Tony Scott, the country’s chief information officer, wants to overhaul the way government IT is run. On Friday, he will announce a long-term cybersecurity strategy focused on hiring elite technologists, utilizing emerging tech, and fostering consistent, rapid responses to cyberattacks.
“Most of the things we have built systems out of today have their design point 10, 15, even 20 years ago,” Scott told BuzzFeed News. “I’m talking about operating systems, I’m talking about hardware and software. What we’ve had to do in response to today’s cyberthreats is kind of air-bag and Bubble Wrap the things that we’ve built. And we can only do so much of that.”
Scott envisions a government model built on cloud computing and recurring upgrades. He will task federal agencies with taking a more active role in replacing outdated networks and their underlying technology. And he hopes to lure cybersecurity talent with appeals to public service and with the seemingly insurmountable challenge of protecting government networks from multiplying adversaries.
Scott’s cybersecurity implementation plan follows a series of sophisticated data breaches targeting government agencies. The largest hack, and perhaps the most embarrassing for the Obama administration, struck the Office of Personnel Management earlier this year, when millions of Social Security numbers and fingerprints belonging to current, former, and prospective federal employees were stolen. The colossal theft, which affected more than 21 million people, led to the resignation of OPM’s director, Katherine Archuleta, and urgent calls to update antiquated networks and to rectify the government’s glaring IT vulnerability.
In the aftermath of the breach, Scott instituted government-wide security measures, including patching vulnerabilities, shrinking the number of privileged administrators, and utilizing basic tools, like two-factor authentication. The use of smart cards by federal employees to securely access government machines has increased from 42% following the breach to 80% in mid-October, he said. This form of strong authentication is believed to function as a preventative measure. In both the OPM and Target data breaches, compromised credentials granted hackers a way in.
“I think that one of the key differences between this effort and things that have gone on before is we are going to measure,” Scott said, referring to quantifiable improvements within the federal workforce. “And Congress is watching, the inspectors general are watching, the GAO [Government Accountability Office] is watching, and we are reporting the results. That creates a focus that might have been missing before.”
In what has been described as a victory for tech companies, the Obama administration has decided not to seek legislation forcing Silicon Valley firms to install so-called “backdoors” on their encrypted devices, a thorny cybersecurity issue that companies like Apple and Google have been watching closely.
Throughout 2015, FBI Director James Comey and other government officials have expressed their frustration to Congress with what they describe as the “going dark” problem, whereby encrypted devices and applications place criminals beyond the reach of the law. In turn, cryptologists and privacy advocates argue that granting privileged access to law enforcement is both technologically unworkable and necessarily introduces security weaknesses.
On this debate, CIO Scott is clear: “I think in the long run we are probably not well served by backdoors to encryption and in general we end up benefiting as a society by having very strong non-hackable encryption,” he said. “And I say that knowing that it will present some challenges for law enforcement and investigative agencies.”
Scott is the country’s third CIO, a position established during President Obama’s first term in 2009. Before joining the federal government, Scott served as CIO of VMware, Microsoft, and the Walt Disney Company.