This week, the House passed a major bill that would create working capital funds for agencies to modernize their internal technology. Last week, President Donald Trump signed an executive order directing agencies to update their cybersecurity practices and to hold agency heads, not chief information officers, accountable for incidents.
What do these moves mean for technology contractors? They could signal continued or greater upcoming investments in private-sector cyber services, Candace Worley, McAfee’s chief technical strategist, told Nextgov.
This conversation has been edited for length and clarity.
Nextgov: How might the cybersecurity executive order affect cyber investments?
Candace Worley: The executive order was a great step forward. It’s an acknowledgment that cyber is going to be—and is—a primary concern for the government and something the government is going to have to actively engage with. The nature of the attacker has changed over the course of the last several years, and now we see organized crime, nation-states, hacktivism. ...The government is telegraphing right now that they recognize this is a problem. They need to put some wood behind the arrow ... in terms of giving guidance to the rest of government.
Nextgov: But does the order have teeth?
Worley: At that level, it probably can’t take into consideration enough of the variables. The guidance was at the right level for an executive order, and I’m sure they are going to be counting on the people in the next levels down to put in additional detail.
This goes to the [Modernizing Government Technology Act]—the first step is you’ve got to modernize infrastructure. The older the operating systems and the older the equipment, the more likely it is that a patch isn’t available or patching is difficult. In putting forward an order that says, 'Listen, we need to get our infrastructure up to par ... it will actually help to protect the government from attack.'
Nextgov: Is the MGT bill really necessary? There’s always debate on the Hill about whether there are other ways to incentivize modernization.
Worley: There are two factors at play: One is budget to acquire updated hardware, software, networking equipment, etc. The second is human capital. There’s always a finite set of both of those. And cybersecurity takes a very specialized set of talent. We’re in a situation now where by 2020, [there will] be 2 million more jobs in the market than there are people qualified to fill them. As we look at this dilemma for government, where governments often have limited budgets, it’s difficult for them to pay the premiums [for modernization].
Nextgov: Are you seeing an uptick in your cyber business, then?
Worley: We’re not finding a huge difference. The agencies we work with understand the criticality of addressing the cyber crime issue and we continue to see the same level, or more, commitment going forward. Cyber is going to become more of an issue, and I think most organizations realize that.
There’s always a challenge in moving things to private sector 100 percent. Profit is a strong motivator of behavior; depending upon what you’re moving to the private sector, you want to be sure the right incentives are there to ensure that the health and welfare of the government comes before profit.
Nextgov: The cyber EO outlines a shift in responsibility for cyber incidents from the CIO or chief information security officer to the agency head. Does that have implications for contractors?
Worley: That makes sense as long as there’s continued communication governmentwide. If agencies are doing things in isolation, we could end up in a bad place. Holding each agency accountable at the head level will be part of the behavior around making sure you get patched, making sure you get the right cybersecurity assets in place.
Where you have local accountability, you have a higher probability that those agencies are going to be exhibiting the right behaviors as it relates to maintaining their infrastructure [and] raising their budgets.