What went wrong?

Good intentions couldn't save CISO Exchange from backlash over $75,000 industry fees; How this public-private partnership to improve IT security came unraveled

By
Alice Lipowicz

When Stephen O'Keeffe introduced members of the newly formed advisory board of the Chief Information Security Officers Exchange at an April 5 press conference, the initiative seemed to have all the elements for success.

The exchange was to be led by Rep. Tom Davis (R-Va.), the powerful chairman of the House Government Reform Committee, and Vance Hitch, chief information officer of the Justice Department and chairman of the Federal CIO Council's committee on cybersecurity and privacy.

They were assisted by O'Keeffe, an Alexandria, Va., public relations executive who had organized and was managing the exchange.

Although Davis did not attend the press conference, Hitch was there and helped O'Keeffe introduce the federal CISOs who would sit on the exchange's advisory board. Everyone agreed that an organization bringing together industry and government experts to improve federal cybersecurity was urgently needed.

"Our industry support has been overwhelming," O'Keeffe said from a Washington Convention Center podium.

In less than two weeks, however, Davis and Hitch were running away from the exchange as if it were a virus. Their main worry was that the $75,000 fees charged to the exchange's six industry board members might look like payments for exclusive access to the top-level government officials on the board.

On April 14, the CISO Exchange officially shut down. To date, the attempts to revive it in some fashion have been unsuccessful.

"This horse is dead," O'Keeffe said recently regarding the exchange.

That the CISO Exchange collapsed so quickly is an example of how even the most experienced government and corporate executives can get tangled in a messy partnership. Davis and Hitch are among the most influential officials in federal IT policymaking, and O'Keeffe is a seasoned public relations expert with many IT clients.

But now, Hitch describes the exchange as simply a "paper proposal," Davis says he never knew about the $75,000 fees, and O'Keeffe is virtually the only one left defending it. How did they get tripped up?

 

'TOP-OF-THE-CLASS' IT SECURITY

The CISO Exchange did not get much attention when Davis announced its formation in February. He unveiled the exchange as he released the Reform Committee's annual report card on federal information security, which again gave most federal agencies very low grades.

Davis has pushed for more interaction between industry and government to improve government performance, and supported the Digital Tech Corps, which lets government IT workers do stints in industry. The CISO Exchange would follow that example and "bring together federal CISOs and industry leaders to move our government to the top of the class in IT security," Davis said in a Feb. 16 press release.

Davis said the exchange would be chaired by himself and by the federal CIO Council, represented, respectively, by committee Staff Director Melissa Wojciak and Hitch. Wojciak and Hitch also would chair the exchange's advisory board, which would meet quarterly to discuss best practices and produce an annual report on federal IT security.

O'Keeffe, founder of public relations firm O'Keeffe & Company, assumed the role of executive director. O'Keeffe's firm lists among its clients government IT firms such as EzGov Inc., CDW Government Inc. and Northrop Grumman Corp., and agencies and associations, including the General Services Administration and the Armed Forces Communications and Electronics Association.

Don Upson, former technology secretary for Virginia and principal of IDG Government consulting firm in Richmond, Va., was to be a minority partner in the exchange and also was to put on programs for the group. Upson's firm lists as one of its executives Davis' wife, Jeannemarie Devolites Davis, a Republican state senator in Virginia, but there is no indication she was involved in the exchange. Mrs. Davis did not respond to several calls requesting comment.

At the FOSE 2005 trade show April 5, O'Keeffe and Hitch announced the names of the other advisory board members, including six chief information security officers from the Defense, Homeland Security, Housing and Urban Development, Justice, State and Treasury departments.

They also announced that Ken Ammon, president of government solutions for NetSec Inc., and Austin Yerks, president of business development of the federal sector for Computer Sciences Corp., would be the first two of six planned industry members on the exchange's advisory board.

"Although industry does not have the same report card, industry has the same issues," said Jane Scott Norris, State Department CISO, after the press conference.

O'Keeffe also unveiled the CISO Exchange's fee structure. The six industry sponsors who paid $75,000 would be allowed to sit on the board and to attend meetings, but the corporate exchange members who paid $25,000 or $5,000 membership fees, while receiving some benefits, would not be eligible to attend the meetings -- except for a winner of a special lottery held for that purpose, he said.

 

'ATMOSPHERICS DON'T LOOK GOOD'

Almost immediately following the press conference, questions were raised about the fees and the prospect that the fees, combined with the limited access to meetings, might create an appearance of selling exclusive access to federal officials.

"These are closed meetings where you pay your way in," Bob Woods, executive chairman of the Industry Advisory council, an IT industry group, said April 8. "The atmospherics don't look good."

Questions also arose about the legal structure of the CISO Exchange, which, chaired by two federal officials, appeared to have official federal sanction. However, it was not established as a federal advisory board under the Federal Advisory Committee Act, according to David Marin, deputy staff director for the House Government Reform Committee.

The exchange was neither a non-profit organization nor a corporation, according to O'Keeffe. Its fees were to be held in a bank account belonging to a holding company of his firm.

On April 8, Davis said he was re-evaluating his role, citing concerns over the fees and structure.

"We were not aware of fees being charged," the Reform Committee's Marin said. Davis does not want "any would-be sponsor to believe that sponsoring the exchange means they will have an inside track to him or committee staff," Marin said. Furthermore, Davis "wants to make absolutely sure that no one infers that the committee's name or resources are being used to support a commercial endeavor."

Other participants reconsidered as well. On April 11, CSC's Yerks withdrew, saying he "shared the chairman's concerns," said company spokesman Chuck Taylor.

Even so, Davis defended the exchange April 12 at Federal Sources Inc.'s annual federal outlook conference.

"This brings a cross-pollination of cultures of the private sector and the government sector," Davis said. "We stand behind it, and we think it's going to be a successful program."

[IMGCAP(2)]Later the same day, however, the other co-chair, Hitch, began distancing himself from the exchange. Hitch, who had stood with O'Keeffe when the organization's advisory board was announced, now termed those announcements as premature.

"I'm not officially co-chairman yet, because [the CISO Exchange] doesn't exist yet," Hitch said. "It's a paper proposal." He added that he was examining "noncontroversial" alternatives to the exchange.

Two days later, the CISO Exchange was dead.

"We are not co-chairing," Marin said April 14. Neither Davis nor Wojciak would be involved with the group, he said.

The CIO Council also pulled out, stating it was looking to establish an exchange with industry "that is open and accessible to all members of the IT community in both the government and private sector," said Dan Matthews, vice chairman of the council.

O'Keeffe, in several calls after the collapse, seemed stunned by the turn of events and repeatedly challenged media accounts of what had occurred.

"Where is the news story?" he wrote in an e-mail to a reporter.

O'Keeffe argued that the exchange was similar to several other business programs around Washington that involve government participants, including dinners, conferences and trade shows sponsored by PostNewsweek Tech Media and Federal Computer Week, among others. He also said a Washington Technology reporter had a conflict of interest in writing about the CISO Exchange because the magazine is owned by PostNewsweek Tech Media.

The exchange had been subjected to "misinterpretation," O'Keeffe said. "This is nothing new."

 

LESSONS LEARNED

In hindsight, it appears a lack of communication among its organizers contributed to the CISO Exchange's demise. But fundamental problems with the group's fees and structure ultimately brought it down.

That the six paying sponsors would meet regularly -- and exclusively -- with senior government officials was problematic, said Patricia Salkin, director of the Government Law Center at Albany Law School.

"It creates a public perception of advantage," Salkin said. "Whether it is undue influence or not, there is the appearance."

If an open invitation to attend had been extended to all CISO Exchange members, and if the fees had been more affordable to all, the group's fate might have been different, Salkin said.

Charging a fee, even as high as $75,000, to private sector participants to partner with a government entity might be acceptable in some major initiatives, said Lawrence Martin, director for the Center for Community Partnerships, which studies public-private partnerships, at the University of Central Florida in Orlando. But charging a $75,000 fee, limiting industry access to the six paying sponsors and closing the meetings to the public are all features likely to raise eyebrows, Martin said.

"It doesn't pass the 'smell test,' " Martin said. "I would not want to condemn it, but someone did not put a lot of thought into how this would be perceived by the public."

Even so, some of the criticism might have been muted somewhat by "public education" about why the high fees and limited access were necessary to meet the goals of the group, Martin said.

O'Keeffe said the fees -- totaling $450,000 from the six board members alone -- would cover his own hourly management fees, staff costs for report preparation, and expenses for the meetings and an annual dinner.

But Upson, while defending the fees, agreed they were not explained well.

"It's not that the fees were bad, but there needed to be an explanation of what would be done with the money," Upson said.

Woods said simply that the $75,000 fees appeared too greedy.

"If it had been 25 grand, nobody would have paid attention," he said.

O'Keeffe cited many examples of corporate sponsors paying high fees to mingle with high-level government officials at dinners, conferences, educational forums and trade shows.

"There is a clear precedent for government executives participating in private sector, sponsor-funded initiatives," O'Keeffe said, referring to the FOSE trade show and other events owned by PostNewsweek Tech Media.

However, Jan Baran, senior partner in Wiley, Rein and Fielding in Washington and an expert in government ethics, said the events named by O'Keeffe -- dinners, trade shows, conferences and such -- are clearly owned and operated by private business interests, even though they may include government officials as participants. In contrast, the CISO Exchange was to be headed by two federal officials, he said.

Federal officials may give a speech or attend a conference with private industry sponsors, but under most government ethics rules, "they cannot run an organization like this," Baran said. "It sounds like this organization was created with an expectation that the congressional and government officers would be running it. It was wrongly structured."

Marin, asked about the ethics rules, said Davis believed the exchange was to be an "informal" group and became "uncomfortable," ultimately dropping out when the CISO Exchange's structure was announced.

As for the CIO Council, it "never en-dorsed or co-chaired the CISO Exchange," said Council Vice Chairman Matthews.

Shortly before the CISO Exchange fell apart, some of the federal officials involved approached the Industry Advisory Council to investigate the possibility of setting up a CISO partnership with that group. No formal proposal was advanced to the council, however, Woods said.

"The ball is in the CIO Council's court," he said.

But nothing looks to be happening immediately. The CIO Council is working with its own Best Practices Committee to "restructure" a forum for its CISOs, Matthews said April 29. At this time, the CIO Council is not negotiating with any private sector groups or individuals, he said.

Asked what went wrong with the exchange, Matthews said: "The CISO Exchange was structured, as originally proposed, with limited membership. That structure gave the perception of impropriety."

In the weeks following the demise of the CISO Exchange, the CIO Council began re-examining its private sector relationships.

"In the coming months, the Council will be crafting guidance to ensure that these relationships provide for close interaction between business and government while providing a clean and competitive environment for all," Karen Evans, council director and administrator of IT and e-government for the Office of Management and Budget, wrote in an e-mailed statement.

Davis also is open to ideas about forming another exchange for federal CISOs, but there is no specific proposal at this time, Marin said. While Davis "still supports the goal" of the CISO Exchange, he was uncomfortable with the group's structure and fees, Marin said.

Although O'Keeffe has dismantled the exchange, he continues to defend the group's fees and organization.

"It's a pity this program has folded," he said. "There needs to be a bright line on what is appropriate and what is not appropriate."

Staff Writer Alice Lipowicz can be reached at alipowicz@postnewsweektech.com. PostNewsweek Tech Media Staff Writers Wilson Dizard, Roseanne Gerin, Jason Miller and Patience Wait contributed to this story.