ABSTRACT
The importance of security technology to government organizations was documented in a
1996 survey of the new Federal Chief Information Officers conducted by the Environmental
Protection Agency: three closely related critical technologies stood head and shoulders
above the rest. Over half of the CIOs selected these three as the critical technology
challenges facing the new Federal Chief Information Officers.
The first critical technology on the list is the Internet/World Wide Web and
organizational Intranets. These relatively recent technologies are redefining business
processes in corporations, including those corporations that re-engineered more than a
year ago. Unfortunately, the government and corporations have not fully embraced the
impact of this first critical technology because of the second critical technology.
The second critical technology is security technology. Organizations and corporations at
all levels of management had never placed a high priority on information security until
the last two years. During the Cold War the Department of Defense, National Security
Agency, Central Intelligence Agency, and the Federal Bureau of Investigation enforced
strict information security requirements. Now, however, there are literally millions of
organizations and corporations that want to participate on the World Wide Web but are
afraid to do so because of the lack of security in their communications infrastructure
and information systems. Until only recently most of these organizations had operated in
isolation on their own private networks. Now budget cuts are commonplace, and
organizations want to enter the World Wide Web without compromising information security,
in an environment where everyone's information becomes available to everyone else if it
is not protected properly. Similarly, the government and private corporations have not
fully embraced the third critical technology because of the second critical technology.
The third critical technology is Electronic Commerce/Electronic Data
Interchange (EC/EDI). The government and corporations have again been hesitant to
implement EC/EDI because of the lack of security technology used on the Internet and World
Wide Web. Government and private industry want to use the Web as the infrastructure
on which to run EC/EDI. The majority of CIOs agree on the challenges, but are these the
individuals who should be responsible for ensuring organizational communications and
information security? Should the lackadaisical managers who ignored security technology
for years manage security technology? Will the CIO be impartial enough to not compromise
security while facing deadlines and pressure from the CEO or agency head? This paper
addresses the question of who should really manage security technology for government
organizations and presents the basis for developing a business model for managing security
technology.
Introduction
Massive changes in technology and its uses are occurring at an alarming rate. Since the
end of the Cold War in 1989, Desert Storm in 1991, and the election of President Clinton
in 1992, sweeping transformations in government operations have taken place at the local,
state, and Federal levels of government.
Along with the shifts in how governments operate, dynamic advances in commercial
technology have acted as catalysts for changing the business processes of government.
These processes depend more and more on enabling information and security technologies. In
two years personal computer central processing units have moved from an Intel 486-33
megahertz chip to an Intel Pentium II 300 megahertz chip with a 64-bit bus architecture.
Workstations and mid-range computers have advanced from single RISC-based chips to
symmetric multiprocessor RISC chips.
Networks have evolved from mainframe-centric to distributed client/server and
peer-to-peer architectures. Communication media have moved from copper-based Ethernet to
fiber-optic-based frame and cell relay, SONET, FDDI, and ATM protocols. Transmission
speeds have increased by an order of magnitude to over 100 megabits per second. The
Internet has grown from a few hundred thousand users to over 100 million users. The
management of these revolutionary and fast-developing technologies has also undergone
major changes. The American public, as the primary customers of the Federal agencies, is
taking charge [13].
Efforts to reengineer the Federal government, particularly the Department of Defense
(DOD), have stagnated in recent years, but are now getting more attention as Congress gets
serious about streamlining and cuts budgets [15]. The passage of the Clinger-Cohen Act
forced major federal agencies to appoint Chief Information Officers to replace the senior
information resource manager. This paper examines the constantly changing and evolving
roles of government officials in managing information and the security of that
information in the "Information War," and offers recommendations for meeting the
challenges of managing security in this new environment. The winners will be those who
gain dominance through information [7].
CIO Challenges and Critical Technologies
The Association for Federal Information Resource Management conducted a Top Ten
Challenges Survey of the Federal Chief Information Officer in October 1996. The survey
findings present and discuss the top ten challenges facing CIOs today as defined by a
number of senior information technology officials and managers at Federal agencies and
departments. Table 1 lists the top ten challenges considered most important to the
Federal CIO [2].
Table 1. Federal CIO Top 10 Challenges (percent of respondents selecting each challenge)

 Rank  Challenge                                                       Percent
   1   Implementing IT capital planning and investment management         76
   2   Measuring IT contribution to mission performance                   56
   3   Formulating or implementing an agency IT architecture              52
   4   Aligning IT and organizational mission goals                       41
   5   Championing BPR as a precursor to IT decisions                     37
   6   Building effective relationships with agency senior executives     35
   7   Gaining a seat at the senior management table                      32
   8   Engaging senior executives on IT strategic directions              30
   9   Providing effective IT infrastructure and related services         27
  10   Ensuring Year 2000 operations                                      25
The first three challenges in Table 1 directly affect the three critical technologies
identified as most important in Table 2, which lists the critical technologies considered
most important to the Federal CIO in performing the CIO function in the years ahead.
Table 2 lists the top ten critical technologies from the survey [1].
Table 2. Federal CIO Top 10 Critical Technologies (percent of respondents selecting each technology)

 Rank  Critical Technology                                              Percent
   1   Internet/Intranet/Web                                                73
   2   Security Technology                                                  68
   3   Electronic Commerce/Electronic Data Interchange                      57
   4   Distributed Computing                                                47
   5   Data Warehousing                                                     42
   6   Client/Server Computing                                              41
   7   Workflow                                                             35
   8   Executive Information Systems/Decision Support Systems               28
   9   Groupware                                                            22
  10   Relational Databases                                                 21
Who Should Manage Information In The Federal Government?
Governors, Senators, Representatives, and officials at all levels of government
organizations, as well as corporations, did not consider information a valuable resource
in the early 1980s. These managers of government and corporate employees did not consider
knowledge capital (the knowledge of their peers and subordinates) to be of value [26].
The only valuable knowledge was that which affected national security. The government at
the national level focused all efforts on defeating the Soviet threat. By the mid-1980s,
senior executives recognized that computer information could be very powerful if used
correctly. Federal agencies sent information resource managers to the Information
Resource Management College in Washington, D.C. for a quick four-month course on how to
manage information. Industry followed suit by creating a Chief Information Officer
position. Unfortunately for both government and commercial information managers, most of
the CIOs did not sit on Executive Boards even though they had significant leadership
responsibility for information system projects that required executive sponsorship from
board members [4]. In private industry information managers typically reported to the
Chief Financial Officer, who was a participating member of the board. In the government
they typically reported to the resource manager, who also controlled finance. Industry is
now beginning to redefine the role of the CIO by replacing CIOs with Chief Technology
Officers (CTOs) [3]. The Federal Government is just now beginning to eliminate the
information resource manager position and replace it with a CIO [23].
Who Should Manage Security In The Federal Government?
Security is not a single discipline. Typically it consists of physical security,
procedural security, computer security, operational security, personnel security,
communications security, and information security. Before the recent flood of Internet
users, information security had often taken a low priority compared to operational
security. Security guards watched building entrances and exits, and organizations
installed video cameras to monitor hallways, stairways, and so on, to reduce the number of
security personnel needed to physically secure a building.
Managers considered locked drawers and a locked room secure. General managers were
responsible for their organizations to follow the security regulations written by military
intelligence personnel and the National Security Agency. Only classified information
received any large amounts of capital to protect it from threats.
In the mid-1980s, security specialists decided that, with so many computers emanating
electromagnetic waves, there was no practical way for a spy to zoom in on the signature
of any one personal computer and collect data, because of the number of crossovers
between personal computers. This was a risk-acceptance decision about a crowded office
environment rather than a physical guarantee that emanations could not be recovered.
Nevertheless, the elimination of the TEMPEST individual-workstation electronic shielding
requirement saved the Federal government millions of dollars and allowed the Federal
government to buy personal computers off the shelf. The number one challenge for Federal
CIOs from Table 1 is implementing IT capital planning and investment management across
the agency. Who should decide how much to spend on the security technology capital
required to make the Internet/Intranet/World Wide Web secure for EC/EDI?
Managers did not consider other information valuable enough to protect with anything
more than minimum protection. Most unclassified systems operated at great risk, since
managers typically felt that unclassified information could not be harmful to the
national interests of the United States. This perspective has changed drastically.
Information aggregation has become a critical topic because highly summarized data may
reveal significant amounts of information about an organization, country, corporation,
etc. [14]. In 1989, the Department of Defense recognized the onset of the "Information
War" and began to take steps to prepare for it. DOD issued a memorandum mandating that
all unclassified systems comply with class C2 of the Trusted Computer System Evaluation
Criteria (TCSEC) by the end of 1992. Unfortunately, four years after that date most
services are still working on meeting that goal due to high costs and extremely complex
solutions. A new doctrine of warfare called "Information Warfare" is sweeping through
DOD, forcing great changes to how business is conducted [7]. This is placing even more
pressure on the services to reach the C2 goal. Simply protecting the gateway to the
system from external threats is extremely shortsighted. Most attacks on information
systems come from within the organization, by an insider. Reaching the C2 level will
help contain the amount of damage an insider can wreak, because C2 requires
discretionary access control at the granularity of individual users, identification and
authentication of each user, and an audit trail that ties actions to the individual who
performed them.
The Information Technology Management Reform Act (ITMRA) of 1996
The Information Technology Management Reform Act (ITMRA) established a focal point for
information technology and information resource management issues. The significance of
ITMRA was to mandate the appointment of a CIO by each Federal agency. Thus, the passage of
ITMRA established a new framework for strategic management of information technology by
the Federal government. CIOs would now be the focal point for managing information
technology in the future [1]. However, the Office of Management and Budget (OMB) took over
control of all Federal CIOs from the General Services Administration (GSA). Previously,
GSA had provided oversight of all Federal Departments and Agencies, including spending
authority. Specifically, the deputy director of OMB has become the chairman of the new
Federal CIO Council. This replaced the Industry Advisory Council, of which senior
information resource managers were members.
The new CIO Council will not be the principal forum for making decisions or setting
policy. Rather, the CIO Council will be the principal forum for generating ideas and
sharing best practices, or even adopting the best practice of another agency by cross
leveling. Although the Deputy Director stated that OMB will not take over programs, OMB
will realign budgets to force agencies and departments to make necessary changes whenever
the agency or department goes more than 10% over its budget [22]. ITMRA's directing the
23 largest agencies and departments to replace their senior information resource
management positions with Chief Information Officers will involve a cultural change,
because managing information technology will be a strategic function instead of a support
function. ITMRA created an environment for change by establishing a CIO position that
will work with senior management and provide information technology solutions to the
business of the organization [24]. So far, most of the agencies and departments have
complied by simply changing the title of the senior information resource manager to Chief
Information Officer. Some of the CIOs are political appointees and some are government
civil service careerists. Some have information technology experience and others do not.
In all cases, the CIOs have all of the responsibilities listed in Table 3.
Table 3. CIO Responsibilities
1. Formulating agency information technology investment strategies
2. Integrating IT operations with core programs and budget plans
3. Identifying interagency system development opportunities
4. Developing and implementing the organizations information architecture
5. Establishing, staffing, and professional development of all IT personnel
6. Devising performance metrics for evaluating IT investments and system results
The second major mandate of ITMRA was the repeal of the Brooks Act. The Brooks Act was
thirty years old and controlled the management of Federal information technology. The
primary problem of the Brooks Act was the Delegation of Procurement Authority, which
created a huge bureaucracy in all agencies.
The Federal CIO
One of the dangers of placing the responsibility for managing security technology with
the Federal CIO is that the CIO may be a political appointee instead of a careerist. This
could also be an advantage to an organization that has a political appointee. Coming from
industry or academia, the appointee will have key contacts that could sway the amount of
the IT budget approved for that particular agency or department. A careerist CIO,
particularly one who has been in the government for over ten years, would not have the
comprehensive political contacts, and would only add another layer to the bureaucratic
structure without being effective. An appointee would be much more familiar with the
capital investment process used by corporations for IT and may have a better chance of
being successful than a federal careerist CIO. There is no organizational model for
determining to whom the CIO would report.
ITMRA deliberately left some ambiguity in the bill to allow agencies and departments the
flexibility to establish their own reporting chain. Industry does not follow any
particular model because there is no formal CIO model [8].
Many corporations follow the old MIS model because they simply renamed the vice president
of MIS or information systems director as CIO [24]. Similarly, the Federal CIOs will
probably follow the same senior information resource manager model and simply rename the
position as CIO, as in the case of the Department of Defense. The Office of Management and
Budget will take the place of the GSA in providing oversight of IT acquisitions in the
Federal government. In that vein, OMB is focused on the location of the CIO office, the
duties of the CIO, and the qualifications of the CIO [20]. The CIO office should be
located no lower than one level below the Secretary or Director of a bureau, and the CIO
should not report to the CFO.
The Federal Chief Information Security Officer (CISO)
The Gartner Group and others have argued for some time that the head of corporate
information resources security should be elevated to at least the same level, yet separate
from the CIO, or better yet upgraded to the same level as the CEO and the CFO. All of
these positions would report to the Board of Directors [17]. Table 4 shows the CISO
paradigm.