exposure is. If they understood that better, they may be more willing to redirect or commit resources to address some of the shortcomings.”
Szykman said the OPM hack also could give CIOs more influence to implement cyber capabilities that are long overdue, such as two-factor authentication. Cybersecurity tools are often a priority, he said. But when the agency is trying to balance what feels like a never-ending list of priorities, some things get lost in the shuffle.
“People are starting to look around and see where they are at risk, and what could happen that would be bad and what could be done about it,” Szykman said. “It makes sense to do that, but in the short term, that’s reactive to this incident. It’s important to work more proactively in the future.”
OMB is trying to embrace the idea of acting more proactively.
First, Scott said, OMB is developing a cyber playbook similar to the playbook developed by the Digital Services office at OMB in 2014.
“So far, we’ve thought about digital services teams as primarily being in the application development space or in the Dev/Ops space,” Scott said. “This was the team that worked on HealthCare.gov. They are currently working in the Veterans [Affairs Department]. They are doing some work in the Department of Defense and in other places,” he said. “But I want you to think about digital services teams a little more broadly. We need digital services teams in cyber. We need them in infrastructure. We need them in network. We need them in every single aspect of IT that you can think of.”
Scott said he also wants to focus over the long term on how agencies fund cybersecurity activities.
In the fiscal 2016 budget request sent to Congress in February, the White House asked for $14 billion for cybersecurity.
Scott said, too often at agencies and other organizations, cybersecurity is a percentage of the overall IT budget. The budget goes up or down based on the overall fiscal health of the organization.
“I think that’s the wrong way to think about security,” he said. “The right way to think about it is on a risk-based analysis. We’ve got threats. We’ve got risks. Just like insurance, that has to be the equation when we are thinking about how much money we should spend on cybersecurity. What is our appropriate response, not only as a nation but as an organization? It can’t be a percent of the budget or some other arbitrary number. I’m starting to see boards of directors and others in responsible positions think about cybersecurity that way. Overall, our mission for cyber is to — I would use the word — dramatically reduce the number of cyber incidents that affect the government’s information. This is our most important mission today.”
Scott urges agencies to buy secure commercial products
Because cyber is the government’s most important mission today, Scott said, industry must play a bigger role. He’s not talking about more contracts and more services.
He said there are a couple of things that can happen to boost every organization’s cybersecurity.
“One is architectural in nature. Everything that we do should be two-factor enabled, [HSPD-12] card enabled from networks to applications to servers to storage and so on. We need end-to-end security in everything that we do. And anytime there is a seam or gap and that security chain gets broken, it’s a guaranteed problem point from a security perspective,” Scott said. “I’m going to urge that, for technology that we buy for handhelds and PCs and so on, we use TPM chips enabled gear. It’s just a simple, fundamental thing, but it would greatly enhance our capabilities. And there are other things like that — that, if we took action right now, in a pretty short period of time, would help us be in a much better position.”
TPM stands for “Trusted Platform Module.” A TPM chip conforms to an international standard for microprocessors that integrate cryptographic keys into the devices they are built into.
It’s not clear whether Scott will issue new policies. But his answer to a question about developing metrics may give some insight into his plans for issuing policies.
“You know OMB has been issuing guidance for years and a lot of it has been ignored. I would tell you, I think you get what you measure and get what you inspect,” he said. “We intend to do a lot less issuing guidance that goes nowhere and a lot more inspection and conversation in terms of the things that we do. I think it’s an important part of how we get better. And then, enrich, enhance and make simpler are all parts of that formula.”