Jeb Bush: Hold Federal IT Managers Accountable for Government’s Cyber Woes

Republican presidential candidate and former Florida Gov. Jeb Bush (Jae C. Hong/AP)

The massive OPM hack shows the federal civilian government “clearly lags behind,” the Republican presidential candidate said.

Republican presidential candidate Jeb Bush says the massive hack at the Office of Personnel Management shows the federal civilian government “clearly lags behind” when it comes to cybersecurity and that more federal IT managers need to be held responsible.

“If it is to lead the way in addressing these threats, the federal government must put its own house in order, prioritizing to reflect the urgency and importance of protecting key databases and communications,” Bush wrote in a Jan. 12 op-ed for Business Insider. “Agency chiefs who fail to prioritize cybersecurity and poorly performing IT managers must be held accountable.”

In the op-ed, which described Bush’s “plan to address the monumental threat of cyberattacks,” the presidential candidate praised recent legislation making it easier for private companies to share cyberthreat information with the government but faulted President Barack Obama “for a lack of leadership.”

He said the military and the intelligence community are “often ahead of the cyberthreat curve.”

Intense congressional furor over the OPM hack -- in which purported Chinese cyberspies stole background investigations containing sensitive data on 21.5 million federal employees, retirees and contractors -- eventually forced former agency Director Katherine Archuleta to resign last summer.

However, congressional Republicans have repeatedly pressed for the ouster of OPM’s chief information officer, Donna Seymour, citing her response to the hack and her handling of IT security upgrades at the agency.

In the op-ed, Bush also talked cyber hygiene -- although his proposals were a little short on specifics.

“The average time lag between a cyberattack and when the attack is detected is roughly 200 days,” Bush wrote. The OPM hack went undetected for more than a year. “We need to adapt our approaches to cybersecurity so we are more likely to detect an intrusion before it is too late. This means more regularly scanning networks, applying new technological tools to detect intrusions, and better sharing of threat signatures so an attack on one does not lead to an attack on many.”

After the OPM hack, the Obama administration ordered agencies, as part of a 30-day “cybersecurity sprint,” to immediately patch critical vulnerabilities and strengthen security, such as by implementing two-factor authentication.