VA’s former acting CIO reflects on his tenure

Best listening experience is on Chrome, Firefox or Safari. Subscribe to CyberChat with Sean Kelley on iTunes or PodcastOne.

The Trump administration has seen a great deal of turnover among career senior executives, and the Veterans Affairs Department has definitely seen its share. For this month’s show, CyberChat host Sean Kelley sat down with a reflective Scott Blackburn. Blackburn served in many capacities while at VA, including executive in charge of Secretary Robert McDonald’s MyVA Initiative, acting deputy secretary of VA and acting CIO.

Blackburn graduated from both MIT and Harvard, is an Army veteran and was a partner at McKinsey. He comes from a family of veterans and is a disabled veteran himself. He says he chose to work at VA because he “was called to serve.”

Blackburn’s leadership ushered in a great deal of progress in information security. He credits the leadership of Dom Cussatt, VA’s chief information security officer (CISO), and the Enterprise Cyber Security Plan as key pieces of that success.

Blackburn said VA’s cyber program is robust. “The past year, they handled 220 million intrusion attempts, 50 million blocked or contained cases of malware, and 366 million suspicious emails that have come into the system, to name a few.” He said sustainment is the key to getting the agency’s information security material weakness removed.

Blackburn said it is difficult to attract the highest-quality CIOs and CISOs because the federal government cannot offer competitive salaries, and that attracting and retaining IT leaders will never happen without an overall federal strategy for doing both.

“[Leadership drain] happens in the private sector, but I have never seen it like this … it is a reality of government,” Blackburn said. “Any leader coming in can’t sit back for six months. You have to get up to speed very quickly. You have to trust the career employees. Where do you want to make change that really matters?”

Blackburn said he is “most proud of always putting the veterans first. VA is now more veteran-centric than it was four years ago. It is more principle based rather than rule based.”

Blackburn’s message for the folks who still work at the VA: “Keep pushing.”

Takeaways:

  • Leadership is needed for any sustained change.
  • Empower the team, stay out of the way, support the team.
  • The Enterprise Cyber Security Program has five parts:
  1. Protect veteran information and data
  2. Protect VA information and infrastructure
  3. Ensure the VA cyber ecosystem is resilient to existing and emerging threats
  4. Ensure a secure operating environment that supports effective operations
  5. Ensure VA recruits, develops and retains a talented cybersecurity and privacy workforce
  • VA’s investment in front-line employees made a huge difference.
  1. Ensure they know how to handle sensitive data.
  2. Ensure they can recognize spoofing and phishing attacks.

The post VA’s former acting CIO reflects on his tenure appeared first on Federal News Network.

How to improve cybersecurity and workflow by consolidating systems

Cyber risks evolve so quickly that legacy systems cannot keep up with security needs. While many businesses and institutions have focused on upgrading their existing systems, innovators have concentrated on building new programs and IT solutions to combat modern-day threats.

On this episode of CyberChat, host Sean Kelley, former chief information security officer at the Environmental Protection Agency, is joined by Dr. Paul Tibbits, deputy chief information officer for the Veterans Affairs Department and program executive officer for the Financial Management Business Transformation (FMBT), for a discussion about FMBT’s present and future functionality.

Tibbits explains how FMBT will implement federal best practices in finance and acquisition by replacing old systems with a new one. Eventually, all financial management systems will fall under one umbrella. Instead of multiple systems talking to each other, all data will live in one location.

“We’re going to a more modern system with stronger security controls built into it. We’re going to a cloud environment,” Tibbits said.

Are there cyber risks when consolidating all financial systems into one managed service?

“We are cognizant of all the controls that are relevant to our cloud environment,” Tibbits said. “So I would say our cybersecurity posture, based on where we’re coming from, if anything, is going to be better than it was before. We’re reducing risk, not adding risk.”

In other words, the new system is being built to today’s security standards rather than to those in force when the legacy systems were originally assessed.

“The staff that I deal with are all very excited about moving the VA forward, being actual participants in the VA, [and] efforts to modernize itself, including the movement to managed services,” Tibbits said.

Tibbits noted their enthusiasm is likely due, in part, to the potential for improved productivity.

“It is, for the first time, that I have come across a cybersecurity notion that actually facilitates workflow,” Tibbits said.

Using the medical field as a real-world example, tagged data can flow through the system to speed up work. If the system knows which patients a provider is scheduled to see at various times the next day, it can take the provider’s information along with the necessary patient data and pre-fetch it the night before, rather than waiting for the provider to do it manually. This speeds up the patient experience and keeps the provider’s schedule on track.

Another way a single management system improves productivity is single sign-on. Providers no longer have to memorize dozens of passwords, since all of the systems are in one location behind one login.

Putting that much sensitive data within reach of numerous individuals also raises the stakes of a breach. That is why Tibbits stresses role-based access control as the key risk mitigation from a cybersecurity perspective.

As long as user roles are properly classified and data is properly tagged, “only the right person can get to only the right data, at only the right time,” Tibbits said. “It can both strengthen cybersecurity and facilitate workflow.”
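The “right person, right data, right time” rule above combines two checks: a role decides which data tags a user may read at all, and a scheduled treating relationship decides when clinical data for a particular patient becomes readable, which is also what scopes the overnight pre-fetch. The following is an added example written for this page to show that logic in working code; it is not VA or FMBT software, and the role-to-tag policy, the 24-hour window, the users, appointments and records are all constructed for the illustration.

```python
"""Added example: role-based access over tagged records with a time window.

Illustrative code written for this page, not VA or FMBT software. The
roles, tags, schedule and records below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy (not VA's): which data tags each role may read.
ROLE_TAGS = {
    "physician": {"demographics", "clinical", "medications"},
    "scheduler": {"demographics"},
    "billing":   {"demographics", "financial"},
}
# Tags that additionally require a treating relationship (an appointment)
# close to the time of access: the "right time" half of the rule.
RELATIONSHIP_TAGS = {"clinical", "medications"}


@dataclass(frozen=True)
class Record:
    patient_id: str
    tag: str        # classification tag attached to the record
    payload: str


@dataclass(frozen=True)
class Appointment:
    patient_id: str
    provider: str
    start: datetime


@dataclass(frozen=True)
class User:
    name: str
    role: str


def visible_tags(user):
    """Tags the user's role may read; unknown roles get nothing (deny by default)."""
    return ROLE_TAGS.get(user.role, set())


def has_appointment(schedule, user, patient_id, when, window=timedelta(hours=24)):
    """True if the user is the provider on an appointment with this patient
    within `window` (an assumed 24 hours) of `when`."""
    return any(
        a.provider == user.name
        and a.patient_id == patient_id
        and abs(a.start - when) <= window
        for a in schedule
    )


def decide(user, record, schedule, when):
    """Return (allowed, reason): right person by role tag, right time by schedule."""
    if record.tag not in visible_tags(user):
        return False, f"role {user.role!r} may not read tag {record.tag!r}"
    if record.tag in RELATIONSHIP_TAGS and not has_appointment(
        schedule, user, record.patient_id, when
    ):
        return False, f"{user.name} has no appointment with {record.patient_id} near {when:%Y-%m-%d}"
    return True, "ok"


def authorize(user, record, schedule, when, audit=None):
    """Boolean decision; denied attempts are appended to `audit` when a list is supplied,
    so a reviewer can see who was refused what and why."""
    allowed, reason = decide(user, record, schedule, when)
    if audit is not None and not allowed:
        audit.append((when.isoformat(), user.name, record.patient_id, record.tag, reason))
    return allowed


def prefetch(user, records, schedule, when, audit=None):
    """The overnight pre-fetch: every record this user may read for appointments near `when`."""
    return [r for r in records if authorize(user, r, schedule, when, audit)]


# Constructed sample data (fictional patients and providers).
SCHEDULE = [
    Appointment("P-100", "dr_lee", datetime(2018, 6, 12, 9, 0)),
    Appointment("P-200", "dr_lee", datetime(2018, 6, 20, 9, 0)),
]
RECORDS = [
    Record("P-100", "demographics", "name, address"),
    Record("P-100", "clinical", "problem list"),
    Record("P-100", "financial", "copay balance"),
    Record("P-200", "clinical", "lab results"),
    Record("P-300", "clinical", "imaging report"),
]

if __name__ == "__main__":
    audit = []
    night_before = datetime(2018, 6, 11, 20, 0)
    for r in prefetch(User("dr_lee", "physician"), RECORDS, SCHEDULE, night_before, audit):
        print("prefetch:", r.patient_id, r.tag)
    for entry in audit:
        print("denied:", entry)
```

Run the night before the June 12 appointment, the pre-fetch for the physician returns only P-100’s demographics and clinical record: the financial record fails the role check, P-200’s clinical record is outside the time window, and P-300 has no appointment with this provider at all. The denial log is the part a security operations team will want, since a burst of out-of-window clinical reads by one account is the signature of browsing rather than care.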

Top Takeaways

  1. Today’s heightened cybersecurity needs are driving new, more efficient programs and IT solutions to combat modern-day threats.
  2. Outdated networks composed of multiple systems talking to each other are being replaced with cloud-based, single-system solutions.
  3. New single-system solutions facilitate workflow and improve productivity by housing all the data under one umbrella.
  4. Single management systems improve cybersecurity because they are built to contemporary standards and implement role-based access control.


Why application security should be a priority

Gartner estimates that 80 percent of all attacks target the application layer, making it critical that federal organizations get ahead of both their legacy application issues and the development of new applications.

On this episode of CyberChat, host Sean Kelley, former EPA CISO, is joined by Nick Sinai, senior adviser at Insight Venture Partners and Matt Rose, director of Application Security Strategy at Checkmarx.

“There is a huge effort and focus on cybersecurity in today’s environment. The Modernizing Government Technology (MGT) Act has been approved and the IT modernization plan is part of the President’s Management Agenda. We are really seeing greater integration of cybersecurity with IT modernization,” Sinai said.

But does that mean we are more secure?

“To become more secure, organizations really have to support one another. There has to be robust partnerships within the government and contracting community. There has been increasing focus on DevOps and how the federal government builds applications, coupled with increased user centered design,” Rose said.

The government is also grappling with data security more broadly, including how to encrypt data at rest.

Agile development is another approach federal executives have embraced. “More and more CIOs from the White House and federal agencies are talking about agile and DevOps and really putting user needs at the core,” Sinai said.

Sinai added that the federal government will continue to build software itself or with contractors, and in either case IT has to deliver continuously in smaller sprints rather than in quarterly or annual deliverables.

Rose said developing and maintaining an application threat inventory is critical. “A lot of times when an organization is asked about their riskiest application, they don’t know the answer. Develop a process to maintain a threat inventory,” Rose said.

Top Takeaways

  1. IT security and IT modernization are being integrated, especially under this administration.
  2. Developers should build information security into the process as continuous monitoring rather than as security gates bolted onto applications.
  3. Industry and government should focus more on DevOps.
  4. Scrum sessions allow stakeholders to articulate requirements up front.


Chinese economic theft


China’s ongoing cyber war against the U.S. has been underway for decades. Intent on stealing intellectual property from private industry, China’s hacking and spying fuels its economic prosperity.

On this episode of CyberChat, host Sean Kelley, former EPA CISO, discusses the Chinese military’s for-profit ventures with Joshua Philipp, an investigative journalist at the Epoch Times, which covers national security and politics.

When it comes to war against the U.S., China, Iran, and Russia are key players.

“China is the most aggressive and largest player in this field. Russia is more of a distant enemy in this age. A lot of what China is using now are methods Russia used during the Cold War,” Philipp said. He noted their tactics are laid out in Unrestricted Warfare, a book on military strategy written by Chinese generals. The book details methods of waging unconventional war through political action to cause policy changes, economic warfare or cyber attacks.

Philipp said China is also targeting the U.S. through forced technology transfer, the “stealing of technologies and using them to surpass the West or replace the West as the world leader.” The essence of technology transfer is to transfer knowledge, skills, methodologies and technologies from one company or country to another. “This type of trans-economic theft requires a lot more planning or systems in place to achieve the goal, or a hacker army,” said Philipp. He added that unit 61298, one of the 22 operational bureaus of the hacker army, focuses on waging warfare against American companies, organizations and government agencies.

Philipp also said China’s surveillance system relies on supercomputing power. “In the U.S., there are a lot of private companies collecting the data, but in China, everything is collected under one centralized system. The Chinese Communist Party has information on every purchase you make, who your friends are, what your beliefs are, what your ideologies are, facial recognition, where you are going. All of this information is collected to give you a social credit score, which determines what you can and can’t do. Your freedoms are determined by how well you adhere to the social credit system,” said Philipp.

Top Takeaways

  1. Iran, Russia and China are actively waging war against the U.S., but China is the most aggressive and largest.
  2. China has a hacker army with 22 operational bureaus.
  3. Unrestricted Warfare, a well-known Chinese military strategy book, lays out unconventional war techniques.
  4. The goal behind forced technology transfer is to surpass the West.
  5. China is the largest surveillance state in the world.
  6. The Chinese Communist Party collects information about citizens to enforce the social credit system.


General Data Protection Regulation: an EU requirement?


The General Data Protection Regulation requires businesses to protect the personal data and privacy of European Union residents for transactions that occur within EU member states. Adopted by the EU in 2016, this major change in data privacy regulation will be enforced starting May 25, 2018. Non-compliance could cost companies dearly.

On this episode of CyberChat, host Sean Kelley, former chief information security officer at the Environmental Protection agency, is joined by Greg Cranley, vice president of Federal and U.S. Public Sector Sales at Centrify.

GDPR’s biggest change is its extended jurisdiction. According to EUGDPR.org, the new law applies to “all companies processing the personal data of subjects residing in the EU, regardless of the company’s location.”

Cranley says this is much different from the Health Insurance Portability and Accountability Act protections in the U.S. “[GDPR] strengthens the privacy rights of individuals. With a lot of compliances in the States, such as HIPAA, there aren’t really any rights [for the individual]. It’s an expectation that [the health care provider] will take care of your healthcare data.” But Cranley said it’s no guarantee.

“When it comes to data collection, the companies collecting the data [aren’t] necessarily the concern. The concern comes when the data breach happens,” Cranley said. He added that people should be aware that the majority of data breaches happen through stolen identities. “According to a recent survey published in the New York Times, most CEOs believe malware is the biggest cause of breaches, which is not true.”

As the GDPR compliance deadline approaches, Cranley said many companies will be struggling. “The requirements are pretty strong and strict.” Companies found not in compliance can be fined up to €20 million or 4 percent of worldwide annual turnover, whichever is higher.

Top Takeaways:

  1. GDPR strengthens the privacy rights of individuals
  2. GDPR is far more extensive than most U.S. privacy laws
  3. Most CEOs believe malware causes breaches, but most breaches come through stolen identities
  4. Many companies will struggle to make the May 25 GDPR compliance deadline


Cybersecurity in the VA’s Connected Health


Advances in technology are allowing medical systems across the world to extend their reach and care for patients in areas that have been difficult to access in the past. Most view this as a great enabler for every health care system, and it is especially helpful for the Veterans Affairs Department. This month, CyberChat host Sean Kelley sat down with Dr. Neal Evans, chief officer for the Office of Connected Care in the Veterans Health Administration at the Veterans Affairs Department.

Connected Health or telehealth can mean many things to many people, but Evans said: “at the simplest level it just means health at a distance. It’s allowing, in our case in the VA, veterans to connect with their health care teams using technology when they’re not face to face.”

The Connected Health program gives veterans access to health care or medical specialties that may not be available in their local community. As in other settings, telehealth improves accessibility by allowing VA providers and patients to connect by video, and it improves the quality of care by connecting patients with the provider best suited to serve them. According to Evans, veterans are very enthusiastic about using telehealth “because it’s what helps them connect with the person who can help them with their health challenges.”

So, what are the challenges with this approach? “With advances there also becomes greater risk, where things are no longer completely in the VA environment,” Evans said. The security of information and communication is critical and something VA is constantly addressing.

“It is imperative that VA does IT thoughtfully and that we make sure that we are building a system that is secure and that protects the data and the information of the veterans,” Evans said.

One of the ways VA is protecting patient data is through the maturing of its Authority to Operate (ATO) process. Of the ATO process, Evans said “there is a clear path to answer the control and to provide for those controls.” VA has a team in place that manages not only the ATO process but also the move toward continuous monitoring. According to Evans, “the idea of ATO is really just a means to enforce good quality IT development.”

Discussing mobile applications at VA, Evans highlighted VA Online Scheduling and VA Video Connect. VA Online Scheduling illustrates why VA is in the mobile application business at all. “We’re doing mobile health to put tools in the hands of veterans to help them better manage their own health and provide the convenience of being able to book their appointment with VA providers from their mobile phone.”

“VA Video Connect, announced at the White House in August, is a platform that allows patients and their VA providers to connect by video and have real-time video visits online,” Evans said. It provides an encrypted point-to-point video connection between a patient and their provider. Since its launch, the app has drastically increased virtual interaction between providers and patients; more specifically, “48,700 video sessions have been stood up by providers.”

Takeaways:

  • VHA is in the business of delivering health care; priority number one is delivering care and making sure VA provides veterans access to it
  • Telehealth is simply delivering health care at a distance
  • Telehealth gives patients access to health care or medical specialties that may not be available in their local community
  • As telehealth advances, VA is addressing the security challenges that come with it
  • The ATO process has matured greatly at VA
  • VA Online Scheduling and VA Video Connect are two mobile applications making a significant impact at VA
