My Opinion: NYT wants cyber security to be a divisive issue.

I just read an article that seems designed to keep spreading FUD (Fear, Uncertainty, Doubt) about the US government and the NSA.   The article is titled “Control of Cybersecurity Becomes Divisive Issue “.  It starts with an assertion stated as if it were a fact that says “The National Security Agency has been campaigning to lead the government’s rapidly growing cybersecurity programs”.

I bump into all sorts of people in the beltway, and there is a huge amount of buzz regarding cyber.  There is also a huge amount of pontification and rumor and hype, and I think Risen and Lichtblau have fallen for some of that. Read the rest of this entry »

Foreign Spies Make Recession Worse and Steal Part of Our Future

Foreign spies are in our country for many bad reasons. Spies target defense secrets and seek to penetrate the
decision-making process of our government leaders.  They also gain unauthorized access to information held by our nation’s corporations.  In this time of
serious economic crisis this aspect of the threat from foreign spies is particularly troublesome.  Spies contribute to the problem’s we face in the economy.

Today one of the most damaging things spies do is steal the trade secrets and intellectual property of our corporations and research labs.  The intellectual property they steal is moved overseas where other countries (and companies inside those countries) can benefit from the investments we make in research and development.  This hurts our economy in many ways.  It causes the value of our research and development to be significantly sub-optimized.  It hurts the ability of our companies to compete in the global market place.  It causes more jobs to go overseas.   It can threaten the survival of companies which of course hurts both investors and employees.  This is all bad for the economy.  And its all WRONG!  Our country needs to invest enough in our counterintelligence capabilities to find foreign spies and get them out of here. 

A particularly insidious threat is one where a country might couple the power of spies in our borders with cyber attacks and cyber espionage to extract information from companies while at the same time monitoring the response to those attacks.  Humans can enable cyber attacks in many ways that make them far more damaging.  In fact the most feared type of data theft if one where a trusted insider moves data.  With modern high capacity thumb drives large quantities of data can be moved in moments.

I just read an article by an authoritative source on this topic, Michelle Van Cleave.  Michelle served as the hed of U.S. counterintelligence from July 2003 through March 2006 and was in a position to observe firsthand some of the damage being done by foreign spies.  The article outlines examples and gives a firsthand account of some of the challenges we face in this area.  It concludes with:

How important is all of this, really? Cynics will scoff and say, “There
will always be spies.” But I have read the file drawers full of damage
assessments; I have catalogued the enormous losses in lives, treasure
and crucial secrets that foreign intelligence work has caused. The
memory of what’s in those files — and the thought of the people and
the operations still in harm’s way — can keep me awake at night.

So we have to choose. We can handle these threats piecemeal, or we
can pull together a strategic program — one team, one plan, one goal
– to reduce the overall danger. We can chase individual spies case by
case, or we can target the services that send them here. The next
devastating spy case is just around the bend. I fear that when it
comes, we will all ask ourselves why we didn’t stop it. I suspect I
already know the answer.

I recommend this article to all, especially enterprise technologists.  If you are a CTO, a CISO, a CISO it is especially important for you to understand the nature of the threat to your systems and to your intellectual property.  If you are a citizen it is important for you to know as well.  We must collectively address this challenge to our intellectual property and to our economic recovery.

For more on these topics please see:

http://www.ctovision.com/cyber-war/

and

http://www.ctovision.com/information-warfare/

 

CTOs, Global Cyberwar and Our Collective Future

If you are a technologist, please take a moment to download the PDF of the report by the U.S. Commission on Cybersecurity.  This report, titled Securing Cyberspace for the 44th Presidency, is the best proclamation of the challenges of cyber I have read.  It is also a roadmap that will help any trying to navigate these very tough issues.

I've been involved in things cyber for a long time.  My deepest
involvement began in December 1998, almost 10 years ago to the day.  
In all that time I've seen lots of studies and lots of papers and many
treatments of the issues.  But I've never seen one that captures the
complexities and the need for specific actions as well as this one. 

I'd really recommend you read every word, if you want to be considered literate in this field.   But if it will be a little while till you get to it, here are some key points:

The three major findings are:  1) Cybersecurity is now a major national security problem for the U.S., 2) Decisions and actins must respect privacy and civil liberties, and 3) only a comprehensive national security strategy that embraces both the domestic and international  aspects of cybersecurity will make us more secure.

The report makes a few points about the Bush Administration's Comprehensive National Cybersecurity Initiative (CNCI).  In general the give credit to that initiative, and call it good.  I agree, it is a great activity I've previously written about that is led by one of the most effective people in government today and has done great work.  But as the comission points out, the work of the CNCI is good but not sufficient. 

The biggest shock for me in this study:  The amount of funding on R&D for cyber security.  I have been looking into the many activities underway, and maybe that look made me deceive myself into thinking it was a well funded effort.  According to the comission, however, they estimate that the total R&D funding in the federal government for cybersecurity is about $300million.  Less than two-tenths of one percent of the total federal R&D.

The report has a great section on identity manangement. 

I am convinced the organizational approaches outlined in the study are the right ones as well.  There is only one place in our government where we can lead solutions to this challenge.  Where is that?  Hey read the report!

What else do I recommend CTOs do besides read the report?  I think one way we can all help the cybersecurity effort is to think through which standards bodies are the most important to engage with regarding security.   A few are here:
http://www.ctovision.com/2008/05/standards-organizations-ctos-should-track.html

The Future of Cyberspace Security: The Law of The Rodeo

This is an update of my now annual assessment of the future of technology associated with good and evil in cyberspace which was first posted here.

Predictions
of the future of technology are increasingly starting to sound like
science fiction, with powerful computing grids giving incredible computational power to users and with autonomous robots becoming closer and closer to being in our daily lives vice just in computer science departments. Infotech, nanotech and biotech are fueling each other and each of those three dominate fields are generating more and more benefits that impact the other, propelling us even faster into a new world.   Depending on your point of view the increasing pace of science and technology can be good or
bad.  As for me, I'm an optimist, and I know we humans will find a way
to ensure technology serves our best interests.   

Read the rest of this entry »

CIA IT Leaders Are World Class IT Leaders (continued)

CIO magazine continues its reporting on the IT enterprise at CIA and the CIA's CIO (Al Tarasiuk).  I have little more to add:  My comments from before still stand:  Al is a world class leader and this follow on report just underscores that.  I imagine Al is similar to other great CIOs from industry (folks like HP CIO Randy Mott, for example) and my old boss Mike Pflueger of DIA.   These leaders must wrestle with far more than technology (they can hand of the easy technology stuff to CTOs, right?).  In story after story of the great CIOs I note that they spend a great deal of time on culture, policy, process and human factors. 

For continuity I wanted to provide the link to the rest of the story.   It is here:  http://www.cio.com/article/print/441688

Bob

Compliance enhances IT support to the mission

I’ve previously blogged about Triumfant, a company that has mastered
the automated detection and resolution of IT problems.   I also think
of them as the world’s greatest compliance monitoring capability.  What
do I mean by compliance?  I mean compliance in the context of the many
rules, regulations and configurations that external organizations and
the government require, and also compliance with your own policies and guidance.

For those who are not familiar with the full scope of compliance
issues, a great source is the site of the IT Compliance Institute.  
Their goal is to be a global authority on the role of technology in
business governance and regulatory compliance.   That means they are
driven to seek out regulations, understand the requirements for
compliance, and then help determine the best way to automate that
compliance. 

The site holds several white papers and
checklists on topics like IT Audit, Risk Management, keeping up SOX
compliance, Change Management, Logging, Reporting, and Security.  
These papers seem to be good primers for any CTO or other enterprise
technologist who needs to understand this domain. 

Here are some other thoughts on compliance:

- During my time as a CTO of a DoD Agency, I noticed a shift in how
federal organizations perceived compliance.  Federal organizations are
all about compliance, and have long followed mandates like the
Clinger-Cohen Act, FISMA, the many Enterprise Architecture requirements
(like DoDAF or FEA), and a wide variety of other requirements.   But
most federal organizations did not treat compliance as a way to
optimize delivery of IT capabilities to users.   And most federal
organizations did not have to comply with many of the regulations being
levied on industry (like SOX, for example).   That is all changing. 

- More recently IT professionals began to see compliance and the need
for automated control of systems as a way of not just complying with
regulation and reporting requirements, but a way of ensuring uptime,
helping speed delivery of new software deployments, helping reduce IT
admin costs, and helping with overall abiity to support the mission. 
Add to this new awareness of the importance of compliance the recent
shifting of federal policy  towards having agencies produce financial
audits and IT auditing requirements to the same standards as the
commerical sector.

There are more shifts in compliance underway in the federal space,
including a new Federal Desktop Core Configuration (FDCC).  I see all
this compliance as a good thing that should be executed in a way that
enhances uptime, enhances security, and enhances the delivery of
capability to end users. 

For more on compliance see my previous post    http://www.ctovision.com/2008/07/automated-resolution-of-it-problems.html

For more on triumfant see:  http://triumfant.com

Vision for the Enterprise CTO: Lessons from DNI Vision 2015

This
note provides two lessons and a comment for enterprise chief technology
officers that comes out of a new vision document from the Director of
National Intelligence (DNI).

The DNI, Mike McConnell, just released Vision 2015, a vision for a
globally networked and integrated intelligence enterprise.   This
vision is for far more than just IT, but it has lessons for all
enterprise technologists.   

This document lays out a compelling, motivating vision for the future
of one of the largest enterprises on the planet, the US Intelligence
Community.  Currently this enterprise is guided by a Director who
exercises authority over its 17 major components and several smaller
organs.  But those many parts also have other chains of command and
frankly the enterprise is not optimized for mission success.   I’ve now
read a vision, however, that I know will change the future.

This is not just an IT vision, which might be ignored by
parts of the enterprise.  It is an enterprise vision.  So, the first lesson I believe this vision has for enterprise CTOs:  life can be so much simpler
if your boss releases a compelling, motivating vision for the entire
enterprise. 


The IT guys in the intelligence community clearly had input to this document.  Some smart techies wrote large sections of this, I can tell.  Here are a few paras from the vision:

QUOTE:

The end state will be seamless access to all intelligence information, tools and processes across multiple agencies and databases. Our information architecture will have to undergo a fundamental shift: from the multiple hub-and-spoke model of information collection, analysis, and dissemination based on specific discipline to a unified architecture designed around a common “cloud” (i.e., a distributed peering network) containing our information. This information infrastructure will allow authorized end-users to discover, access, and exploit data through a range of services, from federated query to integrated analytic tool suites.

Currently, each intelligence agency operates and maintains its own network and information infrastructure: power, cooling, circuits, switches, routers, databases, information management systems, data centers, security and enterprise systems management tools. By 2015, we will migrate to a common “cloud” based on a single backbone network and clusters of computers in scalable, distributed centers where data is stored, processed, and managed. The shared data centers will be unique facilities designed and located for access to communication and power supplies. The Intelligence Enterprise will benefit greatly from a more robust, secure, and effective means to organize, update and retrieve all of the information it collects. The centers will also allow experience and technologies employed across the Community to be leveraged, focusing scarce technical resources and reducing costs.

Over the last 20 years, the Intelligence Community has been challenged to keep pace with rapidly evolving information technology. Although a less-than-agile acquisition and procurement system has been part of the problem, the Intelligence Community is also undermined by its basic approach. If we are to maintain a technology edge, we must adopt an enterprise wide, service-oriented architecture that is interoperable with systems in other federal departments, and can share information with non-traditional partners. A service-oriented architecture provides a proven means to adapt new technologies while responding to changing user needs. By creating “software as a service,” this architecture reduces system complexity and deployment risks through a shared development style, uniform standards, and common interfaces. These services will enable a user-defined analytic environment through the use of composite applications – discrete services that can be pulled from a central library and dropped into a user-defined workspace.

The range of Enterprise-wide services that should be deployed by 2015 include communication services (e.g., common e-mail, directories, calendaring, and collaboration); data services (e.g., federated queries and searches, tagging, entity extraction, and storage); security services (e.g., single sign-on, access control, monitoring, and auditing); and analytic services (e.g.,portals, data mining, visualization, and modeling and simulation tools).

 UNQUOTE

Something this vision does very very
well is capture the IT components of the vision, which is very
empowering for enterprise technologists.  This points to what I believe is the second big lesson for enterprise technologists:  CTOs
should ensure their vision for the future makes it into the bosses
vision.   

And a closing thought:  To me the IT components of this vision were a
very familiar read.  It is the same vision that was successfully
accomplished under the leadership of Mike Pflueger and Mark Greer when
they transformed the DIA and DoDIIS enterprise from 2004 to 2007 (I was
honored to have been their student and their CTO).   They lead a team
of us at DoDIIS HQ and throughout the global enterprise to consolidate
the efforts of 11 major enterprises (and several smaller ones) into one
strong globally networked intelligence enterprise.   In my entire
career they are the only two people I met who I’ve seen accomplish this
type of effort in government.   [Mike and Mark, my crystal ball is clear
on this issue.  You will likely be getting a call from the DNI.  The call might come in 2014 saying a rescue is needed because this IT integration was harder than they thought.  But hopefully the call will come in 2008 and ask your
help/advice on this in its early stages.  If you can work your magic in
the early days of this effort the nation will be far better off for
it.]

Automated Resolution of IT Problems

In January 2008 I was named to the advisory board of Triumfant, a
company who has mastered the automated detection and resolution of IT
problems.  Of all the IT firms I’ve seen, they are the ones with the
most comprehensive approach to automated resolution management and the
only one I’ve seen that can automate the entire lifecycle of IT problem
management, from identification to resolution.

I recently read some very exciting news about Triumfant.   They have
just signed a partnership agreement with one of the largest suppliers
of computers to the federal government: computer giant Dell Inc.  
Triumfant software will be sold pre-installed on Dell computers to
federal customers running Microsoft Windows XP and Vista.   

I take this as a huge endorsement of the Triumfant approach of
automated process monitoring and IT compliance enforcement.   This agreement between Triumfant and Dell is
also great news for enterprise CTOs and other technologists who must
meet the mandate of the OMB’s Federal Desktop Core Configuration
(FDCC). 

Read the rest of this entry »

Enter my office: using Adobe Acrobat Connect

I have picked a primary online meeting tool for my consultancy (Crucial Point LLC).  Although I will use any tool a client or associate needs me to use, the tool I prefer is Adobe Acrobat Connect.  

Why did I select Adobe Acrobat Connect?  A key reason is that no downloads are required for this to work (assuming, of course, that you have flash player installed on your system, which 98% of the computers on earth already do).

Read the rest of this entry »

Protecting Federal Networks Against Cyber Attack

The Department of Homeland Security has released a blueprint for the enhanced protection of federal networks against cyber attacks.  A factsheet for this effort is  available here. 

Here is a summary of that summary:

It declares a policy:  "It is the policy of the
United States to prevent or minimize disruptions to our critical
information infrastructure in order to protect the public, the economy,
government services, and the national security of the United States."

It formally announces a Presidential Directive:  "On January 8, 2008, President Bush approved National Security
Presidential Directive 54/Homeland Security Presidential Directive 23,
which formalized a series of continuous efforts designed to further
safeguard Federal Government systems and reduce potential
vulnerabilities, protect against intrusion attempts, and better
anticipate future threats."

Read the rest of this entry »