Securing Government IT: Your Tax Dollars Not At Work

Securing our federal IT systems and networks is so important that spending tax dollars to educate some 125 federal chief information security officers about the latest in cybersecurity-and to get them to collaborate-seems like a sound investment. That's not the case, however.The government has opted to have private businesses, especially companies that sell IT security products and services, to pick up the tab. Earlier this month, through the auspices of House Government Reform Committee chairman Tom Davis, R.-Va., and the Federal CIO Council, the CISO Exchange was created. What prompted Davis and the CIOs to create the exchange? Very poor grades-a D average-government agencies received on an IT security scorecard; one-quarter of the agencies got an F.

Yet, the government already has two other organization with the aim to educate CISOs and get them to work together to tackle this vital challenge. The Federal Computer Security Program Managers' Forum, sponsored by the National Institute of Standards and Technology, holds bimonthly meetings, in which a guest speaker-usually a government security expert-makes a presentation, followed by discussion among the security managers. Unlike the new CISO Exchange, the NIST-backed forum doesn't invite private industry to participate. "This is strictly an information exchange," says Marianne Swanson, the NIST official who manages the forum. "We're not going off to write new policy documents." In addition, any government security manager can participate; the CISO Exchange is aimed at senior information security officers.

The other group, the CISO Forum, was created about two years ago by the then-government IT security chief Amit Yoran, and aimed at CISOs throughout government. That forum eventually was housed in the Department of Homeland Security when Congress created the department. It held bimonthly meetings, and established working groups that tackled concerns such as configuration, patch management, and compliance of with the Federal Information Security Management Act.

But interest in continuing the CISO Forum seemed to vanish when its chief sponsor Yoran department government last fall. It hasn't met since last August, according to government officials. Homeland Security hasn't responded to repeated inquiries seeking the status of the CISO Forum.

"It would be very unfortunately if the group does not continue to exist; there was a fantastic exchange between the CISOs, by learning from each other and not repeating the same mistakes," Yoran says.

Yoran, in creating the forum, says he made a conscious decision to keep the forum a tight-knit group of CISOs. "There was a certain level of candor that wouldn't have been accomplished if the venue was more open."

But Yoran, a former Symantec VP and now an advisor to a number of IT firms, says he could see the CISO Exchange, especially the sharing of ideas between government IT security officials and IT security vendors, as a logical next step. CISOs benefit, he says, by learning about the latest technologies to thwart damage to IT systems. The vendors benefit, he adds, because they hear first hand of the security predicaments government IT managers face and can use that knowledge to adapt products to meet those challenges.

Meanwhile, the White House isn't giving the CISO Forum a rousing endorsement. Seeking an official to comment on the CISO Forum, the Office of Management and Budget-the White House office charged with developing government IT policy-instead issued a 99-word statement that supports the idea that CIOs, not CISOs, be held responsible for establishing IT security.

"The Chief Information Security Officer's Forum, like many other informal groups of government technology officials, plays a role in identifying challenges, opportunities, and best practices in their fields," the statement reads. "Each member of the forum advances their work through their respective Chief Information Officer, and each CIO meets as a member of the statutorily established Chief Information Officers Council. It is through the regular Council meetings and the work of its committees that the Office of Management and Budget receives the input of the CIOs, which may include the work product of the CIO Security Officer's Forum and other similar bodies."

Perhaps the White House is right: CIOs should be the ultimate IT-business official responsible for securing their agencies technology infrastructure. In fact, Justice Department CIO Vance Hitch co-chairs the CISO Exchange; he chairs the CIO Council panel on IT security and privacy. Still, I'd be willing to dig a bit deeper into my pockets to assure that the CISOs-the CIOs' chief advisors on IT security-were unfettered by outside influences in helping formulate federal IT security policy.