Tony Scott, the US Federal CIO, addressed the Billington CyberSecurity Summit with the aim of outlining what he sees at the path forward with respect to information technology for the United States Government. In doing so he paid particular attention to the implications of that path for cyber security.
Scott explained that three "paradigms" must change if the country is to advance its cyber security. Those paradigms involve technology, organization, and funding.
"We're still putting components together in the same way we have for at least twenty-five years," Scott observed. The architecture we use, and many of the components we fit into it were designed before we faced the threats we do today. Thus security wasn't designed in, and we're in the position of "air-bagging and bubble-wrapping" old technology. In particular, he sees the poverty of legacy components with respect to artificial intelligence (he said, strongly, but in an off-hand way, that the old technology wasn't "self-aware") and intercommunication. We've pursued technological improvements in "horsepower and maximum interoperability," and he thought we'd largely succeeded in advancing down those lines. But "we haven't asked if we should interoperate."
As far as the second, organizational paradigm is concerned, Scott argued that we've decided to structure our IT in accordance with our organization charts. "Ninety-nine percent of what we do mirrors the Federal organization charts. That just doesn't make sense anymore." Instead we should, he argued, question the mission of IT in any agency. The agency should focus on its core mission. Not every agency needs to, nor should it, focus on the "bricks and mortar" of IT.
Finally, Scott argued that the way we fund IT needs to change. As it is now, funding is usually sufficient to "keep an agency's IT on life support," but rarely does it enable modernization and upgrading. This he sees as a significant failing. It costs, he said, five or six times as much to keep old, legacy systems—many of them at or beyond the end of their lifecycle—online and functioning. In the next three years he sees $7.5 billion in hardware alone reaching the end of its life. That's hardware only, not software, which itself represents a tremendous aging problem. And it doesn't include the legacy systems that have already hit end-of-life. He sees hope in a bipartisan movement in Congress toward funding a continuous upgrade cycle, because "We don't want just a lift and shift. We want a modern architecture."
Changing course for the way forward
Scott argued that these three paradigms must change, and that there are sound security and economic grounds for moving beyond them. What we spend protecting old systems would be much better applied toward newer, more capable, more secure successors.
To a question about the security of the IT supply chain, Scott replied that supply chain risk was very much on the minds of people in Government. What he called "meaningful actors" see all manner of ways of inserting themselves into the supply chain, and that his office is engaging NIST to look for ways of improving the security of IT logistics.
In response to questions about strategy and workforce development, Scott said that he was seeing an increasing focus on core cyber security personnel. But he hoped to "widen the lens," and bring in others from different disciplines (he mentioned economists, behavioral and social scientists, and marketers) who "get cyber" and are in a position to contribute to the security of our systems and networks.