
IT Security Challenges
David W. Carey
Oracle's Vice President of Information Assurance

Friday, June 13, 2003; Noon ET

Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.



CynthiaL.Webb: We will be starting our Live Online with Oracle's David Carey in about five minutes. Thanks, readers, for the great questions to get our chat started. Keep your input coming! And thanks for joining us on washingtonpost.com.

________________________________________________

CynthiaL.Webb: Good afternoon, Dave. Thanks again for joining us today to talk about IT security challenges facing both the private and public sector. What are the top concerns that your technology clients have about keeping their data and information secure?

DavidW.Carey: The principal concern is just that - keeping their data secure. This is especially true because so many of our customers are in the federal government -- especially the military and the intelligence community -- or in areas such as health care that have security requirements mandated by law. These and other customers are interested in Oracle's ability to protect their data with the technology that we've developed over the last 25 years. That technology allows strong authentication, the ability to encrypt data in motion as well as at rest, the ability to control access to data based on individuals' roles and the sensitivity of the data, and finally the ability to aggressively audit users. This technology allows customers to protect themselves from outside attack as well as from misuse by insiders.

________________________________________________

Annandale, Va.: What do you see as the biggest threat to corporate and consumer Internet security?

DavidW.Carey: Various surveys have indicated that the most costly attack to corporations is the attack from the privileged insider. For consumers I think it's fair to say that there's a bigger threat from hackers stealing data while it's at rest -- such as your credit card numbers while stored -- rather than intercepting data in motion. The key to defending from both is to provide strong protection at the source, i.e. database level.

________________________________________________

Bethesda, Md.: Did Oracle hire you specifically in hopes of selling software to the CIA?

CynthiaL.Webb: We have a number of questions along these lines. Obviously, your credentials and experience are what got you the job, but how important do you think your Rolodex of government contacts was when Oracle eyed you as a prospect?

DavidW.Carey: No. I was hired to build Oracle's Information Assurance Center in Reston, Virginia. Actually, federal ethics legislation precluded me from interacting with the CIA for a year after I retired.

________________________________________________

Washington, DC: It was reported last fall that private sector firms helped defang the Bush administration's cybersecurity strategy -- fearing a bunch of government mandates. Did Oracle participate in that defanging? And does your company see a need for government standards and requirements for IT security?

DavidW.Carey: I don't know about the "defanging" by others but Oracle supported the effort to develop the cyber strategy. Oracle has invested heavily not only in our security technology but in having that technology evaluated by independent laboratories against the "common criteria" and FIPS 140-2 criteria. These evaluations give customers the confidence that our products will perform as advertised. Oracle has completed 15 of these evaluations and has 3 more in progress. In sum, Oracle is a strong supporter of the cyber security strategy.

________________________________________________

CynthiaL.Webb: You worked for more than 30 years at the CIA before joining Oracle. What IT roles did you have at the agency and what lessons from your years in the public sector have helped with your post at Oracle?

DavidW.Carey: The last four years of my career I was the Executive Director for CIA, often described as the Chief Operating Official. As such I had a hand in making policy that affected the IT infrastructure. I was fortunate in having IT experts to advise me and to implement those policies.

________________________________________________

San Diego, CA: Aside from Oracle's database, what other technologies do you see as important in the future? How do you see the role of emerging multi-level secure operating systems?

DavidW.Carey: Technologies that support security for collaboration including web services security, J2EE, and solutions for identity management will be increasingly important. Oracle has supported MLS efforts for over a decade and our technology has been used in accredited solutions that are deployed today.

________________________________________________

CynthiaL.Webb: Back to cyber-security at the national level: Could you provide some more specifics about what particular guidelines, mandated by the government, you think would help to bolster critical infrastructure for both companies and the government? There has been a lot of criticism from people who think the government's oversight so far has just been guidelines, not required mandates.

DavidW.Carey: With respect to national security information systems, there are guidelines such as NSTISSP # 11, which has been endorsed by DoD in its Directive 8500.1 and included in the Defense Authorization bill passed last December.

________________________________________________

CynthiaL.Webb: Does Oracle's Information Assurance Center do IT security research? Also, can you give examples of how the center interacts with public sector?

DavidW.Carey: The principal focus of the Information Assurance Center is Oracle customers. We work with these customers to solve their information assurance-related challenges. We work closely with the Oracle developers to stay current with the latest research and to let our developers know what is of interest to our customers. The IAC works with several of the trade associations that focus on information assurance as well as increasingly with the higher education institutions in this subject area. We are also active in symposia and conferences in this area.

________________________________________________

CynthiaL.Webb: We have another 25 minutes online with David. Readers, thanks for your great questions so far.

________________________________________________

CynthiaL.Webb: You mentioned that many of Oracle's customers are in the federal government. How has your business with Uncle Sam grown since the ramp up in homeland security efforts?

DavidW.Carey: Oracle has always done business in the area of homeland security because we're part of the critical infrastructure. It has taken on added importance since Sept. 11, and Oracle is well-positioned to help in the area of secure information-sharing, which is integral to any homeland security solution. Oracle's database and applications technologies are also central to the e-government initiatives federal agencies are implementing.

________________________________________________

Arlington, Va.: What do you see as the bigger market for software firms -- the federal sector or state and local?

DavidW.Carey: I'm not in the sales organization so I'll have to pass on the specific answer. What I can say is that both markets are interested in secure information sharing and in data protection. The Information Assurance Center has hosted customers from both sectors.

________________________________________________

Burke, VA: How does an agency determine which product to choose from the hundreds of IT security vendors? I understand that a multi-vendor layered approach may be best, based on enterprise architecture platform, size of a network, network operating systems and applications, number of users, etc., but can you shed some light on how IT buying decisions are made at the CIA and/or other federal agencies?

DavidW.Carey: In evaluating security solutions I think it's important to look at both technology and performance. In the latter category you want the assurance that the product will perform as advertised. That's why the independent evaluations are so important. In essence, technology + evaluations = assurance. With that formula in mind it's much easier to cut through the marketing spiels and focus on real solutions.

________________________________________________

Falls Church, VA: What have you found to be the best IT Security and government/ industry forums and conferences to attend for networking and information on the sector?

DavidW.Carey: There are so many opportunities in this area that I'm hesitant to point you to a few for fear of leaving an important one out. That said, and with apologies to those that I overlook, I've found the conferences arranged by the Information Technology Association of America (ITAA) to be well focused on specific issues and problems. The E-Gov conferences are generally much bigger and bring an amazing array of talent to the various presentations. One just finished at the Washington Convention Center this week and there's an E-Gov conference on Information Assurance in September. FOSE is always beneficial, and there are a number that are devoted to homeland security issues. The key for me is who's on the speaking agenda and who's participating on the panels.

________________________________________________

Los Angeles, CA: Given the world's current security environment, is it reasonable to think that IT security can protect the nation's infrastructure (electricity grid, dams, bridges and refineries) from hacker attacks from the increasingly tech-savvy terror networks?

DavidW.Carey: Clearly this requires a lot of effort. IT security will be only one part of the equation, but obviously it is especially important. My understanding is that many of these systems were built for special purposes; the security concerns are raised because portions of these systems are now connected to the Internet. The basic tenets of security still apply, however. Defense in depth is especially important, to include physical security and personnel security as well as multiple layers of security technology. That latter includes the adoption of security policies such as "least privilege" access. Auditing and accountability are also important. In essence, while there might not be a perfect solution, there are many things that can be done. I'm confident that much is already underway.

________________________________________________

Bethesda, MD: Do you think the government has the necessary infrastructure to support its own IT initiatives? It seems to me that this has got to be a public/private pursuit.

DavidW.Carey: I think it always has been a public/private effort. The key now is that the relationship must be even more dynamic and agile than in the past to keep up with both the advances in technology and the changing threats.

________________________________________________

Alexandria, VA: I thought In-Q-Tel at the CIA really was going to yield some interesting marriages of tech knowhow and the agency's strengths. If it's produced anything worthwhile, it's been so classified that we can't see it. Does Oracle work at all with In-Q-Tel, and with your experience on both sides of the fence, can you comment on the taxpayer value of a program like In-Q-Tel? Seems to me that it's a waste of taxpayer money.

DavidW.Carey: This is a personal perspective, not necessarily an Oracle view. I think In-Q-Tel has been a success. The previous questioner asked about public/private partnerships. The In-Q-Tel approach was designed because of the recognition that new ways were needed to keep current with what was being developed in the private sector. It provides the agility I was talking about earlier.

________________________________________________

CynthiaL.Webb: David, thanks so much for taking the time today to talk about a number of IT security issues (and for staying extra to take some extra questions). And readers, thanks also for your input. We look forward to seeing you all online again soon. Have a great day!

DavidW.Carey: Thanks, Cindy. It's been a pleasure.

________________________________________________


© 2003 The Washington Post Company