Federal cybersecurity once again is on the Government Accountability Office’s list of high-risk government programs. It has been there for 20 years now, despite the fact that the previous administration got high marks for its commitment to improving cybersecurity. Given the scope of the challenges and the aggressive online adversaries we face, it is not likely to come off the list any time soon.
The biggest challenge agencies are facing in securing their systems? The GAO doesn’t rank them, but I believe it is the workforce. Not that there is anything wrong with the people doing the job now. There just aren’t enough of them. Technology, policy and budget are all necessary for effective cybersecurity, but it requires people to operate, implement and spend.
Efforts are being made to fill the labor pipeline and streamline government hiring. But even without wrongheaded policies such as a federal hiring freeze these will take years to bear fruit. In the meantime, private sector competition for skilled professionals will continue.
The GAO identifies programs that are vulnerable to fraud, waste, abuse and mismanagement, or that are ineffective, and reports on them to Congress every two years. There were 32 programs on the high-risk list in 2015. One of them, managing terrorism-related information, was removed from the 2017 list. But three new areas were added: management of programs serving tribes, government environmental liabilities, and the upcoming 2020 census.
Federal cybersecurity went on the high-risk list in 1997. This area was expanded to include critical infrastructure protection in 2003, and privacy of personally identifiable information (PII) was added in 2015. GAO has made about 2,500 recommendations to agencies in this area in the last 20 years, and “as of October 2016, about 1,000 of our information security–related recommendations had not been implemented.”
The problem is not that cybersecurity has been ignored. “Leadership at the White House and Department of Homeland Security demonstrated commitment to improving cybersecurity,” GAO says in its latest report. This was under the Obama administration, however. It remains to be seen what the commitment of the current administration will be. Initial indications, including a federal hiring freeze and an apparent plan to turn critical infrastructure protection over to the military, have not been promising.
Regardless of its commitment, however, government is limited in what it can do to improve the security of critical infrastructure in the private sector. Assistance programs at Homeland Security and sector-specific agencies such as the Energy Department are voluntary for industry. Without broad government regulatory authority for the security of designated critical infrastructure there is little government can require. And “regulation” now is a dirty word in Washington.
There are a variety of initiatives to improve federal cybersecurity and provide governmentwide resources for system monitoring and for intrusion detection and prevention. And the president’s proposed budget for fiscal 2017 included $19 billion for cybersecurity, a 35 percent increase over FY 2016. It also included funds for the Scholarship for Service program and to improve professional education and development.
These can help fill the labor pipeline, but it takes time to produce trained workers. And in the meantime, “according to [the Office of Management and Budget] and agency chief information security officers, the federal government suffered from a shortage of cybersecurity professionals due to persistent recruitment and retention challenges,” GAO found.
OMB issued the Federal Cybersecurity Workforce Strategy in 2016, identifying ways to help recruit and retain a federal cybersecurity workforce. These include guidance on the use of special hiring authorities to recruit cybersecurity professionals as well as directions to DHS for piloting a new hiring tool. But actually changing federal hiring processes can be like moving a mountain. And even effective reform will not eliminate the competition for talent from the private sector, which will remain attractive to many professionals.
None of this is to say that government cybersecurity has to be poor, and the High Risk designation does not mean it has failed. But even with all the help and good will that administrators and legislators can muster, federal cybersecurity is likely to remain a high-risk area for quite a while.