US government CIO Tony Scott ordered federal agencies to complete 30-day "cyber sprints" to patch holes in their security in the wake of the Office of Personnel Management hack that exposed personal details of 22 million Americans.
He warned federal government could find more cyber intrusions as it takes a close look at its sprawling and sometimes creaky systems.
"I think it's a realistic chance, and I think this is true no matter where you go. It's not unique to the federal government," said Tony Scott, who spent 35 years in the private sector running systems at companies such as Microsoft, Walt Disney and General Motors.
Scott was named as the federal CIO in February and knew from the start that stepping up cyber defences would be a focus.
But the hacks at the federal hiring office that scooped up the sensitive data of 22 million Americans have given his mission new momentum, Scott said in an interview in his office.
Scott began reviewing the status of cyber security at government agencies early in his tenure. Some were making progress, but overall, the government needed to step up the pace, he said.
The hacks at the Office of Personnel Management lit a fire under that process. A month ago, after an initial intrusion was first confirmed, Scott ordered agencies to take a series of steps in a 30-day "cyber sprint" on critical security measures.
He told them to cut the number of "privileged users" that have extra administrative access to systems, require "two-factor authentication" to add an extra layer of security for passwords of those privileged users, and patch critical vulnerabilities in network operating systems.
"We said, 'Run hard for the next 30 days and get big progress on these things. No excuses, just get it done,'" Scott said.
Those 30 days are now up, and by July 20, Scott plans to publicly share the results showing which agencies achieved the goal.
"Some will get there, and some won't," he said, noting that some details will be withheld in order not to give hackers a roadmap to ongoing vulnerabilities in the government's databases.
"There's probably no CIO in any federal agency now who wants to be the bottom of the list," he said.
In September, his office will deliver broader recommendations from the review on policy, procurement and technology, some that can be knocked off quickly, and some that could need Congressional approval.
"Shame on us if we don't also take advantage of this time to come forward comprehensively and say, 'We need to make these other changes as well,'" Scott said.
The government may need to invest in tools that go beyond trying to prevent hacks, and more quickly detect and contain threats, and repair any damage, he said.
Scott's office includes a team of private sector tech experts created after the botched launch of the healthcare.gov website - professionals who he said are being deployed "surgically" in agencies to help modernise computer systems.
But with more scrutiny and more tools comes more insight into problems that may have previously been overlooked, and hackers keep developing new sophisticated ways to threaten systems.
"There's two kinds of CIOs: ones who have been hacked and know it, and those who have been hacked and don't yet realie it. But the reality is, you've been hacked," he said.
_page-0001.jpg&w=100&c=1&s=0)
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
