A Look Back at the Decade: Government Tech Edition

With the closing of the decade, we thought it would be interesting to look back at the top technology headlines of 2009 and compare them to where the market is today.

Data on the Rise

Big news was the launch of data.gov in late May of 2009. The site was championed by the country's first Federal CTO, Vivek Kundra, as a way to enable citizens to access federal data. In addition to making the government more transparent, the hope was that the private sector could use the massive amount of federal data in research and to create innovative programs and solutions. The site launched with 47 data sets and as of the last reporting (June 2017) it now holds approximately 200,000 datasets, representing about 10 million data resources. Beyond these numbers, data.gov's impact has been significant.

Thousands of programs can point to the site as the basis for their development. More importantly, it launched a new way of thinking in government. Agencies stopped being as territorial about their data and slowly but surely became more open to sharing it with one another and with the public as they saw what innovation can happen with simple access. In 2019, the vision of data.gov expanded with the Open, Public, Electronic and Necessary Government Data Act, requiring that nonsensitive government data be made available in machine-readable, open formats by default.

Cloud First to Cloud Smart

In 2009 the Obama administration established the Cloud-First mandate that changed the way agencies looked at acquiring and modernizing their systems. Each agency had to look first to a cloud solution to see if it fit their needs better than a traditional on-premises or hardware-based solution. Email and communication applications were some of the earliest systems moved to the cloud.

While there were many concerns about the security of cloud, acquisition processes also proved to be a huge stumbling block. Because of the consumption model of cloud, traditional procurement language and processes did not "fit" this new technology. The FAA was an early cloud adopter, finding a way to acquire and manage cloud solutions for security, capacity, and application performance.

With minds open to cloud and administrative barriers removed, the government has moved from Cloud-First to Cloud-Smart, an evolution we've covered here on the blog.

Cybersecurity in Focus

President Obama issued a national cyber policy review in May 2009 that included 24 recommendations, including the need for a national cyber coordinator. Hiring for this position proved problematic and delayed the implementation of many of the recommendations by a year or more. Once the building blocks were in place, the government has spent the last 10 years getting organized around cyber defense and strengthening the nation's cybersecurity posture.

We've written here about the progress of the Continuous Diagnostics and Mitigation (CDM) Program in moving the government from identifying who and what was on their networks (and subsequently cleaning and tightening them up) to better reporting and proactivity related to cyber threats and incidents.

These are only three areas that have changed drastically in the last 10 years. There's also of course the rise of mobile and apps, the continued focus on improving government "customer" service, and the application of technology in the healthcare field. We'd love to hear your picks for the biggest tech or policy evolution over the last decade. Share your thoughts in the comments.

There is No Single Way to IoT

It is called the Internet of Things (IoT) - plural - for a reason. IoT encompasses everything from traditional IT devices like laptops and phones to next-generation technologies like virtual assistants (Alexa, Google Home) to previously unconnected technologies like TVs to everyday utilities like HVAC systems and even refrigerators. With this wide range of things, agencies are finding it difficult to catalog every IoT device, making the creation of policies and processes even more challenging.

Shadow IoT--connected devices that aren't managed or monitored by an organization's IT resources--is a real concern for IT teams. In one study, 90% of organizations found IoT devices on their network that they were not aware of. These devices can include fitness trackers, digital assistants, and smart televisions. Once these devices are identified, huge security challenges still remain, as many of them were not designed with security in mind. There is also such a wide range of devices and manufacturers that policies cannot be applied consistently across all of the different products and systems.

Even known IoT devices can provide security challenges and concerns. Historically, systems running building automation - lights, elevators, sprinkler systems, HVAC - were separate from the IT systems. Today, these Industrial Internet of Things (IIoT) systems regularly connect to external networks and introduce risk back into the agency networks. As a workaround, 45% of respondents in a survey of IoT leaders said they were deploying IoT devices on a dedicated network.

Small Event. Big Impact

As we begin to slide into the last quarter of the year and start planning for 2020, the human inclination is to go bigger and better next year. But we would challenge you to look at how going smaller can actually lead to a greater impact. Smaller events can deliver the same learning as a large event, but do so in a way that lets event organizers get closer to attendees and gives attendees a different way to interact with the content and with each other.

For context, we would define a small event as somewhere around 20-50 people. With this size, attendees have an opportunity to get to know one another and the presenters on a deeper level. This is helpful when you're looking to build better customer intimacy or when you are looking to gather feedback. A small group allows for more interaction and questions, so organizers can take advantage of the opportunity and build in plenty of time for Q&A. Attendees can get the lecture experience at any event, so set your event apart with increased access to and interaction with speakers and thought leaders.

Insider Threat Goes Mobile

Insider Threat has been a recognized attack and vulnerability vector for some time. In fact, one survey found that government IT professionals report that insider threats are at an all-time high. One source of this increase may be the rise in the use of mobile devices to access government systems. The main challenge in securing mobile access is ensuring that the person who owns the device is the one actually using it and the apps that reside on it. The portability and ease with which devices are lost and misplaced complicate security authentication efforts. But there are ways to mitigate this risk.

Agencies have looked to multi-factor identification to confirm the person accessing the system is who they say they are. This process includes combining two or more credentials. Typically this is something a person knows (a password), and something they have (an access card or a fingerprint). A practice growing in popularity as part of multi-factor identification is behavioral analytics (BA). This looks at how users typically interact with an application or device, analyzing things like browsing habits, message syntax, and even how they hold the device. If the behavior is out of the realm of normal, the system can lock that user out until they prove their identity another way.

Implementing these types of identity tracking and management is, of course, not without issue. The Department of Homeland Security is being challenged to put more procedures and policies in place to ensure its insider threat program doesn't violate employees' Fourth Amendment rights (protection against unreasonable searches and seizure).

There are many events in the coming months that include a deep look at insider threat and identity management to help navigate these security challenges.

Is IoT a Superhero or Villain?

The Internet of Things (IoT) is made up of webcams, sensors, thermostats, microphones, speakers, cars, and even stuffed animals. All of these connected devices can help individuals and organizations stay connected across geographic distances, keeping tabs on and managing assets from miles away. The data they collect can be combined with other data sets to create actionable advice for better management and service.

This holds incredible promise for local governments and federal agencies charged with maintaining safe operating fleets and facilities. There's also the application for improving the routing of field technicians as well as traffic flow in general. But, as every superhero knows, with great power comes great responsibility.

As with any technology, IoT standards need to be developed for effective and safe use as well as to enable interoperability. NIST has been working on defining standards and recently released Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, but no federal agency is currently claiming jurisdiction over IoT policy and rule-making. In this vacuum, the legislative branch is getting involved. This past November, the House passed the SMART IoT Act that tasks the Department of Commerce with studying the current U.S. IoT industry. A Senate bill was introduced to manage what types of IoT devices the government can purchase, ensuring that all IoT tech in government is patchable and has changeable passwords. Finally, states are even weighing in on the proper use of IoT in government. California passed the first IoT cybersecurity law, requiring device manufacturers to ensure their devices have "reasonable" security features.