Is IT security getting short shrift?

Concerned former DOD officials call for greater use of cybersecurity metrics.

Despite the growing number of attacks on military networks, securing enough money for information assurance programs is still a hard sell at the Defense Department, former Pentagon officials say.

“It’s been the source of enormous frustration,” Linton Wells said in a recent interview in which he recounted some of the difficulties he faced during his four-year tenure as principal deputy assistant secretary of Defense for networks and information integration. Wells left the Pentagon in June to become a research fellow at National Defense University in Washington.

He said Deputy Defense Secretary Gordon England, who has significant input into budget decisions, supports boosting the military’s information assurance capabilities. But convincing senior budget officials from the military services to spend money in that area is a continuing challenge, Wells said.

“What they say is, ‘Look, we’re all short on money for things we want to buy — ships, planes, tanks, whatever. Show me how this $2 million you want to put on this today is going to turn cell C17 from red to yellow to green in 2011,’” Wells said. “And that’s often a hard thing to do in information assurance.”

Wells said officials in charge of putting together the information technology security budget for DOD’s networks need better metrics for measuring return on investment for information assurance programs. “We have not done a good job of making the case that a dollar spent here is going to lead to a quantifiable increase there,” he said.

John Garstka, director of forces transformation and resources in the Office of the Undersecretary of Defense for Policy, said quantifying the return on investment for anything in the information domain is difficult. “It only comes into play when there’s a crisis,” he said in reference to information assurance programs.

Robert Lentz, director of information assurance policy in the Office of the DOD Chief Information Officer, declined Federal Computer Week’s request for an interview. “IA is a priority for the department, but…as a matter of policy, we don’t publicly discuss internal deliberations regarding resource decisions,” DOD spokesman Air Force Maj. Patrick Ryder wrote in an e-mail message.

Former DOD Deputy CIO Priscilla Guthrie echoed Wells’ assessment of the problems involved in getting funds for information assurance amid competing military priorities. “It’s always hard to get money for IA,” she said. “It’s tough in industry, and it’s tough in government.”

Guthrie left the Pentagon in December 2006 and is now director of the Information Technology and Systems Division at the Institute for Defense Analyses in Alexandria, Va.

Guthrie said she supports efforts to develop metrics for measuring the value of information assurance — with certain caveats. If used improperly, metrics could lead to a false sense of security and encourage officials to focus only on known threats to military networks while neglecting risks not covered by those metrics.

“The challenge with metrics is that it’s easy to measure what you know, but it’s hard to measure what you don’t know,” Guthrie said. “You want to work off the things you can count, but you also need to study the things you don’t know about. You don’t want the entire bureaucracy working off the things you know.”

Members of a new panel at the Pentagon focused on portfolio management for network-centric capabilities released numbers for a six-year spending plan that starts in fiscal 2008. According to the plan, investment in information assurance represents 9.5 percent of the portfolio in that six-year period, compared with information transport at 71.6 percent, enterprise services at 14.8 percent, network management at 3.5 percent and knowledge management at 0.6 percent. Taken together, all network-centric programs in the portfolio are valued at about $100 billion from 2008 to 2013, according to the document.

Information assurance could soon get a boost with the appointment of Marine Corps Gen. James Cartwright as vice chairman of the Joint Chiefs of Staff. Guthrie said the issue is a priority for the former commander of the Strategic Command.