President Barack Obama's budget request for fiscal 2017 includes a slight increase in funding for IT programs and a significant boost (35 percent) in cybersecurity dollars. After reviewing the budget, industry experts chimed in on what the request will mean for the federal acquisition landscape.
Here's a short rundown of some comments offered to Federal Times. And check out our full budget coverage, including a roundtable discussion with top experts on management, acquisition and presidential transitions.
Bob Stevens, Vice President of Federal Systems, Lookout:
There's no question in anyone's mind there's massive room for improvement in Washington when it comes to cybersecurity. OPM and this week's leak of FBI contact information have made that abundantly clear. It's encouraging to see the president take cybersecurity so seriously and seek to put significant funds and staff in place to manage it.
However, while the president's executive order does mention technologies associated with the Internet of Things and cloud computing, mobility is noticeably absent from the order. This is a gross misstep in my mind given the increasing amount of data accessed by mobile devices.
In fact, after analyzing 20 federal agencies, Lookout recently discovered 14,622 personal devices associated with government networks (despite them claiming to not have BYOD programs). We also found 58 percent of federal employees are aware of the security consequences of using their personal mobile phones for work, yet 85 percent will use their phones for potentially risky activities anyway — underscoring a significant problem that could put federal agencies — and the sensitive information they handle — at risk. If we're pouring more money into cybersecurity, it's critical that mobile be a threat surface that is prioritized.
Mike Pittenger, Vice President for Security Strategy, Black Duck:
[The creation of a Federal CISO] is welcome news to federal workers. The government has struggled for years to keep its systems up to date and build adequate defenses. In 2015 the Office of Personnel Management breach reportedly affected every government employee and exposed SF-86 background check forms for all who have applied for clearances. This is extremely detailed and private information that we don't want in the hands of our adversaries.
The appointment of a Federal CISO is a very good step and it's essential that the role have appropriate authority to enact changes.
The federal government has enormous purchasing power. It can — and should — use it to demand more accountability from vendors. This includes much greater visibility into the software the government purchases. We know from our on-demand code audits that open source software comprises 35 percent of the average commercial application and NIST has reported over 6,000 new vulnerabilities in open source components since 2014. Ensuring that these at-risk components are known to government vendors and monitored for new vulnerabilities will go a long way to improving the security profile of federal customers.
John Dasher, Vice President of Marketing, Niara:
While the new CISO's role to "coordinate cybersecurity across federal agencies" is extremely important, this CISO could help elevate cybersecurity across public and private sectors and perhaps it could lead to the government working to leverage the many brilliant CISOs the U.S. has across all industries. They already do a remarkable job of talking to each other, learning from each other's experience. Perhaps the new government CISO can become a productive part of that elite group. Certainly the opportunity exists to be an enabler that helps both public and private sectors.
On the other hand, an argument could be made that says this new CISO should purposefully constrain the role to a department or two, and focus there. Boil-the-ocean efforts seldom succeed; each government agency is a huge undertaking in and of itself.
Regardless of path, the cybersecurity technology landscape is changing so rapidly that it requires a dedicated, forward-looking executive to make the right choices.
J.J. Thompson, Founder and CEO, Rook Security:
Commissions and workgroups are great. Money is better. Vision and the right leaders to see this through to success are the critical component. This cannot be business as usual. The leadership for these initiatives needs to be composed of people who can sift through myriads of great ideas, all with merit, and operationalize them rapidly.
The challenge there is that the type of person who comes up with ideas can seldom steer a workgroup to simple effective outcomes. The person who can work with workgroups can seldom sift through the bureaucracy. The role of federal CISO should not be about who has been the best CISO so far, it's who can attract the right team to bring the aforementioned objectives to life.
Amjed Saffarini, CEO of CyberVista:
The White House's call for a Cyber Corps Reserve program is a welcome evolution in the White House's efforts to protect government systems, private companies and citizens alike. It also points to the increased awareness of our country's growing cybersecurity skills gap. Too often, we hear only about the technology problems and solutions in cybersecurity without enough appreciation of the 'people problem' at the core of many damaging cyberattacks.
Many important questions still remain about the president's plan: Given the already crushing shortage of cybersecurity professionals, where will these cyber workers come from? How will these workers be trained? What incentive structure will be in place to ensure these workers stay in their positions? What will the roles of prior government cyber issues be?
Despite these questions, we commend the White House for proposing a solution to the cyber skills gap and we look forward to seeing the federal government and its private sector partners tackle this critical issue.
Anthony Robbins, Vice President, Brocade Federal:
The FY 2017 budget recognizes and addresses a number of key IT challenges. President Obama's request for a $3.1 billion revolving fund to retire antiquated IT systems is a critical step to ensure agencies have the financial resources to upgrade the federal government's enterprise infrastructure, adopt leading technology solutions that support commercial best practices and stop unnecessary spending on legacy systems moving forward.
The current budget still calls for 71 percent of its IT spending to go toward maintaining legacy systems. To reduce the funds required for IT maintenance in the future while taking advantage of new technologies for cloud, mobile, and the Internet of Things, agencies must use available and significant budgets to build more modern enterprise infrastructure. Such modernization will require that agencies move to the New IP, an innovative approach to networking that allows agencies to deliver world-class digital services for government.
Ryan Gillis, Vice President for Cybersecurity Strategy and Global Policy, Palo Alto Networks:
Tuesday's announcements of the Cybersecurity National Action Plan and the president's FY17 budget request include a wide-ranging series of cybersecurity initiatives intended to address some underlying and systemic threats to everyday activities in the digital age. These proposals merit a mix of near-term action and longer-term consideration and I am encouraged that the administration drew heavily on recommendations and best practices from private industry.
However, the ultimate significance of the announcements depends heavily upon Congress and the next administration to implement. Recognizing that this is a highly polarized election year, we have a precedent of bipartisan cooperation on key cybersecurity initiatives over the last few years, including the NIST Cybersecurity Framework and passage of several pieces of legislation.