October 5th, 2011

Cyber is no longer the responsibility of the CIOs and CISOs. New threats and technologies are compelling Federal agencies to manage their risks and do business in fundamentally different ways, whatever their mission. New OMB directives are challenging leaders across agency functions to accelerate their adoption of a more mature cyber discipline to not only detect and deter threats, but to achieve higher levels of efficiency, performance, and innovation. How far have we come and what are our biggest challenges—and opportunities—ahead as Cyber comes of age? Hear what Lt. General Harry Raduege Jr. and Karen Evans have to say in this compelling discussion.
Show Highlights:
• Cyber challenges among government agencies now and in the future
• New approaches to sustainable risk management in the cyber space
• The August 8 OMB Memo expanding CIO authority as a top business and mission priority
• Pending legislation to evolve cybersecurity missions
• The human capital crisis in cyber
The following is a full transcript of FedCentral’s interview with Lt. General Harry Raduege Jr., USAF (Ret), Chairman, The Deloitte Center for Cyber Innovation, Deloitte Services LP, and Karen Evans, Partner, KE&T Partners, LLC, conducted by Jane Norris on Oct. 5th, 2011.
Jane Norris: Welcome to FedCentral, brought to you by Deloitte, a program where executives and federal government leaders talk about issues and initiatives that are making a real impact on the business of government today, to help government help America. Today we’re talking about the coming of age of cyber. It is cyber security month in October, after all. It’s no longer just for Halloween anymore. Cyber is no longer the responsibility of just the chief information officers and the chief information security officers. It has become a real coming-of-age story as cyber has moved out of the IT shop over the last few years. New threats in technologies like cloud and social computing and mobility are compelling federal agencies to manage their risks and to do business in fundamentally different ways, whatever their mission.
New OMB directives are challenging leaders across agency functions to accelerate their adoption of a more mature cyber discipline, to not only detect and deter threats but achieve higher levels of efficiency, performance, and innovation. How far have we come and what are our biggest challenges and opportunities ahead as cyber security comes of age? Joining us to discuss this are two former government executives who have played pivotal roles in this issue over the last ten years.
Karen Evans is currently a partner at KE&T Partners, and she’s a member of the Center for Strategic and International Studies Cyber Security Commission for the 44th Presidency, and the national director of the US Cyber Challenge. Prior to holding these roles, Ms. Evans was the Administrator of E-Government and Information Technology for the Executive Office of the President, at the Office of Management and Budget. Hi.
Karen Evans: Hi, thank you for having me back. I’m looking forward to our discussion.
Jane Norris: It’s great to be here, and then of course, Lieutenant General Harry Raduege, who is the former director of the Defense Information Systems Agency and a four-time federal agency CIO. He is now the chairman of Deloitte’s Center for Cyber Innovation and a director with Deloitte Services. General Raduege is also co-chair of the Center for Strategic and International Studies Commission on Cyber Security for the 44th Presidency, senior cyber security advisor for the East-West Institute, senior advisor at the Cohen Group, and the Cyber Tiger Team chair for the University of Maryland University College. General Raduege, good to see you.
General Raduege: Great to see you, Jane. Karen, it’s great to be here with you.
Karen Evans: I’m excited.
Jane Norris: All right, so you’ve both seen major changes come down the pipe for cyber security, and as government executives, you took on some of these challenges. So what do you think has changed in the field of cyber over the last few years?
General Raduege: Well, I’ve seen a number of changes. First off, I think there’s been a 180-degree shift in the emphasis in the areas of seeing the cyber threats as they come at us. In the past, the hackers used to want to make their presence known. They’d attack our networks and want to deface our websites, and the 180-degree shift I talk about is one that now, the hackers want to be hidden. They don’t want their presence to be known so that they can do all kinds of insidious things to your networks. Some of the other changes I’ve seen are the serious cyber threats that are coming. It’s no longer in the back rooms of our organizations. It’s moved into the boardroom, and over these last years, these cyber threats have evolved from relative insignificance in the past, with just the hackers getting to us, to areas that really get into serious criminal activity, mission disruption, and life-threatening implications.
Also, another area where I think I’m seeing so much of a growing emphasis on an evolving threat is advanced persistent threats. It’s no longer just the well-resourced foreign government operations, but it’s now really moving into independent cyber organizations and even sophisticated gangs that are developing these types of advanced persistent threats.
Karen Evans: So one of the things that I would say has really happened here is that they’ve gotten better organized and faster, and when I say they, it’s multiple different levels. So as an operational person, and I know, General Raduege, you are, as well, I did experience a hacking incident, and it was just to make a mark and for kids to become famous, and it’s still out there. It’s one of the most known ones out from the Department of Justice, but it has evolved into very mature, organized types of activities that are happening, and as they get more organized, we have to get better at what we’re doing and more organized, as well. It has moved out from an operations nuisance, and it really does affect the way a business works and could affect profitability, intellectual property, national security. All of those types of things, and there are a lot of competing interests coming at departments and agencies.
Jane Norris: So are we where we need to be in terms of responding to threats, or what happens in the future? How do we get more sophisticated?
General Raduege: Sure, well, when you think about what it’s going to take to be successful in the future, the reality is that we’re faced with an estimated 1.8 billion attacks on government agencies and Congress per month. So that’s a daunting area of threat to us, and attacks that are coming at us from all angles, and the government and industry executives are really realizing now more than ever that they’ve got to manage the risk that is associated with this evolving cyber threat. Primarily in the defensive areas for protecting these resources and operations is, as Karen has mentioned here, and the new approach really is sustainable risk management, and by that I mean, we’re evolving into an area where we need to plan for the smart integration of information, operations, and risk management all together, and so today, the key question that’s in our minds and in the business minds is what’s acceptable risk, and unfortunately, it’s no longer a question of whether you’re going to be attacked. It’s when your network is going to be breached.
And this has moved actually out of the area of the CIO and the CSO into the C suite and into the board of directors’ office, into the boardroom, because they need to determine what’s the acceptable risk to an organization and to the proper operations. So policy, as far as acceptable cyber risk, is now in the C suite.
Karen Evans: I would add a lot onto this based on the framework that has been laid out for the last 10 years. When you take a look back and you celebrate some of the successes, the Federal Information Security Management Act, when it came out, good, bad or indifferent, actually made agencies go back and take a look at what kind of information do I have and what is the category associated with that. So they’re at that point where really the federal government, private industry, what everybody owns, really, is information, and information is the power, whether you’re trying to get intellectual property from a competitor or you’re trying to find out nation secrets. You have to categorize that risk, and what has to happen, or what should’ve happened, but now you’re starting to see it happen even more, because agencies such as the Department of Veterans Affairs, when they lost all of that data, it wasn’t because of some hacker. I would say it was poor practice, poor cyber security practice in that particular area.
Jane Norris: That was when the laptops went missing?
Karen Evans: And they didn’t really – thank you. They didn’t necessarily think that acceptable risk is to let one person download 26 million pieces of information and take it off premise. I mean, today, we would really question that. Back then, it made sense because it was a research analyst who wanted to go home and do some work from home, so it made sense, but when the laptop got stolen, that was when a whole other set of criteria had to go into place, and you should have those discussions, plans and risk strategies in place before an incident happens.
General Raduege: Yeah, Karen, this is what I refer to in organizations these days in developing a cyber mindset, because this individual was well-intentioned and took the laptop home… but I ended up getting my letter from the Veterans Administration, and being a veteran, that’s kind of a frightening thing when you get mail that your personal information may’ve been compromised or violated.
And you know what’s really serious, I think, on the international front: we’ve had some worldwide cyber security summits and we’ve had an international group of cyber experts, and interestingly, in this survey we took, 54% of those cyber experts from around the world doubt that the organization they currently work in can defend against a sophisticated threat, and since it was an international audience, 69% of those experts doubt that their country could defend against a serious cyber threat. So these are pretty big challenges that seem to be growing.
Jane Norris: Well, let me ask both of you, if you think that agencies are assessing their risks at this stage appropriately, are they going through the risk assessment process? Where does that all stand?
Karen Evans: So I would say yes, but I would also agree with all the statistics that General Raduege just laid out. It’s being done, and you can correct me if I’m wrong and we can have a huge debate over this, but I still think that it hasn’t matured enough that a CSO or a CIO has that business type of discussion with the secretary or the deputy secretary. What happens a lot of the times is that it says give me millions and millions of dollars, but you know what? You’re still not going to be secure, and so when a Deputy Secretary has to choose between something that may never happen, or you can’t really explain to me how you’re going to secure it or reduce my risk, or putting up a service online to help veterans or those types of things, they’re going to make a business decision just like you would in the business area, right? It’s a cost center. It ends up being a cost center, and what you have to really start talking about is how do we reduce the risk, right, that this is really an investment that’s going to help you leverage your intellectual property or leverage your position in the marketplace so that you are managing people’s information appropriately. So I think they do the assessments. I think it’s the next evolution, and they have to be able to talk about it and articulate it in a way that makes good business sense.
General Raduege: Absolutely. Well, you know, the CIO’s role has really been evolving over time, but it’s really a mixed bag out there with the different organizations, whether they’re government or industry. As I travel around, I see different organizations that seem to be further ahead, and frankly, it’s because they’re getting emphasis in this area of cyber security from the front office. They’re getting it from the CEO. They’re getting it from the admirals and the generals. They’re getting it from the secretaries and the boards of directors. They are really starting to question this area because so many people are ending up on the front page of global media and the threats are there. People that we thought were secure are failing, and so people are saying, how safe are we, to their internal organization?
Jane Norris: Well, that’s interesting. All this is really interesting in light of the fact that there seems to be an anticipation of a major cyber intrusion. Do you think that we’re on the precipice of creating legislation that would assist with assessing risk or doing the things that agencies need to do to really put up those parameters?
Karen Evans: I think we’re going to get legislation whether we want it or not, but I do think that there are a series of initiatives that have been launched that, if agencies really implement them – for example, reducing the attack surface space, which is related to what they call the Trusted Internet Connections, which is really reducing external connections, or what DoD has done by implementing what they call the CAC card, and now that has gone out into Homeland Security Presidential Directive 12, which is really about knowing who’s on your networks. If you know who’s on your networks, you can reduce some of the noise and then put in some of the other types of additives. These things are out there. Agencies have to implement.
General Raduege: Well, as you know, as I take a look back in time, 15 years ago, there was landmark legislation, the Clinger-Cohen Act, because at that time, Senator Cohen was sitting there in Congress and watching these large amounts of money and these requests, and it didn’t seem like anybody that came to testify had a clear understanding of how much they were spending on information technology and the related security aspects of those investments, and so the Information Technology Management Reform Act of 1996 was enacted, and actually one of the biggest parts of that was putting the CIO into the boardroom and working directly for the agency head of all federal government activities.
As a matter of fact, in 1996, I was on active military duty, and one of my new responsibilities was becoming the CIO of the organization that I was involved with.