Plan for Modernizing Federal IT, Enhancing Security, Unveiled
Obama Administration Proposes Guidelines, But Action Could Be in Hands of Next President
Proposed guidelines issued last week by the White House for modernizing federal agencies' information technology - a critical step to enhance government cybersecurity - come as the Barack Obama administration winds down. That means the next administration likely could be responsible for implementing the plan - or altering it.
The proposed guidelines provide for a four-step approach to identify legacy systems vulnerable to exploitation, plan for new systems and pay for them. Much of what's contained in the proposed guidelines is not new; it's an amalgamation of previous Obama administration directives, though with a stronger emphasis on strengthening security.
"Moving the federal government to modern infrastructure, such as cloud-based solutions, is a fundamental necessity to building a digital government that is responsive to citizen needs and secure by design," U.S. CIO Tony Scott says in a blog announcing the proposed guidance. "Doing so will enhance agencies' ability to protect sensitive data, reduce costs and deliver world-class services to the public. No one change is the silver bullet, however. Rather, this is a sustained effort that will ensure the federal government can best serve the American people in the 21st century."
The Office of Management and Budget, where Scott's office is located, gives the public until Nov. 26 to submit their views on strengthening the guidance.
Extension of Obama Initiative
The proposed guidance is an outgrowth of the Obama administration's $3.1 billion initiative unveiled in April to seed a fund to modernize federal information systems (see White House Proposes $3 Billion Fund to Modernize Federal IT). Simultaneously, a bill winding its way through Congress - the Modernizing Government Technology Act of 2016 - would create a working IT capital fund that would enable agencies to bank savings from modernization efforts to help pay for upgraded systems. The bill also would establish a governmentwide IT modernization fund in which agencies - led by their chief information officers - could present a business case for money for their modernization initiatives. The bill does not provide money for the fund; that would require a congressional appropriation.
The House, with overwhelmingly bipartisan support, approved the Modernizing Government Technology Act in September. "Using these old systems makes data housed by federal agencies more vulnerable to digital attacks, and it's a gigantic waste of taxpayers' money," says one of the bill's sponsors, Rep. Will Hurd, R-Texas.
The bill has been assigned to the Senate Homeland Security and Government Affairs Committee, whose chairman - Sen. Ron Johnson, R-Wis. - is preoccupied with a tough re-election battle. It's unclear whether the legislation will clear the committee and come up for a vote in the post-election, lame duck session.
If the Senate doesn't pass the Modernizing Government Technology Act this year, the next president and Congress would have to act. Both major presidential candidates have suggested they support modernizing federal IT as a way to secure government systems and data (see How Will the Next President Approach Cybersecurity?).
Democrat Hillary Clinton's campaign website says she supports expanded investment in cybersecurity technologies. Clinton also supports the Obama administration's Cybersecurity National Action Plan, which includes the modernization of federal IT and upgrades to government cybersecurity.
Republican Donald Trump says he'd establish a cyber review team and calls for the securing of IT "as modern technology permits." Trump says the team would consist of military, civilian and private-sector cybersecurity experts who would comprehensively review all of the government's cybersecurity systems and technology. The team would make recommendations for the best combination of defensive technologies tailored to specific agencies.
Neither candidate, however, has explained how they'd come up with the billions of dollars needed to secure information systems and data.
One Party Rule?
How the government appropriates money for IT development and modernization could be influenced by the outcome of this year's presidential and congressional elections, especially if one party wins the White House and a majority in each house of Congress.
"When the U.S. Senate and the House of Representatives are controlled by the president's ruling party, federal agencies are predicted to invest approximately 8.32 percent more in new IT development and modernization than when the opposition party holds the majority in both chambers," says Min-Seok Pang, assistant professor of information systems at Temple University, who researched the political influence on IT investments in the U.S. government between 2003 and 2016. "The budget allocation decisions between IT development and maintenance in governments are affected by political environments."
In the current federal budget proposed by Obama, 78 percent, or $63 billion, of the planned federal IT spending of $82 billion is earmarked to maintain legacy systems. Moving some of those legacy-support funds to pay for modernized IT could eventually save money and make systems more secure. "As more and more data is stored online, the need to protect against the adverse consequences of malicious cyber activity becomes more pressing each year," Scott says.
A number of IT security experts agree that modernizing IT would bolster security. "If you use modern, advanced technologies instead of trying to drag forward your old concepts into the new world, you can save money and lower your risks at the same time," says Tom Patterson, chief trust officer at systems integrator Unisys.
The administration's modernization initiative calls for increased use of cloud computing technologies. Says independent IT security consultant Robert Bigman, who served for 15 years as CISO at the CIA: "For a few more dollars" federal agencies and other enterprises using cloud services would receive "better configuration security, better auditing, better identification and authentication and better encryption" than what legacy systems furnish.