Government Modernization Plans Come with Cybersecurity Concerns
The path to federal IT modernization is beginning to smooth out, but agencies are still finding rocky spots in the process, especially when it comes to security, speed and user acceptance.
“Data center consolidation — people hold on to their servers with a vigor you cannot imagine,” said John Zangardi, chief information officer for the Department of Homeland Security. “It’s a big change culturally and technically.”
He spoke at the AFCEA 2018 Cybersecurity Technology Summit, where top government officials discussed the progress being made toward a more agile government IT infrastructure.
A few officials talked about their ongoing migration to Windows 10: “We got there,” exclaimed Army Maj. Gen. Garrett Yee, acting director of networks, services and strategy for the Army CIO/G-6. “We’ll all be baselined on the same operating system for the first time in a long time. One million computers upgraded — I’m not kidding.”
DHS is moving “very aggressively” to Windows 10, Zangardi said. Upgrading, however, comes with “a lot of cybersecurity considerations.”
Agencies Must Monitor Networks and Take Stock of Devices
For the Defense Department, that means taking inventory of its sprawling, multimission system to get details on what the department owns. “We don’t know what we have out there,” said Essye Miller, DOD acting CIO. “We’re taking a holistic look at risk — not only our network, but our control systems and our weapons systems.”
For example, a few weeks ago DOD disabled websites that were not public-facing and that had not been updated recently; those unwatched sites could provide entry points for hackers or other bad actors, she said. Even a system as basic as a new heating, ventilation and air conditioning unit could include a smart endpoint through which a hacker could enter.
In January, the DOD discovered that service members’ locations could be mapped through data sent by their smart watches and fitness devices to an app that tracks personal fitness information, an outcome that few had considered. “The risks have to be taken into consideration at the inception of a project,” Miller said.
Zangardi, who would like to see more of DHS on the cloud — of the agency’s 484 apps, only 23 are in the cloud — said that DHS is taking lessons from what other agencies have done as they modernized. DHS’ OneNet, which provides enterprise IT services to the agency, is one target.
“We’re looking at taking OneNet from something we own and we operate to something that will be managed as a service,” Zangardi said. “The best way to get modern is to put it out there in the marketplace and leverage the expertise of the community out there in industry. The core competency of the Department of Homeland Security will never be data centers.”
Some consolidation could mean that services leave the Washington, D.C., area, he said, but he wasn’t specific.
DHS is also looking to complete the first two phases of its Continuous Diagnostics and Mitigation program by September; by then, Zangardi said, the agency should know what devices, vulnerabilities and software are on its network, as well as who has network privileges.