Will a Federal CISO make a difference?
Earlier this month, the White House released a "FACT SHEET" on the "Cybersecurity National Action Plan.". For 10 years or more we've had a succession of these grand plans for the government to protect us and the Internet.
One element of the CNAP is the role of the new Federal Chief Information Security Officer, who is tasked with driving the changes in a proposed $3.1 billion Information Technology Modernization Fund. The point of the fund is to "enable the retirement, replacement, and modernization of legacy IT that is difficult to secure and expensive to maintain..." This is indeed a worthy goal, as the new DROWN attack on the long-obsolete SSL 2.0 protocol partly demonstrates.
Security
A Federal CISO! Do we need such a person? Of course a Federal CISO would not have a job anything like a CISO in any other organization, partly because the Federal Government is not "an organization," but rather a large number of loosely confederated organizations with substantial autonomy. Does it make sense? What would this person do?
One clue is the job posting for the position:
The Administration has created the position of Federal Chief Information Security Officer to drive cybersecurity policy, planning, and implementation across the Federal Government. This is the first time that there will be a dedicated senior official who is solely focused on developing, managing, and coordinating cybersecurity strategy, policy, and operations across the entire Federal domain.
The entire Federal domain. That's a pretty awesome responsibility for a job with a salary range of $123,175 to $185,100/year. Alas, the open period for the position ended on February 29, so don't bother applying,
I spoke with Randi Parker, Director of Public Advocacy, Cybersecurity, Workforce Development at CompTIA, an industry trade association which, in part, advocates for cybersecurity policy. Above all, Parker said that the CISO needs to have some real authority, in particular budgetary authority. The CISO also should have both private and public sector experience, which makes sense. Whatever the specifics, Parker said that CompTIA is supportive of the Federal Government improving its overall cybersecurity posture; if a Federal CISO does that, then they are all for it. It's hard to argue with this.
What Parker said makes sense, so let's ask the key question: What kind of authority would this person have? One way to answer this is to look at their position in the company org chart, the company being the Office of Management and Budget (OMB) within the Executive Office of the President.
The position is part of OMB's Office of E-Government & Information Technology, which is headed by the US Chief Information Officer Tony Scott. Mr. Scott reports to the Deputy Director for Management, a position which is currently vacant. The President nominated Andrew Mayock in December to replace Deputy Director Beth Colbert, who was shifted over to run the Office of Personnel Management in the wake of their data beach scandal. Mayock will report to Shaun Donovan, Director of the Office of Management and Budget who, at least in theory, reports to the President.
So the CISO will be four management levels down from the President. Since the position is an appointed one with no statutory mandate, it's likely that the position will have limited, if any real authority. I'll also note that this position exists in parallel with the Cybersecurity Czar Michael Daniel, officially the Special Assistant to the President and Cybersecurity Coordinator. That person, once again in theory, creates policy which, presumably, is executed by the Federal CISO.
The one thing that could make a difference is, as Parker said, budgetary authority, and it's here that the proposed $3.1 billion Information Technology Modernization Fund could make some difference. The CISO would probably have no stick, but could have a big, fat, juicy carrot to entice Federal agencies to secure their infrastructures. Given how large and sprawling the Federal government is, I have to wonder whether $3.1 billion would go very far, although DoD, a not-insignificant chunk of the "Federal domain" has their own programs and plans for improving security.
At least they're not tasking the underpaid Federal CISO with curing the cybersecurity ills of the world, just the Federal government. It's hard to argue with the need to spend money towards this end and, if we're going to spend it we should have someone directing the spending rather than just throwing money at the agencies. It's worth a try. After all, it's only $3.1 billion.