Leading cyber minds converge at Hanscom

May 30, 2014

Chuck Paone

5/30/2014 - HANSCOM AIR FORCE BASE, Mass. -- Numerous regional cyber leaders convened at Hanscom Air Force Base May 28 to discuss, and sometimes debate, the merits and challenges of secure cloud computing.

Organized by the Advanced Cyber Security Center (ACSC) and hosted by leaders at Hanscom, the event fostered vigorous discussion about the most efficient and secure ways to store and protect critical data and systems. Participating companies and organizations included Akamai, Google, State Street Financial, Liberty Mutual, Biogen Idec, Manulife Financial, MITRE, the RAND Corp. and Boston University's Hariri Institute for Computing and Computational Science and Engineering.

ACSC Executive Director Charlie Benway noted that the event fit perfectly with Life Cycle Management Center Commander Lt. Gen. C.D. Moore II's charge to bring in "thought leaders from outside the fence-line." Benway also believes his organization's members can benefit from information and ideas Hanscom leaders share.

Toward that end, two Hanscom senior leaders, Director of Engineering and Technical Management Kevin Stamey and AFLCMC Chief Technology Officer Dr. Tim Rudolph, offered presentations about Air Force cyber challenges.

Stamey discussed the edge Hanscom program specialists bring to U.S. warfighters: a full spectrum of command and control that harnesses space, air, terrestrial and cyber assets.

"However, that asymmetric capability is probably also our top vulnerability," he said, noting that protecting the various systems and the data they produce is a constant challenge.
But protection efforts aren't sufficient against the most advanced and persistent threats, he said. The Air Force needs to build resilient systems that can withstand and recover quickly from attack.

Protecting systems and data - either by shielding them from attack or enabling them to rapidly reconstitute - doesn't necessarily mean keeping everything in a locked room nearby though. Forum discussion centered, in fact, on analyzing whether and when it makes sense to store data in "clouds," huge, remotely managed data centers with great capacity and built-in security.

"I started out anti-cloud," Rudolph said during his presentation. "I wanted to control the network, the computer and storage." Over time, however, he has become a strong cloud proponent, arguing that working within the cloud is far more cost-effective and that it generally offers enhanced security, with control features that reduce spillage and vulnerability to attack.

He spoke about the U.S. government's federal data center consolidation effort, emphasizing that the ultimate goal should be "to get to zero," meaning no reliance on government-operated data centers. For now, however, the federal government will rely on a hybrid model that combines private cloud, public cloud and traditional data centers, he said.

A panel discussion among industry "cloud adopters" revealed similar sentiments, with early skeptics gradually developing increasing trust.

"Three months ago, if you asked me about the cloud, I'd have said 'Hell, no,'" said John McKenna, senior vice president and chief information security officer for Liberty Mutual. While he continues to proceed cautiously, security and other advantages have convinced him that cloud computing cannot be ignored.

John Schramm, vice president for Global Information System Risk Management at Manulife Financial, also spoke about advantages realized, especially for a global business. His goal is to have 85 percent of Manulife's data in the cloud within five years.

Another panelist, Bob Guay, manager of Information Security and Governance for pharmaceutical giant Biogen Idec, said that the best way to reduce risk and concern is to ask cloud providers if they're really doing what they're supposed to be doing to protect your data.

Cloud providers themselves were also on hand and were quick to offer assurances.

Third party audit results and the opinion of technical peers are among the things information security managers can use to build confidence in cloud providers, according to Ian Kelly, technical security lead for Public Sector at Google. Large providers like Google are further motivated to perform by the potential repercussions of a problem.

"At Google, if we spill or leak data, it will hit the front page of the Wall Street Journal and New York Times," he said.

The event also featured a RAND Corp. presentation on a trust assessment model it developed and a discussion about Massachusetts' Open Cloud initiative, which allows for innovative design and experimentation as well as commercial use.

Boston-area intellectual capital is what made it possible to bring together so many major cyber players, according to Bill Guenther, chairman and founder of ACSC.

"One of the reasons this region has an advantage is the talent we have here," he said.