Every month, Digital Government Institute profiles an Education Advisory Committee (“EAC”) member. This month’s interviewee is Victor Robles, Chief of the Open Source Intelligence & Analytics Team, Army G-2 for Intelligence, who serves on DGI’s Cyber Security EAC. We hope you will join us on Thursday, May 31, 2018 in Washington, DC for the 11th annual Cyber Security Conference.

Victor Robles, CISO for Analytics, Insider Threat, and Open Source Intelligence, Army G2 (DAMI-IM)

How long have you been at your Agency and what do you do there?

I serve as Chief of the Open Source Intelligence & Analytics Team, Army G-2 for Intelligence. For the last 15 years, I’ve focused on document and media exploitation, including computer forensics. We’ve evolved to include open source intelligence—the advent of the Internet has greatly expanded our role. The US Army is leading the way with what it’s doing with Open Source.

What is the hottest topic being discussed at the Agency?

The hottest topics include Open Source Intelligence and the role the Army plays in getting into the Dark Web to help enable intelligence disciplines—integrating more and more with cyber. With respect to cyber, asymmetrical adversaries are using social media and computer networks for their command and control and information operations campaign; we help the community understand the implications of publicly available information and social media exploitation.

What will people at your Agency be confronted with in the next 3-5 years – what opportunities/hurdles (especially with respect to robots, chatbots, Artificial Intelligence, etc.)?

We are at the tipping point for the next evolution in Open Source Intelligence, described by environmental terms such as Big Data, Data Science, and Artificial Intelligence (AI). Our future will be impacted by AI; that derivative of AI, machine learning, enables us to perform predictive analysis. This environment is an unfathomably large, yet proven, source of information containing immense intelligence value. We are making efforts to better integrate with the science and technology communities that relate to AI. Rapid improvements in technology equip populations and nation states with an increasingly powerful means to share, manipulate, and generate publicly available information. The National Open Source Committee and Defense Open Source Council offer the intelligence and defense communities an enterprise solution by providing tools and training and promoting information sharing.

Our biggest hurdle is making sure everyone is working in an integrated way to use AI.

What is your funniest/fondest memory/What are you most proud of during your government service?

The brotherhood created by shared experiences in wartime creates a unique bond. This bond, as well as enduring memories, presents itself throughout a person’s government service career, especially when deployed. My fondest memory is of being able, when I was deployed, to bring technology into theatre that allowed us to save lives based on intelligence we collected and shared across the force.

What are your top three recommendations for others entering the discipline within government?

  • Ensure you have proper education and certifications for cyber, intelligence, etc.
  • If you desire to be in the Intelligence field, ensure you “keep your nose clean”
  • Make sure you have a passion for the work—that will drive you to seek additional knowledge and help the community grow

 

One of the great challenges faced by operators of any network is having confidence in their systems’ access management. Without truly trusted identities, systems and the information they contain cannot be trusted, which leaves agencies vulnerable. Given the enormous complexity of government’s IT ecosystem and budget processes, both are challenged by ID management issues. Identity, Access Management and Digital Trust are fundamental to any Information Governance Framework given their importance to security, as well as their (potentially positive financial) impact on electronic discovery costs. End-to-end information management must be married to end-to-end employee management to address Insider Threats, with “employee” defined as anybody given access to any system, device and/or information asset.

In a recent Market Connections survey sponsored by Unisys, survey respondents said external threats, mobile device use, and vulnerability patching were the areas of greatest concern in their respective agencies. Agencies are confronting these challenges via smart cards, endpoint security software, configuration management software, Network Access Control (NAC) solutions and more. Nearly two-thirds of the respondents felt identity management systems are very important to secure operations of their agencies.

The proliferation of connected devices, adoption of cloud computing, and digitalization—individually and collectively—are also challenging those responsible for Identity and Access Management to find solutions in a rapidly changing and evolving technology landscape. Government IT leaders need to ensure their Identity and Access Management teams are enabled to take advantage of the latest technological advances.

In the last few years, just about everyone has come to appreciate the importance of having strong cybersecurity. Confronting these ever-changing threats with limited budgets and, in some cases, very outdated information systems will keep many Government leaders awake at night. The efforts of NIST’s Trusted Identities Group are providing leadership and guidance that everyone in government can leverage to improve their cyber risk posture. Truly achieving Digital Trust will take government and industry support and enforcement of strict Identity and Access Management compliance. Our confidence in government depends on it.

FISMA History

The Federal Information Security Management Act (FISMA) was enacted in 2002 as part of the E-Government Act of 2002. The purpose of this legislation was to spotlight the importance of information security to the security interests of the country. The Act requires each federal agency to develop, document and implement an agency-wide program to provide IT security for the information systems supporting the operations and assets of the agency, including those provided by contractors. Since 2009, Digital Government Institute has provided FISMA training seminars 2-3 times per year.

There has never been a time when security has been more important, not just to government but to society itself. In our data-driven, globally connected world, economic security is national security. Government performs multiple functions and, in doing so, must appropriately protect its systems and data. It must also work with the private sector in critical infrastructure sectors. Given the incredible rate of technological advances and the consumerization of IT, government is struggling to keep up.

One security professional who has lived through decades of IT/Security evolution is Jim Litchko. Throughout his career, including time spent in the Navy and at NSA, as well as working in the private sector (now as a renowned consultant), he has always been on the cutting edge. Mr. Litchko created (and taught) the first graduate computer security course at Johns Hopkins. A few times each year, he leaves his home in sunny Portugal and heads to DC to share his expertise with attendees at DGI-sponsored FISMA training. Mr. Litchko’s goal is to decrease the complexity of security. Given the number of returning attendees, he must be achieving that goal. The training classes include students new to the subject as well as those with 30+ years of experience.

Important Documents

Two important documents covered in the course are NIST Special Publication 800-53 Rev. 5 (Draft) Security and Privacy Controls for Information Systems and Organizations[1] and NIST Special Publication 800-37 Rev. 2 (Draft) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (Discussion Draft)[2]—both of which have their next iterations delayed “due to the full integration of privacy-related material”[3] still being in process.[4] Mr. Litchko uses the NIST Cybersecurity Framework[5] as an outline for preparing System Security Plans. He prefers one document for Operations and Security—a Security Operations Plan—reasoning that they have the same goals and people should recognize the connection. The course will also cover Metrics,[6] relevant Frameworks (e.g., Risk Management Framework, System Development Life Cycle, System Security Engineering Framework, etc.), DHS activities (e.g., Automation such as Continuous Diagnostics and Mitigation,[7] as well as Trusted Internet Connections), and the cloud computing Federal Risk and Authorization Management Program (FedRAMP).

The course has been offered for nine years. The materials are regularly refreshed and guest speakers from NIST and DHS provide the latest . Last year’s Cybersecurity Executive Order seemed to provide a key ingredient previously missing—accountability at the Executive level within an Agency. Time will tell whether security has improved as a result of that enticement. Agency reports are due to Congress and the Government Accountability Office by March 1, 2018.[8]

For more information, visit www.digitalgovernment.com

[1] https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft.

[2] https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft.

[3] “Planning Note (1/8/2018): Due to the full integration of privacy-related material into key NIST publications such as SP 800-37 and SP 800-53, the original production schedule has been delayed. NIST will be working with the Office of Management and Budget (OMB) to establish a new schedule of deliverables for all publications undergoing updates and will publish that schedule as soon as it is available.” https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft; https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft.

[4] Planning Note from January 8, 2018 had not been updated as of February 7, 2018.

[5] https://www.nist.gov/cyberframework/draft-version-11.

[6] FY 2018 CIO FISMA Metrics Version 1.0 31 October 2017 https://www.dhs.gov/sites/default/files/publications/FY%202018%20CIO%20FISMA%20Metrics_V1_Final%20508.pdf.

[7] https://www.dhs.gov/cdm.

[8] M-18-02 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES Fiscal Year 2017-2018 Guidance on Federal Information Security and Privacy Management Requirements (October 16, 2017) https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-18-02%20%28final%29.pdf.