Agility Loop

Saw this article over at NextGov this morning stating that the Army wants to outsource the creation of one email service for the Army.  BUT, once you read this article it becomes clear that they actually mean one Exchange based email system for the entire Army.

The Army has wanted to do this for years, and in some ways had it with an antiquated email system in AKO.  I just wonder if other vendors out there will argue that there systems should be up to the task?  Seems like the Army has already made the decision on vendor without a fair competition…or at least that is an easy argument for  a vendor.

What’s also interesting is that the Army is “inviting companies to partner with the Defense Information Systems Agency” to house the email system.  Not sure how that contractual relationship would even work?  DISA’s DECCs are not typically vendor facing, and unless something is changed, I am not sure they are designed to work directly with industry.  When working on other enterprise level acquisitions, this same kind of thing was encouraged, and the only offers that were really considered were those that housed the system at DISA “inside the firewall”.

The Washington Post reported over the weekend that yet another cybersecurity official has resigned.  This follows the news of the pending resignation of the lead White House cybersecurity official Melissa Hathaway.  Ms. Hathaway’s quote from the Post article:

“I wasn’t willing to continue to wait any longer, because I’m not empowered right now to continue to drive the change,” she said. “I’ve concluded that I can do more now from a different role,” most likely in the private sector.

I think both of these resignations, as well as others, underscores the challenge that the U.S. Government is in trying to keep up in the technology sector…hiring people.  From reading the article, it is fairly clear that Ms. Hathaway’s resignation was a fueled by an inability to work in the system and get the right people hired.  DoD and other agencies desperately need talented, smart people to lead cybersecurity efforts.  However, from personal experience it is a very difficult sell.

From a contractor perspective, I see the folks who are hard working and attempting to be progressive in government.  It is HARD.  And many times, I think that more can be done from the contractor side simply b/c it is MUCH easier to build an effective team around a hard working and progressive leader.  The government’s hiring practices make it very difficult to compete with private industry.  It can sometimes take months to hire someone into the government.  How long does it take a beltway bandit to do the same?  It is measured in days or weeks instead.

Somehow the government needs to come up with a good way of attracting talented engineers to help run their programs.  Otherwise, our cybersecurity stance will continue to fall behind and beltway bandits will continue to take advantage of programs like FCS and NCES.

UPDATE: Looks like Mischel Kwon, the person who resigned, is joining RSA/EMC.

This is a somewhat refreshing approach.  Rather than ban social networking services altogether like the Marines, the British military has decided to encourage their troops to Tweet or post on Facebook their experiences in the military.  This past week the MOD issued a 13 page document outlining the guidelines for using these services.  Granted, the document has a bit of a CYA tone for the higher ups, but at least it addresses the issue head on rather than bury its head in the sand like some organizations.  Instead you have the Marines who have banned it outright, but the Joint Chiefs of Staff still tweets and has said he will continue to do so.

Of course DoD has kicked off a study to determine the vulnerabilities of technologies like Facebook and Twitter.  Wish I got that cherry contract.

My thoughts on this issue are fairly simple.  If you simply prohibit an effective way for people to communicate, they will find another way to do it, and it will NOT be on your terms.  Instead users will find a workaround that is probably less secure. and may even expose your data and network more.

Word is that E-Collabcenter, IBM’s NCES Collaboration Service offering (also referred to as “Button 1″) will be shutting down in early June.  This comes from a notice on their home page.

E-Collabcenter was the first of two NCES Collaboration Services acquired by DISA.  The intent was to foster competition between the vendors so that enhancements would come quicker in order to capture the DoD market.  The second service or “button” called Defense Connect Online (DCO) is based off of Adobe Connect and utilizes XMPP for IM/Presence.

The question is, will DISA purchase a third button, or extend DCO?

I actually used WordPress’s “Tag Surfer” feature for the first time today, and stumbled upon a post on Identity Blogger.   In his post, Jeff Bohren discusses the challenge of getting users to adopt passwords.  He also references a post by Mark Dixon on the same topic.

I think both articles make good points…intellectually it makes a TON of sense to get rid of passwords.  Mark actually makes an interesting point that passwords are like seatbelts.

It was ease of use, not a technology-driven obsession with safety,  that led to wide adoption of the seat belt.

What I do not agree with is why seat belts were adopted.  I don’t think it is just because seat belts are easy to use and they make us safer.  A lot of the reason that I think a lot of people started to use seat belts is it because it became law.  States started mandating seat belt use in 1984, and very quickly the states all fell in line and start adopting it.  So instead of choosing to use seat belts, people were required to use seat belts or they broke the law.  A fortunate side effect to making this a law is that now for generations that drive after this law was enacted (like my own), wearing seat belts is second nature.

I believe that a similar kind of action is going to be needed for web applications and enterprises to get off passwords.  However, it may not be the Government that actually steps in to mandate this…at least not directly.  As it stands now, banks and credit card companies have the ability to write off fraud when accounts are stolen.  So the cost is really passed on…they aren’t really paying the $40 billion plus in fraud every year.  But what would happen if banks and credit card companies were limited in how much fraud they could actually write off?  I think that all of a sudden you would see a HUGE uptake in the use of improved identity technologies and the discontinued use of passwords.  Users would be forced to stop using passwords b/c the banks and credit cards would be financially dis-incentivized to support them any longer.  Of course the financial institutions would still find a way to pass the costs onto the consumer or the government…

A quick and dirty case study for you.  DoD has been issuing smart cards to their population of 4+ million for years.  The primary use for a long time was secure email.  It wasn’t until it was mandated by DoD that the cards be used for log on to networks and applications that passwords finally started going away.  Sure it was painful, but the networks are now more secure b/c of it.

In my experience, people don’t necessarily change b/c it is good for them or b/c it is easy.  They do it b/c there is a dis-incentive to continue the status quo.

I have been a Blackberry user for some time now.  On of the reasons that I first received a Blackberry was to start testing the security of the device.  Years ago, when DoD was first rolling out PKI, secure email (S/MIME) was the killer app.  Although it took some working with Microsoft and the other email vendors to get proper S/MIME support (don’t get me started about Lotus Notes though…still have nightmares on that one), we eventually got most of the kinks ironed out.  The next frontier we wanted to tackle was mobile devices, and Blackberry was a logical choice.  At first we started with just getting S/MIME support.  RIM actually was a ahead of the ball on this one and fairly quickly released a package for their devices (granted I think it was $150-200 at first…it is now a free download).

However, the device itself had some security holes that needed to be filled.  DoD has continued to test and verify the security of the Blackberry and has worked closely with RIM to release a Secure Technical Implementation Guide (STIG) for Blackberries and other devices.  The STIG walks administrators through the entire Blackberry meta-system to ensure security for the BES and the device itself.  A new version of the Blackberry STIG was released in Feb 2009 and applies to any enterprise using Blackberries, not just DoD.

I also ran across a GCN webcast entitled “Best Practices for Hardening your Agencys BlackBerry Wireless Platform“.  I haven’t actually watched it and it is probably trying to sell something, but probably worth a quick glance (and if you do watch it and it has value please comment on this post).