Speakers Air Concerns about Security Risks, Lagging Management Reforms as Budget Committee Reviews Progress in Implementing Information Technology Strategy

Seventy-second Session,

47th Meeting (AM)

GA/AB/4286

20 June 2018

Delegates in the Fifth Committee (Administrative and Budgetary) today aired their concerns about the security risks and lagging management reforms that persist throughout the Organization’s Information and Communications Technology (ICT) system more than two years since the Secretary-General began carrying out a five-year plan to modernize the vast network.

Egypt’s delegate, speaking on behalf of the “Group of 77” developing countries and China, said the Group was troubled by the information security risks generated by the system’s continuing high number of legacy applications systems and websites. The Group also sought more information on ongoing measures to protect the confidentiality of data uploaded to Umoja, since the management of the core infrastructure of Umoja — the Organization’s enterprise resource planning system — had been outsourced to a commercial vendor.

Regarding management issues, the Group wanted to understand why policies to delegate authority and designate staff members carrying out significant ICT functions had not been delivered and why performance measures for senior managers’ compacts, related to the execution of ICT strategy, were not specific. The Group also urged the Secretary-General to address the low implementation rate of recommendations made by the Board of Auditors on ICT strategy.

The United States representative shared the concerns of the Advisory Committee on Administrative and Budgetary Questions (ACABQ) that compliance in carrying out ICT strategy remained a challenge throughout the Secretariat. He agreed that greater coordination and cooperation across the Secretariat, perhaps even throughout the United Nations system, was essential to make the ICT system most effective and efficient.

Regarding the management of the Organization’s enormous ICT system, he supported the Secretary-General’s proposal to create a single office of Information and Communications Technology, stressing that a single entity with a holistic approach would enhance the delivery of technology services to its client base. “My delegation remains dedicated to fully bring the UN into the twenty-first century and achieving transformational reform and cost containment,” he said.

Introducing the Secretary-General’s report on the status of implementing the strategy, Salem Avan, Director at the Global Services Division and Officer-in-Charge of the Office of Information and Communications Technology, said significant progress had been made since the strategy was endorsed at the beginning of 2015, and spending had been reduced by approximately $100 million.

To address the threat of cyber-attacks, the Office had taken numerous actions, including the development of an ICT security road map that had developed more secure enterprise systems and applications in the Secretariat, he said. A “Digital Blue Helmets” team had been established to help protect the United Nations from cyber threats and to promote cybersecurity.

“We are confident that the direction we are moving in will enable transformation that promotes innovation and a data-driven approach at all levels,” he said, adding: “I urge the Committee to consider that the progress made in the first three years of a five-year strategy indicates that the long-term goal of coherent, reliable and efficient ICT in the UN is achievable,” he said.

Anand M. Bajan, Director of External Audit and Chair of the Audit Operations Committee, Board of Auditors, introduced the Secretary-General’s note transmitting the Board’s first annual progress report, which was issued in July 2017 and covered the implementation of the ICT strategy during 2015 and 2016.

The Board’s report included concerns on management, the implementation of the ICT strategy and the lack of resources for the implementation of training programmes, he said. In addition, network security, the classification of information assets and the mandatory implementation of minimum requirements for public websites were concerning. It noted that of the 23 recommendations made in the Board’s previous reports, two had been fully implemented and 21 per cent were under implementation.

Carlos Ruiz Massieu, Chair of the Advisory Committee, introduced its related report and said progress had slowed in several areas during the reporting period, including the implementation of the remaining strategic ICT projects, and in defragmenting and consolidating ICT capacities. Regarding information security, the Advisory Committee welcomed the implementation of the 10-point information security action plan. Yet it remained concerned by the slow progress in reducing the fragmentation of the Organization’s ICT landscape, which had increased the threat level facing the Secretariat.

The Advisory Committee emphasized the need to address continued weaknesses in ICT governance and accountability, he said, and reiterated that the cooperation of managers was critical for the strategy’s success, as were specific performance measures in the senior managers’ compacts that would allow assessment of their performance in managing ICT activities. He added that the Advisory Committee had asked the Board of Auditors to conduct a comprehensive inventory of ICT capacities across the Secretariat to serve as a baseline of the current situation, from which to measure future progress and trends.

The Fifth Committee will meet again at a date and time to be announced in the Journal.

Information and Communications Technology Strategy for the United Nations

SALEM AVAN, Director at the Global Services Division and Officer-in-Charge of the Office of Information and Communications Technologies, introduced the Secretary-General’s report on the status of implementation of the information and communications technology (ICT) strategy for the United Nations (document A/72/755/Rev.1). Since the endorsement of the strategy at the beginning of 2015, significant progress had been made in its implementation, he said, adding that spending had been reduced by approximately $100 million, with annual costs streamlined, thus creating efficiencies in ICT services and allowing for investments to become more focused.

A new email system had been deployed globally, providing efficiencies in the management of email, while enforcing uniform security policies and facilitating improved collaboration globally, he said. The Enterprise Application Centres had reduced the number of applications from 2,340 in 2014 to 1,220 in 2017. They had also worked to provide technical solutions to support the prevention of sexual exploitation and abuse across several areas. The Enterprise Application Centre in Vienna, for example, had developed software products which were currently being used by dozens of Member States to fight organized crime, money laundering and narcotics trafficking.

Inspira had been enhanced to include new functionalities to support offer management, the Secretariat mobility programme, post management and reference checking, he continued. The Unite Service Desk provided global, round-the-clock support for Umoja and other enterprise applications. Resolution time for all support requests decreased by some 66 per cent with more than 108,000 calls received in 2017. A single global network for one United Nations had been established by interconnecting 594 United Nations locations.

With cyber-attacks emerging as a significant threat to the United Nations and its work, the ICT security road map had resulted in more secure enterprise systems and applications in the Secretariat, he said. A mandatory computer-based information security awareness course had been developed and more than 80 per cent of Secretariat users had completed it by December 2017. Moreover, the “Digital Blue Helmets” team had been established to help protect the United Nations from cyberthreats and to promote cybersecurity. The ICT Office had developed 150 business intelligence reports in all administrative areas and 50 dashboards covering administrative as well as substantive areas.

The approved ICT resources for 2018-2019 were $381.3 million, the same amount as for 2016-2017, he said. ICT resources for peacekeeping had decreased from $851.9 million for 2016-2017 to an estimated $747.9 million for the 2018-2019 biennium. The extrabudgetary resources had decreased from $184.9 million for 2016-2017 to an estimated $181.5 million for 2018-2019. Similarly, it was estimated that ICT personnel globally had dropped from 3,387 in 2015 to an estimated 2,950 by the end of 2018.

ANAND M BAJAJ, Director of External Audit and Chair of the Audit Operations Committee, Board of Auditors, introduced the Secretary-General’s note (document A/72/151) transmitting the Board’s first annual progress report, issued in July 2017, on the implementation of the ICT strategy during 2015 and 2016. Discussing its key findings, he said that the Secretary-General’s bulletin defining the organization, roles and functions of the ICT Office was issued in September 2016, almost two years after the five-year strategy period commenced. The delegation of authority and designation of staff members performing significant functions in the ICT Office had yet to be issued as of February 2017. The provision in the senior managers’ compact regarding implementation of the strategy was subjective and generic in nature and did not facilitate an objective assessment of their performance in implementing the ICT strategy. Departments had yet to align their business plans with the strategy and they continued to run their own ICT units.

Project monitoring involved continuous tracking of physical and financial progress to control time and cost overruns and execute the project in an economic, efficient and effective manner, he said. However, the reports on the status of implementation of the strategy presented the project timelines and the physical progress achieved in terms of percentage completion but did not provide details of project cost and financial progress achieved against each of the 20 strategic projects. Policies on such important subjects as information security, disaster recovery, cloud computing, minimum security for websites, video conferencing, mobile devices, email services and remote access remained to be promulgated or revised. Moreover, the self-regulatory policy compliance function indicated in the first and second reports on the status of implementation had not been fully implemented due to lack of resources.

Though training programmes had been developed, they could not be implemented due to lack of resources, he said, adding that the funds provided for substantive and technical ICT skills training were less than 5 per cent of what was required. While the strategic project for information security had been implemented in 60 per cent of the Secretariat in 2015, in 2016 that figure fell to 5 per cent. Low progress had been achieved in network security, classification of information assets and mandatory implementation of minimum requirements of public websites. Despite the strategy emphasizing that the ICT Office would oversee and monitor ICT investments to enable more informed decision-making and holistic reporting of global costs, that Office’s involvement in procurements had been limited.

The strategy required negotiating contract discounts using global purchasing volumes of hardware and software licenses, he said. Although the Secretary-General’s reports on the status of implementation also reported that the Organization negotiated discounts in the areas of infrastructure, externally acquired licenses and related ICT services, the ICT Office had not carried out any analysis of discounts obtained so far through global sourcing. The progress of defragmentation and consolidation of ICT resources was slow with only 3 of 70 ICT units having been consolidated as of January 2017. Further, of the 23 recommendations made in the Board’s previous reports (documents A/67/651 and A/70/581), two recommendations had been fully implemented and 21 per cent were under implementation.

CARLOS RUIZ MASSIEU, Chair of the Advisory Committee on Administrative and Budgetary Questions (ACABQ), introducing its corresponding report on the status of implementing the ICT strategy (document A/72/7/Add.51), regretted that progress had slowed in several areas during the reporting period, including in the implementation of the remaining strategic ICT projects, and in defragmenting and consolidating ICT capacities. Regarding information security, the Advisory Committee welcomed the implementation of the 10-point information security action plan, but remained concerned about the slow progress in reducing the fragmentation of the ICT landscape of the United Nations, which resulted in an increase in the threat level facing the Secretariat.

Concerning application management, he said the Advisory Committee looked forward to receiving further information on the outcome of the study under way to address the proliferation of applications and develop a strategy to manage the Secretariat’s portfolio of applications. Such a strategy should be based on clear Secretariat-wide application development policies and guidelines that clarify the functions and arrears that were covered centrally by the Enterprise Application Centres and those that could be addressed at the local level.

“With regard to these issues, the Advisory Committee emphasizes the need to address continued weaknesses in ICT governance and accountability,” he said, reiterating that “all Secretariat entities must fully comply with all the provisions of General Assembly 69/262 and the Secretary-General’s bulletin on the organization of OICT.” Cooperation of managers was critical for the successful implementation of the ICT strategy, as were specific performance measures in the senior managers’ compacts that would allow assessment of their performance in managing ICT activities. The Advisory Committee had asked the Board of Auditors to conduct a comprehensive inventory of ICT capacities across the Secretariat to serve as a baseline of the current situation, from which to measure future progress and trends.

MOHAMED FOUAD AHMED (Egypt), speaking on behalf of the “Group of 77” and China, said the Group had always supported initiatives to improve the effectiveness, efficiency, transparency, credibility and accountable of the Organization and the ICT strategy was a key step toward these objectives. During the upcoming informal consultations, the Group wanted to understand why policies for the delegation of authority and designation of staff members performing significant ICT functions had not been issued and why performance measures in senior managers’ compacts related to the implementation of the ICT strategy were not specific, especially as that was an area where clear and objective performance measures could be articulated to improve assessment and the achievement of benchmarks. The Group also wanted to know why annual ICT work plans by Secretariat entities had not been prepared in a consistent way across the Organization. The Group urged the Secretary-General to address the low implementation rate of the recommendations made by the Board of Auditors regarding ICT strategy. It expected the outstanding recommendations would be implemented without further delay.

Regarding substantive issues, the Group acknowledged that a previous Board of Auditors report had identified certain limitations of the ICT strategy, including insufficient recognition for peacekeeping activities. “This last area accounts for some 75 per cent of overall ICT expenditures. We look forward to a discussion of how to address these gaps,” he said. The Group also was concerned about the continuing high number of legacy applications systems and websites that present information security risks. Turning to Umoja, the Group noted that the management of the core infrastructure of the enterprise resource planning system had been outsourced to a commercial vendor and it wanted additional information on measures taken to ensure protection and confidentiality of the data uploaded to Umoja. Regarding procurement, the Group looked forward to additional analysis and comparison on the cost savings and economies of scale that could be achieved to procure equipment and services through systems contracts.

Stressing that the Group remained very concerned with the late introduction and consideration for agenda items during a session traditionally devoted to the complex subject of United Nations peacekeeping, he said that should be the exception not the norm.

BRIAN THOMAS CONROY (United States) shared the concerns expressed by the Advisory Committee that Secretariat-wide compliance on carrying out ICT strategy remained a challenge and believed that an increased level of coordination and cooperation across the Secretariat, perhaps even the United Nations system, was essential for achieving maximum effectiveness and efficiency. He looked forward to the next ICT progress report and detailed updates for all Secretariat entities on the progress being made on implementation. He also noted the important proposal on management reform now before the Fifth Committee. The Secretary-General had proposed to establish a single ICT office through the consolidation of the existing Office of Information and Communications Technology in the Department of Management and the ICT Division in the Department of Field Support. Since ICT was a cross-cutting function that underpinned the Organization’s core mandates and activities, a single entity with a holistic approach would enhance the delivery of ICT services to its client base. “My delegation remains dedicated to fully bring the UN into the twenty-first century and achieving transformational reform and cost containment,” he said.

MICHEL TOMMO MONTHE (Cameroon), Chairman of the Fifth Committee, urged the delegates to work together to conclude their negotiations and wrap up the resumed session. He stressed the importance of communications technology to the Organization’s consistent and smooth operation. In that area, the Fifth Committee needed to analyse four points: the coordination of managing the ICT system; business security; business continuity; and business recovery after a disaster. He noted that one critical consideration was that the peacekeepers were waiting for the Fifth Committee to deliver on recommendations for the budgets of peacekeeping missions. “The eyes of the peacekeepers can be a critical factor that would help us organize ourselves,” he added.