Yesterday, May 19, I was asked to provide expert witness testimony to The House Subcommittee on Management, Organization, and Procurement, Committee on Oversight and Government Reform on the subject of "The State of Federal Information Security." This was my first time testifying before Congress and was a result of several meetings last week, with various House and Senate Committees, that I recently blogged about here.
As I blogged about last week, the Federal government, both the House and Senate, is looking at a variety of legislation dealing with cybersecurity. While these initial reviews are happening at the Federal level and are focusing on government information systems, they are looking to the IT industry to provide advice and expertise as to how to ensure the security of the nation's information systems, including those of the private sector. This particular hearing involves the House's review of FISMA, the Federal Information Security Management Act of 2002, and updating it for today's evolving threats.
Below is my review of the hearing, along with several photos from the hearing. You may click on any photo to view an enlarged version in a new browser window.
Rayburn House Office Building
My day began with an 8 AM breakfast briefing in the cafeteria of the Rayburn House Office Building with the public policy staff from The Computing Technology Industry Association (CompTIA), to review my oral testimony and the questions I may be likely to receive from the Members of the Subcommittee. At 8:40 AM we went up to the second floor to the Hearing Room, room 2247.
Hearing Room 2247 prior to the arrival of the Subcommittee Members and the various staffers and observers.
The Subcommittee heard testimony from a panel of six experts: four representing various elements of the Federal Government, one witness representing a large IT business and one witness representing a small IT business, me. The panel included Mr. Vivek Kundra, the new Federal Chief Information Officer, Office of Management and Budget, recently appointed by President Obama. I have blogged previously about Mr. Kundra's appointment, which you may read by clicking here, so I was thrilled to have the opportunity to meet him and honored to be testifying alongside him. Also on the panel were Mr. Gregory Wilshusen, Director, Information Security Issues, Government Accountability Office; Ms. Jacquelyn Patillo, Chief Information Officer, US Department of Transportation; Ms. Margaret Graves, Acting Chief Information Officer, US Department of Homeland Security; Mr. Samuel Chun, Director, Cyber Security Practice, U.S. Public Sector, EDS, a division of the Hewlett-Packard Company; and me.
Mr. Kundra, Ms. Patillo, Ms. Graves, Mr. Chun and me, awaiting the arrival of Mr. Wilshusen and others before the start of the Hearing.
The Hearing was opened by Chairwoman Diane Watson, D-CA, and we were then sworn in to provide our testimony. For those unfamiliar with Congressional Hearings, the House operates on a five-minute rule, so each Member was allowed to deliver a five-minute opening statement, followed by each witness reading their five-minute oral testimony, which is extracted from the lengthier written testimony that is submitted to the Subcommittee in advance of the hearing. Because I was invited to testify just last week, as of today my written and oral testimony is not yet posted on the Subcommittee web site, but I expect that once they post the Hearing record, it will be there.
Swearing in of the witness panel by Chairwoman Watson.
Chairwoman Watson delivering her opening statement.
At this point, I need to interject a few personal comments. At my wife's suggestion, I brought our oldest daughter Hannah with me to Washington. Hannah is a senior at Portsmouth High School and an Honor Student. She will be heading off to college next year and, after discussing it, we felt this would be an unparalleled opportunity for Hannah to see how our Federal system of government works. Here is where I owe a very large and sincere thank you to Chris Kotopis from CompTIA. Unbeknownst to me, Chris had informed Chairwoman Watson's office that Hannah would be traveling with me to attend the Hearing. After Chairwoman Watson completed her opening statement and introduced the witness panel, she acknowledged Hannah for traveling to be present at the Hearing and asked her to stand and be recognized. I was completely surprised by this and immensely proud of my daughter; this incredible learning opportunity had just taken on an entirely new dimension. I quickly modified my own opening statement to thank Chairwoman Watson for her kindness in recognizing my daughter. After the Hearing concluded, as seen below, the Chairwoman continued to be quite gracious with her time, talking with Hannah about government, youth and the future, as well as inviting her behind the Committee table for a photo. What an impression to make on a High School Senior! I am sure this will be a lifelong memory for Hannah, as it is for me.
Chairwoman Watson speaking with me and Hannah after the Hearing concluded.
Ranking Member Bilbray, my daughter, Hannah Shoer and Chairwoman Watson.
Every Congressional Committee has its Chairperson, from the majority party, and then a Ranking Member, from the minority party. For this Subcommittee, the Ranking Member is Congressman Brian Bilbray, R-CA. Ranking Member Bilbray delivered his opening statement immediately following Chairwoman Watson, followed by statements from any other Members who wished to speak.
Ranking Member Bilbray delivers his opening statement.
Following the Members' opening statements, each witness then proceeded to deliver their own opening statement, which you may read in detail on the Subcommittee home page, which I linked to earlier in this post. For me, I found immediate commonality of concern with both Ranking Member Bilbray and Chairwoman Watson, specifically around the area of training and the fact that the human being IS the last line of defense in any cyber security discussion. Each witness had their own perspective, as it related to their agency, company or experience. That notwithstanding, there was widespread agreement that training needs to be a fundamental part of any legislation, if it is to be effective.
Delivering my oral testimony to the Subcommittee.
My own statements centered around ensuring that any update to the current FISMA legislation, along with any newly adopted legislation, "enhance the security of our federal systems and protect our country and its citizenry." I was asked to represent CompTIA and its many small business member companies and, by extension, the millions of small businesses in the United States that are our clients. Unfortunately, whenever you engage in a discussion about IT security, whether at this level or within a business of any size, the discussion tends to get too focused on technology. I saw this during the question and answer phase of the Hearing. We, collectively, tend to have the view that technology alone should be able to solve any problem that we face. However, without adequate and verifiable training, it is impossible for technology to do this job. During our meetings last week with various Committee staffers, we heard case after case of highly sensitive data being exposed to the Internet after someone with access to this information loaded it onto a portable computer that they brought home and left unsecured, in some cases even letting their children use the computer for games and peer-to-peer sharing software. This is a training issue, far more than a technology issue.
Responding to Members' questions during the Hearing.
I summarized my testimony as follows: "In conclusion, it is undisputed that we must protect the American public by having a security framework that guards information systems for both our federal critical systems, as well as, the private sector." I firmly believe this to be true and, after my experience yesterday, I also believe that this Subcommittee, as well as the other Committees looking into this very important issue, believe this to be true as well. I was also encouraged to hear, during the questioning period, that the Members are concerned about drafting legislation that is realistic and able to be effective. They are concerned that the Federal Government set the standard and lead by example, with a model that will be able to be replicated in the private sector, regardless of the size of the business. As a small business person myself, I am deeply concerned about this very aspect of this discussion, and I was very pleased to hear this publicly stated, on the record, and I made this feeling known. Clearly, this is not a quick or simple process. Any new guidelines will have to be very broad to properly address the wide audience this relates to. At the same time, it's extremely important that this effort creates a standard and that the Federal government does lead by example. Otherwise, as I have stated before, there is a very real danger that we could wind up with competing or conflicting standards at the Federal level and within each of the 50 States. That would create an intractable environment for small businesses to operate within and would damage our economic potential as a nation. As she made her closing statements, Chairwoman Watson asked each of the witnesses to submit additional written input on several topics that the Subcommittee would like to hear from us on. There is a clear openness toward, and willingness to work with, both Federal agencies and the private sector in addressing this critical issue.
Following the conclusion of the hearing, I had the opportunity to personally thank Chairwoman Watson for her kindness toward my daughter and for calling this Hearing.
Thanking Chairwoman Watson following the closing of the Hearing.
I also had the opportunity to formally meet Vivek Kundra. I wanted to take the opportunity to properly introduce myself and wish him well; if you read my blog post about his appointment, you know I am very excited about the elevation of the importance of IT within the Obama Administration. I hope that these developments will become permanent fixtures within our government, which I am sure they will be.
Talking with Vivek Kundra following the Hearing.
And while Mr. Kundra's presence at the hearing was considered to be the main attraction, my daughter Hannah took on her own rock star appeal after her introduction from the Chair, as Mr. Kundra was very excited to meet her.
Vivek Kundra, Federal CIO, talking with me and my daughter, Hannah Shoer.
After the hearing I was also interviewed by a reporter covering the hearing for Federal Computer Week. If I see the article, I will post a link to it in this blog. After a long few hours, we left the Hearing Room and received our second nice surprise of the day, courtesy of CompTIA, when we were brought to the office of Congresswoman Carol Shea-Porter, D-NH, where a staff intern from Exeter, NH escorted us on a private tour of the Capitol. We were able to observe both the House and the Senate from the Galleries and were quite lucky to see the Senate enact the credit card reform legislation, which was passed yesterday.
After this, I worked from the CompTIA office for the rest of the day until our flight home in the evening.