With the launch of its new U.S. Public Sector Cybersecurity Practice, HP Enterprise Services brought in top cyber talent to ensure success and to have the right strategic direction in delivering solutions that meet the needs of federal clients. Betsy Hight, a retired U.S. Navy rear admiral and DISA alumna, took the reigns as vice president of the cybersecurity practice, with the vision to transform HP into the leading solutions provider for cybersecurity. She recently spoke to The New New Internet about her role at the practice, the problem with Advanced Persistent Threats and the evolution of information technology.
The New New Internet: What do you mainly focus on as the vice president of the HP Cyber Security Practice?
Betsy Hight: I work within the U.S. Public Sector side of HP Enterprise Services. The public sector team has people who engage with many of the federal, state and local departments, such as the Department of Defense or the Department of Homeland Security. We also have organizations which work with agencies that have a particular government interest or area of responsibility, for instance Medicare and Medicaid. The cybersecurity practice looks across all of those organizations to understand the requirements of our clients and what solutions are being developed across the board for those clients. We are also working to integrate diverse capabilities and reduce costs for our clients by applying best practices from one area to another. In addition, we review the products and services as they are launched by HP to understand how they can be integrated to provide a complete solution instead of a single product or a single service.
The New New Internet: How have your previous roles at DISA and in the Navy helped you in your current role?
Betsy Hight: My experience has certainly given me firsthand knowledge of how the Department of Defense works, clear insight into congressional funding mechanisms for federal components and a good understanding of the threats that impact many other federal agencies outside of the Department of Defense. After all, cybersecurity knows no geographic or organizational boundaries. Cyberspace is ubiquitous; it is not limited to specific people or technologies or industries or endeavors. It is everywhere!
The New New Internet: What do you see as the most dangerous cyber threats facing the government and agencies?
Betsy Hight: I think there are two. One is the lack of awareness on the part of people who use federal government systems ““ whether they are government employees or consumers. The second is the attempt by others to intrude on government networks and either insert false information, change information or delete information that is there for a governmental purpose.
The New New Internet: I just wrote an article about the aftermath of the Aurora attacks. Has the Advanced Persistent Threat become more of a problem?
Betsy Hight: The Advanced Persistent Threat has been a problem for a lot longer than widely recognized. What makes Operation Aurora unique is that the perpetrators targeted a system which millions of people use in cyberspace everyday; it was not confined to a government system. In other words, it is something that could have impacted all of us personally. The attack resulted in raising the awareness of why we should all be aware of how this particular domain works and the threat that lurks there. In my mind, cyberspace is a lot like airspace. You can either have chaos in the air with airplanes going anywhere the pilot wants or you can have organized ‘rules of the road’ that allow those airplanes to take off and land safely at their destination. Cyberspace is very similar in that there needs to be recognized ‘rules of the road’ established so that people can use it without fear that someone or something will intrude upon them.
The New New Internet: What are some of the changes you have seen in the cyber landscape throughout the course of your career?
Betsy Hight: I have seen this revolution in information technology firsthand. The Internet, of course, was originally developed to increase internal information sharing so concerns with respect to cybersecurity were an afterthought. Consequently, for many years we were forced to ‘bolt-on’ security capabilities after-the-fact, rather than developing secure applications and networks from the beginning. It's kind of like building a bicycle with two wheels, but forgetting to put the chain on so you are always headed downhill in order for the bike to move. Only in the past few years have we been able to use cybersecurity capabilities to their fullest extent on our networks, but at a high cost and without a 100 percent guarantee of security. Now that we have developed security mechanisms for applications and networks, and built situational awareness capabilities that display information regarding abnormalities, both the consumer and public sector markets are recognizing the importance of these capabilities. Today, there is a plethora of products and services on the market to protect from a wide range of malicious activity, whether it is someone stealing your identity to stealing dollars out of your bank account to stealing national secrets. Those capabilities are now becoming essential to effective network design and architectural reviews, as well as hardware and software development. I've seen cybersecurity capabilities go from few to many in the span of just a few years. In fact, there are so many choices that it takes real expertise to understand the risk equation appropriate for an organization's network and the balance of products and services needed to mitigate that risk.
There is, however, a long way to go. And even though you didn't ask me this, I would like to make a comment on how social media has increased security vulnerabilities. Social media puts us in a situation similar to the mid “˜80s, when we were just introducing the Internet. There are vulnerabilities associated with social media that we are just beginning to understand. We all have friends or relatives who use social media without understanding the potential impact of their personal information being out in the ‘wild.’ In fact, we're almost at a point where we have simply got to develop the right products, services and education so people can understand the risks that they run when they put personal information out on social media websites and allow them to make that decision consciously, given the risk.
The New New Internet: I recently did an interview with Aaron Barr, the CEO of HBGary Federal, and he talked about social media and how hackers use social link analysis to determine the relationships between people who use a social media network to gather a lot of background information. It seems like social media is one of those things you have to figure out how to balance posting all of that information and still protecting your privacy.
Betsy Hight: I think you are right, and I think that a lot of young people don't really understand how all of that information can be used against them either now or in the future. There are software packages out there today that will crawl the web and all the social media sites you use, linking all of that information in order to put together a pretty well-defined picture of whom you talk to, when you talk to them, what you talk to them about, and reveal patterns of your behavior that you probably never realized was in the public domain.
The New New Internet: How can HP help counter the multitude of cyber threats?
Betsy Hight: HP is in the remarkable position of not only developing and building hardware and software, but we also operate that hardware and software, in the hundreds of networks we manage for a wide variety of clients. We have a built-in feedback loop on what works and what doesn't between our operators and our developers. HP products cover the entire spectrum ““ everything from network/computing/storage hardware and software to application and network security. HP services include providing consultation on the security of software under development as well as a risk assessment of an organization's network; we can prevent or detect intrusions in a network and we can provide the intelligence surrounding malicious software on the Internet. As a matter of fact, we can provide the full gamut of products and services with over 90 different capabilities a client can choose from either individually or as an integrated package. We can deliver networking, storage, computing, and printing hardware/software and network management services. We can deliver risk methodologies. We can assess. We can diagnose. We can fix. We can provide infrastructure, operations and security-as-a-service. HP does it all. It's really a remarkable place to be, and it's the breadth and depth of the HP cybersecurity portfolio which allows us to develop not just one or two products, but a full-spectrum integrated package to protect a client's mission or business outcome.
The New New Internet: Looking at the near future, how do you see the threat landscape evolving?
Betsy Hight: I think the Advanced Persistent Threat will continue to become more and more sophisticated as the world we live in becomes more globalized. That threat will not go away and I suspect that it will have a greater impact on the way we live our lives and the way we perform our professional and personal roles. We will never be able to secure information 100 percent of the time. I think that we will always need to maintain our vigilance and ensure that we constantly update our technical capabilities, as well as our personal and professional habits.
The New New Internet: What's your vision for the cybersecurity practice? What’s one of those milestones you would like to achieve, personally?
Betsy Hight: The ultimate goal of our practice would be for a government client to say to themselves, ‘I have a cybersecurity problem and HP is the company that can come in and fix this problem.’
The New New Internet: What is your personal goal?
Betsy Hight: To achieve that state, sooner rather than later.
The New New Internet: Those were all of the questions I had. Is there anything that you would like to add?
Betsy Hight: I'll just add this point. I may have already said it, but one of the things that drew me to HP after 33 years in the government was that HP builds things and it operates things. It doesn't just create a methodology and try to convince a client that this is something they should adopt; HP men and women actually perform the job of operating some of the largest networks in the world every day, 24 hours a day. HP knows what works and what doesn't work. Being able to share that with our government clients is exactly what we should be doing, because quite frankly, we're very good at it. Having spent so much time in the government, my primary goal is to ensure that their cyber-based activities are as secure as possible while allowing for mission-critical information sharing.
The New New Internet: What drew you to cybersecurity in the first place?
Betsy Hight: Everything we do today has a cyberspace component to it. You can't bank, you can't find entertainment, and you can't keep up with the news or your family or with academic endeavors and community activities, without using cyberspace. It touches every part of our lives. The whole field of cybersecurity and protecting that domain called cyberspace is critical for everything we do. That's one of the things that make it so exciting for me.