Security is 2000's hot issue, but government needs to give it focus
Christopher J. Dorobek
Like the drumbeat from a marching band, the word has been going out for the last nine months that cybersecurity would be this year's big action item. A scan of the headlines on almost any day indicates that the predictions have come true.
Distributed denial-of-service attacks, e-mail viruses, stolen notebook PCs and misconfigured firewalls are big news. And within government, the security of information systems, networks and data transmissions is a dominant issue.
Many facets
Much like concern about the year 2000 problem during 1998 and 1999, systems security leaves a large wake. Among other things, it has revived the long-running question of whether to name a governmentwide chief information officer.
David L. McClure, associate director for information technology management at the General Accounting Office, said recently that the position of a governmentwide CIO is not as important as the role the person would play and how much authority the person would have. Some IT officials say the CIO Council already fills that purpose more effectively than could a single person. The debate continues over how effective a general-purpose CIO would be.
But the most important ingredient in achieving federal IT security is awareness. As was the case during early year 2000 preparations, it seems that senior management does not take the issue seriously.
In February, distributed denial-of-service attacks prevented people from accessing Web sites for a few hours. How bad can that be?
In fact, those attacks are relatively insignificant in the grand scheme of things, but they are an indication of what might lie ahead.
A senior official at one Cabinet department said that when that department's Web site was hacked into several years ago (one of the first such attacks on a government site), it was painful in the short term. But the event grabbed the attention of senior management and illustrated the system's vulnerabilities, which in the end was good.
Security in and of itself is a tough sell. But promoting security as a cornerstone for carrying out an agency's mission makes improving security easier.
Rather than promoting security as a necessary shield against unseen, unpredictable threats, agency IT chiefs would gain traction by including security measures as essential components of any plan for electronic commerce or other online practice, from providing citizen services to allowing employee telecommuting.
It is revealing that the CIO Council broadened its security committee to include privacy and critical infrastructure protection. As agencies focus on electronic-government initiatives, security is no longer a matter of convenience but an integral part of the framework.
Most IT officials acknowledge that their systems are not secure enough. State Department CIO Fernando Burbano has made an eloquent case for a cybersecurity supplemental spending bill to provide agencies with funds to fix systems.
Once existing systems are safe, new systems could have the proper security built in.
The big differences between security and the year 2000 problem are that the latter had an immutable deadline and a fixed definition: The date code fixes had to be completed by Dec. 31. The security issue fluctuates with each passing month, and nobody expects an end to it.
As more of the government's business is conducted online, the hope among IT officials is that it won't take a disaster to convince people of security's importance. For e-government to become a reality, users' trust in government systems will have to be rock solid. The key to gaining that trust is security.