Q: Some people have criticized the various aspects of the 24 e-government initiatives, specifically Project Safecom - which aims to make wireless public-safety systems able to communicate with each other - and the e-authentication initiative, suggesting that they are lagging. What do you say in response?
A: Well, first of all, I'm very happy with the progress of not just the 24 e-government initiatives but the whole expanding e-government President's Management Agenda initiative. I look at some of these metrics - for example, the Nielsen Net ratings that's now tracking the federal government usage. In [January] over 49 percent of American businesses were online with us. ...That's a real milestone for us. I look at how we restructured Firstgov.gov to be more citizen-friendly and [require just] three clicks to service. ... Last year we had 37 million users, and that's an awful lot of citizens. ...
Safecom, I'm very comfortable now with this, the way it is being integrated into the Department of Homeland Security. ... The big change for us continues to be the need for voice and data as opposed to just a voice-radio system. ... So, the next step ... is [to determine] what are the requirements for voice and data in those interactive public-safety wireless devices.
Q: How much money has been allocated by the federal government for cybersecurity in fiscal 2003?
A: In 2003, $4.2 billion. That's for our internal cybersecurity. There's more money than that for external. ... And that's a huge jump. I believe it was $2.5 [billion] in [fiscal 2002].
Q: How do you work with the Bush administration's cybersecurity adviser, Howard Schmidt? How will that role be filled when he leaves?
A: I can't talk too much about how it will be filled when he leaves or how the effect will be, but I can tell you how we've been operating, and a lot of this will obviously be made public as details are fleshed out.
The director of OMB is responsible for federal agency IT security. ... NIST, the National Institute for Standards and Technology, defines the technology standards. OMB issues the guidance and we do the follow-up. ... Basically, we had to say what percentage of the systems are secured now that need to be properly secured. We're around 60 [percent], and we need to be 80 [percent] by the end of this year. ... We've made terrific progress, but we're not done.
The second prong is to be able to respond to vulnerability and threats within 24 hours. We need an instant-response capability. One of the things that was set up ... was the [Cyber Warning Information Network]. ... As it turns out, most of the cyberthreats attack the WhiteHouse.gov Web site. ... [P]eople use that as a virtual attack on the president. And so I get early alerts, we then alert the [federal chief information officer], and we've got the cycle time [from] the CIO council [to the Federal Computer Incident Response Center] down to 90 minutes or less. ... We've been able to make it work in as fast as 24 hours.
Q: Do you need more of a focal point within OMB on cybersecurity, the way you would on privacy?
A: We have three times the amount of people working on cybersecurity than we do on privacy. Both are major initiatives. We have a management philosophy difference in the center. My view on this is that cybersecurity has to be integrated with an architectural one. The way you address [cyber] vulnerabilities is with systems architecture and systems operators who can manage the architecture. ... We have to get the cybersecurity folks with the people who are managing the infrastructure; otherwise, you get ... people in the cybersecurity arena crying that the sky is falling because they are not in charge. And that doesn't help us.
Q: What has OMB done on "open source" software?
A: Federal agencies have invested a lot in the open-source capabilities ... [especially] at the mid-tier [computer]-server level. The issue for us is cost. A lot of people say you have to use open source because it's free, but the operations and support cost is not free for open source. ... I don't see us saying we're not going to use open source, and I don't see us saying we must use open source. Our policy is to use it where it is appropriate, and we are seeing that play out with a fairly growing demand ... in servers.
Q: How confident are you that companies without a big presence in Washington are going to have a chance to get at the e-government information technology pie?
A: I want to encourage them to come and engage in the competition. We have to get more value for the $58 billion that we are spending, and we are going to have to get a lot more people given the dramatic increase over the last couple years in IT spending. If we don't put in more people, we end up paying more per hour, which I don't think is a good deal for the taxpayers. So we're looking for ways to pull people in, but by the same token, the vendors have to understand that the government doesn't do a good job being the integrator. We need to be a solutions buyer.
Q: Does that mean companies need to go out and get the subcontractors together and come to you and say this is what we've got?
A: It depends. It's hard to talk in generalities, but what it means is that when new companies come in the marketplace, they should be looking at the IT data that we put up with the budget. What are the agencies buying? What are some of the performance measures they are looking? Vendors should come in understanding that we're a fairly intelligent customer but that in some ways it is difficult for us to deal with new ideas unless somebody can relay how the new idea affects our needs.
Q: Where is the clearinghouse for new innovative e-government technology?
A: The marketplace. I don't believe the government can create a clearinghouse per se. Everybody has to do market research. ... [W]e're becoming smarter about how we do market research. But the bottom line is we have to do a better job at identifying our requirements. That's why I maintain an open-door policy. Virtually all the [agency] CIOs maintain an open-door policy for ideas. But the other thing that we're doing is making out requirements that are known.