INTERVIEW: Lee Holcomb, techie-turned-manager
NASA faces work force, security concerns
Before becoming NASA's chief information officer, Lee Holcomb was a self-described techie for the space agency, serving as its director for information technology strategy.
In that job, Holcomb ran one of the world's first massively parallel processing systems and developed a real-time synthetic aperture radar processor.
He also worked on applications to support Voyager spacecraft, space shuttle and air traffic control systems.
As the Internet developed, Holcomb also helped establish NASA Web sites for aeronautics and space data, and educational products.
Holcomb also was a senior engineer at NASA's Jet Propulsion Laboratory, where he was responsible for directing Voyager spacecraft hardware development and systems analyses.
Since taking over the CIO post in October 1997, Holcomb has dealt with the space agency's budget, policy and personnel issues relating to technology.
Holcomb has a bachelor's degree from the University of California at Los Angeles and a master's degree from the California Institute of Technology. He also was a Sloan Fellow at the Massachusetts Institute of Technology.
Freelance writer Merry Mayer interviewed Holcomb by telephone.
GCN: Name your biggest budget concerns.
HOLCOMB:
Two things I would comment on. One is in information technology security. Our investment has grown substantially over the last few years as a percent of our programs. I think that is indicative that we are now reaching a more appropriate level of investment in IT security. That number is somewhat over $100 million for the agency.
The other area the agency is looking at is how it does electronic business in the future. As a result of that, we may determine that an increased investment to improve our productivity and what we are able to achieve may be warranted. So you may see some growth for e-NASA types of initiatives.
GCN: How is NASA doing with recruiting and keeping IT workers?
HOLCOMB:
Recruitment and retention is a problem throughout the federal government in all IT worker communities. NASA has been successful in attracting IT professionals into certain areas.
For instance, in the research community we have been reasonably successful in bringing in assistant professors or those who are in the research community because we offer a tremendous opportunity to take on a very challenging set of problems.
In more operational areas, such as networking and IT security, we have to compete with the private-sector market, and it is difficult. We have looked at some latitude in changing pay scales provided by the Office of Personnel Management and that has provided a modest incentive.
There has been work by the federal CIO Council on this issue. There have been proposals such as the Cyber Corps, which would let the government pay educational expenses and the individual would agree to work for a period of two or three years for the federal government. Those sorts of activities, I think, offer an opportunity to help with retention.
It is a big problem. The demographics in the federal government show that the work force is aging. Depending on the agency or the area, you could have as many as 50 percent of your work force eligible for retirement sometime in the next four years.
GCN: The House Government Reform Subcommittee on Government Management, Information and Technology last year gave NASA, along with many other agencies, a 'D' for its security practices. Why?
HOLCOMB:
We met with the staff members of the committee and went over their method of scoring the agencies. We expressed a fairly strong disagreement with their method.
The questionnaires they offered were appropriate if you are trying to grade a financial system that is pretty modest in size. That is in fact what it was based on, a set of audit standards used for small financial systems.
If you try to use those same standards for a large agency with mission-critical systems, financial systems, Web pages and so forth, their method of analyzing doesn't really give a good perspective.
- Family: Wife and a 15-year-old daughter
- Hometown: Los Angeles
- Last movie seen: 'Miss Congeniality'
- Hobbies: Tennis, as much as possible
- Favorite Web site: www.nasa.gov
GCN: How is your agency trying to improve security?
HOLCOMB:
We have set top-level IT security goals. We believe auditing against our achievement of these goals with real metrics is a more appropriate way to go forward.
Goal No. 1 is making sure NASA and contract employees understand their responsibilities and demonstrate their skills. We measure that through training of chief information officers, IT managers and systems administrators. And we track percentage of training by individuals. We also look at the percentage of applicable contracts that have implemented our most recent IT security policies in contractual clauses.
Goal No. 2 is looking for systems and application vulnerabilities and making sure they are kept at a level where they don't jeopardize operations. We use audit tools to specifically measure the number of known vulnerabilities per system in the agency.
The third goal is to issue intrusion attempt alerts and take effective action. We want to make sure we maintain and identify and distribute a hostile site list. We want to make sure that our emergency notification is successful.
We use a ratio of successful compromises to attacks, and we want to drive that down to a low level. We have tracked that for several quarters now, and in the last four quarters that ratio is dropping. We are getting more effective at shielding ourselves from attack.
The fourth goal we have set is to have an effective infrastructure for authentication and access control. Our first step will be in deploying a public-key infrastructure. Last year, the infrastructure was put in place; this year, we are deploying the computers for PKI.
Goal No. 5 is to maintain effective policies and guidance. In this area, we tracked a number of NASA systems that have implemented comprehensive IT security plans.
I would not say at this point that we have solved all these problems, but we are moving in the right direction.
GCN: Using your metrics, what grade do you think you should have received?
HOLCOMB:
I think among the federal agencies we should have been in the B range.
GCN: Do you think that the amount of information NASA puts on the Internet makes the agency vulnerable?
HOLCOMB:
We have a duality of roles. On the one hand, we need to communicate with the public and inform them of what we are doing. Many people who come to work for NASA do so because they can openly speak about everything they do. There are tremendous opportunities and value in sharing the excitement of space with the whole world. We as an agency will always be very open; that is in our culture, and that is in our mission.
We have always had a big presence on the Web. We have about 1.9 million publicly accessible Web pages, making us one of the larger agencies in terms of volume of information. That does pose a big challenge.
Every one of those external Web sites can become a point at which someone could attack the agency. So we have to balance our desire to be open and publish everything that is appropriate to publish and also provide for layered security or increased security for areas that need to be protected. So we have tried to lay out a strategy that allows us to be both open and protective.
GCN: Please talk a little about e-NASA.
HOLCOMB:
We have developed a framework. We haven't taken this too far yet. We are really looking at four portals.
One is a portal for those who want to do business with NASA. In that portal, I think the Virtual Procurement Office would fit.
What our e-NASA strategy would do is to allow those who want to do business with NASA to get the information they need to compete with others for NASA work via the portal. So it is broader than electronic transactions for procurement.
It would enable small businesses, large businesses and disadvantaged businesses to be on an even playing ground, to electronically obtain information that they need to compete for grants, contracts and so forth.
Our e-NASA strategy also includes portals serving three other communities. One would be a team doing collaborative work - that would include contractors, universities and others building spacecraft and doing science and engineering.
There is a portal for employees that deals with internal business processes and employee needs.
Finally, there is a public portal to help anyone access the 1.9 million Web pages that we have.