Robert Carey steers the Navy to its 'new normal'

 


Department of the Navy CIO Robert Carey is pushing to improve security across the department while promoting the use of Web 2.0 tools and open-source software.

Guiding the Navy to a progressively more secure network environment calls for a better understanding of routine operations, or the “new normal,” as Robert Carey, the Department of the Navy’s chief information officer, puts it.




However, to get to the new normal “you must actually know what normal is,” Carey said.

The Robert Carey file

Personal motto: Make a difference every day.

Mentors: Dan Porter and Dave Wennergren, both former Navy CIOs.

Best advice you ever received: When you hear "incoming" over the loudspeaker, find cover.

“You have to know what is going across the firewalls, what is going across port X, inbound and outbound. Once you understand that flow, you can determine, hey, that is [a threat] and have the network sensors shut it down,” he said.

Carey’s focus on the details reflects the department’s plans for a proactive approach to security.

“Today, anomalous activity on the network is generally detected after the fact,” Carey said during a recent interview in his Pentagon office. The Defense Department's evolving, multilayered cybersecurity strategy relies on a culture shift and an array of new technologies that will pinpoint and counteract threats during or even before they strike, he said.

Those and similar IT security plans appear in the Pentagon's Computer Network Defense Roadmap. The plan also goes by the name Gladiator Phoenix, and includes measures devised and promoted by the Federal CIO Council’s Information Security and Identity Management Committee, where Carey is co-chairman.

Carey joined the Navy CIO's office in 2000 and received a promotion to deputy CIO in December 2002. Then-Navy Secretary Donald Winter named Carey, at the time stationed in Iraq with a Navy Reserve unit, as the service's CIO in December 2007. That was after Carey's boss and mentor, Dave Wennergren, had been appointed DOD's CIO and deputy assistant secretary for information technology.

Among ongoing initiatives, Carey described DOD's negotiations with Navy Marine Corps Intranet (NMCI) contractor EDS for pending upgrades to NMCI as pivotal for IT security. The Navy is negotiating a sole-source bridge agreement to assure a smooth transition from the EDS contract to DOD's planned Next Generation Network.

EDS' contract for the Navy network expires in September 2010, but the transition to the next generation net may take as long as 28 months.

The Navy's EDS negotiations will help continue the adoption of host-based security methods across the NMCI.

Recent projects to consolidate data centers, exploit virtualization technologies and reduce the number of servers with outward-facing, publicly-available Internet addresses spur security as much as they help control IT costs, Carey said.

“Any time you reduce the footprint [the Pentagon makes on the unclassified Internet], you improve security,” he said. “As for saving [money] during that process, that depends on the ability of the service or agency to have visibility into its costs.”

A server that operates far below its potential capacity, together with the personnel costs needed to maintain it, is just as expensive as a much more fully-loaded unit, Carey said.

Navy and DOD policies weave those security enhancements in an interlocking “broad and deep” approach with technologies such as public-key encryption, firewalls, intrusion detection systems and workforce education, Carey said.

“We're educating our workforce every day,” he said. “You can either be a strength, or you can be a vulnerability. If you do things wrong, you become a vulnerability.”

The Navy's cybersecurity education mission focuses especially on the Web 2.0 tools that Carey promotes, including his award-winning CIO blog and the podcasts he launched in August 2007.

The Navy CIO shop uses a wiki to help develop the service's strategic plans and policies and the Navy CIO Web site includes a Really Simple Syndication feed.

Carey's blog isn't just a cheerleading megaphone, but a forum for technical IT security information.

For example, in mid-September, the blog described the department's campaign against sneakernet (portable storage media) security risks. In November 2008, the U.S. Strategic Command issued an across-the-board ban on connecting flash media to DOD networks at all classification levels, the Sept. 16 blog entry recounted. Media such as USB thumb drives, memory sticks and camera flash cards were providing a route for malware into DOD networks.

The malware risks arose because DOD workers were flouting flash media security rules, Carey wrote: “This [security regime] included procedures for data transfer between network domains and classifications, malware scanning guidance for all forms of removable storage media before connecting to the network and guidance for protecting data stored on removable media.”

Since then, Carey continued, DOD's Removable Storage Media Tiger Team, under the auspices of the Defense-wide Information Assurance Program, has been planning flash media reintroduction based on DOD-acquired thumb drives and similar units.

“I am a huge fan of social networking,” Carey said. “I believe it has great benefit and value.”

“I recently met at the DOD Web 2.0 Summit with many of the providers of the tools, such as Craigslist, Facebook, Google and MySpace, to talk about what are the inherent safety features that they have in place,” he said. “What confidence would we have in just engaging their toolsets?”

Carey spoke with Craigslist founder Craig Newmark at the meeting. “They do their best to make sure that any kind of scams are taken off. They try to make it a real live forum to buy and sell goods or services. For the most part, he tries very hard to keep this above board.”

“We have to move out of the industrial age mindset,” Carey said, dismissing complaints from business owners that online services such as eBay create a criminal resale market for stolen property.

“No one is going on eBay and saying, is that generator a $2,000 model or a $4,000 model,” Carey said. “How would they know?”

Because of his own DOD cybersecurity training, Carey recognizes risky e-mail messages and deletes them unseen. “You wouldn't be able to do that because you are not trained in cybersecurity,” Carey said.

He added that the Pentagon's PKI signature technologies provide almost infinite assurance that a signed message is authentic.

Carey has endorsed the use of open-source software as acceptable for the Navy, a result of studies launched by Wennergren.

The open source policy shift reflected the Navy's adoption of the standards-oriented approach that Wennergren and Carey have advocated.

Carey noted in the interview that the administration's drive for accountability and transparency will increasingly influence other efforts toward improving IT planning and acquisition.

The IT acquisition process itself remains a focus for concern by DOD and Congress, Carey acknowledged: “Looking at the history of Pentagon IT acquisitions over the past five years, you'd be hard pressed to find one that came in on time and within budget,” he said.
