CIOs gird for security risks

CIOs gird for security risks

FEMA CIO Ronald E. Miller says he responded to the dismal situation he found when he took over in October by shaking up the agency's security organization.

IT managers across the federal government are grappling with security problems that were brought to the forefront of their attention by last year's terrorist attacks.

The issues they face come both from within their agencies and from other sources. Dealing with them often requires persistence and innovation, several systems chiefs said at a recent Potomac Forum conference.

Federal Emergency Management Agency CIO Ronald E. Miller responded to the dismal security situation he found when he took over in October by shaking up his agency's security organization.

Miller said he walked into his office and found a stack of inspector general audits, vulnerability assessments and other government reports that spelled out 'how horrible FEMA's security was. It was quite clear we had a lot of work to do.'

After the Sept. 11 attacks, FEMA workers had to build a new regional operations center in New York in 36 hours, Miller said. 'While we were trying to contend with this, the Nimda worm comes along,' he said.

Most of FEMA's servers were removed from the network, checked for the correct security patches and restored, Miller said. The process took 'about two or three weeks at a very critical time,' he said.

FEMA's password files could be easily penetrated, according to an agency vulnerability study, Miller said.

He ordered the creation of a central cybersecurity office to oversee security policy, programs and training 'and the things that really need to come before we start talking about technology.'

One of Miller's goals is to establish configuration control over FEMA's network. He discovered that FEMA has about 500 servers for its 2,600 employees.

To reduce the number of servers, Miller sent out a letter asking employees what each server does and what its security configuration is. Employees who responded got help in bringing their servers into security compliance; the others will be unplugged, Miller said.

'I'm not convinced yet that it's something where resources are an issue,' Miller said of the government's IT security problems. 'I'm convinced at this point that we haven't used the resources we have as effectively as we could.'

Lee Holcomb, NASA's CIO, said his agency started an extensive internal security assessment about three years ago. 'We were in very bad shape,' Holcomb said. 'We ended up with a list of about 60 major recommendations.'

NASA officials decided to start with 'the easy things,' Holcomb said, by training employees. The agency now has installed various tools to detect intrusion and respond to incidents.

NASA IT specialists scan the agency's 85,000 computers for security weaknesses, Holcomb said. 'I think out of 150 mission-critical systems we had two years ago, about 20 percent of the systems had current, audited security plans and risk assessments,' Holcomb said. 'That's a pretty pathetic score.' NASA has improved that figure to close to 100 percent.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.