By The Open Group
In the digital age, whether an organization will experience a cyber disruption is not a question of “if” but “when?” Although disruptive events may be inevitable, organizations can be prepared with some strategizing and planning.
Eric Sweden, Program Director, Enterprise Architecture and Governance, for the National Association of State Chief Information Officers (NASCIO) addressed the issue of preparing for cyber disruptions at The Open Group Ottawa event in a talk entitled “Preparing for the Inevitable Cyber Disruption—Response Planning.” We spoke to him in about NASCIO’s mission, how organizations can prepare for cyber issues and the role Enterprise Architecture and standards can play in planning for disruptions.
Tell us a bit about NASCIO and what the organization’s charter is…
NASCIO is the National Association of State Chief Information Officers. It’s also, by the way, one of the founding members of the Federation for Enterprise Architecture Professional Organizations. These are the Chief Information Officers of the executive branches of the 50 states and territories of the United States and the District of Columbia. Our mission is essentially to build and contribute to government excellence. We’re touching on business processes, information management, technology policy—we’re a policy organization.
This organization has been around since 1969, and it’s a non-profit 501(3)(c) association. We are providing state CIOs and state members (we have a lot of activity with the staff of the CIOs) with a variety of products and services. We have two conferences a year, usually in the D.C. area for our mid-year conference, and then our annual conference is in other parts of the country. This year we’re going to Austin, Texas. NASCIO’s a network and resource for state CIOs, and we’ve got about 125 corporate partners—it’s a vast array of expert corporations that we tap into, and they contribute to the work we do for the state CIOs.
What’s included in the scope of NASCIO’s work with state CIOs?
We do a lot of Enterprise Architecture, and it’s hard to define what doesn’t fit into Enterprise Architecture. One of the interesting things about working in this field is that it touches every aspect of the organization. The way I like to define Enterprise Architecture is that it’s the memory and the conscious of the enterprise, so everything that we do within Enterprise Architecture is with that enterprise-wide view, and we are touching every aspect of the enterprise. That is a large portfolio in terms of scope—there’s nothing that doesn’t fit in to Enterprise Architecture.
The other thing I might mention is something I’ve used over the years—the Enterprise Architecture Value Chain. The idea is trying to distill down what is Enterprise Architecture at least from our point of view. And we see it as a complete view of the enterprise, as I stated earlier, so we’re saying Enterprise Architecture and enterprise planning is a management discipline for establishing strategic intent. That’s done through appropriate governance, organization, business processes, it’s through technology, but we always do that within a context.
So on that Enterprise Architecture Value Chain you’ll see the very first section is the environmental context—essentially, what’s going on in the world? What is our economics, relationships? What’s new in emerging technology and business practices? And what is going on in the greater environment that will then influence the next part of the chain? That’s continually changing—the next section has to do with understanding markets and opportunities—and the enterprise, whether its state government or profit-motive organizations, is going to have to make decisions on which markets and needs they’re going to address. You can’t do everything, so you have to decide what it is you’re going to address. And the third section is, once you’ve made that decision, you’ve got to have clear intent—what are we gong to do about this market and this need? That includes, how are we going to pull out of here some day? The exit strategy. Then once you’ve made that decision, you’ve got in that third section, specific actionable intent. And the fourth section is, what are the capabilities that we’re going to need to implement that strategic intent within that market or need within the greater environmental context?
All of these things are always moving, they’re fluid. That’s the enterprise, it’s changing depending on the circumstances it’s facing. And there’s another element to this—that’s how is the enterprise influencing the environment that it’s in? That’s a very important dimension, too—the enterprise will help shape the environment in which it exists.
What is NASCIO’s Cyber Disruption Response Planning Guide and how does it aim to help state and local governments with cyber threats and attacks?
The idea here is cyber disruption is a special kind of event—you might call it a subtype of a cyber incident, but it’s a very special kind of event.
We try to, in this document, distinguish what is a cyber incident vs. a cyber disruption.
A cyber disruption has a duration to it, a reach to it that is bigger than a typical incident. Where an incident might last hours, a cyber disruption would last days, weeks, months. Where a cyber incident might affect a certain application or certain small set of users, a cyber disruption has a bigger reach than that—it could affect an entire enterprise, it could affect a region, a city. The importance that we place on this in the first part of this document is differentiating a disruption—it’s very significant kind of an event. And we anticipate that it will probably be related to some major part of our infrastructure—power disruption, water, sewer, gas delivery, communications. I put a scenario in the front end of that report that describes loss of power and what happens if you find that you don’t have communications either, with no cell or mobile service. A very significant kind of event. According to the latest Black Hat survey, a significant number of cyber security professionals are anticipating just such an event.
That’s the significance of why this document is so important and we need to prepare for these events. This is a first version focused on governance and communication. We are presenting that message but we also put in a checklist. That checklist gets down to details like the back up generator for power. Do you have enough fuel? How old is the fuel? Where are you in terms of refilling your gas resources or whatever the fuel source is? Do you have back up for what ever communications are involved? In the case of state government, we may have to back up to using the state radio network.
Those are the kind of aspects included. The final part of that document is—and this is all Enterprise Architecture—there is a cross-functional process flow. How do these various functions that have a role to play (and we highlight those in the first part of the guide)—how do they interact? That’s the state CIOs, the governor’s office, National Guard, emergency management—how do they interact at various threat levels? We introduced this idea that an event may first surface with emergency management or the Chief Information Security Officer, and we may find that both functions are dealing with the same event at some point in the journey, so that brings up the importance of collaboration between the CISO and emergency management.
The purpose of the guide? Let’s get ready, let’s prepare, let’s put into play emergency communications, governance and let’s continue to mature and get better at this. Practice, practice, practice. Then we need to be better at working on a Version 2 which will be more on the process—the inner cross-functional process flow—a very important part of Enterprise Architecture and one of the key components of an Enterprise Architecture is, in fact, the process model.
In terms of preparedness, where are state governments today?
There was a recent survey done as part of Meet the Threats and the National Governors Association, a strategic partner of NASCIO, and most states have a cyber incident response plan. Thirteen states have a cyber disruption response plan, so more and more states are moving into this area and creating a cyber disruption response plan. We survey our states—every two years we publish a cyber security survey. We did the last one in 2016. Next time we’ll revisit this survey in is 2018.
More and more states are implementing a cyber disruption plan. More and more states are addressing strategy, governance, actually creating a cyber security strategic plan. There is more involvement of CISOs in projects and management initiatives and programs so we’ve been proposing to get that security function on the project team early on so that we’re baking in security and it’s not an after thought.
In terms of the type and scope of possible disruptions how broad is your planning?
The scope of the first guide was in fact a discussion because we had been wondering if we needed to look at a national level, but that’s too big. I worked with the state CISOs from across the states and territories and that scope’s too big. We’ve got to get there and that is being addressed through the Department of Homeland Security here in the U.S. But for this first guide we decided to stay at a regional level, so there are regional collaboratives in place and we’ve stayed at the level. When you look at the circle of governance, which will be presented at the conference, this is a state or regional scope. It’s hard to determine because the scope just keeps going and going, so we had to start somewhere and we decided let’s start there and eventually it will have to be expanded, of course.
With some of the recent hacking attacks across the globe, such as the attack in the Ukraine a few weeks ago that quickly spread around the world, and with the hacking into state voting systems during the last U.S. elections, how vulnerable are states to outside attacks?
I think you could look at the surveys we publish here—our cyber security survey, for instance. We talk about a variety of threats—there’s threats that originate internally, externally, threats that originate with business partners, threats that originate within applications—in terms of vulnerability, everybody’s vulnerable.
The other part of this is that the threats continue to grow in sophistication. In our 2014 survey we showed the growth and sophistication in the types of things that are showing up, such as ransom ware, which is extremely destructive. It’s a moving target. The vulnerability will always be there, and we’ll get better and better at preventing, uncovering, defending but we’re always in a defensive posture. The environment continues to change. At the time we wrote that report, we called 2014/2015 the year things doubled. Everything doubled. The number of threats, the sophistication, the cost of cyber events doubled. Is that going to continue? Yes, it will just continue to get more and more challenging over time.
Everybody’s vulnerable. States are vulnerable, federal government, small communities, and it’s kind of a budget war in a lot of ways. How much can you spend on cyber security compared to those that are attacking us? It’s gotten so sophisticated that some of the old groups that are attacking state governments are highly organized and highly funded. We’re in a battle of budgets. How much money do we have and if we’re being outspent, how do we win that?
Are there some basic steps that states can take in preventing cyber attacks?
There are some things that all states can do, and any organization can do. Of course, as we get better at this, the things we’re recommending, we’re growing in our level of sophistication, too. But for sure we need any organization, including state government, counties, cities, they have to have in place security strategy. They should planning advanced cyber analytics. Certainly cyber training is critical. Every employee needs to understand the implications of security and their role, the part that they play in defending the enterprise. There needs to be standard operating discipline for identity management—multifactor identification, data classification. Here’s another interesting point—cyber security merging with enterprise architecture, data architecture, data management, process architecture. It’s got to be baked in. We talk about data classification—is that a data management discipline or a security discipline? And the answer is yes, it’s both. Understanding our assets, risk assessment—practice, practice, practice. Once you’ve got operating discipline in place you need to exercise it so that it’s routine. We’ve also learned you can’t hire enough security professionals even if they were available to have people in front of glass all the time looking at logs, so automating a lot of the analytics to uncover patterns that are abnormal and understanding that normal changes over time. There’s going to be deployment of more and more sophisticated tools for uncovering what’s abnormal behavior. Time of day, what’s being downloaded, what’s being accessed. There needs to be appropriate forensics when things happen to understand not only identify the perpetrators and how this happened but how do we get better and how so we improve? The lessons learned from every incident are gong to inform future project teams and programs—it will become routine. What we did 10 years ago vs. what we do today in terms of baking in security will be an ongoing, evolving exercise of what goes into an application or system or training and as I stated operating discipline will continue to grow. We’re going to get better at this.
We did a document some years ago called ‘The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs.’ That was done back in 2011 but it’s still relevant. We’ve got these calls to action and we talk about what constitutes an effective cyber security program. In there we talk about governance, risk management, compliance services and then we get into operations. That report is full of a host of suggestions in terms of standards and best practices, and then in the cyber disruption response guide we put in their recommendations and also key questions. And the accompanying report to that is advanced cyber analytics and we did the same thing there, recommendations and key questions. So those are great resources for anyone to look through.
How is Enterprise Architecture playing a role in what NASCIO is doing?
We have a rather broad definition of what Enterprise Architecture is. We define Enterprise Architecture as a management discipline. Some people distinguish between strategic planning and Enterprise Architecture. We don’t separate those. We say enterprise planning and architecture are intended to be a discipline for establishing intent and then enabling that intent through appropriate governance, process, technology, managing information as a strategic asset—that’s all part of it, so we have a broad definition of it. What it embeds in our thinking is that we’re always thinking across the enterprise. One aspect of that that’s rather important, I think, is the enterprise portfolio or enterprise portfolio management. We did a brief on that that we called Enterprise Portfolio Management.
I talked about the EA Value Chain earlier in this conversation but, in fact, in government, what drives policy? What drives legislation and supporting regulation? There are issues and there are opportunities. That paper speaks to the fact that there’s a portfolio of issues. The state government has to decide, the governor is going to decide, what things are we going to address? You can’t do everything but we’re going to pick some things and go after those things. How are you going to go about it? You’re going to go about it in a very disciplined way and whether government is consciously, deliberating following this logic, they in fact are first going to be looking at the environmental context, what’s going on in the world. Which of these opportunities and needs are you going to address and then what are we going to do about them? What is our vision, mission, goals, objectives, strategies? That’s all going to be established in some form, and in order to make those things achievable there are going to be capabilities deployed. And those capabilities either already exist in the enterprise or you need to go get them. You’ll partner for them, you’ll rent them, you’ll buy them. The point is you need to think about those things and continually reevaluate things because that environmental context, it’s changing every day, even during the day
Is there a role for standards in helping state and local governments with cyber threats?
Absolutely. Standards are something we have promoted over the years, and the thing that standards do is they help remove risk. We have standard ways of doing things that work and that are part of operating discipline so everyone knows what they’re doing and we’re getting consistent results. In fact, we find that states that have standards and good project management discipline, they have a pricing advantage with consulting companies and integrators because they’ve got in place standards for doing things. It also helps states evaluate solutions. If you have standards in place, we’re removing complexity, and where we’re removing complexity it’s helping us manage risk. We have more predictable outcomes when we have standards.
The other thing standards and best practices are doing, we find out what works because across the states we’re sharing those best practices and standards all the time, and that helps other states avoid rabbit holes and what doesn’t work. Then as we look at standards and best practices across states, we vet them and criticize them. What works? What doesn’t? And sometimes we need to move on to new standards because the landscape has changed, the technology has changed, capabilities have change, the policy landscape has changed, what we’re trying to achieve has changed.
We always want to stay true to what we want to accomplish in state government across this country. We always want traceability back to ‘why are we doing things? Can you justify it?’ You should be able to ask any project team or anyone within the enterprise why are you working on that and they should know. In state government and federal government we always point back to, why are we here? And the greatest reference we have here is you go all the way back to what is our reason for existence and you can learn that by reading the Constitution in the US. Look at the Bill of Rights, the Declaration of Independence—we have a reason for existence. In the case of the U.S., the founders had a mission and vision and that all permeated into the Constitution and we have to stay true to that.
Eric Sweden is Program Director, Enterprise Architecture & Governance, NASCIO. Eric possesses 30 years of experience in senior technical and management positions within IT and business, with substantial experience in business architecture, information architecture, business process enhancement, and strategy development. He has experience in implementing over-arching enterprise information management strategies in large corporations.
In his current role, Eric provides consulting to state and territorial government, authors a variety of reports related to enterprise architecture and the state CIO, leads the NASCIO Enterprise Architecture & Governance Program, and represents NASCIO with various partners in industry and government including OMB, the White House, EPA, GAO, DHS and DOJ.
NASCIO’s reports are widely referenced globally by industry, academia and government.