Margie Graves, the acting federal CIO, knows a thing or two about IT modernization. She was formerly the deputy CIO of the Department of Homeland Security, and she has experience consolidating seven networks into one, 24 data centers into two, and moving systems into the cloud.
“I understand the challenges that are associated with it, and I also understand the opportunities that abound when you do it right,” Graves said Tuesday during a keynote appearance at FedScoop’s IT Modernization Summit in Washington, D.C.
Graves notes that now is a ripe time to pursue IT modernization across the government because of a confluence of several factors. Those include strong interest from Congress, changes to federal acquisition models that are more agile and match contracts to how agencies deliver services, and changes in technology that allow agencies to adopt new IT, like cloud services, more easily.
Cloud adoption allows agencies to achieve the scope and scale needed to migrate legacy systems to more modern platforms, Graves said. “We’re talking about billions of transactions at the border,” she said. “Tax season is upon us, [and] we’re talking about how we interact with the IRS. We’re talking about customer services that are available to the citizens. And mission delivery in areas where sometimes the citizen doesn’t even see it but they are actually protected by it.”
In terms of different types of cloud — Platform as a Service, Infrastructure as a Service and Software as a Service — Graves said that the government should be moving as many services as it can into the SaaS model. “If we can get out of certain businesses and really concentrate on the mission, we’re all going to be better off in the long term,” she said.
Successful migrations to cloud involve moving back-office functions to the cloud, especially SaaS, and getting “out of the data center business,” and “certain areas where we’ve historically delivered inside the walls of the federal government, and you push that out to the private sector capabilities, because those capabilities are of a stature now where we can actually adopt [them].” Such moves are not without risks, Graves acknowledged, but she said government is facing the same kind of challenges that consumer banks face. Those financial institutions are interacting with customers on a daily basis and are allowing customers to interact with their accounts via mobile devices. Banks must make those interactions seamless and fluid or risk losing customers’ business.
Agencies face similar challenges with their citizen-facing services, Graves said. They should be designed with users in mind, and government is moving toward more user-friendly design, she said.
The challenge for agencies is getting visibility into their entire IT ecosystem so that they can be convinced that the data they keep and manage, including citizens’ personally identifiable information, is protected. “It’s a very tough challenge,” Graves said. “It is one that we’re facing along with industry.”
The solution, Graves said, is “to get a bunch of smart engineers in the room” and architect new kinds of network security so that agencies have “true visibility” into data traffic. They need to be able to see, in real time, whether there is nefarious activity afoot, and then be in a position to block or stop such activity if malicious actors do get past perimeter defenses.
“The expectation is that you’ve got to do all of that while you’re still maintaining the ease of use,” she said, and not make it take longer for citizens to interact with government services online. The good news is that such technologies are available for agencies, she added.
The shift to security protections at the data layer is coming, and at some point in the future agencies are not going to have the opportunity to merely engage in perimeter cybersecurity defenses, Graves said. Getting visibility into entire IT systems and networks requires partnerships with internet service providers and contractual relationships so that agencies are not prevented from getting that full view.
Additionally, Graves said, agencies need to embrace a security model of fine-grained permissions that gives federal IT users access to exactly what they need to do their jobs but not to “certain other areas where it might just add more people to the equation and put more risk into the system.”
All of this — the shift to the cloud, reimagining business processes and technology — needs to be done in the service of making services more efficient, Graves said. “Automating a paper process is quite different than digitization,” she said.
Lyft and Uber “reimagined how you deliver transportation, as opposed to, ‘I think I’m going to do an upgraded taxi dispatch,’” Graves said. Government needs to embrace that model and make citizen-facing services customer-centric and easier to use, akin to the ride-hailing apps. “My expectation is that as more and more of those things happen out in the private sector that we’re going to adopt those within the federal government, too,” she said.