MeriTalk Q&A: RSA’s Carey Eyes Lessons Learned from Pandemic

Robert Carey, VP/GM Global Public Sector Solutions at RSA Security, has rightly earned the ability to take the long view of large-scale technology deployments across both the private and public sectors. He’s six years into a second private-sector career with previous stops at GDIT and Vencore since capping off an eight-year run as CIO of the Department of the Navy, and then Principal Deputy CIO at the Department of Defense.

We caught up with Carey last week as he was – like most of us – working from home, to discuss the Federal government’s quick turn to large-scale telework, what the government can do in the coming months to get ready for a return to more normal times, and most importantly how it can benefit from lessons learned to notch permanent gains in serving citizens. Here’s what he had to say:

MeriTalk: In the current climate, what can the Federal government do right now on the tech front to better sustain or improve service to citizens and to its work force?

Carey: As a retired civil servant, I’d say there’s quite a bit that has been done, and more can be. The first thing is to enable almost the entire agency or department workforce to serve from a distributed location, obviously now mostly at home. And that’s not as simple as it appears, because the servers that are set up to receive identity credentials and let somebody on the network from the outside are generally not scaled for that. The CIOs and CISOs have adjusted the network capacity for external access to this new normal very well.

This current mass-telework condition requires someone to think about further enabling identity access – employees have common access cards or PIV cards, but at the same time that doesn’t always get them into their application workspace. And whether we like it or not, we have been forced into an “everything-over-mobile” stage; that’s our reality today as opposed to just a few months ago. So connecting the workforce to their work, regardless of where they sat before, is paramount.

The second thing is you have to ensure that you have sufficient bandwidth in the networks to allow for both connectivity and for the workforce. So things like circuit capacity, 5G deployments, and resiliency in the network all start to come into focus here because Federal agencies may not have enough bandwidth or infrastructure to deal with millions of people now trying to get their citizen services through the internet. Cloud computing, as a platform, should be shining now, as it provides for scalable computing.

Continuity of operations planning (COOP), mission continuity, and business continuity are vital to success, and this pandemic has driven agencies to new levels of external users making the network even more important to mission success. Heretofore, this level of external access wasn’t planned for, but surely will be now.

MeriTalk: Beyond the government workforce, how about access to citizen services?

Carey: There are a lot of things that citizens will go to the government for that require identification of who you are. Many services are online today. Data requests, voting information, benefit information, etc. Currently, many transactions can be conducted online: for example, a state Department of Motor Vehicles can reissue your driver’s license, or license plate. Some of those things require “wet” signatures, too. I think the departments and agencies can now look at that list and decide, for example, do I actually need a wet signature for a certain transaction, or can I easily make available an electronic equivalent to complete that transaction. But there are probably many things that we could enable through an electronic equivalent within the government to ensure that the proper delivery of a service can be rendered, particularly during this time of change and different operating models. This will require careful analysis.

MeriTalk: What can Federal leadership and agencies do over the next six months, as the pandemic peaks and then winds down, to get ready for the recovery?

Carey: As a former DoD guy, we’ve said for years we can operate from anywhere, at any time, from any place as long as one has secure connectivity to the network. Well, we’re testing that model right now, of how to do business in the new normal, so let’s keep that moving. The lessons learned from this pandemic can make government MORE efficient. The Federal leadership can continue to deliver their services but then be sure to set time aside to reflect on how to improve.

Over the next six months, it’s also important to focus on bandwidth and network availability. This allows work to be done and services for citizens provided. It’s also important to accelerate the delivery of broadband services like 5G, because that provides connectivity from citizen to government services, or government worker to his/her workspace. And we know that nearly everybody has a smartphone, so let’s create a handful of “lite” applications so they can run effectively on a smartphone.

I can’t say everybody has a tablet device, and I can’t say everybody has a laptop or a desktop computer at home, or even broadband service at home, but I can say they very likely have cell service. So if I can ensure that wireless infrastructure needs are met in the next 6-12 months, the government is better prepared for executing COOP plans.

MeriTalk: What are going to be the valuable lessons learned over this six months to put in place later on?

Carey: So the whole point in this next six months is to record what was necessary to operate under this new “full telework” paradigm, and then implement those lessons learned. Additionally, how well did the agencies’ plans match expectations?

First of all, departments and agencies will need to do a lessons learned event and transition the results into the plans and more importantly the budgets, that’s key. Because we tend to just want to move on, and that’s the error – to just go back to the way it was. No one ever said this is not going to happen again. Departments and agencies should be prepared to operate like we are now.

The other thing is how we as citizens access services from the Federal government online. We need to review those things and expand as many as possible, get the risk of an online transaction down to near nil. Simple, easy to use, secure identity tokens are a must. That’s another area where I think we can do those things over the next six months. So we need to just make sure we imbue those learning periods back into standard operating procedures.

MeriTalk: Will our former ways of doing things just snap back into place, or are some changes likely to be more permanent?

Carey: No, I don’t think so, not for a while anyway. Something done for more than 30 days becomes a new normal … so the adjustment back … will be different. This “new normal” must incorporate the learning from this period. It’s critical to sit down and figure out what do we need to do better, what worked, and what didn’t work for some agencies.

I’m sure that some agencies were less prepared than others to transition to a telework workforce. We’ve been web-enabling services for 20 years now, and is everything available online for citizens? The answer is there’s a lot, don’t get me wrong, but when it comes to looking at what’s available versus what’s needed, I think each agency needs to be able to render some review.

For instance, if I’m a veteran, does the Veterans Administration provide all of the services it can online outside of those that require touch-service with a medical professional? Much is available now. It is really about doing a look-back, and sometimes we don’t like to do that. We tend to gloss over opportunities to conduct lessons learned, because we think we are pointing the finger at ourselves but in reality, we’ll learn much from this opportunity.

When I was at the Pentagon we had very well thought out COOP plans that included all necessary technologies to perform our jobs, should circumstances warrant. And we would practice that, we would exercise operating in a COOP posture for a day or two at a time to ensure we could, if required. It works, but it only works if you practice it. Agencies don’t necessarily practice these drills, but they’re invaluable and when a crisis actually comes you can transition smoothly and maintain organization resiliency.

MeriTalk: Given the tales of cloud-enabled services outperforming some of the on-prem infrastructure during the pandemic, what’s your take on cloud going forward?

Carey: Cloud computing is here to stay and the government is rapidly adapting to the opportunity presented. Cloud can be utilized for nearly everything, but CIOs and CISOs know that there must be a business case justifying investment in anything new. The U.S. government will operate in a hybrid mode for the foreseeable future, as it crosses over to cloud as resources and business cases permit. Cloud is especially useful when a requirement to expand and contract the network compute/storage requirements presents itself, like now. If you introduce enough “stress” you could easily overwhelm your standard on-prem stuff. Certainly, as long as you have the right agreements in place with your cloud service provider, the purpose of cloud is to flex when needed and then scale back down when not. Cloud is another powerful tool in the CIO/CISO tool box, and with proper security delivered via FedRAMP qualifications, departments and agencies can respond to spiking demands for network services more easily.

MeriTalk: What can your company do right now and over the next several months to better prepare the Federal government for whatever comes next?

Carey: RSA can and has done a great deal. First, we provide secure identity tokens to enable access to network resources from outside the network. The workforce needs an agile and reliable path into the network to ensure mission essential functions are operational. So the security of aligning identity to access to network resources is crucial right now because you need to be who you say you are. Also, given that the bad guys understand that the network is being taxed heavily right now, and the attack surface is greatly enlarged by all the telework resources, CISOs must be even more vigilant. RSA provides tools to enable network visibility, control and cybersecurity compliance through RSA NetWitness and RSA Archer.

And identity is really part of the cloud because if you get in the cloud, and everything’s in the cloud, and you’re not supposed to be there you can do a lot of damage, so the whole purpose of what we’re doing today is making that available. We’re doing free proof of concepts for customers who are interested in trying before they buy.

I wouldn’t say we are overwhelmed, but we’ve never seen a demand signal like this, say over the last four weeks. We have met needs of several sensitive customers, several large government customers, several state customers. There is definitely a recognition of identity in the whole sequencing of how do I get my services, or how do I get on the network to be able to provide services to the citizens, so that’s really the big thing that we’re doing today – cyber as a whole. There’s a lot of cyber attacks going on right now because networks are taxed. The cybersecurity tools that we bring to bear are getting a little harder look-see.

MeriTalk: Any final thoughts?

Carey: I’m a recovering Federal CIO, so it is satisfying to see that networks can now bear the stress, and to see a Federal communications infrastructure robustly supporting mission, even under unique demand of the pandemic. Sometimes it slows down, and sometimes we take internet speeds for granted until they’re not there. But frankly, it’s working. The country has slowed, but it hasn’t shut down, so I’m just pleased that it’s able to respond, through the “network”. And back to lessons learned, it’s comforting to know that the network is resilient enough to meet these new challenges … knowing you can surge and meet unprecedented demand, above and beyond normal operations.

John Curran
About John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.
