The White House's first chief information security officer has ambitious plans to shore up government cybersecurity, including elaborate educational campaigns for employees and ensuring investments in data protection are proportional to the value of that data.
In one of his first public appearances since his appointment last month, Gregory Touhill told an audience in Washington Tuesday his approach to cybersecurity was multipronged with separate goals for hiring cyber talent; educating federal workers about cyber hygiene; and encouraging agencies to treat information as an "asset" by considering whether it's worth it to invest in high-tech protections for low-value data sets.
"We focus too much on the technology and the keyboard stuff," he said. "Protecting information could be as simple as not discussing certain information over the phone, guarding the paperwork that you provide, shredding information that appropriately needs to be disposed of."
In 2017, his team plans to come up with new ways to "educate and train and hopefully entertain our workforce, to help them better understand both the 'why' as well as the 'how' of cybersecurity," Touhill said.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
Annual reviews of computer programs, he added, won't be enough to ensure proper cyber protection.
In the near term, the administration plans to launch Cyber.gov, a repository for information about cybersecurity-related goals and strategies, in the next couple of weeks. A group of federal CISOs will have their first meeting Oct. 28; Touhill is also considering setting up a volunteer CISO advisory council.
Longer term, there will be an increased push for continuous diagnostic mitigation technology, and eventually, hunt-teams could actively look throughout dot-gov domains for hackers, he said.
"If I had my way, we'll do a bug bounty across dot-gov, and the program office that fielded the flawed code would reimburse the bug bounty pool," he added.
Part of Touhill's plan is to help agencies make more deliberate investment decisions, he explained.
"I don't want to spend 10 bucks guarding a $5 piece of information," he said. "I want to go out there and have proportional defense," which requires a deep understanding of all the information being protected.
Some of his ideas were more whimsical. For instance, he has already spoken to the Education Department about creating a competition asking school children to come up with a manifestation for a cyber mascot, called "Byte," modeled after Smokey the Bear, and McGruff the Crime Dog, both used to spread awareness among children about public safety issues.
"Wouldn't it be cool if the school kids in America got their energy and their enthusiasm and their creativity and ... help us define something that will be an enduring reminder of the importance of cybersecurity in society?" he said.
Despite the fact he joined the White House near the end of the administration, Touhill said he expects to be in the office through the transition and aims to train incoming senior executives about cyber response.
"I raised my hand and I expect a full tour of duty," he said. "I'm playing it for the long game as opposed to 'I'm only to be around for a couple of weeks.'"