David Helms of Salient Federal Solutions sat down with WashingtonExec to discuss cyber security, our nation’s critical infrastructure and mobile computing. Helms, leader of Salient’s Cyber Security Center of Excellence, has worked in the industry for over 20 years.
We also asked Helms about his company’s BYOD policy and “what keeps him up at night.”
WashingtonExec: Please tell us about your background and your role at Salient Federal Solutions.
David Helms: I’ve been involved in network and cyber security for over 20 years now. At Salient I lead our Cyber Security Center of Excellence where we develop cyber security technical solutions and services in support of federal and commercial customers. We have a team that’s built, in cooperation with the Air Force, the industry’s first intrusion detection system for IPv6 technology. Salient’s Assure6 IPv6 Intrusion Prevention System provides the ability to secure networks against this emerging attack vector.
WashintonExec: How have you been able to “monetize mobile?”
David Helms: Mobile computing is a significant part of the solutions we deliver to customers, and growing larger everyday. What we call “mobile” today is really the future of computing: appliance-like systems with ubiquitous connectivity, accessing cloud-based resources.
“In the end I think mobile is going to allow us to offer services in a much-expanded way to whatever their client constituents are. What mobile is going to do is make government data and government services much more accessible to the citizen, or much more accessible to the war fighter.”
WashingtonExec: Do you think that mobility is a way to save the government money?
David Helms: I don’t think that necessarily saves money, but I do think that does push the mission forward – whatever that mission might be. In the end I think mobile is going to allow us to offer services in a much-expanded way to whatever their client constituents are. What mobile is going to do is make government data and government services much more accessible to the citizen, or much more accessible to the war fighter.
WashingtonExec: How do you view BYOD in your own company?
David Helms: Salient’s BYOD policy allows our employees to use their personal devices while maintaining a strict separation from the enterprise IT resources. All computing platforms are targets for cyber attack; it’s just a matter of degree. Your security posture has to be layered and robust enough to still protect your corporate and client assets. Putting those types of investments in place allows our employees to leverage BYOD, but limit the impact on our corporate environment. I think BYOD is a great opportunity for us to separate personal Internet activity from work activity. Your work computer assets are going to be used for work, and since you have in your pocket or briefcase a phone or a tablet, you are just going to be expected to do your personal business on your personal device.
WashingtonExec: What is the biggest difficulty you have experienced when managing mobile assets?
David Helms: The problem with mobile devices right now is that since they are largely under the control of the user or the consumer, they are in charge of the updates. As a corporate entity it’s almost impossible to force them to maintain software updates. If the ecosystem doesn’t make that easy for the user, then that can definitely be a challenge for us. The Android ecosystem does not encourage and support installing software updates. The result is that the vast majority of Android users are not running up-to-date software. So even if vulnerabilities are identified and fixed, most Android phones never get updated and are vulnerable to a wide range of exploits.
WashingtonExec: Do you see developing countries having an easier time with establishing this kind of mobile lifestyle and environment because they don’t have the original infrastructure that we have to overcome?
David Helms: Mobile has been a huge win for U.S. technology leadership. The hardware may be manufactured overseas, but mobile computing is really all about the software. The impact of these software ecosystems is centered in the U.S. Their influence radiates outward to the rest of the world. Standards are being set here in the U.S. and then pushed out. I was in Germany and the Czech Republic about three weeks ago. It was pretty impressive to see the impact that the US technology has set on the world, in terms of our defining of the standards and expectations of these mobile solutions. The rest of the world is really following us, not the other way around.
WashingtonExec: What are some of the infrastructure issues that the United States needs to address for better mobile computing and/or security?
David Helms: The biggest challenge in mobile security is identity and trust management. We still lack a way of determining the identity of the user and system on the other end of that connection, regardless of their organization. We used to depend on perimeter security to separate the good guys from the bad guys, but mobile computing obsoletes the perimeter approach to security. And identity and trust management doesn’t just apply to users, but also to the trustworthiness of the operating system and software providers as well. In the end we are going to have to establish an environment where the users, the devices and the software they are utilizing are authenticated and trusted. That’s both a huge challenge and a great opportunity to innovate.
WashingtonExec: What keeps you up at night?
David Helms: I worry about nation-state targeting of our industrial control systems. The Stuxnet attack on Iranian uranium enrichment facilities demonstrated the effectiveness of cyber attacks when the objective is industrial sabotage. Similar industrial control systems are used to generate and deliver power across the electrical grid, run oil refineries and manufacture semiconductors, etc. The potential economic impacts of these types of attacks are of great concern to me.
I think we might be a little complacent because cyber attacks in the past have really been focused on information security and keeping sensitive data or users private or financial data secured. I think we are moving into a new phase where the possibility of economic sabotage as a war fighting technique is real. We are moving to a new stage of cyber warfare, and it’s much more about impacting our economic base. That really does have me worried. I don’t think we are taking it seriously enough.
WashingtonExec: What should the entry-level employee be doing to protect the infrastructure?
David Helms: First, follow the security policies. I know it can be frustrating, but they really are there to try to keep you out of trouble. Second, view every email and attachment with suspicion. It’s still true that phishing is the most effective way to penetrate an organization. Third, avoid doing personal Internet activities on your work machine. It’s so easy now with BYOD. Check your Facebook and Twitter and Gmail on your phone or tablet, and leave your work computer out of it.
WashingtonExec: How is biometrics changing the intelligence community?
David Helms: I think biometrics has definitely played a role, especially in the last two wars. We’ve used biometrics as a way of identifying people on the battlefield. From the point of view of intelligence collection and quickly identifying folks who might be operating under aliases, biometrics is really important. With regards to traditional cyber security using biometrics for authentication or identification – in those cases I think it’s going to play a role but I don’t see it as sort of a major new wave .For high value solutions with requirements that warrant that type of thing, sure; but I don’t think, at the consumer level or the general workforce level, that biometrics is going to be one of the major factors that we are going to be leveraging in the future.
WashingtonExec: What’s your favorite application or gadget?
David Helms: Oh, hands down it has to be my iPhone. My days are so packed that I try to make the most of every moment, and I am just straight-up addicted to podcast. When I’m not in a meeting or I’m not doing work, then I am generally listening to some technical or security-related podcast to understand what’s happening in my industry and my space. It is so integrated into every aspect of my daily existence that I can’t imagine how I ever ran my life without it.
WashingtonExec: Do you prefer to go out in D.C., Virginia or Maryland?
David Helms: I love living in Washington, D.C. The restaurant scene is great. We are always out looking for new places to try and new things to do. Salient is a young and explosively growing company, so spare time is not something we have a lot of around here. But when I do have any spare time, you will find me at a cafe or restaurant downtown, sitting across from my wife, intensely discussing something that has nothing to do with cyber security.
WashingtonExec: You’ve been in cyber security for over 20 years. What would you tell someone going into the field today?
David Helms: I would tell them that they are entering the field at a major transition point. The traditional enterprise boundaries are being blown away by mobile computing and BYOD and the speed of change in the challenges and the solutions required to meet them are accelerating. This is a great time to enter the field and have the opportunity to make a lasting mark on the future.