The government official leading a review of federal network security acknowledged that investigators might discover more digital intrusions on the government’s outdated systems.
“I think it's a realistic chance, and I think this is true no matter where you go,” Tony Scott, the federal chief information officer (CIO), told Reuters in an interview. “It's not unique to the federal government.”
Scott is spearheading the White House's 30-day “cyber sprint” in the wake of a damaging data breach at the Office of Personnel Management (OPM) that left more than 22 million people’s most sensitive data in the hands of suspected Chinese hackers.
The accelerated review is aimed to plug the most glaring holes in the government’s network security. Agencies were directed to patch critical vulnerabilities, restrict the number of people with access to privileged data, quicken the adoption of multi-factor authentication and scan systems for malicious activity.
“We said, 'Run hard for the next 30 days and get big progress on these things,'” Scott said. “No excuses, just get it done.”
The 30-day window came to an end over the weekend.
Scott told reporters last Thursday that the government had “dramatically increased the amount of two-factor authentication for privileged users.”
Federal civilian agencies boosted their use of multi-factor authentication by 20 percent, he said. And several agencies now have 100 percent adoption of multi-factor authentication.
The White House will soon release more details on the results of the sprint, identifying which agencies succeeded and which fell short.
“Some will get there, and some won't,” Scott told Reuters. “There's probably no CIO in any federal agency now who wants to be the bottom of the list.”
During the sprint, Scott also dispatched teams to look at various aspects of the government’s cybersecurity policy.
In September, the White House will unveil policy recommendations to tweak and overhaul how the government acquires and oversees its information technology. Scott said the changes will reflect a focus on acquiring tools to better discover intrusions and mitigate the fallout, rather than simply trying to repel hackers.
Scott indicated to Reuters that Congress might need to approve some of these alterations.
“Shame on us if we don’t also take advantage of this time to come forward comprehensively and say, ‘We need to make these other changes as well,’” he said.
But the government’s rapid review may also uncover more hacks, Scott conceded. The same would be true at any company taking a hard look at its network.
“There’s two kinds of CIOs: ones who have been hacked and know it, and those who have been hacked and don't yet realize it,” he said. “But the reality is, you've been hacked.”