TechNews.com: Homeland Security's IT Strategist
Guest: Steven I. Cooper, Chief Information Officer for the Dept. of Homeland Security
Friday, May 2, 2003, Noon ET
| Cindy Webb |
The newly minted Department of Homeland Security brings under one roof scores of federal agencies that were formerly spread across the full spectrum of the federal government. But creating one agency out of so many disparate pieces is a significant organizational hurdle, particularly when it comes to integrating all the various information technology systems. In addition, the new department must turn to new technologies to protect America's borders and mine the reams intelligence data on foreign and domestic threats.
The new department is also tasked with working with state and local governments, putting it in a unique position to influence and develop chief information officers nationwide. Next week, TechNews.com will explore state CIO issues -- stay tuned.
Steven I. Cooper is the man responsible for crafting a comprehensive technology strategy for the Homeland Security Department. He joined washingtonpost.com reporter Cynthia L. Webb for a discussion of CIO issues.
An Edited Transcript of the Discussion Follows:
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.
Cynthia L. Webb: Hi Steve. Thanks again for joining us today. As chief information officer of the newly formed Department of Homeland Security, you are tasked with heading up the creation of the overall technology plan for the department. Can you give us a sense of what steps you have started working on to develop this blueprint?
Steven I. Cooper: We have been working on our enterprise architecture since the transition team was formed. This work has focused first on developing an 'as is' picture of the department's information technology assets. We expect to complete this initial inventory during june 2003. We are then going to work with the business units to understand their business strategy, goals, and objectives, in order to develop and document a 'to be' architecture, or desired state. This is where we'd like to be. We expect to have our first pass at the 'to be' state by August of this year. By comparing where we are to where we want to be, we then can develop our road map, or migration strategy for moving to the desired state. We expect to have our first version of our road map by september, so we can head into fiscal year 2004 ready to execute the migration strategy.
Cynthia L. Webb: Information technology is a big piece of making the mandates of your new department work. How are you reaching out to your counterparts -- especially the CIOs of the states -- to improve communication and information sharing across agencies and state lines?
Steven I. Cooper: We have been working with the state CIOs via NASCIO, the National Association of State CIOs, since last summer. We have formed a working group with them to participate actively in our enterprise architecture, since it is a national architecture for homeland security, not just a federal architecture. In addition, we have on ongoing dialogue with them regarding initiatives in the states that we can leverage.
Cynthia L. Webb: NASCIO's Web site is www.nascio.org.
Annapolis, Md.: What is your plan for assessing existing technologies and systems to determine which should be integrated and which should be shelved -- and how are you monitoring, managing and mining data in the mean time?
Steven I. Cooper: Two part question:
First part: We are working with our science and technology directorate to evaluate new technologies; my office is reviewing existing technologies by meeting with vendors, reading white papers, understanding what already exists in our agencies and in other federal departments, and in the states to see if we can reuse or apply what is working to our business challenges.
Second part: About data, not sure I understand the context of your question. Can you clarify?
Herndon, Va.: When will your "vision architecture" be released to industry? Will you be scheduling time to meet with industry over time to see how they can help meet your mission's objectives?
Steven I. Cooper: We expect to release a first version by Sept. 2003. We will work through associations and other industry groups to obtain feedback and input.
Fairfax, Va.: Many of the mechanisms for achieving the mission objectives of DHS are in the hands of state and local government organizations. How do you anticipate the department, and particularly its information systems, will interact with state and local organizations and their systems?
Steven I. Cooper: Several ways. We have a state and local unit in the department, who meets with state and local reps on a regular basis to understand their concerns and challenges.
We have joint working groups in architecture and in business areas, such as the first responder community to make us aware of solutions that are already working.
I have talked about a vision of a 'network of networks' modelled after the interstate highway system, that we want to replicate across the systems arena to interconnect both physical networks and applications across the nation.
Cynthia L. Webb: Steve, you mentioned possibly leveraging initiatives that states might be undertaking. Can you name a few examples of potential programs that can be "cross-shared" between the states and federal agencies?
Steven I. Cooper: Yes, Pennsylvania's JNET; Minnesota's CRIMNET; Iowa's electronic government network. Kentucky has a similar electronic network. Utah is working in the wireless space, as is California and Washington.
New York City is working with us and California to put intelligence information online in a secure environment. These are a few examples.
Frankfort, Ky.: How does the Homeland Security Department plan to get all federal agencies to collaborate both between themselves and with state and local governments in developing and implementing effective GIS programs?
Steven I. Cooper: Do you think bribes will work? :-)
Seriously, the way forward is a combination of shared objectives and $$. We must find common ground that state and local governments need every day to run their environments, that we could use in case of a terrorist incident. This way we have a win-win for the fed/state/local/tribal governments.
St. Louis, Mo.: What's the procedure for new tech companies to get 'on the radar screen' of your science and tech group?
Cynthia L. Webb: Steve, we have a lot of questions along these lines. What's the secret, if any, to get face time with the right decision makers?
Steven I. Cooper: Two ways for you to get noticed: Submit information via the TSWG (tech support working group), which is a group specifically under contract to our S&T directorate to evaluate technologies. For information technologies, my office has a Web site -- http//vendors.dhs.gov -- to submit ideas and information.
Cynthia L. Webb: Can you tell readers if there is an e-mail or Web site within DHS that is best for sending proposals? Or should they just be on the look out for RFPs?
Steven I. Cooper: Watch fedbizopps.gov for RFP and RFI requests. Watch vendors.dhs.gov for information technology specific to the department. Also, go to firstgov.gov and query on the technology or information technology that you might be interested in. That will also provide info about who might be looking for this type of offering.
Alexandria, Va.: What types of technologies is DHS using to gather information on the Internet for terrorist activity monitoring and/or cybercrimes? Also, how is this being accomplished -- is it automated or are mass personnel involved in Web crawling daily?
Steven I. Cooper: We are using several commercial products, like autonomy for open source review of data on the Web. We also have several tools that are used in our intelligence environment to collect, assess, aggregate, and analyze data. We are looking at several new and emerging technologies, like SRD's Nora software to find non-obvious relationships. Tacit Software has unique collaboration software that we are reviewing. These are just a couple examples, and are not an endorsement of the product or company.
Arlington, Va.: People should be aware that you can spend millions of dollars on IT security and safeguards and one untrustworthy person can compromise the whole system. The person can be a disgruntled employee or an agent of a foreign government. A good personnel security program needs to go hand and hand with IT security efforts or the money spent is wasted. Finding a human to compromise an IT network is usually cheaper and easier than using technology to penetrate a network and any security systems.
Cynthia L. Webb: Mr. Cooper, this is an interesting point. What do you make of the threat of individuals on compromising the integrity of our nation's critical IT infrastructure?
Steven I. Cooper: I would agree that it is always a risk. However, all personnel working in the department, including contractors, must pass a security clearance and additional reviews and background checks depending on level of clearance. While not perfect, we are comfortable we have an adequate level of precaution and review regarding our people.
Dawson, Texas: I have been watching the Bush administration's key players in cybersecurity resign as the CyberSecurity Plan was reduced to advisories. Is there any way that companies outside DC can actually get to speak with these members or other decision makers to provide input on cybersecurity issues?
Steven I. Cooper: Yes to those still in government. You can send an e-mail to email@example.com and I'll help route it to the correct people.
For those now in the private sector, like Dick Clarke, you can probably find him on the Web.
Waltham, Ma.: I am the CEO of a software company that provides an information sharing platform that is already deployed by two different branches of the U.S. military. Given all the "noise" around the new Homeland Security Department, can you explain how a provider that is already on the GSA schedule should contact the Homeland Security Office?
Steven I. Cooper: Send us info at vendors.dhs.gov. Let contracting officers know of your current contracts and work. Meet with the business units as you are able to.
Cynthia L. Webb: On the questions concerning state and federal interaction, a lot of states are in the midst of dire budget crunches. There has been concern from some that DHS IT-related funding will be tied to matching grants at the states -- money that some states are short on. Any insight into ways states can bolster their IT operations with limited resources?
Steven I. Cooper: We've been working this across the state CIOs to look for shared opportunities to leverage pooled funding. We haven't actually done one yet, but believe this may be a way to leverage dollars and get results that can be shared by many.
We are also building into federal contracts the ability for states to use our contracts and the deliverables.
St. Louis, Mo.: Are we still facing the potential of a "Digital Pearl Harbor?"
Steven I. Cooper: We believe that while this is a possibility, the probability is relatively low.
We believe we have done a lot in the federal arena to provide multi-layered security for our digital environments, and continually 'red team' our networks and applications to find vulnerabilities.
Miami: Is there any truth that new laws permit the Dept. Of Homeland Security to access medical records of Americans and non-citizens here? There is a rumor spreading that new consent forms for medical diagnosis and treatment have the provision that we must also consent to releasing our test results and medical records to the Dept of Homeland Security.
Steven I. Cooper: None whatsoever. This is a myth.
Annandale, Va.: Much of the department's work will deal with information sharing between and among agencies. Yet, federal agencies have been notoriously lax in establishing strong controls on who has access to what. How will the department manage access controls across its IT systems?
Steven I. Cooper: We are working jointly with several federal agencies in key areas: DHS (Dept. of Homeland Security), Justice and Treasury are creating the integrated wireless network.
We're working with HHS and Energy in the biological, chemical, and radiological arena, as well as with the Pentagon.
We are also moving to a single identity credential and smartcard for both physical and logical access to facilities, digital envornments, and data
Crystal City, Va.: Are you hiring?
Cynthia L. Webb: Steve, another reader from Capitol Hill writes a similar question: Are there many job opportunities at the moment with the tech side of DHS? On the OPM site there didn't seem to be a huge number of available jobs for computer folk.
Steven I. Cooper: There will be. We are in the process of doing a skills inventory across IT within the department. We hope to be complete this summer. This will help us identify skills gaps and we will then look to hire. These jobs will be posted on OPM's site and our dhs.gov site.
Alexandria, Va.: Good afternoon, Mr. Cooper. Thanks for talking with us today. I'm curious about intelligence sharing -- we have a million systems that collect billions of pieces of information. That's not even necessarily a bad thing. In fact, shouldn't we try to keep a lot of our "lists" and information resources on separate systems in case a cyberattack brings down, say, one type of server but not another?
Steven I. Cooper: We actually keep information compartmentalized for both security and privacy reasons. We bring data together only as needed for specific business purposes, all with full legal compliance to protect privacy and to accomplish the mission.
Arlington, Va.: What will you be doing to work with the Office of Management and Budget about funding projects that consistently fail to meet security standards?
Steven I. Cooper: We are graded by OMB on information security. If we receive a 'failing' grade, we are accountable to fix the problem or risk losing funding for that initiative.
Richmond, Va.: What are the primary challenges you are facing trying to integrate such different organizations, or are you only trying to achieve interoperability as opposed to integration?
Steven I. Cooper: Good question. In the short term, we'll go with whatever we can do quickly and safely (meaning limit any harm to mission capability and delivery of service). Longer term, we are moving to simplify and unify our IT world -- this means both integration and replacement with single solutions.
Cynthia L. Webb: We have a lot of questions here about information sharing amongst departments. Related to that challenge, how do you deal with breaking down long-standing practices of government agencies keeping to themselves and in some cases, refusing to share information for fear of losing control of their turf?
Steven I. Cooper: We've actually made good progress here. We've been using technology that enables us to share information without the owning department or agency losing control of their data.
In some cases we are using data marts; in other cases, we are using extract software that pulls data based on selection criteria and brings it together only for a needed period of time, then deletes the extracts.
San Francisco Calif.: Your department asked companies to send you a list of their company's critical assets and how they can be attacked. But I think it can fall into the hands of terrorists and this information would help terrorists learn the easiest ways to do the greatest damage to our economy and country. What is being done so your databases are not hacked or to keep someone within your department from selling it? I am a retired federal employee and I know that some federal employees have more integrity than others. But because there is a risk that this information can get into the hands of terrorists or hostile foreign governments, why is your department collecting this information?
Steven I. Cooper: we're interested in jointly understanding what risks and vulnerabilities exist in our critical infrastructure...we don't have to hold this under federal control, and in many cases, are not...we are using the ISACs (information sharing analysis centers) to gather this info and discuss risks and find solutions. The ISACs are self governed and are staffed by the private sector with federal participation.
We are also doing everything we can to ensure the security of federal threat databases, because the data is segregated and secured, we are comfortable that it is sufficiently protected where it does exist.
Arlington, Va.: How does the DHS work with the CIA and FBI in evaluating new technologies? Is there someone or a group of people within your department that coordinates these evaluations?
Steven I. Cooper: Yes, my office and science and technology both interact with the CIA and FBI in this type of evaluation. We also interact with In-Q-Tel, the CIA's venture capital arm.
Our science and technology directorate will also be establishing a research projects unit to expand this type of assessment.
McLean, Va.: Could you comment on your opinion as to the usefulness of standards such as XML (extensible mark up language) and Topic Maps to assist in the development and evolution of an IT architecture that integrates diverse systems across agencies?
Steven I. Cooper: Extremely useful. We have XML working groups underway in criminal justice, law enforcement, public safety, and are getting started in public health. We need to expand this work, and speed it up.
We are linked to the National Institute of STDs, and to external STD groups in geospatial and wireless arenas as well.
Vienna, VA: What are your plans for the disaster management e-gov initiative, disasterhelp.gov? Does the government want to obtain the best that industry has to offer by competing this work through an open solicitation? Thanks!
Steven I. Cooper: We want to gain the best, and will offer competitive procurements to help us add new capability to disasterhelp.gov.
Cynthia L. Webb: Here is a link for In-Q-Tel, the CIA-related venture capital outfit: http://www.in-q-tel.com/
Burke, VA: What role do you envision Small Businesses (HUBZones, veteran-owned, women-owned, 8(a), etc.) playing in DHS' IT management, integration, acquisition and outsourcing for new technology solutions?
Steven I. Cooper: We've begun conversations with the SBA to target small business for the department. We'd like to increase our knowledge of who's out there, what they have to offer, and how we can apply it. We will also be using small business set-asides in many of our procurement actions.
Falls Church, Va.: A new General Accounting Office report criticized the watch list system this week. When will you be consolidating the watch lists and how will you go about the consolidation?
Steven I. Cooper: We're actively working on this, and will have updates to share in a relatively short time.
Washington, D.C.: For companies that have technologies beneficial to homeland security but also seek opportunity in foreign markets, how do you recommend companies reconcile this and do you recommend that these companies meet with someone in homeland security before discussing sale of these technologies to foreign governments and entities?
Cynthia L. Webb: Steve, for readers not up on this, can you also explain if there are mandates that limit foreign vs. national work by companies working with your department?
Steven I. Cooper: In some areas there are limitations, particularly in classified work. In other cases, i recommend that you also talk with the commerce dept for guidance on doing business with the dept and in foreign markets
Reston, Va.: Has DHS standardized on technology platforms, e.g. Oracle for their database technology ? And also is DHS exploring using Open Source technologies for their IT infrastructure ?
Steven I. Cooper: We are looking to move to simplify our environment and move to fewer where possible. This both saves the taxpayer money, simplifies maintenance and support, and makes it easier to add new capability. We use Oracle widely across the department, and will be evaluating and using open source technologies.
Arlington, Va.: Mergers are notorious for creating security holes in systemwide architecture. How much attention is being paid to securing the disparate systems that are now being folded into the Department of Homeland Security?
Steven I. Cooper: a significant amount...all major applications are being reviewed and we have launched a dept wide information security program to accredit all of our systems
Forestville, Md.: How are you assessing business continuity and COOP plans? Will there be any outsourcing opportunities in those areas (hint)?
Steven I. Cooper: Yes and yes.
Falls Church, Va.: What's the projected fiscal year 2004 budget look like for IT spending at Homeland Security Dept? How much does the president want? How much does Congress want to give?
Steven I. Cooper: The president's budget requests about 3 billion for IT spending across the department. I can't predict how much Congress will or won't give. :-)
Independence, MO: What do you say to a person like myself who finds this business of homeland security troubling. I see many things that raise my level of concern about individual privacy and at the same time, I see major cutbacks in airport security that not long ago, were hailed as so important. Then there is all the fuss over duct tape and plastic as a way to safeguard from chemical attacks. It seems like one giant organizational mess. Personally I fear it more than I find it comforting.
Cynthia L. Webb: This reader poses an interesting thought. What is your response to people that worry about the red-tape a department of your size can have, as well as those that have privacy concerns of an agency tasked with so much information sharing?
Steven I. Cooper: My 16-year-old daughter shares your concern, and advises me of this every day.
We are safer than we were a year ago. The number of al Qaeda operatives that have been detained and arrested is significant, as are other terrorist arrests. There have been no incidents in the U.S. since 9-11-01. We are doing a great many things right and the country, you, and your family are safer that a year ago.
Having said that, we are also acutely aware that we have more to do. We are not letting red-tape get in the way of the things we must do quickly to make us all safer. We are addressing chemical and bioterrorism, and have increased our detection capability across the country and at points of entry.
Cynthia L. Webb: We've covered a lot of topics today, but can you give readers a few primers of what's top on your agenda in the coming months?
Steven I. Cooper: Complete our enterprise architecture and road map. Integrate the watch lists and push out to local law enforcement. Create an information exchange environment with the first responder community. Share threat and intelligence information with local law enforcement. Determine and model critical infrasturcture risks.
Cynthia L. Webb: Our chat flew by. Unfortunately, time is up for our discussion today. Steve, thanks again for covering so much information. We look forward to having you back online again in the near future to update washingtonpost.com readers on the progress of your work at the DHS.
Steven I. Cooper: Thank you for this opportunity. I am sorry I could not answer all the questions.
Automatically Update Page | Get New Responses | Submit Question
© Copyright 2002 The Washington Post Company