IT management is key to security, CIO says

Agencies need centralized budgets and operational authority over their IT systems to ward off attacks, said Roger Baker, CIO at the Veterans Affiars department. 

“I’m disappointed that the government lags the private sector in cybersecurity by many years,” Baker said, speking Feb. 24 at a cybersecurity summit in Washington D.C., hosted by FedScoop. 

Interconnected but decentralized networks are only as strong as their weakest link, he said, and without centralized IT control to enforce visibility and security measures, “we are going to remain completely open.”

Related coverage:

The weak link in security: People

Cyber bill's FISMA mandate could be a step backward

VA is the second largest executive branch department with 300,000 employees and a $2.5 billion IT budget, and it is the only agency with a consolidated IT appropriation, Baker said. That centralization did not come easily.

“VA got that by failing big time,” he said, referring to the 2006 loss of a laptop PC containing the records of 26 million VA patients. But the result has been an order-of-magnitude improvement in the department’s security posture in the past three-and-a-half years and a savings of hundreds of millions of dollars.

“I don’t think there should be any question as to whether we should do this across government,” Baker said.

The issue was echoed by Shawn Henry, executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, who said IT threats are substantial and growing — from organized crime, foreign intelligence agencies and terrorists.

“Technology is not the answer in and of itself,” Henry said. Law enforcement has had success in fighting criminals through increased cooperation with the private sector and foreign governments, he said, but business practices and processes need to change to improve security.

Consolidating the IT budget under a single official rather than distributing it throughout various offices and agencies creates the ability to enforce enterprisewide policies and control IT programs. Baker said he has been able to save millions of dollars by ordering an end to hundreds of projects that were not performing — because he held the purse strings.

Baker said he now has visibility into most of VA’s 300,000 desktop PCs and has established a departmental network control center — two major steps forward.

“But in 2007, I was a lot further along than that in a large private organization” because of the centralized authority, he added.

Before joining VA in 2009, Baker was president and CEO of Dataline, and before that, he was CIO at General Dynamics IT.

In the private sector, he had control of all access and perimeter defenses and was able to do continuous monitoring of systems, a goal only now being addressed in government. He said he would like to have the ability to do blacklisting, the blocking of sites, applications and other online resources that have been declared unsafe. In the private sector, companies are already talking about whitelisting, the more restrictive practice of allowing only approved resources into the network.

Baker said VA is continuously under attack from without and from within. The outside threats get the most attention, but the breaches caused by insiders “are the most painful,” he said. The high-profile laptop theft in 2006 was the result of insider error, and he said 99 percent of the insider problems are the result of “stupid human tricks.”

Not all the breaches are high-tech. “Paper causes me the worst privacy problems,” he said. The most recent incident was an 18-inch stack of papers containing personal information that was improperly put in a dumpster. The documents have not been recovered. He said they are probably at the bottom of a landfill, but there is no way to be certain of that.

Baker praised the rank and file workers who have day-to-day responsibility for IT security and do the best they can. But he said they are challenged by bureaucracy and management practices that interfere with effective security policies and controls. He called the lack of central authority “the elephant in the room” that nobody wants to address.

Baker said he does not expect government to fully catch up with the private sector in its security controls, but he would be happy if he were able to do at VA this year what the private sector was doing last year.