When it comes to cybersecurity problems within the government, I feel like Bill Murray in the movie “Groundhog Day” – I’m watching and listening to government officials have the same discussions of the same problems over and over, and making only incremental progress in addressing them.
In May, I was hopeful that this endless repetition might stop when the Office of Management and Budget (OMB) released its Federal Cybersecurity Risk Determination Report and Action Plan. OMB said the plan “presents a high-level assessment of government cybersecurity risks, identifies actions to improve federal cybersecurity,” and discusses the need for agencies to work together to “identify how to implement those actions.” Mandated 12 months earlier by President Trump’s executive order on cybersecurity, this “Risk Report” appears to be useful for those who are new to the issues discussed.
Unfortunately, the report isn’t really news to those who have been toiling in the cyber trenches for years. In fact, much of it is a rehash of things we have known for at least 15 years, going back to the old FISMA scorecards, when the average agency score was a “D.”
The Same Discussions Year After Year
Despite increased investments in things like continuous diagnostics and mitigation, information-sharing initiatives (ISACs and ISAOs), threat-sharing (STIX and TAXII), and NIST’s risk management framework and cybersecurity framework, the story has remained the same. We’ve had discussions of the problems, lots of fanfare about initiatives, but little real progress.
To give an example, one of the risk report’s recommendations was to “hold agency heads accountable for their organization’s security and governance processes.” But the president’s May 2017 executive order on cybersecurity already clearly stated that agency heads will be held accountable for implementing risk management measures and processes. Despite this charge, a full year later the risk report points out that “71 of 96 agencies (74 percent) participating in the risk assessment process have cybersecurity programs that are either at risk or high risk.”
Has anyone been held accountable for this? The federal government is spending its time observing and practically congratulating itself for recognizing the problems, rather than trying to understand the root causes and addressing them.
We Know the Problems; Where Are the Solutions?
To its credit, OMB’s risk report correctly states that “two of the most significant areas of risk that were identified in agency assessments were the abundance of legacy information technology, which is difficult and expensive to protect, as well as shortages of experienced and capable cybersecurity personnel.”
Given this, it seems that rather than OMB’s recommendation that agencies “continue standardizing their IT offerings and cybersecurity capabilities,” a more focused effort should be made to centralize and standardize IT infrastructure protection. This could be done by relying on cloud providers to do much of the heavy lifting (manage, maintain, and help secure facilities, systems and infrastructure), while users would still be responsible for things that they host in the cloud.
The standardization that cloud providers offer, along with shared security responsibility and economies of scale, will go a long way toward addressing the primary issues that were raised in the report — specifically, not having enough skilled workers and the complexity of existing systems.
It’s simply not enough to threaten to hold an agency head accountable. To be successful, we need agency officials who are empowered with the administrative and budgetary authority to make this happen by a specific date.
The Race to the Cloud Needed to Start Yesterday
As an early proponent of the security of cloud computing, I am more convinced today than ever that the cloud can be more secure than allowing agencies to manage their own unique infrastructures, and that economic efficiencies from further cloud adoption will benefit the American taxpayer.
I am also convinced that now is the time for federal agencies to quit dragging their feet and actually make widespread migration to the cloud a reality. Let’s not have this same conversation 15 years from now. Let’s have government really do something big.
America once pursued an ambitious race to the moon that led us places man had never been before. It’s time to develop a similarly comprehensive “race to the cloud” initiative. That’s the type of big thinking required to make our government’s systems and data more secure, and to best serve the American people.
Rick Tracy is senior vice president and chief security officer at Telos Corporation.