US government performs 30-day cyber sweep of its own systems

Time up for 30-day ‘cyber sprint’ on US agencies’ critical security measures ordered by US Chief Information Officer Tony Scott, results to be shared by July 20

Photo by: Reuters
Photo by: Reuters

Updated Jul 28, 2015

The federal government could find more cyber intrusions as it takes a close look at its sprawling and sometimes creaky systems in the wake of massive hacks, the nation's chief information officer told Reuters.

"I think it's a realistic chance, and I think this is true no matter where you go. It's not unique to the federal government," said Tony Scott, who spent 35 years in the private sector running systems at companies such as Microsoft Corp, Walt Disney Co and General Motors Co.

Scott was named as the federal CIO in February and knew from the start that stepping up cyber defenses would be a focus.

But the hacks at the federal hiring office that scooped up the sensitive data of 22 million Americans have given his mission new momentum, Scott said in an interview in his office, where golden Mickey Mouse ears from his time at Disney and other corporate memorabilia line his shelves.

The hacks have created a political firestorm and led on Friday to the resignation of the chief of the Office of Personnel Management as Americans questioned the security of government-housed data.

Scott began reviewing the status of cyber security at government agencies early in his tenure. Some were making progress, but overall, the government needed to step up the pace, he said.

The hacks at the Office of Personnel Management lit a fire under that process, he said. A month ago, after an initial intrusion was first confirmed, Scott ordered agencies to take a series of steps in a 30-day "cyber sprint" on critical security measures.

He told them to cut the number of "privileged users" that have extra administrative access to systems, require "two-factor authentication" to add an extra layer of security for passwords of those privileged users, and patch critical vulnerabilities in network operating systems.

"We said, 'Run hard for the next 30 days and get big progress on these things. No excuses, just get it done,'" Scott said.

Those 30 days are now up, and by July 20, Scott plans to publicly share the results showing which agencies achieved the goal.

"Some will get there, and some won't," he said, noting that some details will be withheld in order not to give hackers a roadmap to ongoing vulnerabilities in the government's databases.

"There's probably no CIO in any federal agency now who wants to be the bottom of the list," he said.

In September, his office will deliver broader recommendations from the review on policy, procurement and technology, some that can be knocked off quickly, and some that could need Congressional approval.

"Shame on us if we don't also take advantage of this time to come forward comprehensively and say, 'We need to make these other changes as well,'" Scott said.

The government may need to invest in tools that go beyond trying to prevent hacks, and more quickly detect and contain threats, and repair any damage, he said.

Scott's office includes a team of private sector tech experts created after the botched launch of the website - professionals who he said are being deployed "surgically" in agencies to help modernize computer systems.

But with more scrutiny and more tools comes more insight into problems that may have previously been overlooked, and hackers keep developing new sophisticated ways to threaten systems.

"There's two kinds of CIOs: ones who have been hacked and know it, and those who have been hacked and don't yet realize it. But the reality is, you've been hacked," he said.