Last Friday, I was on the Federal News Countdown on WFED, hosted by Francis Rose, along with Steven Bucci, Director of the Douglas & Sarah Allison Center and Senior Fellow for Defense & Homeland Security at The Heritage Foundation.
The way the News Countdown works is that each of the guests talks about their third most important story of that week relating to the Federal Government, then the second and finally the most important.
The following are the three articles I selected plus some additional comments.
Mobile apps are key to VA’s New Models of Care program
My third most important story was from Government Computer News, http://gcn.com/articles/2013/08/14/veterans-affairs-mobile-apps.aspx.
The Veterans Administration created a program called New Models of Care (NMOC), which deals with providing care outside of a VA facility. You can see a YouTube video describing the program: http://www.youtube.com/watch?v=X4lI8pVTjK8&feature=youtu.be.
The thought was that it would be possible to develop mobile apps that veterans could access to support the NMOC program implementation.
The article was interesting to me for a variety of reasons.
First, as I have mentioned before it is much more powerful to talk about how an IT project supports the mission of an organization than just focusing on saving costs. Even in the difficult budget environment the Federal Government finds itself, mission support remains the best way to obtain support.
Second, there is an increasing focus within the Federal Government on mobile app development, as well as how to organize and manage that development. A growing number of agencies and departments are creating app stores. The GCN article talks about the disciplined process that needs to be followed by VA developers to get a mobile app approved.
Third, even with this more disciplined approach there is the likely possibility that we will have stovepiped mobile app development by organization, in the same way we have had stovepiped data definitions and stovepiped non-mobile app development. One thought that I had was that OMB might consider creating a government-wide app ‘standards’ organization which would have to approve api’s and data definitions associated with mobile apps. A model for this could be how Sun Microsystems, where I used to work, created a Java standards organization or other organizations have lead various open technology standards, perhaps something similar could exist within the government.
DHS to standardize cyber protections through new contract
My second most important story was from Federal News Radio, reported on by Jason Miller, http://www.federalnewsradio.com/76/3420110/DHS-to-standardize-cyber-protections-through-new-contract-.
Congress provided funding for a continuous diagnostics and mitigation (CDM). The Department of Homeland Security awarded a contract to 17 companies to provide tools in support of this program.
The article notes that John Streufert, the director of Federal Network Resilience at DHS, that first he wanted to make sure the underlying networks at agencies were covered and then after that move up to look at specific applications. This contract was to deal with the first step, network coverage.
Streufert has been one of the leaders in pushing for continuous monitoring. When the original programs were established to provide cyber security oversight, the implementations were static. Agencies were required to check status on all of their systems on a three-year rotation. Thus, each system was checked at a single point in time, and that single point only came once every three years.
In today’s world, that kind of review is not very effective. The move to continuous monitoring, being aware of system status continuously, is a very good step forward.
I had two reactions to the article.
First, it is a compliment to the current administration and the IT leadership that the transition from static to continuous monitoring has achieved such widespread acceptance. This acceptance of the need for such a change is now widespread across the government. While the implementation change is not easy and the time to do so can be frustrating, it is clear that this change is inevitable.
Second, the goal of the DHS contract was to provide this capability as a service from an external provider. This is called continuous-monitoring-as-a-service (CMaaS). While little remarked upon explicitly in the article, the acceptance of such provisioning as ‘normal’ is a real sea change for the Federal Government. What was once unthinkable, obtaining services externally instead of individual implementations one-at-a-time at each agency or department is now accepted as a reasonable alternative.
Leadership of intell review group remains unclear
My most important story was from Federal Computer Week, http://fcw.com/Articles/2013/08/14/intelligence-review-group.aspx?Page=1.
Earlier in August, President Obama announced that he would create a group to review current intelligence activities. This was one of the reactions to the recent revelations of NSA intercepting foreign and domestic communications.
August 12th, the President released a memo ordering the Director National Intelligence (DNI) James Clapper to create the group. However, because Clapper was accused of lying to Congress his involvement was brought into question. Any implication that Clapper would be involved in actually running or participating in the review was denied by the White House. Further, the White House now said that they would be selecting the committee leadership.
My interest in the article was more about what I felt it represented, not the specifics of the story, which in large part were inside-the-beltway baseball, at least in my opinion.
The broad problem with cyber security issues flows from the lack of the definition of borders. Classically when there were good guys (us) and bad guys (them), there was a physicalness to the relationship. We were here, they were there. If we were attacked, they had to go from there to here, or thrown something from there to here.
Now that is less true. Electronic communications do not respect borders. They cross and recross boundaries. They may originate here and then attack here. It is often difficult to ‘prove’ where an attack came from, attack sources can be hidden. Further, who ‘they’ are becomes complex, especially when the attackers are often from non-government sources though sometimes associated with the government.
Normally in times or war, standard legal limits on behavior that we expect to be true domestically are not applicable in the field of battle. While there are standards of behavior that are expected to be followed, they are different from domestic rules. When the field of battle includes a domestic presence, it makes it very difficult for those charged with protection to define and operate in a successful fashion, perhaps acting one way some of the time and a different way other times. Not surprisingly, they make mistakes. If they are too aggressive, they are violating the law. If they allow a successful attack, they have failed in their mission.
A second somewhat more narrow issue relates to the role of General Keith Alexander. He is both Commander of the US Cyber Command within DoD, and Director of the National Security Agency.
From everything, I know about General Alexander he is a remarkable and talented leader. However, that dual role makes a complicated situation even more complicated, blurring the lines between the two responsibilities.
Competent decision makers, and General Alexander is a very competent decision maker, achieve efficiency amongst their responsibilities, which he is in the process of doing. When he eventually leaves his current responsibilities, it is very possible that there will be a desire to segregate the two roles. However, untangling the two by that time may prove difficult.