When Tony Scott joined the Obama administration in 2015 as the federal government's chief information officer, he had no idea the government was undergoing one of the largest data breaches in history. Scott took up his new position just six weeks before it emerged that the Office of Personnel Management was hacked, an incident that ultimately affected the sensitive personal information of 22 million people, most of whom were federal workers.
As a result, Scott led the nation's "cyber sprint" to address the data security and information governance issues of the federal government. It was a tall task, but one that he believes improved the government's cybersecurity posture in many federal agencies. "Once we found out what the root causes of the OPM breach were, we realized much or all of it could have been prevented by better data security hygiene and IT practices," he explained in an extended phone conversation, noting there had been a "dismal" set of practices in place before the sprint. Two-factor authentication, identifying critical vulnerabilities, making sure only system admins have privileged access — these were some of the easy fixes.
Now Scott's former position, one he was appointed to by then-President Barack Obama, remains one of many cybersecurity positions left vacant by the Trump administration. But Scott says this should not yet be a big concern.
"True, a lot of leadership positions are vacant," he said, "including the CIO, but at an operational level, things are still going strong." The concern, though, comes over time if those leadership positions are not filled. "Without leadership in place, it's unlikely agencies will significantly move the ball forward, and that's a concern." He also points out that filling cybersecurity positions, in general, is difficult because of a shortage of professionals in the field. "This administration," he explains, however, "seems to be pushing for making it easier to hire and train a strong pipeline of professionals." He noted the existence of scholarships for service and easier paths for veterans who have been training in cyber as positive developments.
Yet Scott didn't cut his teeth professionally as the U.S. CIO. Over the years, he has gained deep experience in top-level positions at Microsoft, Walt Disney, General Motors and VMware. And now he's bringing this expertise to Squire Patton Boggs as a senior data privacy and cybersecurity adviser.
"There is a set of things that are really important to bring to our clients," he said. First, Scott notes, the number of high-profile attacks that happened this summer raised a lot of eyebrows — whether it was the large-scale ransomware attacks or the recent Equifax breach. The interconnected world in which companies are doing business also means these attacks can happen anywhere, to anyone, from any place in the world, at any time. Plus, he emphasized the growing complexity of the regulatory environment.
"Whether you're talking about criminal, civil, privacy or intellectual property law, you have to have a global view of what's going on in the regulatory environment, and you have to have the tools to deal with that," he said. These are some of the insights he says he brings with him in his new endeavor with Squire Patton Boggs. "It's great when you join a team that has the talent we do," he says, adding that it's a team with a strong international presence and understanding of cross-border issues.
Scott says he also has an extensive understanding of enterprise needs. "How do you get good governance in large enterprises so you have the right discussions about what the enterprise is engaged in? What data do you have? With whom do you share it? Who is in your ecosystem? What are the risks associated with all of that? These are all increasingly important conversations that are needed with senior leadership and the board," Scott explains, noting that many of these conversations may not have happened a couple years ago, as public and regulatory awareness is on the rise.
Scott told me he's particularly interested in the automated vehicle industry. As the former CTO of General Motors, he was involved in the early stages of developing OnStar and the beginnings of the connected car space. Scott, who is speaking on the topic in Washington, D.C., this week, says there are complex and difficult challenges emerging with automated vehicles. "The biggest problems are the unexpected things," he notes. Technology has been good at helping develop cars that can drive down the street in nice conditions, but driving conditions are as variable and unpredictable as the weather.
He also points out that a paradigm shift is needed in the software industry with regard to liability. The connected car space, he predicts, will likely drive this change. "Large enterprises want to control when they update and patch vulnerabilities in their software," he says. "But patches can be disruptive and require downtime." Best practice, he notes, has been to create critical patches, test them, locate unanticipated failures and, only when it's safe, deploy them. "Implicit in that," he says, "is that the enterprise is assuming the liability between when they know about a vulnerability and when it's deployed. More and more now, we're moving toward an ecosystem in which companies no longer have control of when those patches are applied, if at all. Sometimes it's done automatically or happens in the background. This shifts liability," he says, "to a different place; suddenly, with cloud computing, the enterprise becomes the customer and there is less ownership in terms of timing and outcomes."
This becomes critical in the connected car space where human safety is on the line.
Though we're clearly entering a new and rapidly changing technological world rife with uncertainty, Scott says he's an eternal optimist with faith in the brighter side of humanity. He cites the need for what he calls the "Petrov button." Stanislav Petrov was known as "the man who single-handedly saved the world from nuclear war" in 1983. At the time, Petrov was manning a nuclear early-warning system for the Soviet Union's military when alarms went off that the U.S. had launched a missile. He reasoned that it was a false alarm — a rare reflection of the sun on high-altitude clouds ended up being the culprit — and quite literally saved the world from nuclear disaster.
"I think we need a Petrov button for our new technology," Scott argues. "At some point, humans must have ultimate veto power and control over some things." Autonomous vehicles included.