Homeland Security CIO Answers Tough Questions

By CIOinsight  |  Posted 09-01-2004

The first CIO of the Department of Homeland Security, Steven Cooper was appointed by President Bush in February, 2003, and he immediately began the daunting task of knitting together the 22 agencies and 190,000 federal employees who now make up the DHS.

It's a tough job, but a critical one.

Cooper believes the threat to the country's information infrastructure has actually increased since the DHS was founded 19 months ago.

"First of all, there is a much more concerted effort on the part of people who want to kill us," says Cooper.

"I don't think most federal CIOs are as concerned about teenage hackers. What we're much more concerned about are governments who are putting teams in place to attack the information assets of the U.S."

With his background in both the private and public sectors, Cooper is well positioned to influence IT policy and programs at DHS and beyond—and it helps to keep him on top of the problems and pitfalls facing a large federal agency in its effort to win the war on terrorism.

Technology journalist Randy Barrett recently spoke with Cooper in Washington, D.C., about the department's security and integration efforts, and about Cooper's hopes for improvement in the private sector as well.

CIO Insight: Has the security of government networks changed significantly since Sept. 11?

Cooper: One thing that changed is that on Sept. 11 there was no Department of Homeland Security.

The effective date for the beginning of the department was March 1, 2003. That's when the department became official; we transferred 180,000 people from 22 component organizations and set about the work of creating the DHS.

Steven Cooper
CIO, Department of Homeland Security
Before he was appointed CIO of the Department of Homeland Security, Steven Cooper was a special assistant to the President for homeland security and served as senior director for information integration at the White House Office of Homeland Security. Cooper also spent more than 20 years in the private sector in various CIO positions in the manufacturing and pharmaceutical industries.

There had been some kind of network security in place for most of our inherited organizational elements. However, a significant number of those components did not have their own networks or infrastructure.

They didn't have any wide-area-network backbone that they were directly responsible for, so they didn't have network security, information security, physical security or information assurance programs at all.

What we playfully call the Big Six—the U.S. Coast Guard, Secret Service, Federal Emergency Management Agency, Customs, Citizenship and Immigration Services, and the Transportation Security Administration—did have some security in place. They had large IT organizations and their own WAN networks, and that's formed the core of our own network environment.

As of July 27, 2004, we have integrated DHS Net, our core wide-area backbone.

That doesn't mean we have collapsed or consolidated all six into one. It means that, in addition to what we inherited, we have now moved forward and put in place a new emerging core WAN, and around that WAN we have put in place cybersecurity programs, including intrusion detection, network operations center—the types of things that mature organizations have and that we need in order to get to the single network, the one DHS infrastructure that we've set in motion.

How fully integrated is the Homeland Security Operations Center at this point?

The HSOC is fully operational. It is manned by 24 people, operating in three shifts, 24-by-7.

It is staffed by folks from the DHS with a lot of different skills and backgrounds, as well as by people from sister agencies—the Federal Bureau of Investigation, the intelligence community, the Departments of State and Energy, the Coast Guard and the Secret Service. Those people are monitoring terminals that actually reach back to their home organizations. They are fully connected.

But the information sharing is not yet seamless. We don't have all of the different applications represented in the HSOC integrated among and between themselves.

What is the goal?

First of all, within the Department of Homeland Security itself, the goal is to move as quickly and as appropriately as possible to seamlessly integrate the applications and data repositories the department owns.

While we've identified all the major applications, we're still identifying more. We think we're about 90 percent complete. We're probably still at the beginning of the seamless integration that we'd like to move toward. But the important thing is that that does not preclude having all the information available for analysis and action.

I don't want any reader to believe we are less secure because we don't have seamless integration. We are not less secure. It requires a little more effort and energy on the part of our analysts because they have to turn from one terminal to another.

What we want to do is continue to improve the environment as a tool set that our analysts use so they can be more productive faster.

We're probably still in the first third of the work we want to do. Over the next 18 to 24 months we'll move pretty much toward 100 percent of what we'd like to do.

How well integrated into the HSOC is the Centers for Disease Control's BioSense system, for instance?

It is not integrated if you mean electronically or digitally connected.

Because we have people in the HSOC representing the Department of Health and Human Services, we have the reach-back capability, first of all, and second, the folks that actually run BioSense also have a forward reach into the HSOC if and when it's appropriate to make contact.

Don't forget that it is also extremely effective. I know it's not as sexy from a technology standpoint, but the subject-matter experts that handle any subject in any department can pick up the telephone and call directly into the HSOC.

Information is moving, even though sometimes it involves human contact via telephone. The point is that that still counts, even if the goal is to automate or make available as much information digitally as we can in the fight against terrorism.

What plans do you have to secure the new network?

We have put in place a single departmental Computer Incident Response Center. That's a big step forward, because rather than having 12 of these things running around, we have one 24-by-7 operation.

The CIRC has already successfully responded to virus attacks, and it has been instrumental at managing every type of incident.

We have also implemented an information security advisory board, identified information security managers for every major organizational element, and put in place information systems security officers who work at the application level.

We have also implemented one of the first automated tools—a digital dashboard—so we can maintain a constant digital scorecard of our performance.

The DHS has been getting pretty poor grades from Congress regarding the Federal Information Security Management Act. So far you have an F.

Honestly, we went from a patchwork quilt that was relatively insecure to not being where we want to be yet. But we're certainly more secure than we were a year and a half ago.

The same is true, to a relative degree, across the entire federal environment. If you take each department's scorecard, unfortunately you will see large departments sitting with Fs, but if you look at the overall grades, they are improving.

To what extent does the work you do affect the overall security of government networks?

The DHS is unique in that our National Cyber Security Division is tasked with providing policy, guidance and direction to state and local governments, tribal governments and the private sector. Through the federal CIO Council, we have been paying a lot of attention to cyber-security. What we've done there is to try and coordinate and share best practices. We know who actually is making good progress and we talk to them about how they're doing that.

I would argue, based upon factual data represented by FISMA scorecards, that the government as a whole is slightly more secure.

Can the government have any effect on commercial network security?

That's a legitimate question. The federal government can have an incredible impact through a different mechanism—legislation. Look at the impact the Sarbanes-Oxley Act has begun to have on disclosure of financial risk and vulnerability. Now, suppose Congress passed a law that said CEOs have to sign off on cyber readiness and preparedness, much as they do on their financial statements. That would have a huge impact. There is talk about such legislation, but to the best of my knowledge there isn't any yet.

Meanwhile, our National Cyber Security Division has been working very closely with the private sector that owns the country's critical infrastructure, and with our public-private Information Sharing and Analysis Centers, of which there are 13, each aligned with particular industries. Some, like the telecom ISAC, have been in place for a long time. A great deal of trust has been built among the members of the private sector and those folks in the ISAC, and there is a lot of very good exchange of information on risk and vulnerability. But that's one end of the spectrum. In certain other ISACs, some of which are brand-new, there is very little trust in the federal players. It's a mixed bag.

Which specific ISACs aren't making much headway?

In general, some of the financial services and insurance groups. This is me, Steve Cooper speaking, I'm not representing a federal position or policy, but I can't blame folks in those industry segments; after all, information security is their lifeblood. Let's suppose the banking industry shared a vulnerability and said, "You know what? If somebody attacked us and took advantage of this vulnerability it could bring the banking industry to its knees." Holy cow! Can you imagine the impact if that information were made public? I can't blame them for not wanting to share anything.

Some experts say that if the government were to announce that it will only procure software with minimal holes and backdoors, the problem of lazy coding would disappear and everyone would be safer. Do you agree?

Yes, I think that's fair. There have been discussions about that in the Department of Homeland Security, the federal CIO Council and at the Procurement Council. But here's the dilemma: Let's suppose we actually put our criteria together and announce that we're making it effective Jan. 1, 2005. What happens if we're trying to buy something and no software meets our criteria? Do you say, "Wait a minute, I need something here and I'm going to live with the vulnerabilities for the time being and buy the product?"

Still, I think we are going to pursue this issue, though I don't know exactly what form it will take.

Randy Barrett, based in the Washington, D.C. area, has been following business and technology for 15 years.