Panel on Cyber Security
Moderator: Robert Rodriquez, retired secret service agent
Panelists: Richard Russell, Deputy Associate Director of National Intelligence for Enterprise Solutions, Office of the Director of National Intelligence; Lt. General Minihan, USAF, Managing Director Paladin Capital Group; Alan Wade, President, Wade Associates (former CIO of the CIA, 2001-2005)
Robert. Why is it difficult to conduct business with the federal government?
Al. My background was CIA, working with technical programs. I was CIO when I retired. I had gotten involved in adoption of technology by the government, and why the adoption rate became so slow. This was particularly relevant after 9/11 as we saw bad guys do things quickly, and we wondered why we were slow. So I went to work with some smaller companies to see how adoption rate could be faster.
Robert. I run an organization for the intelligence community to look at web and web technologies. We get requirements or needs. They come to us. We discuss it. We research the universe to see if there is a capability that meets the need. We bring it in. Pilot it. The function we perform is taking a look at where we are going. We may not be providing the long-term future. We have intelligence agencies with far more robust staff to look at those things. We help the intelligence community make business decisions.
Alan. If I were to point to one aspect of technology that makes it difficult for the govt to adopt product of small entrepreneurs, it starts with the -ilities. Scalability is one. Government looks at things at scale. Most small entreprenreuers don’t think about this at scale. Reliability is incredibly important. All these questions come out in your first interaction with government officials and if you are not prepared, it will affect your discussions.
Richard. Some businesses have technology we like but they haven’t thought about scalability, they like the product the way it is. Since there are thousands of IT elements within government, so how flexible is your technology? I’ll ask what is the seat cost for this capability and what is the total cost of ownership. When you ask that question, some people don’t have an answer. That stops the proceeding. I have to make businesses decisions on behalf of the taxpayer. Sunsetting old products costs money, so if I replace it with yours, I need to know the training costs, etc. Be prepared for these tough questions–how the product works, security of it, scalability of it, flexibility of it, and what is the real cost vs. the product we are already using. Do homework, be prepared, the meetings will go well.
Robert. What should small business entrepreneurs do to partner with the federal government?
Lt. General Minihan. I’ve used trust, familiarity and leadership, and I’ve signalled that the govt is risk averse. So coming here and getting that understanding is good. The govt is not gadget driven. You have to be able to answer the questions Richard and Alan brought up. The government is more receptive to entrepreneurial solutions than it was 10 years ago. I want to be able to see deployments of your technology, so I can certify that it will meet my needs.
Robert. You mentioned risk-averse and no option for failure. But things are moving so fast. The adversaries move fast. Are we are greater risk if we stay with legacy systems?
Alan. The question is, where in the overall stack is this application? We can move very quickly in some parts of the stack. You should be able to explain your technology in terms of the mission, if you can show how you can move quickly without affecting the entire enterprise. The agencies won’t take risks in the deep dark part of the enterprise where something goes wrong and brings the whole mission/agency down.
Richard. Defense and intelligence created my department, to create an environment where technologies can be deployed and fail without taking out overall capabilities. That is not to say that some of our deployments haven’t become enterprise-wide. But you should be able to say what is the niche that you have, what can you do better than others? You should find a mission partner, build a relationship of trust with them. I just had one case where people came to me and said we need this capability. They said, we’ll give you our money to get this. DOD joined it too. That made it a going proposition. If I have a mission demand, someone wants something piloted and tested, then it makes my job a lot easier with my leadership than if I just surfed the web and found something cool. We have to know what the mission is.
Richard. Presidential directives, 14 bills on the Hill relevant to Cyber; Rand and Heritage focused on Cyber. What areas of Cyber are important today, for the entrepreneurs here?
Lt. General Minihan. You see a maturing process. DOD has been doing this for a long time. We have a Cyber Command at Fort Meade with the NSA. Many issues are kind of settled. You have the DAI, DHS, teh whole piece, that’s looking at how … You’ve got Melissa Hathaway. Piece that hasn’t come to fore yet, is the leadership piece out of the White House. Then you’ll see the priorities set. As soon as there is sharing, the focus will shift back to the private sector. If you are an investor, you should make your way horizontally across the government to the private sector, to see how you can make use of the dual use opportunity. Assurance. Authentication. Response–diagnostic (real time) not forensic (after the fact.)
Richard. My person view is, if you want to see the govt do something badly, get them to do it really fast. So much of our economic power rests squarely on Cyber Security. We can be attacked with horrendous effects. But if you want to see an attack of biblical proportions, look to cyber security. Over the past years we’ve seen how banks, govt agencies, can be shut down, because the only way to protect themselves is to shut down. If suddenly, all the banking institutions on planet earth had to stop doing business, what effect would that have on us? If you couldn’t go to Walmart, or get gas. That’s why the federal government needs to be involved in cyber security. We need to be able to depend on everything to work. How many of you have checked to see if anyone from a foreign company has tapped into your intellectual property and copied it? That’s another aspect of cyber security–competitive espionage.
The question is, what is the holistic view for the future? How will public private partnerships work in this regard?
Robert said something about China and $50 billion per year in industrial espionage.
Al. In some ways, this isn’t a technology issue, it’s about how humans interact. The reason this is so huge, is that technology gives us so many advantages, that we want it and we want more. Every new system gives you some frustration, but we still want more at a human level. The White House reports correctly focus on the human dimension of this. We start with how humans understand how interactions happen, what policies there are. We need better tools for understanding what is going on right now, in the networks. The effect of changes in the network. We need tool for this. We need ways to measure security. We don’t have fundamental concepts on how to measure security. I think we are at the very beginning of this. This is not a mature market. it’s a rich area, from policy to implementation.
Robert. How would you compare the need for tools from 2001 to now? And where you would look for them?
Al. As the pace of innovation continues, more and more the govt will have to interact with people who understand commercial technologies. To pick up from General Minihan’s remarks, the speed with which decisions have to be made. We don’t need retrospective audits. We need to know about right now–if there are bad things going on.
Robert. How difficult is it to manage something you don’t own?
Lt. General Minihan. I like the notion, that it’s not the governments’ to manage. But that means you have to wake up and ask yourself what you must do to protect the security of your product or service. If you enter it like this, the cyber domain is something we can dominate for decades to come, as weaponry was in the 20th century. The strategic coin of the future is the intellectual property you have developed–not the industrial base, which we did a good job protecting before.
Audience question about different threats we are facing, we hear that China is our biggest trading partner but also our biggest cyber threat. What tools do we have to deal with them?
Al. I wouldn’t get too hung up on where the threat comes from. If there is something bad happening, as an enterprise manager you don’t care if its self-inflicted or externally. You just want to get systems back up. We don’t have to think about all these tools as a response to an external threat. Many of the tools will protect the enterprise from self-inflicted wounds. There is a close alignment between best practices in this area and how well run enterprises are.
Audience question about the horses already being outside the barn.
Lt. General Minihan. I would rephrase the question. There is a vulnerability to IP right now. All of us are exposed to this right now. It’s limited partially by the inability of most adversaries to process all the information they can get. So I don’t think it’s near too late to act strategically against the lower half of the iceburg that I talked about. But we need to shift our conversations. We need to share the responsibility–the public/private partnership has to work.
Audience member referred to Minihan’s comments about more private access to security risks.
Minihan. The government is not asleep at the wheel. There are some things you don’t have to share publicly. But there are many things that could be shared, in my view, that would share the responsibility for solving the security problem. Until we release enough of this classified information to get people saying, oh, now we understand why you are emphasizing this.
Audience member asked about open letter to Pres Obama that applauded innovation strategy, called for more spending on cyber initiative, it was signed by 12 CEOs of major IT companies.
Robert. Govt conducted 2/3rd of R&D in 1960, now they don’t. Our major corporations spend more on marketing. H1B issues–some of the top entrepreneurs and innovators are leaving the country. The liquidity in our markets is weak–almost frozen. 9.6 years to get to return, it used to be 4.6. IPO market is down substantially. M&A is up, but people get fired after acquisitions. Most job growth is after IPOs.
Al. I think govt is on the same side here. NSF is calling this national cyber leap year — leap ahead with technologies. Sponsoring academic research, create communities of interest. Government is beginning to move forward on R&D side.
Minihan. How I reacted to that letter: I would be asking where are the dollars for shared opportunities for private/public. I thought it was a reasonable way to suggest that the White House should be thinking beyond the federal side of cyber security. They don’t know and own the systems. I thought it was a decent shot at that. The signatories were a normal cast of characters.
Robert. How would you rank the opportunities in cyber security on a 1-10 scale.
Richard. I’m least qualified to talk about this. Because of the emphasis of the government there is a substantial opportunity here. I would ask, what is the quantum leap relative to cyber security that you can offer? The only way you can stay ahead of the enemy is with substantial leaps. Mike McConnell said there has never been a system created that cannot be hacked. So if the other guys can watch what systems we are creating, we have to make a quantum leap ahead.
Alan. You can align defensive strategies with best practices.
Minihan. It’s unprecedented, fully funded, and will not be finished in your lifetime.
Robert. I view this as a great opportunity for innovators and entrepreneurs. We are looking for disruptive technologies.