Administration faulted for lack of IT security leadership

Two former government IT security officials today criticized the administration before a House panel for a lack of leadership in IT security.

"There is at this moment a serious void in the executive branch leadership," following the dissolution of the President's Critical Infrastructure Board, said Michael A. Vatis, former head of the National Infrastructure Protection Center. The new Homeland Security Department is expected to assume the board's responsibilities, but "that void is likely to continue at the leadership level for several months."

Richard Clarke, former chairman of the Critical Infrastructure Board, said the new department should be the focus for information security. "Unfortunately, the department in the early days has not organized itself to take that responsibility," he said. Clarke also criticized the lack of a governmentwide chief information security officer with a full-time White House staff.

The comments were made in testimony before the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

The story from the Office of Management and Budget and the General Accounting Office was a familiar one, summed up by the title of GAO's most recent report on information security: "Progress made, but challenges remain to protect federal systems and the nation's critical infrastructures."

Mark A. Forman, OMB's associate director for IT and electronic government, sought to assure the panel that "cybersecurity is a top priority in the administration's national security efforts."

He said mandatory reports by agencies to OMB showed "substantial improvements" in IT security. Sixty-one percent of agencies have current IT security plans in place at the close of fiscal 2002, compared with 40 percent the year before, and 47 percent of IT systems have been certified and accredited for security. The amount of money being spent on federal IT security climbed to an estimated $4.25 billion this year, compared with $2.7 billion the pervious year, and is expected to grow to $4.7 billion next year.

But despite the improvements, GAO concluded that "significant information security weaknesses at 24 major agencies continue to place a broad array of federal operations and assets at risk. Although recent reporting by these agencies showed some improvements, GAO found that agencies still have not established information security programs consistent with the legal requirements."

Vatis, who is now director of Dartmouth College's Institute for Security Technology Studies, said the government's security posture is growing worse.

"We have in many respects regressed in recent months," he said, due in part to the shift of responsibilities to the Homeland Security Department.

Although employees were supposed to be transferred to the new department along with cybersecurity responsibilities, that has not always happened, Vatis said. NIPC was supposed to contribute 300 people when it moved from the FBI to the department. "In reality it was mostly a transfer of vacant full-time positions," he said. "Homeland Security now has the challenge of filling those positions. It could take over a year to get back to where we were."

Outsourcing was the key to improving government security, Clarke said. "There is a real reluctance to outsource IT security, but that's the answer," he said.

Clarke added that government has a long way to go to catch up with the private sector in security and urged the subcommittee to be a gadfly in pushing the administration to greater efforts.

"You have a great opportunity to be a pain in the rear end to this administration, and I encourage you to take full advantage of it," he said.