For one HHS office, a cyber failure isn’t always bad news

Matthew Shallbetter has an unusual job in government. He actually goes out and meets with cybersecurity vendors.

As the director of security design and innovation at the Department of Health and Human Services, Shallbetter is on the lookout for the next great cybersecurity technology or tool. He often is attracted to those that have grabbed the attention of venture capital groups.

Shallbetter said this approach helps HHS make better decisions for how to protect its technology networks and data, because sometimes failure is a good thing.

He pointed to a six-month pilot using a secure internet browser tool.

Matthew Shallbetter is the director of Security Design and Innovation at the Department of Health and Human Services.

“We got an ‘F.’ It just didn’t work. It was too complicated, too heavy. But we tried it and we got everybody involved pushing on it. So we learned a lot. We learned we don’t want to do that again. And that helped us pivot to some new capabilities,” Shallbetter said on Ask the CIO. “We have solved some other problem like around Domain-based Message Authentication, Reporting and Conformance (DMARC) products. We had been testing those solutions internally for a while before the Homeland Security Department pushed out their binding operational directive. We were already pivoting to that, particularly around Healthcare.gov, and some of the more well-known domains that were just getting spoofed every year. We began testing a couple of products in March, I think we had around a three different products, we chose one.”

The roll out of DMARC software to the Healthcare.gov portal just before open season started in 2016 was a success story.

Shallbetter said the Centers for Medicare and Medicaid Services installed the tool and for the first time they had zero spoofing incidents against the portal.

“I think we just scared them off completely. Just because we were ready. So we’ve had successes and we’ve had failures. But that’s sort of the way we win,” he said.

DHS eventually mandated agencies add DMARC tools to their websites in 2017 to prevent email and website spoofing.

Securing a wide-range of devices

Shallbetter said the DMARC example shows why meeting with vendors and other experts helps HHS address emerging threats more quickly.

“The Center for Disease Control and Prevention has done some great work in terms of this year pivoting to Zscaler, and some zero trust products, and moving some of their products to the cloud. That started with us. So I’m not always the one doing the innovation. That’s not really what I’m here for. But at least I’m building a community of like-minded folks, and giving them ideas on where to go and where to start,” he said.

One of the big challenges Shallbetter and his office faces is the federated nature of HHS and the assortment of devices ranging from Apple computers at the National Institutes of Health and the other scientific communities, to executives using tablets.

“When you begin to put some of this newer technology on that hasn’t been tested, we just realized, there’s too much variety at the very end of our network to deploy those kinds of tools, if they’re heavy at all on the endpoint. Putting things in the cloud, making it shareable and accessible, mean that our federation is less of an issue. We can put that on the vendor or the product suite or the integrator, we can offload that challenge to somebody else. And I think that someplace where our failure early on, definitely led to us looking or led to me looking at that cloud browsing as a solution,” he said.

Bringing HHS components together

The lessons from the cloud isolation browser test now is helping HHS launch a full on pilot with a technology that meets their needs. Shallbetter said he is working with the Defense Information Systems Agency on the CBII effort after DISA awarded a five-year, $199 million contract to move the technology into full-production last summer.

The other part of his job beyond meeting with vendors and testing products is to help the component agencies understand what is possible around cyber. The HHS CIO only controls about 20% of the agency’s $6.4 billion IT budget with a majority of it tied to programmatic efforts.

“A lot of the activity is really coalescing on a good idea, which is why the bigger products seem to make a splash. The department does have access to funding sources so a lot of our solution has really been getting the CISO leadership together, getting the CIO leadership together on a monthly basis to talk regularly and align around common problems,” Shallbetter said. “The Government Accountability Office audits have an enormous impact on our activity, and they’re hitting all of our big operating divisions. Those kinds of pressures tend to bring the CIOs and CISOs together. They have a lot of the same challenges, even though we have very different missions. We’re still trying to solve the same problems, and still have some of the same internal problems. I think that where we’ve really made successful movement in this area has been sort of the combination of two activities. One is driving some of those discussions into those groups, getting them to say where their problems really lie and how the department can shoulder some of those burdens and get them upfront to agree to commit to some of that activity, and always helps if we haven’t a source of funding that we can.”

Related Stories

Comments

ASK THE CIO

THURSDAYS 10 A.M. & 2 P.M.

Weekly interviews with federal agency chief information officers about the latest directives, challenges and successes. Follow Jason on Twitter. Subscribe on Apple Podcasts or Podcast One.

Sign up for breaking news alerts