Trouble came to light the morning of tax day: April 15, 2015. At the federal government’s Office of Personnel Management, a security engineer decrypting some digital traffic to check what kind of data was flowing in and out of the system found something strange: a signal being sent from inside the system by security software that OPM didn’t use to a domain on the outside that OPM didn’t own. Investigation led to revelation: Hackers may have exfiltrated more than 20 million personnel records of current or former government employees—Social Security numbers, addresses, birthdates, race, job and pay histories, and more.
The agency announced the trouble in June. “Massive Data Breach” read headlines. Chinese hackers were suspected. Fallout from the theft may not be known for years. But the cybersecurity failing highlighted serious problems with government IT infrastructure—problems that Tony Scott J.D. ’92 had been working on at a top level for a couple months. In February that year, he had been sworn in as the third Chief Information Officer of the United States.
One lesson Scott learned as a career IT man—holding high-level posts with GM, Disney, Microsoft, and cloud computing firm VMware—is: Don’t waste a good crisis.
“You never want to have those things happen,” Scott told me. “But shame on you if you don’t leverage the learnings from that and scale it out to the larger enterprise.”
After the OPM hack, Scott testified before a congressional committee. He began by noting that well-financed, highly motivated, and persistent attempts to breach systems were not going away. “We have to be as nimble, as aggressive, and as well-resourced as those who are trying to break into our systems,” he said.
Nimble and aggressive are not terms often associated with most federal agencies. Nor is well-resourced, at least when it comes to IT modernization.
In summer 2015, Scott and the White House rolled out a 30-day Cybersecurity Sprint, getting agencies to work on “basic hygiene,” as he called it: simple but effective upgrades to security, such as multifactor authentication. He developed a Cybersecurity National Action Plan for more comprehensive IT transformation. And he tried to roll the big stone up the hill to change the way government develops and invests in IT. That Herculean—or Sisyphean?—effort is one that Scott describes in terms both urgent and frustrating, in part because of funding mechanisms: 80 percent of the $80 billion the federal government spends on IT annually goes to repairing and maintaining legacy systems, not upgrading and investing in new stuff. A lot of government IT is old and wasn’t designed with current security needs in mind. What’s really needed are systems that have security designed into them from the outset—“not bubble wrapped after the fact.”
Scott’s analogy: “You can put air bags in a ’65 Mustang. But it’s not gonna be pretty, and it’s not gonna work like the new Mustang that has it built-in as a part of the design.”
SOMETHING WAS BROKEN
Tony Scott used to own a ’65 Mustang—lime green. More history: He’s a Chicagoland boy, Oak Park—west side. He grew up playing hockey in the winter; he’s a big, amiable bear of a guy—looks like he could hold his own on the rink.
Back in high school, when springtime breathed new green hope into baseball in the Windy City, he and buddies would sneak out of class and catch the El to Wrigley and see Ron Santo and Willie Mays play. What choice did the boys have? There were no night games. As for the World Series, “That was pretty cool to see this year.”
While Scott was in college in Illinois, a visit to California convinced him to stay; he finished a degree in information systems management at University of San Francisco. After some time in the field, he came to Santa Clara for law, with concentrations in intellectual property and international law. The J.D. made him an unusual candidate for CIO positions—and piqued the curiosity of recruiters. He served as chief technology officer of information systems with GM. At Disney, he helmed IT corporate-wide and had his share of crises there: five power outages at a pair of data centers. Then he served as CIO at Microsoft and VMware.
Scott also credits studying case law with teaching him a valuable approach to problem solving: “Distilling out the things that matter versus the distractions is a useful skill set to have in business, in government, and in life.”
As for the things that matter, that figures into how Scott wound up in Washington. He delivered a talk in Detroit on diversity needs in tech. “Somebody from the White House who thought I had some interesting ideas invited me here to a brainstorming session,” he said. He leveraged his Rolodex to bring fellow CIOs onto a federal task force to focus on tech policy in economic growth and expanding opportunities for veterans and women. “I thought I was all done, and on the way out somebody grabbed me on the sleeve and said, ‘Hey, would you ever consider being a federal CIO?’”
He mulled it over—“I went from ‘Never’ to ‘I think I can make a contribution.’” Why? “This is the very beginning stages of the digitalization of the federal government.”
Scott was no stranger to that process in the private sector. “These are hard journeys,” he said. “They’re bumpy and they’re messy and they’re disruptive.” And, while he was new to federal budgeting and governance, he could see that something was broken. He also had been spending more and more time on cybersecurity issues in the private sector. He knew that was a problem for the federal government.
LANDING THE PLANE
We met on a cold day in December in Scott’s office in the Eisenhower Executive Building, with a window overlooking the White House’s West Wing. He took this post in the Office of Management and Budget in February 2015. So what did he find was the problem with IT budgets? Everything the federal government does from a funding perspective—including IT strategy—is tightly locked into a model following the organizational chart. “In a digital world, that doesn’t work,” Scott said, “especially if systems haven’t been engineered to work together.”
Take email. It has occasionally been in the news. Now 65 percent of the government has moved to cloud email systems. But often each agency (or subagency) implemented cloud email in such a unique way as to make simple collaboration difficult. And 35 percent haven’t modernized at all. That means no instant messaging or simple collaboration on documents across silos.
“That’s a horrible way to work,” Scott said. “But if we modernize that, allowing anybody across government to easily collaborate with others that they need to in furtherance of the mission, that’s a huge productivity gain. It’s also a speed and response issue. We have agencies that show up to fight forest fires together that can’t easily collaborate.”
But five years from now, Scott has said in hopeful moments, we’re not going to be talking about bureaucracy and slowness in government—but rather responsiveness and flexibility. So how do we get there?
In 2016, Scott advocated for passage of the Modernizing Government Technology Act to enable agencies to reprogram funds to upgrade tech. He stumped for the IT Modernization Fund to set aside $3.1 billion geared toward modernization. Agencies would pitch proposals to a board and compete for funding—then pay back the money. Scott estimated that the fund would yield $15 billion in improvements. “I guarantee you there is enough money in that inefficient, ineffective infrastructure and application space that paying back isn’t going to be the problem,” he said.
With bipartisan support—and strong backing from Rep. Will Hurd (R-Texas), a former CIA agent and chair of the House subcommittee on IT—both bills cleared the House. The modernizing technology act passed on unanimous consent. But the clock ran out in the Senate and neither bill got a hearing. Both bills may be back in 2017.
One testament to the bipartisan support for Scott is this: Last summer, a petition began circulating among government employees to keep him on as CIO, no matter who was elected president.
“What we’re really talking about here is efficiency and effectiveness of core government capabilities,” Scott said. “The policy and political stuff rides on top.” Everyone wants more efficient and effective government. “They also want security, and often these go hand in hand.”
In the past, Scott surmised, the IT profession within the federal government didn’t do as good a job as it needed to of creating a picture of the scale of the problems. “We might have moped around and looked at our shoes and complained, but we didn’t dimensionalize it in terms of: ‘Here are the dollars, here’s the risk, here are the decisions that we think can be made.’ Early on I used the analogy of ‘Anybody can take a plane off. Landing the plane is hard. It requires a lot of practice and skill.’ Making actionable data and information available can drive the right decisions.”
Like with the Mustang, Scott comes to the flying analogy firsthand: He’s a pilot.
BETTER, STRONGER, FASTER
In the days of mainframes, government was a pioneer in automation. And it made sense to write custom software for an agency. Scott’s new paradigm: “Write as little software as possible. Use common cloud services and building blocks to assemble what you need to do for your agency.”
In August 2016, Scott took government-wide an IT idea that had been tested in a few agencies: making source code available for sharing and reuse across federal agencies. “By opening more of our code to the brightest minds inside and outside of government, we can enable them to work together to ensure that the code is reliable and effective,” stated the press release at the rollout. “This is, after all, the People’s Code. Explore it. Learn from it. Improve it. Use it to propel America’s next breakthrough in innovation.”
Here in Silicon Valley, Google was a pioneer in sharing application program interface (API)—the routines, protocols, and tools for building software applications—to enable developers to build on and improve services. “We don’t have the notion of government API widely instantiated yet, but I think it’s coming,” Scott told me. “It’ll free up the creative juices of our country to help us solve some of those harder challenges. You shouldn’t have to know anything about the org chart of the entity you’re interfacing with in order to do business with it. Today, you have to know way too much about how the federal government is organized to do business with us. That’s just not a modern concept. You should be able to do that with the same kind of ease as you book travel today, or even better.”
Another key: Think of IT in terms of continuous improvement. “The technology allows, if we do regular refresh and upgrade, to write a productivity curve that is phenomenal. Traditionally, we’ve put something in and then forgotten about it until it breaks. That’s why we have some systems that are 20 and 30 years old. We’re paying a lot of money to keep those things going, and they’re not secure.”
A number of clocks are ticking. Along with cybersecurity, there’s the fact that people who understand old systems are retiring. And old systems themselves will eventually break.
“All of those things are relevant,” Scott said. “I’ve called it a bigger challenge than Y2K. What’s hard to get people’s heads around is that, unlike Y2K, there’s no midnight moment when the world’s gonna blow up. This is a situation where things get just a little bit worse every day the longer we don’t do something about it. What I fear is a point when you start to see massive failure at a bigger scale; the risk grows exponentially, not linearly, with time. It has to do with aging hardware, aging software, aging workforce. The risks are both physical—in that things just won’t work anymore—but also are to the mission: the very essential functions of government that will stop performing.”
The federal government doesn’t have to reinvent the wheel. But it does have to make that wheel bigger than any state or country has. Of the 24 federal agencies that were under Scott’s purview, the vast majority are bigger than any company in the Fortune 100.
As for examples of “the art of the possible,” Scott has cited Estonia, Great Britain, Australia. Last fall he appeared at a conference with a Danish government official talking about the digitalization of all government services there. In the United States, he mentions work done by the NYPD and the state of California. Though to be fair, he says, “In many of those cases, these were de novo kinds of things … They weren’t replacements for something that already existed.”
The old federal IT systems have to be kept running until new ones are developed, tested, and integrated. Social Security checks still need to be mailed. Air traffic still needs to be controlled. As Scott said at one conference, “You can’t just decide we’re going to turn it all off and wait until we figure out how to replace it.”
As for what he worries about beyond IT systems, there’s “misuse of information and data. I happen to know the owner of Comet Ping Pong Pizza,” he said. “The person with a gun went in and fired it in that establishment based on completely false, manufactured information.”
Tony Scott’s last day as U.S. CIO was January 17. His successor has yet to be named. What will be on that person’s plate? “We have to work on speed,” Scott said. Government culture necessarily relies on consensus, debate, and weighing of equities. “We need to find ways to preserve some of those benefits but do it a lot faster. There’s gonna be relentless pressure from the American people to have their government work better and more consistently with the way that they interact with other big important things in their lives. There’s no going back on that.”
Scott hopes that these past two years will be seen as an important beginning: “When we moved the needle on upgrading and replacing our infrastructure and applications that run the federal government, and when we introduced this notion of continuous upgrade.”
Changing the way government develops and invests in IT “can certainly be frustrating at times,” Scott said. “But I do see clear paths to getting this work done. It’s mostly a matter of creating enough clear visibility of the issues and of viable paths forward. This is not a problem that is going to be solved by going small and under the radar.”
Another thing to work on: getting the right kind of people in place. “Both a government thing and a tech thing more broadly: It’s important that we get more people with what we’re calling ‘TQ’—technology knowledge and awareness.”
In law and in some fields of research, it’s not uncommon to serve for a stint in government and then return to the private sector—even multiple times. Scott would like to see that with tech. “We need to create that culture going forward. It’s rich, it’s rewarding, it’s intellectually stimulating. It doesn’t always pay all that well, but it’s worth it—to our country, and on an individual basis.”
Steven Boyd Saum is the editor of this magazine. Robert Clark is an award-winning photographer whose work has appeared in National Geographic, Time, Sports Illustrated, Der Spiegel, and many other publications.