Rep. Will Hurd, R-Texas, called for the administration to nominate more permanent agency chief information officers (CIOs).
“I’m worried that we don’t want to stall some of the progress that we’ve achieved over the last couple of years,” Hurd said at the Washington Post Cybersecurity Summit on Oct. 3.
During the early stages of President Donald Trump’s administration, many agencies have acting CIOs and are waiting for appointments of permanent CIOs.
CIOs are needed to make strategic decisions about how to modernize legacy systems.
“Those CIOs drive long-term planning, communication, and effectiveness,” said Milo Speranzo, director of strategy and compliance for Tech Data Government Solutions, in an interview with MeriTalk in September.
Hurd said that one of the goals of his Modernizing Government Technology Act is to give CIOs more visibility and power to make decisions about their agency’s technology landscape.
“We still have agency CIOs that don’t report to the agency head or deputy agency head, which would never happen in any other organization,” Hurd said.
One of the key issues that CIOs are tasked with is how to ensure the cybersecurity of their agencies. Hurd said that he wants to see security baked into a product throughout its life cycle rather than thrown in as an afterthought; however, this requirement is difficult to legislate.
“By the time we actually pass the legislation, is it already old news?” Hurd said.
Hurd said that the rapid growth of technology capabilities makes it hard for Congress to keep up with regulations.
Richard Clarke, former White House cybersecurity adviser, said that Internet of Things (IoT) devices need higher levels of security.
“Most of these devices are being rushed to market without the embedded security,” Clarke said.
However, Clarke said he is hesitant to ask for legislation on new technologies because it could hurt innovation.
“I think the idea of regulating AI [artificial intelligence] right now is crazy,” Clarke said.
Hurd said that another challenge is educating Congress about technology issues. Without that knowledge, Congress doesn’t know what role it plays in the technology sector.
“A lot of my colleagues think the Dark Web is the direct messaging function on Twitter,” Hurd said.
Despite the difficulty of navigating where Congress should step in, Hurd said that he does have advice for companies.
“Patch your software,” Hurd said.
Hurd said that the recent high-profile data breaches haven’t been the result of zero-day exploits. The companies knew about the vulnerabilities before the attacks happened.
Hurd also said that companies should use multifactor authentication and that network administrators shouldn’t be using the word “password” as their passwords.
“Who is still doing that?” Hurd said.