"I think it's a realistic chance, and I think this is true no matter
where you go. It's not unique to the federal government," said Tony
Scott, who spent 35 years in the private sector running systems at
companies such as Microsoft Corp, Walt Disney Co and General Motors
Co.
Scott was named as the federal CIO in February and knew from the
start that stepping up cyber defenses would be a focus.
But the hacks at the federal hiring office that scooped up the
sensitive data of 22 million Americans have given his mission new
momentum, Scott said in an interview in his office, where golden
Mickey Mouse ears from his time at Disney and other corporate
memorabilia line his shelves.
The hacks have created a political firestorm and led on Friday to
the resignation of the chief of the Office of Personnel Management
as Americans questioned the security of government-housed data.
Scott began reviewing the status of cyber security at government
agencies early in his tenure. Some were making progress, but
overall, the government needed to step up the pace, he said.
The hacks at the Office of Personnel Management lit a fire under
that process, he said. A month ago, after an initial intrusion was
first confirmed, Scott ordered agencies to take a series of steps in
a 30-day "cyber sprint" on critical security measures.
He told them to cut the number of "privileged users" that have extra
administrative access to systems, require "two-factor
authentication" to add an extra layer of security for passwords of
those privileged users, and patch critical vulnerabilities in
network operating systems.
"We said, 'Run hard for the next 30 days and get big progress on
these things. No excuses, just get it done,'" Scott said.
Those 30 days are now up, and by July 20, Scott plans to publicly
share the results showing which agencies achieved the goal.
[to top of second column] |
"Some will get there, and some won't," he said, noting that some
details will be withheld in order not to give hackers a roadmap to
ongoing vulnerabilities in the government's databases.
"There's probably no CIO in any federal agency now who wants to be
the bottom of the list," he said.
In September, his office will deliver broader recommendations from
the review on policy, procurement and technology, some that can be
knocked off quickly, and some that could need Congressional
approval.
"Shame on us if we don't also take advantage of this time to come
forward comprehensively and say, 'We need to make these other
changes as well,'" Scott said.
The government may need to invest in tools that go beyond trying to
prevent hacks, and more quickly detect and contain threats, and
repair any damage, he said.
Scott's office includes a team of private sector tech experts
created after the botched launch of the healthcare.gov website -
professionals who he said are being deployed "surgically" in
agencies to help modernize computer systems.
But with more scrutiny and more tools comes more insight into
problems that may have previously been overlooked, and hackers keep
developing new sophisticated ways to threaten systems.
"There's two kinds of CIOs: ones who have been hacked and know it,
and those who have been hacked and don't yet realize it. But the
reality is, you've been hacked," he said.
(Reporting by Roberta Rampton)
[© 2015 Thomson Reuters. All rights
reserved.] Copyright 2015 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
|