Racing for the Advantage: Leadership Profile of Greg Garcia, Former Bank of America and DHS Executive

Greg Garcia relies on partnerships in the race to stay ahead of the cyber ‘bad guys’


Leadership Home: Winter 2012 “Securing the Mobile Frontier”


Greg Garcia is not one to sit and spin his wheels. He thrives on speed, a little danger and the overall chase. So it’s little surprise that the bicycling enthusiast gravitates toward the intersection of information technology security and government policy.

“It’s speed, it’s endurance, it’s tactics, it’s strategy, and then there’s the adrenaline,” Garcia said of IT security. He was referring to the race to stay ahead of what he called the “bad guys” by anticipating their next move, a race that’s ultimately about safety and protection.

Those elements mimic the thrill he gets from cycling: “To be in a peloton of 50 cyclists, wheel to wheel, shoulder to shoulder, going 30 miles an hour, … the idea of sprinting to the finish and leaving the others behind and jockeying for the advantage, it’s a high-speed chess game. It’s tactical, it’s strategic, and it’s fast.”

Despite his love of competition, Garcia is a man who believes in partnerships. For example, from 2009 to December 2011, Garcia served as partnership executive for cybersecurity and identity management at Bank of America.

The bank has 29 million active online banking customers and handles trillions of dollars a day in financial transactions, many of which are done via mobile devices. Garcia’s background gave him an automatic edge in tackling the public/private challenges of the job: His extensive private-sector experience is complemented by stints on Capitol Hill and at the Department of Homeland Security.


CGI Initiative Fellow Barbara Fast discusses “Racing for the Advantage” profile of banking and homeland cyber executive Greg Garcia from “Securing the Mobile Frontier” the Winter 2012 edition of Leadership.

From 2006 to 2009, he served as the first assistant secretary of cybersecurity and communications at DHS. Earlier in the decade, he served on the professional staff of the House Science Committee, where he helped write the Cyber Security Research and Development Act of 2002. The law gave cybersecurity efforts a much-needed boost by providing nearly $1 billion in federal research funding to colleges and universities.

Along the way, Garcia has held leadership roles at prominent technology associations and his own consulting firm, where he advised companies that want to contribute to the national cybersecurity mission.

Securing ‘Mobile Everything’

Garcia has maintained his cadence in a race without a finish line. He has learned to be proactive and reactive to technology’s constant and lightning-quick evolution. Mobile technology is just the latest frontier. Mobile devices are becoming the preferred mode of communication for many people. As evidence, a recent Pew Internet and American Life Project study found that 87 percent of smart phone owners access the Internet or e-mail via their handheld devices, with two-thirds of them doing so on a typical day. Furthermore, 25 percent of smart phone owners say they mostly go online using their phone rather than a computer.

With the demand for mobile capabilities comes the need for fast-adapting security. Indeed, keeping up with a proliferation of applications and features that have no central owner is one of Garcia’s main challenges.

“What’s developing is mobile everything — mobile computing, mobile identities, mobile banking,” he said. “Many customers are rightfully cautious when it comes to financial services on a mobile platform. But I think the demand will continue to grow. We’ve got to meet that challenge and bring the bank to the customers in ways that are convenient and secure.”

To do it, he uses an old standby — partnerships. At the fundamental level, he said device and software developers need to include security in their frameworks. “We need to continually impress upon vendors that as customers, we demand high security so customers aren’t given devices or apps that are fundamentally insecure,” Garcia said.

Next, the commercial sectors must work together on cybersecurity. Beginning in 2003, the government called on various industries to work together to protect critical infrastructure and collectively find and eliminate vulnerabilities.

“The financial sector works very well together for one particularly compelling reason, and that is that we don’t look at cybersecurity in competitive terms,” Garcia said. “You might think that’s counterintuitive. Wouldn’t one bank want to say, ‘Hey, we’re more secure. We keep your money more secure than the next bank’? In cybersecurity, it’s not as easy to say that, and it’s because we are all interconnected. Banks realize they are all targets.”

Lastly, industry and the government must join forces. Threats range from hackers who are simply curious to those who are politically motivated, as well as cyber criminals and cyber spies. It’s impossible for one entity to monitor them all.

“What everyone should know is that the policy and business as they relate to cybersecurity go hand in hand,” Garcia said. “Because we are in the world of technology and the Internet and security, we’re all interconnected, and if we’re all interconnected, we’re all interdependent. And if we’re all interdependent, it means we’d better be working together and collaborating and sharing the kinds of cybersecurity information and best practices that we can deploy to protect ourselves collectively. Information that isn’t shared is useless.”

“There is a fundamental understanding that major financial institutions that manage financial transactions over a technology network have a responsibility to partner with, coordinate with, collaborate with the government, with other financial institutions, with other industry sectors to be sure that collectively we’re not missing anything, that we’re able to join forces and share with each other so we have a common operational picture about what’s happening — not just in day-to-day cyberattacks, incidents or probes but what’s happening over time,” he said.

The Cost of Safety

Cybersecurity is important to any industry, but the financial sector banks on it; people need to know that their money is safe. With that in mind, Bank of America and other leading banks have instituted $0 liability protection for any fraudulent activity originating from online banking.

“I’m not concerned that we have something called a cyber Pearl Harbor that’s going to break down the Internet,” he said. “I think we need to be concerned mostly about the kinds of attacks that have rippling effects that can cause loss of confidence in the Internet as a mode of doing business.”

“I am concerned about what we cannot see,” he added. “This is where connecting the dots, as it were, in cyberspace is so critically important, where we have the ability of government and industry to share the kind of information that’s going to protect us.”

The challenge lies in making that sharing routine and the relationship natural. Garcia said we need to move beyond the past need-to-know mindset and embrace the need to share. “That’s a cultural shift more than anything else. It’s something that takes time and commitment.”

Of course, cybersecurity requires resources, too, which Garcia says is an ongoing challenge even when budgets aren’t tight. “It is often difficult to prove the negative,” he said. To illustrate, he describes a typical conversation: “‘Boss, we invested a million dollars in a security strategy, and we haven’t had any cyberattacks.’ And the boss says, ‘Is that because we invested a million dollars or is that just because we were lucky? Prove it to me.’”

To demonstrate the value of cybersecurity, Garcia turns again to joining forces by presenting a plan to managers that compels them to get onboard. “One way to look at it is to go through risk-based scenarios, do the what-ifs,” Garcia said. Once you do that, it’s easy to show that cyberattacks can affect every aspect of a company and its customers.

“I think any reasonable company can look across the threat environment in this country today and say the likelihood of a cyberattack happening against us is pretty good now because it’s proliferating, because it’s big business, because people can buy hacking tools online now. They’re freeware and open source.”

Connecting Government and Industry

Garcia began his career with a focus on business. He earned a bachelor’s degree in international business from San Jose State University in 1985. Interestingly, the school’s motto is “Powering Silicon Valley,” America’s technology heartland.

Ultimately, innovation attracted Garcia to technology, and government service attracted him to security. He joined the House Science Committee a week after the terrorist attacks of Sept. 11, 2001.

“I came into the technology field seeing how government policy, whether it’s legislative or regulatory, can affect the success of business generally and technology innovations specifically,” he said. “I knew early on that I wanted to be at that connect point where I could influence how government thinks about technology and make sure the technology industry was prepared for changes in government policy and that it can contribute to economic growth.”

He spent almost two years working with the Science Committee to promote political outreach to the IT community, but his proudest accomplishment at that time was helping to author and enact the Cyber Security R&D Act.

“I had come from the technology community to the Science Committee to do my part, and the first piece of legislation I ever wrote became law,” Garcia said. “Probably not a lot of congressional staffers can claim that notch in their belt.”

When he left the Science Committee in April 2003, he affirmed that commitment by becoming vice president of information security programs and policy at the IT Association of America. He resigned from that position when President George W. Bush asked him to join DHS.

Cybersecurity Czar

When Garcia was appointed assistant secretary of cybersecurity and communications at DHS in October 2006, then-DHS Secretary Michael Chertoff said, “Greg brings the right mix of experience in government and the private sector to continue to strengthen our robust partnerships that are essential to this field.”

Again, the word “partnership” appears. At first, Garcia felt inundated, but he pedaled through and found his rhythm.

“Shortly after I was appointed, somebody had sent me a link that went around the Internet and somebody had created a video that said, ‘If you were Greg Garcia, what would you do?’” Garcia said. “I actually listened to it and took some advice from these people. There was a big spotlight on me. It was a spotlight I certainly didn’t shrink from, but I rapidly realized that cybersecurity was becoming a very hot topic, and so there certainly was no shortage of federal government agencies that rightly had something to say about it.”

When Garcia took the job at DHS, he became the highest ranking cybersecurity official in the government and was referred to as the cybersecurity czar until Howard Schmidt was appointed cybersecurity coordinator at the White House.

As the first person to hold the position at DHS, Garcia had the opportunity to shape it. Top of his to-do list was — what else? — to partner with government agencies that had a variety of responsibilities, such as defense, diplomacy and law. Chief among his partnership initiatives was the so-called “Einstein” intrusion-detection program that enabled Garcia’s Computer Emergency Readiness Team, or US-CERT, to help government agencies protect their networks from cyberattacks that were increasingly targeting sensitive government data. Garcia also collaborated with the Defense Department’s Joint Task Force for Global Network Operations on threat data sharing and with the Federal Trade Commission on consumer awareness about cyber crime and security tips.

“I think those relationships are evolving within the government,” he said. “We’ve come a long way since the time I kicked it off with DHS, so I have only optimism for the future.”

During his two-plus-year tenure at DHS, Garcia oversaw the National Cyber Security Division, the National Communications System and the Office of Emergency Communications, where he helped establish a National Emergency Communications Plan and 56 plans for federal, state and local first responders.

When he left DHS in December 2008, he e-mailed colleagues at the department: “We have affirmed the urgency of cybersecurity across the nation and embarked on a comprehensive cyber initiative that will measurably strengthen the security of our nation’s networks against domestic and international threats.”

Three years later, he said DHS is still on the right track. “DHS is recognized as the principal interface between the government and industry as it relates to cybersecurity, and they need to strengthen that role and make sure they take leadership in that area,” he added.

After shifting gears between industry and government work, Garcia is happy to be back in the private sector. “I see dedicated people in both worlds,” he said. “What gives me energy are the people … who understand that collaboration isn’t just a word, it’s a path to success. And I saw it in government, at Homeland Security. There are people who are still there who were on my team at DHS and are still dedicated because they believe in it.”

“We often find ourselves in professions that we fall into, but I love what I’m doing,” he added. “I’m part of something bigger than myself.”
