Kundra Reflects on His Federal CIO Tenure

Ex-Fed CIO: IT Security Isn't the Enemy of Government Efficiency
On Monday, his first weekday as the former federal chief information officer, Vivek Kundra posted a 12-page paper on his new employer's website entitled Reflections on Public Service, which covers his years working in local, state and federal governments.

In the paper, the new fellow at Harvard University's John F. Kennedy School of Government discusses his immigration to the United States at age 11, learning English by watching "Three's Company" and his drive to give back to his adopted country through public service. Besides the White House, over the past decade Kundra held top government IT positions in Arlington County, Va., the District of Columbia and the Commonwealth of Virginia.

Much of the paper discusses his thinking behind e-initiatives he fostered in the federal government, programs he feels have helped make the government more efficient and its IT safer. More than 600 words of the 4,400-plus-word treatise focus on securing government IT systems and on how cybersecurity isn't the enemy of government efficiency.

"Too often this focus on security has been used as an excuse to prevent the government from adopting the sort of innovative technologies that could better serve and engage the American people," Kundra wrote. "What's true is the inverse: Done the right way, using more nimble, flexible, modern technology enhances security by freeing the government from decaying infrastructure and custom-made applications written in obsolete computer languages even pre-dating the personal computer revolution."

Kundra cited a State Department initiative to move toward continuous monitoring of its IT systems, and how it eliminated wasteful spending, such as the $133 million spent over six years on 95,000 pages of security documentation - or roughly $1,400 per page - that were outdated a few days after being published.

"Just as a stack of documents wouldn't help us solve vexing IT management problems, we can't rely on them for security," Kundra said, noting that during his 2½ years as federal CIO, the administration began to shift away from paper-based reports to real-time data feeds that enable continuous monitoring and remediation, resulting in agencies identifying vulnerabilities and responding to cyberthreats faster.

Kundra wrote of model legislation developed during his tenure that focuses on three key areas: Safeguarding the personal data of the American people and enhancing their right to know when it has been compromised; protecting national security by addressing threats to America's power grids, water systems and other critical infrastructure; and helping the government protect federal networks, while creating stronger privacy and civil liberties protections that keep pace with technology. None of the legislation has been enacted, though some of the initiatives' goals have been achieved through administration directives.

Data Breach Notification

"When a bank's account records are hacked, or a company accidentally posts customer information in an insecure forum, the exposure of sensitive personal information can put Americans at risk for identity theft and other harms," he said. "Time is of the essence in such cases - the sooner you know about a data breach, the sooner you can notify customers and take preventive measures to limit the damage."

He also addressed the administration's backing of a national data breach notification law to replace what he characterized as "a Byzantine patchwork of 47 different state notification laws. Streamlining these into a national policy would simplify and strengthen reporting requirements, not only ensuring that notifications reach all affected Americans, but also incentivizing organizations to have better data security in the first place. Whether we're talking about government IT spending or private sector data breaches, sunlight remains the best disinfectant."

Strengthening criminal penalties for hacking into systems - whether government or private sector - and finding ways for companies and government to voluntarily share information about cybersecurity threats and incidents without compromising privacy remain essential, he said.

Kundra cautioned against using cybersecurity as a way to hide government activities. "Security is used too often as an excuse to justify the government operating in a closed, secretive and opaque manner," the former CIO said. "So even as we work to advance the cybersecurity posture of our nation, we can't allow security to be a barrier to innovation and to engaging the very people we serve."

President Obama named Kundra the government's third administrator for e-government and IT in February 2009, giving him the additional title of federal CIO, and the added influence that goes with the new moniker.

"You can only imagine how excited I was when the president appointed me as the nation's first chief information officer," Kundra recalled. "On a bright February day, the previous morning's dusting of snow melting on the ground, I arrived at a White House that was, as the Washington Post put it, 'stuck' in the dark ages of technology. In their words, 'If the Obama campaign represented a sleek, new iPhone kind of future, the first day of the Obama administration looked more like the rotary-dial past.'"

Kundra left the White House during the dog days of August, laying a foundation for that new kind of cyber future, but leaving it to others to make sure it gets built.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
