Kevin Tierney 0:06
Hello, and welcome back to the Government Technology Insider Podcast. I’m your host Kevin Tierney and today we are concluding our conversation with Dan Carroll, Field CTO for Dell Technologies Federal. For those just tuning in, Dan has joined me to discuss what a digital first government looks like, and the role that data management plays in enabling it. In our previous conversation, we touched on the many ways tech can enable a better system for federal agencies. I highly recommend listening to parts one and two of our conversation if you haven’t already. But today, Dan and I are looking at the role that data management specifically plays in data security. It is no surprise that there have been many changing and evolving threats facing government IT, but what can agencies do to prepare for these attacks? So Dan, it’s obvious that data management has become the backbone of a proper federal IT strategy as we embrace this digital first government, as we’ve been discussing. How can federal agencies keep pace with the ever evolving cyber threats, you know, that are out there as we navigate this relatively new data management territory?
Dan Carroll 1:08
So here is the challenge and what is interesting as it relates to the cyber threats and where we’re going. The President released the executive order last year on national security and protecting infrastructure. And one of the key terms that came up within that order was zero trust. What is always fun when you’ve worked in IT for any amount of time is it’s, it’s like fashion, old is new again, right? So the ideas of distributed networking, and cloud and edge, all that stuff. They borrow similar frameworks and concepts from the mainframe days of the old government systems that used to work in the 80s, and even late 70s. So zero trust, the idea that you need to worry about insider threats and implement stronger principles to limit, you know, lateral movement within a network. This is not new thinking. It’s the challenge that IT systems or IT practices and the tools to support them maybe didn’t exist earlier. So we need to do a better job of basically revisiting these principles around zero trust that have been around since the late 90s, and evaluate what we’re doing today to more strongly implement them. So that’s one key element is basically going back and not starting over. And whenever I talk to anybody within the federal agencies, and they’re asking us about zero trust, what I stressed with them is don’t go into a panic, throw out what you’re doing, you have put a lot of planning in what you’re doing and your roadmaps around cybersecurity frameworks, what you want to do is look at it with a critical eye, and see if you’re doing everything you can be to support your zero trust principles. That’s one key element. So assess what you’re doing. And then assess what tools you have in the toolbox.
So we mentioned a little while ago, that you probably as an organization have a large amount of assets that you are using, assess and make sure you’re using those effectively, look at the other assets and see if there are tools within them that you’re not using, right, use what you bought, right, and talk to your integrators, OEM vendors and have them go into more detail about the full capabilities of things you already own. Then assess where your gaps are, right, what you want to do from a policy perspective as it relates to improving your zero trust and cybersecurity profile, and what you need to support those policies and practices, then go forth and, you know, work on procurement and other things to fill the gaps. Right. And the second thing is partnership. For a long time, every, you know, commercial organizations and agencies and companies would keep their secrets very tight on how they do development and how they make IP and the government was the same way. And we’ve all realized that that really doesn’t help us protect ourselves. What it does is it creates little islands for the bad people to try to get to you. So when we band together, and we start sharing things through open architectures, and open programming models and things like that, where we can look at it and provide more scrutiny to each other and evaluation to each other, and how we’re doing business and development and use a common approach, it makes it easier for us to build stronger protections and stronger, you know, quote, walls against threats both internally and externally. Because the fact of the matter is, if you take all of the IT personnel and services within the federal government and within commercial organizations and within the United States and stack that up against all the people that are working against us, we are very small. We are an undersized army because there are more bad people than good people, unfortunately.
So the only way for us to win is for us to come together, win together. And again, I’ll tap on organization like NIST Cybersecurity Center of Excellence, and other similar organizations like MITRE, who helped define and push for this kind of collaboration between federal government and private industry as it comes to how we can work together to help improve cybersecurity models.
Kevin Tierney 5:25
So in this collaborative environment, you know, obviously setting priorities, making sure everyone’s working towards similar goals is really important. So if you had to rank them, what are the top vulnerabilities in the current cybersecurity posture that may keep federal IT decision makers up at night?
Dan Carroll 5:42
Probably the ones that are keeping the federal IT decision makers up at night, as it relates to, you know, what are the biggest threats that they have to face? It’s not really changed that much, is the insider threats, right, which is why this approach to zero trust is so critical. I’ll give you a perfect example of that. The Edward Snowden situation, so setting politics aside whether you think he’s a good guy or a bad guy, let’s just look at this from a cyber approach in and of itself. You had a person who, did they do the appropriate background checks to validate, you know, that he was a good person, you know, that’s up for the NSA to decide. But then you take a step after that, we know that he did walk into a facility. He didn’t do any fancy hacking, it wasn’t like you see in TV, where he was sitting down at six keyboards and smashing on them to try to break through firewalls. He walked up to a system, he plugged in a USB drive, and he downloaded massive amounts of data. So from a cyber perspective, the challenge here was that he had way too much access. And then when he started accessing massive amounts of data, there wasn’t the systems in place to notice that the person yesterday who was accessing a couple of hundred files, was now accessing possibly a couple of thousand or million, and that didn’t set off any alerts or let anybody know and put anything in action to stop them. And then he walked out with that data. That is the reality of what I think keeps a lot of federal IT people up at night is how do you protect against those insider threats, because those are the ones that are really going to give you the most problem. The second is a massive amount of systems that exist within the federal IT agencies and getting your hands around it to make sure you’re doing everything you can to keep them up to date and secure.
When you look at all of these different malware for ransom scenarios where data gets taken for ransom and encrypted, 99% of those scenarios, there was a system that was unpatched, right, a known vulnerability was exposed. And somebody took advantage of that to get into the system and do something that you didn’t want them to do. That wasn’t some new, crazy, you know, exploit that was taken advantage of, it was an exploit usually that was anywhere from six months to several years old that hadn’t been resolved. So how to get your hands around the massive IT infrastructure that is the federal government and make sure you’re doing everything you can to secure what you have in place is, I think, one of the bigger challenges they’re facing, and that keeps them up at night.
Kevin Tierney 8:30
So I guess my final question is, then, what approaches, what methods could and should be utilized to mitigate the threats we’ve discussed in a digital first government?
Dan Carroll 8:41
In a digital first government, there’s two things. So the President’s push for a zero trust and implementing those principles is key. Because if you do those kinds of practices, that starts to decrease your exposure. The second is the continued adoption of AI and machine learning. We will never have enough human resources to go and look at everything that’s out there, within the federal government IT infrastructure and be able to update it and make sure that it is where it’s supposed to be and do patching and all that stuff. So we have to count on the machines to help us. So that means building stronger AI/ML capabilities and how you monitor, explore, account for and remediate everything on your network. Those two things tied together are the key components moving forward to making a stronger, more resilient cybersecurity approach for the federal government.
Kevin Tierney 9:38
Well, Dan, before we wrap up here, do you have any final thoughts or last comments to share with our listeners?
Dan Carroll 9:43
My last comment is always my first comment with any of these conversations. It sounds repetitive because I said it several times throughout the interview, but data governance is the key. If you don’t understand what you’re trying to protect and the sensitivity and classification and who should have access to it, you’re already in a losing scenario, you don’t know how big, how big to spread your arms if you don’t know what’s behind you. So really getting your arms around your data governance model is key.
Kevin Tierney 10:11
Well, that’s gonna do it for us here today. Dan, thank you again for joining us and for sharing your insights on the role of data management in the digital first government. I think I can speak for everyone listening when I say it’s great to get your insights and we hope to hear from you again.
Dan Carroll 10:24
I look forward to it and this was a wonderful experience.
Kevin Tierney 10:29
To learn more about the best practices, lessons learned and proven strategies for using innovative technologies to address the challenges faced by federal, state and local governments, please visit governmenttechnologyinsider.com. I’m Kevin Tierney, and until we meet again, so long.