This article was originally published by FedInsider.
CIOs often say that cybersecurity should be built into software and systems, and not thought of as a later add-on. In practice this ideal is seldom reached. But the National Nuclear Security Administration is in the midst of a three-pronged IT initiative to both modernize its infrastructure and get closer to having cybersecurity baked in.
Leading that effort is the NNSA’s new Associate Administrator for Information Management and CIO, Bob Osborn. His background seems to make him a perfect fit. NNSA is a quasi-independent agency under the Energy Department. But it has a decidedly military mission – safeguarding, testing and maintaining the readiness of the nation’s inventory of nuclear weapons. It also works towards non-proliferation by tracking down nuclear and radiological materials that could be used for weapons of mass destruction. Osborn spent 26 years in the Marine Corps, and before joining NNSA earlier this year, he was Deputy CIO of the Transportation Command.
“What really applies here is my understanding of the threats we face,” Osborn said. “NNSA’s defense programs and non-proliferation mission is aligned to DOD.”
As for the IT projects at NNSA, Osborn pointed out, “IT investments will result in cyber secure outcomes. We don’t distinguish between the two disciplines.”
The agency performs a number of IT-supported functions. Besides administration using unclassified networks, there are activities related to tracking the nuclear stockpile which, of course, are classified. Beyond that are computed-aided design and computer-aided manufacturing (CAD/CAM) functions for fabricating replacement parts for the thousands of warheads, some of which are decades old. Because various treaties ban the physical testing of weapons, NNSA scientists employ advanced supercomputers to model behaviors of exploding warheads.
“We have some of the most advanced supercomputing capabilities in the government,” Osborn said.
Osborn described three initiatives that build on one another.
- NNSA Network Vision, or 2NV, is an effort to move virtualized server environments into a cloud computing model.
- Joint Cyber Coordination Center, or JC3, is a joint effort with DOE to more closely coordinate intelligence and cybersecurity experts with the goal of improving response to incidents.
- Advanced cyber R&D will use the talents of DOE and NNSA researchers to better understand emerging threats and how to respond to them.
For 2NV, Osborn said the goal is to have at least two, and at most four, data centers which would act as NNSA’s private cloud. “We’re designing the architecture and migration strategy now,” Osborn said. “All the labs are server-virtualized. That makes it easier to move to the cloud.” He said the rough plan calls for cloud east and cloud west that would mirror one another as backups.
The effort will also result in a better enterprise view across NNSA, whereas now each of eight major facilities, while virtualized, operates its own infrastructure. “We’re now applying enterprise solutions on top of eight NNSA sites,” Osborn said. He added that the final data center locations have not been chosen.
Osborn also hopes to achieve an enterprise view – what he calls a single cyber view – of lab expertise through JC3. “The concept is, the constellation of labs does cool stuff in cyber. But we have trouble sharing.” The JC3, building on the unified architecture and supporting infrastructure of 2NV, will enable that single cyber view via a network operations center and security operations center.
Osborn said, “We need the 2NV architecture in place to have JC3, so we can have a common view of our networks.” That in turn will let NNSA “operationalize research and development of the labs into cybersecurity,” which is the third leg of the 3-pronged effort.
Stopping malware attacks involves, in part, using software tools comprised of multi-million lines of code against works and viruses containing a few dozen or a few hundred lines of code. In that sense, Osborn said, cyber defense is much like the asymmetric threats industrial nations like the United States face from terrorists with far fewer resources.
“But for this critical point: The Internet, unlike the physical world, is man-made. So it can be changed with the proper application of technology,” Osborn said. How to change it in light of cyber threats? Those answers can be found in the collaborative work of what Osborn called “the finest minds” in NNSA’s labs. He added, NNSA will coordinate this work with other agencies, including Homeland Security, the National Security Agency, the Intelligence Community, and with White House Cyber Coordinator Howard Schmidt.
Osborn said he is also looking ahead to virtualizing not just NNSA’s servers but also individual users’ computing resources, so-called desktop virtualization. This would take the form of thin clients and mobile devices accessing virtualized services such that when the end user device is disconnected, there is no persistent data signature left that could cause a cybersecurity problem. Device agnosticism and no left-behind image lower device costs and boost security, Osborn said.
Throughout this effort, Osborn said, he tries to keep the NNSA’s users in mind. He started his military career as a loadmaster for C-130 cargo planes, later moving to logistics positions, eventually at Marine Corps headquarters. As a logistics supervisor, he said, his knowledge of line users’ needs made for good guidance.
Similarly, as NNSA’s CIO, “I’ve been out to every site and looked at the mission. I can’t do the job as strategic advisor to the administrator without doing that.”
Thomas R. Temin is editor in chief of FedInsider and is also co-host of The Federal Drive with Tom Temin and Amy Morris, a weekday morning news and talk program on WFED AM 1500 in Washington D.C. This article was reprinted with permission of FedInsider.