Can Tony Scott get it all done?
- By Adam Mazmanian
- Nov 24, 2015
U.S. CIO Tony Scott says he came from Silicon Valley to "help land the planes" at a time when there is plenty of air traffic in federal IT. (Photo by Robert Severi)
When U.S. CIO Tony Scott started making the rounds at Washington-area events in March, about six weeks after his appointment, he projected a calm, unruffled demeanor and showed a knack for staying on message with his metaphors.
He told audiences he had come to town from Silicon Valley to "help land the planes." As an experienced pilot, Scott said he knew that getting into the air was the easy part. And under President Barack Obama, whose administration formally created the U.S. CIO position, there was plenty of air traffic when it came to federal IT.
The 25-point IT management reform plan of the first CIO, Vivek Kundra, promised to have agencies moving IT operations to commercial cloud providers, put acquisition of commodity IT on an enterprisewide basis and monitor risky projects using a data-driven oversight process. Steven VanRoekel, the second U.S. CIO, pushed PortfolioStat and launched the U.S. Digital Service, an effort to embed forward-thinking design, acquisition and usability specialists inside agencies' IT organizations to transform and modernize how the government imagined IT. Congress had passed the Federal IT Acquisition Reform Act, and implementing the new law was going to be a big job, requiring a technology rethink across all levels of the federal government.
Scott -- a corporate CIO with experience leading IT organizations at VMware, Microsoft, Disney and General Motors -- did not come armed with a lengthy agenda like Kundra or speak management-guru like VanRoekel. He showed up at events without the protective screen of a confidential assistant or Office of Management and Budget press handlers. He was entirely believable in the role he cast for himself: a dedicated IT manager who came to Washington, despite the terrible weather and worse traffic, to help land the planes.
But not long after Scott started, the planes crashed.
The theft of personal information on 21.5 million federal employees and their families from the Office of Personnel Management, including the breach of the database of forms on employees seeking security clearances, was the most devastating cybersecurity event to strike the U.S. government to date. The infiltration, discovered in mid-April, upended Scott's plans for an orderly execution on existing policies and spurred a governmentwide "sprint" to tighten up cybersecurity, with a focus on two-factor authentication and the use of personal identity verification (PIV) cards.
Scott didn't exactly see the OPM hack coming, but he wasn't totally surprised either. In a recent interview with FCW at his office in the Eisenhower Executive Office Building, Scott said he knew going in that the vulnerability of federal systems needed to be addressed.
"When I first came on board, one of the things I had a strong sense of is cyber is one of the areas that we're going to have to double down and really pay a lot of attention to," he said. "You could look around you and see in the retail sector, in the banking sector, in the media and entertainment sector, to name a few, that there had already been a series of pretty eventful occurrences. To believe that the government was somehow immune from that was probably not credible."
He added that the OPM hack "put an exclamation mark on the work that I already thought we were probably going to need to do. At the end of the day, I don't think it changed things all that much, although there were a few weeks in there where obviously we got some extra work to do."
As part of a longer-term initiative to protect networks, Scott released the Cybersecurity Strategy and Implementation Plan for federal civilian agencies on Oct. 30. That document offers definitions for what constitutes a "major breach" and gives agencies a blueprint for responding. It is complemented by the 2016 Federal Information Security Modernization Act guidance and a long-awaited update to OMB's Circular A-130. Agencies are now required to identify "high-value assets" that need special protection, and CIOs are tasked with identifying systems that rely on older infrastructure and are due for modernization.
"Coming out of this sprint we asked people to look at your high-value assets," Scott said. "Then we asked [CIOs and chief information security officers] to make a risk-based assessment about whether things are adequately protected or not."
There is more antiquated technology in government than Scott would like to see, but he takes a realistic view about where modernization activity should be focused.
"I would love to see all Windows Server 2003 systems upgraded or replaced," he said. "But if they're not in a place where it's the highest priority threat or there's any threat at all, then I care a lot less about it."
Scott is also realistic in accepting that -- despite the best efforts of his team at OMB and IT shops across government -- federal systems will continue to be targeted.
"I don't care if you're the local 7-11 store or the U.S. federal government," he said. "The number of attacks is going up." At the same time, Scott stressed that feds are improving their batting average when it comes to deflecting attacks.
Agency IT leaders have generally given Scott high marks in return. "I think he's done a very good job -- especially when it comes to keeping important work moving in the face of so many potential distractions," Federal Communications Commission CIO David Bray said.
Scott has also put much-needed emphasis on cultivating leadership in the IT ranks by not just recruiting from the private sector but also developing talent internally, Bray said.
"We need to think about how we can work with the folks we already have," he added.
Indeed, while the hiring and deployment of the digital services teams -- which were pioneered in the wake of the HealthCare.gov launch debacle -- continue, Scott stressed that there is still a lot of work to be done.
"I think the digital services are a great example of the surgical use of a very special kind of talent to act as a catalyst for certain things," Scott said. "Where the digital services teams have done work, they've really made some important contributions in the most critical of the consumer- or citizen-facing services. That's great."
However, he said, those teams "are not designed today to do the heavy lifting of taking these old, siloed systems and moving them to a modern platform.... Mostly we've focused them on citizen-facing kinds of services, where frankly there was a lot of work to do as well."
From Silicon Valley to the Oval Office
Scott said he was happy as CIO at VMware and didn't give much thought to government work. Even though he worked at a leading cloud vendor when "cloud first" was the declared goal of the Obama administration, Scott focused on technology and not the marketing of VMware's services to government.
"Coming here, I had to get up to speed as quickly as one can on the ways that government buys stuff," Scott said.
He was first approached at a technology conference in September 2014 and asked to help with White House efforts on diversity and nontraditional hiring in technology. He invited some friends and CIOs to a conference, after which, Scott said, "I naively thought I was done."
Instead, he was recruited by U.S. CTO Megan Smith, a former Google executive; Todd Park; Beth Cobert, who was OMB's deputy director for management at the time; OMB Director Shaun Donovan; and others in the West Wing.
"Over time it became apparent that it was a challenging opportunity and one where I felt that I could make a unique contribution," Scott said. He came on board in February.
In his second day on the job, Scott found himself in the Oval Office briefing Obama. Although Scott declined to share details on his interactions with the president, he said he has offered advice on a range of issues related to IT in government. Scott's was among the voices that prevailed in the long-running conversation about how to handle high-grade commercial encryption.
"At the end of the day, I think the better policy is probably not to require these backdoors" for law enforcement to access encrypted communications from commercial providers, Scott said. The problem is as much practical as it is technological, he added: Smart programmers who aren't subject to U.S. law will put functionally unbreakable encryption on the market.
"All the really bad people who are highly motivated to keep their stuff secret are going to use the encryption method that doesn't have a backdoor," he said. At the same time, by giving law enforcement a window into encrypted communications, the government would create an "easy button" that could end up thwarting other investigative work.
"It actually makes you a little less effective than if you used all of the tools and resources that are available to you," Scott said.
Political cover for a final push?
Scott has been pleased with his relationship with Congress. He has appeared before committees to talk about the OPM hack, FITARA implementation and other IT issues. At the same time, he noted, the bipartisan agreement about IT is centered on the perception that federal agencies are moving too slowly to modernize, spending too much money, and relying on creaky and vulnerable technology.
"Most people agree that there's a lot of work to do [and] that we're way behind the point where we should be and way behind private industry in terms of modernizing," Scott said.
He said he is seeking to advance the IT procurement cause now that FITARA is law by talking more seriously about funding mechanisms that can be used to "accelerate the move to some more modern platforms."
And so far, Scott appears to be well-liked on the Hill.
"Tony's got a very difficult job, but he has a great background and experience on how to do it," Rep. Will Hurd (R-Texas) said. "It seems like he's getting the right kind of support that he needs in order to be successful at his job. I think he's a smart guy, he's a thoughtful guy, and he knows how to work with people."
Hurd, a former CIA officer and cybersecurity specialist who leads the IT Subcommittee of the House Oversight and Government Reform Committee, added, "This is an issue that transcends political affiliation. This is about protecting the federal government, this is about protecting the citizens of the United States of America, and this is something that...shouldn't be tainted by partisanship."
Scott, for his part, said he hopes to stay around until the lights go out on the Obama administration.
"It's been both the opportunity and the challenge of a lifetime," he said. "I'm going to stick it out as long as they'll have me."
By the end of the term, Scott said he wants to get to 100 percent use of PIV cards for privileged users of federal systems. He would also like to see more significant progress on replacing outdated systems, an overall reduction in the number of privileged users and more attention paid to patching existing vulnerabilities.
"One thing I know from my private-sector experience -- and I think it holds true in the public sector -- is if you're slow, you're dead," he said. "So you'd better figure out how to be faster and faster and faster, or I don't like the outcome. Certainly, federal IT has to become that way."
Scott knows it is impossible to leave a clean in-box for his successor, whether he or she serves in a Democratic or Republican administration. But he'd like to leave a playbook behind for the next U.S. CIO -- something that would serve as "a homework list for my successor that outlines, at least from my perspective, the opportunities and challenges" of the role.
He also plans to attach a note that reads, "Congratulations. It's the best job you'll ever have."