The National Oceanic and Atmospheric Administration has six different line offices ranging from the National Environmental Satellite, Data, and Information Service, to low Earth-orbiting satellites, studies on the effects of coronal mass ejections. As Robert Hembrook, former director for the Cyber Security Division in the Office of the Chief Information Officer at NOAA said, the Commerce Department agency’s mission “starts at the sun goes all the way to the bottom of the ocean.”
It’s also a broad spectrum of data formats that NOAA uses, stored on more than 90 different business systems which all require a check on authorization and cyber health, said Hembrook, who is now deputy director for operations and networks at Air Force Cyber Command. Maintaining the data’s confidentiality is crucial, but so is preserving its availability to the public.
“We have to find that balance between putting that data in a way that people can use [it] to the best benefit without exposing where the source of it, or the methodology that’s used to produce it, is because you need to see the meteorologic data. You don’t need access to a supercomputer that made it,” he said on Federal Drive with Tom Temin.
When tackling cybersecurity and, more specifically a Zero Trust model, for such a variety of systems Hembrook said it’s important to have a strategic view of where the organization should end up. Understand individual systems and who runs them, and what data they host. NOAA has a facility in Fairmont, West Virginia, staffed by contractors and overseen by government officials who monitor and operate those systems.
NOAA also has an advantage when it comes to supercomputing. Hembrook said even shuttling the massive amounts of data from its sources to the supercomputer and then to an access point is a challenge.
“Having a very wide bandwidth, high availability network, which we do have for our partners with the Internet2, gives us the ability to shuffle data internal to NOAA and that goes through our [trusted internet connections] and then, has our aggregation ring outside of that to shuffle data up to our clients outside NOAA — that’s really critical because the number of computers we have is limited,” he said. “The amount of compute they have is maxed out pretty much all the time. So being able to effectively and efficiently use those resources we have to move a lot of data to a lot of places.”
Some of that data, especially for weather forecasting, is used to feed publicly available applications. That reality, combined with the need for NOAA employees to occasionally work remotely, requires clean data, he said. Cybersecurity takes a four-sided approach: network architecture, its users, its data and types of access.
On the people side, Hembrook said tokens, two-factor authentication and role-based authentication are important. Meanwhile, NOAA’s network operations and security center has a computer incident response team. He said Zero Trust is certainly on the agency’s mind but it’s easier said than done.
Homeland Security presidential Directive-12, also known as the Common Identification Standard for Federal Employees and Contractors, and identify access management were helpful in that regard. He said it is easy to control users at the Microsoft active directory or system level, while moving beyond that is a “developing process.”
“So we’re rolling that out as time and resources allow, which as you know, in the federal space does take a minute and our planning horizon, unfortunately, when it comes to budgets and such, are done year by year as appropriations allow,” Hembrook said. “But the vision is there, so that years from now, we’ll be able to have a soup-to-nuts solution.”