Author: Will Hurd
I knew the federal government had a real problem with cybersecurity. But there was one moment, during an oversight hearing with the senior security officer at the Social Security Administration (SSA), when I realized it was even worse than I originally thought.
I asked a simple question about what the agency, which stores the personally identifiable information for nearly all Americans, was doing to patch bugs revealed by a technical vulnerability assessment.
The official’s less-than-helpful answer? “Very many different things.”
The assessment had been conducted nine months prior, and yet the officer testifying didn’t know how many bugs needed to be fixed or what the status of those fixes was.
This lack of attention to the most fundamental cybersecurity best practices leaves SSA susceptible to a mass data breach.
An agency this large and this negligent puts itself at risk of the kind of attack suffered by the Office of Personnel Management (OPM), in which a hostile threat actor stole the personal records of 21.5 million Americans—including the highly sensitive information used to conduct background checks for those who will be given access to our nation’s most valuable secrets.
The dismal state of cybersecurity at federal agencies isn’t the fault of this one official alone, of course. The deck is stacked against both her and many of her colleagues in the federal government. The legal, regulatory, and cultural barriers hindering the adoption of new technologies, the lack of investment to aid in digital defense, a dearth of qualified professionals willing to commit their cybersecurity skills to protect the federal government, and an immature information exchange environment have exacerbated an already insufficient information security culture in the federal government.
According to the General Accounting Office (GAO), the federal government spends more than $80 billion on IT procurement, 80 percent of which is spent on maintaining old and outdated systems. The people who buy the IT goods and services are not the same people who use the IT goods and services. The Chief Information Officer (CIO) who is charged with overseeing good digital hygiene isn’t in control of the entire agency’s IT budget, and, because of the way the government is funded, agencies are unable to utilize savings they realize through the adoption of new technologies.
This has to change. Fortunately, we have made some progress.
In 2015, the Federal Information Technology Acquisition Reform Act (FITARA) was signed into law. FITARA empowers CIOs with responsibility over IT investments, project performance, and results-based management, all necessary to steer federal agencies towards modernization.
The passage of FITARA was huge, but we’re trying to do more. The recently introduced bipartisan, bicameral Move IT Act seeks to ensure that those CIOs are rewarded for their efforts to save our tax dollars and modernize their IT by allowing them to reinvest what they save.
Once we have regulatory reform, we need to attract qualified professionals in the cybersecurity realm. This challenge is not unique to the federal government. In 2015, in Texas alone, 40,000 computing jobs—positions that require some education in coding—went unfilled, according to an analysis done by Code.org using Bureau of Labor Statistics Employment Projections. In that same year, according to the study, Texas only produced around 2,100 computer scientists. Even scarier, only about 5,000 high school students took the AP Computer Science course.
While we need to do basic things, like ensuring uniform access to AP Computer Science in high school and introducing coding classes into middle school, we also should consider the creation of a Cyber National Guard.
The federal government could forgive the student loan debt of STEM graduates who agreed to work for a specified number of years in the federal government in cybersecurity jobs at places like SSA or Department of Interior. Furthermore, when those individuals moved on to private sector jobs they would commit one weekend a month and two weeks a year to continued federal service. This would help ensure a cross-pollination of experience between the private and public sectors.
In Washington, DC, the term cybersecurity has come to mean information sharing. Last year, Congress passed landmark legislation in the form of the Cybersecurity Act of 2015 to provide the necessary legal protections for the private sector to share threat intelligence with the government. The former head of the NSA, General Keith Alexander, uses a historical analogy to put in context the importance of information sharing between the public and private sector. He says that “assuming that either the private sector or the government alone will be able to defend our nation is tantamount to the French reliance on the Maginot Line during the lead-up to World War II. We ought not repeat that historically catastrophic mistake.” The French poured an incredible amount of money, materials and manpower into building fortifications along their border with Germany, called the Maginot Line, which was ultimately ill-suited to stop the attack Germany wielded—they just went around it.
Neither the private sector nor public sector can protect our country from our cyber adversaries alone. Consider this: Members of the financial services industry know best the kinds of threats they face every day. They have an idea of the types of malware organized Russian criminals have developed to attack US financial systems and where these financial systems are most vulnerable. Their intricate understanding of the issue means they know what our intelligence agencies should be looking for when they look into this issue as well.
Intelligence organizations operate around something called “collection requirements.” These are a set of specific questions a collection effort must aim to answer. Members of the financial service industry could turn their knowledge into collection requirements to be used by the US national security apparatus. Once the appropriate intelligence is collected, the information gleaned could be fed back into the private sector, allowing them to strengthen their own digital defenses. This is the type of information sharing that both the private and public sectors should achieve.
From investment in technology to investment in people, we as a federal government and as a nation need to do much more to ensure a safer and more secure digital age—before it’s too late.