VanRoekel on Infosec and Sequestration
Federal CIO Says Smart Spending Should Keep Gov't IT Secure
U.S. Federal Chief Information Officer Steven VanRoekel says he likes to make this point in his speeches: "The securest data center is the one that's unplugged from the network, but that's not going to get you the service that you need."
The federal government, like the private sector, is under pressure to adopt new technologies such as mobile and the cloud, but cybersecurity must be in the forefront of thinking, VanRoekel says in an interview with Information Security Media Group [transcript below].
"Just using technology for technology's sake is never a good tactic," he says. "Instead, the job of a CIO, the job of a technologist and leadership inside government, is waking up every day and making a decision about risk based on a spectrum."
VanRoekel says the government is getting smarter about defining that spectrum and deciding where it can go and not go based on the type of information it's protecting, adding that security must be coupled with wise spending and meeting citizens' expectations.
"We've got to be ever vigilant about protecting taxpayer dollars and making sure that we're great stewards of that," he says. "Citizens are expecting more and more of their government every single day and the capabilities and technologies we bring to bear have a great impact on that. We want to think about how we are providing the best experience for citizens with their tax dollars paid."
In the interview, VanRoekel also discusses:
- Implementation of secure cloud computing services, including the government's FedRAMP initiative to vet cloud vendors [see Feds Explain How FedRAMP Will Work];
- Adoption of the federal mobile strategy;
- The responsibility of departmental and agency IT and IT security leaders to make smart spending decisions in the face of massive, across-the-board budget cuts that Congress has yet to rescind.
VanRoekel's statutory title is administrator for e-government and information technology in the White House Office of Management and Budget. President Obama, in naming VanRoekel's predecessor Vivek Kundra to the post, gave the position the additional title of federal CIO.
Before being tapped as federal CIO, VanRoekel served as executive director of Citizen and Organizational Engagement at the United States Agency for International Development. Earlier, as managing director at the Federal Communications Commission, VanRoekel oversaw operational, technical, financial and human resources and helped lead the introduction of the use of social media at the FCC.
Beginning in 1994 and until he left for government service in 2009, VanRoekel held a variety of midlevel executive and staff jobs at Microsoft, the most recent as senior director for the Windows Server and Tool Division, a post he held for five years. Other Microsoft jobs he held included director of web services and premier support and presales technical adviser. He served as Microsoft founder Bill Gates' speech writer and strategy assistant from 1999 to 2002.
ERIC CHABROW: It's been nearly three years since your predecessor, Vivek Kundra, announced the creation of FedRAMP, the Federal Risk and Authorization Management Program, an initiative aimed at vetting the security standards of cloud providers federal agencies can retain. The government in the past couple of weeks has just certified its first provider. It's a complex process. What does this say about the challenge government agencies face in adopting secure cloud computing?
STEVEN VANROEKEL: I think it says that not only the cloud computing marketplace is ever evolving, the security posture is ever evolving. It's one of both the challenges and opportunities we have in this space. FedRAMP is a great process. We've been very heads-down on getting it launched. It's really to start to shape a common understanding and a common platform for secure cloud computing. It starts to introduce concepts like continuous monitoring and other baseline controls that are essential, we feel, to the secure adoption of cloud, and it's a way that I think is going to really catalyze a new phenomenon around computing in the federal government.
Cloud Security Challenges
CHABROW: In rolling this out, were there certain kinds of security challenges that came up that were unexpected?
VANROEKEL: I wouldn't say unexpected. I think the marketplace was still in the midst and is still in the midst of evolving in the concept of cloud computing. The notion of cloud computing is still a very loose one across many spaces and we're landing on definitions. The challenges we faced were really getting out and educating people that federal government requirements are both unique and I think special in the way we approach security and cloud computing. Getting the marketplace to, one, understand that and, two, work with us on getting their capabilities up-to-speed was part of the work we had to do. I'm encouraged by not only the first entrance into the FedRAMP family but I think there are many more coming behind.
Measuring FedRAMP's Success
CHABROW: How will we know that FedRAMP works?
VANROEKEL: I think you'll know that FedRAMP works once we start seeing federal agencies acquiring cloud computing resources through the FedRAMP vehicle and we start to see products and services start to come online in the next few years that utilize some of the continuous monitoring technology and some of the other security technology. We're going to sort of create a marketplace phenomenon for innovation in the space.
The other thing we're watching closely is the dual asset here of not only consistency in the ability to utilize cloud computing, but also the cost savings associated with it. Spending at the federal agencies should be much more manageable in the cloud space, and we'll start to really utilize the advantages here. Part of the challenge you always have is the promise of cloud computing, especially through the private sector, is one where you get these massive economies of scale. If you overlay that with varying security requirements and different security requirements from different agencies, that starts to break down and what FedRAMP does is it brings more consistency and brings predictability to the marketplace on what security can be delivered, and by such the private sector providers that are building these cloud solutions can build these capabilities at scale and we can start to see the cost benefits to go right along with the security benefits.
CHABROW: If we talk about this a year from now, will we see a lot of movement toward the cloud?
VANROEKEL: We're seeing a lot of movement toward the cloud now, and we're going to continue to do this FedRAMP, and the capabilities we're building there are going to have a catalyzing effect on adoption of cloud computing. We needed that market predictability and consistency.
Federal Mobile Strategy
CHABROW: A year ago, you outlined an initiative known as the federal mobile strategy. You said the government should seize the mobile revolution. Among the goals of the strategy outlined in the presidential executive order was ensuring the safe and secure delivery and use of digital services for tech information and privacy. Some agencies, in developing their policies, find it difficult to integrate mobility into their IT systems because of security concerns, especially with BYOD, bring-your-own-device. What's your assessment of the mobile strategy, the security challenges it presents and how the government can overcome those security concerns to maximize adoption of mobile technologies?
VANROEKEL: The mobile strategy was actually part of a broader strategy that focused on information generally and machine readability of information, and other things where we're taking a very hard look at security and privacy as it relates to opening up data generically in government and looking at adoption of mobile technologies both for delivery of services to citizens and for use inside the walls of government for employee productivity. We're actively in the middle of delivering these milestones against this.
What I'm most encouraged by is the enthusiasm we have inside government to collaborate on this front. I think everyone knows that even five years ago, when you were sitting around a table in government, there weren't the number of smartphones and other things that people were using in their home life that are now coming into the workplace. That inflection point we found ourselves in is really driving a level of engagement inside the federal space to get people really thinking about, "How do we really craft BYOD that can keep pace with technology? How do we think about security in a world of multi-device-type scenarios that agencies that are going to get us best cost and highest capabilities?" I think we'll get there. I think we're very much taking an approach that we're going to learn and move forward as we learn more and think through this stuff. The private sector is also struggling with this. If you look at private-sector companies, they're thinking about bring-your-own-device and how does that factor with their security guidelines as well. We could really come together as both an industry and a government to think about the future here.
Navigating New Technologies
CHABROW: As you look at new technologies or relatively new technologies, such as the cloud, mobile and other things that come along, is it just a matter of when we'll figure out how to securely use them?
VANROEKEL: Security has to be at the forefront of thinking around these technologies. Just using technology for technology's sake is never a good tactic. Instead, the job of a CIO, the job of a technologist and leadership inside government, is waking up every day and making a decision about risk based on a spectrum. I love to use the anecdote in speeches where I talk about the securest data center is the one that's unplugged from the network, but that's not going to get you the service that you need. So, you have to decide, where is good? Where is good enough? What's too far and where do I decide on that spectrum of risk where I actually deploy the technology, where do I use things?
Us getting smarter about defining that spectrum and then deciding where we can go and not go based on the type of information we're protecting, the type of scenarios that may be involved, has to be decided across this. Then, couple that with the other two forces kind of acting in this space. One is the fiscal pressure that we've got to be ever vigilant about protecting taxpayer dollars and making sure that we're great stewards of that, as well as citizen expectations. Citizens are expecting more and more of their government every single day and the capabilities and technologies we bring to bear have a great impact on that. We want to think about how we are providing the best experience for citizens with their tax dollars paid.
CHABROW: Congress is set to address sequestration, $1.2 trillion in across-the-board budget cuts. How can the administration assure that steps are being taken to provide sufficient funds or provide adequate cybersecurity for the government?
VANROEKEL: Like the risk-based decision I just mentioned, sequestration is very similar. We're encouraging CIOs and leadership inside agencies to really look across the spectrum of their spend and understand, "How am I meeting the mission of my agency or my department, and what impact would a budget cut or an across-the-board cut have on that?" Take a look at where I end up on that spectrum. When you make that mission decision, regardless of what happens inside Congress, we should do this diligence every single day.
Now that being said, cybersecurity is a top priority and I think when people are making the stack rank of the priorities to meet the mission at the agency in the most safe, secure and protecting-citizen-privacy way, they will make the right tradeoffs to ensure that's happening and things are going in line. Technology is an interesting one in that, in many cases, technology is in almost everything we do in government, and so you can't just take it as one category and say, "I'm going to cut back on that."
In the same way, cybersecurity is in everything we do in government, so we can't just say, "Oh, we're just going to cut back on our capabilities around cyber." We have to think about what programs actually may get cut back and then what's the impact on any stance we may have in the realm of cybersecurity.
CHABROW: So not necessarily throw money at it, but to spend money more smartly?
VANROEKEL: That's right.