Ex-feds: White House needs cybersecurity chiefs
Former White House adviser Richard Clarke, above, urges House members to put pressure on the administration.
A 'void is likely to continue at the leadership level' despite the Homeland Security Department, former FBI official Michael A. Vatis says.
The Bush administration took heat this month from former top-ranking IT security officials who told House lawmakers the government lacks cybersecurity leadership.
'We have in many respects regressed in recent months,' said Michael A. Vatis, former head of the FBI's National Infrastructure Protection Center, speaking before the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
'With the dismantling of the President's Critical Infrastructure Protection Board and the White House Office of Cybersecurity, there is now a gaping void in the executive branch's leadership,' he said.
Despite creation of the Homeland Security Department, 'that void is likely to continue at the leadership level for several months,' said Vatis, now director of Dartmouth College's Institute for Security Technology Studies.
Former infrastructure protection board chairman Richard Clarke agreed, saying the new department should be the focus of federal cybersecurity efforts.
'Unfortunately, the department in the early days has not organized itself to take that responsibility,' he said. What's needed is a governmentwide chief information security officer with executive authority to direct agencies, he argued.
Which direction?
'To date, the Office of Management and Budget has attempted to perform this function with one or two people buried in their bureaucracy and an interagency committee on the CIO Council, which lacks both expertise and authority,' Clarke told the panel.
But Mark A. Forman, OMB's associate director for IT and e-government, assured the panel that 'cybersecurity is a top priority in the administration's national security efforts.'
Forman said he is confident of the administration's ability to direct information security efforts and said it is too early to judge the new department's impact.
A second round of mandatory annual reports by agencies to OMB showed what Forman called substantial improvements in IT security. Sixty-one percent of agencies had IT security plans in place at the end of fiscal 2002, he said, compared with 40 percent the year before, and 47 percent of IT systems had been certified and accredited by December.
Forman said systems are on track to reach the 80 percent mark for accreditation by the end of this year.
The money being spent on federal IT security climbed to an estimated $4.25 billion this year, about 7 percent of the fiscal 2003 IT budget, compared with $2.7 billion last year, Forman said. That figure is expected to grow to $4.7 billion next year, an estimated 8 percent of the IT budget.
Forman reiterated that 'there is not a direct correlation between how much an agency spends on IT security and the quality of the results.'
Despite some improvements, the General Accounting Office reported that 'significant information security weaknesses at 24 major agencies' are putting many operations and assets at risk. GAO found that information security programs remain inconsistent with the requirements.
The reorganization of agencies under Homeland Security might have made things worse, at least for the time being, Vatis said. When NIPC moved to the new department, more than 300 full-time positions went with it.
'Yet, because most of the people [who had] those positions found other jobs at the FBI, only about 10 to 20 people have actually made the move,' Vatis said, which means a shortage of analysts 'ready to hit the ground running.'
Cut the hiring red tape
He said the lengthy government hiring process plus the necessity of background investigations means it could take the department a year or more 'even to get back to the level of functionality that NIPC achieved in its first five years.'
Clarke recommended fully funding existing IT security programs. 'You're not going to get this done without outsourcing it. There is a real reluctance to outsource IT security, but that's an answer,' he added.
Additionally, contracts should be written with financial penalties for poor performance, Clarke said.
And GAO should use commercial vulnerability scanning tools in each department to produce daily reports, which would be more useful than annual reports, he said.
Clarke suggested that all government employees be issued smart cards similar to the Defense Department's Common Access Card. 'Multifactor authentication can replace vulnerable passwords and permit encryption,' he said.
Clarke urged the subcommittee to be a gadfly driving the administration to greater efforts.
'You have a great opportunity to be a pain in the rear end to this administration, and I encourage you to take full advantage of it,' he said.