How executive vacancies hinder IT modernization and cybersecurity

Data from the Federal IT Dashboard and FISMA reports suggests that high-level agency vacancies slow modernization spending and are linked with a higher incidence of security breaches.


A record number of high-ranking federal positions are vacant in the Trump administration, and this will hamper IT modernization efforts and heighten cybersecurity risks.

According to a recent report by the Washington Post and the Partnership for Public Service, by early February 2019, only 54 percent of the civil service positions that require Senate confirmations had been filled, compared to 77 percent at the same time in the third year of the Obama Administration.

Nominees for 128 positions are currently awaiting Senate approval, while 147 positions do not even have nominees.

Currently, the Department of Defense, the Office of Personnel Management and the Drug Enforcement Agency are led by acting officials.

The high vacancy rate is an ominous signal for federal IT management. My research using data from the Federal IT Dashboard finds that when the head of a federal agency does not have Senate confirmation, it leads to a significant decrease in budget allocation for new IT development or modernization, shifting funds toward IT operations and maintenance. When an agency's head remains unconfirmed by the Senate for more than a year, its IT modernization spending decreases by five percentage points.

IT modernization carries considerable risks of failure, including project delays and budget overruns. An agency executive without Senate approval is unlikely to have the strong authority needed to embark on risky IT modernization endeavors.

The lack of progress in IT modernization will not only hinder effective agency operations and policy execution, but also increase exposure to cybersecurity risks. My research with Huseyin Tanriverdi at the University of Texas-Austin, using data from FISMA reports, finds that CFO agencies that spend less on new IT development or modernization are likely to suffer from more frequent cybersecurity incidents. This finding contradicts the “security-by-antiquity” argument. Specifically, we find that a one percentage point increase in IT modernization is associated with a 5 percent decrease in security incidents.

This is because a tangled web of legacy systems makes overall IT infrastructures in federal agencies complex and fragmented, exposing more vulnerabilities in enterprise architectures. Integrating the findings of the two studies tells us that the record vacancies in high-ranking positions intensify the cybersecurity threats to the federal government.

Federal agencies need talented IT professionals to deal with mounting cybersecurity threats. My preliminary research utilizing OPM data to investigate the demographic characteristics of federal IT personnel and IT security risks shows a connection between length of federal service among IT employees and a higher number of reportable breach incidents. For the period covering 2012 to 2015, I found that for agencies where the average length of service of IT workers is below 15 years, the average number of incidents is 1,855 a year. For agencies where that length of service is more than 15 years, there is an average of 2,035 incidents.

This finding signals that refreshing the talent pool in federal IT could have an impact on reducing cybersecurity risks.

For more effective IT management and modernization in the U.S. government, I have the following policy prescriptions.

First, the administration and the Senate should speed up the nomination and confirmation processes. Congress can amend the Federal Vacancies Reform Act to shorten the number of days that an acting official can serve. The Senate also should consider measures to streamline the confirmation process for sub-cabinet nominees.

Second, while the Federal IT Acquisition Reform Act substantially empowers agency CIOs to have authority and accountability in IT modernization, Congress should do more. An early version of FITARA provided for Senate confirmation for CIOs. Senate confirmation would allow the agency CIOs to take more risks and enable them to play a stronger leadership role in driving IT modernization.