HOW WE'VE CHANGED/POLICY: In the wake of the attacks, altered government IT landscape, morale

'You can always recover from cybercrime,' NASA's Paul Strassman says. 'Under a terrorist attack, you are deeply damaged and your ability to recover has been crippled.'

Olivier Douliery

The administration's proposed increase in IT spending for fiscal 2003 was a direct response to Sept. 11, OMB's Mark Forman says.

Henrik G. DeGyor

The response to Sept. 11 'has been a gigantic case study in cross-agency collaboration,' the Council for Excellence in Government's David McClure says.

Olivier Douliery

The events of Sept. 11 rocked the world. They also rattled government IT to its core, transforming the way officials view systems and information security.

For one thing, the apocalyptic strikes on the World Trade Center and the Pentagon made the threat of malicious-code incursions look like kid's stuff.

For agency CIOs, Sept. 11 rendered brutally real the potential of a terrorist attack that would physically devastate their information infrastructures, said Paul Strassman, NASA's acting CIO.

'You can always recover from cybercrime,' he said. 'Under a terrorist attack, you are deeply damaged and your ability to recover has been crippled.'

At NASA, the potential for an infrastructure attack rose to the very top of the agency's list of IT threats after the events of last fall, he said.

'I now have to worry about NASA from a totally different perspective,' Strassman said. 'Prior to Sept. 11, the de facto security levels were geared to information crime'basically malfeasance, denial of service, spamming and God knows what else. After Sept. 11, a whole new category was added.

'Under terrorism, you have a deliberate action that would be aimed at crippling information technology, like the taking out of two backup data centers, as a prelude to committing a major act of terrorism.'

IT is a prime target

That's not to say that code attacks are any less a threat'just the opposite.

'Cybercrime is going to be used as part of a terrorist attack,' Strassman said. 'It's what is called a combined attack. It's a much more sophisticated, sequenced threat.'

Art Pyster, deputy CIO of the Federal Aviation Administration and deputy assistant for information services, agreed.

'There is much higher level of concern that a [terrorist] attack on the nation would involve a cybercomponent,' he said. 'One of the saving graces of that terrible day last September was that even though the hijackers did unconscionable things, the air traffic control system still operated flawlessly.

'The air traffic controllers were able to safely bring down 5,000 airplanes in a matter of hours. It would certainly have been far more difficult to do had there been an attack on the air traffic control system at the same time.'

For CIOs, the new risk of combined attacks means having to adopt a new mind-set on systems and security.

'We had previously talked far more about physical security and systems security as separate things,' Pyster said. 'You protect your physical assets, and you protect your information assets. We didn't think of them as protected in a coordinated fashion. We now have an explicit effort to protect our assets in an integrated fashion, understanding the interdependencies between physical protection and cyberprotection.'

The attacks brought a new urgency to the need for agencies to update their continuity of operations and contingency plans for their systems.
[IMGCAP(2)]
'Sept. 11 intensified the understanding that we need to dust off and maintain contingency plans,' said Mark Forman, the Office of Management and Budget's associate director for IT and e-government. 'For most agencies, the last time they had done a contingency plan was for year 2000. Everybody now recognizes that continuity of operations and business recovery plans have to be maintained and kept fresh.'

Infrastructure protection

At the Centers for Disease Control and Prevention, officials realized the degree to which the agency's computing and communications infrastructure might be vulnerable when they had to vacate the Atlanta campus on Sept. 11, said Jim Seligman, CDC CIO and program manager for information security for the Health and Human Services Department.

'We recognized that with the core infrastructure being housed here, we had to increase our focus on lessening that degree of vulnerability,' he said. 'In the last 10 months, we have increased our focus on being able to prepare for and recover from an event of mass destruction.'

For Forman, the attacks led to an overnight reassessment of OMB's e-government initiatives, especially those that would most facilitate information sharing among federal, state and local agencies.

'We really quickly looked at our e-government strategy and key issues relating to homeland security,' he said. 'What happened was the government-to-government initiatives rose to the top. They were in the middle or bottom of the priority list before.'

Indeed, the Bush administration's request for an 8 percent increase in IT spending for fiscal 2003 was a direct response to Sept. 11, Forman said.

'There was broad recognition of the need for agencies to work together to perform missions that overlap multiple agencies,' he said. 'Sept. 11 was proof that the federal government had to work better with state and local governments on everything from threat identification to disaster response. It was a very tragic way to have that wake-up call for agencies.'

For many observers, the attacks underscored the critical importance of minimizing the islands of automation'as OMB put it in its 2003 budget proposal'across the government.
[IMGCAP(3)]
The response to Sept. 11 'has been a gigantic case study in cross-agency collaboration,' said David Mc-Clure, vice president for e-government at the Council for Excellence in Government and until recently the General Accounting Office's director of IT management issues.

'It really highlighted the data integration and data-sharing issues for government agencies and the real challenge of doing a more effective job of sharing information across mission lines,' he said.

Before Sept. 11, said Edward DeSeve, managing principal of Governmentum LLC of Washington and former deputy director for management at OMB, data sharing among agencies simply seemed like a matter of good housekeeping.

Afterward, he said, 'all of the sudden it becomes terribly relevant to your mission when you realize that you need somebody else's data very quickly, and you need it to be stored accurately and easy to retrieve. That's a major impact.'

The administration demonstrated that it is serious about integrating systems. OMB recently directed the agencies set to become part of the proposed Homeland Security Department to halt work on IT infrastructure projects valued at more than $500,000.

'The effort now is to move the ball forward into integration, to create an organization that joins across the silos,' Forman said. 'We're focused on building in the interoperability now.'

French Caldwell, vice president and research director for Gartner Inc. of Stamford, Conn., and a former program analyst in the Office of the Secretary of the Navy, said: 'That makes sense. OMB is saying, 'We're not going to do any more infrastructure spending for those 22 agencies until we get a combined architectural view of what [the Homeland Security Department] is going to look like.' '

In many ways, creating the new department represents a huge test case for post-Sept. 11 exigencies for data sharing and interoperability: There will be daunting challenges in integrating member-agency systems.

Integration effort

'Programs and agencies will be brought together in the new department from throughout the government and will bring their own communications and information systems,' Robert Dacey, GAO's director of information security issues, said in a recent statement to lawmakers. 'It will be a tremendous undertaking to integrate these diverse systems and enable effective communication and share information among themselves, as well as those outside the department.'

An enterprise architecture will be critical to guiding the integration and modernization of homeland security systems, Dacey said. 'Without an enterprise architecture to guide and constrain information technology investments, stovepipe operations and systems can emerge, which in turn lead to needless duplication, incompatibilities and additional costs,' he said.
Paradoxically, interconnectivity of systems in the new department makes it more of a target, NASA's Strassman pointed out.

'If I'm an information terrorist and put together a list of targets, guess what would be on the top of list,' he said. 'Anything that Homeland Security puts up as a coordinated capability would be the thing I would want to take out first.

'The department will have to have in place an information architecture that is robust enough to take a hit.'

Many uncertainties lie ahead as Homeland Security and its IT infrastructure take shape and other major government responses to the events of Sept. 11 evolve. But there is no question that those events have changed the government IT landscape.

'Sept. 11 illustrated the importance of technology in delivering government's mission,' McClure said.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above