Op-ed: Communicating the cybersecurity threat

Hal Snedden is a FedScoop contributor and a cybersecurity policy analyst with PotomacWave Consulting.

Five months ago, on Feb. 12, President Barack Obama spoke to the American people in his State of the Union address about the cybersecurity threat we face from our enemies. Americans were told the electricity for their TVs, their 401(k) retirement savings accounts, and their vacation flights were all vulnerable to being disrupted or compromised by cyberattacks from our adversaries abroad.

Hearing this for the first time in a State of the Union address, most Americans were frightened, although few understood or realized how these threats could materialize into electrical service interruptions, online financial theft or widespread airplane groundings due to airline scheduling system shutdowns.

The public should not be blamed for failing to comprehend the threat. Cybersecurity threats, in general, are a difficult concept to conceptualize. Without an actual event that disrupts critical infrastructure’s essential services described by the president, Americans are left to their imaginations or fictional events depicted in cinema or on television.

This lack of corroborative evidence may explain why the American public has not demanded en masse immediate cybersecurity legislation from Congress or why political partisanship has not been overcome by the urgency to mitigate the threats. Perhaps the urgency for passing legislation was pacified by the president’s cybersecurity executive order, signed into law before the State of the Union. The mandate is serving as a partial solution.

Five months after the president’s speech, we are in a similar position. Americans do not yet grasp the magnitude of the enormous threat to critical infrastructure. This isn’t for lack of warnings. Just recently, The Wall Street Journal reported Iranian-backed hackers had infiltrated the “control system software,” potentially enabling them to “manipulate oil or gas pipelines.” By inference, our enemies could be within striking distance of disrupting far more than our energy infrastructure. Obviously, this is a serious problem that needs our attention.

That we aren’t keenly aware of the threat to critical infrastructure worries some in Congress. Rep. Patrick Meehan, R-Pa., chair of the House subcommittee on cybersecurity, recently stated, “We in Congress, and across the governmental sector, aren’t doing a good enough job of really alerting the citizens in general about the true nature and scope of the threat we face.”

This isn’t to imply Congress and federal departments and agencies aren’t working hard to promote awareness of cybersecurity and communicate the threat. In April, comprehensive cybersecurity legislation was passed by the House dealing with information sharing between critical infrastructure and the government. The legislation stalled in the Senate due to privacy concerns, but we can expect Congress to revisit cybersecurity later this year, once immigration and the sequester are addressed.

Also, federal executive departments and agencies are bringing awareness to cybersecurity. There is a plethora of cybersecurity websites maintained by these government entities that highlight and discuss an array of cyber-based threats from a variety of sources.

If the information is available and we know the threat exists, why has there been so much difficulty in understanding the problem and coming up with a solution? Dorothea Brande, an American writer, famously stated, “A problem clearly stated is a problem half solved.” We can learn from her wisdom.

The challenge will be rethinking government communication strategies and policies to determine why the current message on the threat environment has not been successful in creating a public understanding of its scope and implications. The stakes couldn’t be higher — the security of our critical infrastructure depends on it.

Only a catastrophe would change how US views cybersecurity

Congress hasn’t passed serious legislation on it in 11 years. The federal government is not structurally organized to address it. And the public won’t push for real action until a “Pearl Harbor” type of event.

“Well, that was a little sobering,” said Nigel Ballard, Intel’s director of federal marketing, after hearing these, and other, obstacles the U.S. must face to address cybersecurity. Ballard was moderating a panel discussion on cybersecurity at FedTalks 2013 on June 12, where representatives from the White House, Congress and federal government converged to give their thoughts on how to effectively address cybersecurity.

It will take more than executive action from President Barack Obama, the panelists said. The way the government and the public think about cybersecurity must change, and structural shifts must occur before any real progress can be made.

“You can’t imagine that we will issue a framework and we will be finished and that’s the end of the story,” said Chuck Romine, director of the IT Laboratory at the National Institute of Standards and Technology. “This is going to be an ongoing process, a living document, a living set of standards that must evolve as the threat space evolves.”

Most important, people are taking notice, said Michael Daniel, special assistant to the president and cyber coordinator on the White House’s national security staff.

“Our ability, and the focus we’re seeing on this issue — the kind of focus Congress is putting onto the issue, the fact that it’s moving out of the realm of essentially the techno-geeks and into the boardrooms, into the C-suites and the corporate world and into the realm of the deputy secretary and secretary level within the government — all of those are actually very good trends,” Daniel said.

But there are more than a few hurdles the U.S. must clear before an agile, cogent strategy emerges. Rep. Gerry Connolly, D-Va., called out Congress.

“Congress has passed nothing substantive on cybersecurity since 2002,” he said, referencing the Cybersecurity Enhancement Act of 2002, embedded in the Homeland Security Act, which founded the National Cyber Security Division.

Not that Congress hasn’t made attempts since then. The House has passed numerous bills on the issue in the last two years — including another “enhancement act” to assess cyberthreats to critical infrastructure, and an Internet activity information-sharing bill, CISPA — only to see them die in the Senate. The Senate has made its own attempts, but failed each time to muster enough votes.

Outside Congress, federal agencies have done themselves few favors with a fragmented leadership structure unable to nimbly respond to cyberattacks.

“The federal government is not well organized to meet this threat,” Connolly said. “If you look at the top agencies, we have 250 people called CIO. That means we’re doing this,” Connolly crossed his arms, pointing in two different directions. “No one is quite empowered to be responsible, to make cogent decisions in a timely fashion. The system is designed to make sure that doesn’t happen.”

And the public might not pressure the government to change this structure until “a cyber Pearl Harbor,” Connolly said. “If we do have a cyber Pearl Harbor, where something terrible happens because of this vulnerability, the public reaction is going to be very strong,” he said. “And then federal intervention will be inevitable. We won’t be talking about voluntary standards anymore.”

More than public pressure, though, the federal government needs different paradigms through which to view its cybersecurity approach. Currently, we map military concepts onto our protection of cyberspace. Foreign cyberattacks are akin to foreign nations invading U.S. territory in this analogy, which, to a degree, is relevant. We have a physical military presence dedicated to cyberspace defense. Foreign actors are targeting the U.S. But that shouldn’t necessarily militarize cyberspace itself, Daniel said.

“Mapping our models from the physical realm into cyberspace can be challenging,” he said. “The geography and sovereignty concepts still matter in cyberspace. All those servers and boxes exist somewhere, but concepts like ‘near’ and ‘far’ and ‘the border’ have different meanings.”

In cyberspace, countries have no interior to defend: “We all live at the border,” Daniel said.

That requires new paradigms — or “models,” as Daniel put it — for thinking about how the government responds to cyberattacks. Daniel mentioned two possibilities: the disaster management model and the public health model.

Take natural disasters. The Federal Emergency Management Agency combines weather data from both the public and private sector to forecast the risk of a weather pattern turning into a disaster that would require FEMA to intervene. The organization does not respond to every potentially dangerous weather pattern, or every storm, tornado and hurricane. There is a bar (admittedly, a moving one) to determine whether the risk or severity of an event merits FEMA intervention.

“Do we want the federal government to have something like that in cyberspace, where we can integrate the information from private sector and government and give you a ‘forecast’ for what’s coming?” Daniel asked.

Or consider the way the Centers for Disease Control and Prevention respond to virus outbreaks. The agency determines whether people should be vaccinated, quarantined, and how serious these requirements should be. How contagious is the virus? How fatal is the virus? How available is a potential cure? CDC considers numerous factors to determine its response.

“If you look at how malware spreads, it mimics biological systems if you think about it in terms of inoculation and quarantine and how much do you need to vaccinate,” Daniel said.

Natural disaster responses and public health crisis responses aren’t necessarily the right models to apply to cybersecurity, Daniel said, but they do expand the narrow way the government and public think about cybersecurity.

Chuck Romine mentioned workshops NIST had been holding since the president’s Feb. 12 executive order to both outline the cybersecurity problem for others, and refine its own best practices. It’s exactly what Daniel was encouraging the government to do: change your mindset.

“We don’t have to keep playing that same game,” Daniel said. “We can change how we think about it. One of the basics of security hasn’t changed in 25 years, that’s username and password —” he added, before Connolly cut in. “Not mine,” he said, “you have to know my mother’s maiden … whoops.”

Federal officials reiterate need for public-private partnerships

Panelists discussed how to leverage technology in the federal government, at the 2013 Emerging Technologies Symposium. (Photo: Colby Hochmuth)

Seven men, chief technology officers and special advisers within different government agencies, gathered June 20 to give their unique perspective on emerging technologies.

The Armed Forces Communications & Electronics Association hosted the Emerging Technologies Symposium at the Omni Shoreham Hotel in Washington, D.C., drawing individuals from the public and private sectors to talk tech.

The final panel concluded the day’s talks on big data, cloud computing and cybersecurity, with a discussion on emerging technologies through the eyes of the CTO.

Federal shortcomings, the panel agreed, can be solved through collaboration of the public and private sectors.

Panel moderator Ira Hunt, CIA CTO, said the actions of the federal government could be viewed as “insanity.”

“We do the same thing over and over, and expect different results,” Hunt said. “Isn’t that the definition of insanity?”

Consulting the private sector is especially important at DHS’ Customs and Border Protection, according to Wolf Tombe, CBP CTO.

“We should look to the industry to see what practices are out there and what works,” he said. “And we need to look at innovation and best practices, and see how we can best leverage what’s already been done.”

Terry Pierce, special adviser for disruptive innovations at DHS’ Center of Innovation, also said government outreach to industry is already happening, and that it is one reason why events such as the Emerging Technologies Symposium are so important.

The panelists also discussed big data and how it can be used to the government’s advantage.

“The global Internet desperately needs a clean in its hygiene,” said Richard Struse, chief advanced technology officer at DHS. “By leveraging the global sensor network, we’ll be able to share information at machine speed, and be able to eliminate some of that extra noise.”

The panel admitted there is a long way to go, and Air Force CTO Frank Konieczny joked, “We all know government isn’t particularly good at adapting to change.”

FedWire: FedTalks highlights, Army turns 238 and GSA’s green-tech testing

FedWire is FedScoop’s afternoon roundup of news and notes from the federal IT community. Send your links and videos to tips@fedscoop.com.

Missed FedTalks 2013? Here’s a Storify with event highlights.

GSA teams with utility companies to test money-saving technology.

Happy birthday, U.S. Army!

Curious how the House spends its money? New database reveals just that.

A peek at USDA’s mobile program.

VA hires 1600+ mental health professionals.

Time management at 40,000 feet.

Basic open government rules.

Undersecretary of the Army awards the Purple Heart medal.

Teri Takai’s challenges are ‘just like yours’

Most might assume the Defense Department’s chief information officer’s daily struggles differ significantly from other IT professionals’ obstacles. Everyone — except Teri Takai.

“The leadership and transformation challenges that I have are not very different than your day-to-day challenges,” Takai told the audience at FedTalks 2013 on June 12. “Mine are just on a bit of a larger scale.”

A larger scale means having responsibility for 3.3 million people at 6,000 different locations on your shoulders. As DOD CIO, Takai is challenged with ensuring everyone at these locations has connectivity and access to technology.

DOD manages about 40 percent of the technology funds laid out in the federal budget, and the projection for the 2014 fiscal year budget is $39 billion for technology.

However, it’s not just her U.S. employees or billions of dollars she has to worry about; Takai has to make sure the technologies her employees are using are compatible with those of the countries working with the U.S.

“As we move out of Afghanistan and begin to shift our troops toward the Pacific, I have to think about this new set of countries and how we’ll connect with them,” Takai said.

Takai also has to make sure DOD is staying up to date with technology, something it has been grappling with. Currently, it takes the department 80 months to bring in new technology.

“New technology is coming in faster than we are able to certify and distribute the technology we currently have,” Takai said.

Moving forward, Takai said one of her main focuses is to create a strong and clear strategy for DOD. With more than 25,000 IT personnel, crystallized goals are essential for the department.

“We spend a lot of our time putting out strategies, not complex, but strategies that lay out the initiatives our organization needs to focus on,” Takai said. “Being clear on what I believe are the objectives for the organization is very important.”

And like so many industry and government leaders, Takai has to figure out how she can use emerging technologies to better her organization.

“Big data is going to be so critically important to us,” she said. “That combined with the cloud structure is going to be critical in moving forward.”

VanRoekel: ‘Billions of dollars waiting for us’

“There are billions of dollars waiting for us,” U.S. Chief Information Officer Steven VanRoekel said of the savings available to federal departments and agencies through efficiency efforts currently being undertaken by the White House.

That money, VanRoekel said, can be used to reinvest in new technologies.

“There is a massive amount of capital infusion out there for us to play with if we can capture it,” VanRoekel said June 12 in giving the closing keynote address to FedTalks 2013 at the Mead Center for American Theater in Washington, D.C.

VanRoekel pointed to the Agriculture Department as a leader in this movement. The department consolidated from 21 email systems to one and cut its mobile contracts from more than 1,000 to just a few blanket purchase agreements.

While simple, those types of changes can save the federal government billions over the long term and – along with his cut-and-invest strategy – can put more money in the hands of innovators.

“Tough economic times call for innovation,” VanRoekel said, noting more than half of the nation’s Fortune 100 companies – including IBM, Microsoft and Procter & Gamble – were founded during an economic downturn. He said the federal government is in a similar situation now, with funding issues creating opportunities to innovate.

VanRoekel pointed to things such as the federal strategic sourcing initiative, efforts to create a more mobile workforce, grant reform and PortfolioStat as examples of what the White House is trying to do to spur along this innovation.

“There are great opportunities,” VanRoekel said, “especially for the vendor community. No longer do we want to spend money on maintaining outdated and bloated systems, but want to put our resources toward innovation. For the vendors that are on the cutting edge of technology, this should be great news.”

IT leaders converge for FedTalks 2013

FedTalks 2013 (Photo: FedScoop)

Cyber, cloud, sequestration and a man who pretended to be a pilot.

That was the scene Wednesday as more than 800 leaders from government and industry joined FedScoop for FedTalks 2013 at the Mead Center for American Theater in Washington, D.C., for a deep discussion of technology in the federal government.

The event also featured an impassioned keynote address from Frank Abagnale, the subject of the movie, “Catch Me if You Can,” who retold the story of his time as a con man posing as a Pan Am pilot. Abagnale now works with the FBI, catching criminals involved in fraudulent check scams.

The event opened with Cristin Dorgelo, assistant director for Grand Challenges in the White House’s Office of Science and Technology Policy, discussing how the Obama administration is trying to engage citizens to address large, modern challenges.

Kimberly Stevenson, vice president of the Information Technology Group and chief information officer of Intel, discussed big data and analytics and how to uncover hidden potential by using them. Primarily, Stevenson discussed how big data and analytics helped the company’s sales.

“We did this by going into our data and seeing which buyers were clicking on what links on our site, and the frequency of that, and figuring out who had the most knowledge or interest in creating a product,” Stevenson said.

Dr. Patrick Dowd, chief technology officer and chief architect at the National Security Agency, discussed innovation in organizations. Then, Francis deSouza, president of products and services at Symantec, talked about the future of cyberthreats.

Teresa Carlson, vice president of worldwide public sector at Amazon Web Services, hosted a women leaders in technology panel with Treasury Department CIO Robyn East, General Services Administration CIO Casey Coleman and Department of Homeland Security Acting CIO Margie Graves.

During that talk, each of the CIOs discussed how industry can best work with them.

“We’re struggling to find efficiencies,” East said. “We have to use what little funding we have to do the best we can as parts of the department are relying on technology to help them become more efficient. We need vendors that can help us find efficiencies or we’re not interested in talking with them.”

Acting GSA Administrator Dan Tangherlini discussed the future of the government and how agencies need to change how they operate to stay current with the times. Hadi Partovi, founder of Code.org, then discussed the need for computer code to be taught and learned, as it will be the language of the future.

Nigel Ballard, Intel’s director of federal marketing, hosted a panel on cybersecurity with Rep. Gerry Connolly, D-Va., Director of NIST’s IT Laboratory Chuck Romine and Michael Daniel, the White House’s cybersecurity coordinator.

During the talk, Romine provided an update on the cybersecurity framework his office is developing as part of President Barack Obama’s cybersecurity executive order.

“We’ve gotten an awesome response from industry,” Romine said. “We are going to host two more workshops and after the next one – which will be held soon in the middle of the country – [we] hope to have a first draft we can share for comment.”

Following Abagnale’s talk, David Muntz, principal deputy national coordinator for the Office of the National Coordinator for Health Information Technology, discussed the latest in electronic health records.

Dan Smoot, senior vice president for global customer operations at VMware, discussed logistics and how IT can help transform that. Following that, Sen. Mark Warner, D-Va., discussed measuring goals to help initiatives get done.

Two industry leaders then took the stage: Deloitte Consulting’s Mark White, who discussed how to put technology to business use, and CA Technologies’ John Borghard, who talked about disruptive trends in IT.

Defense Department CIO Teri Takai spoke on her challenges and opportunities with DOD, saying at one point she had “the best vendors in the world” working for her.

Steve Felice, president and chief commercial officer of Dell, discussed innovating government for the 21st century, and then SAP’s Mike Lennon hosted a fireside chat on Army enterprise transformation with the Army’s Kathleen Miller and Kristyn Jones.

“There is a linkage between what’s going on in government and how we create jobs, and it really comes from innovation,” Felice said.

U.S. CIO Steven VanRoekel closed the presentation part of the event by talking about the White House’s initiatives in big data.

Inside NSA’s data protection, cloud strategy

Dr. Patrick Dowd, chief technology officer and chief architect, National Security Agency (Photo: FedScoop)

After recent leaks exposed the more clandestine side of the National Security Agency, the agency’s chief technology officer remained committed to open source, cloud-based software as the best way to consolidate NSA’s servers, save money and protect its systems from cyberthreats.

Speaking at FedTalks 2013 on June 12, NSA CTO and chief architect Dr. Patrick Dowd said the development of the government’s infrastructure has left everyone in a tough spot. Government organizations are highly diffuse, with siloed “enclaves” and numerous domains. Any patient hacker will eventually find a way in. And it might get worse before it gets better, he said.

But Dowd believes NSA is taking effective steps — using smart data, data tagging, public-key infrastructure and other security measures — that will save money, encourage collaboration and help protect critical systems.

“It’s really just a very difficult situation, very complex, and it’s expensive because of how many people have to manage it,” he said. “The fact that I manage one enclave and you manage another enclave, who’s to say that we actually synch up and that our policies are consistent?”

Indeed, policies are often not consistent, discouraging collaboration. The solution for NSA — and other agencies, in Dowd’s opinion — is server consolidation, which “breaks down barriers and facilitates collaboration,” Dowd said. “And it actually reduces operating expenses.”

NSA is encouraging server consolidation through privacy measures and migration to the cloud. At NSA, this begins with smart data — basically layering security measures onto data, so if any single point of the system is compromised, the whole will not fall.

Hackers are “not going to be able to penetrate it, and not be able to actually do anything,” Dowd said.

Those accessing NSA data receive a unique, personal encryption key they can use to encrypt data, issued through a public-key infrastructure. That’s the “basic building block” for data security, Dowd said. Then, the agency adds on data tagging — where processes or data accessed “inherit your credentials.” It’s an electronic fingerprint of sorts.

“When that process runs against the data, the only data you’re actually able to see is the data that matches your criteria,” Dowd said. “Why is that a big deal for us? What it allows us to do is reduce the enclave environment.”

This leads to less overhead, more collaboration and more innovation, in Dowd’s opinion. “That is the thing you should take most care to optimize,” he said.

Securing data is only part of the battle, though. Migrating that data to the cloud is also essential for NSA. The agency has broken its cloud migration into three categories: a data cloud (similar to how Google collects data), a storage cloud (a geographically distributed content delivery network), and a utility cloud, built, in part, using OpenStack, an open source software platform. Numerous companies, such as Intel, Dell and Yahoo, have contributed to building OpenStack.

“The goal is to raise the bar, so then when you supplement that with new emerging capabilities that are available commercially, they really do provide value because they don’t have to [protect] the entire landscape,” Dowd said.

And to assess your own organization, Dowd told the crowd, don’t ask the besuited higher-ups.

“Ask the people who report to you, then take them and ask the people that report to them. And go down until you find somebody who doesn’t wear a tie, but wears a t-shirt,” Dowd said, himself wearing a tie. They’ll tell you what’s really going on, he added.

FedTalks 2013: The life of Frank Abagnale

Frank Abagnale gets emails every day telling him he’s a genius. That he’s brilliant. That what he did as a teenager and a young adult, adventures that became the subject of the movie “Catch Me If You Can,” show gifts the average person simply does not possess.

But Abagnale will be the first to say they are wrong.

“Had I been brilliant or a genius, would I have needed to break the law to survive?” said Abagnale in an emotional keynote address Wednesday at FedTalks 2013. “What I did was immoral, illegal, unethical and a burden I live with.”

Abagnale’s story has been told many times in many ways – first as a book, then the movie starring Leonardo DiCaprio and Tom Hanks, and even a Tony-winning Broadway musical – chronicling his time as a con man following his parents’ divorce, pretending to be a Pan-Am pilot and traveling the world writing fraudulent checks.

He was eventually caught.

“I always knew I’d be caught,” Abagnale told the audience. He served time in prisons in France and Sweden before being extradited to the United States. It was back home when, as part of his parole, he began helping the FBI catch criminals similar to himself.

“I owe my country 800 times what I could ever give them,” said Abagnale, who continues to work with the FBI more than 26 years after the terms of his release dictated. “I’m lucky to be in a place where you can get a second chance.”

He never received any money for the book or movie as part of his agreement with the federal government and has turned down three presidential pardons. His reasoning: “A piece of paper cannot forgive me for the things that I did.”

Abagnale now lives in Charleston, S.C., with his wife with whom he has three sons. Despite his storied adventures and time helping the federal government catch criminals, his lasting message was to the men in the audience – that being a good husband and raising a child is the greatest achievement of all.

“The measure of a man is not on achievements or skills or degrees, but someone who is there for his children,” said Abagnale, who told the story of his father who each night kissed his four children before they fell asleep and told each he loved them.

“He never missed a night,” Abagnale said, “and even if I fell asleep before he came in I know he did while I was asleep … Children need their mother and their father. Never underestimate the power divorce can have on children as they now have a burden they must carry the rest of their life.”

He also thanked his wife for his turnaround: “I could tell you that prison reformed me, but it was the love of my wife,” a woman he met while working undercover for the FBI.

“God gave me a wife and she gave me three beautiful children,” Abagnale said. “It was she and she alone that saved me. It was because of the love of a woman and the respect I have for her that makes my life great. We were able to raise our children, which is the most important thing because – the parents out there know – the last thing you think about before you go to sleep is your children. That’s the most important thing.”

FedTalks 2013: Tangherlini wants GSA to be a transformative leader

Dan Tangherlini, acting administrator of the General Services Administration, wants his agency to be a leader in transformation that serves as a guide for the rest of the federal government.

Speaking Wednesday at FedTalks 2013 at the Mead Center for American Theater in Washington, D.C., Tangherlini said the federal government needs to break down its walls – both literally and figuratively – to adapt itself for the future.

“We need to chip away at the silos that separate us,” Tangherlini said.

Tangherlini pointed to GSA’s recent overhaul of its F Street headquarters, which it moved back into a few weeks ago. He said that move was the impetus for GSA migrating much of its information to the cloud to help it become a more streamlined organization, especially as the amount of data dramatically increases.

“We’re inventing new words to describe the size of the data we’re creating,” said Tangherlini, who mentioned the amount of mobile data increased 70 percent just from 2011 to 2012.

“The thing is that increase in data is speeding up as more people are collaborating, and we’re finding new ways to collect it,” he said. “In government, we need to find ways to harness that movement to change the way people work in government and interact with it.”

Tangherlini said GSA is trying to do this by changing how it interacts with others, pointing to projects such as Challenge.gov, where federal agencies can post contests to help solve problems collectively. One example from GSA is the “Great Idea Hunt,” where the agency asked employees for ideas and received more than 600, along with 20,000 comments.

“There are lots of opportunities to change how we think,” Tangherlini said.