Lockheed Martin's Point Man on Fed Cybersecurity
Still, Croom sees the question of who provides the leadership as less important than the necessary cooperation of all parties to collaborate on securing federal IT systems and the nation's critical IT infrastructure.
"We all have knowledge and experiences that when shared make us better than we individually could be," Croom said in an interview with GovInfoSecurity.com (transcript below). "I clearly believe that information technology is a team sport, but teams need leaders. ... As far as I'm concerned, pick a place; Homeland Security is as good as any, and provides that leadership to provide that strategic guidance, to provide the rules of the road to set priorities. And, if it is done in a collaborative way with the other federal agencies, you'll see great progress, and as far as I know that is what they are intending to do."
In an interview, Croom discussed the:
Croom spoke with Eric Chabrow, managing editor of GovInfoSecurity.com.
ERIC CHABROW: Tell us a little bit about your job at Lockheed Martin.
CHARLIE CROOM: I've been with Lockheed Martin about 10 months now. I retired from the Air Force after 35 years. My last job was director of the Defense Information Systems Agency. Lockheed Martin hired me to assist in developing their cybersecurity strategy for the future. We do about 90 percent of our business with the federal government, both on the Department of Defense side and within the federal agencies.
CHABROW: What are some of the key research and development activities Lockheed Martin is doing in the area of cybersecurity?
CROOM: Thanks for asking that because I think it really is important. I see a sea-change in the way Lockheed Martin and other companies are going to address cybersecurity in the future ... because, and I can speak from experience, the government and most of us who are in the cybersecurity business, we deliver cybersecurity defense from a reactive load. As an example, a burglar enters the house, the alarm goes off and hopefully, at some time later, the police arrive to arrest the burglar. The question is, how long did the police take to arrive at the house? That is sort of the way cybersecurity is addressed. We have the intrusion, we may not know about that intrusion for some time, we finally discover it, we may take some time to develop a patch test and then implement the patch. But over that time period, the harm is being done to our networks.
This question of how do you get out from being a reactive mode to being a more predictive and more pro-active, and that is where Lockheed Martin is spending its research and development. We are investing millions to address the specific need of how to be more proactive and more predictive, so we can get ahead of that intruder doing lots of things. Some things that we already know about, and have been trying to do for years: end to end visibility and control of our enterprise. Automate the routine; if you can automate the routine, it allows people to do better and smarter things. We want to make sure we can automate configuration management compliance for every case and patch, etc., so that the human being can spend more time on the predictive and behavioral analysis, and we are looking at a lot of ways at doing this predictive behavior analysis, looking at data strains for anomalies and patterns. We want to provide indications and warning. Clearly, our job in our research and development is looking at, how do we eliminate the surprises? Once we can eliminate the surprises and improve the way we automate our processes, we add speed and cut down the time in which that burglar is in our house.
In the end - what we want as Lockheed Martin, a large integrator - we want integrative solutions end to end, we want proactive predictive services to eliminate those surprises and we want to ultimately end up with a resilient system so that the mission is always on.
CHABROW: That's talk a little bit about the partnership between the private sector and companies like yours, and the government in developing cybersecurity policy to protect the nation's critical IT infrastructure. Do you think the foundation is there to have that kind of collaboration?
CROOM: I think it is. That doesn't mean it can't be improved on. First of all, federal policy should not be developed in a vacuum. It doesn't come out well when that happens, because in the end the policy must work for all parties involved. Democracy is all about participation. It is up to the federal government to the get the ideas on the table, to encourage good open dialog and exchange of information. When they are doing that dialog, when you are talking about, for example, security the energy grid, a critical infrastructure, it's more than just technology. It includes best practices, it includes risk management decisions, it includes research and development, it includes training, it includes education. Many folks associate being a general in the military as someone who can just give orders and direction that people follow, but I found it more beneficial if I could provide incentives for those who I wish to do something, as oppose to ordering them to do it and expect it to happen. If we can help the government find some incentives for private citizens, for commercial industries to incorporate best cybersecurity practices and technologies, that would be the best road ahead.
CHABROW: Do you have any suggestions of what incentive from the government to business would be?
CROOM: Sure. There are all types of ideas floating around. I didn't develop them. But, let's take an example of one the government wanted folks to use: seatbelts in cars. They delivered a policy, and then all of a sudden you saw insurance companies delivering discounts on insurance policies if you used your seatbelt, discounts on your car insurance if you had anti-theft or special brakes.
This type of cooperation between the commercial industry and government, (you) can and should expect. A small business that wants a loan, maybe part of that loan requirement could be they have to meet a minimum set of cybersecurity requirements. Cybersecurity ought to be treated like we do our software builds and capabilities maturity model, where you have different levels of sophistication so that people can measure their progress. Certain incentives by the government to achieve certain levels within federal contracts, maybe capability maturity model of a level "C" could be required for certain businesses to enter into a contract. So yes, I think there are incentives that can be provided and encouraged all of us to do better in terms of cybersecurity.
CHABROW: Legislation before the Senate would give the Department of Homeland Security additional powers over other departments and agencies to develop cybersecurity policy at least among civilian agencies. Some critics say that gives to much power to DHS. Do you have a problem with that? Do you think that is a good idea?
CROOM: First of all, if you've known me or known my comments from my previous life, you would have heard me say over and over again that delivering information technology and the securing of that information technology is a team sport. And I truly believe that. We all have knowledge and experiences that when shared make us better than we individually could be. I clearly believe that information technology is a team sport, but teams need leaders. They need direction, strategic direction, they need guidance, they need policy, they need the rules of the game, they need to come to understanding terms of collaboration of what the priorities are, etc. As far as I'm concerned, pick a place; Homeland Security is as good as any, and provides that leadership to provide that strategic guidance, to provide the rules of the road to set priorities. And, if it is done in a collaborative way with the other federal agencies, you'll see great progress, and as far as I know that is what they are intending to do.