August 27, 2015
David Stegon was a staff reporter for FedScoop and StateScoop from 2011-2014.
As the chief information officer at the National Reconnaissance Office, Jill Singer works in a top secret environment with the highest security measures, but she still implements open source development where possible.
Singer, who will give a keynote address at the Red Hat Government Symposium on October 23, said her agency uses open source programs like Apache, Tomcat, Subversion, JBoss and more to give the agency a standard environment in which to program.
“There’s a certain attraction to open source when you consider long-term software licensing costs,” Singer said. “If we can find it and use it for free, with support that makes us comfortable and quality that is acceptable, we are happy to save the millions of dollars in licensing agreement payments we might make to a more traditional vendor.”
She continued, “With that said, we make diligent decisions on when to use open source and when to use more traditional products. The decision space isn’t just cost. We look at capabilities, ease of integration, security risk, available skill sets and more when we are assessing our software development requirements.”
Outside of open source, the NRO is working on several large information technology projects.
She said that for a few years the agency has been following an “optimizing information technology” strategic path, a combination of technology, process and culture changes designed to drive efficiency and to improve integration with the Intelligence Community and the Department of Defense.
A big part has been the NRO’s development of its own private cloud. With top secret security requirements, the agency decided against hosting its data with a private vendor and instead built its own internal cloud. Singer said the cloud is simple, yet effective.
“We have a few applications on there and will be adding as time goes forward,” she said. “The goal was to create as safe an environment as possible for our data, and this provides us with exactly what we need.”
Singer said NRO is also focused on a robust applications inventory and assessment process right now as its applications baseline has grown in complexity over the years.
“Our approach is pragmatic and we chunked it into phases: initial collection; detailed collection; analysis and assessment; and ongoing institutionalization,” Singer said. “Through the process, we plan to determine and prioritize whether an application should be virtualized for cloud, retired, migrated to a different platform, or protected as legacy.”
Going forward, Singer said one of her top priorities will be participation and collaboration in the IC’s IT Environment initiative, otherwise known as IC ITE.
“The director of National Intelligence, together with his top IC leaders, made a strategic decision over a year ago to migrate much of our infrastructure IT to a shared services platform. The basic philosophy is for the IC agencies to ‘do in common what’s commonly done,’” she said.
Some of the key components of IC ITE are a common desktop, an IC cloud, common help desk, an applications mall, and optimized network services. NRO is focused on a successful migration path to the shared services.
“Our path has to balance mission needs against fiscal realities within a defined time constraint,” Singer said.
She added that the NRO has thrown its hat in the ring to provide some of the services and will be a happy customer of others. For example, Singer said the NRO’s desktop services will be handled by IC ITE, which will leave her and her team time and resources for other initiatives.
“A second priority for NRO is maturing our IT portfolio management and associated decision processes,” Singer said. “We need to dig into our IT spending across the organization and ensure we have complete transparency in our IT projects, contracts and associated resources. We will focus on corporate accountability and enterprise solutions over sub-optimized local solutions. The portfolio work will help us clearly see where we have gaps.”