IT's role emerging in homeland security drama

A month after terrorists attacked the World Trade Center and the Pentagon, the Bush administration and Congress began to define the critical role that information technology will play in the massive effort to safeguard the nation.

Tom Ridge, director of the newly created Office of Homeland Security, last week named Richard Clarke, a top-level official from the National Security Council, to serve as his cyberspace security adviser, making him the "president's principal adviser on all matters related to cybersecurity," Ridge said.

Clarke quickly launched several initiatives to shore up the security of the government's key information systems and to take advantage of technology to ensure the security of government operations. His plans include shifting systems that currently reside on the Internet to a highly secure government intranet, dubbed GovNet.

Top officials across government also are considering how IT might fit into the homeland security strategy. The Defense Department, the Federal Aviation Administration and the Immigration and Naturalization Service, among others, are evaluating the state of existing systems and considering other options.

House and Senate officials are scrutinizing agencies' plans and looking for ways to put critical resources at the disposal of the federal government. Ideas making the circuit include the creation of technology squads that could be called on to help rebuild the technical infrastructure in areas struck by disaster.

Act I: Coordination Is Crucial

IT emerged as a key factor with the creation of the Office of Homeland Security. The Oct. 8 executive order establishing the office directs Ridge to ensure that agencies have the technology necessary to collect and share intelligence information.

Coordination is the key, said Ridge at his swearing-in ceremony. More than anything else, federal, state and local agencies must start cooperating. "The only turf we should be worried about protecting is the turf we stand on," he said.

Clarke will lead the effort in the area of cybersecurity, relying on years of experience at the Defense and State departments. He also will continue to lead efforts to secure every other area of the federal government, continuing his work of the past three years as national coordinator for security, infrastructure protection and counterterrorism at the NSC.

"America has built cyberspace, and America must now defend its cyberspace," Clarke said.

Clarke's appointment is drawing praise from agencies, industry and Congress not only because of the administration's decision to create a new position with authority and accountability, but because of the choice of Clarke to fill the job.

"This is a recognition by the president of the importance of this area, and he's appointed someone of experience to be, in effect, the cybersecurity czar," said Shannon Kellogg, vice president of information security programs at the Information Technology Association of America.

Clarke's job description does not appear to have changed much from the position he has held the past three years, but until now he did not have sufficient authority or attention from the administration and Congress to back him up, said Sallie McDonald, assistant commissioner of information assurance and critical infrastructure protection at the General Services Administration.

McDonald oversees the government's efforts to comply with the 1998 Presidential Decision Directive 63, which requires agencies to protect the information systems that support the nation's critical infrastructure. She worked closely with Clarke during the past three years as agencies, Congress and the General Accounting Office tried to determine who had ultimate responsibility for the nation's information security.

"His authority is not as clear as perhaps some people might like it to be, but that never stopped Dick Clarke, and we do have somebody who's firmly in charge now," McDonald said. "I think he has a lot of ideas, and he is going to move out this whole initiative, which I believe is extremely critical along with all of the other steps we're taking to secure the homeland."

Act II: Initial Steps

Clarke's first plan of action was to set up a secure network for critical government systems and communications.

GovNet will be based on the same technical protocol as the Internet, but will be separate from it and other public networks. Basing GovNet on IP will make it possible to leave Web-based systems unchanged while removing them from the threat of hackers, e-mail viruses and other online hazards that can bring down systems and corrupt data.

In the past, Clarke and other officials at the NSC have mentioned that the FAA's air traffic control system is a potential candidate for a separate, secure network.

Clarke's office is soliciting input from industry leaders through GSA's Federal Technology Service, giving vendors until Nov. 21 to offer solutions. Initially, the around-the-clock network will handle data traffic only, but eventually GovNet also will support voice and possibly video traffic.

Clarke also announced last week that the National Communications System will accelerate its development of a wireless network to serve emergency and national security personnel.

NCS has worked on such a network since 1995, recognizing that when landline networks have been damaged, wireless systems are often the only means of communications. But because wireless technologies change so quickly, it has been difficult to come up with a solution, one industry source said.

In the wake of the Sept. 11 attacks, when almost all wireless service was gridlocked in the New York City and Washington, D.C., areas, the government realized it was necessary to put other wireless capabilities in place as soon as possible, Clarke said.

Similar concerns prompted Sen. Ron Wyden (D-Ore.) to propose a new strategy for dealing with the loss of IT services and equipment during disasters.

Immediately after the attacks, many technology companies rushed to provide any products and services they could; for example, telecommunications com.panies offered free wireless phones and services to compensate for the blackouts. But it was all done on a case-by-case basis, with little or no coordination.

Wyden, chairman of the Senate Commerce, Science and Transportation Committee's Subcommittee on Science, Technology and Space, plans to hold hearings during the next few weeks on how industry can help on a more formal basis in the future.

His idea is to create a technology equivalent of the National Guard, with members of the IT community volunteering to be available to form a response team and lend their expertise in emergency situations. He hopes to encourage a discussion of other solutions.

Act III: Patching Holes

The nature of the terrorists attacks, meanwhile, has brought some individual agencies under close scrutiny by the Bush administration and Congress, with a focus on identifying areas where new technology might improve security or where existing systems have failed.

* Transportation Department Inspector General Kenneth Mead said last week that the FAA should maximize the use of advanced explosives-detection equipment and step up its software-based program to measure the performance of baggage-screening workers.

Mead told members of the House Transportation and Infrastructure Committee's Aviation Subcommittee that bulk explosives-detection systems, including InVision Technologies Inc.'s CTX baggage-screening system, "continue to be seriously underutilized."

As of July, the systems were screening an average of 350 bags per day nationwide, even though a single system is designed to handle as many as 150 bags per hour, Mead said.

FAA Administrator Jane Garvey said 19 bulk explosives-detection machines remain in warehouses — for which the agency has been criticized — but that all of them will be deployed to airports within 90 days, after preparations are made for their installation.

Mead also said the FAA needs to design clear performance standards under its program to monitor the work of baggage screeners and certify screening companies.

The FAA plans to rely on threat image projection (TIP) software, which displays fictitious objects or bags on screeners' monitors to test their response. TIP has been installed on all CTX machines and on all new TIP-ready X-ray machines that screen carry-on baggage.

* INS, which has been criticized in the wake of the Sept. 11 attacks, will speed up deployment of systems designed to assist with tracking illegal immigrants. But the agency needs more money for state-of-the-art technology, the new INS commissioner told Congress Oct. 11.

Given the importance of keeping track of foreigners, new databases, technology platforms and biometric tools are essential to identify potential threats to national security, Commissioner James Ziglar said.

One program is already under way, in conjunction with the State Department, to replace border-crossing cards with a new biometric "laser visa," which incorporates digital photos and fingerprint images into a document similar to a credit card. It has an optical memory stripe and must be read by a special scanner.

Last week, Sen. Dianne Feinstein (D-Calif.) asked the White House to give INS $32.3 million of the emergency supplemental funds approved by Congress to assist recovery from the attacks. That money would be used to implement a system to track foreigners entering the United States on student visas. The system has been required since 1996 but has never been put into place.

Feinstein is also considering legislation to require INS to upgrade its foreign student tracking system to include biometric information; fully integrate that data with systems used by the State Department and the FBI at U.S. points of entry; and integrate the system with existing "lookout" databases such as INS' own Ident system and the FBI's Integrated Automated Fingerprint Identification System.

Database software vendor Oracle Corp., meanwhile, offered the agency software licenses and database engineers to create a national system to track immigrants living in the United States (see box, below).

n DOD has postponed plans for a $1 million follow-on contract for a system that would improve the ability of 27 democratic countries to share information. The Partnership for Peace Information Management System (PIMS) will instead continue using the incumbent contractor, Computer Systems and Communications Corp., a unit of General Dynamics Corp., for the next 12 months, said Melanie Lewis, acting director of GSA's Center for Information Security Services, which is providing contract services for the PIMS program office.

Given the current importance of PIMS, officials determined that it was not the time to conduct a full-and-open competition, Lewis said.

The contract will be extended under the "urgent and compelling" provision of the Federal Acquisition Regulation, which allows agencies to make purchases in emergencies. GSA will reassess the situation and decide the steps to be taken, Lewis said.

Act IV: Advanced Security Technology

Much of what transpired last week focused on solving existing problems with existing technology. But the administration and Congress also are considering the long-term challenge of developing security-related technology beyond the scope of current efforts in the private sector.

John Marburger, nominee for director of the White House's Office of Science and Technology Policy (OSTP), told members at his Senate confirmation hearing that the office must ensure that research and development funds are efficiently used.

"Science and technology are already playing an important role in that response," he said. "Coordination and evaluation of the programs being proposed are increasingly important."

Wyden, whose subcommittee oversees the OSTP director's confirmation, cited a GAO report released just after the attacks that described an extreme lack of coordination among agencies when it comes to counterterrorism research and development.

In one case, GAO found that the U.S. Coast Guard and the Defense Advanced Research Projects Agency were conducting almost identical research to detect biological agents, but because neither knew about the other's efforts, they were unable to share information. OSTP's leadership must be in place to "make sure that the left hand and the right hand are having a conversation," Wyden said.

Other programs under way relate directly to the mission of the Office of Homeland Security, and OSTP will keep close track of the programs' management to ensure that duplication of effort does not occur, Marburger said.

Members of Congress also are concerned about the lack of research into cybersecurity technologies, including Rep. Sherwood Boehlert (R-N.Y.), chairman of the House Science Committee. Earlier this month, Boehlert called on the government to work with academia and industry to advance the level of research into cybersecurity.

One obstacle is the way the government treats research, according to industry and academic IT experts who testified at a hearing Boehlert held last week on how to protect the nation's critical information systems.

No federal funding agency, such as the National Science Foundation or DARPA, has taken responsibility for basic computer security research, said William Wulf, president of the National Academy of Engineering. Because no agency feels it "owns" the problem, the government has funded only sporadic research proj.ects, he said.

"Well-funded, long-term basic research on computer security is crucial to our national security," Wulf said.

Christopher J. Dorobek, Judi Hasson and Greg Langlois contributed to this story.