Archive for August, 2015

Why cybersecurity requires hardware, software and meatware to work together

August 25, 2015

Unless you are inherently fearful, danger tends to live in the realm of abstraction until something bad happens in reality. Recently a couple we know insisted my wife and I go out and try tandem bicycling with them. My wife regularly goes for 60-, 70-, 80-, even 100-mile rides on her own bike. I’m more of an occasional rider, but I’ve owned and ridden multi-geared bikes of one sort or another since about 1970.

The $10,000 bike this couple let us borrow didn’t feel right to either one of us. Custom-made, titanium beauty that it was, it felt hard to tame, even when I tried it myself in a parking lot. Uneasily, we climbed on and plunged out onto Rock Creek Parkway in Montgomery County — a narrow road with plenty of car traffic. I wasn’t comfortable with the shifters. The thing felt wobbly and too tall. We didn’t make it a half mile before crashing, one of us landing on either side of this elongated contraption. Cars stopped, people jumped out to help. Other bikes stopped to see if we were alive. The biggest cost was pride. But my left hand still hurts nearly a month later, as does my wife’s tailbone. And the episode set us back $310 for a new shifter.

Lessons learned: Practice where there’s no traffic and you can weave a lot. Learn to use foreign shifters beforehand. Get your road legs on a cheap, low-slung bike (you can buy a whole new tandem bike for $310). Don’t ignore your misgivings.

If we were a government agency, I’d say we didn’t do a good risk assessment, and we didn’t integrate our software with the hardware very well. We had what could have been a doomsday scenario, literally.

Until now, it seems as if federal cybersecurity has been operating on a wing and a prayer, too. The OPM data breach shattered whatever complacency anyone might have had. As it recedes into the past, the 30-day cyber sprint has left a lasting legacy. Not simply that federal systems are more thoroughly protected than they were. They may well be, but success in cybersecurity is ephemeral. Like a sand castle, you can never stop shoring it up. In one sense, every month should be a 30-day sprint.

And not simply that the sprint got everyone to realize at once how basic cybersecurity is to everything else the government has to do. And how poor the government is at it. That also may have happened.

Read this summary of the Office of Management and Budget’s after-action report from the sprint. Not the one for public consumption, but the internal one, which Federal News Radio’s Jason Miller got to see. It showed:

  • Some 75 open vulnerabilities identified, two-thirds of them festering for more than 30 days. Only 60 percent of them patched, and new ones keep popping up. At least agencies know to look for them now.
  • Old software running past the end of vendor support, meaning it no longer receives patches.
  • The weakness of two-factor authentication in the face of super-realistic phishing e-mails.
  • Privileged access rights to networks given out willy-nilly.

I think the most important effect of the near-doomsday breach and subsequent sprint was driving home the need for an architectural approach to cybersecurity, taking it down to the storage hardware level. Here’s one example. The White House called this week for ideas pursuant to its Precision Medicine Initiative. The idea is to eventually gather health information on millions of people so it can be mined for trends leading to more personalized medical treatments than people have now. Among the areas for which it seeks suggestions: “Technology to support the storage and analysis of large amounts of data, with strong security safeguards.” Cybersecurity is embedded throughout the call for comments. That’s a good sign.

Industry is starting to offer new approaches. The other week I was talking to people from Seagate, a disk drive and storage subsystem OEM. It’s part of a coalition of network equipment and software companies that contribute to what they call a Multi-Level Security (MLS) Ecosystem. In the federal market, Lockheed Martin and ViON offer it as a secure storage and file system for high-performance simulation and modeling applications that fuse together large, disparate data sets.

As Seagate Federal’s Henry Newman explains, the company built a set of services on top of SELinux to accommodate functions such as network communications, database access and data sharing across parallel file systems. So, for example, a large video surveillance archive could be engineered so that access to individual files is restricted to particular individuals based on their authorizations. Personally identifiable information, compliance information or intellectual property within a system can be made subject to access controls and auditing, while limiting the need for expensive hardware redundancy.
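To make the “restricted to particular individuals based on their authorizations” idea concrete, here is an added example (not Seagate’s code and not SELinux itself) that models the core rule SELinux’s MLS policy enforces: a label is a sensitivity level plus a set of categories, and a subject may read an object only if the subject’s clearance dominates the object’s classification. The label syntax (`s2:c0.c3,c7`), the surveillance-file names, the subjects and the audit trail are all constructed for illustration; the write rule is the classic Bell-LaPadula *-property, which is a simplification of SELinux’s configurable MLS constraints and of its low-high label ranges.

```python
"""Multilevel-security (MLS) label dominance, modelled on SELinux MLS labels.

Added example for illustration; not code from Seagate or the SELinux project.
Label strings use SELinux syntax: 's<level>[:c<n>[,c<m>|.c<k>]...]'.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Label:
    sensitivity: int
    categories: FrozenSet[int] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Bell-LaPadula dominance: level is >= AND categories are a superset."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


_LABEL_RE = re.compile(r"s(\d+)(?::(.+))?")
_CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")


def parse_label(text: str) -> Label:
    """Parse 's1:c0.c3,c7' -> Label(1, {0,1,2,3,7}). 'c0.c3' is a range, ',' a list."""
    m = _LABEL_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"bad MLS label: {text!r}")
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            r = _CAT_RE.fullmatch(part)
            if not r:
                raise ValueError(f"bad category spec {part!r} in {text!r}")
            lo, hi = int(r.group(1)), int(r.group(2) or r.group(1))
            if hi < lo:
                raise ValueError(f"inverted category range {part!r}")
            cats.update(range(lo, hi + 1))
    return Label(int(m.group(1)), frozenset(cats))


# Audit trail of every decision: (subject, operation, object, allowed).
# A real deployment would ship these to a SIEM; here it is an in-memory list.
AUDIT: List[Tuple[str, str, str, bool]] = []


def check_access(subject: str, clearance: Label,
                 obj: str, classification: Label, op: str) -> bool:
    """'read': no read up (clearance must dominate the file's label).
    'write': no write down (file's label must dominate the clearance)."""
    if op == "read":
        allowed = clearance.dominates(classification)
    elif op == "write":
        allowed = classification.dominates(clearance)
    else:
        raise ValueError(f"unknown operation {op!r}")
    AUDIT.append((subject, op, obj, allowed))
    return allowed


# Constructed sample data: two analysts and three surveillance clips.
CLEARANCES = {
    "analyst_a": parse_label("s1:c1"),        # site category c1 only
    "analyst_b": parse_label("s2:c0.c3"),     # higher level, sites c0-c3
}
FILES = {
    "lobby_cam_0800.mp4":   parse_label("s1:c1"),
    "vault_cam_0800.mp4":   parse_label("s2:c1"),
    "garage_cam_0800.mp4":  parse_label("s1:c1,c2"),  # needs two categories
}


def run_demo() -> dict:
    """Run every (subject, file) read check and return {(subject, file): allowed}."""
    return {(s, f): check_access(s, CLEARANCES[s], f, FILES[f], "read")
            for s in CLEARANCES for f in FILES}


if __name__ == "__main__":
    for (subj, fname), ok in run_demo().items():
        print(f"{subj:10} read {fname:22} -> {'ALLOW' if ok else 'DENY'}")
```

The garage clip is the instructive case: analyst_a is at the right sensitivity level but holds only category c1, so the missing c2 denies the read. That category dimension is what lets one file system hold many compartments without physically separate hardware for each.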

Other contributors to the MLS ecosystem include supercomputer makers Cray and SGI, log analytics vendor Splunk, and Altair, a maker of job scheduling and management software.

Government practitioners like to say security should be built in, not bolted on. But they usually bolt it on. The multilevel security group is just one example, but it shows where systems deployment is heading: toward security that is baked in from the storage layer up.

Want fries with that treatment, soldier?

August 14, 2015

Customer service is all the rage in the federal government.

Again.

A series of lapses that includes the healthcare.gov rollout and the well-documented problems with service provided by the Veterans Affairs Department has alerted the administration to the need for better customer experiences, whether in person, on the phone or online. The digital strategy is supposed to take care of improving the online part. It is one in a series of initiatives dating back to the Clinton administration’s E-gov project. That in turn had an antecedent in the “Service to the Citizen” movement of the George H.W. Bush administration in the pre-Web days. E-gov’s offspring was the Quicksilver series of projects of the George W. Bush administration.

It’s good that these efforts are revisited periodically. Technology and expectations change. Too bad the government has to lurch from crisis to crisis to get with it, though.

I had to chuckle when discovering that VA Secretary Bob McDonald brought in Tom Allin, a former executive of McDonald’s, the fast food chain, as the chief veterans experience manager. As a habitué of McDonald’s for its coffee and occasional Egg McMuffin, I’ve seen customer service there up close. Don’t tell me you don’t go to McDonald’s. Nobody goes to McDonald’s like nobody watches television or listens to the radio unless it’s NPR. Yeah, sure.

At McDonald’s, I noticed the other day that counter employees work in an incessant cacophony of beeping food preparation apparatus, back-shop employees shouting at one another, and piped-in Muzak. They have to scurry to and fro for all of the detritus — bags, napkins, cups, ketchups, and the food itself — that make up an order. Something’s always broken, like the receipt printer, the credit card reader, the machine that squirts out “ice cream,” … something. When the young lady finally collected herself and met my eyes, I couldn’t help but ask, “Are you still taking orders?” To myself, I thought, if this is fast food, what the heck is slow food? As one of only two people in line I wondered, how do they cope when it’s crowded?

I’d walked over from my car dealer, where I’d left my car for an oil change. It was quieter there, but the customer service representatives had all of this elaborate paperwork, had to dart back to a bank of printers, and out of their booths to the rear. It felt like it took as long to check in a car for an oil change as to actually change the oil.

These service employees face the same bureaucratically induced barrier of process complexity and unreliable systems as their counterparts in the government. It’s a fine step for VA to have metrics for appointment wait times, or the IRS for phone answering times. But unless the systems are geared to enable people to reach these goals, they won’t happen. Insufficient staff, crappy software, an overly complex process — these can all get in the way of even the most dedicated humans who are trying to do a good job.

I spoke about customer service the other day with Deloitte principal Greg Pellegrino, who headed up a survey on the state of customer service in the federal government. The survey’s basic finding, to not put maple syrup on a pickle, is the government thinks it gives better service than the public thinks it does.

Pellegrino points out three data points. One, the latest American Customer Satisfaction Index shows federal service getting worse, at the bottom of the heap. Two, Gallup polls show a slippage in public confidence in the government. Three, the most recent Viewpoint survey of federal employees shows a decline in job satisfaction. The third point is related to the first two, Pellegrino says. Basically, a combination of stingy budgets, lack of focus on customer service and unhappiness on the job have combined to weigh down the experience people have with federal services.

All that plus a mismatch of intent and the technology to carry it out.

A new way to think about this, or perhaps it’s an old way dusted off at a time of great technological change, is outlined in a Harvard Business Review article by Jon Kolko, a vice president of Blackboard. He describes an approach called design-centric thinking. It’s a “set of principles [encompassing] empathy with users, a discipline of prototyping, and a tolerance for failure” all aimed at creating a customer-centric culture. Translation: You combine clear thinking with agile development principles.

Kolko says design-centric thinking applied originally to physical objects. Now organizations are applying it to services. And get this: There’s a great example at the Veterans Affairs Department, of all places. VA’s Center for Innovation used this kind of thinking to envision a “customer journey map to understand veterans’ emotional highs and lows in their interaction with the VA.” A map like that can point the way to better customer service by aligning systems, processes and what the customer wants.

Imagine that.