<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CGI Initiative for Collaborative Government</title>
	<atom:link href="http://www.collaborativegov.org/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.collaborativegov.org</link>
	<description>Partnering for Mission Results</description>
	<lastBuildDate>Mon, 30 Apr 2012 20:28:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.2</generator>
		<item>
		<title>Supply Chain Risk Management Awareness</title>
		<link>http://www.collaborativegov.org/2012/04/supply-chain-risk-management-awareness/</link>
		<comments>http://www.collaborativegov.org/2012/04/supply-chain-risk-management-awareness/#comments</comments>
		<pubDate>Mon, 30 Apr 2012 20:28:16 +0000</pubDate>
		<dc:creator>Barbara Fast</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[AFCEA]]></category>
		<category><![CDATA[Barb Fast]]></category>
		<category><![CDATA[CGI Initiative for collaborative government]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[supply chain]]></category>

		<guid isPermaLink="false">http://www.collaborativegov.org/?p=2968</guid>
		<description><![CDATA[As the horizons of our technologies expand, so must our vigilance of the components forming the supply chain of our &#8230; <a class="morePermalink" href="http://www.collaborativegov.org/2012/04/supply-chain-risk-management-awareness/">More</a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.collaborativegov.org/wp-content/uploads/2012/04/fast.jpg"><img class="alignleft size-medium wp-image-2969" title="fast" src="http://www.collaborativegov.org/wp-content/uploads/2012/04/fast-212x300.jpg" alt="" width="158" height="224" /></a>As the horizons of our technologies expand, so must our vigilance of the components forming the supply chain of our hardware, software and firmware.  This issue is one I’ve worked closely with lately, serving as lead fellow for the CGI Initiative’s Winter 2012  <em><a href="../../../../../lead">Leadership journal</a>. </em>Our <a href="../../../../../2012/02/chain-of-security-leadership-profile-of-teri-takai-chief-information-officer-u-s-department-of-defense/">profile of DoD CIO Teri Takai centered on supply chain security</a> and the topic was also a point of conversation at the <a href="../../../../../2012/02/securing-the-mobile-frontier-executive-discussion-a-guide/">Securing the Mobile Frontier Executive Discussion panel</a> we hosted February 16, 2012.</p>
<p><em>Supply Chain Risk Management Awareness</em>, a white paper released in April 2012 by AFCEA’s Cyber Committee that  I had the privilege of co-authoring, lays out key issues, current initiatives and ongoing challenges as a means of fostering discussion and collaboration on this crucial topic.  <a href="http://www.afcea.org/committees/cyber/documents/Supplychain.pdf">To read the whole AFCEA paper, click here</a>.</p>
<p>While there is a lack of metrics to fully characterize the supply chain issue, it is important to look at some of the key factors surrounding the SCRM issue.  In the paper, we call out several of these points:</p>
<ul>
<li><strong>SCRM is a global problem</strong>. When developing solutions for supply chain risk, it is important to remember the worldwide implications of the issue – and that the issue is too big for any one organization or government entity to address alone.</li>
<li><strong>There is value in pursuing SCRM as active public-private partnership initiatives.</strong> By addressing supply chain risk through voluntary public-private partnerships, we can build the potential for a greater number of positive outcomes compared to prescribed laws or regulations. The keys here are dialogue, incentives, voluntary risk assessments, and information sharing (both public and private).</li>
<li><strong>We need to understand the full spectrum of the SCRM risk</strong>. Action items for decision-makers include: determining the actual threat, identifying the vulnerabilities in our systems, calculating the capabilities of our adversaries, determining the intentions of malicious actors, and evaluating the actual cost/impact of a compromised component.</li>
<li><strong>More effort is needed to bring current SCRM efforts into focus</strong>. While there are a number of efforts underway to address the SCRM issues, there is no established consensus on the scope of the problem or a mitigation plan.</li>
<li><strong>We can cut risks using SCRM standards.</strong> We are seeing supply chain risk mitigation standards becoming incorporated into the engineering phase of products, rather than just an inspection of the product. However, this does not cut risk entirely. We determined that the focus of mitigation, from an engineering point of view, then becomes: “How can I mitigate the risk of a faulty or compromised component?”</li>
</ul>
<p>To address these SCRM challenges, we need to approach the situation as we would if we were living in a bad neighborhood. Rather than taking on the problem with a piecemeal method, we find that, as the AFCEA paper says, “a new business paradigm encompassing a systematic approach is required along with recognition that not all countries share the same set of economic values and business models.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.collaborativegov.org/2012/04/supply-chain-risk-management-awareness/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8220;Securing the Mobile Frontier&#8221; Executive Discussion: A Guide</title>
		<link>http://www.collaborativegov.org/2012/02/securing-the-mobile-frontier-executive-discussion-a-guide/</link>
		<comments>http://www.collaborativegov.org/2012/02/securing-the-mobile-frontier-executive-discussion-a-guide/#comments</comments>
		<pubDate>Tue, 28 Feb 2012 19:01:54 +0000</pubDate>
		<dc:creator>CGI Initiative for Collaborative Government</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Mobility]]></category>

		<guid isPermaLink="false">http://www.collaborativegov.org/?p=2797</guid>
		<description><![CDATA[One of the most pressing issues facing leaders in government and industry in 2012 is the ongoing challenge of securing &#8230; <a class="morePermalink" href="http://www.collaborativegov.org/2012/02/securing-the-mobile-frontier-executive-discussion-a-guide/">More</a>]]></description>
			<content:encoded><![CDATA[<p>One of the most pressing issues facing leaders in government and industry in 2012 is the ongoing challenge of <a href="http://www.collaborativegov.org/category/cybersecurity/">securing cyberspace</a> – a topic that has grown increasingly complex with the rise of <a href="http://www.collaborativegov.org/category/mobility/">mobile technology</a>.</p>
<p>While the threat of cyber attacks is <a href="http://www.fbi.gov/about-us/investigate/cyber/cyber">well documented</a>, the philosophies, strategies and actions in combating these dangers are an ongoing point of conversation for industry experts and end users alike.</p>
<p>In an effort to facilitate dialogue on this issue, the CGI Initiative for Collaborative Government along with academic partner <a href="http://www.collaborativegov.org/partners/virginia-tech/">Virginia Tech</a>, hosted an <a href="http://www.collaborativegov.org/2012/02/make-security-as-invisible-as-the-threat/">executive discussion</a> on February 16, 2012 at the Ronald Reagan Building and International Trade Center in Washington, D.C., featuring insight from an expert panel of leaders from government and industry.</p>
<p style="text-align: center;"><a href="http://www.collaborativegov.org/audio/cyber_mobility_event.MP3"><strong>To listen to the event in its entirety, click here.</strong></a></p>
<p>Moderated by <strong><a href="http://www.collaborativegov.org/experts/barbara-fast/">CGI Initiative Fellow Barb Fast</a></strong> and <strong><a href="http://www.hume.ictas.vt.edu/">Hume Center for National Security and Technology, Virginia Tech Research Center @ Arlington </a>Director Dr. T. Charles Clancy,</strong> the panel covered a variety of points central to the issue, including the security responsibilities of end users, automation of mobile security, the role of cloud computing technology, the supply chain and the rapidly evolving nature of cybersecurity.</p>
<p>With over 100 attendees, the discussion was held in conjunction with the launch of the new edition of the Initiative’s <em>Leadership</em> journal, “<a href="http://www.collaborativegov.org/lead/">Securing the Mobile Frontier</a>.” For more information, see the &#8220;In-Depth Perspectives&#8221; portion of this guide.</p>
<p>Panelists included:</p>
<p>• <a href="../2012/01/running-the-rapids-leadership-profile-of-gregory-schaffer-assistant-secretary-office-of-cyber-security-and-communications-u-s-department-of-homeland-security/"><strong>Greg Schaffer</strong></a>, Assistant Secretary, Office of Cybersecurity and Communications, Dept. of Homeland Security<br />
• <strong>MG Steven Smith</strong>, Director for the <a href="../2012/01/connected-for-battle-leadership-profile-of-lt-gen-susan-lawrence-ciog6-united-states-army/">U.S. Army CIO/G6 Cyber Directorate</a><br />
• <a href="../2012/01/open-warfare-leadership-profile-of-peter-levin-cto-department-of-veterans-affairs/"><strong>Dr. Peter Levin</strong></a>, Senior Advisor to the Secretary and CTO for the Dept. of Veterans Affairs<br />
• <a href="../2012/01/global-cyber-sleuth-leadership-profile-of-christopher-painter-coordinator-for-cyber-issues-u-s-department-of-state/"><strong>Christopher Painter</strong></a>, Coordinator for Cyber Issues, Dept. of State<br />
• <a href="../2012/01/securing-the-airwaves-leadership-profile-of-edward-amoroso-chief-security-officer-att/"><strong>Dr. Ed Amoroso</strong></a>, Chief Security Officer of AT&amp;T<br />
• <a href="../2012/01/racing-for-the-advantage-leadership-profile-of-greg-garcia-former-bank-of-america-and-dhs-executive/"><strong>Greg Garcia</strong></a>, former senior security officer at Bank of America and the Dept. of Homeland Security</p>
<h1 style="text-align: center;"><strong>Key Takeaways</strong></h1>
<p style="text-align: center;"><strong><em>Framing the Discussion</em></strong></p>
<p style="text-align: left;"><strong><em>(Note: Time of discussion noted at end of quote)<br />
</em></strong></p>
<p><strong>Clancy</strong> – “There has been a lot of work going into securing the device and securing the network, but these are just pieces of an overall puzzle and we need to secure the user and service on either end of the spectrum.” (17:55)</p>
<hr />
<p style="text-align: center;"><a href="http://www.collaborativegov.org/wp-content/uploads/2012/02/Clancyimage1.jpg"><img class="size-full wp-image-2872 aligncenter" title="Clancyimage" src="http://www.collaborativegov.org/wp-content/uploads/2012/02/Clancyimage1.jpg" alt="" width="354" height="334" /></a></p>
<h5>Dr. Clancy provided the above image as a framework for the discussion around layers of security, COTS &amp; GOTS and security &amp; cost.</h5>
<hr />
<p>“Seeing what the federal government is doing will trickle down into enterprise and small businesses as well.”(19:45)</p>
<p style="text-align: center;"><strong><em>Application Security</em></strong></p>
<div id="attachment_2942" class="wp-caption alignleft" style="width: 310px"><a href="http://www.collaborativegov.org/wp-content/uploads/2012/02/Amoroso-event21.jpg"><img class="size-medium wp-image-2942" title="Amoroso-event2" src="http://www.collaborativegov.org/wp-content/uploads/2012/02/Amoroso-event21-300x200.jpg" alt="" width="300" height="200" /></a><p class="wp-caption-text">Dr. Ed Amoroso on application security.</p></div>
<p><strong>Amoroso</strong> – “Remember when computer security was making sure you weren’t putting an infected floppy in your computer? (App Stores are a similar situation) you have no idea where that software came from – and if you think the vetting that goes on there is sufficient, then ask your auditor if that vetting is sufficient, and you’ll find it isn’t.” (42:30)</p>
<p><strong>Schaffer</strong> – “We have seen just in the last couple of years, the number of providers of apps for mobile devices explode – in a way that is not easily controllable by the enterprise.  The ability to test everything and look at all of the issues with each app is a much more challenging proposition than just a couple of years ago when the enterprise was in a better position to take those steps.” (24:45)</p>
<p style="text-align: center;"><strong><em>Automation</em></strong></p>
<p><strong>Levin</strong> &#8211; “We’ve got to be able to come up with tools, systems, protocols and licenses that allow for (automation).  Also, a design philosophy that we haven’t considered that we should: these chips that we make ought to suffer an inevitable death – you just turn them off.”(33:34)</p>
<p style="text-align: center;"><strong><em>End-User Responsibility</em></strong></p>
<div id="attachment_2911" class="wp-caption alignleft" style="width: 192px"><a href="http://www.collaborativegov.org/wp-content/uploads/2012/02/garcia-event.jpg"><img class="size-medium wp-image-2911" title="garcia-event" src="http://www.collaborativegov.org/wp-content/uploads/2012/02/garcia-event-200x300.jpg" alt="" width="182" height="260" /></a><p class="wp-caption-text">Greg Garcia on shifting security tasks from end users.</p></div>
<p><strong>Amoroso</strong> – “Everyone hates being a security administrator of their PC (or mobile device).  And you shouldn’t have to do it – you don’t have to be security administrator for your flatscreen TV, so you shouldn’t have to do the same thing for every device you’ve got.”(43:30)</p>
<p><strong>Garcia</strong> – “We (as end users) have increasing anxiety about how our personal information can be stolen, but we still want (a given online action) done.  So end users are taking on a risk appetite – because there is a feeling that they shouldn’t have to deal with their own security – it should be automatic – it should be as invisible as the infections.”(53:52)</p>
<p style="text-align: center;"><strong><em>Cloud</em></strong></p>
<div id="attachment_2864" class="wp-caption alignright" style="width: 210px"><a href="http://www.collaborativegov.org/wp-content/uploads/2012/02/Smith-Event21.png"><img class="size-medium wp-image-2864 " title="Smith-Event2" src="http://www.collaborativegov.org/wp-content/uploads/2012/02/Smith-Event21-200x300.png" alt="" width="200" height="300" /></a><p class="wp-caption-text">MG Steven Smith discusses cloud computing solutions.</p></div>
<p><strong>Smith</strong> – “We’re pursuing a zero-client on the device into a cloud environment.  So in that mini enclave on that device, we’re giving you the apps based on who you are so you can do your job and the rest of the device we don’t really care about.” (1:26:33)</p>
<p style="text-align: center;"><strong><em>Supply Chain</em></strong></p>
<p><strong>Levin</strong> – “In the world of hardware security, let me tell you (securing the supply chain is) a tough deal.  At the high end in semi-conductor manufacturing, you have chips that are designed in the US, and manufactured in Asia – so there are inherent supply chain exposures that frankly we just don’t think about in the defense establishment or in the civilian infrastructure.  You’re talking about chips that have 1 billion transistors and all you need to do is monkey around with a couple of them and you have a chip that has enormous configuration and control vulnerabilities.  This is a juicy, expensive problem.  If you don’t take care of the chips, the chips are going to take care of you.” (30:06)</p>
<p>“(Securing the supply chain) begins with things that are openly architected, standards based and modular – as well as open sourced, so you have as many minds looking at it as possible.” (1:01:30)</p>
<p style="text-align: center;"><em><strong>International Law</strong></em></p>
<p><strong>Painter</strong> – “All the same issues and challenges that we find in cybersecurity translate into these mobile devices.  We’re using them to interact with computers and computer networks around the world.&#8221; (37:10)</p>
<div id="attachment_2862" class="wp-caption alignleft" style="width: 310px"><a href="http://www.collaborativegov.org/wp-content/uploads/2012/02/Painter-event2.png"><img class="size-medium wp-image-2862" title="Painter-event2" src="http://www.collaborativegov.org/wp-content/uploads/2012/02/Painter-event2-300x200.png" alt="" width="300" height="200" /></a><p class="wp-caption-text">Christopher Painter discusses the relationship of international law with cyber crime.</p></div>
<p>&#8220;Part of this is looking at what the consequences are for the actors who break into these systems and working internationally.  This is becoming a priority not only in this country, but now something like 15 different countries have cybersecurity strategies, and they’re working together more. But there’s a lot out there that still needs to be done, and part of that is working with countries to understand what the risks are, what types of things they need to have in place – laws, policies – having good private sector to government communications.”(38:10)</p>
<h1 style="text-align: center;"><strong>Keys for Success</strong></h1>
<div id="attachment_2909" class="wp-caption alignright" style="width: 210px"><a href="http://www.collaborativegov.org/wp-content/uploads/2012/02/Levin-event-3-2.png"><img class="size-medium wp-image-2909 " title="Levin event 3 (2)" src="http://www.collaborativegov.org/wp-content/uploads/2012/02/Levin-event-3-2-200x300.png" alt="" width="200" height="300" /></a><p class="wp-caption-text">Dr. Levin shares his keys for success.</p></div>
<p><strong>Levin</strong> – “I think that our goal should be to prevent the scalable breach.  We should be creating dragnets: whether we’re looking at the behavior of chips or operating systems or networks.  In other words, ‘I’m pretty good but I don’t quit’, is going to trump ‘I am the champion’ every time.” (34:42)</p>
<p><strong>Amoroso</strong> – “We congregate around mobile security almost as if we solved PC security so let’s move on to mobile.  My plea to all of you is we have to think through fundamentally different models for the mobile ecosystem.  In my opinion it has to be virtual. You have to have the service providers doing something that makes sense in real time to police real time activity.  We have to be able to innovate – we can’t just say ‘just do best practice and we’ll be fine.’”(47:02)</p>
<div id="attachment_2932" class="wp-caption alignleft" style="width: 310px"><a href="http://www.collaborativegov.org/wp-content/uploads/2012/02/Schaffer-event24.png"><img class="size-medium wp-image-2932" title="Schaffer-event2" src="http://www.collaborativegov.org/wp-content/uploads/2012/02/Schaffer-event24-300x200.png" alt="" width="300" height="200" /></a><p class="wp-caption-text">Gregory Schaffer on combating cyber crime.</p></div>
<p><strong>Schaffer</strong> – “There is a misconception that someone is going to come up with the silver bullet technology that is going to solve this (cybersecurity) problem – and it really isn’t true.  The bad guys are people – not static.  This is not a disease we’re going to cure – there is no vaccine.  This is a journey, not a destination.  When are we going to solve the crime problem?  That’s when we’ll solve the cybersecurity problem.&#8221;(1:04:32)</p>
<h1 style="text-align: center;"><strong>In-Depth Perspectives</strong></h1>
<p>The new edition of the Initiative’s <em>Leadership</em> journal, “Securing the Mobile Frontier,” released in February 2012, provided in-depth analysis from the viewpoints of leading figures in the cybersecurity and mobility fields, including:</p>
<p><strong><a href="../2012/02/securing-the-mobile-frontier/">Securing the Mobile Frontier</a></strong><br />
<em>Barbara Fast, CGI Initiative for Collaborative Government</em></p>
<p><a href="http://www.collaborativegov.org/2012/02/leadership-resilience-flexibility-communication-insights-from-gen-keith-b-alexander-uscybercom-nsa-css/"><strong>Leadership – Resilience – Flexibility – Communication</strong></a><br />
<em>Gen. Keith B. Alexander, USCYBERCOM &amp; NSA/CSS</em></p>
<p><strong><a href="../2012/01/securing-the-airwaves-leadership-profile-of-edward-amoroso-chief-security-officer-att/">Securing the Airwaves</a></strong><br />
<em>Edward Amoroso, AT&amp;T</em></p>
<p><strong><a href="../2012/01/racing-for-the-advantage-leadership-profile-of-greg-garcia-former-bank-of-america-and-dhs-executive/">Racing for the Advantage</a></strong><br />
<em>Gregory Garcia, former Bank of America and Department of Homeland Security Executive</em></p>
<p><strong><a href="../2012/01/connected-for-battle-leadership-profile-of-lt-gen-susan-lawrence-ciog6-united-states-army/">Connected for Battle</a></strong><br />
<em>Lt. Gen. Susan Lawrence, U.S. Army</em></p>
<p><strong><a href="../2012/01/global-cyber-sleuth-leadership-profile-of-christopher-painter-coordinator-for-cyber-issues-u-s-department-of-state/">Global Cyber Sleuth</a></strong><br />
<em>Christopher Painter, U.S. Department of State</em></p>
<p><strong><a href="../2012/01/running-the-rapids-leadership-profile-of-gregory-schaffer-assistant-secretary-office-of-cyber-security-and-communications-u-s-department-of-homeland-security/">Running the Rapids</a></strong><br />
<em>Gregory Schaffer, U.S. Department of Homeland Security</em></p>
<p><strong><a href="../2012/01/chain-of-security-leadership-profile-of-teri-takai-chief-information-officer-u-s-department-of-defense/">Chain of Security</a></strong><br />
<em>Teri Takai, U.S. Department of Defense</em></p>
<h1 style="text-align: center;"><strong>Additional Resources</strong></h1>
<ul>
<li><strong>Bios<br />
</strong>- <a href="http://www.google.com/url?sa=t&amp;rct=j&amp;q=greg%20schaffer&amp;source=web&amp;cd=1&amp;ved=0CCUQFjAA&amp;url=http%3A%2F%2Fwww.dhs.gov%2Fxabout%2Fstructure%2Fbio_1303754478260.shtm&amp;ei=GUdMT_SeBKiU0QHe_ZTxAg&amp;usg=AFQjCNGEGFXajBlpXGhC268BC3xe4ZGEyg&amp;cad=rja">Greg Schaffer</a><br />
- <a href="http://www.google.com/url?sa=t&amp;rct=j&amp;q=mg%20steven%20smith&amp;source=web&amp;cd=1&amp;ved=0CDAQFjAA&amp;url=http%3A%2F%2Fwww.afceabelvoir.org%2Fimages%2Fuploaded%2FMG%2520Steven%2520Smith%2520External%2520Narrative%2520Bio%2520(11Feb11).pdf&amp;ei=-EZMT6qoA6Tl0QHF2tG4Ag&amp;usg=AFQjCNErGEGnif8J7Ubc9Fz28meoBXSDDA&amp;cad=rja">MG Steven Smith</a><br />
- <a href="http://www.va.gov/opa/bios/bio_levin.asp">Dr. Peter Levin</a><br />
- <a href="http://www.state.gov/r/pa/ei/biog/161848.htm">Christopher Painter</a><br />
- <a href="http://www.educause.edu/Community/MemDir/Profiles/EdwardAmoroso/130973">Dr. Ed Amoroso</a><br />
- <a href="http://www.collaborativegov.org/2012/02/bio-banking-and-homeland-security-execuitve-gregory-garcia/">Greg Garcia</a><br />
- <a href="http://www.hume.ictas.vt.edu/tcc/">Dr. T. Charles Clancy</a><br />
- <a href="http://www.collaborativegov.org/experts/barbara-fast/">Barb Fast</a></li>
<li><strong><a href="http://image.techamerica.us/lib/fec3167273600275/m/3/Cybersecurity+Act+of+2012.pdf">Cybersecurity Act of 2012</a></strong></li>
<li><strong><a href="http://www.us-cert.gov/cas/tips/">US-CERT Cybersecurity Tips</a></strong></li>
<li><strong><a href="http://csrc.nist.gov/publications/nistpubs/800-97/SP800-97.pdf">NIST Report on Establishing Wireless Robust Security Networks</a></strong></li>
<li><a href="http://techchannel.att.com/"><strong>AT&amp;T Tech Channel, including content on Mobile Security &amp; Cyber Threats</strong></a></li>
<li><strong><a href="http://www.google.com/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=1&amp;sqi=2&amp;ved=0CCsQFjAA&amp;url=http%3A%2F%2Fwww.va.gov%2Fbluebutton%2F&amp;ei=ciJNT8jgN-Po0QGVyPz0Ag&amp;usg=AFQjCNE-QI_UAvGLXq-o0U0fgOF5YLYnCw">VA&#8217;s Blue Button</a></strong></li>
<li><a href="http://www.federalnewsradio.com/?nid=278&amp;sid=2325103"><strong>&#8220;Cyber Command, NSA Tout Benefits of Cloud Computing&#8221; Federal News Radio (3/29/11)</strong></a></li>
<li><a href="http://www.dhs.gov/files/programs/gc_1158611596104.shtm"><strong>National Cybersecurity Awareness Month &#8211; DHS</strong></a></li>
<li><a href="http://www.state.gov/documents/organization/88409.pdf"><strong>Cybersecurity Incident Program &#8211; State Department</strong></a></li>
<li><strong><a href="http://www.arcyber.army.mil/news-cyber.html">U.S. Army Cyber Command</a></strong></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.collaborativegov.org/2012/02/securing-the-mobile-frontier-executive-discussion-a-guide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://www.collaborativegov.org/audio/cyber_mobility_event.MP3" length="89532608" type="audio/mpeg" />
		</item>
		<item>
		<title>Bio: Banking and Homeland Security Executive Gregory Garcia</title>
		<link>http://www.collaborativegov.org/2012/02/bio-banking-and-homeland-security-execuitve-gregory-garcia/</link>
		<comments>http://www.collaborativegov.org/2012/02/bio-banking-and-homeland-security-execuitve-gregory-garcia/#comments</comments>
		<pubDate>Tue, 28 Feb 2012 15:08:01 +0000</pubDate>
		<dc:creator>CGI Initiative for Collaborative Government</dc:creator>
				<category><![CDATA[Exclude from homepage]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.collaborativegov.org/?p=2847</guid>
		<description><![CDATA[Garcia served as the nation’s first Assistant Secretary for Cyber Security and Communications at the U.S. Department of Homeland Security &#8230; <a class="morePermalink" href="http://www.collaborativegov.org/2012/02/bio-banking-and-homeland-security-execuitve-gregory-garcia/">More</a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.collaborativegov.org/wp-content/uploads/2012/02/garciacropped1.jpg"><img class="alignleft size-medium wp-image-2850" title="garciacropped" src="http://www.collaborativegov.org/wp-content/uploads/2012/02/garciacropped1-300x165.jpg" alt="" width="300" height="165" /></a>Garcia served as the nation’s first Assistant Secretary for Cyber Security and Communications at the U.S. Department of Homeland Security from 2006-2008. After his government service Greg founded Garcia Strategies, LLC, a homeland security business development and strategic communications consulting firm, before joining Bank of America as its Partnership Executive for Cybersecurity and Identity Management, a position he held from May 2010 to December 2011. Mr. Garcia previously held a variety of technology and public policy positions, including Vice President, Information Security Policy and Programs with the Information Technology Association of America, professional staff member for the U.S. House of Representatives Committee on Science and Director, and Global Government Relations Director at 3Com Corporation. He has held numerous advisory board positions with high tech startups and currently is a member of the Information Security and Privacy Advisory Board, a federal advisory committee, and is on the Board of Trustees of the Studio Theatre in Washington, DC. Mr. Garcia graduated with distinction in International Business from San Jose State University in 1985. He is married, with one son.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.collaborativegov.org/2012/02/bio-banking-and-homeland-security-execuitve-gregory-garcia/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Make Security as Invisible as the Threat</title>
		<link>http://www.collaborativegov.org/2012/02/make-security-as-invisible-as-the-threat/</link>
		<comments>http://www.collaborativegov.org/2012/02/make-security-as-invisible-as-the-threat/#comments</comments>
		<pubDate>Fri, 17 Feb 2012 20:01:20 +0000</pubDate>
		<dc:creator>Andrew McLauchlin</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Mobility]]></category>

		<guid isPermaLink="false">http://www.collaborativegov.org/?p=2791</guid>
		<description><![CDATA[&#160; Thank you to each of our guests who joined us at our executive discussion on cybersecurity and mobility in &#8230; <a class="morePermalink" href="http://www.collaborativegov.org/2012/02/make-security-as-invisible-as-the-threat/">More</a>]]></description>
			<content:encoded><![CDATA[
<div id="attachment_2805" class="wp-caption aligncenter" style="width: 490px"><a href="http://www.collaborativegov.org/wp-content/uploads/2012/02/Cybereventgroup1.jpg"><img class="size-full wp-image-2805 " title="Cybereventgroup" src="http://www.collaborativegov.org/wp-content/uploads/2012/02/Cybereventgroup1.jpg" alt="" width="480" height="393" /></a><p class="wp-caption-text">Top (L to R): Andrew McLauchlin, CGI Initiative for Collaborative Government; Greg Schaffer, DHS; Greg Garcia, Banking / Homeland Security Exec; Christopher Painter, Dept. of State; MG Steven Smith, U.S. Army; Bottom (L to R): Dr. Ed Amoroso, AT&amp;T; Dr. T. Charles Clancy, Virginia Tech; Barb Fast, CGI Initiative for Collaborative Government; Dr. Peter Levin, VA</p></div>
<p>Thank you to each of our guests who joined us at our executive discussion on cybersecurity and mobility in Washington, DC. Co-hosted by the <a href="http://www.collaborativegov.org/">CGI Initiative for Collaborative Government</a> and <a href="http://www.collaborativegov.org/partners/virginia-tech/">Virginia Tech</a>, the event explored ideas shared in the Winter 2012 issue of the CGI Initiative’s <em>Leadership</em> journal, “<a href="http://www.collaborativegov.org/lead/">Securing the Mobile Frontier</a>,” that we released Feb 1, 2012.</p>
<p>I want to extend a special thank you to the executives who participated as speakers in the panel discussion, including:</p>
<p>•	<a href="http://www.collaborativegov.org/2012/01/running-the-rapids-leadership-profile-of-gregory-schaffer-assistant-secretary-office-of-cyber-security-and-communications-u-s-department-of-homeland-security/"><strong>Greg Schaffer</strong></a>, Assistant Secretary, Office of Cybersecurity and Communications, Dept. of Homeland Security<br />
•	<strong>MG Steven Smith</strong>, Director for the <a href="http://www.collaborativegov.org/2012/01/connected-for-battle-leadership-profile-of-lt-gen-susan-lawrence-ciog6-united-states-army/">U.S. Army CIO/G6 Cyber Directorate</a><br />
•	<a href="http://www.collaborativegov.org/2012/01/open-warfare-leadership-profile-of-peter-levin-cto-department-of-veterans-affairs/"><strong>Dr. Peter Levin</strong></a>, Senior Advisor to the Secretary and CTO for the Dept. of Veterans Affairs<br />
•	<a href="http://www.collaborativegov.org/2012/01/global-cyber-sleuth-leadership-profile-of-christopher-painter-coordinator-for-cyber-issues-u-s-department-of-state/"><strong>Christopher Painter</strong></a>, Coordinator for Cyber Issues, Dept. of State<br />
•	<a href="http://www.collaborativegov.org/2012/01/securing-the-airwaves-leadership-profile-of-edward-amoroso-chief-security-officer-att/"><strong>Dr. Ed Amoroso</strong></a>, Chief Security Officer of AT&amp;T<br />
•	<a href="http://www.collaborativegov.org/2012/01/racing-for-the-advantage-leadership-profile-of-greg-garcia-former-bank-of-america-and-dhs-executive/"><strong>Greg Garcia</strong></a>, former senior security officer at Bank of America and the Dept. of Homeland Security</p>
<p>The panel was moderated by <strong><a href="http://www.collaborativegov.org/author/barbara-fast/">Barb Fast</a></strong>, our lead CGI Initiative Fellow on cybersecurity and the “Securing the Mobile Frontier” project and <strong>Dr. T. Charles Clancy</strong>, Director, Hume Center for National Security and Technology, Virginia Tech Research Center @ Arlington.</p>
<p><a href="/audio/cyber_mobility_event.MP3">To listen to the full podcast of the session, click here.</a></p>
<p>Highlights of the discussion included:</p>
<p>•	An emphasis on the high potential value of shifting mobile security responsibility from the end user (“Everyone hates being a system administrator.” – AT&amp;T’s Ed Amoroso) to more virtualized security provided by a centralized service provider in the cloud (“We’re really assuming a zero client device connecting to a cloud… We want to get out of the problem of data at rest [on the device].” – MG Steve Smith)</p>
<div id="attachment_2793" class="wp-caption alignright" style="width: 310px"><a href="http://www.collaborativegov.org/wp-content/uploads/2012/02/cybereventsmith.jpg"><img class="size-medium wp-image-2793" title="cybereventsmith" src="http://www.collaborativegov.org/wp-content/uploads/2012/02/cybereventsmith-300x199.jpg" alt="" width="300" height="199" /></a><p class="wp-caption-text">U.S. Army MG Steven Smith (center) discusses using the cloud to help secure mobile devices.</p></div>
<p>•	 The need to increase automation of mobile security to keep pace with the exponential growth in hardware “Trojan horse” threats given the linear growth of people fighting to protect us against those threats (“If you don’t take care of the chips, the chips will take care of you…. We must have automation of cybersecurity.” – VA’s Peter Levin) (“We need to make security as invisible as the threat.” – Greg Garcia)</p>
<p>•	Yes, we need to deploy all the preventive tools we have, but we also require innovative people to rapidly and continuously adapt cybersecurity approaches to keep pace with the bad guys. (“It’s a misperception that there’s a silver bullet technology. It’s not true. Because the bad guys are people, they’re not static.” – DHS’s Greg Schaffer)</p>
<p>Check back soon for an in-depth executive summary of the discussion.</p>
<p>Thank you, again, to all who participated!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.collaborativegov.org/2012/02/make-security-as-invisible-as-the-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing the Mobile Frontier</title>
		<link>http://www.collaborativegov.org/2012/02/securing-the-mobile-frontier/</link>
		<comments>http://www.collaborativegov.org/2012/02/securing-the-mobile-frontier/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 00:34:29 +0000</pubDate>
		<dc:creator>Barbara Fast</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Mobility]]></category>

		<guid isPermaLink="false">http://www.collaborativegov.org/?p=2364</guid>
		<description><![CDATA[Cybersecurity in the mobile age is everyone&#8217;s responsibility, requiring strong partnership among businesses, governments and citizens We are living in &#8230; <a class="morePermalink" href="http://www.collaborativegov.org/2012/02/securing-the-mobile-frontier/">More</a>]]></description>
			<content:encoded><![CDATA[<h2><em><a href="http://www.collaborativegov.org/wp-content/uploads/2012/01/fast.jpg"><img class="alignright size-full wp-image-2453" title="fast" src="http://www.collaborativegov.org/wp-content/uploads/2012/01/fast.jpg" alt="" width="275" height="389" /></a>Cybersecurity in the mobile age is everyone&#8217;s responsibility, requiring strong partnership among businesses, governments and citizens</em></h2>
<p>We are living in an information age that has changed the way we conduct business and share information.</p>
<p>For government and industry, technology has allowed a level of interconnectedness that we have never experienced before.</p>
<hr />
<p><a href="http://www.collaborativegov.org/lead/"><em>Leadership</em> Home: Winter 2012 &#8220;Securing the Mobile Frontier&#8221;</a></p>
<hr />
<p>The ability to connect with anyone at any time and quickly access the data we need is a great convenience that has made it easier for us to conduct business and military operations, improve services and stay in touch with our customers.</p>
<p>But living in a digital world is like living in a bad neighborhood. It doesn’t mean you shouldn’t leave your house, but you have to take some precautions. Just as you wouldn’t open your door to just anyone, you don’t want to invite an unfamiliar application or attachment into your network, and you want to make sure you have the security necessary to protect your data.</p>
<p>A couple of decades ago, there were very few people involved in cybersecurity, but now it’s everybody’s responsibility — from the person who wants to bank online to any organization or nation conducting business online.</p>
<hr />
<p><iframe width="560" height="315" src="http://www.youtube.com/embed/J6ugZ9fr3tE?rel=0" frameborder="0" allowfullscreen></iframe></p>
<h6>CGI Initiative Fellow Barbara Fast outlines the increasingly complex topic of mobility security, as part of the Initiative&#8217;s newly-released edition of <em>Leadership</em> journal, &#8220;Securing the Mobile Frontier.&#8221;</h6>
<hr />
<p>As we learn from our experts in this journal, the mobile environment has added a whole new dimension to what it means to secure our enterprise. It’s not quite the Wild West, but we are still on the frontier when it comes to securing mobile devices and determining how they connect reliably to an overall network. There is a cyber ecosystem that must be managed, and mobile devices are just a part of the bigger picture.</p>
<h3>A Way of Life</h3>
<p>From veterans who download their health records via the Veterans Affairs Department’s website to soldiers who use smart phones on the battlefield, more individuals, businesses and government organizations are using mobile devices as part of their daily routines and creating a global interconnectedness. Just as doing business on the Internet became the norm, operating in a mobile environment is not a choice any more but a way of life.</p>
<p>Why has this happened? Today’s technology is more robust, bandwidth has increased, software advances have made it easy to download an application to a mobile device, and there is much better interconnectedness — from a mobile device to the cloud to the enterprise. That combination of technology and human development has allowed us to take advantage of connecting from anywhere and freed us from the desktop.</p>
<p>That’s why it’s important to treat cybersecurity as an ecosystem and recognize that all the parts are interdependent on one another. Organizations must rely on a multilayered set of solutions to protect the most valuable resource we have: the data that resides on our networks. This includes sound supply chain production and procurement practices. We can’t expect to secure anything 100 percent, but we can mitigate the risk of being attacked, and if we are attacked, we can mitigate the risk of being compromised and more quickly react and restore service.</p>
<p>We have to make sure we know where the knowledge points are, where the valuables reside that need protection and how to develop a defensive posture to protect them. When it comes to securing mobile devices, the connections must have integrity.</p>
<h3>How Much Security is Enough?</h3>
<p>The million-dollar question is: How much security is enough? If we had the answer to that, we would buy only what we need. But there are a lot of unknowns, and the situation is not static. Furthermore, the tolerance for risk differs from organization to organization and even from department to department. The key is risk management and deciding what you should spend your money protecting. I come from a military background, so I start with the commander’s information requirements and look for high-value capabilities that would cause an organization to fail if they weren’t available. It’s the same basic principle for commercial and private risk management considerations.</p>
<p>Prioritizing security is a challenge because it is difficult to measure how well your investment is doing. How do you know what you’ve been able to prevent? The sign that no intrusions have occurred is obviously a good thing, but how do you measure that? More and more organizations are incorporating a new technology into their game plans. For example, cloud computing makes accessing mobile applications easier, but it has to be secured just like the rest of the environment. Whether it’s a public, private or hybrid cloud, it is part of the cybersecurity ecosystem.</p>
<p>For AT&amp;T Chief Security Officer Edward Amoroso, the future of security lies in virtualization, which means moving identity management and threat detection to the cloud. In that scenario, Amoroso said, “I just tell the ISP, ‘Here’s my policy: I want you to filter the viruses from my e-mail, I want you to filter spam, and I’d like these services to be allowed and these services to not be allowed. I don’t want my employees on Facebook, for example.’ The Internet Service Provider can very easily do that for wired and wireless service.”</p>
<h2>&#8220;Organizations must rely on a multilayered set of solutions to protect the most valuable resource we have: the data that resides on our networks.&#8221;</h2>
<p>There are other security considerations as well. Increasingly, cybersecurity has become an international concern as digital communications and business transactions transit the globe. Many countries have leapfrogged from having little to no infrastructure to modern digital and wireless technologies.</p>
<p>Just ask Chris Painter, who is responsible for implementing the U.S. International Strategy for Cyberspace as cyber coordinator at the State Department. When the strategy was released in May, Painter sent a cable to State Department posts worldwide asking them to talk to their host governments and identify the officials who were tracking cyber issues in those countries so they could “be our eyes on the ground” and find opportunities to work together. That won’t be easy, however. Although data can be sent around the globe in nanoseconds, our ability to act and react is still functioning in the 20th century. The mobile environment doesn’t recognize sovereign boundaries, and today we still lack international laws to enable us to act against bad actors.</p>
<h3>A Challenge We Must Accept</h3>
<p>Although more work needs to be done, it’s reassuring to know that there is more government-to-government and government-to-industry collaboration today than there has been in the past, and we have made progress on advancing cybersecurity issues with our allies. Having appropriate laws in place, as well as national and global standards, will help. And there are bona fide privacy concerns that must be factored into solutions.</p>
<p>There is also a huge education component to securing networks. Better awareness, from Congress to institutions and individuals, will help create the conditions and framework for a comprehensive approach. People need to understand that they have to play a role in security and that they are the first line of defenders. There will be some tough lessons along the way, but it’s a challenge we must accept.</p>
<p>When it comes to enforcement, it’s better to use more carrot than stick because people respond better to incentives. Consider the Defense Department.</p>
<p>Teri Takai, DOD’s CIO, said that by adopting a pragmatic leadership stance and offering a carrot instead of brandishing a stick, she hopes to convince the military branches that moving to a common identity management infrastructure is in their best interest.</p>
<p>“One of the tricky things about information technology implementation, unlike some weapons systems, is that it’s as much about customer experience and the way people feel about their technologies as it is about the technology,” Takai said. “Otherwise, these migrations would be pretty easy.”</p>
<h3>“You Now Have Your Data. Be Careful.”</h3>
<p>With cybersecurity, it’s important to strike the right balance and make it easier for end users to operate securely without expecting them to do too much, especially with mobile computing. Some organizations, particularly in the military, are struggling with whether to allow people to download applications to mobile devices or access Facebook on their operational network. Those are the kinds of struggles that mobile technology brings to bear. Some security solutions will simplify things for users, but personal responsibility is essential.</p>
<p>That is evident at the VA, where CTO Peter Levin said one of the biggest concerns about a Web-based function that allows patients to download their health information was more human than technical. Once downloaded, the information was much more susceptible to being lost, stolen or otherwise compromised. Levin said he posted a warning to veterans “with big bold letters on the website: ‘You now have your data. Be careful.’”</p>
<p>Ultimately, cybersecurity is everyone’s responsibility. Whether you are a government agency, military service or global business, we share more similarities than differences when it comes to cybersecurity. We are all operating on the same network, so the problems are bound to be similar and some of the solutions are similar, too. It’s how they are applied that will be different. As the articles in this journal illustrate, you can’t underestimate the power of strong partnerships and leadership when it comes to cybersecurity.</p>
<p><em>BARBARA FAST is vice president and senior advisor on cybersecurity at CGI and a CGI Initiative for Collaborative Government Fellow.</em></p>
<p><a href="http://www.collaborativegov.org/lead/"><em>Leadership</em> Home</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.collaborativegov.org/2012/02/securing-the-mobile-frontier/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Leadership &#8211; Resilience &#8211; Flexibility &#8211; Communication: Insights from Gen. Keith B. Alexander, USCYBERCOM &amp; NSA/CSS</title>
		<link>http://www.collaborativegov.org/2012/02/leadership-resilience-flexibility-communication-insights-from-gen-keith-b-alexander-uscybercom-nsa-css/</link>
		<comments>http://www.collaborativegov.org/2012/02/leadership-resilience-flexibility-communication-insights-from-gen-keith-b-alexander-uscybercom-nsa-css/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 00:11:19 +0000</pubDate>
		<dc:creator>CGI Initiative for Collaborative Government</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Mobility]]></category>

		<guid isPermaLink="false">http://www.collaborativegov.org/?p=2341</guid>
		<description><![CDATA[Gen. Keith B. Alexander, Commander, U.S. Cyber Command and Director, National Security Agency/Chief Central Security Service shares insights on leading &#8230; <a class="morePermalink" href="http://www.collaborativegov.org/2012/02/leadership-resilience-flexibility-communication-insights-from-gen-keith-b-alexander-uscybercom-nsa-css/">More</a>]]></description>
			<content:encoded><![CDATA[<h2><em><a href="http://www.collaborativegov.org/wp-content/uploads/2012/01/alexandercropped.jpg"><img class="alignright size-full wp-image-2400" title="alexandercropped" src="http://www.collaborativegov.org/wp-content/uploads/2012/01/alexandercropped.jpg" alt="" width="298" height="161" /></a>Gen. Keith B. Alexander, Commander, U.S. Cyber Command and Director, National Security Agency/Chief Central Security Service shares insights on leading for success in the mobile frontier and amid the rapid evolution of technologies and threats.</em></h2>
<hr />
<p><a href="http://www.collaborativegov.org/lead/"><em>Leadership</em> Home: Winter 2012 &#8220;Securing the Mobile Frontier&#8221;</a></p>
<hr />
<h3><span style="color: #000000;">Organizational Leadership</span></h3>
<p><strong>Q: October 31, 2011, marks the one-year anniversary of US CYBERCOM active operations. You had to stand up a new organization quickly with multiple major changes happening simultaneously across very senior stakeholders. What do you feel were the biggest challenges you faced in standing up CYBERCOM? And how did you overcome them?</strong></p>
<p>A: Fundamentally, CYBERCOM represents a new approach. The scale and rapid evolution of technology requires a resilient, flexible approach, changing our conduct and culture to one that features a dynamic, active cyber defense – using our understanding of adversary capabilities to dynamically and rapidly defend military networks. Our military relies on its networked systems for every facet of force projection and, when establishing CYBERCOM, we were keenly aware of the gap between the sophisticated capabilities available to exploit and degrade those networks and the defenses in place to protect them.</p>
<hr />
<p><iframe width="560" height="315" src="http://www.youtube.com/embed/LmyssyYJ4po?rel=0" frameborder="0" allowfullscreen></iframe></p>
<h6>CGI Initiative Fellow Barbara Fast discusses &#8220;Leadership &#8211; Resilience &#8211; Flexibility &#8211; Communication: Perspectives from Gen. Keith B. Alexander,&#8221; from the Winter 2012 edition of Leadership.</h6>
<hr />
<p>There were several significant challenges on the ground to achieving that vision. First, we had to merge the two legacy organizations (Joint Functional Component Command for Network Warfare [JFCC-NW] and Joint Task Force for Global Network Operations [JTF-GNO]), representing the military’s cyber “offense” and “defense” to operate effectively as one unified force – CYBERCOM.</p>
<p>Then, we focused on merging their actual operations. We established a Joint Operations Center, transferred operational control of the JTF-GNO mission set to Ft. Meade, Maryland, and stood down JTF-GNO’s 24/7 watch center in Arlington, Virginia.</p>
<p>That task involved careful planning to ensure that the daily functions of the Department of Defense’s networks were unimpaired, given that they are constant targets. We also established effective operational command and control processes for the consolidated mission sets.</p>
<p>Once we had begun to operate as one synchronized force, we focused on serving our customer requirements and building relationships with key partners. We trained and embedded liaison officers at the Combatant Commands and began working closely with the Commands to help understand and define their requirements for operating effectively in cyberspace. We also worked to ensure that these liaison officers were setting the foundation to grow into larger Cyber Support Elements over time.</p>
<p>We were able to accomplish these critical milestones because we have great people. Thanks to their exceptional efforts, we were able to stand up and lay the foundations for our vision of a rapidly evolving and effective active defense.</p>
<p><strong>Q: What advice would you have for other executives who are faced with similar complex and rapid changes in their organizations?</strong></p>
<p>A: In one sentence, I will share the best advice I’ve learned from one of my mentors: communicate, communicate, communicate. CYBERCOM represents a new way of operating in a rapidly adapting domain. We needed to communicate the core principles of our strategic vision and then work closely with the leaders and staff of the Command to get the Command to full strength and capacity as rapidly as possible.</p>
<p><strong>Q: What are some core management principles and approaches that you have relied on in standing up CYBERCOM?</strong></p>
<p>A: First, teamwork. We knew that this command would have to operate as part of a cohesive and comprehensive team — Team Cyber. I firmly believe in teamwork – within the Command, and with our interagency and international partners. We must marshal all of our respective talents to develop innovative solutions for mutual concerns.</p>
<p>Second and perhaps most important: people. Amazing people are capable of amazing achievements. Let your people know how amazing they are, support them and step back. The military and civilian personnel of CYBERCOM have challenging jobs. Their creativity and ability to rapidly innovate and execute are what have underpinned the Command’s achievements in its first 18 months.</p>
<p><strong>Q: What experiences in your life were major influences for you in shaping your management style? Why?</strong></p>
<p>A: Over the past three decades, I have served in a wide variety of Joint and Army positions, including 15 years in command. I have served as the Deputy Chief of Staff of Intelligence, Headquarters, Department of the Army; Commanding General of the U.S. Army Intelligence and Security Command; Director of Intelligence, United States Central Command; and Deputy Director for Requirements, Capabilities, Assessments and Doctrine, J-2, for the Joint Chiefs of Staff. These roles of increasing responsibility provided the set of experiences and relationships I draw upon each day.</p>
<h2>Extending our information reach through new technology gives us great capability, but it also extends our vulnerability.</h2>
<p>Perhaps most importantly, I have had exceptional mentors throughout my career. While I learned a great deal, technically, from them, the most important lessons they taught me were those of leadership. People are our greatest assets, and I believe they perform the best in a positive leadership environment.</p>
<p>Focusing more exclusively on cyber, the knowledge gained serving as Director, National Security Agency, Chief, Central Security Service and Commander, Joint Functional Component Command—Network Warfare (JFCC-NW) was instrumental in shaping my vision of how the military needs to operate effectively in cyberspace. NSA’s cryptologic work in SIGINT/Computer Network Exploitation, Information Assurance and Network Threat Operations is superb and foundational to the nation’s future success in the cyber domain.</p>
<p>That knowledge has led me to champion NSA’s work and greatly value the outstanding professionals and expertise at NSA/CSS.</p>
<h3><span style="color: #000000;">Leading for Success in the Mobile Frontier</span></h3>
<p><strong>Q: What do you see as the most critical challenges in achieving the right balance between taking advantage of mobile technologies to gain a communications advantage over the enemy and making sure communications are secure from enemy interception or interference?</strong></p>
<p>A: I am an advocate for using mobile technologies. As I said, the key to managing complexity, from the battlefield to the office, is to communicate — which means access to, and movement of, information.</p>
<p>Extending our information reach through new technology gives us great capability, but it also extends our vulnerability. We’ve all seen the significant increase in malware focused on mobile devices as the new frontier. Today’s mobile devices are targeted as access points to enterprise networks and the valuable information stored either in e-mail, on the device or on the home network.</p>
<p>The Department of Defense, and government, writ broadly, have all learned that technology built only for government use is not a cost-effective or rapid way to deploy information technology. Rather, leveraging commercial technology while implementing careful configuration and best practices to maximize security is the best approach.</p>
<p>And as the technology across government and industry converges, we are also seeing a similar convergence of mission interest in security. Corporations are worried about threats to their intellectual property and the integrity of their networks via mobile devices, and so we are seeing a move to incorporate security into commercial devices. We are actively supporting that via our information assurance partnerships with industry and across the USG.</p>
<p><strong>Q: What is CYBERCOM doing today to create a team approach with the military services to secure the use of mobile devices?</strong></p>
<p>A: The addition of mobile devices to DOD’s inventory does create some unique challenges, but they’re ones we face regularly. CYBERCOM is leveraging work that NSA is doing to secure mobile devices and championing these efforts for the services. The key is to leverage this new technology, ensure it is secure and work with the services so that we can acquire and deploy these technologies for best operational and defensive effect.</p>
<p>We also have to remember that security (or insecurity) is fundamentally a system-level problem. The adversary attacks the system where it is weak. So we have to secure not only the mobile device, but also the transport of information, the infrastructure at the backend that supports it, every partner in the system, and everything in between. So the notion of team is much broader than ever before.</p>
<p><strong>Q: How do you view the future for network defense with the influx of mobile devices, particularly in regard to mobile security and network situational awareness?</strong></p>
<p>A: We believe that both the private sector and the USG value secure mobile devices – devices that protect the corporate and personal data resident on the devices and on the enterprise networks they access. As greater and greater capability moves to mobile devices (e.g., banking), security becomes more and more valued. We are working closely with the private sector to ensure that the lessons learned from the last two decades of PC security are applied to mobile devices.</p>
<p>We believe that the future of network defense is a much more dynamic problem than in the past. New technologies and devices will continue to appear in our environment. So we can never secure the defense one device at a time. We need to improve the whole ecosystem through standards, best practices and improvement to the supporting infrastructure.</p>
<p><strong>Q: How will Cyber Command work with the department to grow the cyber workforce of the future to defend and secure mobile networks?</strong></p>
<p>A: The Department must grow the cyber workforce to operate and defend both mobile and fixed networks. Working with our Service Component Commanders, we have identified the base set of personnel resources needed to meet a subset of Operational Plans in support of the Geographic Combatant Commands. The Chairman, Vice Chairman and Service Chiefs are working together to generate the forces we need.</p>
<h2>&#8220;We believe that the future of network defense is a much more dynamic problem than in the past.&#8221;</h2>
<p>More broadly, we are leveraging the work of government partners like DHS to increase the nation’s overall cyber workforce capacity through programs like the Centers of Academic Excellence in Information Assurance (CAE-IA) and the National Initiative for Cybersecurity Education (NICE). We also fully support efforts to interest American teens in science and technology. Various states and not-for-profits have launched contests and scholarships to interest American high school students in S&amp;T. Attracting the nation’s best and brightest to science will ensure our finest minds drive the nation’s economic growth and national security.</p>
<p><strong>Q: What key challenges have you seen that you expected? That you didn’t expect?</strong></p>
<p>A: The key challenge is, of course, the threat. The cyber threat continues to mature, posing risks to the nation. Our leaders — from President Obama on down — have emphasized this point, and for good reason. Our nation now depends on access to cyberspace and the data and capabilities residing there; we are collectively vulnerable to an array of threats ranging from network instability to criminal and terrorist activities to state-sponsored capabilities and actions that are continually evolving. While I emphasize that we have not suffered disastrous or irreparable harm in cyberspace from any of these risk categories, we must be prepared to counter this evolving threat. Building a common understanding of the threat is key to achieving a whole-of-government and whole-of-nation effort.</p>
<p>On a more tactical level, what we have found as we improve our common operating picture, our intelligence and our operations to create effects is that DOD does not have the capacity to do everything we need to do to defend our military networks. To put it bluntly, we are very thin, and a crisis would quickly stress the military’s cyber forces.</p>
<p>The problem has two facets — there are too few trained service personnel out there in the first place, and the services need to hold on to as many of them as they can. Thus, the biggest issue I see is the need for collaborative force development — including joint standards, recruitment, training, deployment, sustainment, and retention across the services.</p>
<p><strong>Q: How have you overcome those challenges? And what lessons have you learned that will reshape your approach in the future?</strong></p>
<p>A: First and foremost, we are communicating the threat to educate key decision-makers on our nation’s vulnerabilities to cyber threats and the steps that we need to take to protect our critical networks. It will take a team — across the government and private sector — to measurably improve the nation’s security in cyberspace. At CYBERCOM, we are focused on working with NSA, DISA and the services — our core partners — to measurably improve the security of military networks.</p>
<p><strong>Q: What recommendations do you have for other senior leaders as they work to take advantage of mobile technology while securing its use?</strong></p>
<p>A: I recommend we challenge our people to push the envelope in using commercial technologies while working to configure and use them in the most secure ways possible.</p>
<p>I also urge senior leaders who are considering mobile technology (or any technology) to stand back and realize that their mission needs are not likely unique. We need to think of these as enterprise-level problems – shared problems requiring shared solutions. We cannot afford to have every organization independently chasing the latest technology. By working together, we can bring together our best minds in technology and security, bring critical mass to the marketplace, put in place enterprise-level security infrastructure and help improve security at national scale.</p>
<p><strong>Q: How is managing cybersecurity programs different from other programs you have led?</strong></p>
<p>A: The information technology environment is the fastest-changing environment in the DOD and the nation. Conventional approaches will not work. To adapt, we work our efforts in 90-day spins, leveraging what we have done, constantly trading technical advances and adjusting our plans. We have had tremendous success with this approach, which we are now applying in our IT efficiencies and effectiveness programs.</p>
<h3>Hardware Security and Supply Chain Risk Management:</h3>
<p><strong>Q: With the proliferation of mobile devices, what is your perspective on how U.S. organizations can best secure their mobility supply chain to prevent bad actors from inserting hardware components containing malicious software code and the like (mobile devices, servers that operate mobile applications, etc.)?</strong></p>
<p>A: Supply chain risk mitigation is a national effort under the Comprehensive National Cybersecurity Initiative. The global technology supply chain affects mission-critical aspects of the DOD enterprise, as well as core U.S. government and private-sector functions, and its risks must be mitigated through strategic public/private-sector cooperation. DOD is supporting interagency efforts to increase assurance in our information and communication technology supply chain. (Public Affairs Guidance DOD Strategy for Operating in Cyberspace July 2011)</p>
<p><strong>Q: Mobile computing poses different hardware security challenges than desktop environments, with two leading platforms (iOS and Android), and more platforms continuing to mature (e.g., Windows and BlackBerry). How can we best secure mobile device hardware in an extremely heterogeneous environment?</strong></p>
<p>A: First, there is great value in leveraging the lessons learned from the work done to improve the security of PCs over the last decade. The private sector began incorporating roots of trust in devices (e.g., Trusted Platform Modules [TPMs]) over the last decade, providing a “root” for further security to build upon in the device.</p>
<p>The second is to evolve our thinking from securing devices and systems to securing data — ensuring that the most valuable IP, whether source code or R&amp;D designs, is protected and kept on networks where access controls are carefully managed. I think roots of trust and smart data will help reduce these risks.</p>
<p>We must recognize that there has been a fundamental change in our information environment. New devices and technologies will appear rapidly, so we must plan for that. Everything from our gathering of requirements, acquisition and security decision-making must be more rapid and nimble. We must also reshape the entire ecosystem through standards, better security infrastructure and improvements “upstream” in the life cycle with key vendors. We cannot get what we need by waiting for it to appear, then trying to secure it.</p>
<p><strong>Q: How are you shaping DOD partnerships to incent innovation and arrive at solutions that are platform neutral and trusted, while building in supply chain security?</strong></p>
<p>A: The evolution of commercial technologies like cloud technology and smart data offers tremendous opportunity in ensuring the security of our infrastructure. They give us the opportunity to implement and manage security at enterprise-level scale, in addition to the IT benefits. DOD is aggressively pursuing these technologies in our IT effectiveness program. We also strongly support the evolution and use of open standards to enable us to choose “best of breed” security solutions and integrate them more effectively.</p>
<p>In today’s fiscally constrained environment where cyber operations and threats are global and exponential in growth, we cannot afford to rely solely on Department of Defense resources. We must leverage partnerships with other governmental agencies, countries, industry and academia to form a comprehensive defense against cyber adversaries.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.collaborativegov.org/2012/02/leadership-resilience-flexibility-communication-insights-from-gen-keith-b-alexander-uscybercom-nsa-css/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing the Airwaves: Leadership Profile of Edward Amoroso, Chief Security Officer, AT&amp;T</title>
		<link>http://www.collaborativegov.org/2012/02/securing-the-airwaves-leadership-profile-of-edward-amoroso-chief-security-officer-att/</link>
		<comments>http://www.collaborativegov.org/2012/02/securing-the-airwaves-leadership-profile-of-edward-amoroso-chief-security-officer-att/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 00:10:06 +0000</pubDate>
		<dc:creator>CGI Initiative for Collaborative Government</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Mobility]]></category>

		<guid isPermaLink="false">http://www.collaborativegov.org/?p=2383</guid>
		<description><![CDATA[AT&#38;T Chief Security Officer Edward Amoroso patrols the 21st century battlefield of the mobile network Leadership Home: Winter 2012 &#8220;Securing &#8230; <a class="morePermalink" href="http://www.collaborativegov.org/2012/02/securing-the-airwaves-leadership-profile-of-edward-amoroso-chief-security-officer-att/">More</a>]]></description>
			<content:encoded><![CDATA[<h2><em><a href="http://www.collaborativegov.org/wp-content/uploads/2012/01/amorosocropped.jpg"><img class="alignright size-full wp-image-2425" title="amorosocropped" src="http://www.collaborativegov.org/wp-content/uploads/2012/01/amorosocropped.jpg" alt="" width="340" height="184" /></a>AT&amp;T Chief Security Officer Edward Amoroso patrols the 21st century battlefield of the mobile network</em></h2>
<hr />
<p><a href="http://www.collaborativegov.org/lead/"><em>Leadership</em> Home: Winter 2012 &#8220;Securing the Mobile Frontier&#8221;</a></p>
<hr />
<p>In the 1980s, Edward Amoroso was a member of the security design team for then-President Ronald Reagan’s Strategic Defense Initiative, the program that sought to build a space-based shield to protect Americans from a nuclear ballistic missile attack.</p>
<p>Now, as chief security officer at AT&amp;T, Amoroso oversees a strategic defense initiative of a different nature — securing billions of bytes of information as they travel over the airwaves and wires.</p>
<p>On an average business day, nearly 24 petabytes of data travel over AT&amp;T’s global backbone. Although that backbone includes 46.6 million access lines and 19.3 million wired broadband connections, a huge share of that information moves via wireless networks. In 2010, wireless connections on the company’s network increased by 8.9 million, the largest jump in AT&amp;T’s history. The company also operates the country’s largest Wi-Fi network with 29,000 hot spots nationwide.</p>
<h2>&#8220;If I look back over the decades, it becomes crystal clear that security in the mobile ecosystem has to become virtual.&#8221;</h2>
<p>Almost 18 million broadband customers in more than 150 countries use home Internet services, smart phones and other mobile devices to share information ranging from innocuous tweets and Facebook status posts to purchases containing highly sensitive personal banking information, tax returns with Social Security numbers, confidential medical records, and even commercial and state secrets.</p>
<p>In many ways, Amoroso’s challenge hasn’t changed: Allow people to conduct their daily lives blissfully under a transparent, trusted security umbrella they never see or want to see. But the cyber threats he now seeks to block, root out and destroy are much more subtle than an incoming ballistic missile.</p>
<h3>Shifting the Front Line</h3>
<p>The cybersecurity world has become much more complex in the intervening years. Today the term “hacker” connotes malicious intent, but 25 years ago, Amoroso used Unix operating system commands to access others’ machines and understood they were doing the same to his computer. The environment was collegial, but that changed when commercial and public entities began adding important information and transaction capabilities, he said.</p>
<p>“As soon as mobile became part of the infrastructure of a company, the military, power companies and so on, it’s not enough to say, ‘Oh, well, I’ll just promise to not [use what I find],’ which is what we did in the early days of the Internet,” Amoroso said.</p>
<h2>&#8220;When you go from convenience to necessity, then suddenly the underlying infrastructure becomes important, and that&#8217;s where the security comes in.&#8221;</h2>
<p>As the Internet has evolved, it went from being a tool for technologists to being a required part of personal and professional communication. We now expect to be able to communicate on the go anytime, anywhere with confidence and security.</p>
<p>“Remember when your BlackBerry or your smart phone was a convenience?” Amoroso said. “Today, it’s a necessity. When you go from convenience to necessity, then suddenly the underlying infrastructure becomes important, and that’s where security comes in.”</p>
<hr />
<p><iframe width="560" height="315" src="http://www.youtube.com/embed/uRBFOPcId48?rel=0" frameborder="0" allowfullscreen></iframe></p>
<h6>CGI Initiative Fellow Barbara Fast discusses &#8220;Securing the Airwaves&#8221; profile of AT&amp;T Chief Security Officer Dr. Edward Amoroso from &#8220;Securing the Mobile Frontier,&#8221; the Winter 2012 edition of <em>Leadership</em>.</h6>
<hr />
<p>Hackers’ intent is of little consequence to Amoroso; his response is the same regardless of whether the suspicious activity comes from a curious kid or a malevolent nation state.</p>
<p>“The problem for us as [Internet service providers] is that a kid in a garage hacking and a nation state hacking look the same,” he said. “It doesn’t do you much good to get yourself wrapped up in the intrigue because we’ve seen teenagers who are really, really good, and we’ve seen nation states that are really, really bad.”</p>
<p>Amoroso said it’s unfair to expect consumers who are largely untrained in technology to be systems administrators fighting toe-to-toe with expert hackers. In the early days, the contracts between ISPs and their customers stated that all the providers had to do was move traffic the way a phone company connects callers.</p>
<p>Today, customers don’t want every piece of data coming to them out of fear of hackers and viruses, Amoroso said. They want a virtual Do Not Call list. He believes the future of security lies in virtualization, which means moving identity management and threat detection to the cloud.</p>
<p>In that scenario, Amoroso said, “I just tell the ISP, ‘Here’s my policy: I want you to filter the viruses from my e-mail, I want you to filter spam, and I’d like these services to be allowed and these services to not be allowed. I don’t want my employees on Facebook, for example.’ The Internet Service Provider can very easily do that for wired and wireless service.”</p>
<p>Virtual makes sense to the next generation of mobile users. They accept that systems are maintained virtually, he said, and they easily relinquish control.</p>
<p>“If I look back over decades, it becomes crystal clear that security in the mobile ecosystem has to become virtual,” Amoroso said. “If the computer was basically a virtual terminal or virtual desktop and there wasn’t as much software there and more of it was in the cloud, then you wouldn’t have so much to break, right? The way Facebook doesn’t break because it’s out there somewhere.”</p>
<p>Amoroso puts the alternative in perspective by asking, “Do you really want to have to worry about doing security administration on your BlackBerry? No, not in a million years. Let somebody else do it.”</p>
<p>“As soon as anybody under 25 is in a position of leadership, you know it’s going to be mobile, you know it’s going to be virtual, you know it’s going to be cloud,” he added. “All those words are things that are connected to youngsters.”</p>
<p>One way to secure what’s “out there somewhere” is to create decoys, Amoroso said. Deception is a highly understudied and underused, although well-proven, form of defense. Setting up decoys that mimic actual infrastructure can trick adversaries into thinking they’re attacking something real, he said. “You can imagine the uncertainty [for attackers] that comes out of that type of arrangement and the value to anybody protecting critical infrastructure,” he said in a video about protecting the national infrastructure from cyberattacks on AT&amp;T’s Tech Channel.</p>
<h3>Securing the Insecure</h3>
<p>The root of the problem with cybersecurity lies in the fact that the Internet was not built with security in mind, Amoroso said, and retrofitting it for protection is an ongoing, inherently faulty process.</p>
<p>“The infrastructure was built to support cooperation and communication and the collaboration between different groups,” Amoroso said. “Protocols were designed that way, systems were designed that way, software was designed that way. The computer you have at home was designed that way. There’s no inherent or intrinsic security, you just plug into an Internet service provider.”</p>
<p>When the Internet went from being a tool of the Department of Defense to one of the people, every sector of the U.S. economy wanted to be part of it. “We had a big time-out and retrofit security onto the whole thing, and it was never retrofit properly and it’s still not retrofit properly,” Amoroso said.</p>
<p>To address the problem, he said, two main problems with the Internet have to be solved: domain names and routing.</p>
<p>“The Domain Name System to this day is a pretty easy thing for someone to go in and muck around with and cause problems simply because it was designed as a very collegial thing,” he said, adding that “it’s tremendously easy for someone at the ISP level to redirect you around.” For example, in April 2010, the networking hardware that routes Internet traffic sent requests from 15 percent of IP addresses through China, knocking many websites, including U.S. government ones, off-line, according to a Nov. 23, 2010, article by the Massachusetts Institute of Technology’s “Technology Review.”</p>
<h2>&#8220;We haven&#8217;t gotten to the point yet where we&#8217;re all comfortable that there are appropriate protections for things that we would connect to the Internet.&#8221;</h2>
<p>One of the steps Amoroso recommends for improving security is diversification, as opposed to the current practice of interoperability. He acknowledges that interoperability has its advantages, including reduced training costs, ease of use and ease of procurement. But the pros don’t outweigh the cons. Interoperability “is a situation where an attack, a worm, a botnet — some sort of malware — once it finds its way into the enterprise has an almost trivial path to the rest of your infrastructure,” Amoroso said in the AT&amp;T video.</p>
<p>The rise of mobile applications and the ease of simply clicking and downloading an app have further complicated the security puzzle. Gone are the days when no one would insert a disk into a hard drive unless it came in tamper-free shrink wrap from a reputable store. “All of that is broken down now with the concept of an app store,” he said. “Some of us still think about buying a shrink-wrapped copy of Microsoft Office and here it is, I can put my arms around it. It’s mine. It’s not off in Neverland. Kids don’t think that way. I buy shrink-wrapped Office for my kids and they say, ‘Dad, that’s stupid.’”</p>
<h3>Fixing the Information Superhighway</h3>
<p>In “Cyber Attacks: Protecting National Infrastructure,” published in November 2010, Amoroso suggests actions government and commercial leaders can take to improve their security posture, such as separating internal assets, using multiple layers of protection and being aware of indicators that suggest problems before harmful effects are seen. He also offers larger policy recommendations to tackle the difficult work of overlaying security on top of something that was built to be open.</p>
<p>“We haven’t gotten to the point yet where we’re all comfortable that there are appropriate protections for things that we would connect to the Internet,” he said. “One of our goals as an ISP is to get to that point of ubiquitous trust in network infrastructure.”</p>
<p>Security takes time, Amoroso acknowledges, and he cites examples of technological advances whose safety concerns were gradually eliminated. “Lighting fixtures were dangerous things in the early days, and people were very nervous about using AC power,” he said. “Even cars in the early days were relatively dangerous.”</p>
<p>Computer science is still new and therefore open to vulnerabilities, he said, adding that people write software, the building blocks of the cyber world, and human error is inevitable.</p>
<p>“It’s almost as if we were building bridges out of blocks that we knew would fail,” he said. “When you drive up to a bridge, there’s a big sign that says, ‘Wait a minute, before you go over this bridge, you have to click on this I accept button.’ If you read the ‘I accept’ screens for software it says, ‘This really doesn’t work and if there’s a problem, it’s your fault.’”</p>
<p>“Security generally is something that comes in after a particular device, system or infrastructure becomes important,” he said. “As an engineer, I wish security were incorporated in advance because we all know that’s the time to do it, but unfortunately — maybe it’s an American thing, maybe it’s a human thing — we often don’t want security to get in the way of adoption, and that’s happening over and over again.”</p>
<p>Vulnerabilities can run from trivial to potentially catastrophic, as in the case of nuclear power plants, Amoroso said. Ten years ago, engineers with minimal computing knowledge linked dial-up modems to electromechanical controllers to enable remote maintenance and administration.</p>
<p>On the surface, that capability saves workers time and organizations money, but Amoroso pointed out that if workers can access critical infrastructure from home, so can hackers.</p>
<p>“These are extremely intelligent people who run these systems, but they’re not computer scientists and they certainly haven’t been trained in computer security,” he said.</p>
<p>Amoroso is on a mission to adapt security to the existing information superhighway so everyday people can use mobile solutions with confidence. It won’t be easy, but drawing on the 10 principles outlined in his latest book, he believes achieving that kind of assurance is possible. For example, he recommends being discreet about the details regarding your technology, software, systems and configurations to help avoid or at least slow some attacks. He also emphasizes raising awareness among IT managers so that they can understand and recognize the difference between normal activity and potentially dangerous anomalies.</p>
<h3>Geek-Ridden Start</h3>
<p>As a kid in Fort Monmouth, N.J., Amoroso knew two things: He liked computing and he wanted to work at Bell Laboratories. In fact, he said computing is in his DNA. His father was a computer scientist at the Army’s Communications-Electronics Command, and both his brother and sister are computer scientists.</p>
<p>“The whole family is pretty seriously geek-ridden,” Amoroso said. “I grew up in and around the Internet. When I was a young teenager, I was sitting in front of a computer terminal logging into the ARPANet in the mid-’70s, poking around and looking at things, so I always had an interest in computing.” ARPANet — the Advanced Research Projects Agency Network — was the precursor to today’s Internet.</p>
<p>Amoroso fulfilled his dream of working at Bell Labs in 1985 and became one of a small group of people who were paying attention to cybersecurity in that decade. He notes that only about 300 to 400 people attended the annual National Computer Security Conference (now the National Information Systems Security Conference) as recently as the mid-1990s.</p>
<p>“At the time, this security discipline was a sleepy sort of thing where you had some hackers and weirdos doing it and people doing cryptography,” said Amoroso. “I loved it because for the first 10 years of my career I was in the lab. I was in bliss.”</p>
<p>Between studying the ills of cybersecurity and the potential cures, Amoroso continues to revel in technology, particularly how it helps him stay in touch with his daughter, who’s away in college.</p>
<p>“I know my daughter’s schedule. I know what kind of day she’s having,” he said. “Now I have instantaneous, ongoing communication with everybody, which is both good and bad, but the point is that the technology bends to fit our lives.”</p>
<p>Amoroso recognizes that just as his focus has shifted over the years from ballistic missiles to even more nuanced warfare, his children’s generation will continue the fight. But his job today is twofold: filling the security gaps created by a technology that has experienced unprecedented and exponential growth while anticipating and warding off new threats in the increasingly mobile world.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.collaborativegov.org/2012/02/securing-the-airwaves-leadership-profile-of-edward-amoroso-chief-security-officer-att/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Racing for the Advantage: Leadership Profile of Greg Garcia, Former Bank of America and DHS Executive</title>
		<link>http://www.collaborativegov.org/2012/02/racing-for-the-advantage-leadership-profile-of-greg-garcia-former-bank-of-america-and-dhs-executive/</link>
		<comments>http://www.collaborativegov.org/2012/02/racing-for-the-advantage-leadership-profile-of-greg-garcia-former-bank-of-america-and-dhs-executive/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 00:08:55 +0000</pubDate>
		<dc:creator>CGI Initiative for Collaborative Government</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Mobility]]></category>

		<guid isPermaLink="false">http://www.collaborativegov.org/?p=2356</guid>
		<description><![CDATA[Greg Garcia relies on partnerships in the race to stay ahead of the cyber ‘bad guys’ Leadership Home: Winter 2012 &#8230; <a class="morePermalink" href="http://www.collaborativegov.org/2012/02/racing-for-the-advantage-leadership-profile-of-greg-garcia-former-bank-of-america-and-dhs-executive/">More</a>]]></description>
			<content:encoded><![CDATA[<h2><em><a href="http://www.collaborativegov.org/wp-content/uploads/2012/01/garciacropped.jpg"><img class="alignright size-full wp-image-2431" title="garciacropped" src="http://www.collaborativegov.org/wp-content/uploads/2012/01/garciacropped.jpg" alt="" width="334" height="184" /></a>Greg Garcia relies on partnerships in the race to stay ahead of the cyber ‘bad guys’</em></h2>
<hr />
<p><a href="http://www.collaborativegov.org/lead/"><em>Leadership</em> Home: Winter 2012 &#8220;Securing the Mobile Frontier&#8221;</a></p>
<hr />
<p>Greg Garcia is not one to sit and spin his wheels. He thrives on speed, a little danger and the overall chase. So it’s little surprise that the bicycling enthusiast gravitates toward the intersection of information technology security and government policy.</p>
<p>“It’s speed, it’s endurance, it’s tactics, it’s strategy, and then there’s the adrenaline,” Garcia said of IT security. He was referring to the race to stay ahead of what he called the “bad guys” by anticipating their next move, a race that’s ultimately about safety and protection.</p>
<p>Those elements mimic the thrill he gets from cycling: “To be in a peloton of 50 cyclists, wheel to wheel, shoulder to shoulder, going 30 miles an hour, … the idea of sprinting to the finish and leaving the others behind and jockeying for the advantage, it’s a high-speed chess game. It’s tactical, it’s strategic, and it’s fast.”</p>
<p>Despite his love of competition, Garcia is a man who believes in partnerships. For example, from 2009 to December 2011, Garcia served as partnership executive for cybersecurity and identity management at Bank of America.</p>
<p>The bank has 29 million active online banking customers and handles trillions of dollars a day in financial transactions, many of which are done via mobile devices. Garcia’s background gave him an automatic edge in tackling the public/private challenges of the job: His extensive private-sector experience is complemented by stints on Capitol Hill and at the Department of Homeland Security.</p>
<hr />
<p><iframe width="560" height="315" src="http://www.youtube.com/embed/8MbMCzvCeQg?rel=0" frameborder="0" allowfullscreen></iframe></p>
<h6>CGI Initiative Fellow Barbara Fast discusses &#8220;Racing for the Advantage&#8221; profile of banking and homeland cyber executive Greg Garcia from &#8220;Securing the Mobile Frontier,&#8221; the Winter 2012 edition of <em>Leadership</em>.</h6>
<hr />
<p>From 2006 to 2009, he served as the first assistant secretary of cybersecurity and communications at DHS. Earlier in the decade, he served on the professional staff of the House Science Committee, where he helped write the Cyber Security Research and Development Act of 2002. The law gave cybersecurity efforts a much-needed boost by providing nearly $1 billion in federal research funding to colleges and universities.</p>
<p>Along the way, Garcia has held leadership roles at prominent technology associations and his own consulting firm, where he advised companies that want to contribute to the national cybersecurity mission.</p>
<h3>Securing ‘Mobile Everything’</h3>
<p>Garcia has maintained his cadence in a race without a finish line. He has learned to be proactive and reactive to technology’s constant and lightning-quick evolution. Mobile technology is just the latest frontier. Mobile devices are becoming the preferred mode of communication for many people. As evidence, a recent Pew Internet and American Life Project study found that 87 percent of smart phone owners access the Internet or e-mail via their handheld devices, with two-thirds of them doing so on a typical day. Furthermore, 25 percent of smart phone owners say they mostly go online using their phone rather than a computer.</p>
<p>With the demand for mobile capabilities comes the need for fast-adapting security. Indeed, keeping up with a proliferation of applications and features that have no central owner is one of Garcia’s main challenges.</p>
<p>“What’s developing is mobile everything — mobile computing, mobile identities, mobile banking,” he said. “Many customers are rightfully cautious when it comes to financial services on a mobile platform. But I think the demand will continue to grow. We’ve got to meet that challenge and bring the bank to the customers in ways that are convenient and secure.”</p>
<p>To do it, he uses an old standby — partnerships. At the fundamental level, he said device and software developers need to include security in their frameworks. “We need to continually impress upon vendors that as customers, we demand high security so customers aren’t given devices or apps that are fundamentally insecure,” Garcia said.</p>
<h2>&#8220;I think we need to be concerned mostly about the kinds of attacks that have the rippling effects that can cause loss of confidence in the Internet as a mode of doing business.&#8221;</h2>
<p>Next, the commercial sectors must work together on cybersecurity. Beginning in 2003, the government called on various industries to work together to protect critical infrastructure and collectively find and eliminate vulnerabilities.</p>
<p>“The financial sector works very well together for one particularly compelling reason, and that is that we don’t look at cybersecurity in competitive terms,” Garcia said. “You might think that’s counterintuitive. Wouldn’t one bank want to say, ‘Hey, we’re more secure. We keep your money more secure than the next bank’? In cybersecurity, it’s not as easy to say that, and it’s because we are all interconnected. Banks realize they are all targets.”</p>
<p>Lastly, industry and the government must join forces. Threats range from hackers who are simply curious to those who are politically motivated, as well as cyber criminals and cyber spies. It’s impossible for one entity to monitor them all.</p>
<p>“What everyone should know is that the policy and business as they relate to cybersecurity go hand in hand,” Garcia said. “Because we are in the world of technology and the Internet and security, we’re all interconnected, and if we’re all interconnected, we’re all interdependent. And if we’re all interdependent, it means we’d better be working together and collaborating and sharing the kinds of cybersecurity information and best practices that we can deploy to protect ourselves collectively. Information that isn’t shared is useless.”</p>
<p>“There is a fundamental understanding that major financial institutions that manage financial transactions over a technology network have a responsibility to partner with, coordinate with, collaborate with the government, with other financial institutions, with other industry sectors to be sure that collectively we’re not missing anything, that we’re able to join forces and share with each other so we have a common operational picture about what’s happening — not just in day-to-day cyberattacks, incidents or probes but what’s happening over time,” he said.</p>
<h3>The Cost of Safety</h3>
<p>Cybersecurity is important to any industry, but the financial sector banks on it; people need to know that their money is safe. With that in mind, Bank of America and other leading banks have instituted $0 liability protection for any fraudulent activity originating from online banking.</p>
<p>“I’m not concerned that we have something called a cyber Pearl Harbor that’s going to break down the Internet,” he said. “I think we need to be concerned mostly about the kinds of attacks that have rippling effects that can cause loss of confidence in the Internet as a mode of doing business.”</p>
<p>“I am concerned about what we cannot see,” he added. “This is where connecting the dots, as it were, in cyberspace is so critically important, where we have the ability of government and industry to share the kind of information that’s going to protect us.”</p>
<p>The challenge lies in making that sharing routine and the relationship natural. Garcia said we need to move beyond the past need-to-know mindset and embrace the need to share. “That’s a cultural shift more than anything else. It’s something that takes time and commitment.”</p>
<p>Of course, cybersecurity requires resources, too, which Garcia says is an ongoing challenge even when budgets aren’t tight. “It is often difficult to prove the negative,” he said. To illustrate, he describes a typical conversation: “‘Boss, we invested a million dollars in a security strategy, and we haven’t had any cyberattacks.’ And the boss says, ‘Is that because we invested a million dollars or is that just because we were lucky? Prove it to me.’”</p>
<p>To demonstrate the value of cybersecurity, Garcia turns again to joining forces by presenting a plan to managers that compels them to get onboard. “One way to look at it is to go through risk-based scenarios, do the what-ifs,” Garcia said. Once you do that, it’s easy to show that cyberattacks can affect every aspect of a company and its customers.</p>
<p>“I think any reasonable company can look across the threat environment in this country today and say the likelihood of a cyberattack happening against us is pretty good now because it’s proliferating, because it’s big business, because people can buy hacking tools online now. They’re freeware and open source.”</p>
<h3>Connecting Government and Industry</h3>
<p>Garcia began his career with a focus on business. He earned a bachelor’s degree in international business from San Jose State University in 1985. Interestingly, the school’s motto is “Powering Silicon Valley,” America’s technology heartland.</p>
<p>Ultimately, innovation attracted Garcia to technology, and government service attracted him to security. He joined the House Science Committee a week after the terrorist attacks of Sept. 11, 2001.</p>
<p>“I came into the technology field seeing how government policy, whether it’s legislative or regulatory, can affect the success of business generally and technology innovations specifically,” he said. “I knew early on that I wanted to be at that connect point where I could influence how government thinks about technology and make sure the technology industry was prepared for changes in government policy and that it can contribute to economic growth.”</p>
<h2>&#8220;What gives me energy are the people who understand that collaboration isn&#8217;t just a word, it&#8217;s a path to success.&#8221;</h2>
<p>He spent almost two years working with the Science Committee to promote political outreach to the IT community, but his proudest accomplishment at that time was helping to author and enact the Cyber Security R&amp;D Act.</p>
<p>“I had come from the technology community to the Science Committee to do my part, and the first piece of legislation I ever wrote became law,” Garcia said. “Probably not a lot of congressional staffers can claim that notch in their belt.”</p>
<p>When he left the Science Committee in April 2003, he affirmed that commitment by becoming vice president of information security programs and policy at the IT Association of America. He resigned from that position when President George W. Bush asked him to join DHS.</p>
<h3>Cybersecurity Czar</h3>
<p>When Garcia was appointed assistant secretary of cybersecurity and communications at DHS in October 2006, then-DHS Secretary Michael Chertoff said, “Greg brings the right mix of experience in government and the private sector to continue to strengthen our robust partnerships that are essential to this field.”</p>
<p>Again, the word “partnership” appears. At first, Garcia felt inundated, but he pedaled through and found his rhythm.</p>
<p>“Shortly after I was appointed, somebody had sent me a link that went around the Internet and somebody had created a video that said, ‘If you were Greg Garcia, what would you do?’” Garcia said. “I actually listened to it and took some advice from these people. There was a big spotlight on me. It was a spotlight I certainly didn’t shrink from, but I rapidly realized that cybersecurity was becoming a very hot topic, and so there certainly was no shortage of federal government agencies that rightly had something to say about it.”</p>
<p>When Garcia took the job at DHS, he became the highest ranking cybersecurity official in the government and was referred to as the cybersecurity czar until Howard Schmidt was appointed cybersecurity coordinator at the White House.</p>
<p>As the first person to hold the position at DHS, Garcia had the opportunity to shape it. Top of his to-do list was — what else? — to partner with government agencies that had a variety of responsibilities, such as defense, diplomacy and law. Chief among his partnership initiatives was the so-called “Einstein” intrusion-detection program that enabled Garcia’s Computer Emergency Readiness Team, or US-CERT, to help government agencies protect their networks from cyberattacks that were increasingly targeting sensitive government data. Garcia also collaborated with the Defense Department’s Joint Task Force for Global Network Operations on threat data sharing and with the Federal Trade Commission on consumer awareness about cyber crime and security tips.</p>
<p>“I think those relationships are evolving within the government,” he said. “We’ve come a long way since the time I kicked it off with DHS, so I have only optimism for the future.”</p>
<p>During his two-plus-year tenure at DHS, Garcia oversaw the National Cyber Security Division, the National Communications System and the Office of Emergency Communications, where he helped establish a National Emergency Communications Plan and 56 plans for federal, state and local first responders.</p>
<p>When he left DHS in December 2008, he e-mailed colleagues at the department: “We have affirmed the urgency of cybersecurity across the nation and embarked on a comprehensive cyber initiative that will measurably strengthen the security of our nation’s networks against domestic and international threats.”</p>
<p>Three years later, he said DHS is still on the right track. “DHS is recognized as the principal interface between the government and industry as it relates to cybersecurity, and they need to strengthen that role and make sure they take leadership in that area,” he added.</p>
<p>After shifting gears between industry and government work, Garcia is happy to be back in the private sector. “I see dedicated people in both worlds,” he said. “What gives me energy are the people … who understand that collaboration isn’t just a word, it’s a path to success. And I saw it in government, at Homeland Security. There are people who are still there who were on my team at DHS and are still dedicated because they believe in it.”</p>
<p>“We often find ourselves in professions that we fall into, but I love what I’m doing,” he added. “I’m part of something bigger than myself.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.collaborativegov.org/2012/02/racing-for-the-advantage-leadership-profile-of-greg-garcia-former-bank-of-america-and-dhs-executive/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Connected for Battle: Leadership Profile of Lt. Gen. Susan Lawrence, CIO/G6 United States Army</title>
		<link>http://www.collaborativegov.org/2012/02/connected-for-battle-leadership-profile-of-lt-gen-susan-lawrence-ciog6-united-states-army/</link>
		<comments>http://www.collaborativegov.org/2012/02/connected-for-battle-leadership-profile-of-lt-gen-susan-lawrence-ciog6-united-states-army/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 00:06:46 +0000</pubDate>
		<dc:creator>CGI Initiative for Collaborative Government</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Mobility]]></category>

		<guid isPermaLink="false">http://www.collaborativegov.org/?p=2372</guid>
		<description><![CDATA[Lt. Gen. Susan Lawrence leads the Army’s charge to go mobile, secure its networks and protect its information Leadership Home: &#8230; <a class="morePermalink" href="http://www.collaborativegov.org/2012/02/connected-for-battle-leadership-profile-of-lt-gen-susan-lawrence-ciog6-united-states-army/">More</a>]]></description>
			<content:encoded><![CDATA[<h2><em><a href="http://www.collaborativegov.org/wp-content/uploads/2012/01/lawrencecropped.jpg"><img class="alignright size-full wp-image-2434" title="lawrencecropped" src="http://www.collaborativegov.org/wp-content/uploads/2012/01/lawrencecropped.jpg" alt="" width="338" height="182" /></a>Lt. Gen. Susan Lawrence leads the Army’s charge to go mobile, secure its networks and protect its information</em></h2>
<hr />
<p><a href="http://www.collaborativegov.org/lead/"><em>Leadership</em> Home: Winter 2012 &#8220;Securing the Mobile Frontier&#8221;</a></p>
<hr />
<p>When Susan Lawrence quit her waitressing job in her hometown of Ida Grove, Iowa, to enlist in the Army, smart phones and network-centric warfare were not part of the common vernacular.</p>
<p>Lawrence enlisted in what was then the Women’s Army Corps one week after her 18th birthday, specializing in home economics, typing and shorthand. Today, Lawrence is a lieutenant general and chief information officer of the Army overseeing a $10 billion information technology budget.</p>
<p>Throughout her Army career, where she has commanded at every level from platoon to signal command, Lawrence said she has relished challenging assignments. And her current job is no exception.</p>
<h3>A Sea Change</h3>
<p>The Army is in the throes of a modernization effort that will transform the way it develops, buys and fields new technology. The plan centers on creating a capable, reliable and trusted network that allows the Army to collaborate with anyone anywhere in the world and provide every soldier access wherever they are.</p>
<p>This will be a sea change for the Army, which has been spending time and money on multiple networks that don’t talk to one another, data that is hard to access and technology that takes too long to acquire and field, Lawrence said.</p>
<p>“You cannot share information across 30-plus networks,” she said. “They are all built differently with different standards with different configurations. We will have to direct the standards, direct the configurations and direct the common operating environment.”</p>
<p>The Army, like other government organizations, is being forced to do more with less, which means that it can only afford one networking environment, and that is the LandWarNet. “We’ve talked about it for a long time, but we have never enforced it,” Lawrence said.</p>
<p>Cybersecurity underpins everything in the Army’s modernization plans. It is a challenging opportunity, Lawrence said, because the Army has to balance the need for sharing information with the need for protecting the information.</p>
<hr />
<p><iframe width="560" height="315" src="http://www.youtube.com/embed/VHxUw-MIR_Y?rel=0" frameborder="0" allowfullscreen></iframe></p>
<h6>CGI Initiative Fellow Barbara Fast discusses &#8220;Connected for Battle&#8221; profile of Lt. Gen. Susan Lawrence of the U.S. Army from &#8220;Securing the Mobile Frontier&#8221; the Winter 2012 edition of Leadership.</h6>
<hr />
<p>In Congressional testimony in April, Teri Takai, Defense Department CIO, said that DOD networks are under constant attacks from cybersecurity threats launched from the Internet and malicious software embedded in e-mail attachments or removable media. DOD spends more than $2 billion a year on information assurance and cybersecurity.</p>
<p>Some of the plans the Army has on tap to counter those threats include enabling constant monitoring of machine-to-machine activity, reducing the number of access points into the network by creating regional hubs, giving each person a single identity on the network so they can access data from anywhere even via a handheld device from the field, and moving data to the cloud.</p>
<p>Constant monitoring automatically flags anomalies on the network, similar to when a credit card company calls to check on suspicious charges on an account. It is easier to monitor five regional hubs, Lawrence said, than it is to monitor numerous access points.</p>
<p>“It takes very little money to attack us in the cyber environment,” she said. “You just need a computer and to be hosted somewhere. So that’s why those kinds of monitoring and architecture reviews are important.”</p>
<h3>Data Access from Anywhere</h3>
<p>The Army has just finished setting up its fifth regional hub node at Camp Roberts, Calif. Using a suitcase-size satellite terminal, soldiers can connect to one of those regional hub nodes from anywhere in the world and have access to their network and data. Soldiers in Afghanistan are testing droid-like devices that connect to LandWarNet via a secure tactical radio. The devices, which they wear on their sleeves, give them real-time reports and data so they know, for instance, where enemy or friendly forces are.</p>
<p>“Whether it is a squad going out on a humanitarian effort or an entire division in major combat operations, you will connect to the network and your data will be there,” Lawrence said.</p>
<p>Having an end-to-end network also helps the Army maintain continuity in wartime situations. For instance, before the 82nd Airborne Division deployed to Afghanistan, the Army installed the Afghan mission network in Gen. James Huggins’ headquarters, Lawrence said.</p>
<p>“He wasn’t on the tactical network, he was on THE network,” she said. “Every day he had the operational update and the intelligence update, and he knew exactly what his mission was going to be when he landed in Afghanistan because he was part of it every single day.”</p>
<hr />
<p><a href="http://www.collaborativegov.org/wp-content/uploads/2012/02/Soldier.png"><img src="http://www.collaborativegov.org/wp-content/uploads/2012/02/Soldier.png" alt="" title="Soldier" width="496" height="312" class="aligncenter size-full wp-image-2756" /></a></p>
<h6>Soldiers in Afghanistan are testing droidlike devices that connect to LandWarNet via a secure tactical radio.  The devices, which they wear on their sleeves, give them real-time reports and data so they know, for instance, where enemy or friendly forces are.  <em>Image courtesy of the U.S. Army.</em></h6>
<hr />
<p>Having a single identity on the network makes it easier and safer to access data from anywhere. DOD’s Common Access Card provides that single identity to Army employees and gives them access to their e-mail and other data on the network, no matter where they are located.</p>
<p>The Army is testing a plan to allow users to connect their personal mobile device to the network using the CAC as a means of identification and authentication. Because the Army has embraced virtualized computing, the data is kept in the cloud, not on an individual device or a server under a desk, which improves security.</p>
<p>“You connect to the network, we authenticate it’s you, we scan your device so we can be sure there is no virus or malware on it, and then you have access to your authorized portion of the cloud,” Lawrence said. “At the end of the day, when you unplug, that data stays in the cloud. If you lose your Droid, we don’t care because our data is not there. It remains in the cloud. That will go a long way to securing our information.”</p>
<h3>“Disciplining Ourselves into Compliance”</h3>
<p>Taking personal responsibility for network security is also essential, Lawrence said. “When you read about our security infractions, it’s almost always because someone did not follow policy or procedures,” Lawrence said. “Disciplining ourselves into compliance is a big part of what we must do in security operations. I am glad we are recognizing it for what it is. It is a warfighting domain; it is a threat.”</p>
<p>Another important effort is under way to introduce new technology such as mobile devices and wireless technology into the Army much faster through Network Integration Evaluations, which take place at Fort Bliss twice a year. During the evaluations, the Army tests products to see if they can fill a capability or technology gap. For instance, at the last test, the Army found a commercial product that solved a radio interoperability problem.</p>
<h2>&#8220;If we build this environment and it doesn&#8217;t meet the needs of what our soldiers and leaders need, then we won&#8217;t get it right.&#8221;</h2>
<p>“We have to acquire IT much faster than we do today,” Lawrence said. “Today we are held under the same standards and regulations for how we acquire a tank or a helicopter, and as we all know, IT turns over every 12 to 24 months.”</p>
<p>How security is incorporated into the network is part of the exercises. “If you think about security as an afterthought, it will never be secure,” Lawrence said. “Security has to be in the design of a product from the very beginning or we won’t achieve what we want to achieve.”</p>
<p>However, all those efforts will be futile without enforcement of a common operating environment. As a result, the Army is directing the LandWarNet architecture and standards “so everybody can’t bring their own products and build their own environment,” Lawrence said.</p>
<p>At one point, the Army had 13 types of handheld devices and 28 network management tools on the network. “When you are trying to put together a network with 28 different network management tools, it’s almost impossible,” she said. The Army also plans to reduce its network applications — mainly old applications — by 30 percent to 50 percent.</p>
<p>Those are lofty goals, and Lawrence knows it won’t be easy. “Sometimes it’s hard for someone to understand, but it will make their lives easier,” she said. “It will make industry’s lives easier if we publish these standards.”</p>
<h3>Out of The Comfort Zone</h3>
<p>Change comes with the territory. Lawrence has a sign hanging in her office that reads: “Change is good. You go first.” But the Army’s shrinking budget will act as a great motivator. The secretary of the Army has tasked Lawrence to return $1.5 billion to the Army by fiscal 2015. Where will the savings come from? Enterprise e-mail will give back about $100 million annually, data center consolidation will return another $100 million, and enterprise licensing will save millions. This is just a start.</p>
<p>But despite all the efforts to become more efficient, Lawrence points out that in the Army, overall mission accomplishments and effectiveness outweigh efficiencies. “Everything I am doing is not necessarily about efficiencies. It’s about building an interoperable network that can collaborate with our partners and being able to secure our networks and protect our information. The great second order of effect is that we are gaining efficiencies as we’re doing it.”</p>
<p>It’s also important to understand and try to meet users’ needs, Lawrence said. “If we build this environment and it doesn’t meet the needs of what our soldiers and leaders need, then we won’t get it right. They want mobile devices on the network. I hear them. I got it. Now how are we going to do it while securing our networks and protecting our information?”</p>
<p>Being a good listener is important to Lawrence, and she is in constant contact with the senior civilians and colonels “who really run the organization” to get them to think strategically. One of the ways she has learned from her bosses: “They never let me get into my comfort zone. They always pushed me into something bigger and better than just doing my job. Now I say to my team, ‘I will never let you stay in your comfort zone.’”</p>
<p>Every week she asks her young leaders to tell her three things they did to make the Army a better Army. Although it was hard at first, they are catching on, Lawrence said. “I think most of them realized how important they are to our success. If we’re going to be successful in the CIO’s office and do all the things we’ve been asked to do, it will be because of them.”</p>
<p>It’s important to share ideas as the Army goes through its changes. “The thing that has been the best for me is my collaboration with my partners in industry, in academia and in the other services. I don’t need to learn the lessons again if they already have,” Lawrence said. “In fact, I redesigned one of my directorates based on the Air Force and how they look at their enforcement of policies. So the time I spend with those individuals is very important.”</p>
<p>Lawrence knows that her job requires perseverance, something she understands intimately.</p>
<p>She has served in operational assignments in Europe, Korea, Southwest Asia and the United States and has held positions in three different divisions, two corps, and now as CIO/G6. During this time, she earned her bachelor of science degree from Campbell University in North Carolina and a master’s degree in information systems management from the University of Georgia. She is also a cancer survivor.</p>
<p><a href="http://www.collaborativegov.org/wp-content/uploads/2012/02/Lawrenceimage.jpg"><img src="http://www.collaborativegov.org/wp-content/uploads/2012/02/Lawrenceimage.jpg" alt="" title="Lawrenceimage" width="360" height="272" class="alignleft size-full wp-image-2753" /></a>When Lawrence was going through her cancer treatments, her team commissioned a mosaic that sits framed in her office. It depicts her life story from when she enlisted in the Army up until she made general.</p>
<p>Still, Lawrence hesitates to take all the credit for her success. “How did I get here? I worked with some fabulous people and I had bosses who had a lot of faith and confidence in me and continued to challenge me,” Lawrence said. “As an 18-year-old private at Fort Leavenworth, Kansas, to even dream of being the CIO at the U.S. Army was impossible.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.collaborativegov.org/2012/02/connected-for-battle-leadership-profile-of-lt-gen-susan-lawrence-ciog6-united-states-army/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Open Warfare: Leadership Profile of Peter Levin, CTO, Department of Veterans Affairs</title>
		<link>http://www.collaborativegov.org/2012/02/open-warfare-leadership-profile-of-peter-levin-cto-department-of-veterans-affairs/</link>
		<comments>http://www.collaborativegov.org/2012/02/open-warfare-leadership-profile-of-peter-levin-cto-department-of-veterans-affairs/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 00:04:34 +0000</pubDate>
		<dc:creator>CGI Initiative for Collaborative Government</dc:creator>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Mobility]]></category>

		<guid isPermaLink="false">http://www.collaborativegov.org/?p=2366</guid>
		<description><![CDATA[The VA&#8217;s Peter Levin believes openness, not secrecy, is the key to mobile security Leadership Home: Winter 2012 &#8220;Securing the &#8230; <a class="morePermalink" href="http://www.collaborativegov.org/2012/02/open-warfare-leadership-profile-of-peter-levin-cto-department-of-veterans-affairs/">More</a>]]></description>
			<content:encoded><![CDATA[<h2><em><a href="http://www.collaborativegov.org/wp-content/uploads/2012/01/levincropped.jpg"><img class="alignright size-full wp-image-2439" title="levincropped" src="http://www.collaborativegov.org/wp-content/uploads/2012/01/levincropped.jpg" alt="" width="338" height="184" /></a>The VA&#8217;s Peter Levin believes openness, not secrecy, is the key to mobile security</em></h2>
<hr />
<p><a href="http://www.collaborativegov.org/lead/"><em>Leadership</em> Home: Winter 2012 &#8220;Securing the Mobile Frontier&#8221;</a></p>
<hr />
<p>As chief technology officer at the Department of Veterans Affairs, Peter Levin is responsible for the cybersecurity of the largest medical system in the United States and the second largest federal agency. His job involves helping to facilitate and secure the flow of personal health information among the VA employees at hundreds of hospitals, clinics and offices nationwide, and making that information available electronically to the 21.9 million veterans and their families who depend on the VA for their medical care. Medical professionals and veterans are increasingly seeking to access that information via mobile devices, which raises new concerns about privacy.</p>
<h2><a href="http://www.collaborativegov.org/wp-content/uploads/2012/01/blue_button.jpg"><img class="alignleft size-full wp-image-2510" title="blue_button" src="http://www.collaborativegov.org/wp-content/uploads/2012/01/blue_button.jpg" alt="" width="189" height="188" /></a>&#8220;What the success of Blue Button really is indicative of is not the overall quality or insight of the program, it&#8217;s the absolute, acute need of people to get access to their data.&#8221;</h2>
<p>Appropriately, Levin has come to think about cybersecurity and mobility in a biological sense, with a focus on minimizing the threat of an intruding antibody.</p>
<p>“You want to surround the threat that you know is going to get in, just like your body knows it will be infected someday, it just doesn’t know when and it doesn’t know how,” he said. “But it has, over millennia, developed an extraordinarily effective response to disease. It’s a biological example, but it’s a metaphor that translates well to electronic threats in the context of network security.”</p>
<hr />
<p><iframe width="560" height="315" src="http://www.youtube.com/embed/tbnJsCmTnS4?rel=0" frameborder="0" allowfullscreen></iframe></p>
<h6>CGI Initiative Fellow Barbara Fast discusses &#8220;Open Warfare&#8221; profile of the Dept. of Veterans Affairs&#8217; Dr. Peter Levin from &#8220;Securing the Mobile Frontier&#8221; the Winter 2012 edition of <em>Leadership</em>.</h6>
<hr />
<p>He has a less-than-conventional vision for creating a mobile, agile VA while ensuring the security of millions of personal records in the cloud and in telemedicine. “My vision is not that we’re going to be perfectly secure,” he said with characteristic honesty. Instead, he is working to defend against scalable breaches using a “configurable, nuanced, rapid response that’s triggered by the detection of intrusion.”</p>
<p>That realistic viewpoint is behind the VA’s groundbreaking effort to securely add smart phones and tablet PCs to its network. In October 2011, the department issued a request for information for vendors to help build a national mobile device management (MDM) system that would allow at least 10,000 and as many as 100,000 mobile devices running iOS, Android and Windows operating systems to securely connect to the VA’s network — the largest such deployment in the federal government.</p>
<p>MDMs manage and protect information from a central location, which VA officials said will be in the cloud for their system. The devices will be managed remotely and provide encryption and reporting capabilities so VA officials can keep track of the devices while enforcing the department’s security, management and other policies. The MDM system will also allow iOS devices to connect to a VA app store where users can download applications.</p>
<h3>Security Through Openness</h3>
<p>As the VA and the veterans it serves expand their use of mobile devices, Levin applies an unexpected twist to secure the software and data they access: He is a vocal advocate of open-source technology development and the open sharing of health data. That perspective is grounded in the knowledge that security breaches happen in large numbers on a daily basis. The VA is particularly vigilant about the issue, given the 2006 breach in which 26.5 million personal records were compromised when a laptop computer was stolen from a contractor’s home. The incident led to a re-examination of cybersecurity policies governmentwide and to the VA sending Congress monthly updates on its security efforts.</p>
<h2>&#8220;Proprietary systems are the ones that are inherently more vulnerable because if you think that there aren&#8217;t people who are trying to break into those systems just as much, you&#8217;re wrong.&#8221;</h2>
<p>As a result, VA officials including Secretary Eric Shinseki and Deputy Secretary W. Scott Gould have undertaken a big push to shore up the agency’s information technology system in recent years. Part of that effort involved naming Levin CTO and senior adviser to Shinseki in May 2009 and increasing his influence, as well as that of Chief Information Officer Roger Baker, who is responsible for the agency’s operational IT requirements.</p>
<p>Those moves have borne results. In September, Levin was justifiably proud that President Barack Obama had publicly referred to three breakthroughs in which Levin had played a key leadership role: the Blue Button program, which gives veterans access to their health information and allows them to share it with doctors outside the VA; the progress being made on processing a backlog of claims, some dating to the Vietnam War, via an innovation competition; and definitive steps toward the long-standing goal of creating a single electronic health record (EHR) for military service members to be shared between the Department of Defense and the VA.</p>
<p>Still, Levin knows that plenty of work remains. For example, the VA is enabling the 134,000 medical professionals who work at 152 VA hospitals to securely access patient records using mobile devices and cloud-based applications through a groundbreaking initiative Levin led: a platform for improving veterans’ EHRs called the Open Source Electronic Health Record Agent. The system’s underlying principle is in keeping with what Levin said is a key tenet of his approach to cybersecurity: Open-source development offers the fastest, safest and most transparent way to accelerate progress.</p>
<p>“The reason you do open source is because you level the playing field,” he said. “You make it completely transparent, and you make it so anyone can participate. Those three factors, combined with a standards-based, openly architected, modular system, will keep you on the cutting edge.”</p>
<h3>Public Servant, Private-Sector Mentality</h3>
<p>Levin relishes the challenge of balancing openness and security. After all, he has built a career on doing the unexpected. The Washington, D.C., native didn’t have much interest in school until he realized he was better at math than he thought. He went on to study electrical and computer engineering at Carnegie Mellon University, conduct post-doctoral research at the Technical University of Munich, and eventually become associate dean for research at Boston University’s College of Engineering. Today, he is a consulting professor of aeronautical and astronautical engineering at Stanford University.</p>
<p>Along the way, he spent many years as a successful tech entrepreneur in the private sector, including the semiconductor industry, which lies at the heart of all computerized technology.</p>
<p>Levin has never taken the easy road. At Carnegie Mellon, he wrote a simulation program for electromagnetic field theory, which, for most people, is the least enjoyable part of an engineering curriculum, he said.</p>
<p>“So, of course, that’s what I wanted to do,” Levin said. “The thing that nobody wanted to do is what I absolutely had to do.”</p>
<p>That drive paid off. Working in collaboration with Professor Jim Hoburg, Levin wrote a program that attracted the attention of Hans Steinbigler, a pioneer in the field of simulation programming. Steinbigler invited Levin to do his post-doctoral research in Germany.</p>
<p>After completing his studies, he went into private industry, where he was founding chief executive officer of the cybersecurity software company DAFCA Inc. and executive director of Astaro, an Internet security company based in Karlsruhe, Germany. Shortly before joining the VA, he co-founded and led an award-winning semiconductor software design company and was a partner in a venture capital firm based in Dusseldorf, Germany.</p>
<p>It was serendipity that brought Levin to the VA. In 2008, he escorted a close friend who was receiving an award at the White House and met James Peake, then VA secretary, in the Green Room.</p>
<p>“I asked a question about the lack of telemedical services offered,” Levin said. “It happened to be on my mind.”</p>
<p>Shortly after Obama won the presidential election, Levin got a call from Peake asking to meet with him. After learning everything he could about telemedicine and distilling it into a few PowerPoint slides, Levin went to the VA headquarters in downtown Washington, D.C., for the first time.</p>
<p>“I had to look it up on a map,” Levin said. “I had no clue where it was. I had never served in uniform. What do I know about health care delivery? I’m a semiconductor guy.”</p>
<p>The opportunity Peake offered was one Levin couldn’t pass up.</p>
<p>“You can imagine my grandmother’s small apartment in Forest Hills, with the gold-framed iconic picture of Franklin Roosevelt,” Levin said. “Math and science were an expedient way to education, to make money. But I still believe that the best thing you can do is care for the public interest.”</p>
<p>That lifelong affinity for politics and government has found expression in the CTO position, where Levin guides improvements in veterans’ health and benefit services “by promoting a deeply collaborative culture, renovating business processes and leading the development of new technology platforms,” he said.</p>
<h3>Going for the Layups</h3>
<p>Levin arrived at the VA in June 2009 with a strategy for establishing leadership early on. In close cooperation with the secretary, deputy secretary, chief of staff and CIO, Levin decided to go after the “layups.” Inspired by the strategy Peter Sims outlines in his book “Little Bets: How Breakthrough Ideas Emerge from Small Discoveries,” Levin wanted to build momentum for transformational change by systematically taking small, exploratory steps and being open to new ideas along the way.</p>
<p>“He wrote down my playbook,” Levin said of Sims. “It’s exactly what I did and still do — not try to boil the ocean or solve every problem in the first two weeks.”</p>
<p>Levin said his first layup was not in an area his bosses expected. “For personal reasons, I was keenly focused on suicide prevention,” Levin said, referring to the fact that he lost many family members to the Holocaust and knows that survivors and their descendants have high rates of suicide, divorce and mental illness. “For me, that was a place where a morally transcendent problem met personal interest, met the opportunity to actually do something meaningful and worthwhile quickly.”</p>
<p>He proposed augmenting the Veterans Crisis Line with an anonymous online chat service for veterans who didn’t feel comfortable talking on the telephone. One month later, the service was a reality.</p>
<p>“With Roger Baker’s help, we got that stood up quickly, and today we have had more than 3,000 interventions,” Levin said. “It’s hard to say how many would have led to tragedy, but I bet it’s more than one. In my faith tradition, if you save one, you save the world.”</p>
<h3>Acute Need for Data</h3>
<p>After that, Levin turned to what he describes as an “almost trivial project called Blue Button” — a Web-based feature that allows patients to download and share their health information with health care providers, caregivers and others they trust. Blue Button is a collaborative effort with the Department of Health and Human Services’ Centers for Medicare and Medicaid Services, DOD and the Markle Foundation, a private, not-for-profit philanthropic organization.</p>
<p>Many colleagues advised Levin against confronting layers of bureaucracy and red tape to unify data from different platforms in a single, accessible, user-friendly format. But Levin feels strongly that veterans should be able to access their data, and he said he won approval from the secretary to “just try to drill a hole through the fortress.”</p>
<p>Levin told Shinseki he’d have 20,000 to 25,000 users within a year. “He looked at me kind of sternly and said, ‘That’s a big number. Just make sure you hit it,’” Levin recalled. Blue Button had 25,000 users within six weeks.</p>
<p>Since launching in October 2010, the system has attracted more than 500,000 users and has been adopted by major health insurance companies such as Aetna and UnitedHealth Group. Still, Levin insists that Blue Button is merely a good platform that “a freshman at any junior college could have come up with.”</p>
<p>Others view it less modestly. At a recent Consumer Health IT Summit sponsored by the Department of Health and Human Services, Dr. Donald Berwick, administrator of the Centers for Medicare and Medicaid Services, called Blue Button “iconic and magical.”</p>
<p>“What the success of Blue Button really is indicative of is not the overall quality or insight of the program,” Levin said. “It’s the absolute, acute need of people to get access to their data, and that’s why you’re seeing it run like this.”</p>
<p>The program is revolutionizing the approach that has been in place since 2004 when HHS’ Office of the National Coordinator for Health IT proposed a national infrastructure that would let health providers share information.</p>
<p>The office’s model is “institution to institution or provider to provider, and Blue Button shows up frankly as an idea that nobody thought of,” Levin said. “What about the voice of the patient? What about the patient&#8217;s access to data? What we&#8217;re discovering to our delight is that patients want to be involved.”</p>
<p>Blue Button downloads health information in a simple text file or enhanced PDF that can be read, printed or saved on any computer. Implementing it raised several security concerns, however. Because thousands of veterans would be downloading their personal health data via mobile devices, Levin used encryption technology to protect the data as it moves between VA’s secure MyHealtheVet system and other data assets. That way, any breach that might occur would at least be containable.</p>
<p>Levin acknowledges that favoring transparency comes with risks. “There were folks who were nervous about it, and there are still plenty of them,” he said. “They’re jittery for a reason, but that was the choice we made.”</p>
<p>It came down to a fundamental policy choice. “Are you going to give them the information that they asked for, even if there’s a cybersecurity risk, which you can train them to remediate or at least to lessen?” he asked. “Or are you not going to give them the info and tell someone who carried a gun in your name, who shot bullets to defend your liberty, that you are not going to have access to your information because we don’t think you’re smart enough to keep it private?”</p>
<p>The argument proved compelling, Levin said.</p>
<h3>“More Eyes, More Brains, More Secure”</h3>
<p>As recently as three years ago, the VA did not have a Facebook page or a Twitter account for keeping in touch with its constituency. Today, the department’s Facebook page is one of the most popular in the federal government, with more than 143,000 friends. Levin often reads the comments to keep tabs on how people perceive his work.</p>
<p>In one case, intuition told him that a veteran was in trouble, and he decided to reach out to the man from his private e-mail account. The man replied, and the two have become close correspondents.</p>
<p>“To make a long story short, we write to each other very often, and I rely on him for a lot of things, not the least of which is to tell me what’s really going on,” Levin said. “How does a Vietnam-era veteran see the things that I think are so transformational, so earth-shaking and important that I interrupted my career, moved my family, and maniacally, obsessively devoted myself to the care of veterans?”</p>
<p>Looking forward, he intends to forge ahead with his open-source plans, though he says the term “open source” is misleading. “It implies that because the code is exposed, you’re inherently more vulnerable to hackers exploiting something that you haven’t discovered yourself. And what is scientifically known, well-studied, quantified and stress-tested is that exactly the opposite is true. Proprietary systems are the ones that are inherently more vulnerable because if you think that there aren’t people who are trying to break into those systems just as much, you’re wrong.”</p>
<p>Levin sees open-source development as an important way to anticipate and defend against the unexpected in the ever-evolving mobile frontier. “Open source has the added advantage that you’ve got a lot of people looking at it at the same time,” he said. “It really is a blunt-instrument argument: more eyes, more brains, more secure.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.collaborativegov.org/2012/02/open-warfare-leadership-profile-of-peter-levin-cto-department-of-veterans-affairs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

