How to improve security? Centralize IT management, VA CIO says.

Government lags behind private sector because of a lack of central operational authority, Baker tells summit

Government IT systems are at increased risk to inside and outside threats because departments lack centralized budget and operational authority over their IT systems, the Veterans Affairs Department’s CIO said today.

“I’m disappointed that the government lags the private sector in cybersecurity by many years,” said Roger Baker, who has been in his current federal job less than two years.

Interconnected but decentralized networks are only as strong as their weakest link, he said, and without centralized IT control to enforce visibility and security measures, “we are going to remain completely open.”

Baker, who said he is on the campaign trail for consolidating IT authority, made his pitch at a cybersecurity summit in Washington hosted by FedScoop.

VA is the second-largest executive branch department, with 300,000 employees and a $2.5 billion IT budget, and it is the only agency with a consolidated IT appropriation, Baker said. That centralization did not come easily.

“VA got that by failing big time,” he said, referring to the 2006 loss of a laptop PC containing the records of 26 million VA patients. But the result has been an order-of-magnitude improvement in the department’s security posture in the past three-and-a-half years and a savings of hundreds of millions of dollars.

“I don’t think there should be any question as to whether we should do this across government,” Baker said.

The issue was echoed by Shawn Henry, executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, who said IT threats are substantial and growing — from organized crime, foreign intelligence agencies and terrorists.

“Technology is not the answer in and of itself,” Henry said. Law enforcement has had success in fighting criminals through increased cooperation with the private sector and foreign governments, he said, but business practices and processes need to change to improve security.

Consolidating the IT budget under a single official rather than distributing it throughout various offices and agencies creates the ability to enforce enterprisewide policies and control IT programs. Baker said he has been able to save millions of dollars by ordering an end to hundreds of projects that were not performing — because he held the purse strings.

Baker said he now has visibility into most of VA’s 300,000 desktop PCs and has established a departmental network control center — two major steps forward.

“But in 2007, I was a lot further along than that in a large private organization” because of the centralized authority, he added.

Before joining VA in 2009, Baker was president and CEO of Dataline, and before that, he was CIO at General Dynamics IT.

In the private sector, he had control of all access and perimeter defenses and was able to do continuous monitoring of systems, a goal only now being addressed in government. He said he would like to have the ability to do blacklisting, the blocking of sites, applications and other online resources that have been declared unsafe. In the private sector, companies are already talking about whitelisting, the more restrictive practice of allowing only approved resources into the network.

Baker said VA is continuously under attack from without and from within. The outside threats get the most attention, but the breaches caused by insiders “are the most painful,” he said. The high-profile laptop theft in 2006 was the result of insider error, and he said 99 percent of the insider problems are the result of “stupid human tricks.”

Not all the breaches are high-tech. “Paper causes me the worst privacy problems,” he said. The most recent incident was an 18-inch stack of papers containing personal information that was improperly put in a dumpster. The documents have not been recovered. He said they are probably at the bottom of a landfill, but there is no way to be certain of that.

Baker praised the rank-and-file workers who have day-to-day responsibility for IT security and do the best they can. But he said they are challenged by bureaucracy and management practices that interfere with effective security policies and controls. He called the lack of central authority “the elephant in the room” that nobody wants to address.

Baker said he does not expect government to fully catch up with the private sector in its security controls, but he would be happy if he were able to do at VA this year what the private sector was doing last year.

Reader Comments

Mon, Mar 17, 2014 Jerry

Ask any VA IT staff where the "leader" of the centralization of VA IT is currently? (Hint: Not in VA) Then ask a facility VA IT staff where the state of VA IT is at currently? (See chaos, see Josh Ohio) I could not have said it better.

Wed, Aug 24, 2011

I am employed by DHHS working on detail doing scientific research at the VA. Data security is a must for anybody, not only at work but also at home. The question is to what extent. From my experience, a single, one-size-fits-all solution to assure data security, centrally or locally implemented, does not seem like a good approach. In fact, it can be counterproductive and can inhibit carrying out my primary mission, doing research. With today's technology, it should be possible to rate data files and to automatically decide what efforts should be made to secure each data file, depending on the type of data. Obviously, a missile launch code requires a different level of security than a social security number or scientific data that are generated for future publication. When security restrictions severely interfere with my primary mission, it becomes a serious problem for me. This happens here at VA Research all the time. I am sure this is not intentional; however, VA IT support is unresponsive to this problem and refers to the VA security requirements that are implemented centrally. Knowledgeable local administrators, who work with US government PC users, should be able to adjust security levels as needed and should, together with the individual user, also be held accountable for any severe breaches that might have been caused by their action. The likelihood for this to happen in research is minimal and can easily be avoided. In my opinion this seems like a safer solution than a secure-all/breach-all solution, which also feeds an unnecessary, counterproductive lack of trust between IT Security and individual PC users. Dealing with IT security at DHHS is a totally different experience for me, with a more collegial and rational approach to solving problems arising from maintaining data security without interfering with my research.

Tue, Mar 29, 2011 Jeff Kentucky

Listen to the users... as a government employee who has a strong IT background, but is now working in admin/analysis, I see an incredible dumbing down of our network resources. I understand the need to lock things down and restrict installation of apps etc., but some of the policies and procedures that are in place were designed with the lowest common denominator of user in mind. It makes the network look like a Fisher-Price toy compared to the high-tech tool it should be.

Mon, Feb 28, 2011 usa_two California

I agree with Josh. Central IT operations never work in the long run. However, I have seen examples where centralized "Governance" works admirably well. The IT shops are in tune with the needs of their customers (distributed), but yet operate under an all-encompassing security policy that is dictated from the top (centralized). This model has worked well in many large companies. I work in the public sector, and when most IT departments were centralized, it created a disaster and the customer needs were not consistently met. Most department directors that must use central IT services wish they had their own IT back. So what happens if there are insufficient resources to accommodate each line of business? Who suffers? Rhetorical question, I know. In a distributed environment, no problem here. With proper coordination and governance from above, a centralized security implementation can be maintained. It just takes managers and VPs with the proper skill sets to implement the model. Just because a person may have had experience in one line of business or in one IT area does not necessarily qualify him in all IT areas. Plus, any new CIO will always want to change things to show those who hired him that he is doing something. The pendulum has always swung from centralized to de-centralized and back and forth. The money spent on swinging the pendulum could have been better spent recruiting and hiring a CIO with experience to operate a de-centralized environment with a centralized governance policy.

Sun, Feb 27, 2011 Josh Ohio

Baker doesn't know what he's talking about. The over-centralization adds bureaucracy to the lumbering beast that is Government IT, and reduces its ability to transition quickly to newer technology. The key is smaller operations. It's odd that I work for General Dynamics IT and their IT is a freaking mess due to over-centralization. Nobody can get anything done. For those of you in the DoD, think AFNETOPS, or anything similar in the other branches. If you'd like to maintain the ability to respond quickly to zero-day exploits, or have someone trained who can deploy and set up an entire domain with email/firewalls/etc., you need to stop listening to this old hack. CIOs read too many magazines.