• Cybersecurity
• Privacy issues
• Legacy systems and an aging government workforce
• Open government and Big Data

To deal with these issues, the U.S. government is reaching out to expertise beyond the Beltway, particularly to IT professionals in Silicon Valley. What’s needed is input from these experts, but more importantly, a new viewpoint from a young demographic that works in new ways (and whose expectations of government quite differ from those of past generations).

Cybersecurity

In the wake of early-2015 security breaches at the OPM (Office of Personnel Management), the government took initial steps to meet what federal agency CIOs and chief information security officers declared their “top priority and challenge.” Their actions include the following:

• The GSA (General Services Administration) revised the way in which federal agencies acquire IT by creating a CyberIA Special Item Number (SIN) for cybersecurity and information assurance to IT Schedule 70, as it had for cloud computing earlier in the year.
• The government began looking for “government-wide identity monitoring data breach response and protection services.” The GSA plans to enter into agreements with contractors that “would allow the government to keep a group of response teams on call for when the data breach hits, and have an agreed-upon pricing structure already in place for when services are needed quickly.”
• Sen. Mitch McConnell (R-Ky.) attempted to add the Cybersecurity Information Sharing Act of 2015 on as an amendment to the National Defense Authorization Act. It would have added a new exemption to the Freedom of Information Act (FOIA), mandating “that the government withhold from the public ‘cyber threat indicators and defensive measures’ that companies or individuals share with authorities.” Critics were concerned about the broad language of the proposal, which would allow companies to report information to the government simply to avoid public disclosure. Forty senators voted against it. 
• The National Institute of Standards and Technology (NIST) updated its Framework for Improving Critical Infrastructure Cybersecurity. Rep. Anna Eshoo (D-Calif.) introduced the Promoting Good Cyber Hygiene Act of 2015, which instructs NIST to establish voluntary best practices for network security.
• The CIO Council solicited comments from the public regarding proposed guidance designed to strengthen cybersecurity protections in federal acquisitions. At least one group (the Professional Services Council), urged revision or withdrawal of the guidance, asserting that it was too flexible and “too little, too late.”
• The American Council for Technology (ACT)-Industry Advisory Council (IAC) public-private partnership, which is dedicated to improving government through the application of IT, identified eight security areas that require improvement. It is soliciting input on each from industry, government, academia, and all other interested parties and will summarize the findings in a report to the Office of Management and Budget (OMB).
• ITAPS (IT Alliance for Public Sector), a division of the Information Technology Industry Council (ITI), detailed recommendations to address the challenges and priorities for the Obama administration with regard to cybersecurity, including what “protocols and practices industry uses to maximize cyber crisis response capability,” with special emphasis on the importance of having clear “lines of responsibility and accountability to address these challenges when they occur.”

Two recent government reports provide a framework for understanding cybersecurity issues and the ways in which the federal government has dealt with them over the past few years. A U.S. Government Accountability Office (GAO) report, “Cyber Threats and Data Breaches Illustrate Need for Stronger Controls Across Federal Agencies,” identifies an array of cyberthreats facing federal agencies, both intentional (“targeted or untargeted attacks from criminals, hackers, adversarial nations, or terrorists, among others”) and unintentional (“from equipment failure or careless or poorly trained employees”). And a Congressional Research Service (CRS) report, “Cybersecurity: Legislation, Hearings, and Executive Branch Documents,” presents an overview of cybersecurity activities undertaken by Congress and the executive branch.

The government is also working with industry and educators to help develop tools and teach people to manage those tools in the future. For example, the Systems Integrity Management Platform (SIMP), the National Security Agency’s (NSA) “cyber tool that allows computer systems to maintain a specific security,” is publicly available via GitHub so other government organizations and private companies can use it to “help fortify their networks against cyber threats.”

According to Peninsula Press, there is a growing demand for cybersecurity professionals that’s likely to increase even more in coming years. Education efforts to promote interest in cybersecurity are supported at the national level (e.g., the National Initiative for Cybersecurity Education), through state and local initiatives, and with the assistance of academia (e.g., the CyberGirlz Silicon Valley project).

Privacy Issues

The federal government nibbled at the edges of identity and privacy issues throughout the summer, with the promise of future action. This will not be easy—the “IAPP-EY Annual Privacy Governance Report 2015” indicates that government privacy offices have low budgets and insufficient staff. According to the OTA’s (Online Trust Alliance) seventh annual report, federal agencies lag behind the private sector in terms of the adoption of adequate email authentication. Identity theft, email security and authentication, and the prospect of moving away from passwords or combining passwords with another method of authentication were all pressing issues discussed this summer. Examples include the following:

• The House of Representatives’ Committee on Energy and Commerce requested a report from the GAO “on the efficacy of providing credit monitoring for consumers following data breaches.”
• The Federal Trade Commission (FTC) announced PrivacyCon, a conference to be held on Jan. 14, 2016, which will bring together researchers, academics, industry representatives, federal policymakers, and consumer advocates to discuss how best to address consumer privacy issues. Over the summer, the FTC sued LifeLock for violating the terms of a 2010 settlement in which the company paid $12 million over false advertising claims. More recently, news broke that “Lifelock is involved in an unspecific SEC [U.S. Securities and Exchange Commission] investigation.”
• A GAO report warns that existing federal privacy laws do not adequately deal with the commercial uses of facial recognition software.
• Rep. Todd Rokita (R-Ind.) introduced the Student Privacy Protection Act to amend the Family Educational Rights and Privacy Act of 1974. It would require educational agencies and state educational authorities to protect student records and personally identifiable information, as well as notify parents of security violations.
• DARPA (Defense Advanced Research Projects Agency) “is working to give users better control of what data they release and how others can use it.” DARPA’s Brandeis program would allow systems to “perform tasks without the need to decrypt data and at the same time would block efforts to reconstruct data from any output result. The program is also leaning on machine learning, having a computer turn privacy preferences into actionable decisions about who may and may not have your data.”
• The National Institute of Standards and Technology (NIST) announced that it is designing a Domain Name System (DNS) Based Secured Email platform to authenticate mail servers using cryptographic keys. It also released the final version of its Secure Hash Algorithm-3 (SHA-3) standard.
• During a Senate Committee on the Judiciary hearing, the FTC asked Congress to modernize the Electronic Communications Privacy Act so that it could gain access to information from service providers without a criminal warrant.
• The House Committee on the Judiciary passed the Judicial Redress Act, which would extend “some of the rights conferred on Americans by the Privacy Act to citizens of Europe and other U.S. allies, allowing them to access and seek corrections to personal data about them held by federal agencies.”