• The threat vector has dramatically changed at the same time that laws are changing that put penalties on not securing your data. More is changing in this environment than is staying the same.
• Some security practitioners have dropped the word “advanced” from the description of advanced persistent threat (APT) because they observe the vast majority of attackers using common attack approaches – the “open door” rather than “breaking a window.” The disparity in security capabilities is greater than the disparity in threat.
• Mobility – The number of new mobile vulnerabilities being detected is growing almost exponentially each year, making mobility the biggest growing threat vector.
• Cyber arms race is unlike any other arms race in history because it is frictionless. For example, it took 3 days for Stuxnet to be reverse-engineered, reproduced, and propagated. It taught everybody how to attack a SCADA system. It has also given rise to the private cyber arms manufacturer – people who build cyber-attack capabilities and sell them on the black market.
• Personnel training to avoid risky behavior is the most important element of cybersecurity. NSA statistics show that 80 percent of exploitable vulnerabilities are a result of poor cyber hygiene. The other 20% is the APT.
• Social engineering is a growing threat because, among other things, it gives the attackers a deeper understanding of how users and organizations behave, respond and think.
• Growing cyber threats in the aviation sector target in-flight operations, ground support operations, air traffic managements systems, etc.

• Some agencies are moving to cloud services because of financial constraints, knowing of security risks and hoping security will follow soon afterward.
• Some key challenges in effectively implementing Cloud include:
  • Contract structuring: How do you structure a contact offering when you don’t own the asset? How do agencies (GSA, etc.) effectively strengthen cloud acquisition policy and build in security into SLAs?
  • Clearance: what types of clearance levels are needed for people around the world who are supporting agencies or have access to their data, but are not necessarily part of a secure sector? Information sharing on threats, etc. is sensitive.
  • Incident response: When there is an incident, who do I call? The Cloud Service Provider (CSP) or the agency? 

• Information sharing is not an ends, it’s a means to an ends. In this context, it is needed to gain an effective shared situational awareness among shared stakeholders.
• One challenge to information sharing stems from a sense of human preservation. We have a culture of not sharing information, while hackers have a culture of sharing widely.
• Electricity Sector Information Sharing and Analysis Center (ES-ISAC) – Allows electric providers to share information in a non-compliance framework and encourages free flow of information without fear of compliance threat hanging over you. Effective sharing requires the freedom from the threat of sharing.
• Cyber Federated Model (CFM) – the warfighter has great command and control (C2) information and the CFM intends to enable C2 for cyber indicator information. For example, an infected site is sent into the CFM and within a few minutes all other sites within the CFM get the information. Some sites have automated updates and the information sharer gets to control with whom they share.
• One key to effective sharing includes the ability to be able to do it securely, i.e. share with assurance. Also, data must be anonymized to be shared, especially if the data is classified, sensitive or contains private information. Sensitive but unclassified information will need cooperative agreement between government and industry to set the boundaries for what each can do with the information they receive.
• Automated information sharing should focus on machine-readable threat indicators to automate data flow and get people out of loop where possible. Currently, high-priority threat-level information is XML-based, but going forward organizations will need more visual analytics.

• SCADA (supervisory control and data acquisition) systems, and other industrial control systems (ICS) were never designed for networking, but they have been extensively. So we are now building monitoring capabilities in an attempt to detect and defend against attacks on systems that were never designed to withstand such attacks. 
• Attacks like Stuxnet and Shamoon targeted energy sector systems and disclosed SCADA system vulnerabilities.
• The patching treadmill – These control systems were never designed to be patched and/or shut down regularly. This patching can mean an entire plant must be shut down to complete the patch. This has the potential for unforeseen domino effects and implications for supply interruptions and other complexities.
• Different organizations and unrelated sectors currently have different architectures and protocols for collecting and sharing threat information. What is needed is a common open-standards XML schema to communicate attacks in industrial control and other systems.

• There is not currently a consensus on how to proceed with administering cyber- and critical infrastructure protections, with significant polarization existing between competing regulatory/compliance and collaboration/incentive approaches. 
• Comprehensive legislation (Lieberman-Collins, and others) that failed in the Senate included new and expanded regulatory and compliant elements over the private infrastructure community.
• Some industries, like nuclear energy, have very mature regulatory environments and some assert that the success in this area is an example of positive regulation that should serve as a prototype for other infrastructure industries.
• Public-private partnerships are essential. The Critical Infrastructure Partnership Advisory Council (CIPAC) and HSPD-7 were the predecessors to the latest Executive Order (EO) and Presidential Policy Directive (PPD-21).

With the Executive Order signed February 12^th the administration has reiterated a commitment to improving critical infrastructure, driven in part through government collaboration with industry and in part by the continued development of a cybersecurity framework by NIST. On February 13^th, NIST announced that it would issue a Request for Information (RFI) from critical infrastructure providers, government organizations, industry and other stakeholders. It’s clear that government risk management and security requirements will continue to evolve. In the meantime, both cloud service providers and third party assessment organizations should familiarize themselves with the new controls and consider the steps required to accommodate any additions or changes to their offerings.

As we wrap up our soon-to-be published report on Big Data, I can’t help but think about how profoundly technology will change our world in the years ahead.  Big Data will drive great changes, but what kind will depend on what we do with it. No agency can afford to do Big Data just for the sake of organizing their data. The cost of capturing, managing, processing, storing, and analyzing data is just too high to not have a sufficient payoff in terms of the value that the data produces.

1. Streamlining and improving current business processes and applications to directly benefit the public.
2. Leveraging the state’s investment in shared support services and technology infrastructure.
3. Establishing a strong organization-wide management and oversight framework, including policies, processes, performance measures, program management and organizational change management.

1. Enterprise Resource Planning (ERP) - Hawaii is moving forward with implementation of an enterprise-wide ERP system that will replace the large majority of the current central systems within the Enterprise Support Services band.
2. Tax Modernization - This involves a strategic initiative to explore ways to streamline and modernize tax processing away from the current Integrated Tax Information Management System (ITIMS). It will expand the overall use of electronic tax filing, electronic payment, improved analytics, and improved case management processing to streamline and decrease cycle times for the citizens of the state.
3. Health IT - Envisioning a more effective, efficient, patient-focused healthcare system, Hawaii’s Transformation Plan includes a four-point strategy of innovations for Delivery System Improvements, Payment Reforms, Health IT and Healthcare Purchasing. Hawaii is seeking systemic improvements in public health through measuring health status, performing assessments, and the tracking of preventions, promotion, and outcomes. The State will look to use Electronic Health Records and a secure exchange of information to improve care coordination, reduce duplication and waste, empower patient engagement in their health, and enable public health analytics to shape policy decisions that will improve the overall health system.
4. OneNet/Enterprise Services Network - A single network, OneNet, will look to fulfill the network needs of all state departments and employees and citizens with guaranteed performance levels.
5. Adaptive Computing Environment (ACE) - Establishes a consistent configuration for computing devices across the State using pre-approved vendors. State employees can order standard systems that are engineered to operate most efficiently in the OneNet environment. Choices are provided based on job classification for mobile/tablet solutions, laptop/desktop, or a strictly virtual environment for certain work. These systems require fewer support resources than non-standard configurations, enhance overall support effectiveness, and reduce total cost of ownership.
6. Shared Services Center - For the future State vision, the goal will be to have five fully meshed functional shared services centers (SSC) distributed across the islands to provide high availability, redundancy, fault tolerance, data backup and replication, disaster recovery, and always-on services to Hawaii. Connections between shared services centers will be provided with dedicated high-speed fiber optic lines with service providers and State wireless connections acting as redundant and backup links respectively.
7. Information Assurance & Privacy - Hawaii has a fully integrated Security Operations Center (SOC) and Computer Security Incident Response Centerv (CSIRC) to: provide uninterrupted security services while improving security incident response times; reduce security threats to the State; and enable quicker, well-coordinated notification to all State Departments regarding security threats or issues.
8. Mobile Computing – Hawaii is aiming to establish a standard mobile applications solution pattern and approach with standard methods, skill development, contractor resources, and tools/technologies in conjunction with the adoption of preferred smartphones and tablets. Since mobile application development has a very small footprint in the State at this time, this initiative will need to analyze, pilot, and invest/implement in a standard approach, capabilities, and tools for developing mobile applications.
9. E-Mail, Collaboration and Geospatial – This effort is looking to provide several integrated services in a single environment, including integrated multi-media online communications services; collaboration and conferencing services, and multimedia content and information services.
10. Open Government – Seeks to establish a State of Hawaii data.gov internal and public-facing website to facilitate the sharing of master data sets.
11. Hawaii Broadband - Hawaii currently has many broadband projects underway as part of the Hawaii Broadband Initiative (HBI) with departmental participation that highlights the importance of the program. An assessment of the current program illuminates the fact that there must be strong unification of these disparate efforts within an established, disciplined program management framework with continual progress reports.

1. Pharmacy Benefit Management Services and Fiscal Agent Services In Support of Pharmacy Claims Processing; Value: >$30 million; Primary Requirement: IT Professional Services; Award Date: February 2013.
2. Statewide Telecommunications Equipment; Value: >$30 million; Primary Requirement: LAN/WAN Equipment; Award Date: January 2014.
3. Hawaii Broadband Initiative; Value: >$30 million; Primary Requirement: Fiber Optic Materials & Components; Award Date: June 2013.
4. Health Insurance Exchange Services; Value: <$30 million; Primary Requirement: Information Technology; Award Date: November 2012.
5. Third Party Administrator (TPA); Value: <$30 million; Primary Requirement: Information Technology; Award Date: July 2013.

• Changing Perceptions of Security – The creativity, persistence and resourcefulness of those attacking the cyber infrastructure effectively means that no defenses are full-proof, or ever will be. Your infrastructure will be penetrated at some point and striving to prevent that completely is a losing battle. Agencies need to adopt a risk management perspective to be ready, respond, and recover effectively from attack. Agencies also need to embed security at multiple levels of their organizations and infrastructures, including at the data level.
   
• Cyber Landscape is Changing – The explosion of social media, mobile technologies, and adoption of cloud computing has fundamentally changed the threat landscape. The rate of technology change has outpaced our security policy and approaches and that is the new status quo. These technologies, as well as sensor proliferation, will continue to explode the quantity of data available for attack and exploitation.
   
• Offensive Capabilities – Here the theme of “a good offense is your best defense” rings true. Taking some of the tools and tradecraft (e.g. penetration testing) that have their origin in cyber defense and turning them in an outward direction toward our adversaries can be an effective approach. There are several parallels here with strong deterrence through strong offensive capabilities. Some of the challenges include maturing the military rules of engagement (ROEs) and addressing the policies and legalities on what private infrastructure owners can do to self-protect.
   
• Military Cyber Workforce Development – There is much to be done to effectively train and equip military and civilian personnel for cyber defense, and warfare. The tradecraft has developed organically from various directions resulting in a very fragmented and narrowly-defined concept of cyber warrior based on each service branch’s individual needs and perspective. A more uniform and collaborative definition of the necessary skills and experience is needed to effectively build the workforce of the future.
   
• Presidential Executive Order (EO) – While there has been quite a bit of buzz in the federal trade press about the likelihood and content of an EO the general perspective among attendees and speakers was that any such release would not likely come before the November presidential election to avoid the appearance of being blatantly political. Some were doubtful it would be issued at all, given the opinion expressed by some in press accounts that what they’ve seen from the White House lacks real teeth. 
   
• Cyber Legislation – The flurry of cyber security bills that were introduced in this Congress – some passing the House and dying in the Senate and some introduced in the Senate but not gaining enough support to move forward – are basically dead, but some of the ideas may be revived later. It is possible, although it seems unlikely, that a bill could get picked up in the lame duck session. 
     
• Effective Cyber Policy – Numerous presenters cautioned against any legislation, policy or EO that would take a predominantly regulatory approach to cyber and critical infrastructure protection. One of the arguments is that the rapidly changing pace of technology and the constantly morphing nature of the threat mean that any regulations instituted by Congress or the White House would be outdated even before enactment and then tie the hands of agencies and companies to effectively respond.

• In early May, GD acquired IPWireless Inc. for an undisclosed sum. Based in San Francisco, IPWireless provides 3G and 4G LTE wireless broadband network equipment and solutions for first-responder and military customers. The acquisition will allow GD to expand its commercial networking solutions to better serve the needs of its customers, including municipalities who are moving to broadband public safety networks such as the FirstNet nationwide interoperable broadband network.
• In late June, General Dynamics bought Earl Industries ship repair and coatings division to enhance its ability to compete for Naval contracting opportunities. The ship repair and coatings division of Earl Industries is a prime contractor for nuclear aircraft carrier programs, and provides maintenance and repairs for other Naval ships. Financial terms for the transaction weren’t disclosed.
• In mid-August, GD said it would acquire Fidelis Security Systems, a provider of network security tools that provide real-time network visibility, analysis and control. Based in Waltham, Mass., Fidelis' solutions help customers stop advanced threats and prevent data breaches by providing visibility into the complex layers of a network, exposing malicious content in real-time. This acquisition will allow GD to expand its capabilities in the growing cybersecurity market, with a particular focus on incident response and situational awareness. Earlier this year, GD opened its Cyber Intelligence and Solutions Center located in Annapolis Junction, which houses experts working on cyber threat detection and mitigation solutions.
• In late August, General Dynamics acquired the defense operations of Gayston Corp., which supplies precision metal components used in several munitions programs. Gayston's defense unit makes rocket motor tubes for the U.S. Army's Hydra-70 air-to-ground rocket program. It also provides liners and cartridges for 40mm ammunition rounds and components for 60-120mm mortar rounds, among other things.
• Earlier this month, GD also acquired virtualization security software start-up Open Kernel Labs Inc. for an undisclosed amount. OK Labs provides virtualization software for securing wireless communications in the corporate and government sector. In addition, Open Labs creates apps and content for mobile devices and in-vehicle 'infotainment' systems. This acquisition will expand GD’s capabilities as a provider of secure mobile devices for public safety, civilian, military and commercial customers.