The United States government has a plan to shore up its cyber defenses and prevent more devastating hacks, but setting that plan in motion will require extracting more funding from a hostile Congress, boosting young Americans’ interest in the IT field, and dramatically transforming how an estimated 2.7 million federal civilian employees think about cybersecurity.
Care to bet on its success?
These are the challenges facing federal departments and agencies as they begin executing the directives in the Cybersecurity Strategy Implementation Plan, released on Oct. 30 after a “comprehensive review” of the government’s cyber standing. The massive Office of Personnel Management data breach, which exposed the records of nearly 22 million federal workers, prompted the Office of Management and Budget to oversee a 60-day “cyber sprint,” including basic security upgrades and the review that led to the CSIP.
Cybersecurity has never been a more popular topic in Washington than it is right now. Questions abound about how the United States should protect its own systems and when it should strike back to deter future cyber aggression. The dramatic scope of the OPM hack—affecting not just current federal workers but also people who applied for jobs and were never hired—propelled cybersecurity, a pervasive but esoteric topic, to the top of the political and legislative conversation.
The hack was “a wakeup call for agency heads,” said Rob Knake, a senior cyber policy fellow at the Council on Foreign Relations who served as director for cybersecurity policy at the National Security Council from 2011 to 2015.
Suddenly, senior officials, some of whom might not know a thing about computers, had to think seriously about cybersecurity. “I think it is on the top of the agenda for federal agency heads the same way it’s on the top of the agenda for CEOs in the private sector,” Knake said.
The CSIP is the government’s attempt to turn that attention into action, to convert anxiety about identity theft and network security into badly needed reform. “This puts some emphasis on it that [it] really, really needs,” said Howard Schmidt, who served as President Barack Obama’s cybersecurity coordinator from 2009 to 2012. “No matter what goes on around the government, keeping focused on this has got to be a priority.”
But momentum eventually fades, and with a new focus on terrorism after the Paris attacks, cybersecurity could soon recede from the headlines. The OPM hack, said Dave Weinstein, New Jersey’s first cybersecurity adviser, “has spurred a change within the [White House]; the question is whether it will translate into change within each department and agency.”
The cybersecurity strategy earned some praise for its focus on protecting networks and detecting unauthorized access instead of promoting “cyber hygiene,” a basic set of best practices for the use of networked computers.
“The 60-day sprint did nothing to address that,” Knake said of protection and detection. “This plan actually would.”
Knake described the plan as “the federal government eating its own dogfood,” because of its reliance on standards that President Obama ordered the National Institute of Standards and Technology to develop in 2013.
“They essentially took the NIST cybersecurity framework and went through it section-by-section and came up with a plan that aligns to it,” Knake said. “The emphasis on identifying the most critical systems and protecting those systems, versus cyber hygiene writ large, is a huge step. The second piece that’s huge is the focus on detection and pursuit of adversaries—saying, ‘We’ve got to find where we have adversaries in our networks and get them out.’”
While the plan lays out several specific proposals that won praise from experts, it still leaves many key questions unanswered.
The problem with patching
The plan calls for agencies to patch critical software vulnerabilities in their systems immediately or, when no patch yet exists, within 30 days of one becoming available. Knake said that such rapid and universal patch deployment was unrealistic. “That’s a reality of IT systems,” he said. “Older purpose-built systems that may have commercial code embedded in them can often be really, really hard to update. Sometimes it’s not even possible to [update them]. That’s why certain vulnerabilities persist so long, both in the federal government and in commercial applications.”
“I think you need to look at cybersecurity right now—for any enterprise, federal or otherwise—as a five-to-ten-year effort,” Knake added, “to move from simply investing in IT security products to investing in secure IT products.”
As with other components of the CSIP—and most of Obama’s other plans—the process of patching the federal government’s computer flaws will stretch far beyond the current president’s time in the White House, which ends in just 13 months. Implementation will not only depend on his appointees and their whims, but on those of the next commander-in-chief and likely the one after him or her.
Failure to authenticate
When OMB announced the CSIP, it trumpeted a significant increase during the 60-day sprint in the percentage of federal employees using two-factor authentication, a login method that requires both something the user knows (a password or PIN) and something the user has, such as a smart card or a device that generates one-time codes. Given how many intrusions begin with attackers using stolen but legitimate login credentials, two-factor authentication, which means a stolen password alone no longer opens a remote login, plays a major role in both government and private-sector cybersecurity.
The federal government’s main two-factor solution relies on personal identity verification (PIV) cards, smart cards that must be inserted into a reader and unlocked with a PIN. OMB declared in the CSIP that PIV card use at civilian agencies—the Pentagon runs its own two-factor device program—jumped from 42 percent to 72 percent. Among “privileged users”—employees with administrator privileges on computer networks—the rate rose from 33 percent to “nearly 75 percent.”
On the surface, it would seem impressive that OMB managed to boost the overall number to 72 percent during the cyber sprint. But Schmidt, who co-founded a cybersecurity consulting firm after leaving the White House, pointed out that OMB never explained in the CSIP what it considered “use” of the PIV cards.
“Do employees have the option of using it or not using it?” he asked. “Because when they have an option, they go the easiest way.”
Schmidt recalled a lesson he learned while serving as chief security officer at Microsoft, where he co-founded the company’s Trustworthy Computing Group. “We got hacked and went into a program of strong authentication all the way down the board,” he said. “You didn’t get the option of saying, ‘Well, you can use it if you want to.’”
“You do it as a [whole] corporation,” he said of the approach favored by many large businesses, “whereas, you know, the government has used a situation where I’m going to send it out, and some choose to do it; some are bigger agencies, they decide to wait.”
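To make concrete both the two-factor mechanism described above and Schmidt’s point about optional versus mandatory second factors, here is an added illustration in Python. It is not code from the CSIP, OMB, or any agency system. Agencies’ PIV cards are smart cards; this demo instead uses a TOTP code generator (RFC 6238), the kind of device the definition above mentions, as the “something you have” factor. The in-memory user store, the `enforce_second_factor` switch, the user “alice,” the password, the demo seed, and the fixed clock are all constructed for the example.

```python
"""Minimal two-factor login check: password plus a TOTP code (RFC 6238).

Added illustration; not code from the CSIP or any agency system. The user
store, the enforce_second_factor switch and the sample credentials are
constructed for the demo.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30  # seconds per code window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // TOTP_STEP, digits)


class UserStore:
    """In-memory credential store for the demo (constructed; not a real directory)."""

    def __init__(self, enforce_second_factor: bool = True):
        # When False the second factor is optional: the "use it if you want"
        # deployment Schmidt warns about. A stolen password alone then still logs in.
        self.enforce_second_factor = enforce_second_factor
        self._users = {}

    def add_user(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "totp_secret": totp_secret,
            "last_counter": -1,  # highest TOTP window already accepted (replay guard)
        }

    def login(self, username: str, password: str, code: Optional[str] = None,
              now: Optional[int] = None, window: int = 1) -> str:
        """Return 'ok' or a reason string. The password is checked first, and an
        unknown user gets the same answer (and the same cost) as a wrong password."""
        now = int(time.time()) if now is None else now
        rec = self._users.get(username)
        if rec is None:
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
            return "bad-password"
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, rec["pw_hash"]):
            return "bad-password"
        if code is None:
            return "second-factor-required" if self.enforce_second_factor else "ok"
        counter = now // TOTP_STEP
        # Accept the current window plus 'window' steps either side for clock drift,
        # but never a window that has already been used once (blocks replay).
        for drift in range(-window, window + 1):
            c = counter + drift
            if c <= rec["last_counter"]:
                continue
            if hmac.compare_digest(hotp(rec["totp_secret"], c), code):
                rec["last_counter"] = c
                return "ok"
        return "bad-code"


def demo() -> dict:
    """Run the scenarios on constructed sample data and return the outcomes."""
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")  # demo TOTP seed, not a real credential
    password = "correct horse battery staple"      # constructed demo password
    t = 1_700_000_000                              # fixed clock so the run is reproducible

    strict = UserStore(enforce_second_factor=True)
    strict.add_user("alice", password, secret)
    lax = UserStore(enforce_second_factor=False)
    lax.add_user("alice", password, secret)

    good_code = totp(secret, t)
    return {
        "stolen password, 2FA enforced": strict.login("alice", password, now=t),
        "stolen password, 2FA optional": lax.login("alice", password, now=t),
        "password + current code": strict.login("alice", password, good_code, now=t),
        "same code replayed": strict.login("alice", password, good_code, now=t),
        "stale code five minutes later": strict.login("alice", password, good_code, now=t + 300),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:32} -> {result}")
```

The first two scenarios are the whole of Schmidt’s point: with the same stolen password, the store that enforces the second factor refuses the login, while the store that merely offers it lets the attacker straight in. The replay and stale-code cases show why a code captured once is of little use to an attacker, which is what makes the factor worth mandating.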
OMB’s interest in two-factor authentication isn’t new. Karen Evans, the federal government’s chief information officer (CIO) from 2003 to 2009, made it a priority in the Bush administration. “There was a lot of emphasis put on [two-factor authentication],” said Schmidt, who left the administration in 2003. But Evans’ plan ran into opposition from federal departments that saw it as relatively low-priority—especially compared to the critical work they were doing maintaining the nation’s infrastructure.
“It was people saying, ‘Well, we can’t take down some part of [the Department of] Transportation, so we’ll put it on our list to get to it and we’ll try when we can,’” Schmidt said. “When I got to the White House in 2009, 2010, it was like, okay, well, let’s go over there with them. Well, it was deferred, the budget wasn’t there, and everything else.” The government needed to keep humming along. Who were these cybersecurity advisers to tell the managers of federal roads and railways what their priorities ought to be?
Getting buy-in from cabinet secretaries and mid-level managers will prove to be essential to the success of the CSIP, Schmidt said. He recalled repeated instances of agency leaders not making cybersecurity improvements a priority: “All the problems that [the Department of] Energy had, month after month, week after week—it’s like, ‘Yep, we’re working on it, but we’ve got to keep the energy running.’”
“It’s almost like you fix what you can fix now and try to catch up with it later on,” he said.
Even if the buy-in is there, the technology will need to be there, too. This is especially important when it comes to fundamental processes like login methods. If the computers don’t give employees what they need, nothing else matters.
One time while Schmidt was at the White House, John Brennan, then the president’s homeland security adviser and now the director of the CIA, tried to log into a computer in the personnel office using the two-factor system. Brennan was a believer in Schmidt’s work; Schmidt called him “my biggest supporter in the West Wing.” But the personnel office was no White House Situation Room. Brennan couldn’t log into the computer.
“Here’s a man as busy as they can get, he goes over to Personnel and tries to get [into the system], and the machine’s broken so many times,” Schmidt said. “It’s just ridiculous.”
For the CSIP to bring about real change, that kind of computer foul-up must be avoided. If anyone needs reliable technology, it’s the most influential employees in the most powerful government building in the world.
The cyber talent gap
On a political level, the CSIP can’t advance without buy-in from senior officials like Brennan. On a technical level, it can’t advance without competent computer-security professionals executing its functions in low- and mid-level positions across the federal workforce. But the government is struggling to recruit cybersecurity workers, and that could hamper the success of some of the plan’s technical goals.
“There, simply put, are not enough professionals in this field,” said Knake, “and for whatever reason, despite higher and higher salaries, it’s not attracting new talent at the collegiate level or in the post-collegiate job market. People are simply not drawn to the field. That’s the same challenge in the public sector [as] in the private sector.”
The popular refrain is that the private sector is hiring away these professionals by promising them more money. Knake said it wasn’t as simple as that. He conceded that “government has some disadvantages on pay,” but he called those disadvantages “somewhat overstated.” He pointed out that businesses track their spending closely and won’t pay more than they need to in order to attract talent. “Banks and other companies do not necessarily pay gobs and gobs more money than the federal government does.”
If the government wants to bring in enough cyber talent to meet its CSIP goals, Knake said, it should tout its unique work environment. “The federal government has some things that the private sector doesn’t,” he said. “It’s that appeal to patriotism, and it’s the kind of jobs and the kind of roles that you can only have in the government.” You can repel a cyberattack at Microsoft, but—at least for now—you can’t respond with a cyberattack of your own.
It’s not just about the mission. It’s also about the work culture. “If there’s one area to experiment with new public sector hiring practices, it is cybersecurity,” said Weinstein. “Since government can’t compete with private sector salaries, they should look to changing the culture of government to mimic that of tech companies.”
Under President Obama, the federal government has recruited experts from top Silicon Valley companies and built a “stealth startup” of techies in Washington, where they are modernizing how citizens interact with their government. These experts cycle in and out, taking considerable pay cuts to do short stints in the public sector before returning to California with new experience and connections. Knake said that this approach, already popular at some agencies like the FBI, was “how we’re likely to address [the cyber talent] gap.”
“The federal government,” he said, “will provide training and will teach people who do not necessarily have cybersecurity skills coming into roles—will give them those skills and make them viable in the job market after they’ve completed a term of service or an initial assignment in government.”
Show me the money
If there’s one big problem with the CSIP, it’s what the plan leaves out: Congress. “This is a fairly ambitious strategy,” said Knake. “It will take billions to actually implement. Federal agencies have been under-resourced for IT modernization in general and IT security specifically.”
“Unless Congress comes to the table and recognizes the need to actually increase funding significantly in these areas,” he said, “it’s going to be really hard for OMB and federal agencies to implement this plan.”
One of the key areas in need of funding is system modernization. Many government computer systems are simply too old to accommodate new security tools like two-factor authentication. “Modernizing systems that are built with security in mind is the key piece that we need to look at,” he said, “and Congress really needs to look at an IT-modernization effort writ large across the government.”
But the Republican Party controls Congress, and conservatives control the Republican Party. The prospect of significant new spending, even for efforts that could be labeled “national security,” seems remote. Republicans would instead propose cuts to other programs to offset new cyber spending, and most Democrats would refuse to vote for such an arrangement.
So perhaps holding one’s breath for a government-wide computer upgrade isn’t wise.
Three words: Implementation, implementation, implementation
Proposing sweeping change is one thing. Executing on it is another. It’s always hard to predict the implementation phase of a major federal program—see “Act, Affordable Care”—but cybersecurity experts identified causes for both optimism and concern in the way the cyber plan is expected to move forward.
Knake praised OMB’s decision to rely heavily on the CIO Council, the group of several dozen IT leaders from agencies and departments, in drafting the plan. “Because of the way they went about developing this process—the inclusive nature of it, how it’s benchmarked to things like the NIST cybersecurity framework—they’ve already got a large field of buy-in from federal agencies,” he said.
But Weinstein said that there was not yet a clear “incentive structure” rewarding compliance and punishing procrastination and failure. “The planning is occurring in a relatively centralized manner,” he said, “but implementation will be highly federated and decentralized.” That decentralization doomed the first version of healthcare.gov, the federal health-insurance marketplace, which was built without a project “quarterback” overseeing each subtask. There is no federal Chief Information Security Officer (CISO), and the CSIP does not create that post, an omission that Weinstein called a mistake.
Even if everyone is committed to the job, that doesn’t mean they will be able to overcome decades of bureaucratic inertia to change how their agencies treat cybersecurity. The federal government is like an aircraft carrier; it turns only slowly. “I had a saying all the time [that] I used to use,” Schmidt said, “that the government works at government speed, [and the] private sector works at Internet speed. And it’s true today.” It’s perhaps even more true now than when Schmidt left the White House two years ago.
What is clear is that the OPM hack—and the president’s dismissal of his OPM chief, Katherine Archuleta, in the face of bipartisan criticism—changed how senior officials thought about cybersecurity. Their new focus on the issue translated into stronger backing for their information-security managers, who Knake said “certainly have more support from their leadership post-OPM incident.”
“Now I think they’re just really looking for a clear direction, which they have [from the CSIP],” Knake added. “The only remaining piece is, will they get the funding they need to actually carry out this plan?”
“Overall, the CSIP is a sound plan,” Weinstein said. “But the implementation strategy will be key.”
Illustration by Max Fleishman