As the administration “sprints” to close gaps in federal cybersecurity and Congress rushes to judgment on breaches of federal personnel data, the real problem is a lack of accountability and responsibility in both the executive and legislation branches.
In the wake of potentially devastating breaches of government personnel records, the White House has launched what it calls a “30-day Cybersecurity Sprint” to close gaps in government cybersecurity. In the legislative branch, congressmen expressed outrage at the exposure of millions of records at the Office of Personnel Management (OPM).
Both responses are disappointing. There is plenty of blame to go around for the long history of security lapses in government information systems.
Despite the growing awareness of cybersecurity issues, there has been a lack of accountability and responsibility for cybersecurity, in both the legislative and executive branches. There have been few consequences for IT breaches among agency officials, and Congress has failed almost completely in its oversight responsibilities. Lip service is paid to cybersecurity and there is plenty of outrage after the fact, but legislators continue to focus on politics and ignore real problems. With our government in gridlock, it is no wonder that our information systems are providing easy pickings for foreign nations and criminals.
The White House’s Cybersecurity Sprint is a product of this lack of focus. Agencies now are being required to:
- Deploy threat indicators from DHS to help identify malicious activity
- Patch critical vulnerabilities without delay
- Tighten access by privileged users
- Speed up use of multi-factor authentication
Agencies are to report to OMB and DHS on each of these efforts within 30 days.
These are all best practices that should have been done years ago, not rushed in an impractical 30-day program. The Personal Identity Verification (PIV) Card was mandated in 2004 for physical and logical access control; but 11 years later, with millions of cards issued, they still are not routinely used as a second authentication factor on IT systems. Patching critical vulnerabilities? That has been an issue for years.
Nowhere in the announcement does Federal CIO Tony Scott ask why these things are not already being done. It is not because no one cares. It is because cybersecurity never has been a high priority in agencies. And Congress sets priorities with its budgets. It is hard to hold people responsible for a job when Congress refuses to give them the tools they need.
Members of the House Oversight and Government Reform Committee were shocked—shocked!—to find that OPM for years has fallen short on cybersecurity, and they produced IG reports to document it. But they don’t seem to have read the reports. One of the most recent, for fiscal 2013, expressed concerns that efforts to improve cybersecurity at OPM had stalled “due to resource limitations.”
The IG reported that OPM had information system security officers assigned to only 17 of 47 information systems. There are plans to hire more, “but this plan continues to be hindered by budget restrictions.”
Whose fault is that? That lies squarely at Congress’s door.
Federal officials need to be held responsible for maintaining the basics of cybersecurity on a daily basis under a coherent governmentwide plan. But this cannot be done until Congress does its job, which it has for years refused to do.
It is hard to feel much sympathy for OPM Director Katherine Archuleta or her CIO Donna K. Seymour. But until they are given the resources they need to do their jobs, the outrage expressed by congressmen is just so much hot air.