October 5th, 2011

The following is a full transcript of FedCentral’s interview with Lt. General Harry Raduege Jr. USAF (Ret), Chairman, The Deloitte Center for Cyber Innovation, Deloitte Services LP and Karen Evans, Partner, KE&T Partners, LLC, conducted by Jane Norris on Oct. 5th, 2011.

Jane Norris
Welcome to FedCentral brought to you by Deloitte, a program where executives and federal government leaders talk about issues and initiatives that are making a real impact on the business of government today, to help government help America. Today we’re talking about the coming of age of cyber. It is cyber security month in October, after all. It’s no longer for just Halloween anymore. Cyber is no longer the responsibility of just the chief information officers and the chief information security officers. It has become a real coming-of-age story as cyber has moved out of the IT shop over the last few years. New threats in technologies like cloud and social computing and mobility are compelling federal agencies to manage their risks and to do business in fundamentally different ways, whatever their mission.

New OMB directives are challenging leaders across agency functions to accelerate their adoption of a more mature cyber discipline, to not only detect and deter threats but achieve higher levels of efficiency, performance, and innovation. How far have we come and what are our biggest challenges and opportunities ahead as cyber security comes of age? Joining us to discuss this are two former government executives who have played pivotal roles in this issue over the last ten years.

Karen Evans is currently a partner at KE&T Partners, and she’s a member of the Center for Strategic and International Studies Cyber Security Commission for the 44th Presidency, and the national director of the US Cyber Challenge. Prior to holding these roles, Ms. Evans was the administrator of eGovernment and Information Technology for the Executive Office of the President, for the Office of Management and Budget. Hi.

Karen Evans
Hi, thank you for having me back. I’m looking forward to our discussion.

Jane Norris
It’s great to be here, and then of course, Lieutenant General Harry Raduege, who is the former director of the Defense Information Systems Agency and a four-time federal agency CIO. He is now the chairman of Deloitte’s Center for Cyber Innovation and a director with Deloitte Services. General Raduege is also co-chair for the Center for Strategic and International Studies Commission on Cyber Security for the 44th Presidency, senior cyber security advisor for the East-West Institute, senior advisor at the Cohen Group, and the Cyber Tiger Team chair for the University of Maryland University College. General Raduege, good to see you.

General Raduege
Great to see you, Jane. Karen, it’s great to be here with you.

Karen Evans
I’m excited.

Jane Norris
All right, so you’ve both seen major changes come down the pipe for cyber security and as government executives, you took on some of these challenges. So what do you think has changed in the field of cyber over the last few years?

General Raduege
Well, I’ve seen a number of changes. First off, I think there’s been a 180 degree shift in the emphasis in the areas of seeing the cyber threats as they come at us. In the past, the hackers used to want to make their presence known. They’d attack our networks and want to deface our websites, and the 180 degree shift I talk about is one that now, the hackers want to be hidden. They don’t want their presence to be known so that they can do all kinds of insidious things to your networks. Some of the other changes I’ve seen are the serious cyber threats that are coming. It’s no longer in the back rooms of our organizations. It’s moved into the boardroom, and over these last years, these cyber threats have evolved from relative insignificance in the past with just the hackers getting to us— to areas that really get into serious criminal activity, mission disruption, and life-threatening implications.

Also another area I think that I’m seeing so much of a growing emphasis on an evolving threat is advanced persistent threats. It’s no longer the well-resourced foreign government operations but it’s now really moving into independent cyber organizations and even sophisticated gangs that are developing these types of advanced persistent threats.

Karen Evans
So one of the things that I would say has really happened here is that they’ve gotten better organized, faster and when I say they, it’s multiple different levels. So as an operational person, and I know, General Raduege, you are, as well, I did experience a hacking incident, and it was just to make a mark and for kids to become famous and it’s still out there. It’s one of the most known ones out from the Department of Justice, but it has evolved into very mature, organized types of activities that are happening, and as they get more organized, we have to get better at what we’re doing and more organized, as well. It has moved out from an operations nuisance and it really does affect the way a business works and could affect profitability, intellectual property, national security. All of those types of things, and there’s a lot of competing interest coming at departments and agencies.

Jane Norris
So are we where we need to be in terms of responding to threats or what happens in the future? How do we get more sophisticated?

General Raduege
Sure, well, when you think about what it’s going to take to be successful in the future, the reality is that we’re faced with an estimated 1.8 billion attacks on government agencies and Congress per month. So that’s a daunting area of threat to us and attacks that are coming at us from all angles, and the government and industry executives are really realizing now more than ever that they’ve got to manage the risk that is associated with this evolving cyber threat. Primarily in the defensive areas for protecting these resources and operations, as Karen has mentioned here, the new approach really is sustainable risk management, and by that I mean, we’re evolving into an area where we need to plan for the smart integration of information, operations, and risk management all together, and so today, the key question that’s in our minds and in the business minds is what’s acceptable risk, and unfortunately, it’s not a question any longer as to whether you’re going to be attacked. It’s when your network is going to be breached.

And this has moved actually out of the area of the CIO and the CSO into the C suite and into the board of directors’ office, into the boardroom, because they need to determine what’s the acceptable risk to an organization and to the proper operations. So policy, as far as acceptable cyber risk, is now in the C suite.

Karen Evans
I would add a lot onto this based on the framework that has been laid out for the last 10 years. When you take a look back and you celebrate some of the successes, the Federal Information Security Management Act, when it came out, good, bad or indifferent, actually made agencies go back and take a look at what kind of information do I have and what is the category associated with that. So they’re at that point where really the federal government, private industry, what everybody owns, really, is information, and information is the power, whether you’re trying to get intellectual property from a competitor or you’re trying to find out nation secrets. You have to categorize that risk and what has to happen or what should’ve happened but now you’re starting to see it happen even more because agencies such as the Department of Veterans Affairs, when they lost all of that data— it wasn’t because of some hacker, I would say it was poor practice, poor cyber security practice in that particular area.

Jane Norris
That was when the laptops went missing?

Karen Evans
And they didn’t really – thank you. They didn’t necessarily think that acceptable risk is to let one person download 26 million pieces of information and take it off premise? I mean, today, we would really question that. Back then, it made sense because it was a research analyst who wanted to go home and do some work from home, so it made sense, but when the laptop got stolen, that was when a whole other set of criteria had to go into place, and you should have those discussions, plans and risk strategies in place before an incident happens.

General Raduege
Yeah, Karen, this is what I refer to in organizations these days as developing a cyber mindset, because this individual was well-intentioned and took the laptop home…but I ended up getting my letter from the Veterans Administration, and being a veteran, that’s kind of a frightening thing when you get mail that your personal information may have been compromised or violated.

And you know what’s really serious, I think, on the international front, we’ve had some worldwide cyber security summits and we’ve had an international group of cyber experts, and interestingly this survey we took, 54% of those cyber experts from around the world doubt that their organization that they currently work in can defend against a sophisticated threat and since it was an international audience, 69% of those experts doubt that their country could defend against a serious cyber threat. So these are pretty big challenges that seem to be growing.

Jane Norris
Well, let me ask both of you, if you think that agencies are assessing their risks at this stage appropriately, are they going through the risk assessment process? Where does that all stand?

Karen Evans
So I would say yes, but I would also agree with all the statistics that General Raduege just laid out, because it’s being done, and you can correct me if I’m wrong and we can have a huge debate over this, but I still think that it hasn’t matured enough that a CSO or a CIO has that business type of discussion with the secretary or the deputy secretary. What happens a lot of the time is that it says give me millions and millions of dollars, but you know what? You’re still not going to be secure, and so when a Deputy Secretary has to choose between something that may never happen or you can’t really explain to me how you’re going to secure it or reduce my risk, or putting up a service online – to help veterans or those types of things. They’re going to make a business decision just like you would in the business area, right? It’s a cost center. It ends up being a cost center, and what you have to really start talking about is how do we reduce the risk, right, that this is really an investment that’s going to help you leverage your intellectual property or leverage your position in the marketplace so that you are managing peoples’ information appropriately. So I think they do the assessments. I think it’s the next evolution, and they have to be able to talk about it and articulate it in a way that makes good business sense.

General Raduege
Absolutely. Well, you know, the CIO’s role has really been evolving over time, but it’s really a mixed bag out there with the different organizations, whether they’re government or industry. As I travel around, I see different organizations that seem to be further ahead and frankly, it’s because they’re getting emphasis in this area of cyber security from the front office. They’re getting it from the CEO. They’re getting it from the admirals and the generals. They’re getting it from the secretaries and the boards of directors. They are really starting to question this area because so many people are ending up on the front page of global media and the threats are there. People that we thought were secure are failing, and so people are saying how safe are we to their internal organization?

Jane Norris
Well, that’s interesting. All this is really interesting in light of the fact that there seems to be an anticipation of a major cyber intrusion. Do you think that we’re on the precipice of creating legislation that would assist with assessing risk or doing the things that agencies need to do to really put up those parameters?

Karen Evans
I think we’re going to get legislation whether we want it or not, but I do think that there are a series of initiatives that have been launched that if agencies really implement them – for example, reducing the attack surface space, which is related to what they called the trusted internet connections, which is really reducing external connections, or what DoD has done by implementing what they call the CAC card, and now that has gone out into Homeland Security Presidential Directive 12, which is really about knowing who’s on your networks. If you know who’s on your networks, you can reduce some of the noise and then put in some of the other types of additives. These things are out there. Agencies have to implement.

General Raduege
Well as you know, as I take a look back in time, 15 years ago, there was landmark legislation, the Clinger-Cohen Act, because at that time, Senator Cohen was sitting there in Congress and watching these large amounts of money and these requests, and it didn’t seem like anybody that came to testify had a clear understanding of how much they were spending on information technology and the related security aspects of those investments, and so the Information Technology Reform Act of 1996 was enacted, and actually one of the biggest parts of that was putting the CIO into the boardroom and working directly for the agency head of all federal government activities.

As a matter of fact, in 1996, I was on active military duty, and one of my new responsibilities was becoming the CIO of the organization that I was involved with.

Jane Norris
All right, well, we’re going to continue along, so stay tuned. This is the cyber coming of age, the very prescient show, especially now in October as we look at cyber security month. We’ll be back with more. You’re listening to Karen Evans. She’s a partner at KE&T Partners. She’s our guest today, as well as Lieutenant General Harry Raduege, who is the chairman of the Deloitte Center for Cyber Innovation and a director with Deloitte Services, and you’re listening to FedCentral on Federal News Radio 1500 AM. I’m Jane Norris.

Welcome back to FedCentral brought to you by Deloitte. We’re talking today about the cyber coming of age. Our guests are Karen Evans, currently a partner at KE&T Partners, and Lieutenant General Harry Raduege. He is the chairman of the Deloitte Center for Cyber Innovation and a director with Deloitte Services. So we’re talking about cyber security, the coming of age, and I think probably the next coming of age for agency leadership will be these new budget pressures that they’ll be up against. Obviously, we’re having big discussions at a congressional level, at a presidential level, about, you know, agency budgets and how we’re going to be spending money. So how do agency leaders consider their budgets while still making the adjustments that they need to, to preserve their cyber security? Karen, I’ll ask you first.

Karen Evans
So this is actually a really exciting time. I know the agencies are having a heart attack with this answer that I’m saying right now, but because of those competing budget pressures, what it really does is allow you to stimulate a lot of the discussion around innovation and things that you normally would not do. The status quo is not going to be acceptable here. So things like maintaining some of the old security risk postures that they had, some of the solutions that they had in place, will have to go away because they’re not necessarily cost effective. So you really are going to have to look at this across the board about okay, now I had a physical access system and I had a logical access system that allowed me to get onto the computers. Well, I can’t maintain both anymore, which means I have to really combine that infrastructure together to maximize that investment. So people can’t go down their separate paths anymore because we can’t sustain those operating costs, so this is a really great time for security officers because everything that they’ve ever wanted to do to bring all those groups together; the budget’s going to force that discussion because they’re going to have to reduce that footprint.

So it is an exciting time. I know it’s a challenging time, but it’s a really exciting time to get those questions answered about the risks and how to manage this.

General Raduege
Well, absolutely, and you know, what they’re faced with now is sort of a double-edged sword. They’re being asked to take costs out but also to put investment in, because in this era of information technology, the way it races ahead, you’ve got to have the modern technology, so you’ve got to spend some money, but you’ve also got to take the money out. This is that double-edged sword that our CIOs, and right into the boardroom today, the chief operating officers, the chief financial officers, the chief security officers – they’re all wrestling with this, so it’s at the proper level. And there’s a lot of competing demands out there today for these resources, and that’s why it’s so important, I believe, that you have to really plan and prepare at how to respond to the many different scenarios that come flying at you as a CIO in today’s modern operations, and cyber security has to have equal parts of prevention and resilience, and frankly, no agency today can protect themselves perfectly against every attack.

Jane Norris
So is it just a prioritization issue that agencies have to go through?

Karen Evans
Well, I would say a great example of looking at this is the cloud implementation. It’s brand new technologies. It’s really out there to optimize how agencies provide services. The traditional model for an agency is they actually build to maximum capacity. So think, if I’m The Department of Homeland Security and I have an incident like Katrina or Cash for Clunkers is the great example that Vivek used to use, Vivek Kundra. They want to build to that one time maximum capacity, which means you have all this unused capacity that you’re paying for. Cloud services really offer you on demand, so think about it. I’m only operating at this time of the year at 10%, but I’m the IRS so during tax season, I have to operate at 150% so I pay for that peak utilization just like I do electricity bills, any of those types of things. You have to say okay, I’ll look at that, re-engineer it, but now I can build in cyber security to this, things like patch management and all the resources associated with that. I can build that into the contract and remove that risk, and manage it better. They manage it piecemeal but this is going to force that integration across the board in all the services.

General Raduege
And you know, Karen, you can’t do this by yourself. A new organization can figure all this out internally. It’s requiring a lot more collaboration. It’s trying to figure out who you can trust, building those trusted relationships, both inside your organization and outside as you work to try and address all these major issues today that are in our world, the ones that we have been involved with our entire career, and frankly, increasingly, now trust is built by sharing vulnerabilities. It’s about talking about vulnerabilities. No longer covering them up or trying to hide them but actually putting them out on the table and discussing them and trying to build those trusted relationships so you can address the issues together.

Jane Norris
So as you’re doing all of this, and it sounds as though, the ultimate goal is to get everyone inside the organization to cooperate. How does customer service, play a role in all of this because obviously baking in all of these new systems that protect your network are going to have an impact on the end user, so how does that all factor in?

Karen Evans
I would go back to some of the points that General Raduege made earlier, which is about your risk profile. So if you take a look at some of the services that you want to offer for customers externally like the citizen, it isn’t necessarily going to be in your best interest to require them to have a solution where they have to pay $500, $600 in order to submit tax information to you that you’re requiring, so you’re going to have to work through what that solution should be, but it would make sense maybe in a national security area with the intelligence area to have that type of robust solution. That’s really a risk-based solution based on the type of information. So when you do that, if you want to take risk out of, say for example, the trading partners that I use internationally, there’s a cost associated with that, and if the secretary wants to reduce it, right – they want to lower their risk profile, that means you have to invest more money. And if you start talking about it like that, saying okay, well, I want to only deal with this amount of trading partners, they may have an increased cost in order to do that, but the tradeoff is okay, I have a higher level of trust now in the products and what I’m integrating into my system. That discussion is a new and evolving discussion that is now happening because you have to deal with all of those different types of information.

General Raduege
Absolutely, and you know, since we’re talking about government activities here, there’s an interesting dynamic going on out there, too, where we’re actually – we, as individuals, at least government agencies, we want to be protected by our government, but we also want to be protected from it, and so that’s an interesting dynamic that is going on, and this is why I think the give and take that’s so difficult sometimes for chief information officers is because they seem to have these competing requirements all the time laid on them, and now it’s no longer in the CIO’s domain alone to make these kind of decisions but frankly, it’s been elevated into the organization’s.

Jane Norris
I think what you’re talking about is just having the privacy and the ability to trust your network and yet still have some measure of security from the people that you don’t want to receive this information, and Karen, I think what you’re saying is there is a hierarchy of information, some of which is more necessary to protect than others.

Karen Evans
Absolutely, this little thing of privacy and civil liberties that our country is founded on is very important, so you can make a really secure system and you can share a lot of information and you can violate a lot of privacy and civil liberties going forward, and that’s the balance when you talk about customer service going forward of how to do this, but as a citizen, if I get a ticket going through Maryland with the camera, I’d like the convenience of paying for that online, and so this is where you’re going to start seeing new models, that allow a different distribution channel. So I’m going to give a little bit more information so that I don’t have to go down to the courthouse so that I can pay the ticket online which now allows Maryland to sustain that service, right?

So those are some of the things that you’re going to look at that’s a balance of privacy I’m willing to give up in order for the convenience of the service that I want to have. That discussion has to go across the board on all of these things, and then when you start looking about how you’re using the information or how you’re sharing the information, to General Raduege’s point, when you do have an incident, you want to make sure that’s shared in a way that is protecting privacy and civil liberties.

General Raduege
Absolutely. That was one of the key points, as a matter of fact. Karen and I had the privilege of working on the Center for Strategic and International Studies Commission on cyber security for the president. It was one of the key points that in our discussions we talked about. Should we put the requirement in for privacy and civil liberties, and some people thought well, we don’t need to put that in. It’s sort of a given, but no, it isn’t a given, and I’m glad that the administration has endorsed those ideas.

Jane Norris
So you bring me to the Center for Strategic and International Studies. Karen, I know that you participated in a white paper. General Raduege, more than one, several. One of the areas that you both dealt with is the human capital crisis that exists in cyber security. Have we or are we starting to make progress?

Karen Evans
I am seeing, since that paper has been released, there has been a lot of movement in this area. What is really promising is that the Department of Homeland Security has really embraced the idea of putting together a comprehensive workforce plan, workforce planning across the board through critical infrastructure industry. They have a framework that is out for comment. A lot of it is based on analysis and things that were highlighted in the workforce paper from CSIS. So it’s very rewarding that the work is being looked at from that way. It’s really about roles and responsibilities, because the key thing in that is again, what is a cyber security professional and the differentiation between a cyber enhanced workforce, which is a lot of what we’re talking about, to a cyber security professional.

General Raduege
We’re really dealing with numerous people that are players now in this cyber operation in any business or government activity. When you think about the multiple players that are involved – the chief operations officer, the chief financial officer, CIOs, CSOs, chief policy officers, chief management officers… all of those individuals now have a role to play in this cyber security which is broad based across any organization. This is why I think it’s been elevated, and it’s the major change that I’ve seen in the last few years, no longer in the back room but now into the boardroom and into the situation room in our military.

Jane Norris
I know that both of you are engaged in these cyber exercises with young people, both high school students and college students. So are they up to the task?

Karen Evans
There is a lot of talent out there. I am very excited. We just finished up our last round of summer camps and we went from 55 to 210 just in one year, we are really attracting very different demographics and very talented people.

General Raduege
Absolutely, and I’m very proud to be part of the Air Force Association’s CyberPatriot program, where we have competition in the high schools and then raising it up to the collegiate level. We’re proud that Deloitte is a presenting sponsor for the National Collegiate Cyber Defense Competition, where universities are competing against each other for a national champion every year, and I’m real proud of what the University of Maryland University College has done in putting together cyber programs, degree programs, in Bachelor’s and Master’s degrees.

Jane Norris
Well thank you both for joining us. It’s a pleasure to speak with both of you. So professional, so knowledgeable about this topic, cyber coming of age, and thank you all for joining us today. This is FedCentral brought to you by Deloitte on Federal News Radio 1500 AM. I’m Jane Norris.