Hold on tight. That would fit well as a motto for Robert Carey’s approach to managing IT in the government. But he would be sure to add “with the appropriate control.”
Hold on tight. That would fit well as a motto for Robert Carey’s approach to managing IT in the government. But he would be sure to add “with the appropriate control.”
Now into his fourth year overseeing IT for the Department of the Navy, Carey finds his job as thrilling and challenging as the day he joined the CIO staff almost a decade ago. “It is a contact sport — IT and being a CIO,” he says. There are constant trade-offs that must be made to find the right balance with the resources available, Carey notes, but the endgame remains constant: Push the innovation envelope to meet the needs of warfighters and Navy personnel.
Carey chatted with FedTech managing editor Vanessa Jo Roberts about his IT vision for the Navy, immediate challenges and technologies on the horizon that will change the federal technology landscape.
FEDTECH: The Navy is preparing to migrate from its Navy Marine Corps Intranet to the Next-Generation Enterprise Network late next year. How do you think that’s going to improve IT for the warfighter and for other Navy users? What are the chief technology components you see playing into that?
CAREY: As I have said all along, the progression of network capability doesn’t take a spike on Oct. 1, 2010. We must maintain the path we are on of continuous growth of network capability. We must work on reducing our footprint, reducing legacy applications, becoming more green (reducing servers and importing energy-compliant devices into the network), improving decision-making and accountability for things that help operate and run the network.
The beneficiary of these activities is the warfighter and the users of the network, who should gain improved access to the information they need to do their jobs.
When we say improved IT to the warfighter, what we really mean is we are affording him or her access to information when he or she needs it to support some decision that must be made. We are continuing on that path.
Ideally, users should be able to plug their Common Access Cards into any Department of the Navy device and access their data and be able to search for the data they need at any time. That’s the Naval Networking Environment vision for 2016.
FEDTECH: And how do you see that happening in tandem with broader Defense Department efforts to improve data access across the services, not just within the Navy?
CAREY: I think it’s complementary to that. As a matter of fact — I won’t speak for Gen. James Cartwright — but I believe that the vice chairman of the Joint Chiefs of Staff is trying to achieve what we think of as the DON vision for DOD. The identity management and the directory services solutions that we come up with must interoperate with those being developed at the DOD level.
This universal user concept is the same concept that we are employing here in the Department of the Navy: I plug in my CAC, I authenticate to the network, and then I can do the things I need to do — and I can do them securely. With the universal user concept, the network is the greater DOD Global Information Grid.
FEDTECH: What do you think is the biggest technical hurdle to achieving this vision?
CAREY: I think the leap is not particularly a technical challenge. There are some technical challenges — don’t get me wrong — but I think it’s more culture and control than it is technical.
Because of the size of both DOD and the DON, there are some technical hurdles for scaling that have to be overcome with certain technologies. But for the most part, it’s about coming to an agreement on what the standards will be and then implementing them and making sure that they will work in a multimillion-user environment.
In my case, the Department of the Navy is 800,000 or 900,000 folks, so it is very different than even a large company of, say, 100,000 folks.
FEDTECH: Addressing the scalability and the throughput factors then are the chief technical hurdles?
CAREY: The technical hurdles are different, and they are larger. And remember, we are global, and we move. That’s generally not a problem that most companies have to deal with. Then, when you go afloat in the Navy, the problems are confounded by bandwidth constraints. We cannot go aboard a ship and upgrade the network every year or two. In a company, you do a tech refresh every two or three years — maybe four. Ship tour cycles and port availabilities are beyond that, so it’s a complicating factor.
Similarly, the tactical networks create unique issues. Marines in Afghanistan and Iraq are in a situation where they need the network to be agile and available, and to support their information needs, so we are constantly looking for ways to make that happen better.
FEDTECH: Looking further out, what are some emerging technologies for the service? Do you see some coming down the road to help address some of the issues you raise?
CAREY: I see a couple of broad concepts that you hear a lot about. We talk about Web 2.0. We talk about user-generated content. We talk about the ability of our workforce to engage the Net to move information around and support decision-making.
We are just scratching at the edge of what Web 2.0 affords us today, but I expect it to really become an accelerator of how we move and share information. As to cloud computing, I think it is a real-life opportunity for us to reduce our footprint, get green and homogenize our architectures, if you will, and again provide nodes on the network where people can engage and find the information that they need. Are we doing it today? No.
In DOD, we are working very hard at creating, in essence, that dot-mil cloud. How do I put my information in the cloud? What information goes in the cloud? What has to change with my applications to use the cloud? Certainly, new applications and technology can be designed to operate within a cloud environment, but there are some legacy programs that we still use and have to maintain that might not be conducive to operating in the cloud. But I do think cloud computing presents a great opportunity to us.
Last, I will leave you with this: IPv6. We’ve heard a lot about it over the last 10 years, but so far there’s not been a lot of activity. There are opportunities and challenges with IPv6. But there will come a point in time when, no kidding, you’ve got to move to it.
With any emerging technology, there is a time to invest and there is a time to let it evolve at its own rate. I think the time to ramp up the investment is not too far in the future so that we can take advantage of its capability for managing everything on the network.
FEDTECH: What sort of devices do you think will gain a foothold?
CAREY: It’s not a device per se, but I think green IT will gain a foothold. Part of the concept of green IT involves mobile workers and telework. We are trying to decouple the workers from their desks. As we do so, I see things like 3G and 4G phones enabling that.
We’ve had BlackBerrys for a while, and we have had smartphones in the marketplace for a while. They have moved from toy status to tool status over the last few years.
Well, those leaps in technology that allow you to engage the Internet or the web securely from that handheld device really do enable you to be more productive and do more while not tethered to a desk. In addition, as we spread the network out and support things like continuity of operations and pandemic planning, we realize that we don’t all need to be in the same place to get our jobs done.
The proliferation of notebooks and other devices forced us to look at the way we do business differently. We can engage web-enabled applications if we put our information inside the dot-mil environment on the network, and not on thumb drives or hard drives. If I am merely engaging the network to search, discover, analyze, make decisions and act on information in the network, I am not transporting it around on e-mail.
The bottom line is that, while we operate in a highly secure environment, the rapidly changing pace of technology affords us the opportunity to constantly improve security while advancing mobility. I can access the network and encrypt my e-mail from my smartphone. This is a prime example of how we’ve secured information and allowed workers to untether themselves from their desks. These things are all expanding and evolving at a rapid pace, and I think we’re going to see some big changes over the next couple of years.
The 3G phones will allow a lot of activity that we are just starting to scratch at, such as downloading applications and tools that help you do your job. Imagine if we were able to ensure that these apps were secure and take advantage of them in the dot-gov or dot-mil domain — suddenly, we are affording the flexibilities the general public has, as a part of the way we do our work in dot-mil.
FEDTECH: Plus, much more quickly — for deployments and things like that.
CAREY: The good thing is that technology is affording us choices. That’s what you want.
If you have got only one choice, then the path is pretty clear. If you have two or three choices, then you have trade-off studies so you can decide what’s the right way to proceed and be certain which of your choices is the best candidate.
For instance, I think information behind secure portals is a candidate. There are several things that can fulfill that mission and provide universal access.
FEDTECH: This goes with all the things we have been talking about — the network issues, different types of devices, cloud, Web 2.0. Everyone seems to be moving to an everything-over-IP mentality. What does that mean for the security dynamic for large organizations like the Navy?
CAREY: IP-based computing and IP-based communications are where we are headed, and I see it as the digital tsunami. You have to take advantage of it, grab your surfboard and get on top of it. If you don’t, it’s going to be overwhelming. How do you do that?
We need to be mindful of identity management solutions and managing security at the data level, because if it’s encrypted and you are confident of that encryption, then once the data is in the cloud, it doesn’t matter.
That being said, we need to be sure that our security solutions afford us the right level of control and assurance of that information. That’s why we are investing in things like host-based security systems and demilitarized zones — you name it.
Our goal is that we understand and identify what we would say is anomalous behavior, so we can automatically take network actions to quarantine it and shut it down. Another goal is to keep the information on the right side of the firewall and afford access only to designated users. We don’t want that information streaming out through a port that it isn’t supposed to be. That’s not happening today. It’s a difficult problem, a very complex problem.
Over the last 20 years, the legacy systems have grown to meet mission needs in a somewhat uncoordinated manner. That’s why every agency has tons of legacy applications out there — they have lots of computing infrastructure. Even today, as we move toward user-generated content and the Internet moves toward a complete self-service model, people can just post stuff to a website. You have to harness that — you can’t try to shut that down.
FEDTECH: People have differing views of cloud computing. Could you go back for a second and explain what your definition is?
CAREY: Sure. I view it as — and I am going to use a nontraditional “Rob Carey” definition — a set of computing resources made available to an organization to leverage broadly for various users and/or applications. What the General Services Administration is working on for a “public cloud” (which is really a huge private cloud) will give us the opportunity to share resources to do things like software as a service and infrastructure as a service. That really gets at the efficiency levels that are the next step in computing.
My definition of cloud computing is very broad right now because I have a legacy environment and I want to move it into the future. So how I define cloud is very loose because I want to make sure it’s going to get me to the universal-access, ubiquitous-user concept.
FEDTECH: Do you think that the nature of the government’s work and the extensive legacy data require a different set of criteria or steps to get there?
CAREY: I think it makes it more deliberate, and when I say that, I don’t mean longer. There are many more steps that we might go through than a private entity might go through to leverage this.
Similarly, certainly DON information and DOD information is generally not suitable for public consumption and transfer across the Internet. It drives you down a more deliberate path toward cloud computing.
FEDTECH: How do you approach these deliberations?
CAREY: I am a pragmatist — I love looking into the future and then connecting where I am today to that future state and then moving up a particular trajectory to get there. But I am also the first one to say, “Show me that this makes sense.” Why? Because I have to convince people who are not IT experts why I want to do something, why they should give me investment money, what the return on investment will be in what amount of time. I can’t just do cloud — or anything — just to do it. I have to justify it because our resources come from taxpayers.
FEDTECH: You have spoken about the idea of using Web 2.0 tools inside private domains. How is that evolving, and where do you see that going for the services?
CAREY: We at the DOD level have met with Facebook and YouTube and we are going to continue to engage with social-networking companies. We must look at where it is appropriate for our information to go. Does it stay within the Nonsecure IP Router Network (NIPRnet), or is it appropriate that it goes out across that boundary to the Internet? There are very discrete business areas for which Web 2.0 is extremely appropriate — for strategic messaging and public affairs, for interfaces with recruiters and things like that.
FEDTECH: Isn’t the Pentagon already doing some of that?
CAREY: Yes. Every service — I think I can speak for the Army, Navy, Air Force and Marines — is using social networking for those particular business areas.
But there are things popping up inside of legacy networks. The benefits of social networking — the building of trust, the building of community, the solving of problems with many, many minds attached to the problem compared with two or three or four who are directly responsible for it — that’s popping up, too. I am trying to create a strategy that shows that there is a great benefit to the department in enabling collaboration and information exchange in support of any problem, not just public affairs, strategic messaging, and recruiting.
There is a move afoot to create this capability inside the dot-milframework. I am the biggest cheerleader and champion of social networking, trust-enabling and collaboration-enabling tools inside dot-navy-mil or dot-dod-mil.
FEDTECH: Is this more an issue of identity management and policy settings?
CAREY: Not really. I see identity management as a key to accessing data. How that intersects with social networking tools is something that we will have to sort through.
The engineering isn’t particularly challenging — it’s the integration of the legacy toolset that we have and the future toolset that we want to have. For instance, we are building a website that is an extension of the DON CIO website, but it will allow instantaneous feedback from a user inside the dot-mil domain. For example, if you read my blog on our public website and want to make a comment, it goes to a moderator, and then it is posted. We are creating one that is accessible via a Common Access Card and PKI credentials, so that we can have an unmoderated dialogue about IT in the DON and what the DON CIO is doing, and then be able to harness many minds in the department to shape what we are doing in support of them.
There is some identity management to this, but it is more about needing to get the tools in place. I think we will find that there is a stickiness factor to this type of tool. Eventually, we will come to view this as the way we do business.
If you remember before e-mail was around, we did a lot of phone calls and we did a lot of writing notes. Could you imagine a world without e-mail now? The answer is not really. It would be extremely inefficient.
Now, we have this integrated information environment that is sitting in front of us. You can search for people who have certain skills, you can ask questions of the community in a forum, you can get answers out there.
This will hierarchically challenge the way we do business today, which is the source of some of the resistance. Because if I post a problem on a forum that everyone in the Department of Navy has access to, I might get a hundred people telling me what the answer is.
FEDTECH: And then you have to sift through all of that information ...
CAREY: But that’s actually OK because I am sure the answer will be there. People might have spent two or three hours to give me the answer, and it probably wasn’t on their work list for the day. But they are contributing to the greater good of the department and the answer may have come faster, and may have been better, than if it had come through another route.
FEDTECH: You will be pushing innovation forward.
CAREY: That’s right. It really will open up the way we do business.
FEDTECH: When it comes to security, what about tiered levels of access based on risk and the value of the data should it get out?
CAREY: Risk management is the buzzword of the day. Each data set, each engagement, has to be understood. What’s the risk associated with the particular information? What is the security paradigm that must accompany each transaction? Some things we do are completely unclassified and are not even marked “for official use only.” It’s fine if that data is exposed in the public. Other data is for official use only — that’s not suitable for public consumption.
As we go into secret-level information and higher networks, the amount of money or resources we will expend in protecting that information, because of the risk associated with its loss, is very high. It isn’t avoiding risk or making the risk zero — it is risk management.
FEDTECH: Is there some point at which automation can help you with that?
CAREY: Oh, yes. In the Internet age, you can’t rely on having a person in the loop. You have to have machine-to-machine anomalous detection and then let the machine alert you to take action or at least alert the users and network operators when something’s going on. We have got to be able to shut firewalls down and close the gates.
FEDTECH: So your network operations centers and network monitoring tools become the hub of that activity?
CAREY: That’s correct. But there are issues. Can you do this when you have hundreds of networks? Can you do this if you have a fairly homogeneous network architecture? Do you establish a large boundary layer because it is difficult to secure both depth and breadth? I think those are things we need to think about. The Navy Marine Corps Intranet has afforded a great deal of consistency in network monitoring across the department.
FEDTECH: Do you think the Federal Desktop Core Configuration is helping with that?
CAREY: FDCC is a tremendous concept. Practically speaking, for implementing FDCC, we’ve really got to take the goal and run hard toward it by reducing configurations. Because up until the FDCC concept hit the street, the legacy operating system environment in the government was as broad as a day is long.
FEDTECH: Whatever you wanted to do, you could.
CAREY: Or, whatever your system and your resources afforded you.
For example, our ships: Every five years a ship comes in to the pier and we physically go upgrade the backbone of the ship — if we can. Well, if that doesn’t happen in one cycle, the next cycle isn’t a year away; it’s probably another five years away. So, did we get to upgrade the operating system on certain networks on the ship? The answer would be maybe, maybe not.
And, we might have had to change an application or two if we did change the operating system because some of our legacy apps are not compatible with later versions of the same software. So it gets complicated. I think FDCC is a great opportunity for us to really press hard and achieve the outcomes that it was intended to achieve.
FEDTECH: It’s very tied to the ability to do network monitoring and to spot anomalies, right?
CAREY: When you want to push information assurance vulnerability patches, if you have one operating system, you merely hit a Send button. If you have seven or eight operating systems, and each of those has a variation, suddenly you can see how complicated and how time consuming it gets. And unfortunately, time is the enemy in the IT world — you can’t patch something weeks and months later because during that time lapse you are vulnerable.
FEDTECH: The Navy has been working on consolidation and virtualization for quite some time, which obviously help achieve green IT objectives. Do you have any best practices?
CAREY: I don’t know that I have what I would call a best practice. We seized the opportunity to move into the green domain and then the message on green IT from the administration came out. Now it gives us credibility and the ability to accelerate something we were already doing, to apply resources to it.
I think it is really about gaining centralized management control of network resources. If you have a decentralized environment, you will find that things will just crop up everywhere because they can. People will be doing the things they think they need to do to accomplish their mission, but they won’t necessarily have an enterprise perspective.
But if you apply an enterprise perspective and you decide to manage this at the highest level — or at the highest appropriate level — you might start asking yourself some questions. You might suddenly think, if I had, for example, 15 data centers do I need all 15? What’s the power they are consuming? What’s the load on the servers? The answer you quickly come up with is, probably not. Then, you look at how many servers you have. What’s the right footprint? Do we need to keep all those buildings that house servers at 68 degrees?
All this thinking about your network environment is at the enterprise level, and then you quickly get into talking about, in essence, your own cloud. But you can’t jump into the cloud without actually understanding, in the macro, the applications and the data that you use to get your job done.
FEDTECH: How do you feel that technology tools and products are keeping up with that sort of vision?
CAREY: The tools are appropriately out in front. Companies come visit us often with their ideas and their concepts and generally it all works. Where the gap is — and where the work is — is in understanding legacy right now and how to bolt it on to that future opportunity. Because you can’t just decide you are going to be in the future state. You have to connect the dots from the present legacy environment to the future and then build that path. Sometimes that path is short, and other times the path is complicated.
FEDTECH: Maybe not long, but zigzagging.
CAREY: It can get complicated. It is a contact sport — IT and being a CIO. And it does require that you always look for more resources than you have to get your job done. You are always making trade-off studies: What am I not going to do today because I can’t afford it, even though it has ROI? We are raising the bar of information management in support of the warfighters, and we think we are doing pretty good at it today and look forward to the challenges in the future.
[To learn more about Department of the Navy CIO programs, go to www.doncio.navy.mil.]