tv The Communicators CSPAN October 15, 2011 6:30pm-7:00pm EDT
i certainly would not have started kevin o's in today's regulatory environment. today's entrepreneurs can be tomorrow's employers, but not if they have to cope with yesterday's regulations. that is why i propose, and sells legislation that will repeal this burdensome 1933 mandate. this way, entrepreneurs can go out and get the resources they need to create the jobs we need. this can and should be another area of common ground. the power of your voice is stronger than ever. you want to know that the american dream will exist for future generations. you want solutions to get people back to work. all told, the house has passed more than a dozen bills as part of our plan to get americans working again. unfortunately, the democrat-led senate has failed to vote on them. that is unacceptable. the president needs to get off the sidelines and get involved. the president needs to come off the campaign trail and get to work.
the president called on leaders in his party to follow the house. listen to the american people. stop pushing ideas we know will not work and pass these jobs bills. and to everyone listening today, let's seize this moment to build on our common ground and do what is right for the common good with a vision and hard work, but also with history as our guide. i believe our country can prosper in ways we have never seen before, by supporting individual freedoms and entrepreneurship. we can watch our country grow to new heights and restore the american dream. thanks for listening.
>> this week on "the communicators", we look at the future of cloud computing by the u.s. government. a member of congress and an internet executive discuss the benefits and challenges of the government easing towards cloud computing.
>> dan lungren is chairman of
the homeland security committee on cyber security. he is a republican of california and his subcommittee held a hearing on cloud computing. congressman lungren is our guest on "the communicators."
host: is cloud computing inevitable?
guest: it is already part of the mix. and one of the serious concerns i have is not that it is inevitable but the fact that we ensure that the security aspects of cloud computing are ahead of time and incorporated into this new computer world.
host: jennifer martinez of politico is a technology reporter. she joins us this week.
guest: the hearing was focused on, like he said, the security of cloud computing, and the federal government moving its systems towards the cloud. at that hearing you described
administration officials touting the benefits of the cloud as glass half full people. and then there was a gao official who was a little bit more skeptical of cloud computing and its security. and you described him as the glass half empty person. so the hearing is done and you have heard what folks have to say. so are you a glass half empty guy or a glass half full guy when it comes to security?
guest: you may recall at the hearing i asked, which glass do i have to pick up? i have to pick up both glasses. the reason for that is that we should not shy away from or somehow be afraid of cloud computing. it is a part of the advanced development of the computer world, as explained to me by people that are far more technically advanced than i am. at the same time, some would say, look, this gives us a greater opportunity to share our
data. well, if you've got a cloud that contains bits of information from a thousand sources, there is more capital investment that could be made into that cloud than they would do individually. and number two, they can keep up with it on an every-second basis and adapt more quickly the fixes that need to be done. i happen to think that makes sense. on the other side of the equation is, that makes this a greater target-rich environment. if i can go after one particular target instead of 1000 or 1700, isn't it more worth my time to do that? like everything else, there is a good and bad. what i have tried to advance was the idea that sometimes in the past, as we have applied computers to other models, command and control systems
running our electric grid, running our water systems, they were not initially engineered with the idea of security in mind. much of it was before 9/11. we would not think of someone wanting to blow things up just to blow them up, or to do damage for the terroristic psychological impact as opposed to gaining land or gaining a prize. and so, from that standpoint, we have had to do patchwork ever since. and we have done some pretty good work. the question is, do we engineer into our systems security from the beginning? i was pleased to hear from both the representative from the department of homeland security and the general services administration that they are building it into the system. that does not mean that it is easy.
guest: the two administration officials were talking about the
launch. and they were finalizing the security requirements for cloud computing services for the federal government to use, but that launch has been pushed back. that draft was released last year. it has been pushed back and pushed back due to concerns from stakeholders. does that concern you, that the launch has been pushed back? and also, agencies are still moving to the cloud, even though it is not finalized.
guest: we have to get it right. it would not do us very good in the long run for us to end up with an incomplete model where we ignored things that we learned going on. secondly, what i am concerned about is whether or not the different government agencies or departments have included this notion of security as they go forward. it is no excuse that one program is not available. they have an independent responsibility as far as running a government agency and
departments. if we are moving to a series of clouds or public clouds, that they do it in the right fashion. the third thing i would say is this -- there are different levels of data that would require different levels of security concerns and security application. and getting that right is extremely important from the very get-go. if you make a huge mistake with respect to the kinds of data, identifying it or, once identified, misapplying the security that needs to go to it, then we are in a huge mess that we have to dig our way out of. it does not bother me to say they are taking their time. it is government. i get frustrated, in part because my dad was one of those great people of world war ii, who landed on the beaches in normandy several days after d-day. they went from there to berlin faster than we're able to do most things in d.c.
i do not get the sense they are dragging their feet. i do not get the sense they have a less than urgent and sophisticated concern about security as we go forward with cloud computing.
host: what about the issue of turning over so much government data to private vendors?
guest: that is a very good question and one that we raised. we rely greatly on private vendors to begin with. we understand that. the other thing i would say is that the private vendors, frankly, are the ones on the cutting edge of new computer developments, both in terms of the actual transactional work they do, the competition that they do, but also with the security they do. and if we would totally rely on government-owned enterprises, frankly, we would be doing a disservice. however, what does that require us to do? it requires us to be concerned about proper vetting for their
employees, about proper understanding of physically where their operations are located. and thirdly, and this was brought up by mr. curran in his testimony, if we have particular types of security methodologies and procedures that we adopt in the federal government, we need to make sure that any vendor that we utilize is well aware of them, is understanding of how they operate in that environment, and therefore can apply the same things to the way they operate. then lastly, and i think most importantly, you have to have a level of awareness of what i call good computer hygiene. we have had private and public briefings, our task force on cyber security: 85% of the intrusions, the malware, the
unauthorized access to computer systems, could be avoided by good computer hygiene. by those of us as individuals, by our systems directors, by the network providers. and so, a major portion of that is awareness. and that is a general proposition to have. in terms of cloud computing we need to make sure that there is an awareness from the design phase, but also in terms of those of us that will operate within that. whether we are in the government sector or private sector, that we understand that the computer hygiene will allow us to eliminate a good portion of the vast majority of those intrusions. and sometimes, when we do not get rid of that, that creates the clutter that makes it more difficult for our systems operators, for the federal government, for the private sector to be able to focus on the worst kinds of attacks that
we have on the system. so it behooves all of us to do that. that was one of the simple things i tried to stress at the meeting -- what is our level of awareness as we go forward with cloud computing, and how do we do a better job both in terms of regulating our computer operations but also, as we move towards cloud computing, how do we make sure we are anticipating the unique security concerns that may be involved in that?
guest: and with the public cloud vendors, we've seen a couple of instances in the past year where the cloud is not perfect. for example, amazon's service was down for a couple of days. that affected government public websites that were out for a little bit. and also, google said a year ago that some hackers had
compromised its system and taken some i.p. from it. that attack stemmed from china. does that cause you some concern?
guest: sure it does. if i had my own system where i control it, there is a sense of proprietary security there versus when i send it out to somebody else. i guess the best thing to analogize it to is if you are at home and you have to run your own batteries, or your own generator for electricity, that may make sense in the extreme situation, but overall it would be impractical. we buy energy off the grid. that means we use it when we need it. it is the same sort of concept with cloud computing. in that sense it makes perfect sense for government to move in that direction.
however, there are certain things that may never be able to be put on the cloud.
guest: like what?
guest: probably the most classified information that we have. health systems. we have to think through that in terms of how we provide the kind of privacy protections that would give the average person assurance that they are going to be protected. as some of the experts we had testify before us said, this is no different from when we moved from the small computer that you used -- they were the geniuses that were able to do that -- to moving to mainframes. then we moved to networks. now we move to cloud computing. we have to be smart about it. there may be some data you do not want to put on the cloud. then you have private clouds and
public and network clouds. and does it make sense to diffuse the information? it is the next stage in computing operations. we have to understand the security is wrapped into it from the beginning.
host: final question.
guest: so you have a cyber security bill that you are working on and circulated it to some folks in the industry. so when are we going to see that, and what is the main aim of that bill that you are coming out with?
guest: it should not be looked at as a bit of competition to the administration's proposal. i very much admire the administration for coming up with a comprehensive cyber security legislative piece.
i think there are things i like in it and things i do not like, but they made a good attempt. i would suggest that one of the things that would be somewhat different in terms of my bill, and i think generally the bills that are going to come up as a result of the republican task force effort on this, is that it would be less reliance on a heavy regulatory schematic from the government to more of a voluntary private-public partnership going forward. it is easy to say. it is much more difficult to articulate. if you look at our legislation, that is a key part.
guest: is the cornerstone of that bill that there is a non-profit organization?
guest: we are trying to figure out what is the facilitator that will allow the exchange of information public-private. one of the things we found is a lack of confidence going in both directions. so i do not have the exact
model. we have come up with the idea of a not-for-profit operation that is not federal or private, but is a consortium. and it is built on a design of cooperation, but it will rely on a sense of trust in the people that operate it. we are open as to whether it should be one or several for different sectors. if someone wants to put their name on it, that is fine with me. i want to get it going.
host: congressman dan lungren is chair of the subcommittee on cyber security. thank you for being on "the communicators". now joining us on "the communicators" is john curran. he is president and ceo of the american registry for internet numbers. and he has many years of experience in the internet industry. when you testified at the cloud computing hearing this past week, you talked about some of
your concerns with regard to cyber security and sensitive government programs. what are your concerns when it comes to cloud computing?
guest: absolutely. thank you for having me on the show today. when i testified, i focused on the fact that there are new aspects and old aspects to having the federal government make use of cloud computing. to some extent, the federal government has been using cloud computing or outsourced computing for years. many of the federal i.t. systems actually do not operate in federal data centers but operate in contractor facilities. so there is experience in using federal computing systems that are located outside of federal facilities and using contractors and using their services. that aspect of using cloud computing is actually well known and is something that the
accreditation framework that is used for federal systems is actually quite capable of handling. the nuance with cloud computing is that instead of using the outsourced facilities, we are using the public internet. and we are using clouds. it means we do not know the location of where the computing that we are doing is taking place. so i spoke at the hearing regarding some of the nuances of making use of the internet for doing cloud computing, for accessing cloud resources or vendors, and the fact that that raises a number of concerns. the concerns in particular are: the internet itself is a changing environment, and new technology is coming. we have to make sure the cloud keeps up with that. also, the use of the internet by the federal government is governed by government-wide initiatives. we have to make sure the cloud use of the government also
follows those initiatives for securing the internet. and then the fact that the cloud itself has capabilities for strong recovery of federal systems does not mean that we don't need to worry about the migration of data from one provider to another.
host: jennifer martinez?
guest: i just wanted to jump into one of the gaps you identified. and that was the migration of data from one cloud service provider to another. and i wanted to see, when the government is moving its service from one provider to another, how do we know that that information on the original provider is not still being stored, and they do not have that anymore?
guest: that is an excellent question, jennifer. if you think about the framework for securing federal systems,
there are controls that exist today that require federal agencies to do contingency planning. so if they have systems in three locations in the country and they lose a facility, they have to be able to recover in the other two. but the fact of the matter is that that recovery is all within one federal agency. when you switch to cloud computing, we know the cloud providers are very robust and have the ability to recover, probably more so in many cases than the federal government can, because they have many facilities distributed globally. and that is a good thing. the problem is, what if you have a cloud provider who has an irrecoverable compromise in its security? or shows for some other reason that they cannot be used? the problem that we face today is, there are no standards to quickly move data from one provider to another. yet this capability is required
for good, responsible contingency planning. it is not enough to simply say that there will be standards or they will be coming. a federal agency has to be prepared for the fact that a provider could fail in a way that requires a rapid transition. so we need those standards for migration of data and systems. and then we need to make sure contractually the cloud providers are obligated to work with those migrations, including clearing the data off their systems when they're done.
guest: and to that end, too, kind of backtracking a bit. since last december, the former obama administration cio spearheaded the cloud first policy, where he tasked all federal agencies to identify three services that they should use for the cloud. one of the services should make that jump within the year and the other two within 18 months.
are we moving to the cloud too fast? do you think we are putting security concerns second?
guest: i actually think we are moving to the cloud in the right way, but we have to pay attention to the details. if you look at the testimony of dhs's spires during the hearing, he identified how dhs is being careful about what it was moving to the cloud, and that it was using a private cloud for fulfilling its cloud first strategy. and it was limiting that to applications and issues that are predominately public already within dhs. that is the type of balanced risk-taking that is encouraged. and that should be encouraging other agencies. i think the short answer is -- we are moving aggressively. and i think that agencies should
continue to do so. but i think they need to do realistic risk management when they do that, in choosing which applications they move and how fast they do it.
host: john curran, if dhs is developing its own private cloud, is there going to be a tendency for all government agencies to develop a private cloud, thus nullifying the proposed benefits of cloud computing?
guest: well, in 2008, when the federal government did its inventory of i.t. systems, omb published some of the last statistics from that time. there were in excess of 10,000 federal i.t. systems. many of those i.t. systems were i.t. systems that operated with fairly high-risk and impact data, data that if it got out would hinder the opportunity of
the agency to operate. many of them were low or moderate risk. the moderate-risk ones are those that are suitable for the cloud. the program that has been developed by gsa, omb and dhs encourages looking at those applications. i think you will see private clouds, particularly for the moderate-risk applications, but there are many applications that are suitable for the cloud today. the public cloud offers all the benefit. i think it is good to make that evaluation of private versus public. in the case of dhs, they chose private for the initial. it does not mean all their applications will end up there.
guest: i wanted to ask you about, for example, one of the major cloud service providers, and that is google. about a year ago, they published a blog saying hackers had
compromised their system and had stolen some intellectual property in the process, and that attack had stemmed from china. so if google is able to be breached, and google is offering an array of cloud services, not just google, but other well-known, innovative tech companies are providing cloud services to the government, is that a concern when you have news of a breach coming from another country?
guest: i think the way to look at this is that it is true that cyber attacks are increasing. your communicators program has interviewed many people that testified to that. the fact is that we are seeing rapid increases in cyber attacks, and they are coming from all corners of the globe.
the federal government has formal structures on how to secure its systems, but even with those, there are federal systems with security issues. those are well documented in headlines. when you look at using a service provider who is a public vendor, regardless of who that vendor is, there are advantages and disadvantages. they are exposed and have to respond in a timely manner to a lot more security threats than are seen by any given agency and its security personnel. obviously a global cloud service provider may have more expertise and experience because of the exposure that they have on an ongoing basis. the countervailing view is simply that yes, it is true that
if a compromise occurs, it is necessary for the government to know where the data went and what it does about that. that is what the fedramp program specifies. it specifies a list of controls that specifies where the data resides. it looks at who is managing it and how it is backed up. and a long list of controls. by using public cloud providers that certify themselves through the gsa fedramp to be authorized for use, the government picks up the benefit of the cloud computing provider and their security experience as well as the list of controls they have accredited systems for over the last decade. it is not going to be perfect. and there will be issues. but we have to recognize that there is a benefit in using cloud providers because they have a visible public presence and they have a lot of experience.
host: one of the areas of your testimony was about emerging
threats to cyber security and cloud computing. what are some of those emerging threats? and are we thinking about things that have not happened yet?
guest: we actually are. i spoke about emerging threats and also about the evolving nature of the internet to secure against those threats. there are a number of initiatives that the federal government has launched, including domain name system security: the ability to know that the name is actually going to be mapped to an organization in a way you can verify. our current name system is not 100% locked down. the federal government has worked hard to make that happen. there is another initiative with ipv6, which is the new internet protocol. these initiatives are designed to secure the underlying nature of the internet. and we are making great progress in both of those
right now across the federal government. my testimony specifically referenced the fact that, as we authorize cloud computing providers, we have to make sure that they also have those federal initiatives, because they are designed to secure not just cloud computing providers but all of the federal government. so there are emerging threats, and what we are trying to do is make sure we have better authentication and better identity on where the cyber attacker is coming from. the ip version 6 initiative will get us there long term. we cannot exclude the cloud computing providers in the process of authorizing them to hold federal systems.
host: final question from jennifer martinez.
guest: the ranking member of the cyber security subcommittee asked the first panel, the administration officials, what type of data should never go in the