Bridging Silicon Valley and the Beltway
The forum is sponsored by the Security Innovation Network, whose chairman Robert Rodriguez contends ideas being created by entrepreneurs across the country can help the government battle cyber threats.
"If we do not look at new models, open innovation, partnership and collaboration models moving forward, the adversaries are going to break away at that wall and they are going to get in because they are out-innovating us," Rodriguez said in an interview with GovInfoSecurity.com (transcript below). "We are basically being out-innovated by the adversaries. They don't have to worry about corporate governance, privacy, budget, legal issues. They move at warp speed so there needs to be a balance between risk, taking some risk and being risk adverse."
Rodriguez, in the interview conducted by GovInfoSecurity.com's Eric Chabrow, assesses the current relationship between business and government in tackling cybersecurity challenges and the efforts by the Security Innovation Network to facilitate that cooperation.
ERIC CHABROW: What is the Security Innovation Network?
ROBERT RODRIGUEZ: Security Innovation Network is designed to bridge the gap between the Silicon Valley and the Beltway, to give the entrepreneurs a voice. I use the Silicon Valley and the Beltway as a metaphor, essentially not that all innovation comes out of Silicon Valley there are other centers of innovation in America, Silicon Hill, Silicon Prairie, Boston and the Wharf up in Wisconsin, etc. The Beltway I describe as the industrial military complex that Eisenhower warned us about when he was President.
I think we have a greater opportunity now to increase awareness of available technologies to advance the security field. The situation continues to get very series, if you look at the Google situation and the partnership with NSA (National Security Agency), some of the inherent procurement acquisition language and processes within the government and industry, system integration community, suffocate innovation and when we are dealing with a dynamic environment such as the Internet we can't wait two years or 18 months, whatever it is, to identify technology to advance in protecting these command and control systems in critical infrastructures. We are trying to give the entrepreneur a voice to raise awareness of their technologies to the industry, government and system integration markets.
CHABROW: When you say suffocate innovation, what do you mean by that?
RODRIGUEZ: I think that some of the language sets a common criteria and some of the antiquated language within procurement acquisition does not enable the early adoption of innovation or technologies into the government critical infrastructure, or command and control systems.
CHABROW: What do you suggest should be done about that?
RODRIGUEZ: Well, I think there needs to be number one, a greater awareness of available technologies in the marketplace. For example, a data point would be when the CTO of a large integration company came to the IT Security Entrepreneurial Forum at Stanford University last year and he met 60 to 70 companies and he had never even heard of over 70 percent of the companies. By having awareness of innovation in our country I think is a first step, increasing awareness of available technologies. I am not saying you need to marry that technology, but be aware of these companies that are bringing product to market.
CHABROW: You are suggesting the procurement rules that the government must follow are antiquated, but I guess they are designed in part to make sure that there is either fair competition or that there is no wrongdoing going on in awarding contracts. How can you provide for those protections at the same time as speeding up delivery of what could be innovative and very important products to secure government IT?
RODRIGUEZ: I don't know the history of how long the language has been around, I think they were designed when the Internet was not as pervasive and dependent as it is today. We are not talking about toilets and hammers here we are talking about a dynamic environment with the threats and risks emerging on a daily basis.
If we do not take a little bit of risk and we do not change some of the language, we are going to be in a very serious situation. The dependence on the legacy systems, which I understand and respect, because a government is a risk-adverse environment, and it has to be to a certain degree because it is all about mission readiness, mission assurance, everything from the command and control systems that support a war fighter to getting your tax rebate check or Social Security check out to American citizens and what have you. The 12-foot wall and the mote to me is a like a legacy system that you depend on; however, if we do not look at new models, open innovation, partnership and collaboration models moving forward, the adversaries are going to break away at that wall and they are going to get in because they are out-innovating us. We are basically being out-innovated by the adversaries. They don't have to worry about corporate governance, privacy, budget, legal issues, they move at warp speed so there needs to be a balance between risk, taking some risk and being risk adverse.
CHABROW: When you talk to the government, I don't know whether it is the GSA or other agencies, what do you hear from them and are there ways to speed up the process?
RODRIGUEZ: Some of the things that I am hearing from the intelligence community - and these are from high-level people - three points:
The usual suspects - contractors and integrators -- are coming in and I am going to assume here that maybe they are not advancing the field fast enough to keep ahead of the adversaries.
The second point that they made to me is that they wished that they had greater awareness of companies at an early stage so they could then shape to mission need. Sometimes, the companies that they come across are too mature and too robust and down their path that it is too costly and just not effective to alter to a unique infrastructure within some of these government agencies.
The third point is they are starting to look outside of the box. They know that the existing technologies, architecture and what have you, is they are having challenges so they are looking for new models. They are starting to look at innovation across America and not just so much in the industrial military complex or the Beltway.
CHABROW: You mentioned innovations that could be available to government and you mentioned possible entrepreneurs out there who would like to have their wares known. Please cite one or two examples of some entrepreneurs out there that might have good products for the government as it relates to cyber security and what those products are.
RODRIGUEZ: For example, someone in the intelligence community called me last month that they are looking for mobile device security products, technologies, software, firmware, hardware, to mitigate risks to the Android, the iPhone and the Blackberrys, so that is one space. The other space is cloud computing.
CHABROW: So you have a number of members in your alliance that are entrepreneurs that have solutions to these problems, these challenges?
RODRIGUEZ: Yes, yes. It is kind of like this Eric; I view it like the CISO (chief information security officer) of a corporation or a government entity will meet - let's talk about corporations, holding this rubber band that is a half-inch thick and at the other end of the rubber band are the business enablers, executives driving revenue and they are going to more unchartered waters such as cloud computing and VoIP (voice over Internet). The CISO is saying time out, hold on, before you go into this arena let me see if I can't cure what we have today and that rubber band is getting stretched from a half inch thick to an eighth or sixteenth inch thick and I am concerned that it could break because we are not really securing the existing infrastructure and command and control systems as we go into these other business processes, business enabling types of technologies.
How do you secure the Internet, something that we really don't understand fully and if we did understand it fully we would be able to probably secure it better. It is like the Wild Wild West or sea; you know the first laws of sea came in 1609 by the Dutch and look how long it took to understand safe harbor, 50-mile zones, etc. The Internet is only 40 plus years old.
CHABROW: So how would you characterize the current relationship between government and business in developing solutions to cybersecurity?
RODRIGUEZ: The government is starting to welcome and embrace small business more than ever, and in particular in the cyber domain. They are understanding the importance of partnering and collaborative models. If you look at some of the public/private partnership initiatives since DHS has been formed, before that we didn't have such entities. I am not saying that they are completely successful because these things take time, but we do have some leadership that believes in it. I mean Howard Schmidt is a big believer in public/private partnerships.
The ones that seem to be most effective are the smaller ones, kind of the asymmetrical model, cells for example, the FBI InfraGuard groups, the Secret Service Crime Task Force, within their own communities are having success and building that trust and relationships with private industry.
CHABROW: Despite procurement rules that may seem cumbersome, if there is an entrepreneur out there that does offer a good solution to the government for their cybersecurity needs and an agency understands that, do you think that they will be able to sell that product or service to the government without much problem?
RODRIGUEZ: I still think there are challenges. However, there are certain programs I think in the government from what I have heard that if they identify a technology that will advance a field more than others, or they don't have anything available in their tool kit that can address the problem, they will basically guide that company to adopt it in a faster and less cumbersome fashion.
Most of the companies are coming to the IT Security Officers Forum and want to partner with the government. In fact, 86 percent last year wanted to partner with the government but they don't know where, how, who, what and when to start. It is a very complicated process and if you told them to go to the NIST (National Institute of Standards and Technology) website or DISA (Defense Information Systems Agency) website you would go blind.
There needs to be some handholding by the integration community and contractors and consultants that understand that space. I recommend to the entrepreneurial community that they really don't try to figure it out but just partner with subject matter experts to try and expedite the whole process here.
CHABROW: If there is one thing that you would want government to do to help facilitate getting these processes and services from these entrepreneurs to government what would you want the government to do?
RODRIGUEZ: I would like to see them improve their ability to get the messaging out on their needs and requirements better. I mean how can you build to specific needs and requirements if you are not aware of them? That is number one.
Number two, I would like to see the government be more creative in terms of addressing the acquisition procurement process reform. Maybe there is leeway or guidelines that can be applied to the cyber domain. It is a very, very fast area so the old models don't work in this area, especially when we are being out-innovated.
The third point is I would like to see the government be more of an early adopter of technology.