Reflections At ELC: Why Klososky’s Keynote Missed The Mark

This last weekend I attended the Executive Leadership Conference (ELC) sponsored by ACT-IAC in Williamsburg.

The opening night keynote speaker, Scott Klososky, presented some interesting points but, I felt, left out some key issues; probably a bit of an unfair feeling since he only had an hour to cover a lot of material.

I wrote up my summary of what I thought was missing at AOL Government where I am a contributing blogger:

http://gov.aol.com/2011/10/25/reflections-at-elc-why-klososkys-keynote-missed-the-mark/

The first, and as of now only, comment came from Scott Klososky himself who graciously said he agreed with most of my points.


Moving Into the Cloud – Practical Experience

For all those who are near the Washington Convention Center today and tomorrow, there is an interesting conference on Cloud Computing and Virtualization: http://govcloudconference.com/Events/2011/Home.aspx

Best of all, they reached back into ancient history and asked me to moderate a panel on Friday, September 9th, from 10:15 – 11:15, entitled Moving Into the Cloud – Practical Experience.

We will have four great panel members:

  • Fred Whiteside, NIST; who will focus on the Government policy issues
  • Wolf Tombe, Customs and Border Protection, DHS; who will take the perspective of the Government implementor
  • Bob Hansmann, Blue Coat; who will discuss what it is like to be a commercial provider supporting cloud initiatives
  • Dmitry Sokolowski, BAH; who will talk about the issues in providing support as a consultant working inside Government
I am lucky to have been asked; it should be an interesting discussion.


Earthquakes, Emergency Training, and COOP

When I was at the Department of Transportation …

It occurs to me that a lot of my writing starts with that phrase. I haven’t yet decided if I use it because I learned a lot there or because I think people will be more likely to listen if I start a discussion with it.

Regardless, when I was at the Department of Transportation we would do emergency training. What if there was another 9/11 attack, what if there was a cybersecurity attack, and so forth. Some of us got to go to semi-secret locations and stay underground: walk down long corridors with lights along the top casting shadows, lots of clacking of shoes on the floor, eating together in the cafeteria, periodically getting messages of incident updates, doing reports, watching the pretend (or real) Secretary, talking to the (always) pretend President, and so on. It was pretty cool, like getting to go back to camp for a day. Some of the exercises were pretty extensive, involving multiple Government agencies including in some cases State and Local governments.

How I Survived the Great Washington Quake of 2011

Earlier this afternoon I had a meeting in my office with one of my staff to go over a number of difficult issues.

We went back and forth over a number of topics. I, of course, was up at my whiteboard drawing things on it and proving key points with insight and wit, or I suppose using the fact that I was the senior person in the office to dominate some of the conversation.

Suddenly my office, on the second floor of our four-floor office building, started to move up and down and shift seemingly back and forth. I had no idea as to what was going on.

If I might digress for a bit, the human mind, or at least mine, tries to interpret completely unexpected events by relating them to something familiar. Many years ago, at our previous house in a neighborhood that backed on a small park, I was reading and happened to look out the window. “Funny”, I thought, “when did my wife buy a deer statue to decorate our back yard with?” It seemed so large for something Ellen would get. Of course then the head of the deer statue leaned down and munched on a plant in our yard.

Back in my office, the only thought that occurred to me was that the floor felt like it would suddenly collapse, but then what was among the longest 20-25 seconds of my life ended when the floor stopped shifting.

My staff person and I looked at each other, and he said “What was that?” We opened the door and looked in the hallway to see everyone else in the office milling around. Showing the executive decision-making ability that I was hired to demonstrate as the COO at Powertek, I walked out the office door and down the one flight of stairs to the outside, moving away from anything that might fall on me.

After about fifteen minutes of milling about aimlessly, we all decided to go back in the building.

A friend of mine told me a story about when he was in San Francisco when one of the major earthquakes happened. He remembers putting his hands on the wall next to him and pushing as hard as he could to make sure the wall didn’t fall down. When the quake stopped he realized that this was one of the stupidest thoughts he ever had. When he walked outside, it was night, it was eerie since there were no lights anywhere in San Francisco.

During the time I was walking out and milling about, I checked in with my wife, who was at home and confirmed that we had suffered an actual earthquake, and with my younger daughter, who texted my wife that she had run down eleven flights of stairs and was safely protected by coffee at Starbucks.

By the time we went back in to the office and accessed the source of all current knowledge, Wikipedia, we were amazed (though we shouldn’t have been) that there already was a full story about the earthquake. Our CTO mentioned that he would have been more impressed if the entry had been made before the earthquake. It occurs to me that quantum computers could have that side benefit if designed correctly.

Bloody Crimes, A Book About Abraham Lincoln and Jefferson Davis at the end of the Civil War

Finished Bloody Crimes, http://www.amazon.com/Bloody-Crimes-Jefferson-Pageant-Lincolns/dp/0061233781/ref=sr_1_1?ie=UTF8&qid=1310434681&sr=8-1, by James Swanson, who has written a number of books related to Lincoln’s assassination.

This book tells parallel stories about what happened to Lincoln’s body after his assassination as it was taken on a train ride back to Springfield, Illinois, and what happened to Jefferson Davis during his escape from Richmond to his capture and then to the end of his life. It is well written and, for those interested in the general subject area, a fairly short read with a lot of information that at least I was unaware of.

One of the events described toward the end of the book stayed with me after I finished. The Lincoln Memorial was dedicated in 1922, with, among others, Robert Lincoln, Lincoln’s surviving son, attending. The crowd listening to the dedication was in large part segregated.

It took many years before the promises made at the end of the Civil War seriously began to penetrate American society in a meaningful way.

July 4th & American Exceptionalism, Reposted

In December 2009, I was asked by the Inter-American Development Bank to participate in a project to look at eGovernment for the Brazilian Government.

During the time I worked on that effort, I got to know a number of the IADB staff. One of them, who was born in Spain, married an American wife, and now lives in the US, told me that in his opinion there was one particular thing that made America unique. It was that, unlike any other country, America was founded on the principle that all Governmental power was derived from the people. In most countries, he said, the opposite was the case. In other countries, rights were conferred by the Government.

I am not enough of a student of International Political Science to know how accurate that conversation was. But I do believe in the first part, that is, that the premise of the American experiment was that Governmental power was “derived from” not “established for”.

Quoting from the Declaration of Independence, a document which will be often quoted today, July 4th, but not paid enough attention to:

“We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty, and the pursuit of Happiness.—That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed.”

As a second-generation American (all of my grandparents were born in Europe), I remain thankful that I am able to be a small part of this continuing attempt to expand the barriers to freedom that America has represented and continues to represent. I continue to believe that freedom is at its most basic not “freedom from” but “freedom to”.

While I worry that currently we are losing our way a bit, like most Americans over these 200-plus years, I remain optimistic that the experiment will continue unabated.

Happy July 4th to all friends of liberty.


Dave Wennergren – Solving Problems vs Managing Dualities

I recently had the pleasure of listening to Dave Wennergren, one of the more thoughtful Government IT and Management leaders, discuss the areas he is focused on in his current job as the Assistant Deputy Chief Management Officer for DoD.

There was one particular anecdote that Dave told that I thought was particularly worth repeating; just so I am not misinterpreted, this was just one of many.

He noted that most people who are successful became that way by being very good at problem solving. Thus most issues that come up are looked at as problems to be dealt with, with the right answer to be discovered and acted upon.

In reality, however, many of the challenges we face are in fact dualities that need management.

For example, Dave pointed out, consider inhaling and exhaling, functions of the body that serve to a large extent different purposes. It would be unwise to only optimize one of them to the exclusion of the other. The result would not be positive.

My GWU Discussion – Part 3 – What to do About Cybersecurity

This is my third (and, thankfully to most readers, last) post about a class I gave at George Washington University earlier this year. The professor, Dr. Robert McCreight, invites me to be a guest lecturer on cyber-security from time to time. I posted a copy of my slides in the previous two posts and do so again here:

George Washington University Slides on Cyber-Security

In the last post I returned, as I often do, to the question “How to be secure when each component of your solution is itself insecure?” I find that most practitioners, and in particular their management, are in denial on this issue. While my first suggested step, which is to practice security hygiene, is useful, it does not help against a determined attacker.

While I am not sure if anything short of not connecting to anyone will work all the time, two possible approaches seem promising.

My GWU Discussion – Part 2 – What to do About Cybersecurity

Previously, I had written about a class at George Washington University to which the professor, Dr. Robert McCreight, invites me as a guest lecturer on cyber-security from time to time. I posted a copy of my slides then and do so again here:

George Washington University Slides on Cyber-Security

In this entry I wanted to talk about my thoughts on what organizations should consider when dealing with cyber-security issues. My discussion here is based on slide 18 – Thoughts On What To Do (duh). I will cover the final slides in a following entry.

I believe a lot of people start with the wrong premise. They assume that the goal of cyber-security implementation is to end up with a secure systems architecture. In fact, at least in my opinion, that goal is unrealistic, and planning with that objective in mind can lead to negative results.

Money is wasted playing what I refer to as whack-a-mole security: chasing after incidents that have already happened, and spending too much of an organization’s limited resources defending everywhere when the bad guys only need to find one vulnerability.

As I write on the slide, “The fundamental question is how to be secure when every component is insecure.” I suggest two parts to the response, the first of which I discuss here.

As step one, practice security hygiene. Make sure that you have not made it easy for your systems to be penetrated. The reason we put locks on the doors of houses is not that this makes it impossible to break in, but that at least we make it hard for the casual intruder and slow them down to increase the chance of apprehension.

Much of what I talked about while I was at the Department of Transportation is in fact being accomplished in the Federal Government today, better than I did it for that matter. There is an increasing movement away from the static oversight of FISMA report creation to the dynamic oversight of real-time situational awareness.

You cannot defend something when you do not know what is happening. Integrating sensors into your network or even better developing systems that themselves provide situation status are a big plus.

Second, it is important to build security into the budget process. My not-well-formed thoughts at DOT were that, depending on the categorization of software projects as low/medium/high on criticality (or some other kind of measurement), there should be a percentage range of the total budget required to be associated explicitly with security, with a separate plan as to how the money would be spent. I found that when I went back and looked at systems that had been developed at DOT before I joined, the security investments were often not documented, and when documented, the percentage of the total expense varied very dramatically.

The key point here is that security dealt with after development generally has little value, and even then costs much more than when it is designed into the system development process.

Third, it is important to be as transparent as possible. There is a tendency to try to hide security status with the excuse that this makes a system more vulnerable by exposing weaknesses that would otherwise not be known.

This premise is generally wrong for at least two reasons. Bad guys will eventually find all of these weaknesses anyway; they spend more focused time doing so than most of us have for protecting. Most important, it is only with transparent exposure of status that we are likely to focus on fixing problems.

It is just as likely that resistance to transparent exposure of status comes from fear of oversight more than from concern for security protection. Management visibility is the biggest cure for problems.

This last issue is representative of the broad issue of information sharing versus information protection, a topic I have discussed many times. I remain convinced that while both have to be paid attention to, organizations that want to be successful in accomplishing their mission need to lean to the information sharing side of the argument.

Next will be my wrap-up of the presentation continuing the conversation about what to do about security while having inherently insecure systems.


My Guest Lecture at George Washington University on Cybersecurity

Every year or so I am lucky to be invited by Dr. Robert McCreight, who teaches a graduate class on National Security and Technology, to be a guest lecturer on Cybersecurity.

Since the classes I teach at the University of Maryland and Syracuse University are on-line distance learning, it is always a treat for me to have actual live students in the same classroom to interact with. This year the exchange of information was really great; Dr. McCreight has a wonderful class. For all of these activities, I deal with what I call the “avoidance of appearing like an idiot in front of people syndrome”, which forces me at least to scan and keep up with the literature before the class is held.

While I am one of those people who learn best by doing, being able to talk to and discuss with bright students is still very helpful and fun to do.

I have posted my presentation below and during the next few weeks hope to write a few columns based on the later slides. Of course, I have still not written the last two posts I promised on cloud computing, and as usual what I plan to do with this blog and what actually happens continue to diverge.