Federal cyber leadership should be bipartisan
Imagine: @realDonaldTrump has been hacked and the latest missive from the president’s Twitter account announces imminent airstrikes on Genovia. Foreign militaries scramble, and the potential for an accidental escalation of conflict is suddenly very real.
This has not happened, and hopefully it never will, but it does demonstrate the precarious position seemingly innocuous technology occupies in our national security infrastructure.
Many federal information technology (IT) systems are similarly on the hook for the safety and security of 320 million Americans, and, unfortunately, we are not doing everything we can to secure these systems. However, there are simple steps we can take to ensure cybersecurity does not remain the soft underbelly of U.S. national security.
The first step is to reverse a dangerous lack of investment in federal information technology systems. The second is to fill leadership positions in the form of presidentially nominated and Senate-confirmed appointees who have the vision to address cybersecurity threats. And the third is to ensure we have a qualified and dedicated workforce to help upgrade outdated federal information technology infrastructure, help protect critical infrastructure and thwart cyberattacks that could lead to the theft of personal information and intellectual property.
The security of federal networks also depends on these people — and this administration and Congress must immediately cease their attacks on federal employees, which only make it harder to recruit, hire and retain the cybersecurity talent our country needs.
To understand what is at stake, consider two cybersecurity vignettes — the first regarding national security and the second hinting at the potential economic harm that can result from a cyberattack on federal IT systems.
Nearly everyone, save for President Trump, recognizes that the Russian government directed a sustained and coordinated attack on our electoral system during the 2016 election. It is hard to imagine a more fundamental threat to the security of our Republic than foreign adversaries undermining and potentially upending the public’s faith in our most basic democratic exercise — free and fair elections.
Every day, bad actors attempt to breach the federal networks that hold sensitive information. U.S. Food and Drug Administration (FDA) servers contain at any point in time some portion of the proprietary information that spurs $333 billion in pharmaceutical sales in the U.S. each year — a potential bonanza for hackers lies just beyond a government firewall.
While federal agencies and their employees do their best to thwart cyber intrusions, they are hampered by old information technology systems that make their jobs harder and the job of cybercriminals easier. Legacy IT systems, some dating back to the Johnson administration, make protecting federal networks difficult because they are hard to encrypt and are expensive to maintain. At the Internal Revenue Service (IRS), which has the sensitive information of every taxpaying individual and company, the systems that are critical to collecting more than $3 trillion in taxes are some of the federal government’s oldest systems. Because of this, the IRS spends about 70 percent of its $2.7 billion annual IT budget on its operational or legacy systems. Yet, the IRS is unable to upgrade its IT systems in part because of the severe and drastic budget cuts that have been enacted since 2010. The current IRS budget is almost 20 percent less than the FY2010 funding level when adjusted for inflation, and the IRS continues to face additional proposed cuts amid heightened demand for its services and additional unfunded mandates such as enacting provisions of the recently passed tax bill.
The issues facing the IRS are not unique to the agency. Across the government, departments like Veterans Affairs and the Department of Defense face the same problems. Congress has done its part to help agencies with this problem by passing the Federal Information Technology Acquisition and Reform Act (FITARA) and the Modernizing Government Technology (MGT) Act to provide agencies with the foundation to make better IT acquisition investments and the money to upgrade their IT infrastructure.
The challenges agencies face to modernize their IT infrastructure and take a 21st century approach to cybersecurity are compounded by a lack of focus from this administration. Although the administration issued a cybersecurity executive order in May and recently released a National Security Strategy, there have been little-to-no specifics on what actions this administration will take to address cybersecurity threats.
This is a crisis that demands more than just white papers. It requires sustained leadership and attention, which is sorely lacking throughout the government. Over a year into this administration, the president still has not named a Federal Chief Information Officer to guide agencies in upgrading outdated information technology infrastructure, which leaves federal networks vulnerable to attacks. The Federal Chief Information Security Officer (CISO) position has also been left vacant, filled in an acting capacity by the Deputy CISO who has taken on a third role as a senior director for cybersecurity for the National Security Council.
Governmentwide, positions that are critical to implementing any cybersecurity strategy are going unfilled. The president has not nominated a candidate for Undersecretary for the Department of Homeland Security’s National Protection and Programs Directorate, which is charged with coordinating efforts to protect the country’s critical infrastructure and enhancing the security of our cyber and communications infrastructure. The Department of Veterans Affairs, where the IT systems have been designated by the VA inspector general as a material weakness for 18 years, is also waiting for a nominee to fill the position of Assistant Secretary for Information Technology. Critical positions at the Department of Defense, including the Principal Deputy Undersecretary for Acquisition, Technology, and Logistics, and the Chief Information Officer, are filled with acting officials while they wait for the president to name permanent leaders.
At the same time, this administration and the majority in Congress are taking actions that make it difficult to compete with the private sector in recruiting and retaining skilled cybersecurity and IT professionals. In his first budget proposal, the president took a meat cleaver to federal employees’ retirement benefits. In Congress, the House of Representatives passed legislation to increase the probationary period for federal employees from one year to two years. Many seeking to enter public service understand that the government cannot pay as much as the private sector, but reducing retirement benefits while increasing trial periods for a highly sought-after workforce is counterproductive and only makes the federal government more vulnerable to malicious cyber-enabled activities.
The good news is that there is a road map, and it can be bipartisan. In Congress, we have found incredible success putting aside partisan differences, rolling up our sleeves and delivering solutions to the most vexing challenges facing federal IT. If this administration gets serious, it can join the fight and ensure the men and women on the front line fending off cyberattacks have the skills and resources they need to safeguard our national security.