Commentary

Commentary: Energy Sector Cyber Threat Is Real; Greater Collaboration Is Part of the Answer

By: Christopher Burnham & Brian deVallance

This piece originally appeared in Homeland Security Today, October 9, 2018.

In June of 2017, when Wired magazine published a harrowing account of Russia’s hack of the Ukrainian electrical grid, it quickly generated broad discussion about the state of our nation’s cyber defense in the critical infrastructure (CI) sectors. But Washington is nearly 5,000 miles from Kiev, and Russia’s ability to take control of a Ukrainian power company through its IT helpdesk seemed even more remote.

Remote no longer. Dan Coats, the director of National Intelligence, recently testified before Congress that “the warning lights are blinking red again” and that “today the digital infrastructure that serves this country is literally under attack.” In March, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a joint alert of Russian cyber activity seeking to disrupt the energy and other CI sectors.

While much remains to be done, the U.S. is headed in the right direction on cyber. First, there is growing consensus about what constitutes basic cyber hygiene or cyber defense – for example, the Critical Security Controls from the nonprofit Center for Internet Security. In addition, following the release of the federal government’s National Security Strategy last December, the White House issued its new National Cyber Strategy in September.

Earlier this year the Department of Energy unveiled its new Office of Cybersecurity, Energy Security, and Emergency Response (CESER), and the Senate has confirmed cyber-savvy Karen Evans as the office’s first assistant secretary. Just last week, DOE announced $28 million in technologies intended to improve the cybersecurity of power and energy infrastructure.

At the DHS Cyber Summit in July, Secretary Kirstjen Nielsen announced the creation of the National Risk Management Center (NRMC), DHS’s intended home for collaborative, sector-specific and cross-sector risk management efforts to better protect critical infrastructure. It is significant that DHS is highlighting the need to continue to build and strengthen partnerships as a part of fortifying American cybersecurity. As former DHS Deputy Secretary Jane Lute has noted, we have not yet decided, as a society, the precise role that government will play in protecting our national cyber resources. This is consistent with DHS’s enterprise approach of needing more than a single federal department to secure the homeland. Instead, we need the active partnership of all of us: state, local, tribal, and territorial (SLTT) governments; federal and SLTT law enforcement; nonprofit best-practice providers; the private sector; and the American public.

Jeanette Manfra, DHS’s assistant secretary for cyber, provides a cogent roadmap: We need to “create this collective defense model, where we all provide capabilities, authorities, and competencies to make cyberspace safer.”

For their part, the various CI sectors have been diligent in working to combat cybersecurity risk. Some CI sectors, like the natural gas industry, have been investing millions in new technologies to improve distributed control systems, cloud-based services, and data analytics. Additionally, sector-specific Information Sharing and Analysis Centers (ISACs) have allowed for improved information sharing between industry and the federal government. Top ISACs include the Multi-State ISAC, the Oil and Natural Gas ISAC, and the Financial Services ISAC, among others. Other positive industry actions include adopting voluntary best practices like the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity; participating in cross-industry exercises like Grid-Ex, where CI sectors practice responding to cyber-attacks; and continually educating employees on the latest cyber risks and threats.

With the establishment of the NRMC, Secretary Nielsen has issued a challenge and an invitation: private industry and the various national security agencies need to work together to help make this cross-sector, public-private partnership model a successful approach to increasing cyber defense in critical infrastructure.

The individual partners are making progress. We must now work together to create a collective defense.

Commentary: DHS’ Big Data Integration Challenge

By Francis X. Taylor

This commentary originally appeared in The Cipher Brief, August 8, 2018.

Department of Homeland Security Secretary Kirstjen Nielsen recently traveled from Washington, D.C. to New York, with her senior team in tow, to announce the creation of the National Risk Management Center. It is intended to be DHS’ tip of the spear when it comes to information sharing between the public and private sectors about emerging, and sometimes urgent, cyber security threats.

In an opinion piece posted on CNBC, Nielsen said that the U.S. is not “connecting the dots” quickly enough and said “Between government and the private sector, we have the data needed to disrupt, prevent and mitigate cyberattacks.  But we aren’t sharing fast enough or collaborating deeply enough to keep cyberattacks from spreading or to prevent them in the first place.”

As DHS takes on a new collective defense strategy by putting a premium on public-private information sharing efforts, The Cipher Brief wanted to know a little more about how DHS itself stores and accesses the vast amounts of data it holds. 

Francis Taylor served as DHS’ Under Secretary for Intelligence and Analysis during President Obama’s second term.  One of his priorities was to figure out how DHS could better use data technology tools to increase its operational effectiveness.  It was an issue that he also had to tackle during his time in the private sector, where he worked as Vice President and Chief Security Officer for General Electric. 

Taylor shared his insights with The Cipher Brief, offering a better understanding of the current efforts within DHS to strengthen its capacities, especially at the enterprise level.  We also wanted him to explain what makes integration such a vexing task.

The Cipher Brief: Can you give us some strategic context around data analysis and integration?

Taylor: Data analysis and integration is critical to how we protect our country and our border. After 9/11 the discussion was about “connecting the dots.” Today there are trillions of dots of information that are available to help us understand what individual, organization or nation-state represents a threat to our people, our country and way of life. Much of that information comes from around the world and allows us to push our analysis beyond our border to regions across the globe. Not only must DHS integrate the data that it collects in the performance of its mission, it must integrate that data with other data from open source, our international partners, and the intelligence and law enforcement communities to have a full picture of the threats we face.

The Cipher Brief: What kinds of data does DHS collect and store?

Taylor: DHS is the third largest department of our government. DHS components comprise the largest number of federal law enforcement officers in our government and the department conducts its law enforcement mission worldwide. It interacts daily with (and collects information on) U.S. citizens, foreign nationals and U.S. and foreign businesses applying for benefits from the U.S. Government. DHS also collects data in conjunction with its law enforcement and security missions enforcing U.S. immigration and trade security regimes, immigration violations, citizenship, refugee and asylum applications, and trusted traveler programs. DHS stores all of this data in more than 900 unconnected databases and the information is kept in silos that are then accessed by the components to perform daily missions. Many of these databases were created long before DHS was established in 2003 and contain old technology that makes it difficult to update and integrate.

The Cipher Brief:  How does the issue of data overload negatively impact DHS’ mission to protect the country?

Taylor: I believe that DHS has all the information it needs to proactively defend our country, but the information that is collected is not available to the operators for data analytics that would improve their understanding of threats to our homeland.  The amount of valuable intelligence sitting in DHS data systems is staggering and would be invaluable to DHS and the rest of the U.S. government if it was better analyzed and shared with the appropriate stakeholders.

The Cipher Brief: What is the DHS Information Sharing Enterprise and how does the National Vetting Center (NVC) support the overall mission?

Taylor: The DHS Information Sharing Enterprise is embodied in the DHS Information Sharing and Safeguarding Governance Board (ISSGB), which is chaired by the DHS Chief Information Officer and the DHS Under Secretary for Intelligence and Analysis. All of the components of the Department are represented on the ISSGB. Unfortunately though, the ISSGB has been largely ineffective in moving the needle within the Department to improve information sharing across the enterprise. DHS component elements generally do not see value in integrating information across the enterprise. And there is little incentive to change this paradigm, absent dedicated funding for the enterprise and a clear prioritization of this integration from the Department’s leadership.

The NSC established the National Vetting Center (NVC) in DHS to serve as a focal point for all USG vetting to support travel and border security. It is a logical enhancement to CBP’s National Targeting Center (NTC) that has developed and deployed significant capability in data analytics and integration that improves our understanding of threats to our travel and trade activities as well as our border. NVC envisions building on the NTC foundation to develop even more sophisticated tools and processes to vet individuals applying for benefits within our country. As the Obama administration was transitioning, former DHS Secretary Jeh Johnson asked all senior staff what we would have done differently, based on what we had learned during our time at the helm. My answer was that we should have moved ALL vetting for benefits administered by the Department to the National Targeting Center as a government-wide shared service. My rationale was simple: the Secretary of DHS is the one official in our government that has the final say over who is allowed into our country, but the Secretary does not own the process to ensure that the vetting is effective and continues to improve. I believe the NVC begins that process and will significantly improve how we make decisions across our government on applications for benefits.

The Cipher Brief: What is the state of DHS data integration and information sharing (i.e. HSIN)?

Taylor: The DHS Data Framework is a joint endeavor by the DHS CIO and Under Secretary for Intelligence and Analysis to build a data lake with the top 20 databases essential to the Department’s vetting and assessment mission. I understand the momentum of the data framework has slowed significantly. I also understand that CBP is driving the data framework as the next level of improvement in information sharing but that DHS headquarters support for the initiative is lacking.

The Homeland Security Information Network (HSIN) continues to be the most effective system for DHS to communicate with its state, local, tribal, territorial and private sector partners. But it has real shortcomings.  It needs continued investment to make it more a data sharing platform and not just a communication platform.  HSIN does not allow for data searching and online queries.  This needs to change if the system is to continue to be valuable to DHS stakeholders at every level.

The Cipher Brief: Why is creating DHS-wide searchable data stores so difficult for the Department? Would DHS benefit from a data integration acquisition and standards czar?

Taylor: Most law enforcement organizations are organized to pursue investigating and interdicting wrongdoers. It is the most important aspect of the mission, and I share focus on these priorities. However, the absence of an integrated data system denies DHS components and others the ability to fully exploit the information stored in Department systems. This is inefficient. The lack of an integration function at the headquarters level makes fixing this shortcoming harder. The original vision for the Department was to have little centralized control of operations and to keep operational power within the components. Each DHS component approaches its missions from its own narrow organizational mission perspective. The components have built processes and procedures from their individual operational perspectives and not from the perspective of how these procedures can be more effectively integrated to meet the collective mission of the Department. Add to this the fact that budgeting and oversight of the Department is controlled by more than 80 Congressional oversight committees and you can imagine the dysfunction and disincentive to collaborate.

The Cipher Brief: Finally, how do blockchain, advanced encryption or other types of algorithms increase the likelihood of safe data sharing across the DHS Information Sharing Enterprise?

Taylor:  All of the new information analysis technologies will greatly improve information sharing in the Department. Some of this technology is already in use in some of the components; yet it is not systematic and does not optimize the use of these technologies.

Commentary: National Vetting Center a Needed, Not Controversial, Security Asset

By Francis X. Taylor

This commentary originally appeared in Homeland Security Today, June 11, 2018.

For decades the U.S. has screened and vetted those who wish to enter the United States or apply to come to the U.S. as visitors, immigrants or refugees. While technology and threats have changed, what has remained the same is the need for our officials on the front lines to have the most up-to-date and accurate information to decide who should or should not be allowed to enter our country.

To that end, earlier this year the National Vetting Center (NVC) was created to strengthen, simplify, and streamline the complex, ad hoc, and sometimes inefficient ways that intelligence is used to inform operational decisions related to screening and vetting. Despite the hype, I believe the NVC should not be viewed as part of the heated national debate on extreme vetting. Instead, the NVC should be viewed as the continuing improvement of effective security processes to improve the security of our travel, immigration and trade infrastructure. Specifically, I believe there are three added benefits to the government and to America’s overall national security posture with the launch of the NVC.

First, the practices and procedures that the U.S. government uses for screening and vetting must be dynamic and continually evolve in terms of throughput, redress, privacy, and accuracy. The NVC is a positive step in that direction. Following the 9/11 terrorist attacks, the U.S. created a system to better protect the homeland against potential terrorists. Lessons learned after each attempted terrorist plot since 9/11 caused the government to incrementally mature the system but never fully institutionalize these best practices in one organization.

While U.S. intelligence, law enforcement and security professionals continue to scour the globe for transnational criminals, spies, drug smugglers and weapons proliferators trying to enter the country illegally or with bad intent, the NVC can serve as a single place to analyze a broader set of applicable government information – with the right privacy regime to ensure that the right analysts have access to the proper information at the right time.

Second, I believe the NVC is a smarter use of the government’s existing knowledge, expertise, and money, as well as a realization of the post-9/11 mission to connect the dots of those transiting to the homeland for nefarious reasons.

Threats are not the only thing that have changed since the turn of the century. Technology has clearly evolved at a near exponential pace. Through the NVC, federal agencies will have the ability to use the NVC’s tools and analytic programs in a consolidated, efficient, and streamlined fashion with greater accuracy and speed than ever before. This approach would allow for secure information sharing at a volume and speed that was not possible just five years ago.

Through the creation of the NVC, the U.S. government will have an agile center that can evolve as the threats to the homeland evolve. The threat picture is ever-evolving and the government needs to move quicker to counter the tools that our adversaries are using. Today’s technology will allow agencies to maintain control of their data and permit it to be accessed securely and only by those with the right and proper authorities for the purpose of a specific, legally authorized screening mission.

Finally, the NVC will allow for better coordination and collaboration. Right now, agencies are screening and vetting people properly and with much success – the system is not broken. But we can do it better. And we can expand the work beyond the counterterrorism-only focus of the past 17 years. The NVC will allow for a “task-force” approach to these activities rather than the ad hoc mechanisms that currently exist. Co-locating vetting analysts from different agencies will allow these trained professionals to collaborate, share information where appropriate and access the expertise that resides within each agency to make better, more timely and more informed decisions – including redress decisions. And this scalable model will provide agencies the flexibility to meet the evolving threats we no doubt will face in the coming years as terrorists, criminals and others change their tactics in an attempt to evade the latest vetting protocols.

As the former Under Secretary for Intelligence and Analysis at the Department of Homeland Security (DHS), I helped to tackle these same issues while serving in the last administration. I commend DHS for picking up where we left off. And it is my hope that they can build on our path to strengthen this capability with the right outcomes from the start.

It is important that the NVC is a government asset and does not belong to one department or component. It is also important that the NVC is a truly joint facility that allows assignees from across the interagency to collaborate, co-train, and fuse intelligence and experience within the art of screening and vetting. I wish the first director of the NVC my very best: This problem is not insignificant and yet the solution is ever-critical to the protection of our homeland.

Commentary: Firewalling Democracy: Federal Inaction on a National Security Priority

This piece originally appeared in The Hill, January 31, 2018.

January marked the first anniversary of the U.S. Department of Homeland Security’s designation of elections as “critical infrastructure,” placing them into the category of other physical or virtual sectors — such as food, water and energy — considered so crucial that their protection is necessary to our national security. Naming “elections” as a critical infrastructure sub-sector was a key action taken by then-Secretary Jeh Johnson following an Intelligence Community report about ways Russia sought to meddle in the 2016 elections via a variety of hacking tactics aimed at election offices, voter databases and our larger digital democracy.

At the time, I was serving as DHS Under Secretary for Intelligence and Analysis — and I was encouraged greatly by the critical infrastructure move. Voting administration is a state and local responsibility, but these entities often are overburdened, under-resourced and not exactly versed in Kremlin-based cyber crimes. The announcement reflected a new reality that election security is national security — and it provided enhanced capabilities for the feds to coordinate on election cyber threats.

However, since that optimistic moment 13 months ago, there has been unwillingness at the highest levels of the federal government to act.

On Capitol Hill, it’s taken a year for the Secure Elections Act (S. 2261), to be introduced. Although a positive first step toward ensuring that states have grants and other support to protect their voting systems, the bill’s future is unclear beyond the six bipartisan co-sponsors backing it.

At DHS, scores of mid-level staff — especially within the National Protection and Programs directorate — are working to answer state and local election officials requesting cyber assistance, while at the same time gathering what limited resources exist to prepare for 2018.  But these folks are operating minus top cover from the White House or other cabinet-level leaders, many of whom continue to eschew that Russia is a concern altogether.

As I consider possible reasons for this federal lack of leadership, it appears the fear of attaching oneself to the politics of the past election — rather than tackling the real challenges of the upcoming one — emerges as the most plausible explanation.

For one, it’s not for lack of threat. The vulnerabilities within our democratic infrastructure are deepening every day. In June, DHS announced that voting systems and registration databases in at least 21 states had been the aim of Russian hacking attempts in 2016. Last fall, across the pond, the Brits laid claim that the same Russia-based Twitter accounts that targeted the 2016 U.S. election also employed divisive rhetoric to influence the Brexit referendum. Even as recently as November, news emerged that Russian bots flooded the Federal Communications Commission’s public comment systems — an important democratic forum for Americans to voice opinions — during the net-neutrality debate, generating millions of fake comments.

Federal procrastination is also seemingly not tied to lack of pressure. It is true that DHS’s initial offers for cyber assistance were not embraced by state and locals in past elections. But since last year, there’s been a backlog of requests pouring in. Meanwhile, local election directors such as Cook County, Illinois’ Noah Praetz, have taken it upon themselves to develop election cybersecurity plans, despite no federal backing. Even the hacker community — traditionally allergic to Washington — has been raising the alarm on election security. For example, DEFCON, the world’s largest hacker conference, held an educational voting machine hacking demonstration last summer to show how susceptible election equipment is to cyber attack.

Finally, I surmise absent response is not a factor of the arduous process that is federal policymaking. Historically, when a national security threat to America is imminent, I’ve seen leaders act swiftly, honorably and without regard for politics. In this case, we have waning time to act: The 2018 election season is weeks away with primaries starting in March in Illinois and Texas. And when it comes to Russia’s goal of undermining democracy, they’re not likely to take this cycle off. Indeed, they will most likely apply the lessons of 2016 with a more calculated approach.

After 47 years working in national security — much of that spent in the military and federal government — I respect the evolving threats facing democracy today. Yet the urgent work at the state and local level to prepare for future elections will be insufficient if it is not fully matched and funded by the federal government.

With new leaders, including DHS Secretary Kirstjen Nielsen, assuming the helm, this is a moment to choose national defense over politics. A window, albeit closing, exists to support state and locals — along with mid-level civil servants — focused on the problem.

In the vital cause to reassure Americans that their democracy can withstand outside attacks, our enemies are counting on political division and chaotic discourse. I encourage leaders at every level to leverage the best of our national security resources, unite and then prove them wrong.

Francis X. Taylor, a senior advisor at the security consulting firm Cambridge Global Advisors in Washington, is the former under secretary for intelligence and analysis at the Department of Homeland Security. He also served as the former head of diplomatic security with the State Department and is a retired U.S. Air Force brigadier general.

Commentary: Pensions should avoid politics and invest for the benefit of our workers

This op-ed, authored by Cambridge Global Chairman Christopher Burnham, originally ran in The Hill, December 10, 2017.

Why do public fiduciaries think they should impose their political agenda on other people’s retirement benefits? Is not the standard of care to manage public retirement funds with the highest return at the lowest reasonable risk? With more than 50 percent of all state pension funds significantly underfunded and at least five states, including my native Connecticut, facing imminent bankruptcy due to grossly unfunded state employee and teacher pension systems, why would both beneficiaries and taxpayers, who will be forced to make up those liabilities, want to politicize the management of the money? As I will also be a beneficiary in a few years, please manage the money without a political agenda.

When I was elected state treasurer of Connecticut in 1994, I inherited the worst performing state pension system in America for the previous 10 years. Within the first six months we fired the vast majority of money managers and indexed 75 percent of the portfolio. Yet, I was attacked for holding tobacco stocks in the portfolio, by virtue of the fact that we owned an S&P 500 stock index fund. I refused to play politics with the pension, particularly after 10 years of politics had relegated pension fund performance to the gutter. Instead, we focused on the highest return at a reasonable risk, and performance skyrocketed from dead last to the top 25 percent in the country, overnight.

Now a new era of activists, without any regard to fiduciary responsibility, is injecting politics into pension systems, yet again, by trying to make states, counties and municipalities across the country divest of shares in energy companies. Why would we seek to undermine the integrity of a secure retirement for our teachers and government employees? If they, individually, want to invest in activist funds, they should force states to move to a system similar to the U.S. government employee retirement system, or to a full or partial defined contribution system, such as Rhode Island recently did. Then retirees can make decisions for themselves.

However, to force a political agenda to be shoved into the investment of their retirement accounts is wrong, and a clear violation of fiduciary responsibility. Moreover, if you divest from energy investments, where do you stop? If you remove energy companies, why not remove fast food companies? How about booze, gambling and producers of sugary drinks? As a combat veteran, I am very grateful for the strength of our American defense industry and believe we should invest more in defense companies. Would everyone else agree with me?

Additionally, pressure is mounting on banks. Recently, U.S. Bank, the leading provider of financial products and services to the federal government for over 30 years, has ceded to these activist groups and announced radical changes to corporate policies, including ceasing its investments in energy infrastructure. Its management announced that U.S. Bank plans to stop providing construction for energy pipelines, although it has not announced that it will no longer service the major railroad carriers, which carry all of the coal Minnesota uses to produce over 30 percent of its electric energy needs. Fiduciary responsibility also means responsibility to shareholders.

We must not allow individual political and ideological agendas to break the special trust and confidence our government and teacher retirees should have in those who are elected or appointed to be the fiduciaries of retirement systems across our country. Unless mandated by law, such as owning shares in companies doing business in North Korea, there is no room for ideological agendas in the management of other people’s money, particularly our teachers and government employees.

Christopher B. Burnham is the former state treasurer of Connecticut, where he was sole fiduciary of the $16 billion Connecticut pension system, and former undersecretary general of the United Nations, where he was sole fiduciary of the $42 billion United Nations pension system. He is now chairman of consulting firm Cambridge Global Advisors.

Commentary: DHS Office Leading the Way on Federal Cyber Innovation

This article originally appeared in Fifth Domain, September 26, 2017.

By: Chris Cummiskey

It isn’t often that the words innovation and government find their way into the same sentence. When they do, it is often to decry the lack of innovation in government practices. Silicon Valley and other corporate leaders have long lamented that the federal government just doesn’t seem to understand what it takes to bring innovation to government programs.

One office in the federal government is having an outsized, positive impact on bringing private sector innovation to government cybersecurity problem solving. The Cybersecurity Division (CSD) of the Science & Technology Directorate at the Department of Homeland Security has figured out how to crack the code in swiftly delivering cutting edge cyber technologies to the operators in the field. Some of these programs include: cybersecurity for law enforcement, identity management, mobile security and network system security.

The mission of CSD is to develop and deliver new technologies and to defend and secure existing and future systems and networks. With the ongoing assault on federal networks from nation-states and criminal syndicates, the mission of CSD is more important than ever.

CSD has figured out how to build a successful, actionable strategy that produces real results for DHS components. Their paradigm for delivering innovative cyber solutions includes key areas such as a streamlined process for R&D execution and technology transition, international engagement and the Silicon Valley Innovation Program (SVIP).

R&D Execution and Technology Transition

One of the greatest impediments to taking innovative ideas and putting them into action is the federal acquisition process. As a former chief acquisition officer at DHS, I certainly understand why there needs to be federal acquisition regulations. The challenge is these regulations can be used to stifle the government’s ability to drive innovation. I am encouraged by the efforts to overcome these obstacles by federal acquisition executives like DHS Chief Procurement Officer Soraya Correa – who is leading the fight to overcome these hurdles.

Under the leadership of Dr. Doug Maughan, CSD has created a process with the help of procurement executives that swiftly establishes cyber capabilities and requirements with input from the actual users. They have designed a program that accelerates the acquisition process to seed companies to work on discrete cyber problems. The CSD R&D Execution Model has been utilized since 2004 to successfully transition over 40 cyber products with the help of private sector companies. The model sets up a continuous process that starts with workshops and a pre-solicitation dialogue and ends with concrete technologies and products that can be utilized by the operators in the various DHS components. To date the program has generated cyber technologies in forensics, mobile device security, malware analysis, hardware-enabled zero-day protections and many others.

International Engagement

Maughan often states that cybersecurity is a global sport. As such, many of the challenges that face the United States are often encountered first by other countries. Maughan and his team have worked diligently to leverage international funding for R&D and investment. CSD is regularly featured at global cyber gatherings and conferences on subjects ranging from international cyber standard setting to sharing R&D requirements for the global entrepreneur and innovation communities.

Silicon Valley Innovation Project (SVIP)

It seems like the federal government has been trying to get a foothold in Silicon Valley for decades. Every president and many of their cabinet secretaries in recent memory have professed a desire to harness the power of innovation that emanates from this West Coast enclave. One of the knocks on the federal government is that it just doesn’t move fast enough to keep pace with the innovation community. Maughan and the folks at CSD recognize these historic impediments and have moved deftly to build a Silicon Valley Innovation Project (SVIP) that is delivering real results. To help solve the hardest cyber problems facing DHS components like the Coast Guard, Customs and Border Protection, the United States Secret Service and the Transportation Safety Administration, SVIP is working with Silicon Valley leaders to educate, fund and test in key cyber areas. The program is currently focusing on K9 wearables, big data, financial cybersecurity technology, drones and identity. The SVIP has developed an agile funding model that awards up to $800,000 for a span of up to 24 months. While traditional procurement processes can take months, the SVIP engages in a rolling application process where companies are invited to pitch their cyber solutions with award decisions usually made the same day. The benefits of this approach include: speed to market, extensive partnering and mentoring opportunities for the companies and market validation.

Conclusion

Moving innovative cyber solutions from the private sector to the federal government will always be a challenge. The speed of innovation and technological advancement confounds federal budget and acquisition processes. What Maughan and CSD have proven is that with the right approach these systems can complement one another. This is a huge service to the men and women in homeland and cybersecurity that wake up every day to protect our country from an ever-increasing stream of threats.

Chris Cummiskey is a former acting under secretary/deputy under secretary for management and chief acquisition officer at the U.S. Department of Homeland Security.

COMMENTARY: A Political Surge is What's Needed in Afghanistan

By: Doug Lute

As the Trump Administration considers options to break the stalemate in the 15-year war in Afghanistan, it is important to look beyond military approaches. 

The roots of Afghanistan's problems require a political surge in support of President Ashraf Ghani’s government.

For too long American policy has fixated on the security situation and the military means required to address it. The military effort has been a shiny object that has captured our attention while the political roots of the war and potential political approaches to resolving it have been discounted, under-resourced, or even ignored. Military tools alone can sustain the current stalemate, but not reverse it. Adding a few thousand or even many more troops will not substantially change the situation. Ending the war primarily through military means is a mirage.

The security stalemate is a symptom of three inter-related political stalemates: in Kabul within the Afghan government, regionally with Afghanistan's neighbors, and ultimately between the Afghan government and the Afghan Taliban. First, weak Afghan governance, zero-sum politics and endemic corruption fuel the Taliban insurgency. The compromise that formed the National Unity Government in the wake of the disputed 2014 presidential election resolved the immediate political crisis, but the parties have been unable to move beyond narrow partisan interests.

Now key political milestones are on the horizon: parliamentary elections in 2018; presidential elections in 2019; and in 2020 the next installment of international funding for Afghan security forces, the civilian government and development support. Success at these milestones depends mainly on the Afghan government’s moving beyond stalemate, not on how many U.S. troops are on the ground.

Second, Afghanistan's relations with key neighbors are also stalemated, especially with Pakistan where Taliban leaders enjoy a safe haven, but also with Russia and Iran. For its part, U.S. attempts at regional approaches to stabilizing Afghanistan have not been effective due to competing, higher priority interests. In Pakistan, U.S. core interests include suppressing terrorist groups with trans-national reach including the remnants of core al Qaeda, internal stability in a country with the world's fastest growing nuclear arsenal, and the stability of the often tense Pakistan-India relations. 

U.S. interests with Russia focus on Ukraine, challenges to NATO, the crisis in Syria, and interference in democratic processes in the U.S. and other democracies. Our priority interests with Iran are her destabilizing activities across the Middle East including support for the Assad government in Syria, the implementation of the nuclear agreement, and the potential for military miscalculation in the Gulf. With China, too, though our interests in Afghanistan largely converge, we have interests more important than stabilizing Afghanistan. The net effect is that we have tended to discount regional approaches and focused on stabilizing Afghanistan from within, which cannot possibly work.

Finally, despite years of trying we have yet to gain traction on an Afghan-led political approach to the Taliban. The Taliban are not going away and will not be defeated by military means alone. The war in Afghanistan will end with a political settlement, not a military victory.  Some argue that recent Taliban battlefield gains diminish their interest in pursuing talks with the Afghan government and before talks we must dominate militarily. The security situation is actually stalemated with both sides suffering heavy attrition. We should consider anew with our Afghan partner what it would take to move towards a political settlement, using both military means and political compromise to improve chances of success.

In Afghanistan, the Trump Administration — like its two predecessors — encounters a case where political approaches will prove decisive in the long run. As in all conflicts, military tools are only a means to a political end. We should focus on what matters most: breaking the three political stalemates. What we need is a political surge. 

Douglas Lute is a former NSC official in the Bush and Obama Administrations responsible for coordinating US policy in Afghanistan and former U.S. Ambassador to NATO (2013-17). He is also a Senior Fellow with Harvard Kennedy School’s Belfer Center for Science and International Affairs.

COMMENTARY: The Message NATO Needs to Hear from Trump

By: Doug Lute

Last July, the 28 leaders of NATO’s member states met in Warsaw, Poland, to confront the most severe challenges to security in Europe since the end of the Cold War. A series of disorienting events began in 2014 with Russia’s illegal annexation of Crimea, a part of sovereign Ukraine. This was the first instance of using force to change borders in Europe in over 70 years. President Vladimir Putin had violated blatantly every agreement that had governed the long peace, including the United Nations Charter, the Helsinki Final Act, and the NATO-Russia Founding Act. A few months later Putin moved further, using the Russian military and covert means to sponsor separatist proxies and destabilize two key provinces in eastern Ukraine. Russia also challenged NATO more directly with an ambitious military modernization program, aggressive new doctrine, and numerous large exercises that violated agreements designed to promote transparency and stability. At the same time, to NATO’s south, the instability in Syria and Iraq enabled the Islamic State to declare a caliphate after seizing large swathes of territory including Iraq’s second-largest city, Mosul. Meanwhile, the largest mass migration since World War II arrived on the borders of Europe.

These events combined to stun NATO, bringing a sense of urgency to the summit. The 28 NATO leaders gathered at Warsaw were forced to respond to the most severe set of security challenges in Europe in over 25 years. NATO stood at a pivotal moment, faced with diverse challenges coming from outside the alliance.

Over the two-day summit, the program featured NATO’s traditional format: long sessions focused on discrete topics in which the leaders were all given the floor for several minutes. In these sessions, NATO members took decisions to refocus on collective defense, resetting deterrence for the new conditions in the East. To the South, they agreed that NATO had to do more to promote stability among the weak or failed states along its periphery. They extended support to Afghanistan where NATO had led the coalition since 2006, committing 12,000 troops and financing for Afghan forces. Closer to home, Ukraine’s president gave a firsthand account of his nation’s struggle against Russian aggression. To provide the resources required for all this, leaders reaffirmed their commitment to move toward providing 2 percent of GDP to defense. It was a full agenda, focused outward beyond NATO.

Late on July 8, President Barack Obama joined the other leaders, after a long day of travel and tackling a substantive agenda, for a formal working dinner. The setting was symbolic: they dined in the room where the Warsaw Treaty had been signed in 1955, setting up the 8-nation alliance led by the Soviet Union that faced off against NATO during the Cold War. Poland’s leaders were proud to point out the irony. While the leaders met alone for the dinner, a few key staff from each nation gathered tightly into a small adjacent room equipped with an audio-video link to the dinner room, modest sandwiches and too little wine.

The dinner was to focus on NATO’s relationship with Russia, its largest and most militarily capable neighbor. A vibrant discussion unfolded, making clear the diverse perspectives across the alliance. There was consensus that NATO’s attempt since the end of the Cold War to fashion a strategic partnership with Moscow had been hijacked by Putin’s aggressive actions. In response, some allies placed first priority on strengthening NATO’s defenses. Others were challenged more directly by the threats of terrorism, mass migration, and instability to the south. Some believed there were still areas in which to engage Moscow; others were skeptical. As the dinner discussion moved slowly around the large table, a compromise emerged. NATO agreed to strike a balance between strength and dialogue: the alliance would do what was required to deter Russia while also remaining open to dialogue to attempt to reduce risks. NATO would remain the mature, responsible player in Europe.

Near the end of the dinner — while those of us in the crowded staff room were counting the last interventions and hoping for brevity — came the most important message of the summit. Obama had spoken early and then listened to all the others. Many leaders lamented Putin’s actions and the Russian challenge to Europe, including disinformation campaigns and malign influence among domestic political parties. Some implied that illegal migrants, not Russia, posed the most severe threat and justified strong responses. At the end of a long dinner and a very long day, Obama unexpectedly raised his hand to speak a second time. He spoke without notes. He said that the United States would respond to Russia, but that the more severe threat to our democracies comes not from outside, not from Putin, but from inside our own societies. He said that xenophobia, anti-migration policies, and unconstrained nationalism could erode our democracies from within. He said that if we drift from our core values, we could lose all that has been built up over the past 70 years. This was not about Putin; it was about us. Everyone fell silent as the dinner concluded.

As President Donald Trump prepares to meet his counterparts for the first time at NATO headquarters in Brussels this week, it is worth recalling this message from a year ago. Troops, tanks, ships, and planes are not the core of NATO’s strength. At the core of the strongest, most durable, most successful alliance in history are its common values — democracy, individual liberty, and rule of law. Values are the glue that binds NATO’s 28 diverse nations together. Today these values are being challenged from multiple directions, including from the inside. Protecting these values is vital to America’s security and it’s a process that begins at home — in all 28 member capitals. This is again the message NATO needs to hear.

This article originally appeared in Foreign Policy on May 23, 2017.

CGA COMMENTARY: Why going small is not always the best cyber strategy

By: Chris Cummiskey, CGA Senior Advisor

**Note: This piece originally appeared in Fifth Domain Cyber, an affiliate of C4ISRNET, Federal Times and DefenseNews.**

In recent years, there has been a strong push in federal departments and agencies to emphasize the need for awarding contracts to small business. This strategy has been further reinforced by the Small Business Administration, which issues regular scorecards to show which agencies meet predetermined percentage targets for small business contract awards.

During my tenure as the acting undersecretary for management and chief acquisition officer at the Department of Homeland Security, I worked closely with our procurement teams to generate a string of “A” grades from SBA in meeting our targets.

Today, of the $13 billion or so DHS awards each year, about one-third goes to small business, while about a third each goes to medium-sized and large businesses. This has led to DHS being recognized as one of the leading departments in working with small business.

There are many places in government where a small business procurement strategy is efficient and effective, yet cybersecurity is not necessarily one of those areas. My experience is that government procurement and program officials are dedicated professionals who seek to craft the best acquisition approach based on the requirements. There are, however, a growing number of instances in cyber contracting where a shift to small business could have a detrimental impact. The pressure to meet small business goals, and the feeling among many that small businesses are more flexible and less expensive, have led to decisions, particularly with cyber contracts, to craft a strategy that is high-risk and counterproductive.

There are several considerations that need examination when crafting a successful cyber procurement approach. These include past performance, program complexity, scale, staffing and pricing.

Past Performance

Demonstrating successful past performance is a key indicator of future success in government contracting. This track record is an important consideration in evaluating which companies can effectively execute often complex federal cyber requirements.

Given the sensitivity and complexity of the cyber mission, it is essential that contracting officers carefully weigh past performance in their evaluation criteria. In this scoring process, well-established companies with extensive government experience will certainly have an advantage, but the resulting lower risk to the mission is clearly an important consideration given the cybersecurity climate today.

Program Complexity

Providing cyber defenses in federal agencies has become a challenging and complex undertaking. DHS has been tasked by Congress and the White House with protecting federal networks, while serving as the lead agency for sharing information with the private sector. These vital cyber missions are executed through programs such as Einstein and Continuous Diagnostics and Mitigation (CDM) and centers like the NCCIC and US-CERT.

There is only a subset of companies that have the necessary cyber technical capabilities, large-scale integration experience and processes to effectively run these types of programs.

Breaking cyber contracts up into smaller pieces for the promise of lower cost and more agility can sound promising, yet these promises often go unfulfilled. In reality, what most often occurs is that the government itself will need to integrate across the pieces, potentially compromising the cyber mission and stressing an already under-staffed government professional team. When coupled with other emerging technological advancements and qualifications, this will continue to be an area where small business will struggle to compete.

Scalability

Another area where small business will have difficulty in meeting requirements of the cyber mission is with scalability. Many successful cyber programs that start as pilots or trial runs eventually end up having to be brought to scale.

As an example, Einstein 3 Accelerated (E3A) started with a relatively modest number of seats covered, yet after the OPM debacle the political will materialized to bring the cyber protection to all 2 million seats in the federal government. Once the decision was made to expand E3A, there was little time to debate whether or not the vendors would be able to accommodate the request. Immediate action to rapidly scale the capability was an imperative.

Staffing

It is not hard to see that there is a shortage of skilled cyber employees. Professionals in cyber-related fields have many options today. They can work for the alphabet soup of government agencies that work the cyber mission or they can choose an often more lucrative track in the private sector.

Large government cyber programs need talented and capable personnel in the seats. Often, that means hiring private sector companies to assist with staffing and capabilities. This can be a very good option if the company has solid internal controls for maintaining high quality, cleared cyber staff who receive ongoing training. Small business often has trouble competing to attract and retain high caliber cyber talent.

Pricing

One of the regular arguments one hears about awarding to small business is they are just cheaper than some of the larger outfits. In some cases that may be true, but again, in most cyber procurements that may be an illusion.

A better metric for government cyber than Lowest Price Technically Acceptable (LPTA) should be Best Value. It is not unusual for smaller companies to lowball their pricing on an RFP with the hopes of winning the award. Once secured, they sometimes struggle to meet the contract deliverables, terms and conditions. This is a dangerous trap door for government procurement officials. They are often pressed to reduce contract cost, while not sacrificing functionality.

In too many cases, the government finds out too late that program performance has suffered due to an award to a small business that just can’t get the job done.

Conclusion

These observations are not meant to slam the small business community. There are plenty of areas in federal contracting where small business is the best choice. Unfortunately, large scale government cyber is not one of those places.

Past performance, program complexity, scalability, staffing and pricing all factor into sound federal procurement decision-making. At the start of a new administration, I hope the incoming teams of appointees will take a hard look at how federal cybersecurity is planned, procured and executed to ensure the best results.

Chris Cummiskey is a former acting undersecretary/deputy undersecretary for management and chief acquisition officer at the U.S. Department of Homeland Security.

CGA COMMENTARY: Kelly Lays Out Aggressive Agenda in GW Address

By: Chris Cummiskey, CGA Senior Advisor

In his first major address since being sworn in as the fifth Secretary of Homeland Security on January 20th, General John Kelly delivered a wide-ranging address today at the George Washington University, Center for Cyber and Homeland Security. His remarks were centered on the state of U.S. homeland security here and abroad and Trump Administration priorities of fighting terrorism, tightening immigration/vetting, cyber protections for Federal networks and management reforms.

As a former Acting Under Secretary/Deputy Secretary at DHS and a Senior Fellow with the GW Center, I was struck by Secretary Kelly’s full-throated support for the DHS workforce and his “commitment to have their backs” with Congress and other critics of the department. Calling on his 45 years of experience in the Marine Corps, Secretary Kelly made it clear that the department would enforce current law, however unpopular, and challenged members of Congress to have the courage to make changes if they don’t like the current state of affairs.

FIGHTING TERRORISM

Consistent with his former role as the combatant commander of the Southern Command for the Department of Defense, there was a great deal of emphasis on changing the playing field on which the U.S. fights terrorism. Just as former Secretary Jeh Johnson sought to pursue a Southwest Border Campaign Strategy, Secretary Kelly is seeking to push the fight against terrorism far beyond U.S. borders. I also was interested to hear about his prediction that we will be facing increasing coordination between terrorist and criminal organizations in coming years. He also talked about the challenges of thousands of fighters in Syria returning to their countries of origin, many with visa waiver programs with the U.S. He also acknowledged the challenges of confronting “lone wolf” threats and homegrown extremist activity.

IMMIGRATION/ENHANCED VETTING

One of the most dramatic numbers cited by Secretary Kelly was the 70% decrease in southern border crossings over the last ninety days. He referenced President Trump’s tough stance, not necessarily increased enforcement, as the reason for the dramatic decline. It was interesting there wasn’t any reference to building a border wall or the significant plus up (10,000 ICE agents, 5,000 CBP agents) that is being requested in the FY2018 President’s budget. I was glad to hear about his collaborative strategies with other governments and other Federal agencies in seeking to build economic strength in those areas with the most outmigration (Guatemala, Honduras, etc.). Secretary Kelly also defended new screening measures and the need for enhanced vetting of foreign travelers.

CYBER

One of the areas in the speech that was less specific involved defense of Federal computer networks. Secretary Kelly did say the White House has various task forces and a draft Executive Order on Cyber pending, yet he was more circumspect about DHS’s plans for reorganizing its cyber capabilities or future plans for the major cyber programs, Einstein and Continuous Diagnostics and Mitigation (CDM). These two major acquisitions have come under fire from GAO and the Hill in recent months. I am encouraged that Secretary Kelly has selected some able cyber professionals like his Chief of Staff, Kirstjen Nielsen, and former Microsoft executive, Chris Krebs, to advise him, yet the absence of a coherent acquisition strategy and a hardened internal bureaucracy continue to stifle cyber progress.

UNITY OF EFFORT

I was glad to hear Secretary Kelly say he is committed to building on his predecessor’s Unity of Effort strategy to further strengthen the department’s business functions. Newly confirmed Deputy Secretary Elaine Duke and Acting Under Secretary for Management Chip Fulghum will likely be tasked with gaining further acquisition and budget efficiencies in the coming months. As the Federal Times reported last month, the FY2018 DHS budget proposal seeks to fund increases in border security and enforcement by reducing the budgets of other DHS components like the Coast Guard, TSA and FEMA. This approach will be a tough sell with Congress.

CONCLUSION

Overall, I thought Secretary Kelly did a good job of laying out a clear agenda for the department in the coming months. The messages were not wildly different than those delivered by former Secretaries Johnson and Napolitano in their first months in office. The main difference for DHS is that for the first time you have an operator running an operational department. These days that is a pretty big deal.

Chris Cummiskey is a senior advisor at CGA, as well as former Acting Under Secretary/Deputy Under Secretary for Management, Chief Acquisition Officer at the U.S. Department of Homeland Security and a Senior Fellow with the George Washington University Center for Cyber and Homeland Security.