Cybersecurity expert Sam Chun of EDS, an HP Company, shared his views on FISMA, the new U.S. Cyber Command and where he believes the future of cybersecurity lies with TheNewNewInternet. Chun believes FISMA is outdated and inefficient: lawmakers should reduce its administrative burden through automation and dashboard technologies, and he suggests tying FISMA ratings to accountability and rewards for agencies. EDS, an HP Company, will continue to support the Department of Defense, including the new U.S. Cyber Command, and is working to maintain the highest security standards in its technology. Chun specifically cited cloud computing security as a priority for EDS, an HP Company.
TheNewNewInternet: Could you briefly describe your cybersecurity background at EDS, an HP Company?
Sam Chun: I serve as Director of our U.S. Public Sector Cyber Security Practice for EDS, an HP company. My most recent focus has been on the federal government market, but I have information security experience across multiple industries. I joined EDS almost two years ago to support the very broad set of security services and solutions that we provide to our public sector clients.
TheNewNewInternet: Could you comment on what you thought of Melissa Hathaway's 60-Day Review as it relates to the government contracting community?
Sam Chun: I think a lot is still to be determined, but it's a good start. We will have to wait and see what programs will eventually come out of this and other policy directives at a national level. In the meantime we will continue to focus on delivering services and solutions to our customers, including the government, that will have security integrated as the heart of everything we do, as we have been doing for over 45 years.
TheNewNewInternet: What is your view of the DOD Cyber Command?
Sam Chun: The DoD Cyber Command is a new command that will assume responsibility for the defense of the military's computer networks and cyberspace. However, U.S. Cybercom's capabilities and components have been around for a while and they are well known to the industry. Securing the Defense information grid has been a longstanding priority for the Department of Defense. Prior to the establishment of U.S. Cybercom, its mission has been supported by other component commands of the United States Strategic Command such as the Joint Task Force-Global Network Operations and Joint Functional Component Command – Network Warfare. These existing commands are being consolidated and have expanded their mission while continuing to focus on the .mil (defense) network. The new U.S. Cybercom seems to be an attempt to consolidate the objectives of the STRATCOM initiatives I mentioned. As a large DoD contractor, we have established close working relationships through the delivery of secure operational technology environments for a variety of DoD agencies. Therefore, we are certainly looking forward to learning more about U.S. Cybercom as the command nears its start date.
TheNewNewInternet: In your testimony before the House you talked about FISMA. Could you give our readers a sense of what your suggestions are for updating and improving FISMA?
Sam Chun: When you talk about the cyber security of the nation and information and communication infrastructures as a strategic national asset, there is an enormous role for the government to play. I believe we are at our very best when we serve as a model to others. The federal government has a real opportunity to be a global leader in cyber security by improving the security postures of federal information systems and networks. One of the mechanisms and engines to do that is FISMA. It's been around for a long time and over its seven years it has become dated. To update and improve FISMA, we first need to reduce the administrative burdens that are on agencies to comply with the law by using automation, dashboarding technologies and decreasing the raw paperwork that is required for certification and accreditation. Another suggestion for FISMA improvement is tying FISMA reports and ratings to what that information is used for in terms of accountability and rewards for agencies.
TheNewNewInternet: What is the future of cyber security at EDS, an HP company?
Sam Chun: The cyber infrastructure of this country is a massive interwoven ecosystem that spans all sectors, both public and private. That is why we have such an important role to play in the cyber security of this country. Not only do we make innovative technology solutions for our customers as HP, we also integrate and manage systems for our customers as EDS, an HP company, across a diverse industry base for nearly every critical infrastructure sector. As a combined company, we are exercising our commitment to deliver secure operational excellence through the global contracts we hold, across a diverse base of industries, to build and manage some of the largest IT infrastructures. As a result of this commitment, we are employing technologies that have more security embedded in them, that are more resilient and more operationally secure. As part of HP, we are taking advantage of IT innovations developed in HP Labs. We use the combined strength of HP Labs R&D technology with HP best-in-class technology and technology gained from our highly skilled partners to form resilient operational systems and networks that support the critical missions of our customers.
TheNewNewInternet: In your testimony you called for advanced training of cyber security within government agencies. Do you think a 'cyber academy,' similar to the Naval Academy, would be a good idea?
Sam Chun: I don't think so. You really don't want to federalize or militarize the IT workforce. One of the main advancements in security that I've seen in the last ten or 15 years is that security has become a professional workforce. It's a very specific, delineated career structure. Improving that and moving it forward would be a lot better for all of the global stakeholders than having a government-sponsored entity focused on the militarization of cyberspace. At the end of the day we have to balance national and economic security, individual privacy, and global community concerns, and we need to do that in harmony.
TheNewNewInternet: Where do you see cyber security in five years?
Sam Chun: There need to be advances in a number of different places and, in time, these advances will all intersect into more secure cyber environments for everyone. This could take a long time, perhaps decades. In five years there will be some real tactical improvements in specific technologies and realms. For example, understanding the vast amount of information that is being provided by the portfolio of security tools that we use in the mission context is one area. How we really provide trusted computing infrastructures, especially in a cloud environment, is another. I think this is one key area that differentiates us from others as part of HP's family of companies. Our company focuses on understanding where computational science and technological innovation, including security, are going in the future. We specialize in providing thought leadership and consulting in this area so that we are able to help our customers manage, integrate, and navigate rapidly changing technologies such as cyber security.
TheNewNewInternet: What is something most people don't know about you personally?
Sam Chun: When I speak at industry forums, people assume that I have a very technical engineering background, which I actually don't. My undergraduate and graduate training is in Human Behavior. At the end of the day, it's human beings that are interfacing with these devices that comprise our information infrastructures. Understanding the human aspects of security and entertaining interdisciplinary ideas is something we should all consider as we move forward in our cyber security effort.