The announcement by the Obama administration that it would request a cyber-security budget increase of about 30 percent to $19 billion in Fiscal Year 2017 reflects a long-unfilled need in responsible management of the U.S. government’s information technology infrastructure.
A fact sheet released by the White House outlined a Cybersecurity National Action Plan, known as CNAP in the acronym-loving federal bureaucracy, aimed at improving the level of privacy and security for government agencies and everyone else.
The CNAP lists some lofty goals, but it also recognizes that there are some challenges in changing the current state of government cyber-security. The $19 billion that the President plans to spend would be parceled out to modernize and update existing systems and to create new positions including a federal Chief Information Security Officer and a group of computer scientists called the CyberCorps Reserve.
To its credit, the White House proposal recognizes that much of the existing government infrastructure is incredibly outdated and part of the effort would be to replace those ancient systems with more modern systems that can actually be made secure.
But it doesn’t seem to grasp just how massive such an effort would be. The fact is that there have been many such efforts to modernize federal IT, and they have failed if only because the job is so big it’s beyond comprehension of mere mortals.
Perhaps more significantly, without major changes in the manner in which IT procurement is handled, the administration’s plans are doomed from the beginning.
The problem, at least for starters, is that doing something as simple as upgrading a single computer system and its associated network is a process so time consuming that any system or performance specifications will be outdated before the government can sign the first procurement contract, awarded of course through competitive bids.
In a field as fast moving as data security, the specifications will be out of date before they can even be written. The only agencies that even have a chance of staying even with technology are those in which normal procurement rules don’t apply.
For the rest of the government, by the time a request for information can be acted on, the questions in the RFI will be irrelevant. By the time an RFP goes out, it will be out of date, and by the time responses come back, the specified products will probably not be in production.
If you work in the private sector, you’ll probably find this hard to believe, but in fact the procurement rules are strict with required time limits and durations before action can be taken. Those rules are codified into law and changing them literally requires an act of Congress.
If you try to cut corners and speed things up, you’ll find yourself dragged into a series of lawsuits by losing vendors who loudly claim that whatever you did is wrong. This means that every action is open to second (and third) guessing. Thus few contract awards can be counted on to stick.
Add to this the problem with updating existing computer systems that are so far out of date that security wasn’t even on the radar when they were designed.
White House $19B Cyber-Security Plan Has Little Chance of Success
Those old, slow systems are also incompatible with other systems owned by the government which means that no single fix will work with anyone else or any other federal agency.
No single solution can be even used throughout a single agency and even custom development of security solutions is difficult when it’s possible at all.
And that’s just the beginning.
While naming a new federal CISO is a step in the right direction, it’s just a first step. Each of the departments in the Executive Branch has a different mandate, incompatible systems, different histories of implementation and different security requirements.
And that’s just one of the three branches of the federal government. While the CISO will likely hold dominion over the other security managers, this is not a situation in which one person can simply issue a mandate and expect it to happen.
Even getting a basic inventory of existing IT hardware and software in all of the departments and agencies is a multi-year undertaking. Not only do these organizations not know what they currently have in terms of infrastructure, they don’t have a way to find out. Even getting the tools to conduct an inventory will require a multi-year procurement action.
But supposed that somehow the initial challenges of implementing a change in the government’s IT systems were to become possible, then what?
Initially, nothing would happen. The new federal CISO is being appointed by a President with less than a year left to serve. Then, assuming the next president decides to have a CISO, a new one will be appointed. That person will have to start all over, and the process will then begin again. That $19 billion will have already been spent, perhaps with little to show for it in terms of comprehensive security improvements.
“It takes a lot more than just money to get started,” said Ray Rothrock, CEO of RedSeal, a security company that’s active in public policy. “I don’t think you can just sit down with a big chunk of money. It needs to be built over time.”
Rothrock pointed out that in some cases, procurement issues can be avoided. “There’s a lot of stuff that can be done without procurement of a new system,” he said. Included are studying the existing architecture and defining what an appropriate architecture should be. He said that it’s also important to define metrics so that it’s possible to know how the existing systems work and how well they accomplish that.
Part of the strategy is also knowing what to define as your desired outcome. “I hope that the business strategy is meant to achieve three things,” said Cylance CISO Malcolm Harkins. “Lowering of the risk, lowering the total cost of controls, lowering the control friction that can occur.” He said that the control friction means making sure that security measures don’t make it harder for employees to do their work.
But Harkins also noted that it’s critical for the new CISO to pay attention to the big picture. “You have to manage the outcome, not the risk,” he said.