SC's 2011 influential IT security thinkers
• Sameer Bhalotra, White House deputy cybersecurity coordinator
• Eric Cowperthwaite, chief information security officer, Providence Health & Services
• Suzanna Schmeelk, teacher, University of Maryland
• John Streufert, chief information security officer, U.S. Department of State
• Peiter "Mudge" Zatko, program manager at the Defense Advanced Research Projects Agency (DARPA)
Social networking, hacktivism, advanced persistent threats, cyberespionage, mobile malware, the entry of portable, handheld devices (smartphones, tablets) into the enterprise environment...these are just a few of the most prominent challenges security professionals must contend with each day. This year-end special section focuses on people who represent the highest degree of professionalism in the security space, individuals who stand out for their technical skills, managerial prowess, insight and advocacy. As well, interspersed are some of the highlights in the year's strongest trends, including top breaches and threats, merger and acquisition activity and legal developments, as well as some of the nuttiest news stories in the cybersecurity world.
Sameer Bhalotra
Age: 35
Occupation: White House deputy cybersecurity coordinator
Personal: Married, two children
College: B.S., chemistry and physics, Harvard University; Ph.D., physics, Stanford University
Recent accomplishments: executive branch development of cybersecurity legislation proposal, National Strategy for Trusted Identities in Cyberspace, and cybersecurity management reform
The three weeks from the end of April to the middle of May was a memorable time for Sameer Bhalotra, the White House's deputy cybersecurity coordinator. Bhalotra, along with his boss, White House Cyber Coordinator Howard Schmidt, oversaw the release of not one, but three major initiatives on cybersecurity. For Bhalotra, who signed on in July 2010, this was the outcome of long days facilitating lengthy meetings with two dozen executive agencies.
Along with Schmidt, Bhalotra is the architect of the administration's cybersecurity legislative proposal, released on May 12. But there was more. Four days later came the first International Strategy for Cyberspace. Previously, on April 26, his office released its National Strategy for Trusted Identities in Cyberspace (NSTIC), which seeks to establish clear privacy rules and greater security within a proposed identity ecosystem.
Accolades abounded for the 35-year-old Bhalotra, whose meteoric rise has taken him from a doctorate in physics at Stanford into the intelligence community, the Senate and his current post.
He achieved what no one in the Department of Homeland Security or the White House was able to do before by bringing the players together and getting them to work harmoniously, Alan Paller, research director for the SANS Institute, says of Bhalotra's work on the legislative blueprint.
Bhalotra was sought for that mission. Soon after his appointment, Senate Majority Leader Harry Reid, D-Nev., asked the administration to weigh in on cybersecurity considering the 50-plus bills floating around the Hill. With this golden opportunity, Schmidt's office decided on a comprehensive approach. It was a minefield – within the executive branch, as well as between government and industry – but Bhalotra navigated it skillfully.
But, Bhalotra prefers to deflect attention from himself. “I'm proud to be yet another hard-working member of the White House staff,” he says. “This was a team effort. Our leadership in the West Wing takes cybersecurity seriously.”
“He's a little publicity shy, actually more than a little,” says Robert Rodriguez, a friend of Bhalotra's and the founder of the Security Innovation Network. “He likes to work under the radar. But he's the man behind all of it…Those were three huge accomplishments.”
On the legislative proposal, Bhalotra coordinated massive intergovernmental collaboration among such agencies as the FBI, National Security Agency and departments of Defense, Commerce, Justice and Homeland Security.
“Managing that process was a great experience,” Bhalotra says. The goal was to come up with recommendations to give Congress, of which securing America's critical infrastructure and information sharing between DHS and industry stand out. Its release “was a great and clear end to a very rigorous process,” he says.
Bhalotra's training for this process came during his nearly four years in the Senate. In 2007, he was brought onboard in a unique bipartisan role as a top staffer for the Senate Select Committee on Intelligence. He quickly seized on cybersecurity as a major issue and became an expert among Beltway staffers on the topic.
Bhalotra found few colleagues there dedicated exclusively to cybersecurity. So he began an informal group, where he gathered Senate and House staffers monthly to discuss cybersecurity and their work. These “cyber jams” allowed his peers to get briefings from officials, information on important issues and visits to security companies. What began with a half-dozen people grew to more than 30, Bhalotra says.
In the Senate, Bhalotra gained many admirers, among them committee chairs Jay Rockefeller, D-W.Va., Kit Bond, R-Mo., and Dianne Feinstein, D-Calif. His reputation led to Schmidt's call. And he brought this knowledge of how Congress works to the White House.
“He knows where the money is spent,” says Paller, who calls Bhalotra brilliant and catalytic in his influence. “He's a wonderful bridge between the two.”
From a young age, Bhalotra, who grew up in New England, worked with computers. He'd tinker with electronics in his home, taking apart computers, VCRs and telephones. His parents were “amazingly tolerant,” he says. “I was lucky I didn't burn down the house or electrocute myself.”
Bhalotra carried this passion to his undergraduate years at Harvard, where he studied physics and chemistry and even taught classes on laboratory electronics as an upperclassman. His graduate school thesis covered optical sensing in electronics. At Stanford, where he earned a doctorate in physics, his research was funded by the secretive Defense Advanced Research Projects Agency (DARPA).
Bhalotra returned east to accept a position with the CIA, where he was assigned to the director's staff. Next, he moved to the office of the director of national intelligence, where he was again involved in Cabinet-level policy discussions. His work on cybersecurity “exploded” after he moved to the Senate.
“I'm a technologist by training,” he says. “And I find cybersecurity so sophisticated, complicated in an interesting way, and important to the country.”
There's little time to rest for Bhalotra, who is already meeting with Congress on the administration's legislative proposal. He is also focused on bringing others into public service to meet cybersecurity's fresh challenges. He has mentored many young staffers on the Hill. With his distinguished résumé, Bhalotra has set the model. He hopes others in academia and industry will follow.
“One of my personal interests is trying to bring new people into government,” he says. “We need to tap into the best minds in the country to solve these problems and move forward.” – Ryan Goldberg
Eric Cowperthwaite
Occupation: chief information security officer, Providence Health & Services
Age: 44
Personal: Married, four children
College: B.S., computer engineering, California State University-Sacramento
Something of a perfect storm for privacy and security is converging in the health care industry. As part of last year's Patient Protection and Affordable Care Act, companies are now required to digitize their medical records, but with this push come greater threats and challenges.
Eric Cowperthwaite, the chief information security officer of Providence Health & Services, which employs 54,000 people in Washington, Oregon, California, Alaska and Montana, is facing these challenges proactively.
Providence, which operates 214 physician clinics, 27 hospitals, a health plan and many other services, has cut a model for other Catholic health care organizations in protecting patients' information from an increasing number of breaches.
This was born of necessity: in 2008, Providence was the first organization to enter into a resolution agreement with Health & Human Services (HHS) to resolve allegations of violating the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Cowperthwaite, 44, has overseen the successful implementation of that agreement.
“They have the most mature program that I'm aware of in health care delivery,” says Gartner analyst Paul Proctor. “Eric has a program that rivals those in financial services.”
The federal government and business side of the industry, Cowperthwaite says, are “pushing us down the road of 100 percent electronic records. All patient information has to be in accessible, open systems.” These systems “will be a one-stop shopping center for all the information you could want about a single person.”
However, confidential information – personal and financial in nature – is incredibly valuable for those who want to steal it. Breaches cost the health care industry $6 billion a year, according to the Ponemon Institute, and the majority of those intrusions currently come from insiders. At the same time, HIPAA and 2009's Health Information Technology for Economic and Clinical Health Act, or HITECH Act, levy heavy fines for the loss of patients' information.
At Providence, protection of that data begins with recognition and emphasis. By design, Cowperthwaite reports to the chief risk officer instead of the chief investment officer. He believes he's the only one among his peers at Catholic health organizations who does this.
“I think it's a recognition that information security is a critical function of the business,” he says. “It's not just an IT issue, but it touches the whole business.”
Providence did not have much of a security program to speak of before Eric, Gartner's Proctor says. “They brought Eric in to build that program up.”
What began with six employees not well versed in information security has become a staff of 19 who report to Cowperthwaite directly, and another 33 people assigned in a matrix role. He is the single point of contact from the security side to those managing the electronic medical record rollout, with multiple teams of auditors, managers and privacy and compliance staff asking questions about access controls and complying with federal regulations.
Cowperthwaite has set the first line of defense for Providence with its employees. All of them must undergo privacy, security and compliance training every year. Cowperthwaite also customizes training for different business units. If, for example, his staff notices emails being sent that contain confidential information, they will educate that particular unit rather than send a company-wide email blast.
A leading area of focus for Providence has been with its employees in the field. As a Catholic entity, home care and hospice are significant parts of the mission. The laptops and mobile devices being used hold vital patient information.
Cowperthwaite has established several policies to mitigate potential threats: Employees are required to activate security controls and keep their computers within sight, the amount of data on them is limited to that day alone, and they are shut down while in transit and cable-locked in employees' trunks. Above all, employees are made aware of why all these safeguards matter.
These measures stand out following Providence's previous slip-up. According to published reports, HHS investigated the company after it fielded more than 30 complaints from people whose information was compromised after unencrypted laptops, optical disks and backup tapes went missing, having been left unattended between September 2005 and March 2006. In all, 386,000 patients were exposed to potential identity fraud.
Providence agreed to settle the allegations for $100,000, and successfully implemented a systems improvement plan. Cowperthwaite says the organization had already decided to make significant changes to its security program before the deal. He says HHS recently notified them that they have met all of their mandates.
“I'm proud that we are the first organization to come out of that in a really good way,” he says. “We went above and beyond what they required of us.”
For Cowperthwaite, this has been the validation of an unlikely path. He joined the U.S. Army out of high school and his 10-year service included deployment in operations Desert Shield and Desert Storm. In 1996 he enrolled at California State University, Sacramento to study computer engineering. He graduated two years later and went to work for Medi-Cal, the state of California's Title XIX Medicaid Insurance program. Information security came onto his radar gradually over the years. “I call myself the accidental security guy.”
When Providence called, he foresaw challenges in health care information security that have come to fruition and still animate his work.
“I knew that the explosive growth in the storing of patient information, and needing to do it as effectively and efficiently as possible without expanding costs, would make for a dramatic and innovative field to be in,” he says.

Copyright 2011 SC Magazine