America’s Cyber Czar
It was a Friday at the end of March 2015 when a staffer rushed into Tony Scott’s office. “There’s something you need to be aware of,” Scott ’88 remembers hearing, as he looked up from his desk in the Eisenhower Executive building next to the White House.
Scott was told that U.S. government computers were under attack and had been for some time — likely the work of a foreign state. It was worst-case scenario stuff. Four million U.S. government employees’ records at the Office of Personnel Management (OPM) had been hacked, including sensitive employee background checks.
But that wasn’t the worst of it. He eventually discovered the number was closer to 21 million, the largest hack of American government information ever.
Scott, the nation’s third chief information officer (CIO), told his assistant to gather the crisis response team. The problem, he learned, was that no such team existed. Or at least none with standing members and a vetted step-by-step plan for how to secure affected systems and files, analyze what data had been compromised, trace how the intruders had gained access, and work with the FBI and other law enforcement agencies to track down and bring to justice those responsible.
“It was a wake-up call,” Scott said. “I realized then we weren’t well organized internally or well coordinated with other government agencies externally, including law enforcement.”
The breach was hardly the welcome Scott might have hoped for to his new position, a job he’d started just seven weeks earlier.
“It’s not a job I ever thought I would do,” said Scott, who graduated from USF with an information systems degree and went on to earn a law degree at Santa Clara University.
He was working in IT at Sun Microsystems when he enrolled in evening classes at USF, with the goal of finishing a degree he’d started in his native Illinois two years earlier. He immediately felt at home.
“At USF, I found myself in an environment that was adaptable to my work schedule; I was learning with peers about my same age who, like me, already had some working experience to draw on and added to the course; and I found the instructors to be world class in their knowledge, guidance, and wisdom,” Scott said.
Protect the Nation’s Data
When the Obama administration tapped Scott, he was CIO at VMware, an industry leader in cloud computing headquartered in Palo Alto. He’d spent 30 years working as a top technology executive at companies such as Microsoft, Disney, and General Motors.
He was first approached about the government position in September 2014 at the Techonomy Detroit conference where he spoke about the need to increase diversity in the tech sector.
“I turned them down a couple of times,” Scott said of the White House’s offer. “But the ask got stronger and stronger each time, and every objection I had they figured out a way to neutralize — so in the end, I had no choice but to say ‘yes.’”
On Feb. 5, 2015, President Obama introduced Scott as the new U.S. CIO — a position the president created six years earlier to get a handle on the federal government’s sprawling civilian IT infrastructure. The move to hire Scott was part of a broad effort to bring more top tech talent from private firms to Washington to speed the transition to digital government and fix the fallout from the healthcare.org launch — when thousands of Americans couldn’t sign up for insurance under the Affordable Care Act because the website didn’t work.
As CIO, Scott oversees technology for the American government’s 24 cabinet-level departments, manages an $84 billion IT budget, leads the federal government’s move from paper to digital records, and manages dozens of federal teams working to protect the personal information the government stores — whether that’s veterans’ health data, Social Security payments, or tax records.
Ultimately, Scott accepted the post because he wanted to serve a bigger purpose and give back in some way. The inclination had grown as he weighed the move and reflected on the values behind his USF education, growing up Catholic, and the death of his father a year earlier.
“The more I thought about it, the more it intrigued me,” he said. “I’d been through the digitization move at several places. And it occurred to me that it was a time in the government transition when leadership and experience in the position would probably make a difference, and I thought there was something I could contribute.”
Less than two months into the job, 21 million federal employees’ personal information was hacked.
It didn’t come as a complete surprise.
“When I first came on board, one of the things I had a strong sense of was that cyber was one of the areas we were going to have to double down on and really pay a lot of attention to,” Scott said. “You could look around and see in the retail sector, in the banking sector, in the media and entertainment sector, to name a few, that there had been a series of occurrences. To believe that the government was somehow immune to that was not credible.”
If anything, the OPM hack put an exclamation mark on the work he already thought needed to be done, Scott said. The good news was the attack was discovered and shut down thanks to recent cybersecurity improvements. So, things were moving in the right direction.
He used the breach to deliver a stark message to Obama administration insiders and lawmakers that they were going to have to spend money to secure the government’s information and to update old technologies to prevent similar attacks in the future — attacks such as the suspected Russian hacks of Democratic National Committee computers in July.
“One should never waste a good crisis,” Scott said. “They’re great motivators and help everyone row in the same direction, which is extremely helpful when you’re trying to make big changes.”
By June, Scott and his newly formed crisis management team initiated a 30-day cybersecurity sprint, requiring government agencies to identify all vulnerable systems, patch critical holes, review and begin to limit the number of users with access to crucial operations, and dramatically accelerate the implementation of two-factor login authentication — requiring a user ID and personal smart card.
“Basically, I had them set aside everything they were working on to focus on this for a month,” Scott said. “The vast majority of fixes boiled down to basic house cleaning and maintenance that hadn’t been done for years.”
In fact, two-factor authentication had been a federal policy for a decade but only 28 percent of civilian agencies had adopted it. After the sprint, 75 percent had implemented it and more have since. Before the OPM hack, thousands of security holes were past the 30-day period when they should have been fixed. Today, 99 percent are patched.
“I’m very happy with the improvements Mr. Scott has implemented, including two-factor authentication and limiting workers’ access to the minimum resources necessary to do their jobs,” said E.J. Jung, a computer security and privacy expert who teaches computer science at USF. “It’s about time the government followed through on industry-standard practices.”
At the same time, she’d like to see those and other fundamental security protocols implemented 100 percent government-wide. Thousands of employees can still log in with just a password, Jung said — which means hackers only need a list of stolen passwords to break in.
Scott has directed government IT leaders to begin using the Department of Homeland Security’s cutting-edge cybersecurity software EINSTEIN, designed to detect and thwart intrusions from the outset.
Plus, President Obama, with Scott’s guidance and support, released the U.S. Cybersecurity National Action Plan in February, the first such plan in the nation’s history. The plan calls for a 35 percent increase to the current cybersecurity budget to $19 billion, along with a list of additional security enhancements.
If cybersecurity has consumed much of Scott’s attention since the OPM hack, updating antiquated technology and recruiting a new generation of IT experts have been close behind.
When Scott was hired, he learned some government computer systems were 50 years old. One Defense Department system that sends emergency messages to U.S. nuclear forces still runs on 1970s IBM machines and uses 8-inch floppy discs.
Maintaining the government’s aging technologies consumes $67 billion of the U.S.’s $84 billion IT budget.
“We can criticize the cybersecurity state of systems in the federal government, but the truth is that the systems were created in an age when they didn’t face the types of threats that exist today,” Scott said.
In addition to improving security, new technology will support the shift to digital government. All agencies need payroll and human resources systems, many make and receive payments for goods and services, others do case and/or patient management. Today, such services can be accessed in the cloud, making them more secure, cheaper to expand or shrink based on agencies’ needs, and less complex to run compared to departments buying or developing their own.
“It’s a completely different concept than the government’s used before,” Scott said.
The Next Generation
The digital shift requires recruiting a new generation of techies to government. For Scott, that means hiring more women, minorities, and employees who speak multiple languages, as well as hiring from different regions of the U.S.
“We want to make sure the people in our workforce represent the people in our national population,” Scott said. “We think that richness of spectrum contributes to a much better dialogue and more inclusive and successful IT policy.”
Scott saw the benefits of diversity at USF. As someone who worked in IT, he’d run up against gaps in companies’ knowledge when they attempted to expand abroad or market a product to a different population — occasionally running afoul of cultural values.
“At USF, my classmates and the faculty came from every cross section of America, with different ethnic, economic, and global backgrounds,” Scott said. “It was a huge factor in my USF experience. In my classes, we had such insightful discussions that I was able to take ideas from there to work and apply them directly.”
Challenge of a Lifetime
Scott’s expertise on recruiting, the digital transition, and cybersecurity are examples of the knowledge USF information systems graduates gain from the program, said Mouwafac Sidaoui, chair of the Department of Business Analytics and Information Systems. Graduates include Spotify Vice President of Engineering Craig Butler ’08, former California Chief Information Security Officer Michele Robinson ’05, Nike Director of North America Systems and Data Kelly Madigan ’99, and Hewlett-Packard Enterprise Vice President and Chief Diversity Officer Brian Tippens ’96.
“Our program provides students with a foundation in both the functional areas of business and in computing technologies,” Sidaoui said. “This blend enables graduates to appreciate the strategic role of technology, formulate a vision for information systems, and communicate that vision.”
Recruiting techies to D.C. requires a different approach than hiring in Silicon Valley, particularly since the private sector pays more — a fact Scott knows firsthand, having taken a salary cut to work at the White House.
“Sure, I’d like to see these roles pay better,” Scott said.
But his pitch isn’t about money; it’s about helping recruits find a profession that resonates with their values. He wants employees who are driven by the challenge of “working on the hardest problems at the biggest scale with the greatest impact,” as he’s fond of saying.
“If that’s what they’re looking for, there’s no better place than the federal government,” Scott said. “For me, this has been the challenge and the opportunity of a lifetime.”
Enough of an opportunity, he said, that he’ll consider staying on under a new administration if asked.