DHS IT integration still two years off

By SHAUN WATERMAN, UPI Homeland and National Security Editor

WASHINGTON, Oct. 15 (UPI) -- The new Department of Homeland Security says it may be as long as two years before it sees significant benefit from its $2-billion plan to consolidate and integrate the computer systems of the 22 agencies that merged to form the agency last January.

Officials also acknowledge that using Windows software for all the department's PC desktops may pose a security problem, but say they are having "very serious and candid conversations" on the issue with Microsoft and have offered to help test the company's products before they are released. Microsoft executives acknowledged to United Press International that they needed to do better, said they were embarking on a major new security program for current and future software releases, and welcomed the offer of assistance.

DHS Chief Information Officer Steve Cooper told a congressional panel last week that version 1.0 of the department's information technology road map -- the so-called enterprise architecture that lays out the strategic plan for IT in the department -- was now complete and he and his staff were already hard at work on version 2.0.

The challenge, he said, was to integrate and consolidate the department's 700-plus different computer systems without interfering in its day-to-day work.

"We're literally trying to change the tires on the car while it's moving at 70 miles an hour," Cooper told the House government reform technology subcommittee last Wednesday.

He said that while there were some high priority areas -- he gave four examples, including document management and threat identification -- where he hoped for "quick hits" within six months or so, progress on most issues would take much longer.

"We need to rationalize and stabilize (the existing infrastructure) ... before we can launch new capability. ... (T)he good news is, we can add value along the way, so it's not an all-or-nothing proposition. But it will take us about 12 to 24 months to completely stabilize our infrastructure," he said.

Subcommittee Chairman Adam Putnam, R-Fla., asked about what he called the government's software "monoculture," pointing out that "90 percent of the federal government (uses) a single operating system" -- Microsoft Windows.

Over the summer, government agencies and private sector companies using Microsoft products suffered billions of dollars worth of damage from the Blaster and SoBig.F worms, which exploited defects in the Windows operating system. Some had to cease operations altogether for a time.

"How do we guard against these worms and viruses and issues that will only grow worse and more rapid as time goes by?" Putnam asked.

Cooper replied that, though he was aware of the security concerns, 80 percent of the systems his team had inherited were Windows and "the costs of changing would have been prohibitive."

Later, he told UPI that the DHS had had some "very serious and candid conversations" with Microsoft executives about the problem. He stressed that they were approaching the issue in a "collaborative" way, but said they were looking for evidence that Microsoft was working to reduce the number of security flaws in its products.

"It is about designing information security in from the beginning," he said. Patches -- extra programs designed to repair flaws in software -- are all well and good, he added, but they raise the question, "How did you not catch this internally ... before you released it?"

Microsoft's chief security strategist, Scott Charney, defended the company's products. "Software is complex and made by humans," he told UPI. But he acknowledged, "we clearly have to do better ... it's going to be a lot of work." He said the company had developed automated tools to look for coding errors that might create security vulnerabilities.

Putnam argued that government agencies could use their economic leverage to improve security standards. "The purchasing power of the federal government would be a powerful incentive."

Cooper explained to UPI that any company has to strike a balance between getting a product right and getting it out, but added, "I don't think they (Microsoft) have the balance right ... I'm saying (to them), 'I don't want you producing stuff before it's ready for prime time.'"

Charney responded, "I don't think that's a fair comment." He said that the company had already started delaying the market release of products so that a three-step security plan could be implemented, consisting of threat modeling and penetration testing -- where company programmers try to think and act like hackers -- and code review -- where possible vulnerabilities are put under a microscope.

Cooper said that the DHS had even offered to test Microsoft products before they were released. Charney said the company was excited about the offer. "We'd love to include the DHS in this," he said. Both men pointed out, however, that federal purchasing regulations put the idea at the center of a bureaucratic minefield, and neither could say for certain whether it would happen or not.

Both Putnam and Karen S. Evans, from the White House's Office of Management and Budget, emphasized the importance of IT in the new department.

"Nowhere is (information technology) more critical than for the Department of Homeland Security," Evans, the OMB's newly minted IT head, told the subcommittee. Putnam said it was the main reason Congress had voted to create the department.
