Goals of open government, cybersecurity in conflict

Everybody agrees that both open government and cybersecurity are generally good things. But pursuing the two goals at the same time may now prove difficult for the Bush administration.

Open government means efficient information-sharing among government officials across the country, as well as easy access for citizens seeking computerized information in areas such as health care, taxes, and the environment. In contrast, cybersecurity requires barriers: passwords, authorization procedures, background checks and punishment for privacy violators. Over the past two months, President Bush has laid out strategies to pursue each of these divergent goals.

One part of the open-government strategy, which has been unveiled in stages since mid-August, is to make government more responsive by improving management. The White House has drafted two proposals: The Freedom to Manage Act of 2001 would speed up congressional debate on future reform bills, and the Management Flexibility Act of 2001 would give federal managers more options to adjust pay and hiring rules, as well as policies on the use of government property.

The parallel cybersecurity plan, unveiled in an October 16 executive order, creates a top-level, multiagency group, the President's Critical Infrastructure Protection Board, which would promote defenses against hackers, data thieves, and other Information Age criminals who threaten government computer systems. The board will also push companies in the energy, transportation, and financial sectors to improve their information security. Since the mid-1990s, government officials have been worried that terrorists or hostile nations might try to disable key computers and thus damage government operations, oil and gas distribution networks, banks, telephone systems, and other critical infrastructures.

The executive order, titled "Critical Infrastructure Protection in the Information Age," put Richard Clarke, the President's chief cybersecurity adviser, at the head of the board. Only six days earlier, Clarke had previewed the next step in strengthening government cybersecurity when he asked industry for suggestions on how to design a government-only communications network dubbed "Govnet." The network, according to a memo to industry released on October 10, would provide voice, videoconferencing, and data services for a limited core of critical government officials.

Clarke, who has served in the White House since the late 1980s, has seen his authority wax and wane under three Presidents. In 1989, he was appointed assistant secretary of State for political-military affairs under President George H.W. Bush; Clarke's authority expanded under President Clinton, when he served as the chief counterterrorism official in the White House. In the current administration, he will head the newly created board, whose members include nine Cabinet Secretaries or their designees, plus top officials from 11 other agencies, including the office of the new homeland security chief, Tom Ridge. The executive order charges the board with promoting information security, but gives control over spending to the individual agencies and the Office of Management and Budget.

"I'm very pleased that Dick has received this appointment," said Harris N. Miller, the president of the Information Technology Association of America. Miller, who has worked with Clarke on cybersecurity for several years, says the President's backing will help Clarke "very much use the bully pulpit to promote ideas and praise the sectors that are being collaborative and cooperative, and to damn with faint praise those that are not living up" to others' progress.

Clarke is already promoting the plan. Govnet would ensure the security of a critical core of government information, while leaving other data available to citizens via the Internet, he said in a late October speech to information-security experts. "We want to build as secure an intranet as possible--one that taxpayers can rely on to be 100 percent safe ... a network that is separate from the routers connected to the Internet," Clarke said in comments reported by National Journal's Technology Daily. Agencies won't be allowed to connect to the proposed Govnet until they meet a demanding level of anti-hacker defense capability, he said. No agency had yet reached that level of security, he said, adding, "Our enemies are smart, and they know how to use our technology against us." Over the past year, computer virus attacks have increased by 66 percent, and the viruses are becoming more dangerous, according to Clarke. The trend makes a "devastating cyberattack" on government computer systems more likely, he said.

The key issue for Clarke is determining the necessary level of protection for various classes of information and networks, said Frank Prince, an analyst with the market analysis firm Forrester Research Inc. An anti-hacker system that merely segregates critical government networks from the outside world could succeed, he said, but only if it is limited in size and scope.

As the networks expand--for example, if the FBI were to try to electronically share its anti-terrorism data with local police forces--it becomes more difficult to guarantee security, said Prince. He predicted that Clarke's Govnet plan, modified with advice from industry, will become "some combination of a separate, highly secure network on a small scale and [a partly secure] open Internet" that will help government agencies share noncritical information with one another, with citizens, and with businesses.

It is difficult to protect government data from hackers while also ensuring its availability to those who have a right to view it, Prince said. However, some government agencies, such as the Internal Revenue Service, are making step-by-step progress by working with technology companies. In any information-security program, "all of the complexities of the real world are recreated in the electronic world-the jurisdictional rules, the way people react, the things they want to do," Prince added.

The new presidential directive on cybersecurity contains a variety of other measures, as well. For example, Clarke will also chair the National Infrastructure Advisory Council, which will include industry representatives such as Miller and will promote government-industry cooperation. The NAIC will oversee the private sector's Information Sharing and Analysis Centers, where executives from different industry sectors meet to privately share information on threats and defenses. The council will be staffed by the Commerce Department's Critical Information Assurance Office, which is headed by John Tritak.

According to Miller, "John is very important as a liaison with industry" and is now leading discussions with the insurance companies and financial auditors to ensure regular professional oversight of companies' plans to deal with information security.

Although management reform efforts intended to make government more open will increase the need for cybersecurity, they can also aid security programs, Harris argues. The government needs more information-security experts and needs to give its managers more flexibility in getting the most out of existing spending, he said. With changes, agencies will be able to quickly hire cybersecurity experts via commercial Web services. With proper management, cybersecurity and open government can work together, just as automakers have been able to simultaneously improve both performance and safety in cars, Harris said.

New technology is already helping civil servants to cooperate across agency lines, said Mark Forman, the associate director for information technology and electronic government at OMB. But the full value of computer systems, he maintains, can only be achieved if lower-level government officials are given more authority to make decisions. "The choice that has to be considered is whether we have to have command-and-control [from the top of bureaucracies] or distributed decision-making" among many technology-linked experts, he said.

For example, security officers in different agencies, such as the Coast Guard and the Customs Service, can now use technology to share anti-terrorist information, Forman said, without having to pass that information through their separate bureaucracies. Other officials are informally sharing information between their agencies, he added. On October 29, Forman announced 22 federal projects, involving several agencies, that are intended to boost government efficiency with computer technology. The projects are one element of a $100 million, three-year plan to improve the government's use of information technology.

Harris cited a number of other trends that are already pushing the government toward change: Many civil servants will be retiring over the next few years; computer technology is getting cheaper; more citizens expect to access information online; and much government work is already provided by technology companies. "That's an opportunity for reform because there will be fewer people with an interest in maintaining the status quo," he said.

However, Bush's plans have plenty of skeptics. "Our union will certainly do anything it can to educate members of Congress about the dangers of this," said Jacqueline Simon, the public policy director for the American Federation of Government Employees. To reform government, she said, "you have to have better pay and get rid of this constant threat of contracting out and privatization." She said the 600,000-member union opposes many of the administration's measures, such as a proposed change in the law that would help companies bid for work against government agencies.

But Forman said he is already working closely with Democrats such as Sen. Joe Lieberman of Connecticut, the chairman of the Senate Governmental Affairs Committee. Lieberman has introduced the E-Government Act of 2001, which he developed with Sen. Conrad Burns, R-Mont. The bill, which is also backed by several other Democrats, including Senate Majority Leader Tom Daschle, D-S.D., would create a chief information officer for the executive branch, authorize an e-government budget of $200 million per year, train more federal workers in the use of computers, and help citizens get access to federal information and services, despite restrictions on agency jurisdictions. If properly managed, predicted Forman, "there is congruence between e-government and security."