Robert Carey steers the Navy to its 'new normal'
Department of the Navy CIO Robert Carey is pushing to improve security across the department while promoting the use of Web 2.0 tools and open-source software.
Guiding the Navy to a progressively more secure network environment calls for a better understanding of routine operations, or the “new normal,” as Robert Carey, the Department of the Navy’s chief information officer, puts it.
See all of the 2009 Executives of the Year
Visit the 2009 GCN Awards home page
However, to get to the new normal “you must actually know what normal is,” Carey said.
“You have to know what is going across the firewalls, what is going across port X, inbound and outbound. Once you understand that flow, you can determine, hey, that is [a threat] and have the network sensors shut it down,” he said.
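The baseline-then-detect approach Carey describes, as an added example that is not Navy or DOD code: build a per-port, per-direction profile of what normally crosses the firewall, then flag traffic that either uses a (direction, port) pair never seen before or departs from the usual volume by a wide margin. The flow records are constructed for illustration, and the window size, z-score threshold and record format are assumptions of this example.

```python
# Added example, not Navy or DOD code: a minimal "know what normal is" baseline
# for firewall flow logs grouped by direction and port.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (window, direction, port, bytes). A window is one
# aggregation interval on the firewall (an hour, say); every value is invented.
BASELINE = (
    [(w, "out", 443, 5000 + 100 * (w % 3)) for w in range(24)]   # web traffic
    + [(w, "in", 25, 1000 + 50 * (w % 2)) for w in range(24)]    # inbound mail
    + [(w, "out", 53, 200 + 10 * (w % 4)) for w in range(24)]    # DNS lookups
)

# Constructed observations for the next window.
OBSERVED = [
    (24, "out", 443, 5100),   # within the normal range, should not be flagged
    (24, "in", 25, 12000),    # more than ten times the usual mail volume
    (24, "out", 4444, 800),   # a port that never appears in the baseline
]


def aggregate(records):
    """Sum bytes per (window, direction, port) so repeated flows merge."""
    totals = defaultdict(int)
    for window, direction, port, nbytes in records:
        totals[(window, direction, port)] += nbytes
    return totals


def build_baseline(records):
    """Per (direction, port): mean, population stdev and window count of bytes."""
    per_key = defaultdict(list)
    for (_window, direction, port), nbytes in aggregate(records).items():
        per_key[(direction, port)].append(nbytes)
    return {key: (mean(vals), pstdev(vals), len(vals)) for key, vals in per_key.items()}


def detect_anomalies(baseline, records, z=3.0, floor=1.0):
    """Flag unseen (direction, port) pairs and volumes more than z stdevs from the mean.

    `floor` keeps a near-constant baseline from producing a division by zero.
    Returns (window, direction, port, bytes, reason) tuples, sorted for stable output.
    """
    findings = []
    for (window, direction, port), nbytes in sorted(aggregate(records).items()):
        key = (direction, port)
        if key not in baseline:
            findings.append((window, direction, port, nbytes, "never seen in baseline"))
            continue
        avg, sd, _count = baseline[key]
        score = (nbytes - avg) / max(sd, floor)
        if abs(score) > z:
            findings.append((window, direction, port, nbytes, f"z={score:.1f} vs mean {avg:.0f}"))
    return findings


if __name__ == "__main__":
    profile = build_baseline(BASELINE)
    for finding in detect_anomalies(profile, OBSERVED):
        print(finding)
```

The output of such a detector is what a network sensor would act on; the two findings here (an unexpected outbound port and a mail-volume spike) are exactly the "hey, that is a threat" moments the quote refers to, while the ordinary web traffic stays silent because it matches the profile.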
Carey’s focus on the details reflects the department’s plans for a proactive approach to security.
“Today, anomalous activity on the network is generally detected after the fact,” Carey said during a recent interview in his Pentagon office. The Defense Department's evolving, multilayered cybersecurity strategy relies on a culture shift and an array of new technologies that will pinpoint and counteract threats during or even before they strike, he said.
Those and similar IT security plans appear in the Pentagon's Computer Network Defense Roadmap. The plan also goes by the name Gladiator Phoenix, and includes measures devised and promoted by the Federal CIO Council’s Information Security and Identity Management Committee, where Carey is co-chairman.
Carey joined the Navy CIO's office in 2000 and received a promotion to deputy CIO in December 2002. Then-Navy Secretary Donald Winter named Carey, at the time stationed in Iraq with a Navy Reserve unit, as the service's CIO in December 2007. That was after Carey's boss and mentor, Dave Wennergren, had been appointed DOD's CIO and deputy assistant secretary for information technology.
Among ongoing initiatives, Carey described DOD's negotiations with Navy Marine Corps Intranet (NMCI) contractor EDS for pending upgrades to NMCI as pivotal for IT security. The Navy is negotiating a sole-source bridge agreement to assure a smooth transition from the EDS contract to DOD's planned Next Generation Network.
EDS' contract for the Navy network expires in September 2010, but the transition to the next generation net may take as long as 28 months.
The Navy's EDS negotiations will help continue the adoption of host-based security methods across the NMCI.
Recent projects to consolidate data centers, exploit virtualization technologies and reduce the number of servers with outward-facing, publicly-available Internet addresses spur security as much as they help control IT costs, Carey said.
“Any time you reduce the footprint [the Pentagon makes on the unclassified Internet], you improve security,” he said. “As for saving [money] during that process, that depends on the ability of the service or agency to have visibility into its costs.”
A server that operates far below its potential capacity, together with the personnel costs needed to maintain it, is just as expensive as a much more fully-loaded unit, Carey said.
Navy and DOD policies weave those security enhancements into an interlocking “broad and deep” approach with technologies such as public-key encryption, firewalls, intrusion detection systems and workforce education, Carey said.
“We're educating our workforce every day,” he said. “You can either be a strength, or you can be a vulnerability. If you do things wrong, you become a vulnerability.”
The Navy's cybersecurity education mission focuses especially on the Web 2.0 tools that Carey promotes, including his award-winning CIO blog and the podcasts he launched in August 2007.
The Navy CIO shop uses a wiki to help develop the service's strategic plans and policies and the Navy CIO Web site includes a Really Simple Syndication feed.
Carey's blog isn't just a cheerleading megaphone, but a forum for technical IT security information.
For example, in mid-September, the blog described the department's campaign against sneakernet (portable storage media) security risks. In November 2008, the U.S. Strategic Command issued an across-the-board ban on connecting flash media to DOD networks at all classification levels, the Sept. 16 blog entry recounted. Media such as USB thumb drives, memory sticks and camera flash cards were providing a route for malware into DOD networks.
The malware risks arose because DOD workers were flouting flash media security rules, Carey wrote: “This [security regime] included procedures for data transfer between network domains and classifications, malware scanning guidance for all forms of removable storage media before connecting to the network and guidance for protecting data stored on removable media.”
Since then, Carey continued, DOD's Removable Storage Media Tiger Team, under the auspices of the Defense-wide Information Assurance Program, has been planning flash media reintroduction based on DOD-acquired thumb drives and similar units.
“I am a huge fan of social networking,” Carey said. “I believe it has great benefit and value.”
“I recently met at the DOD Web 2.0 Summit with many of the providers of the tools, such as Craigslist, Facebook, Google and MySpace, to talk about what are the inherent safety features that they have in place,” he said. “What confidence would we have in just engaging their toolsets?”
Carey spoke with Craigslist founder Craig Newmark at the meeting. “They do their best to make sure that any kind of scams are taken off. They try to make it a real live forum to buy and sell goods or services. For the most part, he tries very hard to keep this above board.”
“We have to move out of the industrial-age mindset,” Carey said, dismissing complaints from business owners that online services such as eBay create a criminal resale market for stolen property.
“No one is going on eBay and saying, is that generator a $2,000 model or a $4,000 model,” Carey said. “How would they know?”
Because of his own DOD cybersecurity training, Carey recognizes risky e-mail messages and deletes them unseen. “You wouldn't be able to do that because you are not trained in cybersecurity,” Carey said.
He added that the Pentagon's PKI signature technologies provide almost infinite assurance that a signed message is authentic.
Carey has endorsed the use of open-source software as acceptable for the Navy, a result of studies launched by Wennergren.
The open source policy shift reflected the Navy's adoption of the standards-oriented approach that Wennergren and Carey have advocated.
Carey noted in the interview that the administration's drive for accountability and transparency will increasingly influence other efforts toward improving IT planning and acquisition.
The IT acquisition process itself remains a focus for concern by DOD and Congress, Carey acknowledged: “Looking at the history of Pentagon IT acquisitions over the past five years, you'd be hard pressed to find one that came in on time and within budget,” he said.