Information security is too often MIA

Duane P. Andrews bio

Age: 57

Family: Wife, Opal; son, Terrill, and daughter, Peyton

Last concert attended: Elton John's Face to Face Tour

Favorite Web site: www.google.com

Leisure activity: Shopping for treasures at auctions

Hometown: Lake Worth, Fla.

Hero: Vice President Dick Cheney

Duane P. Andrews, SAIC's security insider

Henrik G. DeGyor

Both inside and outside the government, Duane P. Andrews has built a career in information security.

As corporate executive vice president of Science Applications International Corp., Andrews manages projects related to national defense, law enforcement and information assurance. He joined SAIC's McLean, Va., office in 1993.

From 1989 to 1993, Andrews was assistant secretary of Defense for command, control, communications and intelligence'the Defense Department's CIO. He spent the previous 12 years dealing with cryptology, tactical intelligence and agency budgets as a staff member of the House Permanent Select Committee on Intelligence.

Andrews got his start in intelligence analysis and resource management while on active duty with the Air Force from 1967 to 1977.

He has received numerous civilian and military awards, including the DOD Medal for Distinguished Public Service, the National Intelligence Distinguished Service Medal and the Bronze Star. Last fall, he was inducted into the Post Newsweek IRM Hall of Fame for his substantial and long-term contributions to government IT.

Andrews received a bachelor's degree from the University of Florida and a master's in management and supervision from Central Michigan University.

GCN associate editor Patricia Daukantas interviewed Andrews by telephone.

GCN: How is IT security changing in the Defense Department?

ANDREWS: One of the biggest differences between the Pentagon back in my time and today is that we were basically having to look at information management as a discipline for the first time, and we had a lot of challenges. Right at the beginning of my tour, we had the Iraqi invasion of Kuwait.

What came out in those early reviews was how inadequate security was. As we build more of the force around information, we depend on the transfer of large amounts of data and finished intelligence. We've become more dependent on those information systems and communications links.

One of the things we spotted 10 to 12 years ago was that we needed to deal with information security or we, as a superpower, would be put at a great disadvantage by an enemy that could attack systems effectively.

Over the last decade, there's been little progress. Despite warnings from multiple defense science boards, DOD's still figuring out how to deal with the problem. And industry long ago figured out that the way to deal with it is to spend some money to educate people and improve the system security barriers.

Too many people'even today'think of it as just something that IT guys worry about, when really it is something that warfighters and commanders need to worry about. If they pick up the phone to give a command to go to war and there's no dial tone, or they send an ops order and it gets garbled or misread or doesn't get to its intended recipients, the war slows down. It doesn't necessarily stop'we're pretty innovative people, and we can find ways to work around security problems'but it does slow down the tempo and put us at some risk.

GCN: What's the biggest difference between the way DOD managed IT during your tenure and the way it is now?

ANDREWS: The biggest difference is a lot more information. At the height of Desert Shield and Desert Storm, we had less than 150 Mbps of data being transported across command and control systems. Nowadays, small incursions are going to take two or three times that amount. So we need bigger pipes and more capacity, and it's got to be secure.

GCN: How can agencies balance their need for information assurance with their need to connect to citizens?

ANDREWS: Many of us could design systems that put information on the Web to support citizens' right to access without putting agency systems at risk. You use security tools like firewalls, for example.

When we've long since retired, the government is still going to be struggling with a trade-off because the citizens want everything, and everything would in fact put the government at some risk. But the legitimate information that people need should be provided in a way that doesn't compromise the government's data.

GCN: As more federal employees use wireless devices, how will that affect IT security?

ANDREWS: Computers have been around for a long time, and people still don't understand them and their security very well. Wireless is brand-new.

I think it's a major challenge to get people educated. A lot of these products ship with the security features turned off. They perform better that way. If you don't turn it on, you don't have it, and anybody can cruise down the street and monitor the wireless LANs that are operating.

GCN: The Navy has a new Network Warfare Command [GCN, March 29, Page 34], and the Army added two commands to standardize its software and networks. Also, the Air Force has launched an office for warfighting integration. How are they doing?

ANDREWS: The services and their bosses in DOD are realizing that properly managing information is a critical warfighting tool.

The Air Force office's job is to integrate all the command, control, communications, computers, intelligence, surveillance and reconnaissance systems together.

The interesting thing is that while you're having all these commands formed to better integrate C4ISR, people in the Pentagon are looking at wanting to break up C4I. My argument has always been that if you didn't have it, you'd have to invent it. You need to be able to integrate all of this information or you don't have a Department of Defense. If the bad guys can attack and shut down your systems, you cannot operate.

So the integration of C4ISR, which is what all those offices are intended to do, is absolutely essential for the modern military. I really applaud them.

GCN: Are your government customers asking for different things since Sept. 11?

ANDREWS: They're asking for many of the same things as before, but more of them, and they're asking in a more timely way. They don't want five-year development plans. They want stuff that can be delivered in six months or a year, or 18 months at the outside.

Tools and systems to help manage large amounts of data, better ways to bring information sources together so they can look for indicators of terrorists or criminal activity'these are all things they were thinking about or had started doing before Sept. 11. We're seeing these programs being brought to the top of the stack and adequately funded. And we're seeing a sense of urgency.

A lot of people are looking at how to more effectively use the abundance of bandwidth and communications and how to share data. We're seeing more use of modern IP networks'converged networks with voice and data and video and other things all combined.

You'll continue to see improvement in the performance of information systems. The trend is to faster and more compact data, much faster processing speeds. In all sectors we're seeing large amounts of data being collected and new schemes on how to effectively process it and cull out real information. We're seeing vast increases in capacity and speed in both telecommunications and computing for moving, analyzing and correlating data.

GCN: What's the most important lesson you've learned as a government contractor?

ANDREWS: The first thing I learned was that the customer is always right. The second thing I learned is that the customer is always right, but you may need to help him understand the contractor's view.

One thing I wish I had had when I was in government was more understanding of the impact of some of the decisions I made. It's easy for government to pass rules or delay milestones and procurements. It's much harder for the contractor sometimes. If the government better understood the plight of the contractor and the impact of the decisions, we would all be better off.

I look back and say, 'Why didn't somebody tell me that when I was in government?' I would never have made some of the decisions I made. I'm talking about procurement decisions like flipping programs or delaying reviews, when the impact turned out to be contractor layoffs or work force terminations.

We've got to find ways to communicate that so well-meaning people in the government don't do things inadvertently that harm their industry partners.

Industry and the government work hand-in-glove. I spend my whole day worrying about supporting the government. It's important that the government also understand that I'm running a business.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above