Rep. William Hurd’s IT modernization bill passed the House last week, moving it and the federal government one step closer to having not only a legal mandate but also dedicated funds for modernizing its aging infrastructure. Both federal and industry executives welcome the move, especially in the wake of the major cyberattacks that have occurred over the last few weeks.
Federal Communications Commission Chief Information Officer David Bray spoke to WashingtonExec members at an event earlier this month. “At the FCC when I arrived in 2013, it was never a question of could we wait or not to embrace cloud services,” he said. “We had to make the leap—and did.” He said the public will lose trust in the government’s ability to function if it doesn’t modernize soon.
But the government can’t do it on its own, nor should it, according to Bray. While it’s estimated that less than one-third of government agencies have adopted even one public cloud solution, he believes that number could more than double in the next two and a half years if agency executives are willing to step out there.
“We have shown it’s possible at the FCC, and other agencies can do it too,” Bray said. “In less than two years, we moved to public cloud and a commercial service provider. This move reduced how much we spend to maintain systems from 85 percent in 2013 to less than 50 percent today.”
Simple, Open and Automated
Maintaining legacy IT is less capable and more expensive than adopting modern cloud-based systems. The way forward, said Cisco’s Public Sector Cybersecurity Director Will Ash, is simple, open and automated. IT systems need to be simple to procure and install. More importantly, it’s simple to scale both capability and capacity on the cloud. Finally, it must be simple to manage.
‘The simplicity piece also addresses the workforce challenge,” Ash said. “If it’s simple to scale and to manage, that provides efficiency.”
The same is true of an open architecture in general. It’s easier—and cheaper—to add in different tools as needed. Bray predicted this would be a major disruptor for industry.
“You should get away from custom or proprietary code,” he said. “Custom code becomes expensive to maintain. You should only adopt it if you have no alternative—otherwise, look to remix commercial cloud services to meet your mission functions across the enterprise.”
From a security perspective, an open architecture is also highly beneficial. When everything is common across the security ecosystem, it’s easier to share data across the public and private sectors.
Finally, maintaining modern IT systems should be automated.
“Automating the integration of threat intelligence across an open architecture means as threats and vulnerabilities are known and addressed in one place, the entire architecture can be protected and you can block that particular threat everywhere,” Ash said. “If you put that all together, and you have an architecture that’s integrated, from the traditional IT infrastructure to the cloud—it’s important to have that entire continuum—providing effective security everywhere is critical.”
“In parallel to streamlining public service, we also need to establish a baseline ‘health of the internet’ that could inform both the private and the public sector,” Bray said. Currently, there are a number of threat information sharing systems, like the FBI’s’ InfraGard or the sector-specific Information Sharing and Analysis Centers.
“Those are human-dependent,” Bray said. “We need something that’s automated and in near real-time.”