Acceptable Risk

Jan 15, 2002

"I want every state employee to have access to the Internet."

So went Secretary of State Colin Powell's battle cry for improving the morale and efficiency of his troops upon taking office in early 2001. It may seem like a retro goal for the year 2002, but the U.S. Department of State has always had one good excuse for not having cutting-edge technology: security. In the late 1990s, the department's OpenNet platform gave 30,000 users around the world access to a department intranet and e-mail but not to the Internet. The department was following a strict policy of risk avoidance, but now officials say it's time for a change.

"Risk avoidance is to stick your head in the sand and say, 'We'll be safe if we never use the Internet,'" says State Department CIO Fernando Burbano. "We're doing risk management now. We know how to add the additional security and how to tighten things up." That means penetration testing in which white-hat hackers (the good guys) look for holes in the system. It also means that users won't have all the risky bells and whistles most businesspeople enjoy, such as the ability to run ActiveX and JavaScript on their Web browsers.

Thanks to the $110 million that Powell has earmarked to fund Internet access, users will no longer have to jostle for Internet time on standalone computers. Instead of shuttling between three computers, they'll use only two: one for classified information, and another for unclassified and "sensitive but unclassified" information. (Well, sort of. Many users have one monitor and keyboard and use an electronic switch to toggle between classified and unclassified CPUs. The classified hard drive is removed and locked in a safe while not in use.)

Burbano says that by adding on to the OpenNet platform rather than supporting a third computer for every user, the department slashed its price per seat from $5,400 to less than $1,000.

The attitude adjustment from one of risk avoidance to risk management will be a big leap for some, especially considering the newly urgent threat of cyberterrorism, plus the department's history of embarrassing security lapses. In 2000, the State Department had to remove from its systems software written by a citizen of the former Soviet Union, and a laptop containing classified information disappeared from headquarters.

In spite of the danger and spotty track record, security experts say the department needs to start dealing with security issues rather than just trying to avoid them. "State needs Internet connectivity with the world to do its job effectively," says Dorothy Denning, author of Information Warfare and Security and a professor of computer science at Georgetown University. "You can't be a participant in today's society without opening yourself up to security risks."