- By Jason Miller
- May 28, 2002
GCN Management Photos by Henrik G. DeGyor
When the Environmental Protection Agency got wind of a pending GAO report outlining security weaknesses, the agency shut down its Internet connection and quickly started making fixes. Above, left to right: Mark Day, deputy CIO for technology and director of the Office of Technology, Operations and Planning; Mojgan Rahai, shared services expert and team coordinator, and Bill Sabbagh.
A bad report from an auditor can do more than ruin you day. In an extreme case, it can threaten a cherished program or project that has absorbed a lot of time, effort and funds.
Typically, reports from the General Accounting Office or an inspector general initiate a fairly routine process. Agency chiefs might be upset by a report, but they respond to inquiries, work with auditors, agree at least somewhat with their findings and develop a plan to make things better.
On the rare occasion when a report illustrates holes in an agency's operation, as opposed to policy flaws, it's time for officials to go into crisis mode.
Many agencies, however, don't have the crisis management skills to deal with such a situation, according to several former government officials.
'The tendency is for people to go into bunker mentality,' said Bob Woods, who spent 30 years in government IT, including time as a deputy assistant secretary for IT at the Veterans Affairs Department and as commissioner of the General Services Administration's Federal Technology Service.Perception problem
'They don't have continuous communications with oversight people, the press, the agency customer, vendors and industry associations,' said Woods, now an executive with the government services group of Affiliated Computer Services Inc. of Dallas. 'The government does not manage perception well.'
Because of this bunker mentality, agencies may face the perception of wrongdoing when a negative GAO or IG report becomes public, said Elaine Kamarck, who ran the National Partnership for Reinventing Government for the Clinton administration from 1993 to 1997 and received her fair share of GAO reports.
'Many agencies just are not open about their problems, which leads to the assumption that something illegal is going on,' said Kamarck, who now is a professor at Harvard University's Kennedy School for Government. 'The way to defuse the situation is to talk it to death.'
When the Environmental Protection Agency went into crisis mode in February 2000, then-CIO Al Pesachowitz and Mark Day, deputy CIO for technology and director of the Office of Technology, Operations and Planning, initially relied on internal communications.Verify the criticism
EPA officials learned that some members of Congress were going to release a GAO report summary outlining weaknesses in EPA's Internet and Web site security. The fear was that hackers would target EPA's security vulnerabilities, said Pesachowitz, who now is a civilian-sector executive at Grant Thorton LLP of Chicago.
One of the first things Pesachowitz and Day did was make sure GAO's findings were credible. Once they realized the report was valid, they met with then-EPA administrator Carol Browner to explain the issue.
'I walked her through the problems and how we needed to fix them and then recommended [that EPA] take the Web site and Internet connection down,' Day said. 'Since this was an operational issue, it needed a more immediate response.'
Browner made the call to shut down the Internet connection, Day said.
Therese Morin, a lead partner for IT solutions at PricewaterhouseCoopers LLP of Arlington, Va., and co-author of Information Leadership: A Government Executive Guide, said having a plan in place and discussing that plan with GAO is an important first step in crisis management.
'A lot of agencies have a tendency to sweep the report under the rug or fight GAO, but if you show GAO the action you plan on taking, they will be receptive to working with you,' she said.
Kamarck also suggested talking to congressional appropriators and authorizers so they understand why the report came out and what you will do about it.
'Sometimes the cure can be worse than the disease,' Kamarck said. 'Once you get a negative report, congressional members or the cabinet secretary may try to micromanage the problem, and that makes things worse.'
After the decision to take EPA's Internet connection down, Pesachowitz put a 'swat' team in motion to fix the weaknesses. The quick-response team was made up of IT employees and key managers, led by Day.
Over a four-day period, the team went to work installing a firewall to separate EPA's intranet from its public access site. Pesachowitz also asked senior managers for a prioritized list of what had to be put back on the Web.Communication is key
Greg Shaw, a research scientist for the George Washington University Institute for Crisis, Disaster and Risk Management, said communicating with the stakeholders'in this case, agency employees'is a key piece in managing the crisis.
Four days after the report came out, EPA restored limited Internet access, Day said. Employees could search the Web, but could not download or fill out forms online.
Morin said fixing some problems quickly is a valuable first step in managing a crisis because it shows the agency's commitment to resolving the report's findings.
EPA also hired Science Applications International Corp. of San Diego to help with some of the long-term security issues, Pesachowitz said.
'We were prepared to put in the new firewall in April, so we just had to accelerate,' Pesachowitz said. 'We had all the equipment on site and the wiring of the building was already finished. Otherwise, this would have taken us much longer.'
The swat team continued to work on GAO's concerns over the next three months, restoring 91 percent of EPA's Web functionality, Day said. The team, which met with Day weekly for the first 90 days and now meets monthly, has become a permanent security organization within the agency, Pesachowitz said.
Shaw said changing policies and practices, such as establishing the security group, provides future auditors with proof that the agency took the report seriously and improved business operations.
EPA formalized a security policy and procedures by the middle of last year.
Woods said successful crisis management comes back to communicating with all parties.
Agency officials should never be surprised by a GAO or IG report, he added.
'If you meet regularly with your oversight committees and you coordinate with stakeholders, you will never have a problem,' he said. 'When you don't involve someone, they will be the ones screaming the loudest.'