US President-elect Barack Obama recently announced that he will appoint the very first national Chief Technology Officer as a part of his administration. It seems a good idea: the yet-to-be-named CTO will be charged with ensuring that the government and all its agencies have the right infrastructure, policies and services in place for the 21st century. Unfortunately, a CTO might not be the best resource to solve the most pressing issue for the Federal IT infrastructure. The problem is not so much a lack of vision, but rather a lack of IT security. What the nation really needs is a chief information security officer.
The Obama campaign has had direct experience with the consequences of weak IT security. Following Mr. Obama's victory in the presidential election, it was revealed that the computers of both the McCain and Obama campaigns had been compromised. Published reports currently indicate that the most likely culprit is "an unknown foreign entity." Though the Obama campaign's online donation records were apparently unscathed, a large number of strategic documents were transferred out of its networks while its network administrators remained unaware. The Obama campaign hired an IT security firm to close the breach and strengthen security; the firm suspected that Russia or China had been behind the attack, hoping to gain intelligence that would provide a stronger hand in negotiations with the winner of the presidential election.
Evidence is mounting that the IT security posture of the US Federal Government itself may be catastrophically weak. The White House's e-mail archive system, for example, was recently penetrated and e-mail messages exchanged between top officials were accessed. In August of 2008, news broke that the FBI had uncovered a break-in to the Federal Emergency Management Agency's phone system, allowing a hacker to make more than US$12,000 worth of calls to foreign countries. This fall it was reported that dozens of Department of Homeland Security computers were compromised and sensitive information was transferred to Chinese Web sites. These are just a few of the publicly known incidents; one can assume that many more have remained secret.
Further, Supervisory Control and Data Acquisition (SCADA) systems, which control the vital infrastructure of industrial operations such as power generation, water treatment, oil and gas pipelines, and a myriad of other major industrial applications, are sometimes connected to the public Internet in one fashion or another to support business demands. In the process, it has been reported, some of these systems have exposed undetected vulnerabilities, or "leaks," to the Internet. In one widely publicized incident occurring in March of this year, the Hatch Nuclear Power Plant in Georgia went through an emergency shutdown as a result of a software update made on the plant's business network, which was improperly linked to the SCADA system. Administrators were aware of the link, but did not realize it was a two-way connection. As a result, a synchronization from the corporate network erased data in the SCADA system, which triggered an alarm that shut down the entire plant. Here we see an illustration of how the line between our nation's physical security and its need for cyber security has blurred.