Think big but think collectively. That’s the perspective that Maj. Gen. Steven Smith has adopted. Data, users, IT assurance — if you don’t think broadly, you can’t keep out in front of the challenge, says Smith, director of the Cyber Directorate in the Army’s CIO/G-6 Office.
To that end, he and his team emphasize understanding data, users and systems at specific moments in time, but — and it’s an important “but” — in the context of where a piece of information, a user or a system fits into an office, camp, station, base, the service, the military, the government and beyond.
In a world where all information becomes digital and depends on cyber, IT security becomes an issue for every citizen, Smith says. FedTech managing editor Vanessa Jo Roberts talked with Smith about the growing interdependence of systems globally, how the Army is tackling that challenge, and the changes in people and technology that are shaping that effort.
FedTech: How does your organization embrace cybersecurity? Obviously it’s not just a huge issue for the Army, it’s a huge issue for all of the federal government.
Smith: I would also say it’s a national issue. This is a national threat, not just a threat to dot-gov and dot-mil. We need to mobilize the nation similar to what we did in Y2K, for year 2000, because of identity theft plus the threat to national security — to infrastructure and other vulnerable aspects of U.S. life that our adversaries are trying to take advantage of. If we mobilize this nation like the world was mobilized for Y2K, I think we will be better able to combat the threats.
FedTech: What is the effect of today’s greater interconnection and interdependence of systems?
Smith: We and the Defense Department interface with industry, with academia, and we’re only as secure as our weakest connection. Some of the things that keep me up at night are about how we secure those connections. This is not just for the dot-mil and dot-gov domains. And then the other thing is understanding vulnerability management: how well we are taking care of our current vulnerabilities. And then, as in any business like this, you wonder about what you don’t know. If I am taking care of the things that we know and I am trying to secure the links that we have outside of the Army or outside of DOD, I don’t know what I don’t know.
FedTech: How is the Army focusing on identifying and resolving vulnerabilities that you know are out there in the systems? And how are you focusing more attention on the unknowns?
Smith: Well, primarily this is a leadership issue and a problem that any large organization would have. Our senior leadership understands the importance of information assurance and data security. Getting your leaders in front of whatever the problem is, that’s 80 percent of the challenge.
What we are working on is how to manage the known vulnerabilities in an expeditious way without human intervention. We are fixing things in an automated fashion, by either continual or continuous monitoring of compliance. That way we can deem if we have a problem at a certain post, camp or station or even a certain system, and we can make it a priority to get that fixed.
FedTech: How are you dealing with the amount of information that continuous monitoring provides? How do you make the best use of it?
Smith: In this particular instance, continuous monitoring enables us to pick what is most important at a given time. We talked about vulnerability management.
For example, let’s use software patches from one of our vendors; we may deem that is the most mission-critical problem at this instance this day. Continuous monitoring or continual monitoring can give us the ability to see an incident or give us situational awareness of where we are in terms of what we just deemed as our most important vulnerability.
Therefore, we can pinpoint a system, post, camp or station — whichever is most appropriate — where we need to apply the most resources now. And you can assess by normal continuous monitoring: It can be training status; it can be throughput.
It’s just an enormous amount of data, but you can apply statistical data with a ranking so that local leaders and strategic leaders can determine where they need to put their resources.
FedTech: You can use it, as you said, for an immediate vulnerability or concern, but you also then have the ability to tap historical information. How is the Army going to make that available and push it down the line for individual users?
Smith: You put it in a dashboard. Data is only good if you use it. The historical uses can be for a first-line supervisor or the Army chief of staff to use statistical or historical data to look at trend analysis. Otherwise, you are looking at data points. When those data points are meshed together with historical information or with standards that you are trying to set (whether industry standards or local standard operating procedures), that data becomes very powerful to leaders. They know where they need to look for resources or where they need to reallocate resources.
FedTech: Help you spot a gap.
FedTech: You have mentioned standards. Is one of those the Federal Desktop Core Configuration in terms of monitoring endpoints on the network?
Smith: You are limited only by your imagination and a little bit of time and money. So absolutely it can be desktop configuration, it can be how old your passwords are or how long they are, what is your individual training certificate level, how old your server is, the programs that you are using, etc., etc., etc.
It can be a phenomenal tool, and we are currently in a pilot with our friends at the State Department on this. They have made some monumental efforts that they are sharing with others in the federal government. We are very excited about the potential.
FedTech: Do you think that this is really just the start of a new way to use this data?
Smith: I think so. I think it’s a more efficient way to use the data to give situational awareness in an enclave, globally and everything in between. Now, we are talking about what’s the best way, what’s the best format to present this data and how we can best share it not only in the Army but with all of dot-mil and dot-gov.
FedTech: And with other allies when you have joint forces and you need to share that data.
Smith: Absolutely for joint coalition deployments.
FedTech: There is evolution of the threats and also evolution of technology — virtualization and cloud computing, for example. When you are looking at your slice of the pie in the CIO’s office, how does that affect security and the efforts you are making?
Smith: Well, I think security people in general want to ignore new technology unless they can absolutely control the creativity out of it. But that’s not helping the organization.
As a security professional and under the guidance of the Army CIO, Lt. Gen. Jeffrey Sorenson, we are looking at ways of embracing new technology but doing it in a cautious and expeditious way.
I think cloud computing and virtualization, let’s just call it virtualization — the ability for a military user to access what he or she needs regardless of where they are and not necessarily be so tied to a strict hardware and software configuration — could be monumental. It’s not only about the way we make purchases in the future but about providing just-in-time data that the soldier or a civilian or contractor needs to accomplish the mission. That is very powerful.
FedTech: As the Army’s IT operations become based more in the continental United States, supporting expeditionary forces, how does that help or hinder you in dealing with security? How does it change what you have been doing?
Smith: It doesn’t. Lt. Gen. Sorenson has designed a global architecture with the understanding that we are a CONUS-based Army, expeditionary in nature — that for our future conflicts for this nation, commanders will have to plan while en route and potentially attack upon entry in the theater of operations.
That puts a lot of requirements on the network and on our ability to have standards not only in information security but just regular operating standards. It doesn’t hinder or help, it is just our current environment. With global standards, we enable our commanders to do their missions.
FedTech: You talked a little bit about everybody getting access to the information they need — the Army model is the right information at the right time at the right place.
Smith: For the right cost.
FedTech: And that really encompasses all the way out to the edge even to the soldier in the foxhole. How do you deal with best practices in addressing security awareness?
Smith: It’s a leader-driven process. Leaders in the military or even in industry are responsible for everything their group does or fails to do. Particularly in our senior leadership, in the Army, they understand this new domain called cyber and its requirements and its capabilities. They also recognize that they need to get out in front of these issues and create that top-to-bottom, inside-out mentality of understanding what’s required. At the senior level, every one of our senior leaders gets an enabling battle command course. It’s mandatory for all the general officers in the Army; it’s taught by the CIO of the Army — at that level.
FedTech: So they realize how crucial it is.
Smith: Yes, how crucial it is. And then we are working on more innovative ways that we can get training tailored to the user community out in the field — not on an annual basis but nearly on a daily basis. How can we re-emphasize critical points, critical vulnerabilities, as we see them? Spear-phishing, for example — how do we get that out to the community? Because you want to teach it differently to a 19-year-old than you would to a 49-year-old, just based on the generation.
FedTech: Are your users very different now than even five years ago?
Smith: Sure. It wasn’t that long ago that no one had tweeted or heard of Facebook or anything like that and the wireless technology that’s coming out and the power that you can hold in a PDA …
FedTech: Do your users expect certain things of their military and of the infrastructure that they didn’t expect previously?
Smith: I think that our users are much more aware of what’s available in the marketplace and how much better they believe that their function or section could be if they only had __________ and then you just fill in the blank.
One of Lt. Gen. Sorenson’s innovations is Apps for the Army. Of those 100 or so projects that were submitted, the users were from literally all walks of life — from the reserve component, active component, civilians and of various ages. It’s not just the young 19-year-old and on various platforms. These are folks that recognize a problem that they might see, and with their interest in technology, they were tapping into a resource to see if that would help us accomplish our mission.
FedTech: How do you vet these apps from a security perspective?
Smith: In any application development shop, any IT organization, you have a basic set of standards that handle that kind of protection.
Let’s use personally identifiable information as an example. You just don’t send that out in the clear. You know you want to make sure that that’s encrypted. Do you really need to be transmitting that? It’s data at rest, it’s data on the move, it’s data being used and how you make sure that that’s protected and encrypted? It’s much more efficient to do that as part of the development process versus a bolt-on at the backend.
In some cases, somebody might build an app and have no consideration for security. They just wanted to get the function and it’s not very cost competitive to do it that way.
In most IT organizations, we have peer review or a beta test environment so that we can evaluate something before it goes to production. We are pounding on that application to make sure that it meets up at least to the minimum standards so that we can protect the data.
FedTech: But the idea behind programs like Apps for the Army is to get tools to the user more quickly. How do you speed up the security vetting process?
Smith: For that particular program, the users were all connected to the Army, so there was a level of awareness about information security that really helps. They all use their Common Access Card, so they understand dual authentication, they understand the importance of personally identifiable information. And in general, we don’t like to give away our secrets, so that’s kind of the ethos that we started with.
Then we give them the ability to look at standards based on the platform that they are working on and then any technical assistance that they might need for any current vulnerabilities. That’s part of a three-pronged approach. If you do that during the process, it’s much more efficient and you can get an app to market or to be used on the network much, much faster.
FedTech: In a sense, commercialize it for the Army.
FedTech: It seems like there was a great deal of interest in doing more of this — beyond the initial Apps for the Army challenge. How will you monitor those apps going forward to make sure that you are using the right ones?
Smith: Any application or any function that’s on the network is monitored not only for the health of that system, so you have a baseline of how much capacity it’s using (that’s memory, power and such) and then you look for anomalies. You also look at the efficiency of the application; a soldier will tell you if it isn’t working to their satisfaction.
FedTech: You mentioned the CAC program and two-factor authentication. How far along is the Army in providing access control to a single servicewide network?
Smith: We are working in conjunction with the Defense Information Systems Agency and our sister services, particularly in looking at enterprise solutions and where those ought to be hosted. I think that’s the beginning step toward a single-service network at various levels.
FedTech: What kinds of biometrics are you looking at, what are most commonly used now and how do you see that evolving?
Smith: Biometrics has been used for a number of years for access to high-security areas — iris scans, fingerprints, etc. It’s certainly used in the theater of operations for adversary tracking. We are looking at what’s the next generation, what’s the next level of authentication so that we do not have to put a Q-tip swab in our mouth every time we log on. And one of the greatest things about this nation is its innovation; we are actively pursuing what’s the best of breeds in terms of cost and ease of use.
FedTech: What are some emerging technologies that you are watching closely that you think will have far-reaching impact short term and long term?
Smith: We mentioned virtualization and the idea that I could get my desktop image from just about anywhere I am. It’s certainly something that I am keeping an eye on. Down at the desktop level or the personal level, there’s currently technology on the market that seems to be of interest. It’s possible that there will be a time when soldiers, after they finish their advanced individual training, could be issued a wireless-type device for the rest of their career.
FedTech: A device that just stays with them?
Smith: Yes, and e-mail for life, regardless of where you are in the world.
FedTech: Your own little endpoint.
Smith: You might no longer have a Social Security number; you might just have an IP address.
Then there are some other interesting things: perhaps long-haul vendors providing clean pipes as they partner with some of the antivirus software security companies. That’s kind of interesting. There is a lot of interest in attribution and forensics, keeping an eye on things so that you can perhaps see who is tapping at the door.
FedTech: Is that important as you work on cyberwarfare?
Smith: Identity management and helping all Americans be aware of the cyberthreat. Whether you are part of dot-gov, dot-mil or dot-com, what you do in your server could affect the Army. Because if you are not doing your patches, information could actually look like it’s coming from ABC grocery just down the street, but it’s actually some foreign hacker somewhere.
FedTech: I have heard you discuss your concern about your users when they are at home, when they are using their own computers — that if they have some sort of identity problem, it can roll over and affect their work life too.
Smith: There are real opportunities for the home computer and the office computer to be linked from a vulnerability perspective. But there is also the effect that it could have on an employee or particularly a deployed soldier, losing their identity, having their bank accounts depleted. All that is linked to awareness, whether it’s at home or at work.
FedTech: Is there any one lesson learned or best practice that cannot be repeated often enough — that you keep sharing?
Smith: It always comes back to one thing: It’s people, process and technology. In my opinion, the area that’s most complex is the people part, so some of the best practices that I have seen involve how you provide awareness to Army leadership and the effect that has then on the rest of the user community.
We are constantly looking at how industry, academia, our sister services and our coalition partners train in this important area — and then collaboration in all of the areas.
The other thing that we try to promote is the need to increase math and science education in U.S. schools. We can no longer count on being able to import that knowledge base; it has to be done in America. There are a number of institutions that are increasing efforts to get kids interested in math and science. That’s our next generation. I can’t stress that enough.