Just a handful of months into his tenure as U.S. chief information officer, Tony Scott has already learned you can’t let a good crisis go to waste. And with the wounds of the Office of Personnel Management breach still fresh, Scott hopes to parlay the need to better protect federal information into a new vision for cybersecurity.
He calls it “secure by design.” Scott, who often compares securing aging federal IT systems to building airbags into a 1965 Ford Mustang, said the current computing environment in the federal government and its security have drastically changed. To prevent attacks rather than simply responding to them, IT architects must rethink how they build systems.
“We find ourselves in a different context completely than the compute environment we started as a design point 10, 15, 20 years ago,” Scott said Friday. “And I think what that calls for, in my mind, is new design.”
He called for designing system components with security in mind from the outset. These components must be “designed to be part of an ecosystem that knows how to respond to and deflect the kinds of cyber threats we face,” he said. Within this construct, Scott said it’s possible to imagine systems with “self-awareness, self-healing,” “the ability to isolate and contain and recover, and the ability to communicate in a structured way with the other parts of the ecosystem.”
This differs dramatically from the way the federal government is currently securing its systems. Scott said most agencies are just “bubble wrapping and air bagging existing environments.”
“I think we have to fundamentally recognize that we have to change things by design, and we may not be not be able to just increment our way to success without some new design thinking somewhere along the way,” he pitched as he strolled through the audience at the 2015 Cybersecurity Innovation Forum.
This strategy isn’t something that will happen overnight, Scott admitted, and realistically it may not happen before the close of this administration in early 2017. But in the meantime, the U.S. CIO is intent on securing the government’s information.
While Scott’s much-talked-about “cybersecurity sprint” in wake of the OPM breach has concluded — with mostly encouraging results, like the rocketing of smart card use at CFO Act agencies from about 42 percent to 72 percent in 30 days — he said the effort is part of a larger “marathon” to improve federal cyber hygiene. The Office of Management and Budget plans to issue even more strategic recommendations in coming months on more than two-factor authentication, Scott said.
The series of recommendations will have to do with “process changes, legislative changes, human resource changes, organizational things that we think can be done to improve our game in the overall cyber space,” the U.S. CIO said.
But really, Scott said, it’s doing the simple things that will help prevent another massive OPM-like breach. Of the nearly 70,000 cyber incidents in federal civilian agencies in 2014, he said more than half could have been prevented with stronger adoption of two-factor authentication.
“I don’t care what business you’re in — if you can get a 50 percent improvement by doing one thing, you’ll take that every day,” he said. “Yet it’s amazing to me how often we fail to take even the most basic steps. That’s why we focus so much on this particular metric.”