The Communicators, C-SPAN, October 17, 2011, 8:00am-8:30am EDT
8:00 am
8:01 am
>> This week on "The Communicators," we look at the future of cloud computing by the U.S. government. A member of Congress who just held a hearing on the topic and an internet executive discuss the benefits and challenges of the government's easing toward cloud computing.
>> Host: Dan Lungren is chairman of the Homeland Security Subcommittee on Cybersecurity. He is a Republican of California, and this week his subcommittee held a hearing on cloud computing. Congressman Lungren is our guest this week on "The Communicators." Congressman, is cloud computing for the federal government inevitable?
>> Guest: It not only is inevitable, it's already part of the mix, and one of the serious concerns I have is not that it's inevitable, but the fact that we ensure that the security aspects of cloud computing are forecast, are dealt with ahead of time and are incorporated into this new computer world. I mean, cloud computing is part
8:02 am
of the new computer world.
>> Host: Jennifer Martinez of Politico is a technology reporter; she's also joining us this week on "The Communicators."
>> Host: Thank you. And the hearing was focused on, like you said, the security of cloud computing and the federal government moving its systems toward the cloud. And at that hearing you described the administration officials who touted the benefits of the cloud as glass-half-full people. And then there was a GAO official who was a little bit more skeptical of cloud computing and its security, and you described him as a glass-half-empty person.
>> Guest: Right.
>> Host: So the hearing's done, and you've heard what people have to say, so are you a glass-half-empty or half-full guy? [laughter]
>> Guest: Well, I think I have to pick up both glasses at this point in time, and the reason for that is that we shouldn't shy away from
8:03 am
or somehow be afraid of cloud computing. It is a part of the advanced development of the computer world, as explained to me by people that are far more technically advanced than I am. At the same time, some would say, well, look, this gives us a better opportunity to secure our data, and you would ask why they'd say that. Well, if you've got a cloud that contains bits of information from a thousand different sources, there is more capital investment that can be made into that cloud than they would make individually, number one. And number two, they can keep up with it on an every-second basis, and they can adapt more quickly to the fixes that need to be done. I happen to think that that makes sense. On the other side of the equation, however, is that that makes this a greater target-rich environment. If I can go after one particular target instead of a thousand or --
8:04 am
instead of a thousand or 1,700, isn't it more worth my time to do that? And so like everything else, there's the good, and there's the bad. And what I tried to advance was the idea that sometimes in the past, as we have applied computers to other models, command and control systems, running our electric grid, running our water systems and so forth, they were not initially engineered with the idea of security in mind. Much of it was before 9/11. You wouldn't think of someone wanting to just blow things up to blow them up, or to do damage for the terroristic psychological impact as opposed to gaining land or gaining a prize. And so from that standpoint we've had to do patchwork ever since. And we've done some pretty good work. The question is, going forward, do we engineer into our systems security from the beginning? And I was pleased to hear
8:05 am
from both the representative of the Department of Homeland Security and the representative for I.T. security for the General Services Administration that they are building that into the system. Doesn't mean it's easy, though, at all.
>> Host: Well, and on that, too, the two administration officials were talking about the launch of FedRAMP, and they were finalizing those security requirements for cloud computing services for the federal government to use. But that launch has been pushed back. That draft was released, I think, last year, and it's been pushed back and pushed back to deal with concerns from stakeholders. Does that concern you, that that launch has been pushed back? And also agencies are still moving to the cloud even though it's not finalized there.
>> Guest: Well, first of all, we've got to get it right, so it would not do us very good in the long run for us to end up with an incomplete model where we
8:06 am
ignored things that we learned going on, first. Secondly, what I am concerned about is whether or not the different government agencies and departments have included this notion of security as they go forward. It's no excuse that that one program is not available. They have independent responsibility, as far as running their government agencies and departments, if they're moving to a cloud or series of clouds, or secure clouds or public clouds, that they do it in the right way. And then the third thing I'd say is this: there are different levels of data that would require different levels of security concern and then security application. And getting that right is extremely important from the very get-go. If you make a huge mistake with respect to the kinds of data, identifying it on one side, misapplying the security that needs to go to it, then we're in a huge mess that we have to dig our way out of. So, no, it doesn't bother me to
8:07 am
say they are taking their time. It is government, and I get frustrated at times, in part because my dad was one of those great people in World War II who, you know, landed on beaches in Normandy several days after D-Day, and they went from there to Berlin faster than we're able to do most things in D.C. But I don't get the sense they're dragging their feet, and I did not get the sense that they have a less than urgent and sophisticated concern about security as we go forward with cloud computing.
>> Host: Congressman Lungren, what about the issue of turning over so much government data to private vendors?
>> Guest: That's a very good question, one that we raised. We rely greatly on private vendors to begin with. We've got to understand that. The other thing I would say is that the private vendors, frankly, are the ones that are on the cutting edge of new computer developments, both in
8:08 am
terms of the actual transactional work they do, the computation that they do, but also with the security that they do. And if we were totally to rely on just government-owned enterprises, frankly, we would be doing a disservice to us. However, what does that require us to do? It requires us to be concerned about proper vetting for their employees, about proper understanding of physically where their operations are located, and thirdly, that if we have -- and this was brought up by Mr. Curran in his testimony before our committee very, very well -- if we have a particular type of security methodology and procedure that we adopt in the federal government, we need to make sure that any vendor that we utilize is well aware of them, is understanding of how they operate in that environment and, therefore, can apply those same things to the way they operate. And then lastly, and I think
8:09 am
maybe most importantly, you have to have a level of awareness of what I call good computer hygiene. We've had testimony before our task force on cybersecurity, in both private and public briefings, that -- and the number that's thrown out is 85% -- of the intrusions, the malware, the unauthorized access to computer systems or the alteration of computer systems could be avoided by good computer hygiene: by those of us as individuals in the operation of our computers, by our systems directors, by the network providers. And so a major portion of that is awareness. And that's a general proposition. In terms of cloud computing, we need to make sure there's an awareness from the design phase, but also in terms of those of us who will operate within that, whether we're in the government sector or the private sector, that we understand that good
8:10 am
computer hygiene will allow us to eliminate a good portion, the vast majority, of those intrusions. And sometimes, or many times, when we don't get rid of that, it creates a clutter that makes it more difficult for our systems operators, for the federal government, for the private sector, to be able to focus on the worst kinds of attacks that we have on the system. So it behooves all of us to do that, and that was just one of the simple things I was trying to stress at the meeting. What is our level of awareness as we go forward with cloud computing, and how do we do a better job, both in terms of just regular computer operations, but also as we move towards cloud computing, how do we make sure that we are anticipating the unique security concerns that may be involved in that?
>> Host: Right. And I guess with the public cloud vendors we've seen a couple of instances in the past year where the cloud isn't
8:11 am
perfect. Sometimes things happen. So, for example, Amazon's cloud service was down for a couple of days, and that even affected some government/public-facing web sites, where they were out for a little bit. And also Google had said about a year ago that some hackers had compromised its systems and taken some IP from it, and that attack had stemmed from China. Does that cause you some concern about that move to the cloud?
>> Guest: Oh, sure it does. I mean, it gives you another set of concerns, if you will. For instance, if I've got my own system, my own network where I control it, there is a sense of proprietary security there versus when I send it out to somebody else. I guess the best thing that they analogized it to is if you're at home and you've got to run your own batteries or your own
8:12 am
generator for electricity, that may make sense in an extreme situation, but if all of us did that, it would be impractical. We buy energy off a grid. That means we use it when we need it. It's the same with cloud computing. In that sense, it makes perfect sense for government to move in that direction. However, there are certain things that, in my judgment, may never be able to be put on a cloud.
>> Host: Like what?
>> Guest: Probably the most classified level information that we have. Health systems. There are clouds that are utilized there, but we've got to think through that in terms of how do we provide the kinds of privacy protections that will give the average person whose medical information data is somewhere recorded that they are going to be protected? But as some of the experts we had who testified before us said, look, this is no different than when we moved from, you know, your small computer that
8:13 am
you use -- well, the geniuses that were able to do that -- to move into mainframes, information contained on mainframes, then we moved to networks. Then you have different types of clouds: private clouds, public clouds, network clouds. And does it make sense to diffuse the information that you put? In other words, not on a single cloud, maybe several different clouds. So it's the next stage in computing operations for virtually everything that we're going to have to move to and understand going forward, that security is wrapped into it from the very beginning.
>> Host: Final question, Jennifer Martinez.
>> Host: Okay. So you have a cybersecurity bill that you're working on, and you've circulated it to some folks in industry.
8:14 am
So when are we going to see that, and I guess what is the main aim of that bill that you're coming out with?
>> Guest: Well, first of all, it should not be looked at as a bit of competition to the administration's proposal. I very much admire the administration for coming up with a comprehensive cybersecurity legislative piece. I think there are things that I like in it, there are things that I don't like in it, but overall they've made a good attempt to try and bring it forward. I would suggest that one of the things that would be somewhat different in terms of my bill, and I think generally the bills that are going to come out as a result of the Republican task force effort on this, is that it would be less reliance on a heavy regulatory schematic from the government and more of a voluntary public/private partnership going forward. It's easy to say, it's much more difficult to articulate. But if you look at our piece of legislation, that's a key part in there.
>> Host: It's a cornerstone of
8:15 am
that bill that there's a nonprofit organization that's going to act as a clearinghouse that's separate from the government --
>> Guest: Yeah. We're trying to figure out what is the interface, what is the facilitator that will allow that exchange of information? Because one of the things we've found is a lack of confidence going in both directions. And so I don't have the exact model. We've come up with the idea of a not-for-profit operation that's neither federal nor private but is a consortium. And it's built on a design of cooperation, but ultimately it's going to rely on a sense of trust and a confidence that's built in from the people who operate it. We're open to whether it ought to be one or several for different sectors, and if someone wants to call it something else, wants to put their name on it, that's fine with me. I just want to get it going.
>> Host: Congressman Dan Lungren, thank you for being on "The Communicators." Our program continues in a minute.
>> Guest: Thank you.
>> Host: And now joining us on
8:16 am
"The Communicators" is John Curran. He is president and CEO of the American Registry for Internet Numbers, also known as ARIN, and he has many years of experience in the internet industry. Mr. Curran, when you testified at the cloud computing hearing this past week, you talked about some of your concerns with regard to cybersecurity and sensitive government programs. What are your concerns when it comes to cloud computing?
>> Guest: Absolutely. Thank you for having me on the show today. When I testified, I focused on the fact that there are new aspects and old aspects to having the federal government make use of cloud computing. To some extent, the federal government has been using cloud computing, or has been using outsourced computing, for years. Many of the federal I.T. systems actually don't operate in federal data centers, but operate on contractor
8:17 am
facilities. So there's experience in using federal computing systems that are located outside of federal facilities, and using contractors and using their services. That aspect of using cloud computing is actually well known and is something that the accreditation framework that's used for federal systems is actually quite capable of handling. The nuance with cloud computing that's added is that instead of using these outsourced facilities, we're now using clouds over the public internet, and using clouds means we don't necessarily know the location of where the computing that we're doing is taking place. So I spoke at the hearing regarding some of the nuances of making use of the internet for doing cloud computing, for accessing cloud resources or vendors, and the fact that that raises a number of concerns. The concerns in particular are
8:18 am
the internet itself is a changing environment, and new technology is coming. We have to make sure the cloud keeps up with that. Also, the use of the internet by the federal government is governed by government-wide initiatives. We have to make sure that the cloud use of the government also follows those government-wide initiatives for security. And then the fact that the cloud itself has capabilities for allowing recovery of federal systems doesn't mean that we don't need to worry about the migration of data from one cloud provider to the other.
>> Host: Jennifer Martinez.
>> Host: Hi, Mr. Curran. So I just wanted to jump into one of the gaps that you had identified, and that was the migration of data from one cloud service provider to another. And I wanted to see, when the
8:19 am
government is moving its service from one provider to another, how do we know that that information on the original provider is not still being stored, and they don't have it anymore?
>> Guest: That's actually an excellent question, Jennifer. If you think about the framework for securing federal systems, there are controls that exist today that require federal agencies to do contingency planning. So if they have systems in three locations in the country and they lose a facility, they have to be able to recover in the other two. But the fact of the matter is that that recovery is all within one federal agency. When you switch to cloud computing, we know the cloud providers are very robust and have the ability to recover, probably more so in many cases than the federal government can, because they have many facilities distributed globally. And that's a good thing. The problem is, what if you have
8:20 am
a cloud provider who has an irrecoverable compromise in its security or shows for some other reason that they can't be used? The problem that we face today is there are no standards to quickly move data from one cloud provider to another. Yet this capability is required for good, responsible contingency planning. It's not enough to simply say that there will be standards or they'll be coming. A federal agency has to be prepared for the fact that a cloud provider could fail in a way that requires a very rapid transition. So we need those standards for migration of data and systems, and then we need to make sure contractually the cloud providers are obligated to work with those migrations, including clearing the data off their system when they're done.
>> Host: Right. And actually to that end, too, kind of backtracking a bit. So since last December the former Obama administration CIO
8:21 am
spearheaded the Cloud First policy, where he tasked all federal agencies to identify three services that they should move to the cloud. One of those services should make that jump in a year, and the other two within 18 months. Are we moving to the cloud too fast? Do you think that we are putting security concerns second?
>> Guest: I actually think we're moving to the cloud at the right rate, but we have to pay attention to the details. For example, if you look at the testimony of DHS during the hearing, he identified how DHS was being careful about what it was moving to the cloud, and that it was moving to a private cloud for fulfilling its Cloud First strategy, and that it was limiting that private cloud to data that was predominantly public and issues that were predominantly public already within DHS.
8:22 am
And that's the type of balanced risk-taking that's encouraged. And, actually, the type of evaluation that the risk framework that the government uses, FISMA, should be encouraging in other agencies. So I think the short answer is we're moving aggressively, and I think that agencies should continue to do so. But they need to do the realistic risk management when they do that, in choosing which applications they move and how fast they do it.
>> Host: John Curran, if DHS is developing its own private cloud, is there going to be a tendency for all government agencies to develop their private cloud, thus kind of nullifying the benefits, the proposed benefits, of cloud computing?
>> Guest: Well, in 2008, when the federal government did its inventory of I.T. systems, the OMB published some of the statistics. There were 10,000, or in excess
8:23 am
of 10,000 federal I.T. systems. And many of those I.T. systems operated with what we would call high-risk-impact data, data that if it got out would really hinder the ability of the agency to operate. But there were thousands of them that were low- or moderate-risk systems, and those are the ones that are suitable for the cloud. The FedRAMP program that has been developed by GSA, OMB and DHS encourages looking at those applications. So I think you will see private clouds, particularly for the moderate-risk applications, but there are many applications that are perfectly suitable for the cloud today. And in cases like that, the public cloud offers all the benefits. I think that it's good to make that evaluation of private versus public. In the case of DHS, they chose
8:24 am
private for their initial foray. That doesn't mean all their applications will end up there.
>> Host: And then I wanted to ask you about, for example, one of the major cloud service providers coming up right now, and that's Google. And about a year ago they had published a blog post saying that hackers had compromised their system and had stolen some intellectual property in the process, in that attack, which they said stemmed from China. So if Google is able to be breached, and Google is offering an array of cloud services -- not just Google, but other very well-known innovative tech companies are providing cloud services to the government -- is that a concern when you have news of a breach coming from another country?
8:25 am
>> Guest: I think the way to look at this is that it is true that cyber attacks are increasing. Your own "Communicators" program has interviewed many people who have testified to that. The fact is that we're seeing rapid increases in cyber attacks, and they're coming from all corners of the globe. The federal government has formal structures on how to secure its systems, but even with those formal structures, there are federal systems that have had security issues, and those are well documented. When you're looking at using a public service provider who's a vendor, regardless of what that vendor is, there are advantages and disadvantages. The advantage you pick up is, you have to recognize those providers are on the internet each and every day and, therefore, they are exposed to and have to respond in a timely manner to a lot more security threats than necessarily are seen by any given agency and its
8:26 am
security personnel. Obviously, a global cloud service provider, whatever it is, in some cases may have actually more expertise and experience because of the exposure they have on an ongoing basis. Now, the countervailing view on that is simply that, yes, it is true, if a compromise occurs, it's necessary for the government to be able to know where its data went and what it does about that. That is what that FedRAMP program specifies. It specifies a list of controls that talk about where the data resides, who is managing it and how it's backed up, and a very long list of controls. By using public cloud providers who then also certify themselves through the GSA FedRAMP to be authorized for use, the government picks up the benefit of the cloud computing provider and their security experience, as well as the list of controls that they've been accrediting
8:27 am
systems for for the last decade. It's not going to be perfect, and there will be issues. But we have to recognize that there's a benefit in using cloud providers, because they also have a very visible public presence, and they have a lot of experience in this space.
>> Host: Mr. Curran, one of the areas of your testimony was about emerging threats to cybersecurity and cloud computing. What are some of those emerging threats, and are we thinking about things that haven't happened yet?
>> Guest: We actually are. I spoke about emerging threats and, also, the evolving nature of the internet to secure against those threats. There are a number of initiatives that the federal government has launched, including DNSSEC, Domain Name System Security: the ability to know that a name is actually going to be mapped to an address in a way that you can verify. Our current name system isn't
8:28 am
100% locked down. The federal government's worked very hard to make that happen. There's another version with IP version 6 to let the internet continue to grow. These initiatives are designed to secure the underlying nature of the internet, and we're making great progress in both of those right now across the federal government. My testimony specifically referenced the fact that as we authorize cloud computing providers, we have to make sure that they also follow those federal initiatives, because those initiatives are designed to secure not just cloud computing providers, but secure all the federal government. So there are emerging threats, and what we're trying to do is make sure we have better authentication and a better identity on where the cyber attack is coming from. The DNSSEC and IP version 6 initiatives will get us there long term. We can't exclude the cloud computing providers in the
8:29 am
process of authorizing them to hold systems.
>> Host: And final question from Jennifer Martinez.
>> Host: And, Representative Yvette Clarke, the ranking member of the cybersecurity subcommittee, asked the first panel of administration officials what type of data should never go in the public cloud. And she didn't ask the same thing of your panel and let you guys off the hook, so I wanted to posit that question toward you.
>> Guest: Absolutely. And it's, actually, an excellent question. The most important thing to realize is that this is a decision that's the federal agency CIO's decision. And that's where it should rest. The CIO knows the impact of that data and its disclosure, knows the impact of that data and its compromise or the unavailability of the system. And so at the end of the day the goal is to make sure that CIO has enough information to make sure that they can make a