Interview on "Ask the CIO" with Jeff Clabaugh

WTOP: Let’s talk about the OpenSource project. What was it that so many employees didn’t have until recently? What was it that this project addressed?

MORRISON: Until recently, our employees at the State Department – and there are over 40,000 of them all over the world in embassies and consulates – didn’t have Internet access on their desktops. It was mainly an issue of security. As you can imagine, we have some sensitive information on our systems at the State Department. We were very nervous about opening up to the Internet unless we could be absolutely assured that all of our sensitive information was going to protected. Also, since our embassies and consulates are frequently located in out-of-the-way places, there was insufficient bandwidth for people to cruise the Internet.

WTOP: So how did the project address that? First of all, give me a kind of technical road map of what it was you set out to do?

MORRISON: Secretary Powell –  when he took over as Secretary of State, and as he always reminds us as Chief Executive Officer of the State Department –  was very concerned to give all the employees the technology tools they needed to do their job. So one of his first orders to us was to give safe Internet access to everyone. We developed a very thick security checklist. It’s as thick as the Manhattan telephone directly. And we made sure that all of our installations worldwide went through and ensured that their security was up to snuff. This involved things like checking configurations, ensuring that password policy was conforming to standards, and other security regulations were being followed. Then we also had an aggressive program to purchase bandwidth for some of our far away missions and consulates. As you can imagine, it’s easier to say these things than it was to do them. But I’m happy to report that after 18 months of work, as of the end of May 2003, over 43,000 of our employees worldwide now can cruise the Internet from their desktops.

WTOP: I don’t think you need to be shy about this next part. It’s certainly something worth bragging about. Two things you don’t hear very often, and that is “on time” and “under budget.” How did you manage to pull that off?

MORRISON: First off, I have to say that we benefited from the very beginning from top management attention. I had to report to Under Secretary for Management Grant Green and other top Department officials on a monthly basis. It is surprising how when you have to be accountable for your monthly targets, how you are really motivated to get the job done. Also, we had very experienced project managers. We went out and found the best people that we had in the State Department, took them away from their regular jobs and put them in charge of this project. Finally, I must say that the overall environment was very good. The last 18 months have been times when prices were falling. PC equipment as well as bandwidth was getting cheaper, so I don’t want to claim all the credit. We got a big assist from the economy.

WTOP: Did the war in Iraq have an effect on the timetable for this project?

MORRISON: We were affected by the war in Iraq as well as the earlier conflict in Afghanistan. We had to be very nimble in redeploying some of our installation teams because certain posts that were scheduled to be visited for installation would suddenly become too dangerous to go to. So we had to always be prepared to change our schedule on a moment’s notice. We often did this luckily with more than 250 different posts and another 70 or so domestic locations in the United States. We were always able to keep our teams going.

WTOP: I’m fascinated by the use of these roving installation teams. I’ve seen them called “tiger teams”. Is that the concept that you used, why did you use it, and is it something that could be used by other government agencies on other projects?

MORRISON: When we first started the project, we expected that each embassy would go through out security checklist and do the work themselves. But we quickly found that people were too busy with the normal press of business or didn’t have the proper IT security expertise. So we quickly concluded that we would have to form tiger teams here in the United States that would go out and visit the different embassies and help them meet the security standards. It turned out to be a resounding success. In fact, I have heard Mark Forman say that we might think of this idea for other installations government-wide. That is not have every agency go up the learning curve on every bit of technology, but once someone becomes expert, spread that expertise across the government. We of course think that’s a very good idea.

WTOP: Were these installation teams comprised of private sector contractors?

MORRISON: Oh yes. We would have at least one government employee heading the team. But the majority of team members were private sector contractors. Since this is an 18 month crash effort, we really couldn’t field the teams out of our existing government employees. We had to ramp up. And now we’ve ramped down now that the project is over.

WTOP: Those are some very interesting assignments for some private sector employees.

MORRISON: Yes, quite a few of them have written to me or e-mailed to me about their experiences. Many had never been out of the United States before. They became very familiar with traveling in Third World countries, getting visas, negotiating in foreign languages and learning how to be international representatives of the United States.

WTOP: You’re working on a classified network as well. Can you tell me a little bit about that project and maybe it’s timetable also?

MORRISON: I’d be happy to. Secretary Powell also wanted the people who are working on classified information to have modern PC and LAN equipment. That was no less a priority for him than giving people Internet access. So we have started up a $200 million project to give all of our people who are working on the classified side modern PC LANs. That project is scheduled to be completed at the end of September 2003. Also, it will be under budget and about three months earlier than we had originally estimated.

WTOP: If I could ask you a few questions about security, if you had to say what keeps you awake at night, what would it be?

MORRISON: I constantly worry about what I don’t know. The State Department has multiple layers of defense. We have firewalls, we have intrusion detection devices. We even give away for free anti-virus software for employees to take home and put on their home PCs so that they don’t inadvertently introduce a virus from home. But you never know. Somewhere some 14 year old is sitting there programming the killer virus. You always have to be alert. It could happen any time of the day or night. I know since January we have had over 155,000 instances of malicious code turned back at our fire walls. So it’s always out there. I’m also very nervous because our major systems have not been certified and accredited. We have over 150 major systems at the State Department, and none of them have been certified and accredited. We are now on an 18 month crash course to get that done. We’re working very closely with the Office of Management and Budget and with the National Institutes of Standards and Technology to accomplish that. But until that’s done, I’m worried that there may be some problem in one of our systems that none of us are aware of.

WTOP: I know you will speak to this issue this week, so it’s a good question to ask you. What do you think the concrete, the tangible results have been to date from the Federal Information Security Management Act?

MORRISON: You’re right. I have to testify tomorrow, so I appreciate you helping me prepare for that. The biggest positive result of the Act is that it has focused top management attention on this issue. Once again, what gets reported gets improved. Now all of the agencies have to submit quarterly reports to OMB and also now to Congress. My other colleague CIOs and other managers above me are really focusing their attention on improving IT security. For example at the State Department, the program to certify and accredit all of our systems will cost around $50 million. That’s a big check to write, but management here was very happy to write it because we have to tell OMB and Congress how we’re doing. We certainly don’t want to report that we’re not doing our duty.

WTOP: Let me ask you just one more question that I’m not sure gets enough attention. It has to do with private sector and its role when it comes to IT security for the government. After all, it’s the private sector that owns the lions’ share of this nation’s infrastructure. What is their responsibility?

MORRISON: The private sector has the biggest role to play in IT security. As you said, we really depend on the private sector telecommunications to ensure the continuity of our operations. We also get most of our firewall and anti-virus and other security software from the private sector. For instance, we have automatic downloads of anti-virus software so if a new worm comes out at two in the morning, the code to combat it is automatically downloaded. We couldn’t do that in the government. It really depends on the private sector to provide this vital protection. We also depend on the private sector to help us as we implement our security programs. As I was saying before, the security upgrades we performed in connection with putting the Internet on everyone’s desktops couldn’t have been done without the participation of the private sector people who formed the bulk of our tiger teams.

WTOP: Is there anything that we didn’t talk about that you had hoped to get to?

MORRISON: I just want to again say how grateful all of us at the State Department are to Secretary Powell for coming here and getting us the resources to significantly upgrade our technology. It has made a huge difference. For me, it all comes down to things like getting an e-mail from my old friend Aurelia Brazeal, our Ambassador in Addis Ababa, Ethiopia. She e-mailed me that only a few hours after getting Internet access in her Embassy, they were able to order some material over the Internet at a substantial savings. Previously, they had to purchase the materials locally at quite a premium price. But she said “I just save the taxpayers $2,000 thanks to having Internet access on the desktop.” To me, it all comes down to things like that. Giving people the tools to do their job.

[End]