By Alex Salkever On. Nov. 25, President Bush signed a landmark bill creating a new Cabinet-level Homeland Security Dept. Bush wants former Pennsylvania governor Thomas Ridge to oversee an agency that melds together 22 departments, subgroups of departments, and divisions of the government such as the Coast Guard, the Customs Service, and the Immigration & Naturalization Service. The law puts some 170,000 federal workers under a single letterhead.
Getting this gargantuan measure passed by Congress was no easy task. It took more than a year -- and a Republican sweep in the November elections. Now comes the real challenge, however. For the landmark bill's 500 pages, it's surprisingly light on details, especially when it comes to improving government information technology (IT). Although Mark Forman, head of technology services for the Bush Administration, has pushed hard for improving IT, the sad truth is that Uncle Sam still hasn't mastered use of the computer.
FAILING GRADE. Witness the latest annual computer-security audit of the federal government, performed by the General Accounting Office. A year after September 11, 15 out of 24 government agencies surveyed received failing grades. It's time for Bush to make improvements in both inter- and intragovernment computer literacy and security a cornerstone of the rest of his term.
As the war on terrorism illustrates, the flow of information inside a government is crucial to protecting national security. These days, nothing dictates information flows more directly than IT policy.
What to do? Now that it looks like Ridge will be heading up a massive homeland security effort, he's just the man to help the White House improve government IT. Here's how:
DUBIOUS AUTHORITY. Three key departments -- Interior, Transportation, and Treasury -- that will be working closely with Homeland Security in fighting terrorism have interim chief information officers (CIOs). But let's be real: They'll have no bureaucratic power until their jobs are made permanent. "If you look at all these agencies, with most of them flunking again, it says there is a problem with management," notes Bill Wall, now a network-security engineer with network gearmaker Harris Corp. and formerly an Air Force security engineer. Adds Wall: "There are a lot of CIOs still not in power yet."
Good CIOs can make a world of difference by assessing the big picture: How can agencies make better use of information technology? How can they improve communication with each other? The Homeland Security Dept. could become a shining example of IT efficiency, with a strong CIO and a very muscular technology hierarchy. Ridge needs to bear in mind that, if he gets the big stuff in government right, the small stuff usually is gravy.
Ask any CIO: The most important point of contact -- and vulnerability -- in a big organization is usually the e-mail system. It's the most effective way to communicate precise details to groups of people in a secure way. But if it's not set up correctly, it can also be easy for hackers to compromise. Making sure that all 170,000 employees in the new department have a secure e-mail system is a big job, but it should be the "biggest single concern" of Homeland Security's new CIO, says Bill Hancock, a vice-president in charge of security for Exodus, the Web-hosting unit of Cable & Wireless. Amen to that.
VERY DIFFERENT JOBS. Like many executives in the private sector, government mandarins have all too often failed to recognize that building and maintaining an IT infrastructure is a very different task from guarding it. So Ridge should also move toward creating a network security division, complete with a chief security officer (CSO). The goal: create "incident teams" that can respond quickly and effectively to attacks via the Internet. Make it clear that the CSO and the CIO cannot be the same person. These are two separate jobs.
There's still plenty of debate over whether a new Homeland Security Dept. is a good idea, or just a shuffling of the deck chairs on a still-vulnerable ship of state. Bruce Schneier, founder and chief technical officer of Counterpane Internet Security and publisher of the noted Cryptogram Net security newsletter, worries the reorganization might squelch creative thinking while leaving weak security policies in place. For example, Schneier fears that the information systems used to assess passengers as security risks still haven't been synchronized as well as they could and should be.
A big problem may be that the three main intelligence entities -- the FBI, CIA, and the Pentagon -- aren't part of the Homeland Security Dept. But they have promised to tighten coordination, not just among themselves but with the new HSD. And getting the IT right will go a long way toward accomplishing that, as well as the goals of the Adminstration and the HSD. Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column