Can Tony Scott get it all done?

The U.S. CIO has made a mantra of "land the planes" and pushed notable improvements in his first nine months. But the to-do list for 2016 is long indeed.

Federal CIO Tony Scott (Photo: Robert Severi for FCW)

U.S. CIO Tony Scott says he came from Silicon Valley to "help land the planes" at a time when there is plenty of air traffic in federal IT. (Photo by Robert Severi)

When U.S. CIO Tony Scott started making the rounds at Washington-area events in March, about six weeks after his appointment, he projected a calm, unruffled demeanor and showed a knack for staying on message with his metaphors.

He told audiences he had come to town from Silicon Valley to "help land the planes." As an experienced pilot, Scott said he knew that getting into the air was the easy part. And under President Barack Obama, whose administration formally created the U.S. CIO position, there was plenty of air traffic when it came to federal IT.

The 25-point IT management reform plan of the first CIO, Vivek Kundra, promised to have agencies moving IT operations to commercial cloud providers, put acquisition of commodity IT on an enterprisewide basis and monitor risky projects using a data-driven oversight process. Steven VanRoekel, the second U.S. CIO, pushed PortfolioStat and launched the U.S. Digital Service, an effort to embed forward-thinking design, acquisition and usability specialists inside agencies' IT organizations to transform and modernize how the government imagined IT. Congress had passed the Federal IT Acquisition Reform Act, and implementing the new law was going to be a big job, requiring a technology rethink across all levels of the federal government.

Scott -- a corporate CIO with experience leading IT organizations at VMware, Microsoft, Disney and General Motors -- did not come armed with a lengthy agenda like Kundra or speak management-guru like VanRoekel. He showed up at events without the protective screen of a confidential assistant or Office of Management and Budget press handlers. He was entirely believable in the role he cast for himself: a dedicated IT manager who came to Washington, despite the terrible weather and worse traffic, to help land the planes.

But not long after Scott started, the planes crashed.

The theft of personal information on 21.5 million federal employees and their families from the Office of Personnel Management, including the breach of the database of forms on employees seeking security clearances, was the most devastating cybersecurity event to strike the U.S. government to date. The infiltration, discovered in mid-April, upended Scott's plans for an orderly execution on existing policies and spurred a governmentwide "sprint" to tighten up cybersecurity, with a focus on two-factor authentication and the use of personal identity verification (PIV) cards.

Scott didn't exactly see the OPM hack coming, but he wasn't totally surprised either. In a recent interview with FCW at his office in the Eisenhower Executive Office Building, Scott said he knew going in that the vulnerability of federal systems needed to be addressed.

"When I first came on board, one of the things I had a strong sense of is cyber is one of the areas that we're going to have to double down and really pay a lot of attention to," he said. "You could look around you and see in the retail sector, in the banking sector, in the media and entertainment sector, to name a few, that there had already been a series of pretty eventful occurrences. To believe that the government was somehow immune from that was probably not credible."

He added that the OPM hack "put an exclamation mark on the work that I already thought we were probably going to need to do. At the end of the day, I don't think it changed things all that much, although there were a few weeks in there where obviously we got some extra work to do."

As part of a longer-term initiative to protect networks, Scott released the Cybersecurity Strategy and Implementation Plan for federal civilian agencies on Oct. 30. That document offers definitions for what constitutes a "major breach" and gives agencies a blueprint for responding. It is complemented by the 2016 Federal Information Security Modernization Act guidance and a long-awaited update to OMB's Circular A-130. Agencies are now required to identify "high-value assets" that need special protection, and CIOs are tasked with identifying systems that rely on older infrastructure and are due for modernization.

"Coming out of this sprint we asked people to look at your high-value assets," Scott said. "Then we asked [CIOs and chief information security officers] to make a risk-based assessment about whether things are adequately protected or not."

There is more antiquated technology in government than Scott would like to see, but he takes a realistic view about where modernization activity should be focused.

"I would love to see all Windows Server 2003 systems upgraded or replaced," he said. "But if they're not in a place where it's the highest priority threat or there's any threat at all, then I care a lot less about it."

Scott is also realistic in accepting that -- despite the best efforts of his team at OMB and IT shops across government -- federal systems will continue to be targeted.

"I don't care if you're the local 7-11 store or the U.S. federal government," he said. "The number of attacks is going up." At the same time, Scott stressed that feds are improving their batting average when it comes to deflecting attacks.

Agency IT leaders have generally given Scott high marks in return. "I think he's done a very good job -- especially when it comes to keeping important work moving in the face of so many potential distractions," Federal Communications Commission CIO David Bray said.

Scott has also put much-needed emphasis on cultivating leadership in the IT ranks by not just recruiting from the private sector but also developing talent internally, Bray said.

"We need to think about how we can work with the folks we already have," he added.

Indeed, while the hiring and deployment of the digital services teams -- which were pioneered in the wake of the HealthCare.gov launch debacle -- continue, Scott stressed that there is still a lot of work to be done.

"I think the digital services are a great example of the surgical use of a very special kind of talent to act as a catalyst for certain things," Scott said. "Where the digital services teams have done work, they've really made some important contributions in the most critical of the consumer- or citizen-facing services. That's great."

However, he said, those teams "are not designed today to do the heavy lifting of taking these old, siloed systems and moving them to a modern platform.... Mostly we've focused them on citizen-facing kinds of services, where frankly there was a lot of work to do as well."

From Silicon Valley to the Oval Office

Scott said he was happy as CIO at VMware and didn't give much thought to government work. Even though he worked at a leading cloud vendor when "cloud first" was the declared goal of the Obama administration, Scott focused on technology and not the marketing of VMware's services to government.

"Coming here, I had to get up to speed as quickly as one can on the ways that government buys stuff," Scott said.

He was first approached at a technology conference in September 2014 and asked to help with White House efforts on diversity and nontraditional hiring in technology. He invited some friends and CIOs to a conference, after which, Scott said, "I naively thought I was done."

Instead, he was recruited by U.S. CTO Megan Smith, a former Google executive; Todd Park; Beth Cobert, who was OMB's deputy director for management at the time; OMB Director Shaun Donovan; and others in the West Wing.

"Over time it became apparent that it was a challenging opportunity and one where I felt that I could make a unique contribution," Scott said. He came on board in February.

On his second day on the job, Scott found himself in the Oval Office briefing Obama. Although Scott declined to share details on his interactions with the president, he said he has offered advice on a range of issues related to IT in government. Scott's was among the voices that prevailed in the long-running conversation about how to handle high-grade commercial encryption.

"At the end of the day, I think the better policy is probably not to require these backdoors" for law enforcement to access encrypted communications from commercial providers, Scott said. The problem is as much practical as it is technological, he added: Smart programmers who aren't subject to U.S. law will put functionally unbreakable encryption on the market.

"All the really bad people who are highly motivated to keep their stuff secret are going to use the encryption method that doesn't have a backdoor," he said. At the same time, by giving law enforcement a window into encrypted communications, the government would create an "easy button" that could end up thwarting other investigative work.

"It actually makes you a little less effective than if you used all of the tools and resources that are available to you," Scott said.

Political cover for a final push?

Scott has been pleased with his relationship with Congress. He has appeared before committees to talk about the OPM hack, FITARA implementation and other IT issues. At the same time, he noted, the bipartisan agreement about IT is centered on the perception that federal agencies are moving too slowly to modernize, spending too much money, and relying on creaky and vulnerable technology.

"Most people agree that there's a lot of work to do [and] that we're way behind the point where we should be and way behind private industry in terms of modernizing," Scott said.

He said he is seeking to advance the IT procurement cause now that FITARA is law by talking more seriously about funding mechanisms that can be used to "accelerate the move to some more modern platforms."

And so far, Scott appears to be well-liked on the Hill.

"Tony's got a very difficult job, but he has a great background and experience on how to do it," Rep. Will Hurd (R-Texas) said. "It seems like he's getting the right kind of support that he needs in order to be successful at his job. I think he's a smart guy, he's a thoughtful guy, and he knows how to work with people."

Hurd, a former CIA officer and cybersecurity specialist who leads the IT Subcommittee of the House Oversight and Government Reform Committee, added, "This is an issue that transcends political affiliation. This is about protecting the federal government, this is about protecting the citizens of the United States of America, and this is something that...shouldn't be tainted by partisanship."

Scott, for his part, said he hopes to stay around until the lights go out on the Obama administration.

"It's been both the opportunity and the challenge of a lifetime," he said. "I'm going to stick it out as long as they'll have me."

By the end of the term, Scott said he wants to get to 100 percent use of PIV cards for privileged users of federal systems. He would also like to see more significant progress on replacing outdated systems, an overall reduction in the number of privileged users and more attention paid to patching existing vulnerabilities.

"One thing I know from my private-sector experience -- and I think it holds true in the public sector -- is if you're slow, you're dead," he said. "So you'd better figure out how to be faster and faster and faster, or I don't like the outcome. Certainly, federal IT has to become that way."

Scott knows it is impossible to leave a clean in-box for his successor, whether he or she serves in a Democratic or Republican administration. But he'd like to leave a playbook behind for the next U.S. CIO -- something that would serve as "a homework list for my successor that outlines, at least from my perspective, the opportunities and challenges" of the role.

He also plans to attach a note that reads, "Congratulations. It's the best job you'll ever have."
