Is IT security getting short shrift?

Concerned former DOD officials call for greater use of cybersecurity metrics

Despite the growing number of attacks on military networks, securing enough money for information assurance programs is still a hard sell at the Defense Department, former Pentagon officials say.

“It’s been the source of enormous frustration,” Linton Wells said in a recent interview in which he recounted some of the difficulties he faced during his four-year tenure as principal deputy assistant secretary of Defense for networks and information integration. Wells left the Pentagon in June to become a research fellow at National Defense University in Washington.

He said Deputy Defense Secretary Gordon England, who has significant input into budget decisions, supports boosting the military’s information assurance capabilities. But convincing senior budget officials from the military services to spend money in that area is a continuing challenge, Wells said.

“What they say is, ‘Look, we’re all short on money for things we want to buy — ships, planes, tanks, whatever. Show me how this $2 million you want to put on this today is going to turn cell C17 from red to yellow to green in 2011,’” Wells said. “And that’s often a hard thing to do in information assurance.”

Wells said officials in charge of putting together the information technology security budget for DOD’s networks need better metrics for measuring return on investment for information assurance programs.

“We have not done a good job of making the case that a dollar spent here is going to lead to a quantifiable increase there,” he said.

John Garstka, director of forces transformation and resources in the Office of the Undersecretary of Defense for Policy, said quantifying the return on investment for anything in the information domain is difficult. “It only comes into play when there’s a crisis,” he said in reference to information assurance programs.

Robert Lentz, director of information assurance policy in the Office of the DOD Chief Information Officer, declined Federal Computer Week’s request for an interview.

“IA is a priority for the department, but…as a matter of policy, we don’t publicly discuss internal deliberations regarding resource decisions,” DOD spokesman Air Force Maj. Patrick Ryder wrote in an e-mail message.

Former DOD Deputy CIO Priscilla Guthrie echoed Wells’ assessment of the problems involved in getting funds for information assurance amid competing military priorities. “It’s always hard to get money for IA,” she said. “It’s tough in industry, and it’s tough in government.”

Guthrie left the Pentagon in December 2006 and is now director of the Information Technology and Systems Division at the Institute for Defense Analyses in Alexandria, Va.

Guthrie said she supports efforts to develop metrics for measuring the value of information assurance — with certain caveats. If used improperly, metrics could lead to a false sense of security and encourage officials to focus only on known threats to military networks while neglecting risks not covered by those metrics.

“The challenge with metrics is that it’s easy to measure what you know, but it’s hard to measure what you don’t know,” Guthrie said. “You want to work off the things you can count, but you also need to study the things you don’t know about. You don’t want the entire bureaucracy working off the things you know.”

Members of a new panel at the Pentagon focused on portfolio management for network-centric capabilities released numbers for a six-year spending plan that starts in fiscal 2008.

According to the plan, investment in information assurance represents 9.5 percent of the portfolio in that six-year period, compared with information transport at 71.6 percent, enterprise services at 14.8 percent, network management at 3.5 percent and knowledge management at 0.6 percent. Taken together, all network-centric programs in the portfolio are valued at about $100 billion from 2008 to 2013, according to the document.

Information assurance could soon get a boost with the appointment of Marine Corps Gen. James Cartwright as vice chairman of the Joint Chiefs of Staff. Guthrie said the issue is a priority for the former commander of the Strategic Command.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group