Federal CIO: Cyber is ‘Our Most Important Mission Today’
Tony Scott said his mission "is to dramatically reduce the number of cyber incidents.”
In the wake of massive government data breaches that exposed millions of federal employees’ personal information, cybersecurity has become perhaps the White House’s highest priority.
One day after the leader of the House Oversight and Government Reform Committee asked Office of Personnel Management leadership to resign over the breaches, U.S. Chief Information Officer Tony Scott reiterated the importance of cybersecurity.
“Our overall mission is to dramatically reduce the number of cyber incidents,” Scott said Wednesday at the Brocade Federal Forum in Washington. “This is our most important mission today.”
Scott said strengthening the federal cybersecurity posture across government agencies is the only way to fully “restore public confidence in government and institutions,” which has undoubtedly decreased following the slew of hacks, breaches and negative cyber-related headlines.
Scott, only about four months into his new job as the government’s top techie, has been swift to react to the nation’s cybersecurity issues.
Last week, the White House – led by Scott – launched a 30-day "cybersecurity sprint" to assess and improve agencies' cybersecurity processes, resources and priorities. Emergency procedures include tightening controls for “privileged users” and network administrators, upping the use of multifactor authentication and immediately patching critical software vulnerabilities.
The reality, Scott said, is that every Internet-connected system is potentially vulnerable, noting that “a lot of money has been spent on technology trying to prevent bad things from happening.”
Simply building a bigger wall between adversaries and agency secrets has not proven to be an effective strategy. Rather than allocating an increasingly large percentage of IT budget dollars to cybersecurity, Scott argued for risk-based analysis that takes into account multiple variables.
“Information security often is just a percentage of the IT budget,” Scott said. “I think that’s the wrong way to think. The right way is on a risk-based analysis – we’ve got threats, risks, and just like insurance, there has to be an equation when thinking about how much money we should spend on cybersecurity.”
He also advocated increased information sharing between agencies and industry. And, not surprisingly, expect government investment in cyber-anything to increase – something Scott said has “been neglected” over the past two or three decades.
“The more we can share about threats and actors, best practices in how to defend and remediate when these things occur . . . is a very important part of this agenda,” Scott said.