CIOs call for secret clearance

The security committee of the CIO Council last month urged all agency chief information officers and deputy CIOs to obtain a top-level security clearance usually reserved for those working on sensitive military or intelligence programs.

The committee believes CIOs and deputy CIOs need these security clearances so that they will be able to access national security information as part of the ongoing critical infrastructure protection effort, according to a Dec. 30 memo to CIOs from Mark Boster, chairman of the security committee and deputy assistant attorney general for information resources management at the Justice Department.

The security clearance is part of the Clinton administration's national effort to protect computer systems that support critical infrastructures, such as banking, telecommunications, transportation and utilities. The federal government itself has been classified as a critical infrastructure, and many agencies are working closely with the private-sector owners and operators of banks, utilities and other infrastructures to secure their computer systems.

"It is becoming increasingly evident that CIOs and deputy CIOs will have a need to handle classified information in their normal course of doing business," according to the memo, which was obtained by FCW. "This seems especially apparent in the development and implementation of highly sensitive critical infrastructure protection plans and related vulnerability assessments."

Neither Boster nor James Flyzik, CIO at the Treasury Department and vice chairman of the CIO Council, could be reached for comment.

Obtaining a secret security clearance is based on a National Agency Check of government records about a person and is relatively inexpensive and quick compared with the process for obtaining top-secret clearance.

All military officers must be capable of attaining a secret clearance to be in command of just about any type of unit because they must be able to read operational orders and other crucial documents.

Top-secret clearance is based on a Special Security Background Investigation. That process can take six months to a year, and investigators can delve back 15 years into an individual's personal background. The top-secret clearance process is expensive, sometimes costing as much as $100,000 for one investigation. People holding this clearance may be required to undergo periodic polygraph examinations.

Ed Giorgio, a principal at Booz-Allen & Hamilton Inc. and former chief of cryptoanalysis and cryptography at the National Security Agency, said the council most likely is trying to obtain for agency CIOs better access to government vulnerability databases. Such databases accurately portray the critical infrastructure threat but usually are classified.

CIOs and private-sector officials probably will be more willing to cooperate with government critical infrastructure efforts if they are aware of the threats to their systems, he said.

"You're probably seeing people make an honest effort to share this information more broadly," Giorgio said. "If you bring them into your cone of information about what the threat is...it makes them more likely to cooperate with your objectives."

However, he noted that some CIOs could be opposed to security clearances because they are afraid that holding such a clearance could affect their ability to speak freely on issues.

Kevin Roth, vice president of system integration at the Information Technology Association of America, said giving CIOs and deputy CIOs security clearance would increase the awareness of the importance of critical infrastructure protection to CIOs.

Roth said, however, that it might impede the information-sharing relationship between the government and the private sector, which has been emphasized by supporters of the protection effort as being key to its success.

"If they're requiring security clearances for individuals within the government, are they planning to require security clearances for those in the private sector?" Roth asked. "If so, that might create some problems for getting those security clearances for everyone in the private sector who needs them."

The fact that CIOs do not already have the clearance needed to receive national security information is surprising, said Mark Gembicki, president of WarRoom Research, Annapolis, Md. However, he noted that clearing these officials would not help the security effort at agencies unless emergency response employees also were cleared so that they could be told about threats and work to secure systems from these dangers.

"Having a need to know about the threats and vulnerabilities...doesn't mean anything unless you have a response team that can address those risks," Gembicki said.