I can’t take credit for any of these principles.  I really just wrote them down.  Many are things I observed or heard from others in the JTF at that time, like Marc Sachs, John Owens, Jay Healey and Michele Iverson.  There are also many common themes I learned from Rick Forno, Dan Kuehl and Matt Devost and others.

Now about a decade after I started briefing these principles I just reviewed them and think they still meet key requirements you would expect true principles to hold.  They still ring true and they still have insights relevant to operational decision-making, and, although they are definitely general in nature, I believe they still have a role in helping orient people to the missions of computer network defense (CND), computer network exploitation (CNE) and computer network attack (CNA).

Please give these a glance, and if you know a cyber warrior somewhere who you think would appreciate them please route them on.

One of these days I’ll re-write this to update the acronyms and get rid of the reference to the ancient US Space Command. So please let me know if you think I’ve missed something that should be captured as a principle, or if you think I have put any of these in the wrong context.

Twelve Principles of Computer Network Operations
June 2002
Bob Gourley

A growing number of uniformed military and government civilians practice the new military discipline of Computer Network Operations (CNO). CNO in the Department of Defense (DoD) consists of two specific yet complementary mission areas: Computer Network Defense (CND) and Computer Network Attack (CNA).

The CND mission is to protect and defend DoD computer networks, systems and the data that resides in them any unauthorized event whether it be a probe, scan, virus incident, or intrusion.¹ The CNA mission is to coordinate, support and conduct, at the direction of the National Command Authority (NCA), computer network attack operations in support of regional and national objectives. CNA operations are designed to disrupt, deny, degrade or destroy adversary information resident in computers and computer networks.²

Operational lead for the DoD’s CNO efforts is USSPACECOM’s Joint Task Force for Computer Network Operations (JTF-CNO). But increasingly, traditional military forces are being called upon to conduct CNO operations by enhancing the defensive posture of networks under their control, by taking action against attacks, or by participating in attack planning or operations.

In most other warfare areas, Commanders can rely on established military doctrine to guide them in implementing and executing their missions. ³ The CNO mission is new, however, and little formal joint doctrine exists in this mission area.

This article provides firsthand observations on twelve key principles of CNO. I believe these observations can provide other CNO practitioners with a critical foundation required for successful CNO. These principles will also be of use to officers who whish to engage in the ongoing national security and policy discussions concerning CNO. After further examination and feedback from the field and the fleet, we expect them to become cornerstones of a new joint doctrine for CNO. Until then, I offer, Twelve Principles of CNO. They are:

#1 The Chain

#2 The Perimeter

#3 Interconnection

#4 The Laundry

#5 Prior Planning Prevents Poor Performance

#6 Know the Enemy

#7 Experience Counts

#8 Users Need Help

#9 Relativity

#10 One Basket?

#11 Unintended Consequences

#12 The Beauty of Attack

A bit more on all of the above is provided below:

#1 The Principle of the Chain. CNO is a chain; it’s only as strong as the weakest link. Like most of the rest of the principles outlined here, this sounds intuitive. But it is very important to stress this concept in the CNO world. Inattention to detail will ruin your CNO plans, whether for defense or offense. Two short illustrations:

- You fortify and protect an enclave by putting firewalls and IDS’s on gateways and hardening workstation software. But there are so many configuration choices for your IDS and firewall, and so many other settings you must make to ensure your enclave is secure. Did you overlook anything? Are your users trained? Do you have a response policy in place? Are you running the most up to date anti-virus software on your mail server? Should it be on individual workstations? These and many other questions must be considered by security professionals or any one could be the link that breaks the security chain.

- The chain for attack will also have weak links. This is easy for military professionals from any discipline to understand. All combat actions in any warfare area have potential weak links that can frustrate your attack or even lead to exploitation of your own forces. In the CNO realm the weak link may be the ability of an adversary to repair a patch in an application or the ability of an adversary to re-boot a router.

How do you protect against the weakest link? Attention to detail.

#2 The Principle of the Perimeter. Defenders must protect against every vulnerability. Attackers must only find one security flaw. A rough analogy is the requirement to continuously defend an Aircraft Carrier Battle Group in a high threat environment where attacks might come from below the sea or from the air or even from land. This principle calls for constant vigilance along every potential avenue of approach. CNO defenses must be robust and mobile.

#3 The Interconnection Principle. CNO is a multi-faceted discipline that includes military, civil, foreign, domestic, offense, defense, technology and human factor issues. It is an observable fact that we are all interconnected in this business. Decisions made in one area frequently have impacts in the other areas. That makes coordination between stakeholders and leaders in those areas an important goal that will result in better community-wide solutions. However, if taken to the extreme, this coordination can be a recipe for paralysis. Sometimes unilateral decisions must be made.

#4 The Principle of the Laundry. CNO is a continual process (like laundry, something always needs cleaning). Vulnerabilities in old software are discovered daily and new software is continually being produced and integrated into our architectures. All indications are that new software is just as buggy and has just as many vulnerabilities as old software, so we can expect the continued stream of vulnerability announcements to continue. Vulnerabilities that must be cleaned up and repaired as they are discovered. This is a never ending process.

#5 The Principle of Prior Planning. CNO must be pre-planned; you don’t just do it at the last minute and expect it to be done well. Too frequently the developers of systems and networks pay too little attention to security when they design their systems. We have found out the hard way that tacking it on the end just doesn’t work. This adage applies to users as well. If an organization does not think through the policies its users must adhere to, and does not train its users to be secure till it is too late, then the result will be poor security. The same thoughts hold true in the offensive sides to CNO. CNA requires extensive planning and coordination in advance.

#6 Know the Enemy. You must know your enemy better than your enemy knows you. This is easy to say but in practice very hard to accomplish, especially in the interconnected world of the Internet, where adversaries can take steps to hide their identify. But steps can be taken that let you make reasonable assumptions about your adversary before you know exactly who it is. These assumptions, combined with a continual study of threat actors will lead to a better ability to prevent, detect, react and defeat adversary activity.

You can and should also take steps to hide key information from your adversaries. All DoD unclassified networks should be under the umbrella of the NIPRNET, which affords some obscurity and protection from enumeration by an adversary. Enclaves should be configured to deny as much information as possible to potential adversaries. There is no reason why we should make the attacker’s job easier.

#7 The Principle of Professional Experience. Inexperienced CNO professionals are not CNO professionals. It is so easy in this business to find pseudo experts who can give a great brief or can market a CNO concept but have no first hand knowledge of how networks work or how to defend them. How do you tell a pseudo expert from a real expert? Be skeptical of anyone in this field till they have proven themselves to you. Ask for credentials, certifications, degrees or what their on the job experience is. Don’t be afraid to quiz them. No matter how polished they look, you want experience in this business.

- An important corollary for Commanders is that like in every other warfighting area, your people are paramount. Commanders must take responsibility to ensure that their CNO operators are trained and ready for the tasks that will face them.

#8 The Principle of User Faith. Users have no good way of comparing the security or vulnerability of systems. How can an individual user really tell that a system is secure? Is PKI secure? Is DMS secure? Who and what should a user trust? The current answer in DoD is that users must trust the systems managers in their organization, and those leaders must in turn trust accrediting authorities and program managers. We hope the corollary to this adage becomes “Trust, but verify.”

#9 The Principle of CNO Relativity. CNO is relative; no system will ever be 100% secure. This truism was realized long ago by the greats of the information security business, and has been witnessed again and again in DoD’s efforts.

- This truism is especially important in DoD, where we face some very sophisticated adversaries. Since no system can ever be 100% secure, if you want to be 100% certain that your information is protected, do not store it in any computer system anywhere. Of course this is unrealistic. But the point is that owners of information should weigh the risks vs. rewards of storing information in a computer system, and should take appropriate steps to protect computers and networks storing sensitive information.

#10 The Principle of the Single Basket. Never rely on technology (or anything else) as your only line of defense. This principle should seem intuitive to any operational military professional. No defender in combat would try to mount a defense with only one type of weapon, tool or technique. This is just as important in the CNO world, where true hackers will never give up, and where more sophisticated adversaries will try attacking through paths we may not have even considered yet.

#11 The Principle of Unintended Consequences. This applies to all aspects of the art of CNO, both offense and defense. Keep in mind that no matter how much you think these things through, there will age some risks of unintended consequences.

#12 The Principle of the Beauty of Attack. Sometimes you must take the fight to the enemy. To the military this frequently means the ability to use force on a battlefield to compel an enemy to do our will. But this principle is meant to bring to mind far more than that. In some cases, the US Government will have an ability to carry the fight to an adversary by attacking their computers. Individuals and individual units cannot do this, of course. This is a response reserved for decision-makers at the highest levels of government. But there are means for individuals and individual units to take action against attackers. Action can be taken by collecting detailed logs of the attacks and contacting law enforcement officials at the earliest possible moment.

The principles presented here are meant to explain the workings of a well-functioning computer network operations effort. They will be of use to any military professional struggling with the best ways to implement successful CNO in their organizations.

Are there other principles of CNO? Almost certainly. The disciplines of Computer Network Defense and Computer Network Attack are still new ones, and as they spread throughout the combat forces of DoD more principles, best practices and even doctrine will arise to help guide us as we prepare for combat. Consider the list above a start. It contains basic generalizations that I hold as true, that I propose to you as a starting point as you reason through your role in this mission.

Related posts:

1. The Future of Cyber Security and Cyber Conflict
2. Melissa Hathaway Op-Ed on Cyber Security
3. New Command to Focus on Cybersecurity for DoD and IC

This is a very good presentation of policy worth a complete read by all, but I looked through it for statements indicating what we technologists should focus on.  I tried to find the phrases indicating what the Secretary was saying the US should or will do, since that should drive many other government actions and should help technologists think through what we may be asked to do/support.

Key points of this speech include:

• “We stand for a single internet where all of humanity has equal access to knowledge and ideas.”
• “We believe it’s critical that its users are assured certain basic freedoms. Freedom of expression is first among them. This freedom is no longer defined solely by whether citizens can go into the town square and criticize their government without fear of retribution. Blogs, emails, social networks, and text messages have opened up new forums for exchanging ideas, and created new targets for censorship. “
• “We do not tolerate those who incite others to violence.”
• “Those who use the internet to recruit terrorists or distribute stolen intellectual property cannot divorce their online actions from their real world identities.”
• “These challenges must not become an excuse for governments to systematically violate the rights and privacy of those who use the internet for peaceful political purposes.”
• “We must work to advance the freedom of worship online just as we do in other areas of life.”
• “States, terrorists, and those who would act as their proxies must know that the United States will protect our networks. “
• “Countries or individuals that engage in cyber attacks should face consequences and international condemnation.”
• “The freedom to connect – the idea that governments should not prevent people from connecting to the internet, to websites, or to each other. “

My first general thought upon reviewing those compelling actions is- “I’m on board!” It is good getting policy guidance from the Secretary of State on this.  It is fine, of course, for academics and citizens to scrutinize those and offer opinions and thoughts and argue.  That is just the nature of democracy.  But we lack so much official vision in the cyber domain I’m going to default towards following the leader here, at least for now.  My hope is we can all pull behind the Secretary of State and others and execute on these goals (but hey give me time and I may decide to mount some arguments for change… just for now I think it is best to salute and follow).

My second general thought is that the Internet was not designed to be a platform to enable any of those actions.  Oh boy, that is going to make it tough.  And since there is huge lock-in on the current standards and design we are not going to be able to simply build a new Internet with new design criteria and then switch everyone to that.  Nope, we are going to have to find ways to change the fabric of the current Internet to make it possible to achieve these objectives.

Some other non-technical thoughts I think relevant to follow-on work:

• Meeting these goals will require connection to “all of humanity.”  That piece is more achievable than it may sound.  There are already 4B cell phones active in the globe for about 6B people.  So we are two-thirds of the way there.   This will require much more infrastructure work but we can do this.  And in places where ground-based infrastructure is not possible then space-based access is also possible (maybe via Cisco’s IRIS?).
• We must have ways to protect anonymity of good people, but not allow anonymity of bad people.   This is going to be much harder to do than it is to say.  I believe a structure could be put in place, with massive engineering, where all people are given some means to stay anonymous but when a certain key is applied their cloak can be peeled back.  Hmmm.  Who wants to keep those keys?
• The US is now on the record saying we will protect our networks.  How, I wonder, will we do that?  This is not the first time this question has been asked.  I know many great thinkers have been noodling over that one for a long lone time and that one is also easier said than done.  I know we can engineer in more security and have heard of some powerful ideas on how to do it.  But we have to move the ideas to action quick.  And we need to do that not just for the federal government but the entire US infrastructure.

Who can make these goals real?

The many technologists who design and field components of the modern Internet come together in multiple forums, many of which are key standards bodies.  Any significant re-design of Internet functionality is going to be done by collegial coordination in standards bodies. A short list of standards bodies is here.

A few standards bodies particularly relevant to designing Security into the Internet fabric are:

• ANSI – American National Standards Institute
• IEEE – Institute of Electrical and Electronics Engineers
  IETF – Internet Engineering Task Force
• ISO – International Organization for Standardization
• ITU – The International Telecommunication Union
  • ITU-R – ITU Radiocommunications Sector (formerly known as CCIR)
  • ITU-T – ITU Telecommunications Sector (formerly known as CCITT)
  • ITU-D – ITU Telecom Development (formerly known as BDT)
• OMA – Open Mobile Alliance

Another key body is ICAAN.

So, what’s next?  I don’t know but I expect to see follow on action to be coordinated across the federal government and expect to see continued action on making these policies real.

Any thoughts on that?

Related posts:

1. One to watch regarding standards and security
2. CTOs: Keep your focus on security and functionality
3. Current Internet Explorer security flaw even worse than usual ones: Use Firefox or Chrome

• An organization of malicious computer experts who have access to many of  Microsoft’s most sensitive secrets and the resources of a nation state have built attacks that exploit Microsoft’s browser, Internet Explorer.
• When a malicious organization like that decides to hack a system, it can be very hard to stop them. They probably also have ways to attack other web browsers.  But we have no indication of that yet.
• Since other people now know how the exploit works, far more attacks can be expected, from a wide range of attackers.  Automated programs (bots) and virus attacks can also be expected to exploit this Internet Explorer hole.
• For now, the most important thing you can do is to stop using Internet Explorer and switch to the most recent version of Firefox or Chrome.
• You also need to keep your entire computer system patched and you must keep your anti-virus signature files up to date.  And don’t click on strange links or visit shady/ugly/evil parts of the web with any browser (ok that can be easier said than done, but you need to watch out to make sure you stay safe).
• Also, stay aware.  It might be weeks or even months before Internet Explorer is safe again (when it gets the right patches you should update it).
• And, there is a chance that sometime in the future one of the other browsers will be the most vulnerable. That is the nature of life in the modern world.  You may need to switch back to IE at sometime in the future.

ACTION:

1. Download and use either Firefox or Chrome
2. Keep your system patched
3. Do not open Internet Explorer
4. Follow the news closely.

Key References:

• Major flaw revealed in Internet Explorer: users urged to switch (from Christopher Null on Yahoo).
• Operation “Aurora” Hit Google, Others (a great report by George Kurtz of McAfee).
• Should you dump Internet Explorer, NOW? (by Joe Wilcox on betanews).

Thanks to friends from Twitter:

• http://twitter.com/tericee
• http://twitter.com/george_kurtzCTO
• http://twitter.com/8huit
• http://twitter.com/c4i
• http://twitter.com/rogery33
• http://twitter.com/ZachTumin

Related posts:

1. The Future of Cyberspace Security: The Law of The Rodeo
2. Foreign Spies Make Recession Worse and Steal Part of Our Future
3. The National Security Implications of Free 3D in a Browser

There are other mitigating factors to watch, however.  Some that come immediately to mind are the steady pressures to reduce budgets and the constantly increasing security challenges.  Mission requirements are also continuing to accelerate.

So what will the net assessment be by the end of 2010? There are many variables at play here, but in theory the greatest determinant of technological outcomes are the leaders of the IT enterprise.  What you decide will have a great impact on how well your mission is served.

As an aid to your decision making, the CTOvision.com site tracks the megatrends we see sweeping across the IT landscape.  The following is an update on six we believe to be of significant relevance to the enterprise Chief Technology Officer (CTO) and Chief Information Officer (CIO).  They are:

• Convergence and trends towards unified communications and user empowerment
• The continued dominance of American IT
• Increasing open development of software and hardware
• Cloud Computing and massive ingest/parsing of data
• Green IT and support to total mission effectiveness
• Increasing pace of technology improvement/development

Convergence and trends towards unified communications and user empowerment. Consumerization and its impact on IT development has been a trend for the last five years and it shows no sign of slowing. All IT around the globe is being impacted by this trend, and IT development is focusing increasingly on consumers vice government or enterprises.  The good news here is that enterprise employees are increasingly becoming technology savvy power users that should be fast studies when it comes to learning the power of enterprise IT. The bad news is many enterprise users will have very high, frequently unrealistic expectations of what their enterprise IT will be able to provide for them, since enterprises have special security and regulatory (as well as budgetary) concerns that many home uses do not have.  Another important impact of this trend is that most enterprise users are becoming very used to social media, which can enable enterprises to support mass collaboration on problems.

Consumers are also a big reason the IT industry is fielding increasing location-aware capabilities, and many of these will be of use in enterprise solutions (one we are watching closely is SenseNetworks).

Individual enterprise users are also the reason IT departments must focus on information discovery capabilities vice the old style information search tools. Users are demanding this and other productivity advancements.

The continued dominance of American IT. The fact that US stockholders own and US citizens run most all enterprise IT firms is something we should all be proud of.  Our American way of education and competition has generated great firms that dominate, for now, the IT landscape (see the CTOvision.com Tech Titan List). For enterprises with special national security concerns this can be one factor that helps in assessments of threats to IT supply chain attacks.  But also of importance, the leadership of these firms and their corporate headquarters are all very open to interactions from enterprise IT leaders from the federal government, and in every interaction I’ve ever had with them they are all very appreciative of the missions supported by federal IT leaders.  The availability and proximity of these great firms is something our federal enterprise should take continued advantage of.

Increasing open development of software and hardware. All major IT firms, including the powerhouses that produce proprietary software and hardware, are now embracing the open source movement.  Even Microsoft has an open source strategy that applies to some of their offerings.  The open source community has long benefited from the developer talent in big companies that help produce and further code in Linux (see Red Hat for a supported variety), OpenOffice and many other open source solutions.  We can all expect proprietary software will be the most full featured software (for many market reasons), but even that will be built in a way that works well with open source. The benefit to enterprises is a wider range of choices in solutions, and in many cases an ability to field solutions faster and with more security and lower cost.  We can also expect all federal enterprises will find ways to enhance internal collaboration on software development projects, for example, the Forge.mil collaborative development capability.

Cloud Computing and massive ingest/parsing of data. After years of planning and hard work and design enterprise technologists have finally begun to see benefit from the concept of “private clouds,” where the scalable, elastic access to resources leveraged by public clouds can now be used in more secure enterprise infrastructures.  And the cloud computing trends in the IT sector have resulted in a great suite of interoperable capabilities ready to improve private cloud security, reliability and performance.  Private clouds also strongly support continued requirements for large scale ingest and parsing of data to support enterprise missions, and they can do this in a way that makes disaster preparedness and recovery much easier to plan for.

Green IT and support to total mission effectiveness. The movement to Green IT first began as a way to do the right thing, with government and industry realizing the PC’s and monitors being fielded should be built in more energy efficient ways. Perhaps the most visible activity in this area is Energy Star, a government-backed program designed to help businesses and individuals save energy.  But many other activities have arose including an executive order requiring all federal IT efforts to support strict new Green IT rules.  The cost of energy has also been a continual driver.  As enterprises look for ways to save power they are also looking at travel budgets and the cost of sending people to distant meetings and this is placing more demand on capabilities that enable collaboration from a distance.  Energy efficiency is also another driver of telecommuting, which will put pressure on IT departments to enable secure access to enterprise clouds from anyplace a worker is.

Increasing pace of technology improvement/development. The CTO’s of federal enterprise are a busy bunch.  Not only do they have to articulate standards and guidance for their enterprise, but they must continually track the many changes coming out of IT companies big and small.  There is never enough time to do this, and all indications are that the speed of technology advancement will only increase.  All enterprise technologists should consider the mechanisms they can put in place to learn of and evaluate technologies which may be of interest.  My hope is that one of your resources in doing that is my blog at http://ctovision.com This site tracks megatrends, including the six in this post. We also list firms big and small that are fielding capabilities which can dramatically enhance mission effectiveness, and do so in order to provide advanced warning for enterprise technologists who must maintain awareness of what is coming.

These trends are relevant to all, and an awareness of them should help your planning process.  They call for an acceleration of green IT, virtualization systems, social media, collaboration tools and new user-focused devices into the enterprise.  They also call for more direct dialog with users since many of these capabilities can transform their way of work.  And they call for enterprise technologists from every agency to continue to scan the horizon to look for what’s new.  That need will likely never stop.

Related posts:

1. Cloud Computing vs. SOA: Look for a cross-over in hype
2. Vision for the Enterprise CTO: Lessons from DNI Vision 2015
3. The Technology Implications of the Obama Win

Aneesh Chopra and Vivek Kundra discuss the Open Gov Initiative

One of the great resources for tracking trends in Open Government, Gov2.0 and related activities is GovFresh.com, a site I recommend all visit and bookmark and track.  GovFresh founder Luke Fretwell can be found on GovLoop, LinkedIn, Twitter.

Luke recently asked several folks who track the Gov2.0 scene for thoughts on the recent Reactions to the White House Open Government Directive.  The directive itself is well worth a read:

(Another great perspective is on the site of the Red Hat Government senior architect/CTO, Gunnar Hellekson, at his blog).

The comments on Luke’s site, including my comments, tend towards the very positive. This directive is a good thing and my gut tells me comments should be positive.

But we the citizenry also have plenty of reason to be cautious.  One reason to be cautious is the clear indication that OMB and the White House don’t seem to believe these ideas of openness belong to them.  In general, these are the people the citizens need to watch the closest.

I’ll highlight another caution by pointing out another lead I got from Luke’s govfresh site.  A clip of a little Gov2.0 humor brought to you by the Daily Show:

So that is just funny! But the caution I would like to make is underscored by this humor. TSA screwed up in a big way, by widely releasing information into the public domain that should have never been there.  The big part of their screw up had to do with people not understanding technology being allowed to make decisions (which is increasingly a no-no, folks that don’t understand how to work tools should not be able to use tools).  But I have to wonder if pressure to release before thinking or a bias towards openness first had anything to do with the release.

This is an area I hope Vivek Kundra and Aneesh Chopra pay attention to.  Just like President Obama now owns the Afghanistan war, Vivek and Aneesh now bear responsibility for the smooth functioning of our government’s IT.  It is pretty clear now that both should focus more on ensuring 100% of the federal workforce, including contractors, are either qualified to operate our federal IT or are supervised prior to making decisions.

I should also point out that Vivek now owns 100%, responsibility for the protection of all federal networks against unauthorized use.  That is the topic for another post, but clearly, if Vivek is the senior IT guy in the federal space and are operating with the President’s authority in this area he is responsible for how our enterprise functions.  More on this topic later.

Related posts:

1. A CTO’s views on the new Fed CTO
2. How can we judge enterprise-class CTOs and CIOs? Rank them on the Kundra Scale
3. A proposal for government certification of open source software

A great deal has changed over the last year and a half and I think it is time to update the paper.   I’ll be sending it around to friends in the Cyber Conflict Studies Association and asking if they can point me to related research.  I’ll e-mail it to government and national security thought leaders and ask if they have comments/thoughts they can share.  I would also very much appreciate the views of technologists, since so much of this topic must be discussed with a good understanding of the technology foundations of Cyber.

So, I wanted to ask… If you have a few minutes would you please look over the May 2008 version of this paper and give me your thoughts?  It is here:

http://ctovision.com/references/towards-a-cyber-deterrent/

Related posts:

1. Cloud Computing and Net Centric Operations
2. White House Cyber Policy Review: And a Cyber Czar
3. Intellectual Rigor and Cyber Conflict

Organizationally they have a team of strong cyber players that have been honing their craft for years.  The US CERT serves a significant mission– they are there to strengthen the defense of the Federal government’s networks, especially those in the civil executive branch (the “.gov” of the Internet).  In executing that mission they help many others and are a critically important part of our nation’s defensive fabric.   The US CERT is run by the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS).

Today the US CERT opened its new operations center.  Their facility is called the National Cybersecurity and Communications Integration Center (NCCIC).  It is a “Unified Operations Center” designed to enable the co-location of other key components of the NCSD and DHS, including the National Coordinating Center for Telecommunications (NCC), the National Cyber Security Center (NCSC), and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).  This new operations center also hosts liaison officers from many other related watch centers which will make it a key information clearing house and a critically important capability for the nation.

I was allowed into the combined watch floor today and was excited to see the tremendous visualizations analysts and watchstanders will be able to leverage as they seek enhanced situational awareness.   Even though all the organizations in this room have different “chains of command” they all share common needs for fast, accurate information and their ability to dialog over visualizations will enhance their ability to jointly figure out what is going on.

On a personal note:  I am very optimistic about this new unified operations center and its ability to make a positive impact– and– although I have seen and believe in the technology they are using, the real reason I’m so positive is the quality of leaders involved.  I’m upbeat because of the folks I know who are driving the right actions.   They include Phil Reitinger , a savvy professional and executive with understanding of the law and technology and mission, RADM Mike Brown, one of of our nation’s greatest military leaders and a key driver of our nation’s cyber posture for over a decade, and a past associate from DIA who had been responsible for ensuring the DoD’s JWICS network survived and thrived and continually enhanced support to the DoD mission.   These folks have many hard tasks ahead and their work is by no means complete but they are some of the best the nation has and deserve our collective support.

Related posts:

1. Rod Beckstrom and the National Cyber Security Center at DHS
2. New Command to Focus on Cybersecurity for DoD and IC
3. Enhancing US Cybersecurity

This has been a problem for as long as consumers have had computers.  It was highlighted again when stories of a data eating glitch in Apple’s latest OS surfaced. According to multiple sites (including The Register),  when some Apple OS users logged into a guest account then back to their user account on their system, all their data was deleted.  Good security protects data and keeps it available. Good security does not delete the data you want access to!

For the last 40 years (since CompuServe in 1969) there have been clear trends towards consumers keeping more data in the cloud.  That trend has been accelerating of late and multiple angles have been studied and dissected here.  Security has always been an issue with consumer data in the cloud, but now it is becoming even more critical.  Many consumers are hosting large parts of their personal, private and sensitive information in cloud based services.  Some are using the cloud for all their finances.   In the mobile world we live in many are leveraging cloud services as part of their handheld/cell solution.  One of the most famous cases of data loss in this area is the news this week of Microsoft’s destruction of consumer data associated with the T-Mobile sidekick.  The cloud can let you down in many other ways.  Poorly configured cloud settings can contribute to social engineering hacks against your data, and there is a wide range of other unknowns that consumers face when deciding how much to host in the cloud.

So lets do a quick net assessment: If you keep your data at home, you can choose an operating system which has a high likelihood of being attacked by malicious code which can compromise your data’s confidentiality, or you can chose an operating system that has been found to totally destroy your data, or you can put it in the cloud where it can be destroyed or leaked by someone you don’t know.

What is a consumer to do?

In my opinion, the first thing a consumer should do is to understand who is responsible for protecting data.  I’m talking to you here.  You are responsible for protecting your data.

If you decide to trust someone else with protecting your data you are taking a risk.  So try to understand that risk and mitigate it.

For example, I use several OS’s at home, including the Mac OS.  All data from my home computers is automatically backed up into encrypted archives.  That reduces risk a bit.

I am also a big cloud user, both for my business and for some personal uses.  But still I’m careful about what data goes into the cloud and how it is protected.  And a key segment of my data in the cloud is backed up locally.  I get cloud benefits and a little more protection.

One thing I don’t do enough is print out important info like my contacts.  After the lessons of the last few weeks I’ll be doing that more.

One thing I’ve never done is use the cloud for sensitive financial data.  I’m just not ready to accept that risk.

On all OSs in my house I work to keep them patched.  And I ensure the anti-virus is up to date.  This is not perfect protection (there is no such thing), but it helps reduce risk.

In choosing cloud providers, I think through the company’s approach to security and their reputation in the area.  We all have to hold these big companies more accountable. And it is just too risky to do business with companies that don’t respect consumers the way we should be respected.

Those and many other steps flow from an understanding that it is my responsibility to protect my data.

I hope those actions are similar to your approach.  Let me know please if you think I should have highlighted something else relevant to consumer data protection.

Related posts:

1. Thin Client Laptops: Functionality, Security, Mobility
2. Protecting Federal Networks Against Cyber Attack
3. Securing Enterprise Data and Computer Power

The largest, hardest to change bureaucracy in the Western world is the US Federal Government.  The US Federal Government arguably has the most important missions in the globe and requires an extensive, large, complex IT environment to carry out those diverse missions.  And this IT, like the rest of the US Government, is funded by Congress in ways that are not always strategically aligned with the desires of the federal IT leadership (I’ve heard it said that it is like having a board with 535 directors controlling your funding).  And the many acquisition, security and IT laws are complex and tough to operate under.  Add to that the fact that the critically important federal missions drive IT decisions and you get the point.  Federal IT is hard.

I didn’t mean to whine there, but wanted to give some context relevant to this assessment:  The most relevant measure of a CIO or CTO is what they can get done.  Of course it matters how they get things done.  Like other executives, CIOs and CTOs must be honest and ethical and should treat others with respect.  But in most cases the CIOs and CTOs I know who have issues in those areas don’t get things done to begin with.  So, back to my key point: The real measure of a CIO or CTO is what they get done.

Hold that thought for a minute while I make another point.

Vivek Kundra has proven himself by excelling as the CIO of the largest IT environment on the globe.  I don’t know of anyone else who could have gotten the results he did.

Which means, if we are grading on a curve, Vivek gets the A+ and we measure others against his accomplishments.

Lets do a quick review of what he has done in his short time in the federal enterprise:

a) He has made the federal CIO council cool.  CIO’s I have chatted with are really excited and happy to be engaged in that collective.  That group has been operating for years and there has long been some great civil servants working with the CIO council, but it is something different now because of Vivek Kundra.  You can get a bit of feel for that yourself if you check out the new way their site looks at http://cio.gov Don’t the faces there look happy? Doesn’t the site make you want to work in federal IT?

b)  He has encouraged agencies to explore new ways of reaching out to citizens and new ways to serve their employees.  This has the backing of the President, who issued a memo on Transparency and Open Government the day after taking office.  But we have to credit Vivek with the constant follow-up.

c) He rolled out new ways to visualize IT information, and did it in a way that we citizens can interact with the data ourselves. For more on that see: http://it.usaspending.gov/. And he did that in a way that makes it easy for users to extract that data and graphics in multiple ways and embed them in other sites.

d) He led establishment of new ways to expose data from the federal space, and brought together new interfaces via http://data.gov

e) He has helped bring about new implementations of cloud computing in the federal space, including constructs for private clouds and also a new apps store.  Casey Coleman of GSA just announced this new apps store at http://apps.gov and it is already a big hit.

f) He has leveraged social media in ways that show federal agencies the power of social media.  Without that leadership many would not be moving in that direction.  This leadership by example is very important in a large enterprise.

g) And, Vivek Kundra has embraced constructs like Gov2.0 and takes time out to engage the community in conferences like the Gov2.0 Summit.  That is very much appreciated.

That’s a short list.  Now I wonder what Vivek has in store for us next.  I’m hoping he will tackle ways to enhance both functionality and security in the federal space.  We really need some fresh leadership there.  Federal missions require IT that is reliable and resilient, and all federal missions require special protection for the data.  Some federal data contains information on citizens and for privacy purposes must be protected.  Other federal data contains information on military secrets and intelligence sources and Presidential intentions and all that must be guarded.  I imagine these are things that Vivek will be working on next.  These are hard problems.  But clearly he is up to the challenge.

Related posts:

1. Vivek Kundra: The Alpha CTO
2. OMB on CIOs: Some context for the enterprise CTO
3. Vivek Kundra: Still the Alpha CTO and now the First Fed CIO

Cloud Computing

I have said, and still say, the same thing about design approaches like Service Oriented Architecture (SOA).  The constructs, methods and models of SOA are good practices that result in good designs for enterprises.   It is smart to separate data from application logic and smart to enable agility and mashups the way good SOA design does.

But a key problem with SOA was the hype associated with it.  Everyone started using the term the way they wanted to.  And every IT vendor came out with their definition of SOA.  And every system integrator tried to sell us buckets of their SOA.  And every trade journal ran SOA articles.  And too many CTOs, myself included, said too much to our customer/users about the promise of SOA and that contributed to our users increasing their expectations over what SOA would deliver.   The result of all of that, the over hype on SOA sometimes caused distractions.  The cure: CTOs focused on what SOA meant for their specific organizations.  It is still a great construct and by focus it is delivering value.

There are now clear indications that the hype around Cloud Computing is going to ramp way up.  In fact, a quick search on Google Trends indicates searches on the topic of Cloud Computing, while still lower than searches on the topic of SOA, are rapidly gaining while searches on SOA are declining.  The two are headed for a cross-over.

The graph below reflects this (a live version of this graph is at Google Trends).

Here are my views of the “So What” of this information.  For the Chief Technology Officer or Chief Information Officer or other enterprise technologist who must really deliver, I’d recommend you brace yourself for a flood of hype.  You have probably already seen indications of this.  But if trends continue the amount of views you (and your bosses) will be asked to consider and deal with will accelerate dramatically.  Your defense against this will be the strength of your own position in Cloud Computing.  Therefore, I strongly recommend you personally think through what Cloud Computing means to your enterprise.  Also, think through your definition of cloud computing.  Hopefully the NIST definition will suit your use, since the more people who form up on that the better.

And you may want to think through which Cloud Computing related events you will attend and speak at.

And you may want to think through you who personally believe the strongest IT players are in the Cloud Computing world.  I have my list.  Let me know if you want to compare notes sometime.

Any thoughts?

Related posts:

1. Update on Federal Cloud Computing
2. What is Cloud Computing: I’m forming up on the NIST view
3. Cloud Computing and Net Centric Operations