If the federal government wants to make real progress on cybersecurity, it will need to make the sense of urgency seen in the recent 30-day cybersecurity sprint a standard component of agency operations moving forward and fundamentally rethink existing lines of responsibility and accountability, according to recommendations released Monday by a major industry group task force.
In a letter to acting Office of Personnel Management Director Beth Cobert, U.S. Chief Information Officer Tony Scott and White House Cybersecurity Coordinator Michael Daniel, members of the Information Technology Industry Council’s IT Alliance for Public Sector urged the federal government to “boldly act to alter the overall culture and approach the federal government currently uses to address cyber threats.”
The recommendations come in response to the massive cybersecurity failures that led to the theft of background investigation records on more than 21.5 million current and former federal employees at OPM. Although the White House has reported progress in the aftermath of the 30-day cybersecurity sprint ordered by Scott, the task force of technology and security experts from 20 leading IT companies said that, without bold action across the entire government enterprise, the problems that led to the OPM breach and other incidents will persist.
“In the remaining time for this administration, the federal government must execute a series of initiatives and reforms to rapidly and comprehensively secure federal networks and data, urgently declaring our nation’s networks a national priority,” the ITIC report states.
Among the most disruptive and controversial recommendations is a call to alter the existing lines of responsibility and accountability in federal cybersecurity and create a central position to oversee governmentwide security policy and spending — something Scott said in a recent interview with FedScoop that he did not favor.
“The federal government too often has vague lines of responsibility and accountability. Understanding how business establishes clear lines of responsibility and whom to hold accountable in a cyber crisis would be beneficial to establishing better cybersecurity accountability in the federal government,” the task force report states. “The current lines of responsibility and accountability are not getting the desired results across the federal government, as demonstrated through recent incidents occurring at federal agencies. Exact lines are blurred and in some cases may even present a potential conflict of interest, such as the [chief information security officer] reporting to the CIO.”
The ITIC task force recommends that the federal government escalate security from merely an IT concern to a business risk concern. And to do that, it suggests creating what would effectively become a chief information security officer for the entire government. “For example, make permanent a central Administration role with appropriate authorities and budgetary controls to direct and oversee cyber activities across the government, including leadership of a cybersecurity ‘council’ for interagency coordination; separate agency CISO functions from CIO functions; establish a mechanism to escalate agency CISO security concerns directly to the department and agency head or central cyber function for adjudication as appropriate.”
“Now more than ever information and technology are critical to how the government functions and cybersecurity can no longer be viewed as an isolated issue. It should be a top priority government wide,” Trey Hodgkins, ITIC’s senior vice president for the public sector, said in a statement.
The recently completed federal cybersecurity sprint demonstrates the sense of urgency that should be at the core of the government’s cybersecurity culture and approach going forward, the task force argued.
“The government must move boldly with speed, transparency in action, unity of effort, and clarity in purpose,” the report states. “While these efforts should result in immediate enhancements, they will also set the foundation for the government’s future efforts. Most importantly these efforts will begin the long process of restoring the American people’s trust in the ability of the federal government to protect its networks and the information that resides in and transits those networks.”
Read the ITIC recommendations here (PDF).