Armchair Quarterback: Tech Trends with John Curran

Carolyn:

Welcome to Tech Transforms sponsored by Dynatrace. I'm Carolyn Ford. Each week Mark Senell and I talk with top influencers to explore how the US government is harnessing the power of technology to solve complex challenges and improve our lives. Hi, I'm Carolyn Ford, welcome to Tech Transforms. Today I welcome John Curran, Executive Editor at MeriTalk. Hi John, how are you?

John:

Hey Carolyn, how are you?

Carolyn:

I'm good. I have to tell you, this episode that we're doing today, I love doing these because we get to armchair quarterback. Is that the right term?

John:

It is.

Carolyn:

. We're going to look back on: 2022

John:

e carryovers essentially from: 2021

John:

I see those two things as having been very consuming for federal agencies this year. I base that conclusion on the fact that our reporting staff goes out and essentially goes to a ton of events where federal CIOs, and CISOs, and federal technologists are speaking publicly. We listen to them, we write stories every day, and that's what they talk about, they talk about really having to get after the security order. Those two trends are big in terms of what CIOs, and CISOs, and other agency leadership has to be worrying about. The way the orders have been written doesn't give them a lot of wiggle room to defer action on either of those things. We see them coming up again and again as things that the Biden administration really wants agencies to make some serious headway on.

Carolyn:

We see some deadlines like: 2024

John:

ybe we don't get full-year FY: 2023

John:

We talk to a lot of private sector people and they will just tell you they will say, "Look, we have stuff to sell to the government. The government wants to buy from us, they want to do these things, but if the budget isn't there it's just not going to happen, it can't legally happen. An agency can't spend money that it doesn't have that it hasn't been appropriated." When we talk to those people, you get a real feeling of concern that not only may government agencies not to be able to make the progress that they want to make, but also the private sector companies that are really lining stuff up for them may have not a great year.

John:

Timing-wise, we were supposed to have FY23 approach on October 1st of this year so it didn't happen. We're getting into the three-month period with running on FY22 funding levels. FY23 funding levels we presume, and I think everybody believes, would have some more in agency budgets, would have some more in the budget for CISA to really do more security work. But if that money's not there the work won't happen at the volume that it's supposed to because you have to rely on FY22 funding levels. It's a big problem. And something that, if you're not in the government game, doesn't get talked about a lot. Money matters and you can't spend what you don't have.

Carolyn:

we move to, or farther into,: 2023

John:

Personally, that surprised me. Maybe one or two things. And these are not criticisms, I'm not here to be critical. We look a lot at the technology modernization fund and the fundings that they do, and they do them periodically and the news happens often. They still have several hundred million to put out on projects. I think it's maybe to me slightly surprising that they haven't spent a little bit more of that money that they have. When we listen to TMF officials, they give very proper explanations that they evaluate projects carefully and there's no reason to doubt that or doubt anything that they're doing. But the kind of flow of some of that billion dollars of TMF money that came to them last year, I think you could talk to certain members of Congress and maybe certain agency people that wished that they were a little bit splashier with the headlines on that. Again, that's not a criticism for me, but that's a observation of just having spoken with people about it.

Carolyn:

lk about we're not funded for: 2023

John:

Right.

Carolyn:

ntum towards these efforts in: 2022

John:

I think if you asked federal agency tech leadership, I think the answer would be yes. And I base that not on being able to read their minds, but I base that on how the zero trust aspect of the cybersecurity executive order has really come down. One thing to know about executive orders is that they come in a lot of flavors. The Biden administration has issued quite a few, the Trump administration issued quite a few. What we always look at when we report on those is the really specific language about what does the order really order agencies to do? What does it really, really require?

John:

And a lot of orders over the years are somewhat aspirational. And so they will start off with something like is the policy of this administration that X, Y, Z. We want OMB to take two years to study a discrete issue and then come back with recommendations. Those are good ways to elevate what the policy concerns are but they don't have a lot of instructions on the backend. I'm not saying that they're not taken seriously because they certainly are, but there's not a great big to-do list that goes along with it.

Carolyn:

Right. They just say, "Go do this," but there's no prescription on how to do it, right?

John:

Right. If you look at the cyber EO and then you look at what springs from that through zero trust, it's super specific. It came out with a list of 45-day deadlines, 90-day deadlines, six-month deadlines that were really showed a lot of action that agencies had to do, they didn't have an option to not do these things. So OMB issued some subsequent guidance on that, CISA issued some really detailed subsequent guidance on that. And some of the bottom line there is, we want to find out exactly where an agency is on security so unveiling the truth about your security including maybe if there's any dirty laundry there or things that you haven't been doing. They want to find where the baseline on security is for all agencies. And then they want to funnel money and they want to funnel people from CISA into the agencies to say, "Okay, well now we'll sit down and we'll really start to do stuff about that."

John:

The Federal CISO, Chris DeRusha, has been very vocal about that, and very vocal about there is no way to get around making progress on this order. Back to your original question. If you asked federal technology heads, "Are we making progress on it?" I think everyone would say, "Yes." It's a quite serious directive that agencies really can't get around. And I think technology people above all others realize how significant the cyber threats are and how much they grow. The thing that everyone will tell you is that as our government gets better at let's call it cyber defense, the adversaries are always getting better at cyber offense. It's never a static situation. It's always something where the adversary is going to show you something next week that you hadn't seen the week before. Progress is really super critical. I think that executive order really makes progress happen and I think agency people would probably agree with that.

Carolyn:

ntinue and just get better in: 2023

John:

I think it certainly has to. And what Bob Costello at CISA was talking about there was, issues of security have been bumped up the ladder in importance at agencies. And so if you think of an agency's secretary, right, so think of what they have to do all day. They have to manage agencies that are quite large, have a lot of things going on, and they can't sit and worry about tech all day, they can't sit and worry about cyber all day. What the effect of security EOs and zero trusts policies do is it pushes those issues up to the secretary level. Instead of maybe a few years back, the CIO and the CISO would be off in their own little area doing their techy things, and the agency secretary could just assume a good job was getting done and the technology works. The policies are really directed at the agency secretaries and so they have to take the CIOs and the CISOs and bring them to the table.

John:

of that not going that way in: 2023

John:

Just one more point on zero trust. Really the whole point of the zero trust order was to take three years so from '21 to '24 and to try to get agencies to what Chris DeRusha has called many times a common baseline of security. I think what that means is not like the best security that they will have 10 years down the road, but really putting everybody up to the same basic level so that agencies like OMB and CISA can know what everybody has going on and can make improvements throughout the government enterprise. That's a three-year task that I think we're maybe 18 months in. So I would think for at least the next 18 months it's not only status quo on security being very important, I think that probably only builds over time. And you can never read the future but you can pretty much presume that cyber adversaries are going to keep trying to do what they do to the government and to critical infrastructure.

John:

'm old enough to remember the: 1970

Carolyn:

And I agree. But like I said, when I first heard about it I was like "How is this not already? ... How has this not always been the way it is?" I was surprised that it was an issue. And in that same article actually, there were a few other things that Bob Costello who's the CIO of CISA brought up and that was increased meetings with industry, he said that those had been happening. I find that very hopeful. And then he says that IT systems are rolled out to sort of function and security wasn't baked in from the start. So dare I say he's saying DevSecOps here? We need to implement DevSecOps or am I not quite hitting the mark with that assumption?

John:

I think you had hit the mark really well with DevSecOps, especially on the last piece of it. I think it's been a true trend. We've talked to a lot of people about it that said, "We're so enamored of technology and next generations of technology" just as a society, not just talking about government I'm talking about all of us, "That we always want the next best thing and we want it right now." And security costs a lot of money to put into stuff. The market is price sensitive so the market down from say mainframes that cost $50 million down to your iPhone which you want that to have a lot of functionality. I think we have always pushed off security. That's, I think, a truism that really, really sticks just-

Carolyn:

Absolutely because it gets in the way of my objective.

John:

Absolutely. So the downside is that if there are sophisticated hackers and they do want to target you, you'll feel the pain. If you haven't done the investments in security like that then the pain's going to find you. The other thing that Bob said about sort of relying on the private-sector. I think you would find every good government technologist out there talks publicly all the time about the importance of really leaning on private-sector tech companies. I mean, those are the developers of software, hardware, lots of other things that really can lift up security, that can lift up the customer experience, that can do all of that. And so I think the government's reliance there to sort of purchase from the companies that really know what they're doing is rock solid, is really 100%. Within the government, you still hear about internal development efforts like making software work exactly for my agency. And that happens, and sometimes those are government-driven things. But really everyone would tell you that the reliance on the good private sector tech firms is paramount, is 100%, and that won't tail off at all.

Carolyn:

When I first came into government technology, when I first started working in this industry, I feel like there was a big, dare I say, battle between GOTS versus COTS. Has that shifted or was it just a perceived battle and it wasn't as much of a battle as I thought it was? Because this would've been over a decade ago. So for you to say that governments recognizing industry, that's warms my heart. I'm wondering if that's fairly recent.

John:

A lot of things would come into play with that question. I'm not your best person to be asking that. If you were looking at COTS type of stuff so basic off-the-shelf available tech, I think that it makes a lot of sense, especially as technology, products, and services get better, and so become COTS type of products, that those would be things that you would rely on. For things that you need to be either developed more or differently or integrated differently with your technology enterprise, I would assume, and I'm getting way over my head here, there would always be some need for customization there.

Carolyn:

Absolutely, right?

John:

You couldn't get around it. If you look at the rising tide of technology and you look at how tech gets better, I think a lot of those things become, over time, more COTS-type products and so it makes it easier, not only for government but for business, for everyone, to be able to know that I can buy some great stuff that does a lot of different things and I don't need to necessarily customize it a whole lot. That was probably more of a battle 10 years ago. I just have an inkling, just a feeling, that it's probably less so now.

Carolyn:

Well, I mean, just for the CIO of CISA to say that there's increased meetings with industry and that that's a really good thing. We're coming up to the end of our time.

John:

Oh, yeah.

Carolyn:

big maybe one, two things for: 2023

John:

Well, I hate to be boring but a lot of it's going to be do it more and do it better. For government, I think the security work continues full speed ahead. And I think there's an absolute push by the administration on down from OMB, CISA, to really keep doing this. Something that could get in the way, as we discussed, is funding levels to agencies because you can only spend what you have. That's big. I would personally be looking, as a news editor at MeriTalk, for some more stuff to be revealed about customer experience improvement within the government. I know things are going on, everyone knows things are going on, but we're waiting in a sense for the next big bang. Look back at the customer experience order and there has been some really intriguing talk about things such as a new federal government front door for citizens. And I know GSA will-

Carolyn:

What does that mean?

John:

Well, it means that as a citizen you would begin interacting with the government for any kind of services that you need or anything you need to know through a more useful, a more integrated portal that you can go to that if you logged in it said, "Oh, hello citizen," and it would know your name, and it would know how old you are, it would know things that you were ... Sort of life events, as they say, that you would be getting ready for that the government would come into play. Think of, or at least I've thought of ... Think of-

Carolyn:

So Social Security, VA, all of it's coming in through this single portal?

John:

Well, the way that you would interact with the government you would go to that portal.

Carolyn:

As an end user?

John:

Right. The government would start flowing information to you in more helpful ways, in more easy ways, in more ways that made you better understand what government can do for you. Let's say you log onto a really slick website that you use that's run by a private sector company that you think works really well, think of a government version of that. We all know that's being worked on, we just haven't really seen it yet. GSA's working on some prototypes I have read but we really haven't seen it. I think for big bang, big headline stuff, I think some more action on customer experience improvements within government will be a really interesting story. They've had that EO in place for customer experience improvement since late '21 so been almost a year. I would just think maybe '23 is the time when we start seeing some fruits of that. It could really generate not only a lot of news buzz amongst people like me, but you could see that front page of the Washington Post, you could see that as a thing that citizens really sort of grab onto and get excited about.

Carolyn:

No. I mean, you said-

John:

What's to that?

Carolyn:

Well, you said make it easier and I just felt my shoulders relax. And I'll just share a quick personal story. My dad passed away three and a half years ago, he's a retired colonel, so we were trying to set up the burial. Well, he forgot to tell anyone where his discharge papers were, you have to have those for the burial.

John:

Right.

Carolyn:

I couldn't get them. John. You know how finally we did-

John:

What's that?

Carolyn:

He got the full military burial thanks to the wonderful people at Camp Williams. We called out there and they knew who Colonel Ford was and they took care of it. But it was tears. I mean, you can imagine hours online trying to find this stuff. I mean, just trying to get the right documentation. It was awful. Just that breathe a sigh of relief, right?

John:

Right. No. There is a lot of sensible things that can be done that way. It's probably been over a year now, I spoke with our friend Jonathan Alboum who works-

Carolyn:

At ServiceNow.

John:

At ServiceNow but was previously the CIO at the Agriculture Department. And just a really great technologist. When you speak with him you really get great ideas. We did an interview with him about his thoughts about customer experience, but how the government could provide what he called anticipatory services. The government can know from your prior interactions things like your age or things like if your dad is old or if your dad was a military veteran, and they can begin to suggest things to you that maybe you want to start thinking of, government service.

Carolyn:

Did you know that we offer this service? There's so much the government offers that people don't even know is out there.

John:

Exactly. When you call a ride-sharing service, right, I won't mention names of any ride-share services, but when you open up the application it just has a couple questions in there. It's what do you want? Where do you want to go to? Who do you want me to bill it to? It's like three clicks, right? Taking it back to the customer experience executive order, they really are ... They set a goal in there essentially that says, "Give me a front door for citizens where within three or four clicks you get to some great place where you want to be, it's information you want, it's going to absolutely help you." Rather than having to go onto a government website that you don't understand, that isn't very intuitive and maybe doesn't have all the information rounded up in one place.

Carolyn:

Or you don't even know which one of the government websites to go to. I could've logged on as me, they knew I'm Colonel Ford's daughter, and I could've said, "Guess what? He's gone, I need your help."

John:

Right, right.

Carolyn:

I'm just imagining this world. I love it. Okay, there we go, there's the call to action for our agencies.

John:

ean, I would just say look in: 2023

Carolyn:

I'm looking forward to you telling me all about it through your MeriTalk reporting.

John:

I would love to.

Carolyn:

All right, before I let you go I got to ask you one tech talk question because I told you earlier I'm always looking for good books for my reading list.

John:

Okay, go ahead.

Carolyn:

I'm looking for the trashiest thing you reach, John.

John:

Oh, I'm sorry, I don't read trash I read things on history.

Carolyn:

Oh, okay.

John:

American history, World War II history, stuff like that. I don't read the trashy stuff.

Carolyn:

Okay.

John:

I also can't give you a good technology recommendation because I probably read about tech 12 hours a day, and when the 13th hour comes I don't want to read about tech anymore-

Carolyn:

Well, let me give the technology recommendation for you, MeriTalk.

John:

Please.

Carolyn:

You just said World War II.

John:

Yes.

Carolyn:

Always been fascinated by it. Do you have a favorite like a go-to author? Do you usually read non-fiction? Are there any-

John:

There certainly are some go-to historical authors, especially for World War II. I would recommend a British author named Max Hastings-

Carolyn:

Max Hastings.

John:

For some really good sort of campaign-level stuff. We had the good fortune to be able to visit France a number of years ago and to spend a week in Normandy and see-

Carolyn:

Oh, wow.

John:

Visit the beaches, and be in the hedgerows, and all that and it's a very sobering but great but beautiful experience. You're in the French countryside, it's just ridiculously great. I've read three or four Normandy campaign histories. Those are the things that I tend to gravitate towards. I don't have enough free time to read the trashy stuff, that's my-

Carolyn:

You know what though? I shouldn't have said trashy that was tongue in cheek because I love this stuff too. I have an author Frank Delaney who's an Irish author, and he wrote a beautiful story called Shannon and it's on World War I. It's post-World War I. And it actually revealed a lot of things to me about World War I and just the warfare that I hadn't thought about before. And it's just this man's life afterwards and him trying to put it back together after this horrific war.

John:

One of the things about liking to read history, it gives you some perspective, obviously, it tells you some things. It also makes you understand that, for most of us, the lives that we're living right now are cotton candy compared to-

Carolyn:

So privileged.

John:

What the last episodes of history have been for many, many people. We do have progress in a certain way. But when we sort of look back at people in all situations, we realized that life, as we get to enjoy it now, we just really got a lot of advantages and it's up to us to help build on that.

Carolyn:

Absolutely. Especially here in the United States. I'm very privileged.

John:

Me too.

Carolyn:

It's good to read those books to remind me of that and give me perspective. I love that.

John:

It certainly is.

Carolyn:

All right. Well, John, thank you so much for spending time with me on Tech Transforms today.

John:

Lovely speaking to you and hope we can do it again soon.

Carolyn:

It's been a great conversation. Listeners, if you enjoyed the episode please share and smash that like button and we'll talk to you next week on Tech Transforms. Thanks for joining Tech Transforms sponsored by Dynatrace. For more Tech Transforms follow us on LinkedIn, Twitter, and Instagram.