Controversial Security Group Shut Down

Concerns that its dues and meeting structure created the perception that select companies could buy access to federal officials doomed the Chief Information Security Officer Exchange.

The fledgling Chief Information Security Officer Exchange—a public-private partnership aimed at improving government IT security—was shut down last week over concerns that its dues and meeting structure created the perception that select companies could buy access to federal officials.

Rep. Tom Davis, R-Va., and the federal CIO Council, which co-chaired the initiative, withdrew their support. Computer Sciences Corp. and NetSec Inc., the companies that had signed on, also withdrew. All parties said they would consider participating in a restructured initiative.

"This has evolved in a way that we are not entirely comfortable with," said David Marin, Davis' deputy staff director. "It's the fact that this entity is charging dues and producing a work product. We envisioned a much more informal gathering."

Davis inaugurated the exchange in February upon unveiling the annual federal computer security report card with an average grade of D+. Steve O'Keefe, president of the public relations company O'Keefe & Company Inc., of Alexandria, Va., served as executive director. The exchange planned to hold four program meetings a year, plus special events, and write an annual report on federal information security priorities and operational issues.

Dan Matthews, vice chairman of the CIO Council, said last week that his group voted to end its participation in the exchange but is interested in establishing an initiative "that is open and accessible to all members of the information technology community in both the government and the private sector."

Earlier this month, CSC, based in El Segundo, Calif., and NetSec, of Herndon, Va., were named as members of the exchange's advisory board, a role that cost each company $75,000 for the year.

The board was to consist of six cabinet-level CIOs or CISOs (chief information security officers) and six industry officials. Other vendors could participate in the exchange by sponsoring events for lower sums. CSC decided to withdraw after ethical concerns were raised.

"Any time there's a question or perception of buying client time, we're not going to be involved," a CSC spokesperson said.

According to O'Keefe, the private-sector funding structure was known from the outset. It is not uncommon, he said, for vendors to pay fees to meet with government officials at conferences, summits and other forums in Washington sponsored by for-profit organizations.

"I don't believe there has ever been any ambiguity that the program was going to be funded by the private sector," O'Keefe said. "There are several for-profit organizations that put on similar events. I sincerely hope that the goals of the exchange go forward in whatever forum there is."

Christopher Yukins, associate professor of government contracts law at The George Washington University Law School, in Washington, said that industry-sponsored events can trigger questions when they are closed to the public and when participation on either the public or private side is limited.

"As you narrow the number of federal officials that are linked directly to those [industry] resources, the chances that the resources could constitute a bribe or gratuity would go up," Yukins said, adding that the rules of government ethics are multilayered and complex. "This unbelievable labyrinth of rules is all about nexus. If it's not a widely attended event, the nexus becomes clearer."

"There aren't very clear lines that have been crossed in this instance," said Amit Yoran, former director of the National Cyber Security Division at the Department of Homeland Security, in Washington. "It seemed to be very similar to a large number of other events and venues. It was mischaracterized or misrepresented by some folks to be unethical."
