Marrying Physical, Virtual Security - Interview with Honolulu CIO Gordon Bruce
Shortly after his election as Honolulu mayor in 2005, Mufi Hannemann assembled the city's public safety and IT officials to develop an integrated security program, forming a public safety oversight committee chaired by chief information officer Gordon Bruce. "Anything that has to deal with security; anytime the issue of security came up, we put it on the list," Bruce says, in an interview with GovInfoSecurity.com (transcript of interview below). "We took an entire, enterprise approach."
Four years later, the technology employed to help secure the Hawaiian municipality's physical infrastructure - credentialing, for one - is being adapted to safeguard Honolulu's digital assets, Bruce says.
Bruce spoke with GovInfoSecurity.com's Eric Chabrow about the benefits of linking governmental physical and IT security.
ERIC CHABROW: Please tell us about the IT security organization in Honolulu.
GORDON BRUCE: IT security within Honolulu took a major leap forward in 2005, when our mayor, Mufi Hannemann, was elected into office. He saw a tremendous importance behind technology, and what services it could provide to the citizens, but at the same time, he realized that there were security issues that covered a number of areas. With that in mind, he formed the public safety oversight committee, and asked me to chair it, and bring together all the necessary parties, including first responders, to look at the entire area of physical and computer/network securities.
CHABROW: And how did it evolve from that point?
BRUCE: We brought all the groups together, which was police, fire, ambulance. It was then known as County Civil Defense, which has subsequently changed to the Department of Emergency Management. We brought all those players together, who typically had not been brought together in the same room, along with various administrative personnel within the City -- my department, the Department of Information Technology, to sit down and clearly identify what the security pluses were, and what the security shortfalls were, within the city and county of Honolulu. And that covered everything from first responder communications, all the way down to our wire line and wireless networks, our phone systems, our credit card processing systems, anything that had to deal with security. Anytime the issue of security came up, those were the things that we put on the list.
CHABROW: What is the advantage of looking at physical security and virtual security at the same time?
BRUCE: Well, that's a great question. We took an entire enterprise-wide approach, when we looked at the city and county of Honolulu. The City is the 12th largest city in the country. Not many people realize that. We are isolated, in the fact that we are sitting on this island in the middle of the Pacific. It's not like I can pick up the phone and one of my neighbors in the next county, or state, can come over and help us out. We had to take a look at an enterprise-wide solution. And, when you look at an enterprise-wide solution, you can certainly take a look at costs, and how you can manage those. You can look at standards and how they can be deployed. And, the thing that we found one of the most challenging is the procedures, how the various disparate agencies can come together and work together and set up standards and processes across all those agencies. The city and county of Honolulu, we're in practically every business you can think of, whether it be revenue production, tax collection, we manage the zoos, golf courses ... We are the only city and county in the country that runs driver's licensing and motor vehicle registration for the entire state. The economies of bringing all of those pieces together are key.
CHABROW: Can you cite an example of, whether it's the standards or processes where cybersecurity and physical security are similar, or the same?
BRUCE: Well, I'll use recent projects that we've deployed. We, through access to a number of grants, back in 2006 and 2007, contracted out for a consultant to come in and look at an enterprise-wide physical security solution for the city and county of Honolulu. Their goal was to design a system, without selecting a vendor, that met our need. Once that was done, we brought in another expert, to take a look at what applications and what systems were out there, and identify, through the RFP process, a system that would meet our needs. And that system had to address everything from credentialing, who the person is, all the way to what door they are allowed to go through, in what particular building. All of that was laid out. Now that credential that we have created is a national standard. It's called 6201 HSPD 12 Credential. And we are rolling those credentials out now.
We've deployed the physical security systems in five waste water treatment plants, Fire department headquarters, Frank Fasi Municipal Building, City Hall, and the mayor's office, the Office of Transportation Services, which is the bus. We're going to be letting the contract to start rolling out the police department headquarters. Of all the strange things, to give you a sense of the system, we have surf lockers here in Honolulu. We actually rolled it out last week, at the surf lockers, to control what goes on at that particular location. All, an integrated solution set.
Now, the credential, as we roll it out, for the first responders, and for the employees, identifies what, from a cybersecurity standpoint, these individuals have the right to do. So, if there was an incident that occurred, and I come up to that particular incident, my credential, with a wireless handheld device, identifies me as that person on the picture, there is a fingerprint read, and at the same time, it identifies what I am qualified to do. Am I hazmat certified? Am I certified in these certain areas? And it will allow or not allow me into that particular site. It really brings those two pieces of the physical security and the cybersecurity together.
People tend to think of cybersecurity like "Oh, what can my PC get access to?" That's just a piece of it. It gets deeper than just the device that's sitting out there on the edge. That's one of the pieces. The person is another one of the pieces. The network is another one of the pieces. The applications that are being run on that network are all of the other individual pieces. Taking the physical side, as well as the cyber side, and bringing them together allows an organization, especially like government, to take the disparate pieces, and run with the standards that are created, on a daily basis, so that we are monitoring, we are tracking, we are reacting, we are pro-acting to anything that may occur, not only from a public safety standpoint, but from a security standpoint, of the citizen's data and the employee's use of all of these systems that have been funded by the citizen.
CHABROW: How is this governed?
BRUCE: We govern it through two entities. The first entity was the one I mentioned earlier, the Public Safety Oversight Committee, which is now headed up by the Department of Emergency Management. The long-term plan under the mayor's direction was once public safety oversight was established, and all the programs identified and the plans put in place to move forward, was to create a department of emergency management that would oversee that. That has occurred. They oversee credentialing, physical security, first responder communication. So, they oversee the operations of that, if you will.
The other piece of the puzzle is the Department of Information and Technology, which is responsible for supporting all of those pieces. So, we support all first responder radio communication, 800 megahertz, microwave, we support Wi-Max, we support the WiFi, we support the physical fiber network that we have deployed around the entire island. We support the security systems that monitor what goes on on the networks. We support routers, the switches and everything else. We support 911. The 911 infrastructure, that's supported out of the Department of Information Technology, even though it is handled by police, fire and ambulance, as the consumer, or the user of the product, all of that information is supported by DIT. Instead of having to deal with multiple agencies and multiple players and multiple issues, we have kept it nice and tightly fit around these two entities.
CHABROW: Is there any other kind of relationship to other types of IT security with physical security? For instance, does the information that you deal with, credentialing, help in other aspects of IT security?
BRUCE: We are hoping to. As I mentioned earlier, we just started rolling out the new credential, that identification part. The long-term goal is now taking that credential and having readers on portable devices that will require this credential to be used to get access to the various systems. It is being able to take that credential and blend it into what is happening on our physical security side. We are constantly doing upgrades to the physical security side. Whether it be the network, whether it be the firewall or it be the applications that are being deployed onto the systems. They all have to be somehow brought together under a standard set of tools, which we have identified, and are in the process of once again doing continuous and additional upgrades to the "cybersecurity" pieces of this puzzle.
The cybersecurity part of this puzzle is probably the most complex of all of them, because of all the different pieces, whether it be from the edge all the way back to the core systems that we run, it's perhaps more complicated for us, in the fact that we not only, we run over two hundred different servers, that's on the Windows side, we have AIX boxes, we have mainframe, we have multiple flavors of operating systems that we are running. So, that whole cybersecurity soup mix, if you will, is in a constant state of change.