The White House on Thursday named Gregory Touhill, a retired brigadier general in the Air Force and a current official at the Department of Homeland Security, as the first federal chief information security officer. Touhill, who will be in the position only for the remainder of President Obama’s term, will be responsible for managing the federal government’s cybersecurity policy.
The appointment comes seven months after the White House first announced plans to create the CISO position, a key element of Obama’s overall cyberstrategy, as part of his $19 billion Cybersecurity National Action Plan (CNAP).
The White House also announced that Grant Schneider will be the acting deputy CISO under Touhill, who will report to Tony Scott, the federal CIO.
The New Federal CISO’s Role
In a blog post, Scott and J. Michael Daniel, special assistant to the president and cybersecurity coordinator, note that Touhill is the right person to manage a sprawling cybersecurity enterprise across the federal government.
Since April 2014, Touhill has served as deputy assistant secretary for cybersecurity and communications at DHS. Touhill has also served as acting director of the National Cyber and Communications Integration Center. And as Federal News Radio reports, before coming to DHS, Touhill held a variety of CIO and leadership positions in the Air Force, where he served for 21 years overall before retiring in May 2005.
“In his new role as Federal CISO, Greg will leverage his considerable experience in managing a range of complex and diverse technical solutions at scale with his strong knowledge of both civilian and military best practices, capabilities, and human capital training, development and retention strategies,” write Scott and Daniel.
Touhill will lead a team within the Office of Management and Budget that has been pushing cybersecurity best practices across federal agencies, “and is the team that conducts periodic cyberstat reviews with federal agencies to insure that implementation plans are effective and achieve the desired outcomes,” Scott and Daniel note.
Many in the federal IT community have been waiting for months to see who would be named as the first federal CISO. However, there are concerns over how much impact Touhill will have, as a political appointee, in the roughly four and a half months Obama has left in office.
Schneider, as Scott and Daniel note, will serve in a career role, and pairing him with Touhill “is not only the norm” across government “but also provides needed continuity over time.”
Schneider currently serves as the director for cybersecurity policy on the National Security Council staff at the White House, “where he focuses on development and oversight of cybersecurity policies to protect government data, networks, and systems, and brings over 20 years of technical skills to the role,” Scott and Daniel note.
Changing the Federal Cybersecurity Posture
Recently, federal officials have said that the government needs to rethink how it architects cybersecurity IT, and that it needs to get away from a one-year budgeting cycle as it plans funding for cybersecurity initiatives.
The issue of cybersecurity and its effectiveness is seemingly ever-present. A report released this week by the House Committee on Oversight and Government Reform criticized the Office of Personnel Management for leadership failures and a lax cybersecurity culture, citing them as chief causes for the data breaches that struck the agency in 2014 and 2015.
As Scott and Daniel note, the government has already taken some steps to implement elements of the CNAP, including the establishment of the Commission on Enhancing National Cybersecurity, which is scheduled to issue a report by Dec. 1 with recommendations on actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sectors while protecting privacy and public safety.
The White House has also proposed legislation to establish a $3.1 billion Information Technology Modernization Fund to modernize federal IT systems and retire and replace legacy IT that is difficult to secure.
And the White House has also directed implementation of a Cybersecurity Strategy and Implementation Plan for the federal civilian government as well as the first-ever Federal Cybersecurity Workforce Strategy to identify, recruit, develop, retain, and expand the cybersecurity talent pipeline for the government.
How does Touhill approach cybersecurity? He told FedScoop in late June that DHS has been trying to bring “discipline and rigor” and well-documented tactics, techniques and procedures to its cybersecurity operations.
However, he said agencies often try to create cybersecurity solutions from scratch, and instead they need to focus first on “adopting some of those best practices and the best technologies that are out there” in the market already, “rather than invest the taxpayers’ time and resources in trying to create something.”
In terms of data protection, Touhill said agencies need to do a better job of classifying how sensitive and critical information is, and protecting information accordingly. Touhill said that in trying to protect everything equally the government could wind up weakening its defenses. “You need to know what’s most important and defend that with the best part of your resources,” he said.
Additionally, Touhill said that cybersecurity is “not just a technology issue, it’s more appropriately a risk management issue,” and needs to be elevated to the highest levels of agencies and kept there so that risks can be appropriately managed.
Touhill said there is no technology that is a “silver bullet” for cybersecurity, and that agencies should implement best practices.
“Working toward best practices will bring you into compliance, but compliance won’t always bring you best practices,” he said. “So rather than chasing the technology, we encourage folks based on the empirical data out there. The best organizations are the ones who are engaged in implementing best practices, and are also learning organizations that are always on the hunt for better ways of doing business that are aligned with those best practices.”