Plan for Responding to Barrage of Agency Hacks Coming this Fall, Federal CIO Says
The new recommendations will build on the 30-day “cybersecurity sprint” mandated by the White House this summer.
New federal guidelines laying out recommendations for better securing federal agencies computer networks and responding to cybersecurity incidents are coming this fall, U.S. Chief Information Officer Tony Scott said Wednesday.
The new recommendations will build on the 30-day “cybersecurity sprint” mandated by Scott’s office in the wake of the massive breach of background investigation files at the Office of Personnel Management disclosed earlier this summer.
The new guidelines will make “serious recommendations, both policywise and processwise” about how agencies can better respond “when the government itself is the victim of a cyberattack,” Scott said during Nextgov’s annual Prime conference. “I look forward to some of these important changes, because I think it will make us faster, more responsive and more thorough in our response.”
A recently set-up White House cybersecurity unit -- within the Office of Management and Budget -- is already working to reduce the number of cyberincidents where government information is compromised, Scott said.
“I think having a measurable goal like this is important,” he added, likening it to the practice of quality control on a factory floor.
Too often, the basics continue to trip agencies up.
"The good news is, I think we are making progress,” Scott said. “The bad news is, incidents that do occur, mostly occur because we failed even the most basic preventative measures."
As a result of the cyber sprint, agencies began taking steps to tighten their online defenses. Overall, the percentage of federal employees required to use a smart card in addition to a password to log on to agency networks increased from about 42 percent to more than 72 percent during the exercise, according to OMB.
That could be key in preventing future breaches.
Of the more than 69,000 cyberincidents civilian federal agencies reported to the U.S. Computer Emergency Readiness Team in 2014, more than half -- 52 percent -- could have been prevented by stronger log-on procedures, Scott said.
Congress Also Amping Up Oversight
Meanwhile, Congress is prepping another probe into how agencies have responded to the OPM hack.
The breach -- in which hackers stole personal information on nearly 22 million current, former and prospective federal employees and contractors -- has revivified congressional oversight of agency IT practices, one lawmaker says.
"Oversight [of cybersecurity] has taken on new life in this Congress; I think OPM is one of the reasons for that,” said Rep. Will Hurd, R-Texas, the chairman of an IT oversight subcommittee, in a keynote address at the conference.
He pointed to calls by members of the broader House Oversight and Government Reform Committee for former OPM Director Katherine Archuleta to resign over her handling of IT security at the agency. Archuleta stepped down in July.
"The pressure that we were putting on the Hill helped get her to step down, because this is an example of the federal government, saying, 'Do as I say, not as I do,'" Hurd said. “And we need to stop that. And I think Congress needs to do a better job of playing our oversight role and you're going to be seeing that."
The next hearing -- which will come either later this month or next month -- will focus on evaluating the new leadership team put in place by the White House after Archuleta resigned and steps to prevent future damaging hacks. Beth Cobert, the deputy OMB director, has been tasked with leading the agency on an interim basis.
"My biggest questions are: How do we ensure this doesn't happen again?” Hurd told reporters after his speech Wednesday. “And, why when you have data” -- inspector general and other watchdog reports -- “wasn't this kind of behavior . . . taken care of sooner?"
Hurd, who said many agencies aren’t following “the basic tenets of good digital hygiene,” said he wants to understand the decision-making that led OPM to delay plugging security gaps, “so that we can cut that out in other agencies."