White House $19B Cyber-Security Plan Has Little Chance of Success

NEWS ANALYSIS: There's general agreement that the Obama administration Cyber-Security proposal is a good idea, but there are many roadblocks to its implementation.

Cyber-Security Plan 2

The announcement by the Obama administration that it would request a cyber-security budget increase of about 30 percent to $19 billion in Fiscal Year 2017 reflects a long-unfilled need in responsible management of the U.S. government's information technology infrastructure.

A fact sheet released by the White House outlined a Cybersecurity National Action Plan, known as CNAP in the acronym-loving federal bureaucracy, aimed at improving the level of privacy and security for government agencies and everyone else.

The CNAP lists some lofty goals, but it also recognizes that there are some challenges in changing the current state of government cyber-security. The $19 billion that the President plans to spend would be parceled out to modernize and update existing systems and to create new positions including a federal Chief Information Security Officer and a group of computer scientists called the CyberCorps Reserve.

To its credit, the White House proposal recognizes that much of the existing government infrastructure is incredibly outdated and part of the effort would be to replace those ancient systems with more modern systems that can actually be made secure.

But it doesn't seem to grasp just how massive such an effort would be. The fact is that there have been many such efforts to modernize federal IT, and they have failed if only because the job is so big it's beyond comprehension of mere mortals.

Perhaps more significantly, without major changes in the manner in which IT procurement is handled, the administration's plans are doomed from the beginning.

The problem, at least for starters, is that doing something as simple as upgrading a single computer system and its associated network is a process so time consuming that any system or performance specifications will be outdated before the government can sign the first procurement contract, awarded of course through competitive bids.

In a field as fast moving as data security, the specifications will be out of date before they can even be written. The only agencies that even have a chance of staying even with technology are those in which normal procurement rules don't apply.

For the rest of the government, by the time a request for information can be acted on, the questions in the RFI will be irrelevant. By the time an RFP goes out, it will be out of date, and by the time responses come back, the specified products will probably not be in production.

If you work in the private sector, you'll probably find this hard to believe, but in fact the procurement rules are strict with required time limits and durations before action can be taken. Those rules are codified into law and changing them literally requires an act of Congress.

If you try to cut corners and speed things up, you'll find yourself dragged into a series of lawsuits by losing vendors who loudly claim that whatever you did is wrong. This means that every action is open to second (and third) guessing. Thus few contract awards can be counted on to stick.

Add to this the problem with updating existing computer systems that are so far out of date that security wasn't even on the radar when they were designed.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...