Turf wars hinder federal IT security

When Securify Inc. in June named Carl Wright vice president for federal operations, the Mountain View, Calif., company tapped 11 years of experience in the Marine Corps.Securify last year went from being a managed services provider to a product company, marketing its SecurVantage system for configuration control and management. Government sales of IT security products and services have been critical to the company during the economic downturn, Wright said. 'The federal side is carrying the company right now,' he said. Wright capped his military career as chief information security officer and operations officer for the Corps' IT and Network Operations Center. He was responsible for the Marine Corps Enterprise Network, which has more than 120,000 users around the world.After leaving the Marines as a major, Wright became chief technology officer at Smartronix Inc. of California, Md. In 1999, he received the National Security Agency's Rowlett trophy.Wright received a bachelor of science degree in management from Augsburg College in Minneapolis and a master's degree in IT management from the Naval Postgraduate School in Monterey, Calif. He is completing a doctorate in IT at George Mason University.GCN senior editor William Jackson interviewed Wright at GCN's Washington offices.WRIGHT: Yes. The reality has always been that the federal government is a consumer of new and emergent technologies. Coupled with significantly increased spending on IT security and services, that makes it an extremely viable market.WRIGHT: There aren't many IT professionals in this world who get the opportunity to install, operate and maintain a global, enterprisewide, defense-in-depth security architecture for a 120,000-user network. The Marine Corps provided me with an excellent initial opportunity and experience.But retention in the federal sector is a real problem. Most people believe that IT professionals leave for more money. The reality is that most leave because of poor opportunities for advancement and the lack of organizational commitment to aligning IT objectives with capital investments.As an example, why do some departments have 14 or more enterprise accounting systems? There is rarely an enterprise plan being executed. This makes it tough on already under-resourced IT departments.I left the federal sector because I had accomplished all of my career goals at that level. Timing is everything. To continue to expand my knowledge, skills and abilities as an IT executive, I had to make a transition.For small companies, doing business with the federal government has many barriers: jargon, politics, culture, the Federal Acquisition Regulation, contract vehicles, departmental budget processes and security clearances, to name a few.The federal sector can be rewarding, but it requires significant up-front commitment to navigate the hurdles.WRIGHT: Extremely poor. It's simply a function of departmental stovepipe IT procurements and deployments and a failure to address security as an enterprise lifecycle issue.It is actually easy to solve from a technology perspective. It's the culture and politics that turn it into an extremely complex problem.Every agency and organization ultimately believes that no one else really understands its core IT requirements. The reality is that the provisioning of unclassified Layer 3 and lower services, including security, is the same for every federal organization. The only difference is the amount of bandwidth.But each agency believes that it has to control all these services to ensure it gets the level of support it requires. That is a trust issue.The No. 1 problem with federal security is lack of a security-centric systems development lifecycle for applications. The government's legacy application environment'the poor execution of ports and protocols to transport mission-critical data'is the ultimate reason for security failings.It's amazing to see new applications being fielded with communications requirements that have been vulnerable for 15 years.WRIGHT: It's proportional. The government has more data sharing going on, government-to-government and government-to-industry, than ever before. Most private-sector entities are restrictive about data sharing and incur substantially fewer transitive trust issues.But I recently saw some utility companies with their supervisory control and data acquisition networks erroneously connected to the Internet.WRIGHT: Not to be parochial, I would recommend that every federal organization take a look at the Marine Corps Enterprise Network.Prior to 1998 it was like what I describe as free love and peace, every major organization doing whatever they wanted'as much of the rest of the federal government still is doing today.In late 1997, as a result of the Solar Sunrise hack, senior Marine leaders made a commitment to change the way they did business and at the same time change the culture. We focused on education, re-engineering of network and information architectures, and IT procurement strategies.We centralized everything and ensured that users received better, more secure services than ever before. We learned a tremendous amount in a short time.WRIGHT: Education, particularly of senior leadership. At the end of the day, they write the checks; they had better know what they are buying and how it fits into the enterprise IT and security strategy. There are broad-reaching impacts if the organization is not strategically aligned.The only ones who can ultimately effect meaningful change in a bureaucratic environment are senior leaders. They need to empower their staffs to embrace new ideas.GCN: Has this changed in the past year?WRIGHT: The requirement for securing government systems has always has a sense of urgency, and the deficiencies are becoming public knowledge.You can't turn an aircraft carrier on a dime. This is going to take many years to fix. Most security budgets are not as comprehensive as they should be. For instance, I have never seen a line item for dollars programmed to re-engineer legacy applications that do not communicate securely.Most organizations that have a firewall think they are executing a meaningful security program. A firewall with a bunch of holes in it as a result of insecure legacy application ports and protocols is called a router.Agencies need more resources, but they also need to develop performance measurements. Each dollar spent should incrementally increase the overall security posture.There are some exceptional security professionals working in the government. They can design, deploy and sustain the security technologies that the American public expects. The problem is that in many cases these security professionals' hands are tied by managers who continue to let functional application sponsors deploy insecure applications.We have been out of balance, and now the security professionals are working 24-7 to find compromises that ensure the continuity of business operations. In the end, this is a war against insecure legacy applications. As with any war, we will ultimately win. It just might take a few unfortunate cyberincidents to wake the sleeping giant.WRIGHT: It is unclear to me at this time. I don't like the way the federal government has approached the problem. No one likes the Office of Management and Budget or other regulatory agencies to micromanage.In this case, though, I believe that it's time to put a single agency in charge of all things cyber. It is time to hold organizations responsible for not complying with policy based on strategic cybersecurity objectives.We need a phased plan that would start with something as simple as a federal firewall policy and toothy audits. Eventually, we need to move to centralized provisioning of Layer 3 boundary security services for each agency.If one of the objectives of the Homeland Security Department is to provide for centralized statistical measures of performance, then I will be one of its biggest supporters.