Homeland Security CIO calls for cybersecurity standards

Steven Cooper, the new CIO at the Department of Homeland Security, said he has had “some pretty candid conversations” with Microsoft Corp. CEO Steve Ballmer and other company officials about software security concerns.

“And I think, believe it or not, that we’re really influencing them as a community,” Cooper told a gathering of about 150 CIOs at a CIO Symposium put on in Columbus, Ohio, by the Columbus Technology Council and the Center for Information Technologies in Management.

While Cooper didn’t go so far as to say his agency is partnering with Microsoft to fix vulnerabilities in the company’s Windows operating system, he did say, “We are collaborating with them very closely with working to improve … software.”

Cooper said he met with nearly 75 government CIOs earlier this week, most of whom said their departments now have internal cybersecurity plans that include some kind of vulnerability and risk assessment, use third parties for penetration testing and have put in place some type of patch management process.

“And yes, at the top of the list was Microsoft,” Cooper said. “No surprise, I suspect. I’ve had some pretty candid conversations with Steve Ballmer and the Microsoft gang.”

On a different topic, Cooper acknowledged that the first version of his department’s national enterprise architecture, released in late September and available online or by CD, still needs work. And he asked CIOs from various industries and from state and local governments to help make it better. “Help us add the granularity from your perspective,” he said.

“How many of you would buy Release 1.0 of anything?” he said of the document. “It’s about an inch deep and a mile long. (But) the safety and security of all of us depend on our ability to rapidly get this enterprise architecture right. It really does have that magnitude of impact.”

“What do you expect folks like us to do?” asked John Deane, CIO at Dublin, Ohio-based Wendy’s International Inc.

Cooper suggested that even fast-food restaurants could help disseminate information by putting cybersecurity pamphlets on their counters. He also pointed to an initiative in which the government has appropriated US$12 million for CIOs to develop a dozen or so information-sharing pilot projects, each costing less than $1 million.

“All we’re asking initially (is) if you’d give us some kind of concept paper, one or two pages,” he said. “Just share with us what you’d like to do: ‘Here’s what we can do for x amount of dollars.'”

Cooper said he would like to deliver some business value from any pilot programs that get seed money within three to six months to show how IT can enable rapid and effective information sharing between the private, local, state and federal sectors.

Joe Gottron, CIO at Columbus-based Huntington Bancshares Inc., said it’s important to know how the department will measure progress toward its goals. “Calculating progress will help in getting people engaged and be part of that process. The task is so enormous,” Gottron said. “He (Cooper) needs to create a sense of purpose similar to that created around the Apollo 13 landing.”

Cooper said his department is using “cycle time” and information quality, admitting “those are not exactly the right matrixes. At the department level, we don’t have those (processes) in place yet.”

Jesse Jones, CIO of Columbus’ Department of Technology, asked Cooper how information submitted to the Department of Homeland Security would trickle down to state and local governments.

Cooper said he’s been working with CIO associations at the state and national levels, but he pointed out that there are 56 states or territories, 33,000 counties and 89,000 municipalities in the U.S. “I haven’t found the right organization or body that gets to all those cities and counties.”