The Federal Emergency Management Agency is focused on “stabilizing the core infrastructure and the core environment” to keep the agency and its partners securely connected during a crisis, including upgrading aging infrastructure to support the latest security controls, said the agency’s acting deputy chief information officer for disaster operations.
“The biggest concern and the biggest issue as we move to the cloud is to ensure it’s a secure move, that the data is secure, that the environment is secure… ensuring that we have a secure connection is critical,” Scott Bowman, who has more than two decades of experience at FEMA, told HSToday at the Government Technology & Services Coalition’s Emergency Management 2019 event.
“Ensuring that we have scalability in that connectivity – we need to ensure that we just don’t have a very scalable, elastic cloud that has infinite compute capability, but we’re limited on the network side of the house,” he said. “So an area of focus is ensuring the bandwidth and connectivity to the cloud is through a secure connection that is adequate to meet the need.”
This spring, hackers were responsible for blaring tornado emergency warning sirens in Texas, and one Illinois city said it planned to pull its sirens after multiple hacks.
Bowman said the vulnerability of systems such as these underscores how FEMA must be “building in security with everything, considering everything we do on a daily basis.”
“It’s not only having the physical security and securing the network but it’s also educating the users, because all it takes is one user accidentally giving out their password to a malicious actor, and they could exploit that,” he said. “Or not securing a device. So a lot of ‘trust but verify’ – people will say that they’ve secured a device, that they’ve secured a system, but continual scanning and continuous diagnostics and mitigation are required.”
“Because something may be secured today and tomorrow, but it’s possible a future change may be made to an environment that leaves it unsecure. So just continually monitoring and checking everything we can on the network systems, applications, network devices, laptops, phones, all of those, ensuring that penetration points are protected.”
Bowman noted that “a lot of users know that they shouldn’t click on something or shouldn’t do something, but it’s very tempting – they receive a spam email or a spear phishing email.”
“My big wish would be that we could alleviate the malware via the browsers and the spear phishing emails,” he said. “We have a sophisticated email system that blocks a lot of the malicious email, a lot of the spear phishing emails, a lot of those types of threats, but our adversaries are continually changing to bypass those products so we can’t catch all of them.”
Rather than eyeing emerging technologies at the moment, FEMA is concentrating on shoring up its systems by continuing to implement continuous diagnostics and mitigation, as the effort is “really ensuring that our base infrastructure is as secure as it can be.”
“We have a lot of infrastructure that is old, that can’t be secured to the levels it needs to be today, so over the next two years that’s one of the things we’re focusing on: ensuring our base infrastructure and core network is running on current hardware and current software with all the proper security controls implemented and in place,” Bowman added.
There are “definitely” some program offices interested in artificial intelligence (AI) on the horizon, “especially for tasks that are repetitive and could potentially be done by something like AI,” he noted, along with “potentially leveraging it to help identify different threat vectors and different traffic coming in, different emails coming in, using that intelligence to help predict what is and what isn’t malicious content or content with malicious intent.”
“That’s where we are now – we’re exploring, but we’re still not fully implementing AI on any particular program at this point,” he said.
The deputy CIO said FEMA is also looking at “ensuring we have good data standardization and better sharing of data with our partners to improve our disaster response and recovery efforts.”
“It’s all in an effort to benefit the public as we do this, and the better the data and the more data that we can share with our partners, the better the assistance they can provide along with FEMA – talking about volunteer agencies and also local, state, tribal, territorial and other agencies,” Bowman said. “A lot of our efforts are focused on that collaboration and the data sharing – not necessarily emerging technologies, but stabilizing that base at this point.”
Challenges faced by FEMA include “cyber concerns, privacy concerns, ensuring the correct data is shared – and shared in a secure and correct manner,” he noted. “So it’s always a careful balance for the government – use of data, what we’re allowed to use it for, and ensuring that it’s used for the correct purposes when it is shared.”
“We have to ensure that we do it in a secure fashion and that presents a major risk – not only exploitation of systems, potentially, but exploitation of data after it is shared with others and ensuring that they’re doing their due diligence to protect the data once we’ve shared it with them,” Bowman said.