In principle, holding each agency head accountable for his or her agency’s cybersecurity is logical. The problem with that is they were already accountable. When the OPM was breached, director Katherine Archuleta stepped down. And there were calls for the director of the IRS to resign after its breach last year. Simply forcing agency heads to resign without providing the funds and support they need to successfully protect their agencies is just setting them up for failure. Never mind that we’re cutting your budget – if you get breached, you will be fired.
One thing I found quite interesting was this quote: "Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services."
This represents a significant change for government agencies, which used to steer away from shared services like cloud SaaS, particularly for cybersecurity. It’s encouraging to see cybersecurity specifically called out here as something that can be moved to the cloud.
If Trump plans to hold each agency more accountable, it should start with the work the U.S. Government Accountability Office (U.S. GAO) has already been doing for years. They have done an admirable job of giving organizations easily understood letter grades for security. The review isn’t terribly deep, but the National Institute of Standards and Technology (NIST) Cybersecurity Framework they use has been widely adopted in both government and industry. By applying this framework to the key security domains (data, applications, networks, mobile and endpoints), agencies can focus their program on improving in the most important areas.
But the compliance-audit-accountability game only works if an agency actually wants to get more secure. Otherwise, it devolves into a game of who will check the box for the least amount of money: a classic race to the bottom. So, more likely, “accountability” will be rated solely on whether an agency gets breached or not.
I doubt the new administration will take a nuanced position about whether the agency had adopted a cost-effective risk management strategy. Get hacked. Get fired. #securityiseasy.
In a nutshell, federal agencies have a major problem on their hands. They have to pay back a ton of “security debt” that they accrued over the past 20 years of “e-gov.” So, the truth is that they cannot feasibly modernize while also improving their cybersecurity posture with the limited resources available to them. In the long term, there are cost savings associated with doing security more efficiently. But in the short term, there’s a lot of cleanup to do. Most government agencies do terribly on the U.S. GAO cybersecurity scorecard.
My experience is that federal agencies are woefully unprepared for application layer attacks. In my estimation, they are at least a decade behind the financial industry, which is nowhere near satisfactory at producing and operating secure code. There are numerous reasons, but I believe the root cause is that government outsources most of their software development, and certification processes haven’t been effective at ensuring security. Instead, we need to ensure that government buyers and contractors are communicating about security needs from the very start of projects. Relying on vague security regulations and guidelines has made it almost impossible to purchase secure systems.
My highest priority recommendation for our federal government is to make security visible. The federal government has the power to make both agencies and companies disclose exactly how they are building applications and securing systems. We have the right to know how teams are trained in security, what processes are used to build and test security, what components are integrated, and what security tools are used to assure our nation’s information technology. This is not only an inexpensive way for the government to address the issue of cybersecurity, but also the most likely to make a real difference.