Since 2014, most major American government agencies and key personnel, from the United States Postal Service (USPS) to the White House and the CIA Director, have fallen victim to an assortment of hackers. Although the private sector data breaches captured our attention, the federal government proved to be a lucrative target for hackers. Therefore, it should come as no surprise to anyone that the White House would introduce a new cybersecurity plan.
As part of the Cybersecurity National Action Plan (CNAP), a strategy that will increase cybersecurity spending to just over $19 billion, the government proposes to: (1) use $3 billion to overhaul federal computer systems; (2) build a cyber corps of professionals within the government using scholarships and relaxed office attire; (3) strengthen public-private partnerships; (4) launch a national cybersecurity awareness campaign; and (5) establish a commission to create cyber strategy. In addition to these strategic talking points, the plan proposes the creation of a federal chief information security officer (CISO) position. The CISO would be responsible for executing the White House’s five-point plan throughout the government.
Anyone who has paid attention to the plethora of successful cyber-attacks against the U.S. government knows that this plan should have been announced a long time ago. In 2015, we saw that the U.S. Office of Personnel Management (OPM) had lost 21.5 million records for current and former government employees, including security clearance data. Just in case you missed it, that data also included millions of sets of fingerprints. Just a few months later, the personal emails of CIA Director John Brennan and DHS Secretary Jeh Johnson were breached by a hacker claiming to be a high school student. Many cybersecurity experts suggest that every part of the U.S. government has probably already been hacked, even though the White House has claimed that cybersecurity has been one of its top priorities over the past several years. It seems that we’ve finally reached a breaking point.
But we’re not out of the woods. There are some serious flaws with the CNAP. First and foremost, cybersecurity tutorials, sponsored by the government, and the encouragement of two-factor authentication are great. Companies in the private sector have been doing both for over a decade. Fortunately, our government is finally catching up. Also, spending $3 billion on an IT system overhaul is incredibly overdue. As President Obama suggested, our “government IT is like an Atari game in an Xbox world.” If this analogy is correct, our government IT is almost three decades behind. That means that the U.S. government has security like Swiss cheese, riddled with holes.
Then there’s the effort “to build a corps of cyber professionals across government to push best practices at every level” where the White House proposes to do more “including offering scholarships and forgiving student loans – to recruit the best talent from Silicon Valley and across the private sector.” Isn’t this what the CyberCorps: Scholarship for Service was supposed to do? The CyberCorps OPM web site describes the program as “a unique program designed to increase and strengthen the cadre of federal information assurance professionals that protect the government’s critical information infrastructure.” That sounds remarkably similar to the President’s new proposal.
But the federal government is going to have a hard time recruiting the best talent from Silicon Valley while it offers Atari salaries in a market where Xbox salaries are the norm. The average salary for cybersecurity professionals is $116,000. To make matters worse, the cybersecurity czar position established by the CNAP only offers an insultingly small salary range of $123,000 to $185,000. The current average annual salary for a CISO in the Washington D.C. metro area is $225,000 and goes up to $334,000 in some cases. The salary disconnect is one of the reasons that JPMorgan Chase was able to establish a cybersecurity center near the National Security Agency (NSA), offer huge salaries, and hire away some of the agency’s best and brightest. It is also one of the reasons why so many cybersecurity professionals are leaving government, heading to Silicon Valley, and being paid millions to build startups.
The White House is going to have to make a more assertive move in cybersecurity if it plans to protect U.S. innovation from cyber threats. Thus far, we have just barely scratched the surface, and even after the plan is implemented, our government will continue to be an Atari in an Xbox world.