White House: Vendors must improve on security protections

Federal technology vendors must do a better job of building privacy and security protections into their software, two top-ranking White House officials said Thursday.

"Technologies that achieve interoperability while protecting societal issues are where you, as a community, need to start focusing," Mark Forman, the Office of Management and Budget's associate director for information technology and e-government, told industry representatives during a conference sponsored by the National High Performance Computing & Communications Council.

Forman said privacy and security must be key components of the "enterprise architecture" blueprints that are guiding agencies' efforts to integrate their systems, reduce paperwork, and accomplish tasks in "minutes or hours, rather than weeks or months."

As that transformation occurs, federal agencies must take steps to ensure the accuracy of shared information, and prevent its misuse. "We have to balance the benefits of [information sharing] with privacy protection, civil liberties and intellectual property rights," Forman said. "After the events of September 11, I don't think there's any question that we're going to grapple with that."

Forman noted that although "very little" interoperability currently exists between federal agencies, information-sharing will increase dramatically over the next few years as a result of top-priority initiatives related to homeland security. "We have to address both the opportunities and threats of a networked environment," Forman said.

Federal agencies must team up with the private sector to address some of the key threats, according to Howard Schmidt, who serves as vice chairman of President Bush's Critical Infrastructure Protection Board.

Schmidt, who formerly served as chief security officer for Microsoft, said White House officials are working with industry leaders to develop a new set of "standards and best practices" for federal IT procurement. Schmidt said those standards would help ensure that when the government purchases a software or hardware product, cyber-security protections would be built into the product and "come right out of the box," instead of being added to the systems later at an additional cost.

Schmidt added that lawmakers should modify certain laws to make it easier for the private sector to help federal agencies protect their critical information systems. He said legislation providing narrow exemptions from the Freedom of Information Act (H.R. 2435, S. 1456), for example, would make it easier for private companies to tell federal agencies about potential system vulnerabilities--and how to fix them--without exposing themselves to potential litigation.

In the meantime, Forman said, the Internet will continue to play a crucial role in federal agencies' efforts to modernize and integrate their systems. "We cannot disconnect from the Web," he said, noting that agencies rely on the Internet to communicate with other agencies, federal contractors and the public. "I cannot see that changing. We will continue to become more interconnected."