The non-profit Institute for Critical Infrastructure Technology, ICIT, has a new executive director. Someone already familiar to those in the federal information technology community. Joyce Hunter was deputy chief information officer for policy and planning at the Agriculture Department and later its acting CIO. She’s also had a long career in management consulting. Joyce Hunter joined Federal Drive with Tom Temin to discuss.
Tom Temin: Joyce, nice to talk with you. It’s been a long time.
Joyce Hunter: Nice to talk with you too Tom. It has been a long time. Glad to be back.
Tom Temin: So tell us first of all, what made you join the nonprofit world after all this long history in government and private consulting?
Joyce Hunter: You know, I think it was not necessarily nonprofit specifically — but it was more in the area of education and research. I always have an affinity for nonprofits. I have a nonprofit myself in the summer program teaching underserved and underrepresented youth data science. So I think the mission of ICIT was greatly important to me, and very, very interesting.
Tom Temin: And tell us more about ICIT itself and what its mission is because there’s a lot of similar sounding associations around town and sometimes it’s hard to kind of sort out the cards in the deck.
Joyce Hunter: True, absolutely. So the Institute for Critical Infrastructure Technology is a think tank, which is a lot different than a lot of the other organizations that are around. It provides objective, nonpartisan research, advisory and education to all sectors and all aspects of not only the federal government, but legislative and commercial and all cybersecurity stakeholders. So we want to create a renaissance. People have talked about cybersecurity, and I think they just got weary about you know, talking about FISMA and all the things, Atos, and everything that goes around cybersecurity and security period, and we wanted to bring it to another level which talks about the thought leadership involved in cyber security.
Tom Temin: Got it. And so what are some of the activities then that can contribute in that mission?
Joyce Hunter: Okay, so we do publications, we have a group of fellows. And if you look at our website and you see the list of fellows there, lots of distinguished people in those fellows, Dr. Darren Death and Dr. Barry West, as well as some others. We do videos, we do monthly cyber legislation. So we actually have a researcher that actually goes through the tedious task of looking through every single piece of legislation and reporting out on it every month, so that members, our sponsors, and our fellows can take a look and see where they might be able to focus their resources. We also have events. Most of those events have been unfortunately sidetracked for now. But we are going to be reinventing them through a virtual format. So you’ll see some announcements come out about that soon. And we also have papers that are written, research papers that are written that we provide to our membership
Tom Temin: Got it. And do you count among the audience federal cyber practitioners also?
Joyce Hunter: Yes, federal practitioners as well. So we have had people from DoD, DHS, USDA, on our panels, and as part of our membership,
Tom Temin: And in your stint, you had a good long run at the Agriculture Department as the deputy CIO. Looking back on it now, what do you personally see as the big challenges for federal agencies as different threats emerge, different causes of possible interruption of operations and cybersecurit– what do you see them facing coming up?
Joyce Hunter: From my perspective as both an insider and an outsider, I see that a lot of the rules and regulations such as FISMA, they’re kind of going by the wayside. They’re not looking at some of these applications as we go forward. And they are kind of rushing to put these applications out. Everybody is interested in providing a COVID-19 solution. And these COVID-19 solutions not necessarily go through the necessary protocols for Atos as well as the FISMA. Because everybody’s involved in doing other things. And so I think that that’s a big challenge. Another challenge is with their FITARA scores, they’re talking about, now this isn’t official, but they’re talking about because FISMA takes so much time and resources and effort — they’re talking about not putting it on the FITARA report this time around. So that still has to be decided. And I think that that’s not a good idea because I think you have to have that kind of rigor in order to ensure that you don’t have any of the nefarious activity that’s going on in these organizations. And I think, you know, COVID-19 does provide a threat for all of the federal agencies, you know, all the bad guys think that we’re off doing other things, and we’re involved in other activities, and we’re not really keeping our eye on the ball as far as our cybersecurity and our resiliency, and infrastructure. So I think that those are the areas that are going to be of concern.
Tom Temin: I guess these issues fall into two buckets really technology and management. You mentioned the Federal Information Security Management Act, FISMA, and FITARA, the Federal Information Technology acquisition Reform Act, and compliance to those is measured by Congress and OMB on the part of agencies and sometimes they fall short there. But earlier, you also said that the deployment of new applications without the security being built in from the outset, I guess it’s surprising that that would still be an issue this late date.
Joyce Hunter: It always is. You always have shadow IT. There’s always somebody out there that’s doing their own thing trying to be helpful, or doing their own activity. I do not have any thoughts that you know, everybody is compliant. The reality is there are organizations out there or individuals who are doing their own research projects, doing their own activity, and they have not gone through the necessary steps in order to get that authority to operate. And I think that you know, you could have, my recommendation would be that you’ve started out from the very beginning, bake it in, as soon as you get the bright idea that you might want to do something, you should have security and you should have testing linked together at the very beginning to go through the entire process because a lot of people think that this is going to take too much time, it’s going to keep me from executing on a timely manner — but if you do it at the beginning, you don’t have that problem. It’s already done and you just have to flip the switch when you get to the end.
Tom Temin: And what’s your take on the technology modernization fund? That’s been about $25 million. And your old department was one of the big taker uppers of TMF funds to do modernization of specific applications. Now there’s a proposal from some of the democrats in the house to put a billion dollars into the TMF. Presuming that even happens, and it’s it’s a long shot, how could that money best be used across agencies do you think?
Joyce Hunter: I think that can be used in both infrastructure. And like you said, the business operations, the people part of this, the consumer experience or the customer experience, whether they be internal customers, or external customers, I think you do have to have both of those areas satisfied. Technology is wonderful. And technology works. You don’t have to worry about that. You have to worry about the culture of an organization. And once you get the culture wrapped around the idea that a lot of these things FITARA, TBM, you name it. The alphabet soup. They are necessary in order to ensure that we have accurate reporting of what we’re doing with the money that our taxpayer dollars are going for. So I think that developing these areas where you can have conversation around what these..
Tom Temin: (Jokingly) You’ve got a lot of technology going in the background there, sounds like yes.
Joyce Hunter: (Laughing) There’s always something beeping and buzzing atbme. But yes, you have to have those kinds of things in place. And you have to have that collaborative infrastructure, not just technical, but people collaborative infrastructure to build that continuing resiliency.
Tom Temin: Joyce Hunter is the new executive director of the Institute for Critical Infrastructure Technology. Thanks so much for joining me.
Joyce Hunter: Thank you, Tom. I look forward to working with everybody.