
The Communicators, CSPAN, October 17, 2011, 8:00pm-8:30pm EDT

8:00 pm
8:01 pm
This week on The Communicators we look at the future of cloud computing by the U.S. government. A member of Congress who just held a hearing on the topic and an internet executive discuss the benefits and challenges of the move towards cloud computing.
>> Dan Lungren is chairman of the Homeland Security Subcommittee on Cybersecurity. He's a Republican of California and this week his subcommittee held a hearing on cloud computing. Congressman Lungren is our guest this week on The Communicators. Congressman, is cloud computing for the federal government inevitable?
>> Not only is it inevitable, it is a part of the mix, and one of
8:02 pm
the serious concerns I have is not that it is inevitable but the fact that we ensure that the security aspects of cloud computing are forecast or dealt with ahead of time and are incorporated into this new computer world. Cloud computing is a part of the world.
>> Jennifer Martinez is a technology reporter also joining this week on The Communicators.
>> Thank you. The hearing was focused on, like you said, the security of cloud computing in the federal government and the transition towards the cloud, and at that hearing you described the administration officials who have touted the benefits of the cloud as the glass half full, and then there was the GAO official who was a little more skeptical of cloud computing and its security, and you described him as a glass half empty
8:03 pm
person. So the hearing is done and you heard what folks have to say. So are you a glass half empty or half full when it comes to security?
>> You may recall I asked which glass I pick up. I think I have to pick up both at this time, and the reason for that is that we shouldn't -- we shouldn't shy away from or somehow be afraid of cloud computing. It is a part of the advanced development of the country, of the world, as explained to me by people that are far more technically advanced than I am. At the same time some would say this gives a greater opportunity to secure our data, and you would ask why they would say that: if you have a cloud that contains bits of information from thousands of different sources, there is more capital investment that can be made into that cloud than they would do individually. And number two, they can keep up with it on an every-second
8:04 pm
basis and they can adapt more quickly to the fixes that need to be done. I happen to think that makes sense. On the other side of the equation, however, is that it makes this a greater target environment. If I can go after one particular target instead of a thousand or 1,700, isn't it more worth my time to do that? And so like everything else there is the good and bad, and what I tried to advance is the idea that sometimes in the past, as we have had to apply computers to other models, control and command systems running our electric grid and water systems and so forth, they are not initially engineered with the idea of security. Much of it was before 9/11. You wouldn't think of someone wanting to blow things up to blow them up or to do damage by the terrorist psychological impact, as opposed to gaining money
8:05 pm
or getting a prize, and so from that standpoint we have had to do patchwork ever since, and we have done a pretty good work. The question going forward is to engineer into our systems security from the beginning, and I was pleased to hear from both the representative of the Department of Homeland Security and the representative from I.T. security for the General Services Administration that they are building that into the system. It doesn't mean that it's easy though.
>> When the two officials were talking about FedRAMP, they were finalizing the security requirements for cloud computing services for the federal government, but that draft has been pushed back. That draft was released I think last year and has been pushed back and pushed back to deal with concerns from stakeholders.
8:06 pm
Does that concern you, that it has been pushed back? Also agencies are still moving to the cloud even though it is not finalized.
>> We have to do it right, so it wouldn't do us very good in the long run to end up with an incomplete model where we know where things were going on first. Second, what I'm concerned about is whether or not the different agencies and departments in fact have included this notion of security as they go forward. It's no excuse that the program is not available. They have the independent responsibility, as far as running their agencies and departments, that as they move into a cloud or series of clouds, secure clouds and public clouds, they do it in the right fashion. And the third thing I would say is this: there are different levels of data that would require different levels of security concerns and security applications, and getting that right is extremely important
8:07 pm
from the very get-go. A huge mistake would be to take the kind of data, misidentify it, and misapply the security that needs to go to it; that is a huge mess we would have to dig our way out of. It is government, and I get frustrated at times. My dad was one of those people in World War II on the beaches of Normandy, and several days after D-Day they went from there to Berlin faster than we are able to do most things here in D.C. I do not get the sense they have a less than urgent, sophisticated concern about security as we go forward with cloud computing.
>> What about the issue of turning over so much of the government data to the private vendors?
>> That's a very good question
8:08 pm
and one that we raise. We rely greatly on the public vendors to begin with, and we have to understand that. The thing I would say is the private vendors frankly are the ones on the cutting edge, both in new computer developments, both in terms of the actual transactional work they do and the computation they do, but also the security they do, and if we were totally to rely on just government-owned enterprises we would be doing a disservice. However, what does that require us to do? It requires us to be concerned about proper vetting of the employees, about a proper understanding of physically where the operations are located, and the third, if we have, and this was brought up in testimony before our committee very well, a particular type of security methodologies and procedures
8:09 pm
that we've adopted in the federal government, we need to make sure any vendor that we utilize is well aware of them and understands how they operate in that environment and therefore can apply those same things to the way they operate. And then last, and I think maybe most importantly, they have to have a level of awareness of what I call good computer hygiene. We've had testimony before the task force, in both briefings and the task force on cybersecurity, that in the number of 85% of the intrusions, the malware, the unauthorized access to the computer systems or alteration of computer systems, could be avoided by good computer hygiene: those of us as individuals in our operation of computers, by our systems directors, by the network providers. And so a major portion of that is awareness, and it is a general
8:10 pm
proposition to have in terms of this area of cloud computing. We need to make sure that there is an awareness from the design phase, but also in terms of those of us who would operate within that, whether we are in the government sector or the private sector, that we understand that good computer hygiene will allow us to eliminate a good portion, the vast majority, of those intrusions. And sometimes when we don't get rid of that, or many times when we don't get rid of that, that creates a clutter that makes it more difficult for the system operators, the federal government, the private sector to be able to focus on the worst kinds of attacks we have on the system. So it behooves all of us to do that. It is one of the simple things I was trying to stress at the meeting: the level of awareness as we go forward with cloud computing, and how do we do a better job both in terms of just regular computer operations, but also as we move towards cloud
8:11 pm
computing. How do we make sure that we are anticipating the unique security concerns that may be involved in that?
>> I guess with the public cloud vendors we have seen a couple of instances in the past year where the cloud isn't perfect. Sometimes it's happened; for example, Amazon's cloud service was down for a couple of days and might affect the public government, so they were out for a little bit. And then also Google had said a year ago that the hackers compromised the system and had taken some IP from it, and from China. Does that cause you some concern about that move to the cloud?
>> Sure it does. It gives you another set of concerns, if you will. For instance, I have my own
8:12 pm
system, my own network where I control it; there is a sense of proprietary security there versus when I send it up to somebody else. I guess the best thing I can analogize that to is if you are at home and you've got to run your own batteries or generator for electricity, that may make sense in the extreme situation, but if all of us did it, it would be impractical. We buy energy off the grid. That means we use it when we need it. It is the same concept with cloud computing. It makes sense for the government to move in that direction. However, there are certain things in my judgment that may never be able to be put on the cloud.
>> Like what?
>> The most classified level of information that we have. Health systems. There are clouds that they utilize, and we have to think through that in terms of how do we provide the kind of privacy
8:13 pm
protection they would give the average person whose medical information data is somewhat recorded, so they're going to be protected, and some of the experts who testified before us said it's no different from the small computer that you use; the genius is that we were able to move from mainframes, then we moved to the networks, and over to cloud computing. We have to be smart about it. There may be some data you don't want to put on the cloud, then you have different types of clouds, private and public clouds and network clouds, and does it make sense to diffuse the information that you put? In other words, it is not on a single cloud, maybe several different clouds. So it is the next stage in computing operations for virtually everything; we are going to have to move to it and
8:14 pm
understand going forward that the security is baked in from the beginning.
>> Final question. Jennifer Martinez.
>> Okay. So, you do have a cybersecurity bill that you are working on. When are we going to see that and what is the name of that bill that you are coming out with?
>> It shouldn't be looked at as competition to the administration proposal. I admire the administration for coming up with a comprehensive cybersecurity legislative piece. I think there are things I like in it and things I don't like, but overall they made a good attempt to bring it forward. If I would suggest one of the things that would be somewhat different in terms of my bill, and generally the bill that is going to come out as a result of the public task force on this, it would be less reliance on heavy
8:15 pm
regulatory schematics on the government to more of a voluntary public-private partnership going forward. It's easy to say; it's much more difficult to articulate. If you get that piece of legislation you would see that is a key part of it.
>> The cornerstone of that, though, is a non-profit organization that's going to act as a clearinghouse, with support from the government?
>> We are trying to figure out what is the interface that would allow the exchange of information, public to private and private to public, because one of the things we learned is a lack of confidence going in both directions, and so I don't have the exact model. We have come up with the idea of a not-for-profit operation that's neither federal nor private but is a consortium, and it's built on a desire for cooperation, but ultimately it is going to rely on a sense of trust and confidence that's built from the people that operate it.
8:16 pm
We are open to whether it ought to be one or several for different sectors, and if someone wants to call it something else or put their name on it, that's fine with me; I just want to get going.
>> Dan Lungren is the chairman of the Cybersecurity Subcommittee of Homeland Security. Thank you for being on The Communicators. Our program continues in a minute. Now joining us on The Communicators is John Curran, president and CEO of the American Registry for Internet Numbers, also known as ARIN, and he has many years of experience in the internet industry. Mr. Curran, when you testified at the cloud computing hearing this past week, you talked about some of your concerns with regard to cybersecurity and sensitive government programs. What are your concerns when it comes to cloud computing?
>> Absolutely. Thank you for having me on the show today. When I testified I focused on the fact that there are new aspects and old aspects to
8:17 pm
having the federal government make use of cloud computing. To some extent the federal government has been using cloud computing, or has been using outsourced computing, for years. Many of the systems actually don't operate in the federal data centers; they operate on contractor facilities. So there is experience in using federal computing systems that are located outside of the federal facilities and using contractors and using their services. That aspect of using cloud computing is actually well known and is something that the accreditation framework used for federal systems, FISMA, is actually quite capable of handling. The nuance with cloud computing that is added is that instead of using these outsourced facilities we are using the public clouds over the public internet, and it means we don't necessarily know the location
8:18 pm
of the computing that we are doing taking place. So I spoke at the hearing regarding some of the nuances of making use of the internet for doing the cloud computing, for accessing the cloud resources of the vendors. The fact is that that raises a number of concerns; in particular the internet itself is a changing environment, making sure the cloud keeps up with that, and also the use of the internet by the federal government is governed by government-wide initiatives, and we have to make sure that the cloud use of the government also follows the government-wide internet initiatives for securing the internet. And the fact that the cloud itself has capabilities for allowing the recovery of the federal systems doesn't mean that we don't need to worry about the migration of data from one cloud provider to the other.
>> Jennifer Martinez.
8:19 pm
>> I just want to jump into one of the gaps that you have identified, and that was the migration of the data from one cloud service provider to another, and I wanted to see, when the government is moving its service from one provider to another, how do we know that information on the original provider is not still being stored and they don't have it anymore?
>> That's an excellent question, Jennifer. If you think about the framework for securing the federal systems, there are controls that exist today that require federal agencies to do contingency planning. So if the systems are in three locations in the country and they lose a facility, they have to recover in the other two. But the fact of the matter is that that recovery is all within one federal agency.
8:20 pm
When you switch to cloud computing, we know the providers are robust and have the ability to recover, probably more so in many cases than the federal government can, because they have many facilities distributed globally, and that is a good thing. The problem is what if you are the cloud provider that has an irrecoverable compromise in its security, or shows for some other reason they can't be used. The problem that we face today is there are no standards to quickly move data from one cloud provider to another, yet this capability is required for good, responsible contingency planning. It's not enough to simply say that there will be standards or they will be coming. A federal agency has to be prepared for the fact a provider can fail in a way that requires a very rapid transition. So we need those standards for the migration of systems, and then we need to make sure
8:21 pm
contractually the cloud providers are obligated to work with those migrations, including clearing the data off the systems when they are done.
>> Actually, to that end, too, kind of backtracking on that, the former Obama administration spearheaded the cloud-first policy where he asked all federal agencies to identify the three services they should move to the cloud, and the first service should make that jump in a year and the others in 18 months. Are we moving to the cloud too fast? Are we putting security concerns second?
>> I think we are moving to the cloud at the right pace, but we have to pay attention to the details. For example, if you look at the testimony DHS's Spires gave during the hearing, he identifies that
8:22 pm
DHS needs to be careful about what it was moving to the cloud, to the private cloud, for the strategy of limiting the private cloud to data that is predominantly public and issues already within DHS. It is the type of balanced risk-taking encouraged, and actually the type of evaluation that the risk framework the government uses, FISMA, should be in charge of in other agencies. So we think the short answer is we are moving aggressively, and I think that agencies should continue to do so, but they need to do realistic risk management when they do that in choosing which applications to move and how fast they do it.
>> John Curran, if DHS is developing its own private cloud, is there going to be a tendency for all government agencies to develop their
8:23 pm
private cloud, kind of swallowing up the benefits, the proposed benefits, of cloud computing?
>> In 2008, when the federal government did its inventory of the I.T. systems, which the OMB published, there were 10,000, or in excess of 10,000, federal I.T. systems, and many of those 10,000 systems were systems that operated with what we would call high-risk impact data, that if it got out would hinder the ability of the agency to operate, but there were thousands of them that were low risk or moderate risk, and the low or moderate risk systems are the ones that are suitable for the cloud. The federal program that has been developed by the GSA, OMB and DHS encourages looking at those applications. So I think that you will see private clouds particularly for
8:24 pm
the moderate risk applications, but there are many applications perfectly suitable for the cloud today, and in cases like that the public cloud offers all the benefits. I think it's good to make that evaluation; public in the case of DHS for the initial doesn't mean all their applications will end up there.
>> I wanted to ask you about, for example, one of the major cloud service providers coming up right now, and that's Google. About a year ago they had published a posting that hackers had compromised their system and had stolen some intellectual property in the process, and that attack, it said, stemmed from China. So if Google is able to be breached and is offering an
8:25 pm
array of cloud services, not just Google, but other very well known innovative technical companies providing the services to the government, is that a concern when you have news of a breach coming from another country?
>> I think the way to look at this is it is true cyber attacks are increasing. Your own Communicators program has interviewed many people who have testified to that. The fact is we are seeing rapid increases in the cyberattacks, and they are coming from all corners of the globe. The federal government has structures on how to secure its systems, but even with the formal structures the federal systems see security issues, and those are well documented also in the headlines. When you look at using a service provider who is a public vendor, regardless of what that vendor is, there are advantages and disadvantages.
8:26 pm
The advantage you pick up, as you have to recognize, is those are on the internet each and every day and therefore are exposed in a timely manner to a lot more security threats than necessarily are seen by any given agency and its security personnel. Obviously the global cloud service provider, whatever it is, has in some cases more expertise and more experience because of the exposure that they have on an ongoing basis. Now, the countervailing view is simply that, yes, it is true that if a compromise occurs it is necessary for the government to be able to know where the data went and what to do about that. That is what the FedRAMP program specifies. It specifies a list of controls that talk about where the data resides, who is managing it, and how it is backed up.
8:27 pm
By using the public cloud providers who also certify themselves through the GSA FedRAMP to be authorized for use, the government picks up the benefit of the cloud computing provider and their security experience, as well as the list of controls that they have been accrediting the systems with for the last decade. It's not going to be perfect and there will be issues. We have to recognize there is a benefit in using the providers because they also have a very visible public presence and they have a lot of experience in this space.
>> Mr. Curran, one of the areas of your testimony is about emerging threats to the same security in cloud computing. What are some of those emerging threats, and are we thinking about things that haven't happened yet?
>> We actually are. I spoke about emerging threats and also the evolving nature of the internet to secure against those threats. There are a number of
8:28 pm
initiatives the federal government has launched, including DNSSEC, Domain Name System Security: the ability to know that a name is actually going to be mapped to an organization in a way that you can verify. Our current name system isn't 100% locked down. The federal government has worked hard to make that happen. There's another administration initiative with IP version six, the protocol to let the internet grow. These are designed to secure the underlying nature of the internet, and we are making great progress in both of those right now across the federal government. My testimony specifically represents the fact that as we authorize the cloud computing providers we have to make sure they also follow the federal initiatives, because those initiatives are designed to secure not just cloud computing providers but secure all of the federal government. So there are emerging threats,
8:29 pm
and what we are trying to do is make sure we have better authentication and a better identity on where the cyberattack is coming from. The DNSSEC and IP version six initiatives will get us there long term. We can't exclude the cloud computing providers in the process of authorizing them to hold federal systems to the
>> Final question from Jennifer Martinez.
>> Representative Yvette Clarke, a representative on the Cybersecurity Subcommittee, asked the first panel of administration officials what type of data should never go in the public cloud, and she asked the same thing of your panel and let you off the hook, so I wanted to pose that question towards you.
>> Absolutely, and it is an excellent question. The most important thing to realize is that this is a decision that is the federal agency CIO's
