The federal chief information officer wants organizations to change a number of paradigms around cybersecurity, including how systems are designed, how those systems fit into their mission and what it’s going to take to fund them.
U.S. CIO Tony Scott spoke Tuesday at the Billington Cybersecurity Summit in Washington, D.C., saying that “bubble wrapping” legacy systems with modern security tools in hopes that it will save some money in the short term is a recipe for disaster in the long run.
“In a world where every 5 years you can get double for every dollar you spend, if you’ve missed four or five of these upgrade cycles, you are spending five, six, 10 times more to keep old stuff going,” he said. “There is not a good economic argument to this. Those that think they are saving money by not upgrading are deluding themselves.”
Scott pressed audience members to rethink the way they are designing systems, saying the basic architecture for systems hasn’t changed over three decades despite threats and attacks that have multiplied and matured. Like many in both the public and private sectors, Scott called for security to be built in by design so enterprises can avoid bolting on security to already-bulky IT systems.
“Components aren’t self-aware, can’t communicate with the other components or the security posture, or a whole bunch of other things that in a different design model you would really want to know,” he said. “It’s like driving a car down the road and not knowing whether you have bald tires, or the oil pressure is low, or brakes aren’t working. That’s the model for all of this stuff. There is not secure-by-design in the model.”
He also called on organizations to spend more time fine-tuning their architecture to better understand the cybersecurity posture they need for their mission.
“Ninety-five percent of what we do exactly mirrors the org chart of the federal government. In a digital world that doesn’t make sense any more,” he said. “We were expecting the Marine Mammal Commission to do the same kind of job the [Defense Department] does for protecting its systems and networks.”
The third paradigm is something Scott has talked about at length over the past few months: the need to reexamine the way federal agencies budget money to modernize systems.
“There are 7,000 programs on the civilian side that get funding from Congress to do the work that we do. Built into every one of those is a little allocation for IT — just enough for that set of systems and infrastructure to keep that on life support,” Scott said, adding that that funding cycle is unsustainable.
There are currently two forms of legislation before Congress — the IT Modernization Fund and the MOVE IT bill — that would allow agencies to create some sort of revolving fund for continuous IT upgrades. A combination of those bills will be marked up later this week.
Whatever the solution, Scott said the status quo cannot last.
“When you have that kind of world, you are giving yourself a life sentence to live in yesterday’s world,” he said.