The soft spots in IT security? People and old tech

The $3.1 billion IT modernization plan in President Barack Obama's proposed fiscal 2017 budget, according to federal CIO Tony Scott, is key to closing a big federal security hole -- aging technology. And developing cybersecurity programs at agencies and universities will help close another daunting security gap -- that of effective cybersecurity education.

Almost all cybersecurity concerns boil down to those issues, according to Scott and other federal agency CIOs who gathered on March 15 at AFFIRM and US Cyber Challenge's Third Annual Cybersecurity Summit in Arlington, Va.

The fund, which is part of the larger Cybersecurity National Action Plan rolled out by the White House in February, would be run by the General Services Administration if approved by Congress. It would provide a revolving fund that agencies could access to upgrade legacy IT to more efficient technologies. Agencies would then pay back into the fund as they realize savings from their upgrades.

Legacy IT systems, Scott said, are one of the biggest security liabilities the federal government has. He tapped his familiar metaphor of trying to keep an aging car on the road -- noting that over time, that approach becomes more expensive and dangerous than simply buying a new vehicle.

"We're in that old car stage" at some agencies, he said. "The IT modernization fund is aimed at reaching an inflection point to replace legacy systems" across government, he said.

Agencies would have to present a business case to get funding under the plan, Scott said. Those plans should contain a strong management commitment and show some innovative thinking. "We're looking to more shared services instead of top-to-bottom" IT plans, he said. "Even some big agencies can do something in common" with other agencies. Shared infrastructure and applications, as well as good cybersecurity hygiene, are also positive building blocks for business cases aimed at tapping the fund, he said.

Although the White House is still fleshing out details of the plan, Scott said the initial reaction "has been positive" on Capitol Hill. GSA Administrator Denise Turner Roth faced a couple of pointed questions about the fund's details at a hearing in early March, however.

"Everyone gets it," Scott said. "Legacy systems are a concern."

Cybersecurity training, recruiting and maintaining a strong federal cybersecurity workforce is a perennial and growing problem, he said. "A CISO is the hottest job in IT," he noted. "It's the hardest job to fill in tech today."

Scott said educational frameworks under CNAP, which include developing cybersecurity core curriculum for cybersecurity workers coming into the federal government and other cybersecurity education frameworks, will help.

Transportation Department CIO Richard McKinney said he is currently looking for 22 new employees for his agency's chief information security office. He's made one hire recently and said his approach to keeping new IT talent is to hold on loosely.

McKinney said he's taking a longer view for IT hiring. "I'm not worried," he said, about keeping younger, more restless millennial employees long term. "They will move on."

But by making young hires, he demonstrates that his agency is willing to invest in new employees, including training them  in the latest IT skills.

Even if they then decide to leave, McKinney said, “we will create a backdraft to pull in more people.”