A CTO’s views on the new Fed CTO

April 18, 2009

I’m very pleased with the pick of Aneesh Chopra as the Federal Government’s CTO.  I wish I could add more context than that, and was thinking of a quick biographical sketch of Aneesh and some ideas on why this is great news.  Then I read Tim O’Reilly’s post at O’Reilly Radar, and frankly I just totally agree with everything Tim said.  Please check out his post at:

http://radar.oreilly.com/2009/04/aneesh-chopra-great-federal-cto.html

Here is an excerpt that particularly resonated with me:

“Chopra has been focused for the past three years on the specific technology challenges of government. Industry experience does little to prepare you for the additional complexities of working within the bounds of government policy, competing constituencies, budgets that often contain legislative mandates, regulations that may no longer be relevant but are still in force, and many other unique constraints. In his three year tenure as Secretary for Technology for the Commonwealth of Virginia, Chopra has demonstrated that he has these skills. In fact, last year, the National Association of State Chief Information Officers ranked Virginia #1 in technology management.” Read the rest of this entry »


May I have your views on the future of IT?

April 16, 2009

If all goes well I’ll get a speaking part at the next DoDIIS Worldwide Conference in Orlando, 17-21 May 2009.  I love this conference.  It is attended by great folks, many of whom are technologists with a deep background in a favorite mission area. The greatest systems integrators come to the conference.  And the technology companies that exhibit at the conference are also great, with many demonstrating cutting edge, disruptive technologies that make for an intellectually stimulating time.

I submitted a proposal to deliver a presentation at a breakout session on megatrends in the IT world and some assessments on the future of IT. Read the rest of this entry »


You Really Have to See This: From MIT Media Lab

March 13, 2009

Words can hardly describe how neat this technology is.  I’m excited and enthused for many reasons, including the potential power of this technology to help us all make better decisions and of course to bring even more fun to our lives.  Watch and let your imagination go… Think of the wonderful ways we can interact with data to do good things in the world.

Other thoughts:  Look for the dynamic, moving newspaper.  Yet again there is more evidence that Hollywood is driving enterprise technology.


Vivek Kundra: Still the Alpha CTO and now the First Fed CIO

March 5, 2009

Today’s news on Vivek Kundra’s role in the federal space made me think of another CTO, Yuvi Kochar. Yuvi, the CTO of the Washington Post, is a great connector of CTOs who leads the informal collective of the Washington Area CTO Roundtable.  Although I had heard Vivek speak a time or two, the first really deep interactions I had with Vivek were through Yuvi’s work in service to the tech community, and I much appreciate that.

For a quick update on Vivek from a CTO perspective see: Read the rest of this entry »


Enhancing Security and Functionality At The Same Time

February 24, 2009

Have you ever been sucked into the false debate over how much of the IT budget should be spent on security?  I used to all the time.  Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.”  That old-school formula may well be part of the reason we got into the mess we are currently in.  It encourages the idea that security can be separated from the rest of IT.  By my way of thinking, 100% of the budget goes to security and functionality, and that is the calculus.

Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to the functionality of IT.   I try whenever possible to use the terms security and functionality in the same context just to underscore that point.

For example, the goal I continually push regarding security in the federal space is not just one dealing with security.  I put it this way:  “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.”  Putting the goal this way also underscores that it is not security vs. functionality.  Both need to increase.

This goal also cries out for metrics in security and functionality.  For functionality there are many customer-focused survey methods that can help collect the right metrics.  For security, I think one metric stands out above all others:  detected unauthorized intrusions.  There are many other important metrics for other dimensions of the security problem, but that one is key.  So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly.  If there were 50,000 detected intrusions in 2008, there should be fewer than 5,000 in 2010, and a full two orders of magnitude would bring that down to 500.  One caveat in reading that number: a count of detected intrusions only tracks the real intrusion rate if detection coverage holds steady or improves, so it should be reported alongside a measure of coverage (sensors deployed, logs collected, hosts monitored); otherwise a drop can simply mean that less was being watched.

That is a dramatic goal.  What makes me think it is achievable?  In part the dramatic action being put in place today in the federal space.  And in part the dramatic new technologies and approaches like private clouds, thin client computing, and enhanced identity management and authorization methods.  But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs, CISOs and the security experts in the federal space today.

As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines.  Details of this effort are at http://www.sans.org/cag/

The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance.   These controls and metrics include:

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations of Network Devices Such as Firewalls and Routers
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  16. Secure Network Engineering
  17. Red Team Exercises
  18. Incident Response Capability
  19. Data Recovery Capability
  20. Security Skills Assessment and Training to Fill Gaps

The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them.   The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.  
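To make “automated measurement and validation” concrete, here is an added example (my own illustration, not code from the CAG site or from the original post) that measures three of the controls above against a baseline: control 1 by comparing devices seen on the network with an authorized hardware list, control 2 by comparing installed packages with a software allowlist, and control 11 by flagging accounts that have not logged in for a set period. The MAC addresses, hostnames, package names, login dates and the 90-day dormancy threshold are all constructed for the example; in practice the observed data would come from ARP or DHCP records, the hosts’ package managers, and the authentication logs.

```python
"""Automated measurement of three CAG controls against a constructed baseline.

Added example, not code from the CAG site or the original post. The baseline,
the observed data and the 90-day dormancy threshold are constructed for
illustration; a real deployment would feed these functions from a network
scanner, the hosts' package managers and the authentication logs.
"""
from datetime import date

# Control 1 baseline: authorized hardware keyed by MAC address (constructed).
AUTHORIZED_HARDWARE = {
    "00:1a:2b:3c:4d:01": "ws-finance-01",
    "00:1a:2b:3c:4d:02": "ws-finance-02",
    "00:1a:2b:3c:4d:10": "srv-files-01",
}

# Control 2 baseline: packages allowed on any managed host (constructed).
AUTHORIZED_SOFTWARE = {"openssh-server", "postgresql", "nginx", "sudo"}

# Control 11 threshold: an account unused this many days is dormant (assumption).
DORMANT_DAYS = 90


def measure_hardware(observed):
    """Control 1. `observed` maps MAC -> hostname as seen on the wire
    (for example from ARP tables or DHCP leases). Reports devices seen but
    not authorized, and authorized devices not seen at all; the second set
    matters too, because an asset that has gone missing may be a stolen one."""
    unauthorized = {mac: host for mac, host in observed.items()
                    if mac not in AUTHORIZED_HARDWARE}
    missing = {mac: host for mac, host in AUTHORIZED_HARDWARE.items()
               if mac not in observed}
    return {"unauthorized": unauthorized, "missing": missing}


def measure_software(installed):
    """Control 2. `installed` maps hostname -> set of package names reported
    by that host's package manager. Returns only hosts carrying packages that
    are not on the allowlist, with the offending packages sorted for stable output."""
    findings = {}
    for host, packages in installed.items():
        extra = packages - AUTHORIZED_SOFTWARE
        if extra:
            findings[host] = sorted(extra)
    return findings


def measure_dormant_accounts(accounts, today):
    """Control 11. `accounts` maps username -> date of last successful login,
    or None for an account that has never logged in. Never-used accounts are
    flagged as well, since they are a common foothold for an attacker."""
    dormant = [user for user, last_login in accounts.items()
               if last_login is None or (today - last_login).days >= DORMANT_DAYS]
    return sorted(dormant)


def run_measurements():
    """Run all three measurements over constructed observations and return one
    report; every entry is empty when the corresponding control is satisfied."""
    observed_hardware = {                      # constructed scan result
        "00:1a:2b:3c:4d:01": "ws-finance-01",
        "00:1a:2b:3c:4d:10": "srv-files-01",
        "00:1a:2b:3c:4d:99": "unknown-laptop",  # not in the baseline
    }
    installed_software = {                     # constructed package listings
        "ws-finance-01": {"openssh-server", "sudo"},
        "srv-files-01": {"openssh-server", "nginx", "sudo", "netcat"},
    }
    last_logins = {                            # constructed login summary
        "alice": date(2009, 2, 20),
        "bob": date(2008, 10, 1),
        "carol": date(2009, 1, 5),
        "svc-backup": None,
    }
    return {
        "hardware": measure_hardware(observed_hardware),
        "software": measure_software(installed_software),
        "dormant_accounts": measure_dormant_accounts(last_logins, date(2009, 2, 24)),
    }


if __name__ == "__main__":
    for control, findings in run_measurements().items():
        print(f"{control}: {findings}")
```

Each function returns structured findings rather than a pass/fail flag so the results can be counted over time, which is what turns a control into a metric: the number of unauthorized devices, unapproved packages and dormant accounts per measurement run is the trend line to watch, and a run that returns empty findings for a control is the evidence that the control holds.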

What should CTOs think about this guidance?  As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise. 

The deeply respected community leader Alan Paller said it this way:

“This is the best example of risk-based security I have ever seen,” said Alan Paller, director of research at the SANS Institute.  “The team that was brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”

Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.


A Blog I Like: Haft of the Spear

February 11, 2009

Michael Tanji brings a perspective forged in years of intelligence work and a successful stint protecting information in the financial sector.  He is a well-published author who focuses on national security issues and is also a thought leader in the computer security domain.

At Haft of the Spear he writes primarily about technology related/enabled national security issues, which includes a heavy dose of information warfare. 

Read HOTS at: http://haftofthespear.com/

Next week I write about Nicholas Carr and his Rough Type blog.


Intelligence Community Executive Forum and Carahsoft

February 6, 2009

Carahsoft is a fantastic company in Reston, VA run by the hardest working, most modest, ethical business leader I have ever met.   His behind-the-scenes style means he would probably not want me to mention much more about him, but if I have your curiosity up about them you can read more here (read the one about their winning the Smart CEO magazine Future 50 in Jan 2009, or the Fairfax County Economic Development Authority award for 2009, or other award after award after award).

One thing I like about Carahsoft is their desire to help government customers think through hard problems and their desire to help their extended teammates and partners learn about customer hard problems so enterprise solutions can be developed.  One of the many ways Carahsoft does that is by hosting venues like the Intelligence Community Executive Forum (ICEF).  This periodic venue brings together executives and thought leaders from government and industry to listen to lessons learned, hard problems and successes in creating CONOPs to address mission needs.

I’ll be helping Carahsoft with the next ICEF on 17 Feb 2009.   This one will focus on collaborative enterprise solutions like those provided by Adobe.   Panels will be held on topics like real-time collaboration, secure information sharing and Integration/web2.0.

Please check out the agenda and register if you can make it.   More info is here: http://www.intelligencecommunityexecutiveforum.com/


A Blog I Like: Devost.net

February 4, 2009

Matt Devost has been a thought leader in information technology, cyber warfare, counter terrorism and security training for over a decade.  He has built successful companies, taught warriors security, helped protect industry and taught (and still teaches) information warfare at Georgetown University.

Through history great thoughts have come from leaders who work at the intersection of multiple domains of practice, and Matt continues to demonstrate his thought leadership at his blog.  As proof let me mention his winning of NDU’s Sun Tzu information warfare essay contest in 1996. The article he co-authored titled “Information Terrorism: Can You Trust Your Toaster?” remains a classic thought piece that should be read by every IT professional and military strategist today.

Read that article and Matt’s more recent thoughts at: http://blog.devost.net/

Next week I write about Mike Tanji and Haft of the Spear.


Vivek Kundra: The Alpha CTO

February 3, 2009

Every CTO I know has heard of Vivek Kundra, CTO of the District of Columbia.  We have all been following his accomplishments in transforming the technology program in DC and have watched in excitement as more and more capabilities have been rolled out to serve the city and its citizens. We have followed reports of bold moves he put in place to ensure technology programs deliver.  We have read about his new approaches to technology portfolio management and watched as he discussed the leap ahead he delivered to his enterprise by his audacious, courageous use of Google Apps and other cloud-based solutions.

If you are not one of those familiar with Vivek, here is a short bio: Vivek Kundra is the CTO for the District of Columbia, where he leads an organization of over 600 staff that provides technology services and leadership for 86 agencies, 38,000 employees, residents, businesses, and 14 million annual visitors. He brings to the role of CTO a diverse record that combines technology and public policy experience in government, private industry, and academia. Previously, Vivek served as Assistant Secretary of Commerce and Technology for the Commonwealth of Virginia, the first dual cabinet role in the state’s history.  In the private sector, Vivek led technology companies serving national and international customers. Earlier he served as Director of Infrastructure Technology for Arlington, Virginia. He also taught classes on emerging and disruptive technologies at the University of Maryland. Since Vivek became District CTO, he has been honored with major IT awards. In 2008, the MIT Sloan CIO Symposium recognized him among outstanding IT innovators. In addition, InfoWorld Magazine named Vivek among its “CTO 25”.

I recently saw Vivek at a meeting of the Washington Area CTO Roundtable, an informal collective of area CTOs led by Yuvi Kochar, CTO of the Washington Post Company. Before the meeting we chatted about mashup technologies (including his Apps for Democracy contest and also JackBe).  During the meeting Vivek discussed several aspects of his innovative efforts to transform the District’s information technology infrastructure.   A point that struck me was his leadership through principles.  Three key ones he articulated were: 1) Leveraging commercial technology, 2) Driving transparency, and 3) Rethinking notions of IT governance.

Vivek and I just finished a phone call where we discussed these and other items in more detail.  Here is a bit more on his approach.

1) Leveraging commercial technology: Commercial radios and cell phones allowed a rapid enhancement of the tactical communications infrastructure of the DC workforce, including the police workforce.  Police squad cars are also now equipped with commercial, but toughened, laptops.  Commercial web technology has been leveraged in ways that leap ahead of old, clunky office automation and also enable rapid development and mashups.

2) Driving transparency and engaging citizens:  Technology impediments to information access and information sharing were eliminated in ways that enable citizens to see how government decisions are being made.  Data was also exposed in ways that enabled mashups and agile programming/development.  Examples include DC’s digital public square and Apps for Democracy efforts.

3) Rethinking notions of IT governance: Totally new, innovative ways to manage IT portfolios were created and used to ensure all stakeholders could evaluate the technology program and better make informed decisions on when to terminate programs and where to invest more money.  Chief among these innovations was an approach to portfolio management that replicates a stock market trading floor.  More important, however, is the relentless focus on performance and innovation to support performance.  Besides rethinking these notions of governance, Vivek also took measures to smartly watch/reduce/reprioritize IT costs.

I asked Vivek for thoughts that might be relevant to technologists who have set their sights on careers where they can deliver results.  Many of us would like to follow in his footsteps.  I wondered, is there a particular computer programming language we should all be learning now?  Should we be diving into Python?  That’s hot now.  And what about databases? MySQL and Hadoop are all the rage.  The thoughts I got back from Vivek were incredibly insightful and far more relevant than the simplistic question I asked.

V:  Technology is important, and we do need to know technology.  But in these very exciting times where Moore’s law pushes us all forward it is actually more important to be able to quickly learn new technology rather than focus on one and only one.  This is the beauty of the new world of technology. There is always something to learn.  We should also always remember that the reason to learn is the mission.  To an enterprise CTO, technology by itself is worthless.  Technology only has value if it addresses business problems and drives business success.  Therefore technologists must have an ability to translate between the worlds of mission needs and technology and need an ability to rapidly learn and deeply understand both.

I asked Vivek for his intention for sharing his models and methods, since they have clearly delivered success in DC.  He is doing quite a bit there, so all of us who would like more info have plenty of ways to learn more:

V: The DC CTO site at http://octo.dc.gov provides links to many of the ongoing activities of the office and for those who would like more on the models that produce the results we link to policies, guidelines and procedures.  We also provide information on how our governance process works.   But additionally we host visits to our office by interested parties and have begun blogging about them.  In another effort we hope will help move the models forward we are pressing ahead with plans to turn our stock market approach to portfolio management into an open model and will open source the code that makes it work, which should help drive more innovation there.

Speaking of innovation, Vivek seems to have found a way to accelerate innovation, which is something all CTOs are interested in doing.  I asked him for his thoughts on where to look for innovation.  Another interesting reply:

V:  You can look for innovation many places, but remembering that necessity is the mother of invention you should keep an eye open for places that innovate because they really need to.  I always keep an eye on the developing world and am so incredibly amazed at the tech innovation there.  Enterprise IT does not mean that every program and project must be delivered with huge budgets and huge staffs, and the incredible innovations coming out of the developing world prove that time and time again.  I’m excited and enthused about developments like cell phone voting in Estonia, electronic census that works in Chile, fishing villages around the world using instant direct data to plan movement.  Innovation occurs many places, but some of the greatest lessons for innovation are coming from the developing world.

I asked Vivek about how to find balance between setting standards and enabling innovation:

V:  Standards are important, but if a standard gets in the way of innovation kill it.   Use standards that enable innovation.  This is the role of the CTO.

Vivek also offered thoughts on social networks.

V:  In seeking ways to make your cycles of innovation move faster, never underestimate the power of social networking tools and the networks you can build with them.  Facebook is the example most talked about but there are many others including networks built around ecommerce like eBay and Amazon.  I believe we should not only embrace them to enable the power of social networking but to help us leverage, in a large way, the IT infrastructure of these platforms.   The new generations today are making maximum use of these platforms and I view this as a very optimistic point.

As for me, I view the results of Vivek Kundra and his models as optimistic points.  The great thing about being a CTO is the learning never stops in this field, and Vivek is a great teacher we should all be learning from.

For more on Vivek and the way he views technology, including some of his inputs to the Obama administration, see: http://www.ctovision.com/2009/01/federal-government-technology-directions-and-the-fed-cto.html


We Have A Cyber Czar, and He Has Spoken

January 30, 2009

A debate has been running for months both among government thought leaders and the technical literati on whether or not the US should appoint a “Cyber Czar” who can exert authority over IT security in the federal space or perhaps even aspects of the nation’s IT defenses.  This is a complex discussion that has had some of the greatest thinkers in and out of government involved.   A great snapshot of the issues and the opinions of many well reasoned experts is expressed in the CSIS report “Securing Cyberspace for the 44th Presidency”, and other thoughts are here: The Future of Cyber Security and here: Threats In the Age of Obama.

Unfortunately for those who would like to still debate and discuss this issue, there is already a Cyber Czar who can accomplish most all his objectives in our networks.  His name is Russian Prime Minister Vladimir Putin.  This former KGB operative now controls Russia with an iron fist and has shown others again and again he will exert influence anywhere he needs to in order to accomplish his objectives.  He will use tanks when required and cyber when desired and combinations when it suits him.  There are indications his agents are also in our networks now.  If our objectives are to keep players like him out, we cannot say we are accomplishing them.  If his objectives are to get in, then we can say he is accomplishing them.  Till this situation changes, we then need to confront this new reality:  Vladimir Putin is the Cyber Czar.

We have our own great technologists and wizards of cyber, of course.  And we have great hero entrepreneurs of technology who have built the cyber world we all use today.  One of those greats is Michael Dell, creator of an idea and corporation that develops, manufactures, sells and distributes personal computers we all depend on.

But he is someone who will now think twice before thinking he can interact as a peer to Cyber Czar Putin.  After listening to Putin’s speech at the World Economic Forum in Davos, Michael Dell praised Russia’s technical and scientific prowess and asked a nice, friendly question:  “How can we help?”  As a former govie CTO I would get asked that type of question all the time from industry and really appreciated it whenever a senior thought leader would ask that.  But not Czar Putin.  He did not appreciate that at all.   Putin was offended by the assertion that the mighty Russia might need help in anything cyber.  The exchange is captured here on YouTube:

Fortune described the exchange this way:

“Putin’s withering reply to Dell: “We don’t need help. We are not invalids. We don’t have limited mental capacity.” The slapdown took many of the people in the audience by surprise. Putin then went on to outline some of the steps the Russian government has taken to wire up the country, including remote villages in Siberia. And, in a final dig at Dell, he talked about how Russian scientists were rightly respected not for their hardware, but for their software. The implication: Any old fool can build a PC outfit.”

Clearly cyber domination is personal with Putin.  He is the Cyber Czar. 

I think I should end with a plea to all who care about cyber freedom and all who know the potential positive contributions of IT:  Please don’t be pleased with this current situation.  Please don’t just think the title of Cyber Czar I’ve now used to describe Putin is something we should be proud of.  It is not.  We should continue to act till we are able to assert that we are masters of our own networks.  Our nation’s intellectual property, including the intellectual property of all our companies and citizens, is too important to let it be given away without at least a cyber fight.

