Commerce secretary urges bold action on cybersecurity

Commerce Secretary Penny Pritzker warns of a cyber workforce shortage and cautions against government efforts to overly-centralize cybersecurity authority.

"Consider me very wary of any vast centralization effort that dilutes our authority -- as [government] managers -- to hold our teams accountable," she told the Commission on Enhancing National Cybersecurity at its final field meeting in Washington.

Pritzker argued that the commission needs to address the question of, "how to strike a balance between centralizing certain cybersecurity functions and standards while preserving the independent authority needed for department leaders to fulfill our mission-critical responsibilities."

She said that having the right people is central to her challenge to meet the department's cybersecurity commitments. 

"Since arriving at Commerce, I have faced a chronic shortage both in quantity and quality of cybersecurity personnel," said Pritzker. "Yet I do not have the authority, flexibility, or resources to do enough about it."

Pritzker urged the commission to adopt a number of initiatives to address the national shortage of qualified cybersecurity professionals.

"You might consider recommending a centralized system to recruit, train and place federal cybersecurity personnel," she told commission members.

"We need specialized pay scales to compete with the private sector -- like those used for the financial industry," she added. "Maybe it's time for contracts with preset time commitments or even private-sector-style non-compete agreements."

She also floated ideas such as debt forgiveness for graduates of certified programs, "tuition-free community college in return for federal service; and cybersecurity apprenticeships within civilian agencies."

Pritzker also decried the cumbersome funding process for upgrading legacy technology and called for more flexibility in the acquisition and contracting process.

"Securing funds from Congress for specific programs is much easier than long-term improvements," she said. "As a result, we rely on loose change in our operational and maintenance budgets to patch outdated systems instead of making strategic decisions."

Pritzker called for an adoption of shared services that can create efficiencies for government agencies that simultaneously preserves agency autonomy.

"For example, DHS' Continuous Diagnostics and Mitigation is a valuable tool for helping departments conduct real-time risk management," she said. "We see it as a service -- not just a top-down mandate -- that empowers my peers and me to meet our core responsibility to secure our departments' networks and data." 

She also said that shared services could be applied to the procurement process and that the General Services Administration and the National Institute of Standards and Technology "could provide CIOS from across the federal government with a sandbox environment to evaluate the latest software."

Echoing a common refrain, Pritzker also pushed the commission to enhance cooperation between government and the private sector, saying that government still lacks "effective mechanisms for fostering meaningful government-industry cooperation across the full spectrum of cybersecurity issues."

She implored the commission to be bold and creative in its recommendations that "will steer the next President's agenda from day one and influence our country's cybersecurity priorities for many years to come."

The 12-member commission is in the process of reviewing more than 170 responses to its recent request for information, and is scheduled to deliver its final report to President Barack Obama on Dec. 1.