Matthew McCormack Chief information security officer, Defense Intelligence Agency. (Defense Intelligence Agency)
Matthew McCormack is unusual among the intelligence community’s information security leadership. Most top managers are homegrown, but McCormack came to the Defense Intelligence Agency in January 2011 from the Internal Revenue Service, where he was chief of cybersecurity operations.
McCormack joined DIA at a time when the intelligence community was beginning to embrace cloud computing and the push toward mobile devices. Despite his outsider credentials, McCormack is hardly a security newbie. He was a Navy cryptology officer before leaving the service in 2002 to pursue a private-sector career in the banking industry. McCormack takes a cautious view about the role of mobile communications in the intelligence community, for example.
At DIA, one of McCormack’s key responsibilities is to maintain the security of the government’s highly classified equivalent of the Internet, the Joint Worldwide Intelligence Communications System, or JWICS. The network was created by DIA but it is used by officials in multiple agencies.
McCormack spoke by phone with Ben Iannotta.
Q: How did your experience at the IRS affect your work there at DIA?
A: At the IRS, you had a politically appointed head, whereas here we have a military head. So the cultures are very different. And a lot of it I think has to do with the type of work that you do, the type of data you’re protecting. The IRS was a very big beast — [an agency of] 100,000 to 110,000 with 250 million customers, essentially. The IRS was much more online and mobile, whereas the DIA, because of the level of classification of the data we do, a lot more of the work has to be done within the certain buildings. Two very different worlds.
Q: Would your experience at the IRS help you switch to the cloud securely at DIA?
A: The cloud means different things to different people. I don’t necessarily see us going toward the Google cloud in the very foreseeable future. You know, some of the IT efficiency stuff that has been decided on has the NSA and the CIA building out clouds, because a lot of the new software that’s being developed [by software vendors] now requires a cloud back end. So if I’m going to buy some new security software, it’s collecting to a quote-unquote cloud, as opposed to some of the very expensive EMC-type storage. So, to take advantage of all these new technologies coming out that require a cloud back-end storage, I think you’re going to see us building out essentially a propriety cloud, so that we can still have access to all that new whiz, bang stuff.
Q: Not the public cloud?
A: Right. The cost savings of some of these new things is in storage. Storage is very, very expensive. And so as long as you have to keep maintaining your own complete storage facilities, you’re not necessarily seeing some of the cost savings as you would from the cloud.
Q: Those storage facilities are the data centers?
A: Yeah, I mean, when you’re storing information for seven, eight, nine, 10, however many years, that gets pricey. The benefit of being able to use cloud technology is definitely there. It’s just a question of the security models that some of the commercial cloud vendors have doesn’t fit us yet.
Q: Are you involved in the prototype cloud initiative that NSA and CIA are working on?
A: Yes. But under FISMA [Federal Information Security Management Act], we have legal responsibilities — each agency — and we can’t just abdicate that, and say, “Well, NSA is building a cloud, so they can go build it and we’ll just use it.” No, we all gotta make sure it meets our own requirements.
Q: Are you doing continuous monitoring yet?
A: We’re moving toward it. The idea behind continuous monitoring is that there is a significant cost savings because you’re not paying to completely revisit an application every three years. We are moving toward that [but] we are the DIA, so we maintain essentially FISMA requirements for all of DoD TS/SCI [top secret/sensitive compartmented information]. As we move toward continuous monitoring, it’s not just DIA I have to consider. I have to consider Army, Navy, Air Force, Marines and the Pentagon as to how my continuous monitoring model help[s] them. I can’t go push out my own thing and then break theirs.
Q: What is DIA’s role in the security of top-secret intelligence?
A: We have accreditation authority, essentially FISMA authority, for the Defense Department. We gotta make sure they’re not introducing vulnerabilities into the [Joint Worldwide Intelligence Communications System] global network. It’s a little bit confusing and it took me several months to really grasp it. Why am I signing accreditation letters for iPads at the Pentagon? But it is what it is.
Q: Weren’t you just recently assigned enterprise responsibility for JWICS?
A: We are the executive agent for the protection of JWICS for the Director of National Intelligence. An executive order came out back in October, saying all agencies will do a better job of protecting cybersecurity data.
Q: With JWICS, do new features like video teleconferencing and remote access to your desktop complicate security?
A: No. Video teleconferencing, we do it a little bit differently here. We don’t do the webcam-on-top-of-your-computer thing. We actually have standalone [computers] called Tandbergs. You’re essentially a separate computer and therefore l can wrap my arms around you better. That is a nice feature, because obviously as a global operation, when you’ve got guys in Afghanistan, it’s nice to be able to have face to face [conversations.]. It’s been a really good, very well-received technology.
Q: You mention Afghanistan. Have you been to some of the DIA sites overseas?
A: Not since I’ve been at DIA. When I was active duty, I spent a lot of time over there.
Q: Do you plan to do that?
A: I absolutely plan to. I haven’t made it over to the sandy places. I’ve made it to Europe, and you know we have stuff all over the place. But there’s got to be a value in the trip. What are you looking to gain? If I have a person in one of these locations, it probably doesn’t justify the cost of the trip.
Q: You came on board after Wikileaks.
A: Yes. Fun time. When you look at that situation, it definitely made us more aware, and the idea of monitoring how some of those people might do that type of stuff. We obviously can’t get into what we do and how we do it, but we’re continually changing our protection model. We don’t just build a wall and stand behind, and say, “There, we built our wall.” We’re constantly having to change how we do business.
Q: Is DIA using the Host-Based Security System?
A: The McAfee [system]? Everybody across the DoD and the intelligence community does. That allows a consistent base line on all systems. So, even though you might have your network and I have my network, as long as we have the same security suite on each of these computers, our ability to defend and research what these people did goes through the roof. We’ve dramatically limited the amount of unknown things out there because no matter which computer he was on, it’s going to have an HBSS vehicle on it. The different people can do their different reporting off it.
Q: What does HBSS allow you to do?
A: Kill USB connections, prevent any DVD writing. Things like that.
Q: Part of the HBSS software had not been licensed before WikiLeaks, the part that would have detected a large download. Has that been fixed?
A: To my knowledge, yes; understanding that when you’re deploying a software across hundreds of thousands of desktops, it’s a work in progress. McAfee has a bunch of engineers that are working all over DoD and all over the intelligence community to make sure that stuff gets installed. DISA [Defense Information Systems Agency] maintains it for unclass and secret. I maintain it for top secret.
Q: NSA has this mobile-device pilot program. Are any DIA personnel involved in that?
A: You mean the iPads? There’s a couple different devices. You might be more specific.
Q: NSA has given intelligence professionals 100 mobile phone devices as a pilot program. In December they started testing classified conversations.
A: I am not familiar with it but the telecom guys are in a different office. They would probably come to me if they decided they liked it, and they needed security approval on it.
Q: You mention iPads.
A: An iPad is a technology. It’s not a requirement. A requirement is mobile computing. When somebody comes to me and says, “Well I need an iPad,” the question is, “Why do you need an iPad over an Android?” Typically they’ll say, “Well, I have one at home and I know how to use them.” When you look at the amount of things we have to print out every morning and carry around, there is a definitive business justification. If you’re able to put a whole week’s worth of briefings into one of these, you just saved a thousand trees. You’re starting to see them, but obviously in a very limited manner and they are not commercial off the shelf. You can’t just go to Best Buy and bring it in. They are customized, and certain features are turned off. Obviously, because of the idea that you might be able to put a month’s worth of stuff on an iPad and walk out the door, we [at DIA] have to make sure there are controls that keep that from happening.
Q: So those controls haven’t been done yet?
A: It’s not just the controls. There is specialty software that prevents people from doing different things. You have to do some work on the operating system to turn off some things. Obviously, wireless is typically not allowed. So you can’t be bringing 3G ones in. There’s some customization that has to go on.
Q: More generally, are you sure that people are going to go mobile in the intelligence community and that you can do that securely?
A: Mobile means something completely different in the intelligence community than it did when I was at the IRS, [where] mobile meant you can work from home, you can work from Starbucks. Here, mobile means maybe I could go work up at Fort Meade. That’s why you’re seeing the idea of going toward a standard desktop across the intelligence community. I could go up to Fort Meade at the NSA, and their computers look just like mine do here at the DIA, and I can log in and do work. I don’t see in the near future us moving toward being able to do classified work at home. The laws surrounding the protection of that type of information is just not conducive to Blackberries and iPads in your home office.
Q: When you look at going to a standard desktop operating system and the mobile-device push, is there still a question of whether you can do them securely?
A: Oh, no, it will happen, and yes, we can do them securely. My engineers have been in there since the initial requirements-definition phase. So as they’re building this new desktop, the security guys are sitting right there with them. It’s a factor of 10 [times] more expensive to duct tape on security at the back end of a system, as opposed to just building it right the first time. So, that’s why I’ve been saying here’s my smartest engineers. They’re going to help so you’re building this thing securely so that we’re not trying to fix it to the back end.