The key to ensuring the cybersecurity of federal agencies lies not in any gee-whiz technology, but in the arcane details of the org chart and budgeting procedures, a panel of former and serving officials said Thursday.
“Structurally, from a budgeting perspective, we’re not set up for success [in federal cybersecurity],” said Thomas McDermott, the acting deputy assistant secretary for cybersecurity policy at the Department of Homeland Security.
“The way the federal budgeting process works, with one-year money, it makes it much harder to spend [on] long-term upgrading infrastructure, as opposed to continuing to patch old and frankly often indefensible IT systems,” he said.
The panel was part of FedScoop’s Lowering the Cost of Government IT Summit at the Newseum.
McDermott said the challenge was “how to normalize and build in cybersecurity as part of an agency’s normal budgeting process … making it part of the norm and not … off on the margins.”
It’s not just the question of how budgets are planned and spent, added Kiersten Todt, executive director of the President’s Commission on Enhancing National Cybersecurity: There’s also the vital matter of who’s in charge.
“From a budget perspective we have an interesting challenge,” Todt said. “We also need to make sure that budget is allocated appropriately to make sure things that are needed get done.”
The commission has been hearing from officials about how best to ensure cybersecurity policies can be developed and enforced across government, she said.
“The way positions have power and the way they are effective is when they have budget authority, and when they have overall authority, and [the question is] how do we structure that in the government?” she said.
“One of the things we are hearing and learning is about responsibility, accountability and capability, and how do these three elements fit together in the government realm to ensure cybersecurity,” she added.
With a change in government potentially every four or eight years, officials need to ensure the baton is not dropped during transitions.
Each successive administration seems to have to relearn the same cyber lessons over again, said Bob Gourley, formerly the CTO of the Defense Intelligence Agency and now a partner in the consulting business Cognitio.
“How do we make sure that this cyber amnesia doesn’t keep occurring?”