You may not have heard of Tony Scott, but that may change next week.
Over the past 16 years, he served as the chief information officer (CIO) for both Microsoft and Walt Disney, and from 1999-2005 he was the chief technology officer of information systems and services at General Motors Corporation. He was recruited to become the CIO of the U.S. back in February to stop our nation’s cyber-bleeding, specifically at federal agencies like the Office of Personnel Management, which suffered a monumental breach, the full ramifications of which are still unknown.
In an interview with Federal Times, Scott described our nation’s antiquated data security practices in stark terms.
“Most of the systems, most of the technology you and I use every day was designed and architected in the 1970s or 1990s,” he said, noting even newer systems are built on the same framework. “It’s kind of like trying to put airbags on a ’65 Mustang — it just wasn’t designed for security, wasn’t designed for safety.”
In an effort to jump-start a thorough review of federal systems and hopefully get people thinking, working and most importantly taking the necessary actions to close loopholes, Scott called for something he called a “30-Day Cybersecurity Sprint,” which started on June 12. Federal agencies have to report how they did on Monday, and according to Scott, not every agency will pass muster. “Some will get there, and some won’t,” he told Reuters.
The list of tasks Scott set for the federal agencies he oversees was impressive:
- Immediately deploy indicators provided by the Department of Homeland Security regarding priority threat-actor techniques, tactics and procedures to scan systems and check logs. Agencies shall inform DHS immediately of any signs of malicious cyber activity.
- Patch critical vulnerabilities without delay. The vast majority of cyber intrusions exploit well known vulnerabilities that are easy to identify and correct. Agencies must take immediate action on the DHS Vulnerability Scan Reports they receive each week and report to the Office of Management and Budget and DHS on progress and challenges within 30 days.
- Tighten policies and practices for privileged users. To the greatest extent possible, agencies should: minimize the number of privileged users; limit functions that can be performed when using privileged accounts; limit the duration that privileged users can be logged in; limit the privileged functions that can be performed using remote access; and ensure that privileged user activities are logged and that such logs are reviewed regularly. Agencies must report to OMB and DHS on progress and challenges within 30 days.
- Dramatically accelerate implementation of multi-factor authentication, especially for privileged users. Intruders can easily steal or guess usernames/passwords and use them to gain access to Federal networks, systems and data. Requiring the utilization of a Personal Identity Verification (PIV) card or alternative form of multi-factor authentication can significantly reduce the risk of adversaries penetrating Federal networks and systems. Agencies must report to OMB and DHS on progress and challenges within 30 days.
How Did It Come to This?
It would be an understatement to say that we need to get a better handle on the state of federal cybersecurity in the wake of the mother of all data breaches, the depth and breadth of which continues to unfold over at the Office of Personnel Management. For instance, the agency just revealed that 1.1 million fingerprint records were among the purloined files—that is in addition to the sensitive personal, financial and medical records already reported.
“The government may need to invest in tools that go beyond trying to prevent hacks, and more quickly detect and contain threats, and repair any damage,” Scott also told Reuters.
You think? If my tone seems a little arch, consider the millions of unnecessarily compromised records that got us to this important milestone in the evolution of best data security and privacy practices. It’s simply dumbfounding. There are way more than a billion records “out there.” Scott’s proposed protocols are welcome rain, but we are nonetheless lost in the desert of a very real and very pitched crisis, and nothing will ever un-compromise the records that have been stolen to date.
Our agencies have been defending against tens of thousands of persistent attacks for more than a decade. We have seen intrusions at many federal agencies. Yet it took us this long to initiate a 30-Day Cybersecurity Sprint to do what everyone in the data and privacy business has been screaming for since 2005.
A Sprint or a Marathon?
While I understand the metaphor of a sprint here, we are engaged in a test more like that first 26.2-mile foot race run by Pheidippides from Marathon to Athens to announce the defeat of the invading Persians (for the record, he died soon after). The only difference: we have not defeated our invaders.
The cyber war we’re currently losing could have devastating consequences for our nation, and the rest of the world. We need all the firepower we can get. We need a thoughtful plan carried out by brilliant minds. Perhaps that is Tony Scott’s plan. But we need a culture that puts security first and inculcates everything and everyone from the cleaning crew to the Secretary of every department. Again, that seems to be Scott’s intention, and if so, we are heading in the right direction. We need to protect our people.
As it stands, there is no salve to soothe the millions of people who never signed on to work for the government but who married or live with someone who does, and are now angry and scared. What do we say to the thousands of undercover operatives who risk their lives every day in service to this nation when everything about them, including their personal issues, medical records, even their fingerprints, are now potentially exposed to foreign intelligence operatives and/or will be for sale on the black market to the highest bidder? For them, this is too little too late. The only hope now is to make this a part of ancient history—like that race to Athens.