Paul Kurtz: Heads Must Roll When IT Security is Compromised
Too often in government, no one is held accountable when a serious breach occurs, Paul Kurtz says.
In this exclusive interview, cybersecurity expert Paul Kurtz, chief operating officer of Good Harbor Consulting, explains:
Paul Kurtz served in senior positions on the White House's National Security and Homeland Security Councils under Presidents Clinton and Bush and advised President Obama during the transition. Among his government posts: senior director for national security of the National Security Council's Office of Cyberspace Security; member of the president's Critical Infrastructure Protection Board, where he developed the international component of the National Strategy to Secure Cyberspace; and director for counterterrorism in NSC's Office of Transnational Threats.
ERIC CHABROW: Hello, I'm Eric Chabrow with GovInfoSecurity.com. Paul Kurtz is chief operating officer of Good Harbor Consulting. Before joining the security consulting firm in 2003, Kurtz served in senior positions on the White House's National Security and Homeland Security Councils under Presidents Bill Clinton and George W. Bush. He also advised Barack Obama during the transition. Thanks, Mr. Kurtz, for taking time to talk with us today.
PAUL KURTZ: No problem.
ERIC CHABROW: You have noted that, the way federal agencies are currently governed, no one individual is ultimately responsible for information security. Shouldn't the job of chief information security officer become a statutory office, and if so, to whom should this CISO report?
PAUL KURTZ: The bottom line behind that is accountability. Someone in each federal agency has to be accountable and you could leave it to the discretion of the secretary or the director of an agency, but ultimately a senior level person must be accountable for the information system. That has been a huge problem. In fact, I would call it the biggest problem that we have across federal agencies.
ERIC CHABROW: Why is it a significant problem?
PAUL KURTZ: Well, because when we have significant breaches and significant problems, we often find that there is a policy out there and that people aren't following it. And, if people were following the policy or there was enforcement within the agency, we would have far fewer problems. So it means someone is not doing their job and so you have to have accountability.
Now is it the CIO? Is it the chief security officer? Is it the undersecretary for management? Is it the secretary or the director for the agency? Someone's got to be accountable at a senior enough level that they are actually able to call the shots. So, in other words, accountability needs to rest with the person who's calling the shots on the overall spin and strategy to protect the information infrastructure.
That leads you to ... okay, you are really probably talking about chief security officers, or you are talking about a CIO or you are talking about the undersecretary for management in whatever agency it is.
Say, for example you drill down in a place like the State Department. You have several entities within State that touch the IT system; you have information resources management (IRM), you have diplomatic security (DS), and none of them really fully call the shots as to what people are spending and what their enforcement mechanisms are in order to address IT.
You can't necessarily say it is IRM's fault or DS's fault; you have got to go north of that in the chain so you actually find that person who is ultimately accountable. That is how it needs to be done, so there is a criteria that probably needs to be written and you have a criteria for who that entity/person must be, and they have to have full knowledge and authority over what is happening on the IT systems. Or, you do the statutory mandated chief security officer, which shall have the following responsibilities. I will leave it to Congress and others to figure out which one is better.
ERIC CHABROW: Should the statutes designate a specific position (an undersecretary, CIO, the CISO) to be ultimately responsible for information security?
PAUL KURTZ: The statute should address accountability and the consequences for not being compliant with whatever the federal standard is. In other words, people should lose jobs. If they are not doing their job, if they are not meeting the federal standard, they should lose their job, at a very senior level.
ERIC CHABROW: I read these GAO reports and get the impression that people don't lose their jobs in government. Is that a wrong impression on my part or is that true when things don't work out?
PAUL KURTZ: No, it's very true, unless they are shamed into it. Take the VA laptop issue (a burglar in 2006 stole a government laptop containing personal information on 26.5 million individuals from the home of a Veterans Affairs employee). Ultimately people left, not because they were fired, but because they were shamed into it. They had to get themselves out of the news so someone stepped down. But people don't lose their jobs.
ERIC CHABROW: What is it about government that people don't lose their jobs?
PAUL KURTZ: That's not just typical to the IT space; that's acknowledged across government. It's very difficult to relieve people of their duties from federal service. Often, they are moved to another part of the federal government or another part of the agency where they no longer have responsibility for the area where they screwed up. That has always been a problem for taxpayers; they don't see accountability, they don't see people who have made mistakes relieved of their duties and having to go out and find another job. That creates a lot of positive enforcement ... not positive enforcement, but it helps people understand that if they mess up then they are out of a job. And, in the private sector, everybody has to deal with that.
ERIC CHABROW: Do you see anything in the new administration that will change that?
PAUL KURTZ: Well, I think you are certainly seeing transparency. You are certainly seeing a willingness to not sweep stuff under the rug. The president did it a couple of weeks ago when they had the problem with Tom Daschle (nominated to be secretary of Health and Human Services) and he said, "Look, I screwed up." And, Daschle ultimately took his name out. But this has to happen down at the agency level. When there are problems, people need to be relieved of their duties. Is that going to happen overnight in the U.S. government? No way. There are a lot of forces that act against that, but in this space, in the IT space, where everything we do depends upon IT, we need to create real accountability.
ERIC CHABROW: You've been listening to Paul Kurtz, one of the nation's leading experts on cyber and homeland security. I would like to thank Mr. Kurtz for spending time with us today and you for listening. I'm Eric Chabrow of GovInfoSecurity.com. Please join us again for our next podcast interview.