A Public Sector Communications eMagazine

FEDERAL EXECUTIVE FORUM PRODUCED BY THE TREZZA MEDIA GROUP


IT Security

May 30, 2006

 


Panelists

· Glenn Schlarman, Chief, Information Policy and Technology Branch, OMB

· Scott Charbo, Chief Information Officer, Department of Homeland Security

· Tom Wiesner, Deputy Chief Information Officer, Department of Labor

· Bob Lentz, Director of Information Assurance, Department of Defense

· Dr. Don Goff, Professor and Executive Director of the Security Studies Laboratory, University of Maryland University College

· Mike Gibbons, Vice President of Enterprise Security Services, Unisys Corporation

· Mike Rau, Vice President of Worldwide Enterprise Technical Sales Strategy, Cisco Systems


TRANSCRIPT




 

ROLE IN IT SECURITY


JIM FLYZIK, THE FLYZIK GROUP

 

Welcome. During today’s show we will discuss critical issues facing government and industry leaders in the field of information technology security. With me today on the show are Glenn Schlarman, the Chief of OMB’s Information Policy and Technology Branch, Scott Charbo,  the Chief Information Officer, Department of Homeland Security, Tom Wiesner, the Deputy Chief Information Officer, Department of Labor, Bob Lentz, Director of Information Assurance, Department of Defense, Mike Gibbons, Vice President of Enterprise Security Services at Unisys Corporation, Mike Rau, the Vice President of Worldwide Enterprise Technical Sales Strategy at Cisco Systems, and Dr. Don Goff, Professor and Executive Director of the Security Studies Laboratory at the University of Maryland, University College.
 

Let’s get right into today’s show and right into the issues. I’m going to start off by asking each of our panelists to tell the audience a little bit about their roles in IT security in their respective agency or organization, and perhaps some of the priorities in this area. Let’s start with Scott Charbo, the Chief Information Officer at the Department of Homeland Security. Scott?

 

SCOTT CHARBO, DHS

 

Thank you, good to be here, appreciate it. The CIO at the Department of Agriculture owns the policies and accountability for certifying and accrediting the systems within the department. So we have an ongoing project right now to certify all of our systems by the end of this year. We started off in October, Secretary Chertoff kicked that project off and documented a number of systems and put an inventory baseline together and we are charging forward.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Sounds great. We look forward to getting that done. Mike Gibbons, how about over at Unisys, what is your role in the security field there?

 

MIKE GIBBONS, UNISYS

 

Well my role as an integrator is to help provide a lot of those services such as certifying and accrediting systems at the Department of Homeland Security and a number of other federal agencies. But what’s interesting to me is, in the same way that FISMA forced US government agencies to think about security, within our own corporation now, we are actually doing some data privacy impact assessments because of a lot of the things appearing in the headlines today.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Bob Lentz over at DOD. I would guess that this issue is a major priority over at DOD. Can you give us an idea of your role there?

 

BOB LENTZ, DEPARTMENT OF DEFENSE

 

Certainly. I’m the Chief Information Assurance Officer working directly for the Chief Information Officer at DOD. I’m responsible for the strategies, for the architecture, for the policies, as well as the resource and acquisition management and compliance across the Department of Defense.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Great. Mike, how about over at Cisco? What is your role there and what are your priorities around this issue of IT security?

 

MIKE RAU, CISCO

 

My responsibility at Cisco is to look at our solutions and architectures we take to market across our product portfolios for enterprise and federal market space. Obviously the integration of security services into our product portfolio is one of the key top requirements for our customers and so my role is to locate customer requirements, feed them into the development organization, and make sure that we are meeting not only short term but long term needs for security.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Thanks, Mike. Tom Wiesner, over at the Department of Labor. Tell us about your role there in cyber security issues.

 

TOM WIESNER, LABOR

 

Thanks for having me on the show. Along with the CIO, we are responsible for the security program, protecting the assets, the information at the Department of Labor, all our stakeholders where the information resides. We actually establish the policies for the department following (next phrase not clear) the guidelines from OMB direction. One of our big challenges moving forward is implementing AS 853 and finding all the security controls associated with that.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Great. Dr. Goff, over at the University of Maryland, University College, what is your role over there around cyber security and IT security?

 

DR. DON GOFF, UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE

 

Thanks Jim. We have two interests. First is the operational integrity of the networks that support the university. We do a great deal online and we are globally distributed with many locations in Europe and Asia. So we have an ongoing operational need for IT security, and with databases containing student names and things like that we pay careful attention.

 

Personally, I am a professor of information technology and information assurance and run a lab on security studies so that we can bring the high-end solutions to the working adult students that we have, many of whom are employed on our campuses.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Great. I like the model here, we have industry, government and academia all working together towards common goals. Glenn Schlarman over at OMB I know that this is a major priority. You have to look out and have that government wide responsibility. Maybe you can talk about your role and your branch and the priorities that you have.

 

GLENN SCHLARMAN, OMB

 

Certainly Jim. Our job here at OMB is information policy, including security, privacy, information access and dissemination. So we look at this as an integrated program and primarily we are in the area of security for the non national security part of the government. To drive a more consistent understanding and implementation of the security controls necessary to protect the sensitive information that every agency has.


WHO IS RESPONSIBLE FOR SECURITY?

 

JIM FLYZIK, THE FLYZIK GROUP

 

Thanks Glenn. I’d like to explore a little bit the organization structure and where the security functions sometimes reside. I know over the years it’s been an evolutionary thing, we’ve had CIOs and Chief Security Officers and we have the issues of physical and HR security and so forth and I know the position has been moved around. If you look at the history of this thing, where the function resides and who is responsible for this has changed.

 

So I am curious and I think our audience may be too on talking today about where we are on this particular matter. Let’s start with Labor, Tom, tell us a little bit about where the Chief Information Officer functions, where the Chief Security Officer, do you have one? And perhaps is that linked up with HR security and physical security in any means?

 

TOM WIESNER, LABOR

 

At Labor the security responsibility is clearly in the hands of the CIO in terms of the accountability and responsibility for the security program. We do have a Chief Information Security Officer at the Department of Labor at the departmental level. She executes all the programs and policies under the CIO, meets frequently with the CIO and myself on the execution of her program and so the CIO is very much in tune with what the CISO is doing on a daily basis.

 

We also benefit from the fact that my CIO is also the Assistant Secretary of Administration and Management section in the Department of Labor and he oversees the human capital offices as well as the physical security offices and so we see a natural blending under his leadership to bring IT security, HR security, and physical security all together under one umbrella. It’s been real apparent over the last year or so as we have tried to implement HSPD-12 where IT, physical security, HR, all are playing a role in that program and it works quite well at Labor along with the assistant secretary.

 

JIM FLYZIK, THE FLYZIK GROUP

 

I would think that having that centralized leadership helps quite a bit. Let’s go over to Scott Charbo over at Homeland Security. Scott, Homeland is such a complex organization and it’s been evolving over the last several years and the structure has been evolving. How about the issues of information security, physical security and HR security? Is that coordinated within the department? Who plays the respective roles in that critical area?

 

SCOTT CHARBO, DHS

 

Well our structure is similar to Labor in terms of the CISO reporting to the CIO and owning those procedures and the accountability of getting the projects done. We work really closely with our security officer for the physical. We have a classified mission as well so we work closely with them, they own some of those policies and we coordinate with them as well as our Chief Human Capital Officer. Collectively we all are under the Undersecretary for Management. So that’s a structure that works well along with a CFO that can push policies, budgeting, etc forward, it works well.

 

JIM FLYZIK, THE FLYZIK GROUP

 

And you have the centralized leadership there as well. Bob how about over at DOD, with these respective roles around the security issue which seem to always be evolving and changing. Can you give us an idea of how it sits over at the Department of Defense?

 

BOB LENTZ, DEPARTMENT OF DEFENSE

 

Sure Jim. The Department of Defense being a fairly large organization, first of all our Chief Information Assurance Officer sits at the top of the leadership chain at DOD so Mr. Grimes looks over the entire organization with his peers to make sure that security and information assurance is always given the highest priority. From an operational standpoint, one of the things that we have done at DOD recently is we’ve actually appointed a four star who is responsible for defending the DOD network, so he’s actually got the operational responsibility and he has delegated that in large measure to the joint task force in computer network operations.

 

Overall we work across the department in my capacity, information assurance, so that for example for HR issues, as you pointed out Jim, we deal very closely with personnel readiness within the DOD. For instance, one of our top priorities right now is to certify about 80,000 DOD people in information assurance, and so as a result we work very, very closely with personnel readiness in that area.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Great. Very refreshing to hear all the coordination going on. Glenn, before we break here, how about OMB? Do you guys see any particular structures or look at particular roles of structures in the government agencies or is it sort of a case by case basis?

 

GLENN SCHLARMAN, OMB

 

It used to be on a case by case basis, but going back to what Tom said, the Homeland Security Presidential Directive 12 in which the president called for a uniform identification card, physical and logical access for all government employees and contractors, has done an incredible amount to unify across virtually every agency the HR, the personnel security, the physical security and the IT security and I think that this is a trend. We’ve tried for years to do this and now we are actually doing it.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Great to hear. When we come back we will hear from our industry guests and Dr. Goff on this same subject and explore some other subjects such as certification and accreditation and perhaps continuity of operations and planning and other related subject matters, but in the meantime we’ll take a short break.

 

Break


SECURITY JOB GROWTH

 

JIM FLYZIK, THE FLYZIK GROUP

 

Welcome back. We are talking about information technology security with our distinguished panel of guests. I’d like to switch a little bit here and Dr. Goff, at the University of Maryland, University College, how have you seen this issue evolving over the years in terms of trends in the enrollments and classes? Is this a growing field in academia, is this something and are there some trends that you have noticed over there?

 

DR. DON GOFF, UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE

 

Well clearly Jim, there has been dramatic growth in the number of enrollments in recent years in all facets of cyber security. You get students who take courses in policy, things like FISMA and the other alphabet-soup statutory requirements, not the least to mention Sarbanes-Oxley, having to do with privacy rights and data integrity. We get students coming in who are particularly interested in how to do network security, how to do incident response management, and how to do computer forensics, all of which are on the technical side. And what we are seeing in the work force is a dramatic demand for this.

 

The people coming in are mostly nontraditional students, working adults who have either gotten into the IT field after an undergraduate experience in a different discipline and who are trying to augment, or who are trying to make career breaks so that they can get into information assurance and cyber security at this point, and the demand seems to be quite high. The figures that we are tracking just in the state of Maryland are somewhere around 5,000 or 6,000 steady-state cyber security trained individuals per year. The universities can’t keep up with the demand.


IMPACT ON BUSINESS STRATEGIES

 

JIM FLYZIK, THE FLYZIK GROUP

 

In a way I guess that’s a good trend to hear. Hopefully we are getting at part of this issue and are getting a lot of trained skilled people out there in the workforce. Switching I’d like to mention our industry guests here. Have IT security issues impacted your business strategies, are you doing things differently? Let’s start with Mike Gibbons at Unisys. Have you seen IT security impacting Unisys?

 

MIKE GIBBONS, UNISYS

 

Well absolutely, not just because we are the providers of services, but again looking internally we’ve seen kind of a morphing of the Chief Information Security Officer role. Now the whole discussion is more about how to safeguard business and how to comply with the regulations out there such as Sarbanes-Oxley.

 

We are seeing again disciplines like categorizing our data and how are we going to protect the privacy of our customers and privacy information, so the discussion is all now about risk management and it’s an elevated discussion. I’m actually part of a board across our whole company and our company is global and we have about 37,000 employees and the challenge is the CEO is now discussing with the board how we can protect our information security.

 

So the discussion is elevated and again we see the role of this Chief Information Security Officer, CISO, going up to more of a compliance risk management issue.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Mike, how about over at Cisco, is the IT security cyber security impacting your business strategy?

 

MIKE RAU, CISCO

 

In many different ways and I’ll take it from a couple of different angles. First of all our Chief Security Officer who reports to the CIO is arguably one of the most powerful people in the country. They make a lot of decisions about our business practices, how we support connectivity with our partner base, whether it be for manufacturing or partners who do resale of Cisco products.

 

It also affects dramatically how we use IT assets internally inside of Cisco and the policies with which we enforce those particular IT assets. For us, the initiatives around security are very far flung given all the impact that it has on our customer base and clearly across the broader array of products that Cisco is building today. One of the number one built-in requirements is becoming security, or has become security.

 

You can’t build a product today without there being large security implications in the development and delivery of that product to the customer base as well as the processes which you establish after that product hits the market, and the way that you deal with things like viruses and worms and security vulnerabilities and so on and so forth. So it’s a pervasive issue within our business, one for how we own our own IT assets and how we use them, but also for how we take products to market.

 

And one good thing about Cisco has been that the Chief Security Officer has influence over where we take our product portfolio based upon our own IT experiences and how we use our products to support our business.


PROACTIVE ON IT SECURITY


JIM FLYZIK, THE FLYZIK GROUP

 

Well great and I get a sense from listening to the panelists here that it’s growing in priority that information technology security continues to grow in priority. How do you think that we are doing in getting out there and proactively dealing with this issue?

 

I get this feeling that in our country, it’s largely been reactive it’s largely in dealing with a disaster or a bad thing to happen before we put the resources and attention on this particular matter. All of us begin backing up our data after we lose our data one time. It’s sort of like we need that wake up call. Do you think that we are getting more proactive in making the case at higher levels that this is a priority and we need resources to pay attention to it? Let’s start over with Scott Charbo.

 

At Homeland Security you guys have a major responsibility in this area. Scott, are we getting more proactive in this in trying to get out in front of this issue before the so called bad thing happens? What is your opinion on that?

  

SCOTT CHARBO, DHS

 

Well we are sort of split into two groups on that. One group is with my CISO in certifying the 700 or so systems that we have. We are on a path to get those completed by the end of the year, get that documentation supported, balancing our security check book if you will.

 

We aren’t quite sure where we are until we actually document it. The other side is that we have the assistant secretary for cyber security role which is a policy that hits the national infrastructure.

 

So we look at it from both sides. I think we are being proactive, we’ve made it a major initiative on all fronts for us and we are pushing it out and making it visible.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Hopefully shows like this will help try to get that message out there and a proactive stance on these things so that we can get out there in front of these issues before they happen. Bob, how about over at DOD? Do you think we are getting out in front of these issues? I know that at DOD there are a lot of other real serious issues around security that the DOD needs to be concerned about. But do you see it growing in priority, trying to get more proactive as a way of addressing these problems?

 

BOB LENTZ, DEPARTMENT OF DEFENSE

 

Yes, Jim, in DOD information assurance is constantly one of the top issues that’s being raised throughout the department at all levels. As you may know, this past summer we just conducted a quadrennial defense review where all leadership gets together and looks out many years into the future to be able to predict and to emphasize certain priorities. Information assurance and security was actually one of those very fundamental priorities. So we are trying to get out in front and I will tell you that from the CIO’s standpoint, our major priority in terms of being proactive is the IA architecture.

 

We are trying to establish an overarching architecture that allows us to be able to work with industry and work with the academic community and all of our partners to be able to look out into the future, not only to deal with issues of today but more importantly to predict where we want to be in the future and that is really where our most effective way of advancing our thinking in this area.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Great. Tom Wiesner, how about over at the Department of Labor? Do you see a more proactive stance? You are an A+ agency on your FISMA grade, so obviously…

 

TOM WIESNER, LABOR

 

I guess we are doing something right?

 

JIM FLYZIK, THE FLYZIK GROUP

 

You’ve gotten there somehow. How do you become an A+? Tell us a little bit about the proactive…

 

TOM WIESNER, LABOR

 

We were an 'F' back in 2001 I believe and we got to the 'A+' level just this past year. It obviously doesn’t happen overnight. I agree with the other three gentlemen in terms of some of the focuses that they mentioned, but it really takes commitment of your management. It sounds simplistic but if you can get the secretary’s backing and the assistant secretaries and the agency heads etc, and your staff is committed to do the job, then it makes it a lot easier.

 

There’s still a lot of work to be done, but I think the priority, I think some of the things that we have done here in the recent years is integrate our security practices right in the IT life cycle program.

 

And I think over the years it has always been a catch-up game. You built legacy systems many, many years ago with very little in the way of security controls; you did the best you could. But as you build up new products and new systems and new applications, you start looking at security requirements right at the beginning of your life cycle and you integrate it into your capital plan, your enterprise architecture, etc. I think you then start to build up those strong security controls in your programs and try to get ahead of the game.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Well said Tom, coming from an A+ agency, on the FISMA grade there.

 

Short break

 

JIM FLYZIK, THE FLYZIK GROUP

 

Welcome back. We are talking about IT security. When we went to break we were talking about creating a sense of urgency or trying to become more proactive. Glenn, over at OMB, I guess that’s a major priority of yours, to make sure that the agencies are putting proper resources on this matter. How have you seen this evolving and do you think we are getting there?

 

GLENN SCHLARMAN, OMB

 

Well, I certainly think there is progress, and on your point on reaction, unfortunately it is human nature to react, and sometimes overly so, but what we are reacting to is yesterday’s problem. So the forward-leaning thinking of future planning and implementing the plan is what we are all driving for, and that is essentially the underlying principle in FISMA.

 

Certainly the attention at every agency is higher than it’s ever been and we maintain that attention through the presence of a score card and quarterly regular scores. Now, is it perfect? No, of course not. Is congress’s annual report card perfect? No. But what they both do is keep the attention, keep the focus on the issues. I think that it is painful, but it’s being successful this far.


SECURITY ARCHITECTURE & ENTERPRISE ARCHITECTURE

 

JIM FLYZIK, THE FLYZIK GROUP

 

Great. Thanks. I’d like to ask all our panelists. We’ll start with Bob, Bob Lentz. Bob you mentioned security architecture. And I know that most government agencies have the private sector helping them and now have in place enterprise architectures. Are there security architectures in place that are coupled to that enterprise architecture? How does that work? Have you built the security directly in to the enterprise architecture work? Can you comment on that?

 

BOB LENTZ, DEPARTMENT OF DEFENSE

 

Right now we are still at a stage where we are gluing IA onto those architectures instead of baking it in from the beginning. But we are getting very close to the point in working with industry that IA is now an integral part of all elements of product lines. And I think that is why, Jim, as you mentioned, the architecture is such a fundamental part of our future.

 

We just rolled out at DOD the latest version of our architecture. And we have the industry day scheduled coming up this June bringing all industry in to collaborate on this architecture so that we can allow it to address what we think the technology of the future is going to be.

 

So we are very close to having a strategy that our architecture allows to be baked in from the beginning, which will allow us to have enterprise solutions, which will allow us to address the threats of the future.

 

JIM FLYZIK, THE FLYZIK GROUP

 

That clearly sounds like where we need to go. Scott, how about over at Homeland? Do you have a security architecture group or a security architecture that couples with your enterprise architecture?

 

SCOTT CHARBO, DHS

 

We do. Our CISO owns the security architecture. We see that as very tightly bound to our networks, the networks, the platforms that we want to build our businesses and our applications off of so that the security architecture is baked within there.

 

The role of the individual then is very tightly aligned to that through our directory control. So that’s where we see, as Glenn mentioned with HSPD-12 earlier, everything being bound together so that we can develop greater information assurance through that network, that security architecture, and ultimately that enterprise architecture.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Great. It sounds like in getting proactive that’s one way to do it, is to get out front with the security architecture. Mike how about at Cisco, a private sector view on this. Do you see building security architectures, or helping agencies build security architectures as a major priority?

 

MIKE RAU, CISCO

 

Yes, our view on architectures in general is pretty critical to the success of IT infrastructures and as we look at developing products we look for them to fit into not only architectures for communications but also on how they apply security policy within the network.

 

Over time we don’t believe that security products are a separate set of appliances or a separate set of services, we believe that they need to be integral to the network, they need to be integral to the ?? process of a particular device so that they can be deployed more broadly and more effectively within an enterprise or federal customer.

 

And I think in general what we are trying to achieve there is a better ability to have the network and the end systems participate in a day zero response to worms and viruses and other vulnerabilities.

 

In general many of the attacks of worms and viruses that we see have a lot of the same characteristics of previous attacks in the past, so the networks and the end systems have the ability to actually learn and respond in a little more proactive way so that we avoid major IT catastrophes from the security perspective, and we think to keep performance high and security high, that needs to go for a more integrated strategy. That’s what we advocate through our self defending network strategy.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Great. Mike over at Unisys? Similar?

 

MIKE GIBBONS, UNISYS

 

We actually have done a lot of work in the federal enterprise architecture world in helping customers look at a holistic strategy or framework at the top, or an architecture, and the challenge has been as we said before, many of the security initiatives were bolted on, you couldn’t really find a security architecture per se anywhere. What we found is there’s a combination of things you have to do for people, process, and technology point of view, you can’t forget that, it’s not just a matter of bolting on technologies here, but we have to have processes in place and a framework to make sure all the boxes are checked.

 

The problem with security is that it’s a wide set of disciplines, it’s like saying, systems integration. When you say information security, well, which part of information security do you mean? So you have to have a framework that looks at all the various disciplines in information security, you have to have it built into your systems development life cycle as a process to make sure the boxes are checked, then you have to have good measurement and continuous measurement, including certification and accreditation, which is supposed to be a continuous process, to assure that these things are effectively taking place.

 

That people are following the policy and guidance and building safe and secure systems. We’re talking about building systems where you have public trust and confidence. That’s the issue we are all trying to get to.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Great. Tom Wiesner, at the Department of Labor, enterprise architecture, security architecture, do you have such architectures in place? Are they coordinated together?

 

TOM WIESNER, LABOR

 

Yes, to follow what Scott said a little earlier, we have a strong enterprise architecture program and then within that program we have a security architecture integrated into the enterprise architecture program. The CISO is responsible for the security architecture and works well with the chief architect to integrate security into where we want to go as a department. Architecture today with universal functions and as we move forward and transition strategies. Our security architecture is tightly integrated into our DA program.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Before we go to break here, a final thought from Dr. Goff. A few years back I had the opportunity of being in the president’s critical infrastructure protection group, and one of the things being kicked around then was the idea of whether we should have a national issue around this, or a national cyber academy or something. Has that thought resonated at all at the University of Maryland or throughout academia about centers of excellence across the country? I know we have some in place today, but maybe we can let the audience know a little bit about that background.

 

EMPHASIS ON EDUCATION

 

DR. DON GOFF, UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE

 

Well thanks for asking Jim, because as you know and all the panelists know that the national strategy to secure cyber space gives a strong emphasis to education. While you are designing the enterprise architectures you still have problems in that you are as vulnerable as the least educated end user, as the least educated network administrator or systems administrator, and so there is a need to gain the knowledge and the skills required to manage these networks and to make sure that this whole zone security is added in a proper way. We also have to grade performance that you are doing.

 

One of the proposals that had come out of the PCIPB, the President’s Critical Infrastructure Protections Board, was the notion that there would be an educational institution at the national level that would be delivered on line that would be the resource for people to learn these skills.

 

A couple of weeks after that was issued, the Department of Homeland Security stood up and all those functions were taken over and the department assumed that responsibility. But within that national cyber security division, the concept was endorsed but there have been a series of personnel changes and a series of things going on there that have kept that from coming to completion.

 

We would think that a national cyber academy that capitalized on the resources of the various universities around the country that have demonstrated their program efficiency would be valuable. There is a program that the National Security Agency and the Department of Homeland Security sponsor where universities vet their faculty, their research, their laboratories, their courseware and everything else to match the federal training standards, and if after this exercise is complete they pass, they are designated a National Center of Excellence for Information Assurance Education. So pulling together that talent and utilizing it for the national good is something that really needs to be done.

 

JIM FLYZIK, THE FLYZIK GROUP

 

That sounds great. I’m just raising that again, the awareness to get out front and when we come back let’s talk a little bit more about security awareness and training.

 

Break.

 

JIM FLYZIK, THE FLYZIK GROUP

 

We are talking about IT security. When we left for break, Dr. Goff brought up the issue of education, awareness and training. I’d like to ask our panelists, in your organization, is awareness and training an annual thing or an ongoing thing? Is that a priority in your organization? Let’s start with Glenn. Glenn, over at OMB, is this something that’s scored in the FISMA grade, how well they do in awareness and training? Is it standard practice?

 

GLENN SCHLARMAN, OMB

 

It is measured in the annual FISMA report at least. We ask about the degree to which agency employees are trained, both those with specific security responsibilities and, just as importantly, the general population, most of whom use computers, as to whether they have general awareness training. But on this specific issue we found it to be significant enough and inconsistent enough across government that last year we had a task force look at the big issues with cross-government security.

 

They came up with four and I’m not going to mention all four, but one was training and awareness, and the specific responsibilities. So we are looking for an approach and, going back to my original point of developing and maintaining a consistent approach, that we would have perhaps a center of excellence for government security training, the particulars of which I’m not prepared to go into right now.

 

But going back to Don’s point, it isn’t just the government, and this isn’t just a government program, it’s a national problem, and talk about being reactive, we will always be reactive until we have a fiber throughout industry and government and academia that understands what this problem is and it’s all education. It starts there.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Great. Thanks Glenn. Scott Charbo, is security awareness and training an ongoing thing within the Department of Homeland Security?

 

SCOTT CHARBO, DHS

 

It’s constant. Cyber security isn’t sexy. It’s sexy when things go bad and then you are reacting and under the microscope, so pushing information training, consistent training to our employees is critical. Our employees are potentially the weakest link with information and system assurance and also they go home every night so we want them to come back at the end of every day. They are our inventory. So we want to make sure they have the skills and the proper training to protect that information and our systems to properly accredit it.

 

JIM FLYZIK, THE FLYZIK GROUP

 

I like that focus on people. Someone once told me that addressing cyber security if you first start with good people and take care of your people you are going a long way towards solving the problems. Mike, how about at Unisys? Is security training awareness an ongoing thing?

 

MIKE GIBBONS, UNISYS

 

Absolutely and it’s critical. What’s interesting is that all our contractors provide services on the ground. For example at the Department of Homeland Security we go through the same awareness training and you have to sign off as a prerequisite to do the work, it’s part of the department mandate, which is excellent, so we get the same training that the employees do, side by side.

 

But the interesting thing is, as with many things, there are many levels of training that are necessary. One of the emerging areas is training programmers how to not do silly things like use the wrong types of variables that allow flaws to be exploited on the internet. So we have been starting with the basics with security for training programmers and there are some initiatives that way. So again security training, many different levels of awareness is the first step.

 

JIM FLYZIK, THE FLYZIK GROUP

 

I like the idea too of contractor training and awareness being consistent with the government. I think that’s really important as we work towards a blended workforce. Scott do you have a comment on that?

 

SCOTT CHARBO, DHS

 

I wanted to make sure that Glenn heard that comment about the contractors being trained.

 

JIM FLYZIK, THE FLYZIK GROUP

 

You got that one? Actually, somewhere down the road on the show we want to explore this idea of the blended workforce, that’s government and contractors working together and looking at contractors the same way as you look at government employees, but... Bob, how about over at DOD, is awareness and training an ongoing thing?

 

BOB LENTZ, DEPARTMENT OF DEFENSE

 

Yes it is Jim. The CIO has an information assurance strategic plan and just like the national cyber strategy, one of our five goals is dedicated to IA training and education and certification and the Deputy Secretary of Defense just issued a policy recently to certify, as I indicated earlier, about 80,000 DOD personnel in Information Assurance.

 

Just last year, as indicated in our FISMA evaluation, over 2 million personnel received annual awareness training and nearly another 70,000 had specialized training, and that included of course the challenge we had of deployed forces. So clearly education and training is a top priority. The commanders out in the field now completely understand the criticality of their IT systems and are making sure that the troops are aware of the threats and keep up with the training that’s required to keep these systems up and running and have the highest integrity required.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Mike, how about Cisco Systems?

 

MIKE RAU, CISCO

 

On the education front for our employees and our contractors, as we do employ a lot of contractors inside of Cisco, we do a lot of self-certification tests based upon e-learning type content. We also do a series of, interestingly enough, commercials that run internally that demonstrate the impact of security vulnerabilities. Most of them are on how the employee actually behaves and things that they do.

 

Sometimes they are completely not IT related, it might just be a conversation they have on an airplane without understanding who is around them. In the case of contractors, it’s a very interesting issue. What we end up with, not only with contractors but also with guests that come into the facilities, is that it is more and more important to be able to provide them with network access but basically isolate them from certain assets within the IT infrastructure that they should have no access to as either a contractor or a guest. So we are starting to see more of a role for identity based solutions which dynamically provision services in the network so if a user comes in based upon who they are the policy follows the user.

 

It allows you to have a bit of openness to support guests and contractors, but at the same time keep your networks locked down and your assets more effectively protected.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Great. Tom, how about in the Department of Labor? Awareness and training. Is that an ongoing initiative?

 

TOM WIESNER, LABOR

 

Yes, absolutely. We have the security awareness training every year that we give out to all our employees and contractors. We start it in the late spring and carry it through the summer, pushing throughout that period of time to encourage people to take that training. We use a new training initiative to accomplish that. We also have role-based training for personnel with significant security responsibilities; we’ve raised the bar on that in the past couple of years.

 

This year the CIO came up with funds to fund a program that would lead to certification for IT professionals, security IT professionals, in Labor. Leading to a certified degree through a program and a series of courses in terms of where their skill sets are.

 

So we want to continually raise the bar. We are aware of people with responsibilities on a day to day basis but it is so important that anyone who sits down at a computer is aware of some of the vulnerabilities and sensitivity as you’ve mentioned.

 

SECURITY & THE SUPPLY CHAIN

 

JIM FLYZIK, THE FLYZIK GROUP

 

This brings up a curious question. All of the panel is talking about how well the priorities are focused within your organization or agency. What about your trading partners, or your supply chain, or those you are doing business with? I know that back when I was in government we once took a look at that, back then it was called Project Matrix, where we took a look at all the different people we do business with and you quickly realize how dependent you are on others. I’d like to get maybe an industry and a government perspective.

 

Mike, how about at Unisys, do you look at your supply chain and what kind of security processes your trading partners have in place?

 

MIKE GIBBONS, UNISYS

 

Yes, we go through it internally and we actually have been hired now by some outside companies. We go out and we actually perform an assessment of the security of their trading partners and do a verification. So we actually have built a methodology to review, similar to the FISMA control families of NIST SP 800-53, where we look at the control policy and practice of these companies on behalf of a major US corporation with all their trading partners.

 

And they are looking at that now as a due diligence process that is necessary to ensure that when they give information, be it customer information or others, they are going to have a trusted stream and then protection at the other end, at least to a basic set of standards.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Bob at DOD, is this something that you guys look at from time to time? We have our own shop to get in order, but also what about the probably thousands of organizations or companies that you do business with?

 

BOB LENTZ, DEPARTMENT OF DEFENSE

 

Yes, Jim, the whole supply chain issue is one that has really become a center stage issue at the Department of Defense and at the national security level. We have a Committee on National Security Systems that has actually commissioned within the past year a report that looks at global information technology and the supply chain issues that we are looking at.

 

It’s a big deal within the Department of Defense. We team very closely with the Under Secretary of Defense for Acquisition. About 2 years ago we had a policy dealing with trusted integrated circuits to try to enhance the assurance level of trusted circuits in that area, and now we are focusing a great deal of attention on the software and the suppliers.

 

So these are big issues to us, globalization is a big issue to us, and we are focusing a great deal of attention on that. And we want to partner with industry to make sure that we are both synchronized because we do not want them to be non-competitive in this very globalized world that we live in. Because we need those against technology so much.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Right. I like that term trust as well. I know I have the privilege to serve on the Leadership Institute, where we are looking at that whole definition of how do you know what is a trusted enterprise and what are the criteria that make an organization be viewed as a trusted enterprise. It’s a very interesting topic. We need to go to a short break and then we’ll be back to wrap up today’s show with some closing comments from all of our panelists.

 

Break.

 

"DIGITAL PEARL HARBOR"

 

JIM FLYZIK, THE FLYZIK GROUP

 

Welcome back. I’m here with Glenn Schlarman, Scott Charbo, Tom Wiesner, Bob Lentz, Mike Gibbons, Mike Rau, and Don Goff and we are talking cyber security and we have a few minutes left on today’s show and I’d like to just pose a question out to our panelists for closing comments.

 

We hear a lot, some people project out there, that we are heading some day towards a digital Pearl Harbor, a big cyber attack that has the capability of taking down major systems and others, and so forth. Others believe that it’s just a bunch of hype and that we are out there in front of that. I’m just curious how the panel sees it. Where are we on this issue? Scott, what is your opinion or perspective on this, are we out in front of this issue enough that we can feel like we are in good shape and this so called “digital Pearl Harbor” is just a bunch of hype?

 

SCOTT CHARBO, DHS

 

I’m not much of a doomsday advocate. We certainly will have events that come up like we’ve had in the past. We will respond to those, we will mitigate those, we are very proactive in preventing a digital Pearl Harbor as you phrase it. We are very serious about physical and cyber security at Homeland, so much so that we’ve even made security part of our name. We are proactive, the secretary’s made it a priority and we are in charge of the planning.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Right. Hype or are we in front of the issue? Mike?

 

MIKE GIBBONS, UNISYS

 

I think as Chicken Little said, rather than saying the sky is falling, I think the sky has already fallen and we are getting hit in the head every single day with a bombardment of spyware, malware, viruses, all the problems that we’ve got in this day and age that we are fighting. So I think we are getting eaten away every day by the problem, so I don’t know that we will have a catastrophic event but sure enough it’s an every day battle.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Right. Bob?

 

BOB LENTZ, DEPARTMENT OF DEFENSE

 

Well there’s no doubt that our adversaries are very clever and very determined and we have to be proactive. It is there and it’s a big deal.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Mike?

 

MIKE RAU, CISCO

 

Proactive, it’s the key word. It’s got to be part of every day in an organization and employee system, it can’t be after a worm or virus all of a sudden becomes a priority and then ebbs and flows from one virus to another.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Tom?

 

TOM WIESNER, LABOR

 

Earlier on you asked us whether we would ever get beyond the reactive stage into the proactive stage, here we have the opportunity to be proactive and we have to be prepared as best we can and be prepared for the challenge when it comes.

 

JIM FLYZIK, THE FLYZIK GROUP

 

I like that. Don?

 

DR. DON GOFF, UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE

 

Our IT dependence has grown over the last 10 years. It’s absolute now, our economy is tied to it. We have to manage the risk. We have to be smart about it.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Right, there’s no decision about whether we have to do this. And Glenn, you have the last word on this issue.

 

GLENN SCHLARMAN, OMB

 

I look at this two different ways. If we are talking about an intentional attack, I have to go with Mike, we are actually experienced and involved and experiencing it every day. The good news is, in this case the target is also the weapon. So if there’s a bad guy attacking us electronically, they are not going to destroy their own weapon.

 

So we might be experiencing the worst. Accidental is something entirely different and I think Katrina, power outage, earthquake, you name it, we have experienced regional catastrophes and we have recovered. I’m not saying that we recovered as quickly as we could have or should have, but I think we need to, we obviously plan for the future, but I believe that it’s this erosion that we get every day that doesn’t rise up to a high level that is the most difficult thing to address.

 

JIM FLYZIK, THE FLYZIK GROUP

 

Well said Glenn, I like that idea that we have to distinguish between natural disasters, accidental things versus an intentional say terrorism type of event.

 

I want to thank all my panelists for being with us here today on the show. They are all extremely busy people and took time out to share their thoughts with our audience on this critical issue. I appreciate you all being here and I look forward to working with you in the future. The purpose of this show is to try to solve problems and industry and government working together to solve some critical issues facing our country and I appreciate you taking the time out to participate with us in trying to further that effort.

 

I look forward to next month’s show when we will be talking about infrastructure consolidation issues across government.

Copyright © 2010 Public Sector Communications, L.L.C.