IT


Melissa Hathaway, who led President Obama’s Cyberspace Policy Review, now says the Administration and Congress don’t seem prepared to make the short-term sacrifices necessary to secure the Internet.

Hathaway co-signed an op-ed article in today’s Washington Post with Jack Goldsmith, a former assistant attorney general in the Bush Administration.  The bipartisan byline captured my attention.

Citing the numerous reviews (including the one Hathaway just completed), the authors conclude: “We know what the road toward security looks like; the hard part is getting the government to travel down it.”

Threats from cyber-attackers, some sponsored by governments, are becoming more apparent every day (see my recent post.)  And our exposure and vulnerability to computer disruptions are growing.  Tomorrow it won’t be only Google, or (heaven forbid) the power plant  or hydroelectric dam.  Networked computers are playing a bigger role in traffic management, and are creeping into our health care records and even into our home appliances.

Hathaway and Goldsmith hint at how truly addressing the problem would restrict the private sector, change government and make our online activities more expensive.  Looking at some bills in Congress on the subject gives an idea of some of the adjustments business and consumers would have to make.  One would require your ISP to notify you if your computer has become infected with a virus.

If you want a contrary view, read the recent article by Evgeny Morozov in the Wall Street Journal.  Still, the stronger software standards and better cross-government coordination advocated by Hathaway and Goldsmith seem reasonable to contemplate.

Any real solution will be a classic case of short-term pain versus long-term gain, with the gain hard to imagine until we encounter a worst-case scenario.  The situation is kind of like the uncontrollable oil spill in the Gulf of Mexico.

Disclosure: I work for CSC, a global information technology services company that has a strong suite of offerings in cybersecurity.

Secretary Clinton’s speech about Internet freedom and security at the Newseum last January pulled cybersecurity out from under the radar.  It also planted another major issue on the capacious platter of Sino-U.S. relations.  Developments since then seem to place the emphasis on security more than on promoting freedom.

Media reports of cyber attacks on government and business Web sites and networks have multiplied this year, as the U.S. has begun taking steps to put comprehensive cybersecurity measures into place.  The “advanced persistent threat (APT)” attack on Google, which prompted a threat to withdraw from the Chinese marketplace, aimed to steal information from the company’s network.  Experts traced the attack to hackers with connections to Chinese technical schools.  Similar attempts against U.S. agencies including the State Department are rife.  My impression is that the government of China is secretly encouraging attacks like these while denying any involvement.

It’s now in the interest of all countries to define and enforce norms of behavior, as Secretary Clinton stated.  Our country cannot afford to be self-righteous about the issue.  Many of the attacks rely on armies of personal computers that have been compromised by software that allows hackers to use them at will.  McAfee, the computer security company, estimated over a million infected computers in both the United States and China.  McAfee also sponsored a survey recently, carried out by the Center for Strategic and International Studies, to probe the views of 600 IT and security executives in 14 countries.  Respondents in Brazil, Spain and Mexico said the United States was to be most feared with regard to cybersecurity.

The new cybersecurity command at the Defense Department and the recent appointment of a White House cyber coordinator (Howard Schmidt) promise further development of a U.S. doctrine with offensive and defensive sides.  This aims to prevent the nightmare scenario of an attack that wreaks destruction by disabling power stations, communications and other strategic national capabilities that are owned and operated by the private sector.  I’ve heard mixed assessments of how likely such a dire scenario may be.  However, former government officials in a simulation exercise this year called Cyber Shockwave found they had no powers to stop a cyber attack.

The government and a council of private companies (including CSC, one of my employers) have been consulting on cyber warfare defenses for a year or so.  On Capitol Hill, Senators Jay Rockefeller and Olympia Snowe have proposed legislation.  However, the U.S. has a road ahead before it can be confident that our Internet communications are well protected against outside interference.

Clearly, establishing some laws of cyber war is a big part of the solution.  James Lewis, director of SAIC’s Public Policy Program, described Secretary Clinton’s speech this way.  “This isn’t a declaration of war.”  [To the Chinese and others]  “It’s saying, ‘Hey, listen we’ve really got to talk.  There are rules, we need to make them clear, and we have to obey them.’”

The State Department continues to exploit social media for internal collaboration and for public diplomacy.  But there is a third dimension where progress is less visible: using technology to conduct foreign relations.  It’s hard to find a consistent push in this direction — arguably the area where technology can produce the most concrete results.

State emphasizes mobile and interactive Web technologies for public communication, and appropriates new media organizations like Twitter and Facebook.  In the social media arena, Department headquarters is on par with standard commercial public relations; the embassies, less so.

New media also abound inside the State Department’s IT networks.  This year, e-mail will finally replace the venerable diplomatic cable as SMART rolls out to all embassies.  The best read on this development comes from Dr. Barry Fulton, describing the new SMART messaging system in the online journal American Diplomacy.  SMART cables will be available across the enterprise to anyone with the proper clearance (and special permissions for cables dealing with personnel and like topics).  Diplomats can arrange feeds and alerts on topics of interest among the stream of internal messages.  SMART is really a family of new ways to communicate, including instant messages and Sharepoint, which have already been in use for some time.

Internal blog pages and wikis allow employees to form groups to pool information.  Sixty communities share ideas about subjects ranging from desk officer tradecraft to Afghan strategic communications to IT technical problems.  The Secretary’s Sounding Board, an exercise in “ideation,” collects and displays ideas for more effective diplomacy and posts comments from readers.  The Diplopedia wiki hosts thousands of articles created by more than a thousand employees for internal reference.  For example, most every embassy publishes post reports, fact sheets and newcomers information.  Department employees have the tools and the will to share far more updated information than they did ten — even five years ago.

In fact, State is considering a new level of internal collaboration: a social network that might be compared to LinkedIn.  This would move the Department from the communal blog or wiki to a peer-to-peer style of networking.  Those who have worked in the Department can imagine the implications for hiring, selection and career advancement — not to mention the possibility of seeking out those other people on the network with a deep interest in, say, the Transnistria border dispute.

In other words, the State Department is only a step behind the private sector in the tools and traits of internal collaboration.  But what about using information technology to expand the communication channels with other governments?  Or to support broad U.S. interests in human rights or economic development?

Here the picture is less clear because there is no sponsoring office.  State’s eDiplomacy office has created and maintains the social media mentioned above, but its mandate outside the Department goes no further than other government agencies and NGOs — and this is not its main thrust.

Yet it’s hard to find innovation in communication between governments.  A generation ago, State set up hot lines with Russia to prevent unintentional nuclear strikes.  Where are the ideas to expand risk-reducing communications with today’s adversaries like Iran?  And what role could online collaboration play at a global negotiation like Copenhagen?  The U.S. military has improvised technology to manage joint operations, exercises and humanitarian relief.  Am I missing similar efforts at State and USAID?

As for using innovation to advance U.S. interests,  there are points of light but — lacking a sponsor — there is no discernable path toward innovation.  USAID delivers technology training and works to narrow the digital divide.  It also develops economic opportunities by encouraging information sharing among entrepreneurs and even services like banking through mobile phones, which are becoming the poor man’s computer throughout the developing world.  But USAID’s information technology page is blank.  You have to look through its “success stories” to see how technology is being used.

This is the brief of Alec Ross, the Secretary’s advisor on innovation.  He spoke recently at Brookings Institution about using technology to effect change abroad, rather than to persuade or coordinate.  It was a wide-ranging presentation that balanced every point of light with the dark side of technology.

  • A U.S.-supported anonymous SMS service enables citizens to report crimes in Ciudad Juarez without fear of retribution.  But criminals use the Internet for illegal trafficking of drugs and humans.
  • Banking by mobile phone allows Kenyans to transfer and save money securely.  But the Internet also facilitates financial crime.
  • Iranians and Chinese activists use Twitter and similar media to organize.  But authoritarian regimes penetrate citizen networks to stifle dissent.

Ross didn’t want to discuss the subject of cybersecurity.  (The Administration had just named a government coordinator for that.)  However, the subject kept popping up during the Q and A period.  Penetration of infrastructure technical systems and agency networks is among the United States’ many vulnerabilities.  On the policy level, the use of technology to combat international crime and promote human rights poses many trade-offs where technologists need to be conferring with foreign policy experts.

Perhaps more than an institutional sponsor, State and USAID need a review of initiatives and ideas that are surely percolating throughout their organizations.  An inventory of projects and innovations, with some case studies shared throughout the civilian foreign policy agencies, might identify successful approaches and stimulate new ones.

This may be one of those rising subjects for the Teens, or whatever we wind up calling the next decade.

We’re all aware that hiring managers are checking the Facebook page of prospective employees for any negative or embarrassing information, but it’s growing easier to evaluate existing employees’ intellectual contributions, as social networking expands both on the Web and inside organizations.

Most of us are familiar with the restaurant ratings on sites like www.yelp.com.  As annoying as I find the misspelled words, sloppy grammar and evident poor taste of the customers writing in, I’ve developed the habit of checking Yelp before I book my table.   

A recent Financial Times article by social software expert Paul Pluschell points out that as individuals contribute more on line, astute researchers can search, compile and evaluate their thinking and modes of expression.  Pluschell writes:

“Online reputations are now easier to calculate, and they are being used to improve the distribution and consumption of information online.

“The generation and benefits of online reputations are not limited to social media on the web. Inside large enterprises with thousands of geographically dispersed employees, it can be surprisingly hard to know who provides input of consistently high value.”

Pluschell goes on to quote another expert.

“Gary Hamel, a Visiting Professor at the London Business School, sees this changing. At the recent World Business Forum in New York, he stated: ‘In the next few years, it will be possible to attach a leadership score to any employee.’”

This is not just theory; it’s happening where I work.

  • Online idea forums are running inside both the State Department and CSC networks (not on the public Web).  On these electronic suggestion boxes, you can see the names of contributors and judge their value for yourself.  Most allow comment and some invite other employees to vote for the best ideas.
  • I recommend and am recommended on LinkedIn.com, where you can see my “official” profile plus comments I make on discussion groups.  Same on GovLoop.
  • The State Department is considering the establishment of an internal social network that could allow users to build their own profiles and build their own personal groups. This would be on top of its already robust Diplopedia wiki and function-based communities.  CSC already has a beta social networking site running inside its private network.

Over the next few years, active thinkers and people who take time to write down their thoughts will build “corridor reputations” in these places.  Then it will be up to management to determine whether that translates into their next promotion.

After so many Dilbert cartoon panels, it was inevitable that thinking people would begin to probe the mystique of management consultants.  Having got near the business, I must take note of recent articles in my two lodestar publications.

The New Yorker published last October 12 a review of the book In the Management Myth: Why the Experts Keep Getting It Wrong.  Critic Jill Lepore goes back to the origins of the industry: Frederick Winslow Taylor, called the “father of scientific management,” who made a career of studying worker efficiency in industrial plants in the early 1900s.  Now fast forward to the era of knowledge workers.   In the company I work for — CSC — we sell computer software to simulate and automate organizational business process, along with many competitors.

According to Lepore, the book makes a pretty good case that the original “Taylor fudged his data, lied to his clients, and inflated the record of his success.”  In the process, the author Matthew Stewart examines and criticizes Taylor’s legacy of business school theories and modern management consulting.

Later in October, The Economist published a clever article called “The Three Habits…” (of “highly irritating management gurus.”)  This takeoff on the popular Stephen Covey book back in 1989 questions the loose methodology of Covey, Tom Peters and other successful business book authors.  “Stale ideas … numbered lists … and false principles” abound among these writers, who take to the lecture circuit with PowerPoint slides.  At a recent webinar, Peters delivered a series of quips and random ideas that were handed out in booklet form.  They reminded me of Chinese food: tasty, but not satisfying.

McKinsey, CSC, Booz-Allen and other companies have provided brilliant advice and made a difference in organizational performance both in the private sector and public sector.  My question is how the true success stories compare in numbers to the failures.  For example, we know the majority of new IT projects fail.  There’s a statistic that could make next year’s best seller among the Top Ten Business Books.

Today’s vote by the board of the Internet Corporation for Assigned Names and Numbers (ICANN) is worth a note.  As expected, ICANN has decided to allow Internet addresses’ top-level domains (.us, .it etc) to be expressed in scripts other than Latin.

The results, as reported by the Associated Press, may be less than dramatic for that half of the world that writes in Chinese, Arabic, Russian, Korean and other scripts.  Still, over time the decision will encourage new Internet users and possibly open new business opportunities.  It may preserve international governance of the Web.  And it will certainly open new issues for business and government whether in “the West” or elsewhere.

Vive la difference!

The Obama Administration’s technology policy took a step forward with the advent of www.apps.gov where government agencies can purchase standard software and “cloud computing services” from the General Services Administration.

Federal Chief Information Officer Vivek Kundra has touted this electronic storefront; his agenda is to press agencies to lower costs by accepting standardized software and data stored on the Internet rather than in government-owned centers.  (See my post of July 15.)

One obstacle is data security, where the hard piece is to fashion services that comply with the Federal Information Security Act.  That’s in progress now.

The more difficult barriers have to do with management and culture.  CSC, where I work part-time, just published a paper that lays out the technologies which have made cloud computing possible: cheaper hardware and higher bandwidth.  But it’s the new practices of the cloud providers — the mingling of data in large cyber-warehouses and the  “pay by the drink” charges — that pose challenges to federal CIOs.  Will this really be cheaper?  What are my responsibilities in a new type of contract?

Reader, you should take a look at www.apps.gov and its offerings: business, cloud services, productivity and social media.  Many are free.  Others are “TBD.”  All are standard, and that may be another challenge to State Department decision-makers who think they need to build their own apps because “we’re special.”

Six years ago, Nicholas G. Carr wrote an influential article in the Harvard Business Review titled “IT Doesn’t Matter.” Carr pointed out that since everybody was using information technology, computing was becoming a kind of utility.

Carr’s insight came to mind today at the Cloud Computing Symposium at National Defense University.  With heavy industry sponsorship, 800 people from government and government contracting filled the large auditorium — probably just to figure out what the heck cloud computing really is.  Turns out that cloud computing amounts to IT services delivered as a utility, over the Internet.

If I buy a word processing program, I save my brilliant essays inside my computer; if I write this blog post on WordPress’ editing screen, WordPress saves the bytes somewhere in that Internet “cloud.”

Vivek Kundra, the Federal Chief Information Officer, wants the U.S. government to get a lot of its computing done from the “cloud.”  (Techies visualize the Internet as a cloud, since they can’t draw a good diagram of it.)  He wants agencies to get away from building their own software and data centers, and to be able to buy them as they need them from commercial vendors. In his last job, Kundra saved the District of Columbia lots of money by adopting applications for word processing, spreadsheets and the like from Google.

Google Enterprise President Dave Girouard got to give a keynote address, which enabled him to give a sales pitch for Google applications and other cloud services and also to skip questions from the audience.  Google has really upped its game in Washington over the past few years.  (I should disclose that the company I work with, CSC, helped underwrite the event and presented its wares at the conference.)

Subsequent panelists, however, weren’t quite so sanguine about storing their data in the cloud.  Most govvies worry: if your data is in the cloud and not in that box in the back office, how do you know it’s safe?  How do you know you can get to it if you must?

The panelists — from the Gartner Group, industry and government agencies — were satisfied that data security could be guaranteed.  One pointed out that his personal information had once been compromised through the loss of a government laptop computer.

However, some IT cloud services are more reliable than others, and one speaker noted that renting IT doesn’t always cost less than buying your own.  Government customers have to understand their own needs at a different level to buy smart.  (To get an idea of emerging industry standards, you can go to the Cloud Standards Alliance page.)

Information technology seems exceptionally given to fads.  The Gartner Group, an IT consultancy, created the hype cycle.  One panelist said cloud computing sits at “the biggest peak [of inflated expectations] I’ve ever seen.”  The next stage in the Gartner Hype Cycle is the “trough of disillusionment.”

Icarus fell into the sea after flying too close to the sun.  Maybe if he had stayed in the cloud, it would have been different.

After a nearly-ten-year quest, the State Department is about to get a new official communication system, replacing cables with electronic messaging.

 I recently glimpsed a developmental version of SMART Messaging, which is undergoing tests at several foreign posts and in selected bureaus of the Department.  If the remaining pilots are successful, State will roll out the system to all embassies starting late this year or early next.  During 2001 – 2003, I was privileged to serve on the Steering Committee that set the basic parameters of the new system.  It was refreshing to see that SMART preserves the essential characteristics that the Committee called for when we gave SMART its name.  (Back then, the moniker was not so overworked.)

 The new messaging application matters to diplomats because it dramatically expands who can see their reports.  It matters to the public because more messages, which shape and implement foreign policy choices, will be archived and potentially available to historians and other interested parties.

 The present diplomatic cable technology dates back to World War II, patched and digitized to fit with modern communications networks.  But only so much can be done.  For example, if an embassy is not on the distribution list of a message, its officers cannot see the message without making an express request — if they learn of the message’s existence in the first place.  Official cables carry text only – no pictures, much less sound or video.   Unclassified messages are not accessible on the computer screens of diplomats who are using the classified network.

 Because of limitations like these, diplomats have done more and more business and reporting via e-mail, which is not archived according to government standards as cables are.  For every cable that goes out, thousands of e-mails are sent, meaning that a great deal of the official record is being lost to future historians.

With SMART, e-mail will take the place of cables.  A special Microsoft Outlook application on every State Department classified and unclassified computer will let the user create a simple non-record message (“the embassy library will be closed tomorrow”) or an official message for the archive (“2009 Human Rights Report” or “H1N1 flu update for Honduras”).  The same user can query that archive for others’ messages, using a Google search engine inside the network, and can set up alerts specifying topics.  SMART has the appearance of Outlook, but it is, well, smarter.  Think of one of those NASCAR racers that looks like any old Dodge on the outside, but is rather complicated under the hood.  SMART, by the way, stands for State Messaging and Archive Retrieval Toolset.  It has lots of features that I don’t mention here.

 To establish this new system involved more than a lengthy software development program.  It took a decision by Secretary Colin Powell in 2002 to change the “need to know” rule and to permit general access to messages by cleared personnel.  Before, technology and need-to-know security rules conspired to limit what officials could see – even if they held the proper clearance.

 Sending record e-mails that are searchable within an official government archive will surely concentrate the mind.  Ambassadors, senior reporting officers and officials in Washington will know that their record e-mails can be seen by anyone in the Department (and other agencies of government) with the right clearance, and that they may at some time be subject to Freedom of Information Requests or even legal demands.  Every time they initiate a message “for the record,” SMART will prompt them to make conscious decisions to justify classification and to tag the message for retrieval.

 Knowledge is power, and State has been described as a knowledge machine.  To exploit SMART technology, however, diplomats will have to learn its technical nuances and will also have to exercise judgment about what belongs in the government archive and what doesn’t.  All part of smart power.

“We have to make this site robust enough to accept this huge tidal wave of data that’s going to come rushing in here in October.”  That’s Earl Devaney talking to the Washington Post about www.recovery.gov, the Administration’s Web site established to track federal stimulus funds.  (See my post of March 7.)

Devaney is chairman of the Recovery Accountability and Transparency Act Board, which is looking for ideas from the public about how to employ information technology to improve stimulus funds management.  Idea categories include data collection, storage and analysis; detecting waste, fraud and abuse; and Web site design.  The Board’s online forum closes today.  They will spend as much as $84 million on oversight, according to the Post’s article.

 Can the Board make Recovery.gov more than a pretty Web page?  You can take a look and make your own judgment.
