The views expressed by contributors are their own and not the view of The Hill

Why the government’s cybersecurity matters

With the recent breach of personnel information from the Office of Management and Personnel and revelations that insiders within our intelligence community mishandled and exposed sensitive information, citizens may be asking themselves, “How could it get worse?” To be certain, our national security and national prosperity will be significantly threatened if we do not ensure that cybersecurity and protection of the people’s information are at the top of every agenda in every department and agency.

Cybersecurity is a risk management issue, and the United States government, like many businesses around the country, is accepting a lot of risk. This should be deeply concerning to all Americans, as it represents a critical threat to our national security, the openness of our economy and our way of life. However, the good news is it does not need to be this way. There are concrete and achievable steps that the government must take to reduce the level of risk, beginning with filling the vacant federal chief information officer and chief information security officer positions with experienced and qualified personnel, upgrading our network architecture and infrastructure, investing in workforce training and adopting many of the proven best practices that work in the private sector. 

{mosads}The United States government is arguably the largest repository of data in the world. It possesses information about every citizen, from birth to grave. It knows where you live. It knows where you were educated. If you apply for a security clearance or a government position, or join the military, it knows whom you associate with and where they live. It knows about your health and welfare. It knows about your family and the neighborhood in which you live. It knows about your financial posture, where your resources are and their quantity. If you travel abroad, it knows that too. It knows where you work and for whom. It tracks businesses, commerce, investments and taxes. It collects information on critical infrastructures, nearly all of which are owned and managed by private companies. It manages essential public services for the safety of our people, including air traffic control and airspace management that protects you while flying home for the holidays. It provides the information used to manage safe rail and road systems, water ports and other essential transportation activities that fuel our economy. It possesses critical information that ensures that our energy infrastructures are safe and secure. It manages public health capabilities and thwarts the outbreak and spreading of diseases. It provides for the defense of our country and our way of life. The list goes on and on regarding the information that defines the lives of its people that the government creates, manages, shares, collects and archives as custodian. 

Information has value and it requires valuable resources to create, collect, manage, store, archive, retrieve and share. The information that the U.S. government possesses is priceless. In order to preserve the privacy, civil rights and civil liberties of our citizens, as well as our national security and prosperity, information must be appropriately managed and protected. In today’s internet-enabled world, cost-effective and efficient automated systems are not good enough. Our citizens require a modern, digital government that delivers services effectively, efficiently and securely.

Cybersecurity is not merely a technology issue, it is a risk management issue that involves people, process and technology. For too long, the U.S. government did not properly address the security of its unclassified yet highly sensitive data. It accepted too much risk at all levels. It did not inculcate a culture of security into its training and daily operations. It did not demand that security be an agenda item in its boardrooms or its requirements documents. And, in many areas, it ignored the risks and consequences of data breaches. As citizens, we have a stake in the protection of our information and need to ensure that our government recognizes cyber risks and acts appropriately to protect the information that fuels our economy, defends our country and supports our fellow citizens.

I believe we can and must better protect the precious information of which our government is the custodian. We need to fill the chief information officer and chief information security officer vacancies with qualified and mission-ready personnel, now. Our arcane and antiquated U.S. government network architecture is based on a 1980s organization chart and needs to be upgraded to a secure, modern infrastructure leveraging today’s intelligent, software-defined security solutions. We need to move quickly and deliberately to improve education and training of a cyber-ready workforce. Our government needs to thoughtfully and intelligently adopt best practices from the private sector, which has leap-frogged the government as the primary source of innovation and agility. 

Americans expect an open, transparent and responsive government. Per our Constitution, we also expect our government to “provide for the common defense,” which now includes protecting our information. Today’s capabilities present the opportunity to provide the citizenry greater access to services and information, yet this must be accomplished in a manner that does not inadvertently compromise the privacy, civil rights or civil liberties of our citizens; undermine our national security; or damage our national prosperity. We expect our information to be secure.

Our national security and prosperity depends on it.

Touhill is president of Cyxtera Federal Group. He formerly served as the first Federal Chief Information Security Officer of the United States.