Kundra Reflects on His Federal CIO TenureEx-Fed CIO: IT Security Isn't the Enemy of Government Efficiency
In the paper, the new fellow at Harvard University's John F. Kennedy School of Government discusses his immigration to the United States at age 11, learning English by watching "Three's Company" and his drive to give back to his adopted country through public service. Besides the White House, over the past decade Kundra held top government IT positions in Arlington County, Va., the District of Columbia and the Commonwealth of Virginia.
Much of the paper discusses his thinking behind e-initiatives he fostered in the federal government, programs he feels have helped make the government become more efficient and its IT safer. More than 600 of the 4,400-plus-word treatise focused on securing government IT systems and how cybersecurity isn't the enemy of government efficiency.
"Too often this focus on security has been used as an excuse to prevent the government from adopting the sort of innovative technologies that could better serve and engage the American people," Kundra wrote. "What's true is the inverse: Done the right way, using more nimble, flexible, modern technology enhances security by freeing the government from decaying infrastructure and custom-made applications written in obsolete computer languages even pre-dating the personal computer revolution."
Kundra cited a State Department initiative to move toward continuous monitoring of its IT systems, and how it eliminated wasteful spending, such as the $133 million spent over six years on 95,000 pages of security documentation - or roughly $1,400 per page - that were outdated a few days after being published.
"Just as a stack of documents wouldn't help us solve vexing IT management problems, we can't rely on them for security," Kundra said, noting that during his 2Â½ years as federal CIO, the administration began to shift away from paper-based reports to real-time data feeds that enable continuous monitoring and remediation, resulting in agencies identifying vulnerabilities and responding to cyberthreats faster.
Kundra wrote of model legislation developed during his tenure that focuses on three key areas: Safeguarding the personal data of the American people and enhancing their right to know when it has been compromised; protecting national security by addressing threats to America's power grids, water systems and other critical infrastructure; and helping the government protect federal networks, while creating stronger privacy and civil liberties protections that keep pace with technology. None of the legislation has been enacted, though some of the initiatives' goals have been achieved through administration directives.
Data Breach Notification
"When a bank's account records are hacked, or a company accidently posts customer information in an insecure forum, the exposure of sensitive personal information can put Americans at risk for identity theft and other harms," he said. "Time is of the essence in such cases - the sooner you know about a data breach, the sooner you can notify customers and take preventive measures to limit the damage."
And, he addressed the administration's backing of a national data breach notification law to replace what he characterized as "a Byzantine patchwork of 47 different state notification laws. Streamlining these into a national policy would simplify and strengthen reporting requirements, not only ensuring that notifications reach all affected Americans, but also incentivizing organizations to have better data security in the first place. Whether we're talking about government IT spending or private sector data breaches, sunlight remains the best disinfectant."
Strengthening criminal penalties for hacking into systems - whether government or private sector - and finding ways for companies and government to voluntarily share information about cybersecurity threats and incidents without compromising privacy remain essential, he said.
Kundra cautioned against using cybersecurity as a way to hide government activities. "Security is used too often as an excuse to justify the government operating in a closed, secretive and opaque manner," the former CIO said. "So even as we work to advance the cybersecurity posture of our nation, we can't allow security to be a barrier to innovation and to engaging the very people we serve."
President Obama named Kundra the government's third administrator for e-government and IT in February 2009, giving him the additional title of federal CIO, and the added influence that goes with the new moniker.
"You can only imagine how excited I was when the president appointed me as the nation's first chief information officer," Kundra recalled. "On a bright February day, the previous morning's dusting of snow melting on the ground, I arrived at a White House that was, as the Washington Post put it, 'stuck' in the dark ages of technology. In their words, 'If the Obama campaign represented a sleek, new iPhone kind of future, the first day of the Obama administration looked more like the rotary-dial past.'"
Kundra left the White House during the dog days of August, laying a foundation for that new kind of cyber future, but leaving it to others to make sure it gets built.