30-Day Cybersecurity Sprint: Just a Start
Federal CIO Boasts of Improved Authentication
The 30-day Cybersecurity Sprint overseen by Federal CIO Tony Scott has crossed the finish line, but in reality, it looks more like a starting gate to a marathon to get the federal government to secure its battered IT.
"The work of addressing cyber-risks is never done," Scott says in a blog posting.
"Cyberthreats cannot be eliminated entirely, but they can be managed much more effectively."
In June, the Office of Management and Budget launched the sprint to assess and improve the health of federal information assets and networks (see Ramping Up Agency Security, Yet Again). As part of the sprint, OMB directed agencies to further protect federal information, improve the resilience of its networks and report on their successes and challenges.
OMB specifically instructed agencies to immediately patch critical vulnerabilities, review and tightly limit the number of privileged users with access to authorized systems and dramatically accelerate the use of strong authentication, especially for privileged users.
Since then, Scott reports, federal civilian agencies increased their use of strong authentication for privileged and unprivileged users. Specifically, he says, federal civilian agencies increased their use of strong authentication for privileged users from 33 percent to nearly 75 percent - an increase of more than 40 percentage points since agencies last reported their quarterly data on Performance.gov. This was accomplished mostly through the use of personal identity verification cards, which can be used as a second factor to access government IT.
But more must be done to secure government IT. Scott says a team of 100-plus experts from across the government and private industry is leading a review of the federal government's cybersecurity policies, procedures and practices to accelerate and amplify the work and objectives of the sprint. The team's assessments will be the basis of a set of action plans and strategies to address critical cybersecurity priorities that will be released in the coming months.
But Scott says the government can't tackle its cybersecurity challenges without appropriate funding from Congress. Specifically, Scott calls on Congress to end the across-the-board appropriations cuts known as sequestration and provide agencies certainty in their cybersecurity budgets.
"Decades of underfunding and years of uncertainty in budgets and resourcing for strategic and critical IT capabilities like cybersecurity have contributed to the current unsustainable state of the federal government's networks," he says.
It's a point picked up by Alan Kessler, chief executive of the IT security firm Vormetric. "However good the strategy, if there's no team to make it happen, and no resource behind the effort, it will fail," Kessler says. "In the past, many of these agencies have undoubtedly performed assessments, added up and requested resources, and never received the budget to make better IT security happen. Without a team and resources required, it's not getting done."
Sen. Tom Carper, the Delaware Democrat who has led legislative efforts to secure federal government IT, agrees that "Congress has a responsibility to help, too. ... We know all too well that cybersecurity is not only a sprint, it's a marathon. It will take sustained focus, vigilance and progress to ensure every federal agency and business is equipped with the capabilities needed to fend off future cyber-attacks."
With a bureaucracy the size of the federal government coupled with the dysfunction of Congress, finding the right approaches to securing agencies' IT will be difficult.
Regardless of what the administration, Congress and agencies eventually do to increase federal government IT security, it will never be enough. That's a reality everyone faces, in and out of government. "Let me be clear: there are no one-shot silver bullets," Scott says. "Cyberthreats cannot be eliminated entirely, but they can be managed much more effectively."
These days, getting to a state of effective cybersecurity management would be considered a winner crossing any finish line.