In the heart of Silicon Valley, NASA Ames Research Center is in a daily battle with the giants of the commercial tech industry for the best and the brightest to come work for them.
But for Jerry Davis, the NASA Ames chief information officer, the challenge is even greater: his needs for cybersecurity experts, big data analysts and regular everyday IT workers to run the network or keep the laptops and desktops humming are even tougher to fill. That’s why Davis, who has been CIO at NASA Ames for 20 months, said his top priority begins and ends with the workforce.
“My leadership’s priorities are always on the workforce, organizational development. You can’t get work done without people. It’s people that drives me,” he said. “I spend a lot of time on developing the workforce.”
Davis said it’s tough to compete against the likes of Google, Facebook and many, many other top technology companies.
“Google actually shares part of our campus, and I’ve lost more than a handful of employees to Google because they’re smart, bright, talented people,” Davis said. “Getting people in isn’t the hard part, it’s retention over time. We do have pretty robust training. The tough part is once they are trained up and working for a couple of years, other opportunities come up to them whether it’s Google, Facebook or LinkedIn, they are all looking for solid people. So it’s really tough.”
Davis said he’s focusing more on cross-training people rather than trying to fill positions in light of head count restrictions and competition within NASA and the commercial sector.
Help from the data scientist, please
NASA headquarters recently brought on a data scientist and Davis hopes to take advantage of that person’s skills specifically around cybersecurity.
Ames runs the security operations center for all of NASA, and Davis wants help understanding and using all that information to improve the space agency’s network and application assurance. “I met with this gentleman [recently] and said, ‘We know that there’s valuable data that has to do with attacks and vulnerabilities, but I really don’t even know what I should be looking for, or how to go about looking for it,’” Davis said. “So his whole job is to look at those data sets, get a sense of the job that we do, and then help us develop the algorithms to look for those particular data sets that we can use to produce information and then develop mitigation.”
Davis said another area where he wants help from the data scientist is quantum computing, including quantum cryptography.
“Is there something that we can do that’s practical at that level?” Davis said.
Beyond the work with the data scientist on cyber, Davis said the security operations center, which he helped set up when he was at NASA headquarters from 2008 to 2010, has matured over time in terms of how it’s used and the technology running it.
“What we find and what it all comes down to is the data that we collect when we have incident tickets that come in and we review those tickets. We find that largely everything comes down to what I like to call basic hygiene — very basic administration of IT so it’s IT management,” he said. “If you have poor IT management then you will inevitably wind up with poor security.”
As part of his IT management effort, Davis said he’s trying to educate the Ames workforce and train them about phishing attacks.
“Phishing is probably the number one attack vector we see today, not just across the government, but all areas of industry. We are doing a number of phishing exercises where we actually craft phishing emails and send them out to several thousand employees from the security operations center and then we look at how people respond to those emails,” he said. “We can tell that they got the email, how long it took until they opened the email, how long did it take until they clicked on the link in the email and they actually entered their credentials as it asked for in the email. If they go to that level, they get a pop up screen saying this was a training exercise and we give them a little training. We can see how long they spent on the training page.”
Davis said that exercise helps NASA see how vulnerable its employees are to phishing attacks and create training to help them.
Cloud, service delivery integration
Beyond cyber and workforce, Davis said his other priorities include improving service delivery to his customers and moving into the cloud.
“I spent the first year just looking at operations, how we run things, how we do things and whether customers are happy,” he said. “We always are looking at new ways to better improve mobility. NASA, by the nature of the work we do, is highly mobile. How do we best serve them? We do a pretty good job today, but we always are looking for the next set of technology.”
One of the next technologies that NASA Ames is making big use of is virtual collaboration. Davis said Ames runs a virtual institute to bring scientists from around the world together. Customer service, the virtual institute and even mobility all depend on Ames having a robust network.
That’s why Ames has been a leader in exploring how cloud computing can better meet its needs, Davis said.
NASA Ames is working with headquarters to set up a cloud service office to build the interconnections, the interfaces and the business processes for NASA to use a commercial government-only cloud.
“We are doing all the front-end work as it relates to security,” he said. “What are the security requirements that the commercial provider has to have? What are the requirements on the customer side? We are building all the frameworks for that. How do we bill it? How do we track usage so we can get all of our NASA customers to commercial cloud providers?”
NASA has been working on this for a few years through pilots, including one that’s happening now. Davis said over the next year or so, this concept should be available more broadly across the entire agency.
“We put a lot of focus on the security and a lot of focus on the service. This is a new service,” he said. “Service planning, design, implementation and management, we wanted to make sure we did all of those pieces right. There is a service executive out of headquarters.”
Davis said one of the pilots within Ames is figuring out how the commercial service works and how well the agency can track usage, deal with billing and ensure the cloud vendors meet the agency’s security requirements. “There are obviously a lot of legalities that you have to go through when you are trying to use a commercial service. You spend a lot of time on administrative issues with our general counsel to make this happen. We are starting with the low and incrementally moving up to moderate. We don’t want to rush into things, set ourselves up for compromises, vulnerabilities and that sort of thing. We have been doing a lot of work on the security side of things.”
Davis also participated in a Federal News Radio online chat where he discussed his cybersecurity goals, big data and more.