When it comes to IT security, CIOs say that talk is cheap

By Christopher J. DorobekGCN StaffIf government is to tackle systems security, Congress will need to put money where its mouth is, federal systems officials say.In recent weeks, members of Congress, chief information officers and industry analysts have been touting systems security as the next hot government information technology topic. Three years ago it was procurement reform. For the past couple of years, year 2000 work dominated.But as agencies shift their focus from the year 2000 problem to security, systems chiefs emphasize that they will need funding to answer Capitol Hill and administration demands for more stringent systems protections.Late last month, Treasury Department CIO James Flyzik repeated what most agency IT executives have been saying privately for months: The government must direct more money toward critical infrastructure protection.'We're in violent agreement that we need to move out quickly,' Flyzik, vice chairman of the Chief Information Officers Council, said in a speech at a breakfast sponsored by Federal Sources Inc. of McLean, Va.'It's purely an issue of getting dollars,' he said. 'It's purely a budget issue. There's no doubt about it. Everyone's in agreement. We've got to move out on the area of information system security and critical infrastructure. The big issue is finding dollars.'Federal date code readiness efforts are widely seen as successful, at least in part because of the year 2000 emergency fund established by Congress. State Department CIO Fernando Burbano said establishing a similar fund could prove critical to the success of agencies' security initiatives.To that end, the Clinton administration late last month proposed a budget amendment of $39.25 million for fiscal 2000 specifically for critical infrastructure protection. The money would be spread among seven agencies for everything from the Federal Intrusion Detection Network to training, retraining and recruiting IT workers.But the amendment is 'just a drop in the bucket' toward what is needed, said Burbano, co-chairman of the CIO Council's Security, Privacy and Critical Infrastructure Committee. He noted that the year 2000 emergency fund was $3.6 billion.The additional date code funding was one of the main reasons that State was able to ready its systems, and there must be a similar effort for systems security programs within agencies, Burbano said.Security has always been a concern, but attacks are increasing, Burbano said. Attacks are also becoming more sophisticated, and dealing with them requires advanced hardware, software and training, Burbano said. 'That just drives up the cost.'A National Security Council official who spoke on the condition of anonymity said the budget amendment is an acknowledgment that the security efforts need a funding jump-start. 'Some of the initiatives that we are proposing for fiscal 2001 clearly need to be accelerated in fiscal 2000,' the official said.'The reason we were able to do this is we were able to convey that there is a serious threat, we do have significant vulnerabilities and we want to make the U.S. government a model of computer security. If you take all three of those, it became clear that we should not wait another year to get our non-Defense Department security issues funded,' the official said.The administration has proposed $1.4 billion for infrastructure protection in fiscal 2000, but much of that money would go to DOD or national security agencies, with about $200 million allocated for civilian agencies.The budget amendment would provide funds in four areas:' The Federal Cyber Service, which would award scholarships to students in return for government service' Expansion of information sharing and analysis centers, where industry can share information about security incidents with federal, state and local governments' Public-key infrastructure pilots' Creation of a permanent 15-member review team, managed by the National Institute of Standards and Technology, to help agencies design and deploy security plans required by Presidential Decision Directive 63.The biggest part of the additional funding, about $16.85 million, would be directed at bolstering the IT work force, the official said.IT work force problems have dominated the CIO Council's agenda. The funding would go toward an ongoing IT occupational study by the Office of Personnel Management, expected to be completed in the spring. That study will provide input for a National Academy of Public Administration study of the need for a separate government IT pay scale.Funds for the Federal Cyber Service program, formerly called the Cyber Corps, would pay for 300 scholarships initially, expanding to 600 next year. To be run by OPM and the National Science Foundation, the education program would provide scholarships in exchange for four or five years of government service.Administration officials said now is the time to urge Congress to support a special security funding measure because lawmakers have been receptive to IT security issues.'We do want to build on the shared recognition that we developed with the Hill [about year 2000] and want to work on the bipartisan effort to resolve the computer security issue,' the administration official said.