Looking for an industry assist
State and local governments had just begun to follow the federal government's lead in turning to outside technology firms for help in running agency information technology operations when terrorists attacked New York City and the Pentagon on Sept. 11, 2001.
Now, one year later, as local officials prepare for their role as first responders on the homeland security front, the trend toward tapping the private sector for a range of IT services is expected to accelerate, government insiders and industry observers say.
"We're going to have to bring the private sector in [to help with homeland security initiatives] because the states can't do it all," said one state chief information officer, who asked not to be identified. "And not just for outsourcing ongoing services but also for developing new IT stuff."
Indeed, observers say, the private sector can provide state and local governments with the technological expertise and innovation along with the economies of scale needed to help combat terrorism on the home front.
But it won't be as simple as just signing a check and then sitting back. In what will be unfamiliar territory for many, government officials are going to have to decide which parts of their operation can be outsourced successfully, and then find and manage industry partners who they can trust to do the job.
An array of services is available, from developing and running interoperable broadband and wireless communications networks for first responders to protecting agency systems from cyberattacks. Other offerings include disaster recovery, business continuity services, and help developing data standards that allow easy interoperability between disparate databases and systems.
According to Gartner Inc. Dataquest, 80 percent of state officials have named homeland security as a top technology initiative for 2003. What's more, after years of focus on e-government and service to citizens, state budgets now are focusing their limited dollars away from internal development and toward external services providers.
Rishi Sood, a principal analyst for Gartner, expects states and localities to undertake homeland security endeavors in several phases, beginning with ensuring that communications and networking infrastructures work optimally, increasing network security and automating first responders.
Longer-term, government entities will look to build a management model that enables different organizations to work together better. Specifically, how do federal agencies share data, networking and telecommunications services down to the state and local level, and vice versa? How can they build more manageable frameworks that focus on regions and the protection of regions?
"The previous obsession with e-government has morphed into focusing on what the needs of homeland security are, and homeland security has really started to accentuate the need for jurisdictions to work together and actually build common systems rather than their own independent systems," Sood said. "So it's really speaking about some innovative technologies and some newer ways of implementing technology, and that's an area where the private sector really has the best expertise and
"There just hasn't been that follow-on-through development at this point yet," Sood said. "We really expect this to finally begin to take off during the second half of 2003 or early 2004."
Cathy Clements, regional vice president of business development and state government sales for Sprint, said that state CIOs are moving forward with some law enforcement activity, but "overall, homeland security from a policy and funding standpoint is still an unknown at this point."
With so much uncertainty, homeland security remains a sensitive topic for many government officials. Carolyn Purcell, CIO of Texas, a leader in outsourcing thanks to a recent move to turn over the operation of two of its data centers to Northrop Grumman Corp., chose her words carefully when answering the outsourcing question.
"It's almost certain that some of homeland security functions would be outsourced in some way or another," she said. "But I would say that when we do [outsource], we would do it with great deliberation and care to ensure that we do it responsibly."
Skilled government personnel are retiring at an increasingly rapid rate, and 46 of 50 states currently face budget deficits. Many are calling for IT funding cuts, and vendors offer an attractive option to make up the skills and resources gap. They possess more cutting-edge skills and a better grasp on technology than the public sector, and they can do many of the same functions more efficiently and less expensively than the government can in-house.
"States are being forced to cut programs at a time when they know that they're going to have to put some resources into homeland security," said Steve Kolodney, vice president of digital
government for American Management Systems Inc. and a former CIO for Washington. "The safest way to go about that is to spread the risk by engaging the private sector where they can, and I think that's a reasonable strategy that some states will begin to deploy."
Many observers note that despite the legislative and financial standoff on Capitol Hill, states already are outsourcing some functions that can support homeland security requirements. "Homeland security represents just a different set of scenarios that you now have to bake into all of your other business activities," said Larry Singer, CIO for Georgia.
For example, long before the terrorist attacks, states were seeking to improve communication between police and other emergency personnel and set up more effective disaster recovery and business continuity centers. But the perceived enemy at that time was more likely to be a hurricane or run-of-the-mill criminal than an international terrorist.
Likewise, states have long been monitoring networks and firewalls against potential intruders and mischief-makers, but this function is now likely to be one of the more prevalent homeland security priorities and a top candidate for outsourcing to the
This latter trend, said Amit Yoran, vice president of managed security services for Symantec Corp., is as much a function of market maturation and the fact that states now are recognizing the value of focusing their limited in-house resources on strategic security initiatives, while passing off the more day-to-day security management functions to a third-party.
"Sept. 11 was a point that brought increased awareness to cybersecurity and the possibility that terrorists could use networks as an avenue for wreaking havoc," he said. "But it's not like on Sept. 11 we had to redefine how to best protect networks or how to best monitor network systems. There was a valid requirement for these types of solutions long before then, and the solutions that states are asking for and that we are offering have not changed."
For example, the Capital Wireless Integrated Network (CapWIN), a joint project among Maryland, Virginia and Washington, D.C., being built by IBM Corp., will improve voice, data, and video communication among regional law enforcement, public safety and transportation personnel.
IBM will supply the communications bridge to all participating agencies. The network is scheduled to be operational in 2003, and IBM will continue on after that, enhancing the network and rolling it out to additional end users, according to Paul Leuba, IBM's CapWin project manager.
Pennsylvania has been working with KPMG Consulting Inc. to develop the Justice Network, a statewide effort to enhance public safety by providing a common online environment in which authorized state, county and local officials can access offender records and other criminal justice information from 15 participating state agencies.
Another outsourcing project of note is Computer Sciences Corp.'s design and back-end operation of a multilayered biometrics identity management system recently put in place by Pennsylvania's Department of Corrections.
"Credentialing and controlling access has been an issue for some time at government facilities, but this application is now addressing homeland security and the fact that the threat can come from within," said Ben Gianni, vice president of homeland security at CSC.
Georgia, meanwhile, already is responding to homeland security requirements, making the recent decision to turn its firewall monitoring over to Internet Security Systems so that its internal staff can devote more time and resources on the state's intrusion detection systems for cybersecurity.
Singer, who was instrumental in Georgia's recent decision
to outsource its broadband telecommunications networks, noted that the decision to outsource some of the state's network security was based on the same criteria he's always relied upon when considering whether to outsource.
"If our needs are the same as everyone else's, if the function is not peculiar to what we do, if it doesn't require peculiar knowledge of our environment and if somebody else, because of their volume and leverage, can do it cheaper than we can, then we're going to outsource it to them," he said. "It shouldn't and won't matter what type of technology initiative is involved."
Hayes is a freelance writer based in Stuarts Draft, Va. She can be reached at email@example.com.