FISMA Author on Reform: Former Rep. Tom Davis
With a strong reputation as a lawmaker who worked well with Democrats, the Virginia Republican is now director of Federal Government Services at the consultancy Deloitte. In this exclusive interview, Davis:
Tom Davis represented Virginia's Washington suburbs where many government workers live and government IT and defense contractors have offices. Before becoming chairman of the Government Reform Committee, Davis chaired several subcommittees, including the Subcommittee on Technology and Procurement Policy.
Davis has also served as a co-chair of the Information Technology Working Group, which promotes a better understanding among members of Congress of important issues in the computer and technology industries.
ERIC CHABROW: Hello, this is Eric Chabrow of the Information Security Media Group. Today we are talking with Tom Davis, the recently retired Virginia congressman who is now Director of federal government services at the consulting firm of Deloitte. Before leaving Congress last November, Davis was one of the most powerful members of the House of Representatives and when the Republicans were in the majority, he chaired the House Government Reform Committee. That panel provides federal government information technology oversight. He also authored a number of IT related laws, including the Federal Information Security Management Act, or FISMA. Welcome, congressman.
TOM DAVIS: Yeah, how are you?
CHABROW: Fine, thank you. How well has FISMA served the federal government since its enactment in 2002?
DAVIS: Well I think we are ready to take it to the next stage at this point, but at the time I think it took it to a level where you created an awareness in the department, you created some appropriate awareness within it and some guidelines for them to follow and we followed it up with the grades, and I think as a result of that we made some improvements.
That was years ago and I think we are ready now, and we have been ready, to take it to another level.
CHABROW: A result of FISMA were the scorecards that the White House Office of Management and Budget used to grade departments and agencies on how well they secured their IT systems. How useful were the scorecards and how could they be improved?
DAVIS: I would tie it to appropriations, I think. You have got to get the appropriators involved in this or I think otherwise there is no and you have got to make sure that this comes down from the top from the president that this is a priority. I get the feeling sometimes that everybody is hoping this won't happen on their shift. They are not getting additional dollars in any of these cases, they try to secure your networks but without any additional money they have a lot of other missions that they are trying to accomplish and you get no credit for doing anything here. It doesn't help you accomplish your mission, and you are trying to make sure you don't get a cyber attack, but you don't get any credit if an attack doesn't come whether you put FISMA or not and you are just taking the chance that it doesn't hit on your watch. Now, though, we are getting more and more penetrations and I think people are starting to get worried.
CHABROW: Would that mean that there will be more money as we get worried?
DAVIS: I think you can see it's more money, but you've got to tie that to results, you have got to tie that to the appropriate incentives. I think they are going to get more money now. I think everybody understands how serious this is. You've got members of Congress having their websites that have been penetrated.
CHABROW: How do you justify the expenditure?
DAVIS:. If you were to get a cyber attack tomorrow in one of these departments and they had not done what they needed to do, the world would be crying out and they would not just be yelling for heads they would be bayoneting the wounded.
This is something that I think that once it occurs it is like 9/11, "Well, why don't we check people more at the airport?" Well, if nothing happens nobody cares, but once something happens everybody is going to be looking for heads to roll.
What FISMA did is it gave the appropriate notification that this is serious and you have to do certain things. I think at this point you need to start testing these systems. I think we are going to have to contract them and start testing some of these systems to make sure that they are what they purport to be.
CHABROW: Continue with the scorecards or go to a different way of just measuring how effective the processes they have put in place?
DAVIS: I think measuring the processes.
CHABROW: So, a new form of metrics. Get rid of the scorecard? DAVIS: Yeah, I think you need a new metrics at this point and I think you need to tie it to appropriations.
CHABROW: What does that mean, "tie it to appropriations?"
DAVIS: That means the appropriators need to be involved in this kind of case. People may check the boxes, but you are not going to get the appropriate actions taken without some additional appropriations. This takes money. You jut can't take this out of existing accounts and expect managers to be able to handle the job. They may check the boxes but they are not going to be able to make the kind of improvement that [are needed].
CHABROW: Does the stimulus package offer contractors that serve the federal government work in cybersecurity?
DAVIS: No. You know we looked at that and we talked about it and it just didn't happen. There was talk about it but when you look at the package you don't see it.
CHABROW: Is that a disappointment or do you think this is just not a stimulus-type of thing?
DAVIS: Looking at everything else they did stimulus with; absolutely, it should have been there. But, it could have qualified, it's up to them but they didn't. The answer is they didn't put anything in.
CHABROW: Beyond the stimulus package, the Obama administration pledges more money for information security. How would you access the current climate regarding the contracting of government information security work to the private sector? Are the contractors ready?
DAVIS: I think the climate is there. I just think what you have to have is you have got to have somebody at the federal level take accounting of this and enforce it and that is not happening right now.
CHABROW: Does that surprise you that it is not happening now? DAVIS: No, it hasn't happened for years. I'm not going to blame the incoming administration, but this stuff doesn't just happen.
CHABROW: People say that this administration is taking security seriously with the 60-day study going on right now.
DAVIS: I didn't say they haven't, I just said they have only been in a few days and they didn't have any money in the stimulus for it. You asked, "Could they have done it?" Sure, they added everything else in the stimulus.
CHABROW: Why is information security, information management bipartisan where it seems like almost everything else isn't?
DAVIS: There are a lot of things that are partisan and a lot of things that aren't partisan, but I think when it comes to securing the homeland on something this is one, that Republicans and Democrats, I think, come together and realize that something has to be done. The problem is where are you going to get the money and where are you going to take it from.
I was disappointed that they didn't have it in the stimulus package with all the other things that they put in, but perhaps they were waiting for the study to come by. They understand that it is a real problem. You will find agencies that will comply, that may end up with a cyber attack and they won't by FISMA compliant, and then you start looking at this and tracing it you will see that nobody enforced this stuff. That is going to be bad and then heads will roll, but you hope that you stay out ahead of this thing and it won't take a cyber Pearl Harbor.
CHABROW: I was talking to Paul Kurtz (former Clinton and Bush administration cybersecurity advisor) and he mentioned to me that one of the problems he sees, and he thinks it is a major problem, is that heads don't roll.
DAVIS: They don't roll now but that is because you haven't had a cyber attack. When you have a cyber attack heads will roll real quick. After 9/11, they are just trying to do who do you blame and it gets ugly really quick after that. But, at this point, heads don't roll because there is no enforcement.
CHABROW: Is it OMB responsible for enforcement or someone else?
DAVIS: I think more than anybody else, yes. OMB is the one that is really responsible at the end of the day for doing this. And, in Congress, it is very diffuse over who is responsible and who isn't. You have a lot of different committees that claim jurisdiction, but nobody is in charge. I think it has got to be centralized. It is still very stovepipe and we are going to have some cyber attack somewhere and there are going to be some damages done and at that point people are going to what to know what have you done about it. A lot of us have been screaming about this for years, Republicans and Democrats, but at the end of the day you can't legislate this stuff because it comes from the executive branch. Hopefully, after they have finished their study at this point they will put some money behind this. That is our goal and that is the hope.
CHABROW: Do you know how much money it would take?
DAVIS: It's never going to be perfect, but I mean you are talking billions. But what do you mean by take; nothing is ever completely safe because people continue to be innovative in terms of the way they approach this, but they are clearly vulnerable right now.
CHABROW: The Cyber Security Commission for the 44th Presidency calls for an Office of Cyberspace. Do you think that is something that is needed and that is the kind of person who would need to take charge or if that is not what you are talking about?
DAVIS: That would be fine with me. Somebody has got to be accountable somewhere and right now it is still very, very diffuse and is agency by agency. Do you know what I am saying?
CHABROW: Are you concerned that the economy and the problems we are having there are just going to take attention away from cybersecurity?
DAVIS: You are competing for dollars and priorities at this point. Let's let them finish the study and see how they act, but you know, at this point we are not where we need to be and I think everybody understands that.
CHABROW: Thank you very much.
DAVIS: No problem. Thanks.
CHABROW: That was retired U.S. Representative Tom Davis, the author of FISMA. I'm Eric Chabrow of the Information Security Media Group. Thanks for listening and join us for our next podcast interview.,