George Dilger II, who is the Federal regulatory compliance IPv6 SME at Dell Technologies and a new inductee into the Cyber Defenders class of 2024, gave us 20 minutes of his time to shine a powerful light on how high-profile government technology policies can sometimes end up reinforcing one another to improve security.
In the Q&A that follows, Dilger explains how the Biden administration’s zero trust security mandate stemming from the 2021 Cybersecurity Executive Order is also pushing along compliance with longer-standing but frequently ignored requirements of OMB 21-07 to migrate toward Internet Protocol version 6 (IPv6) communications protocols, which also foster the ability to improve security.
MeriTalk: Congrats on the Cyber Defender award, George! Can you tell us a little bit about your job and what security work you are doing at Dell Technologies?
Dilger: Appreciate it and thanks for having me. Back in 2017 the government issued an executive order and implementing guidance in OMB 21-07 directing Federal agencies to transition to IPv6. From that, the National Institute of Standards and Technology (NIST) developed USGv6 Revision 1, which is the U.S. government standard for IPv6. I am responsible for ensuring all applicable Dell products meet the USGv6r1 requirement.
MeriTalk: For folks that maybe aren’t experts, please take us through an explanation of IPv6.
Dilger: Sure, IPv6 is the latest version of the internet protocol, and it replaced the previous IPv4 standard. IP is the Internet Protocol that all devices use to communicate to each other over the internet.
Over these past few years, I have been highly active in certifying Dell products for USGv6r1. But outside of the original OMB mandate, there was really no excitement for agencies to deploy our IPv6-compliant products because there was no application for it.
Then in 2022 OMB came through with its OMB 22-09 memo, which is the zero trust mandate for Federal agencies stemming from the 2021 Cybersecurity Executive Order. Within the OMB zero trust mandate there is specific reference to collaboration of efforts across existing OMB mandates.
That means as agencies deploy their zero trust, they should coordinate compliance with existing OMB mandates, such as OMB 21-07 Completing the Transition to IPv6.
instead of deploying zero trust over just an IPv4 network, you really want to also deploy zero trust on top of an IPv6 network because then you are being very efficient in addressing both OMB mandates. Otherwise, you would deploy zero trust on top of IPv4 and then revisit in a year or two, because you cannot escape the IPv6 mandate from OMB 21-07.
My goal is to provide our federal customers with as many products as possible that support the IPv6 mandate so when agencies purchase Dell Technologies products, they can include deploying their zero trust on top during their initial deployment.
MeriTalk: In the bigger picture on security, what are some recent policy and tech trends you are seeing that are helping to improve security and that we should be doing more of?
Dilger: It really comes down to the zero trust requirements. I focus on that because we have implemented zero trust within Dell, I interact with it frequently, and I see the benefits behind what multi factor authentication can do and the different mechanisms that are supported beyond some of the other zero trust features that lend themselves towards IPv6.
For instance, when using IPv4, the systems communicating to each other will not know the IP address of the actual client they are exchanging data with. Yes, they are leveraging an IP address, but that is not necessarily the actual client that is sending the packets to/from, it could be translated multiple times as that packet transitions through the network. IPv6 on the other hand uses true client-to-client communication, you will know what my address is, I will know what your address is. By doing that, it also makes it so that access control lists can be built based on the client IP address, which cannot happen with IPv4 because of the translations that are necessary.
Over the years I have become an IPv6 advocate and am happy to have been inducted into the IPv6 Hall of Fame which was created in 2018 to recognize people who are significantly contributing to the technology.
MeriTalk: What’s your thinking about the ultimate fate of IPv4 addresses, will they ever be entirely replaced by IPv6 addresses?
Dilger: I am a realist, recognizing it is going to be exceedingly difficult to deprecate IPv4 entirely. That is because there could be legacy systems that only function with IPv4, and development on that product would have stopped years ago. Companies are not going to do the technical debt work to port that to IPv6. So, if those infrastructures are still bound to IPv4, we are still going to be dealing with at least a dual-stack network using both kinds of addresses. Based on this, I do not think IPv4 will be deprecated entirely for at least the next decade or two.
MeriTalk: Also in the bigger picture, what looms large for challenges in improving security?
Dilger: Two things – the first is developing a skilled workforce. There are not a lot of people who are knowledgeable in IPv6, or even zero trust for that matter, and there are lots of opportunities to get educated more on both. I see this as a technology gap – or a technology drought if you will – for skilled people. Relative to IPv6, we find there are more skilled people internationally than there are domestically because the United States is entrenched with IPv4. Some companies do not want to move on from these legacy networks and it’s impeding people from progressing and creating the knowledge to drive that technology forward.
The other thing is government budgets. Government budgets are set yearly but bad actors do not inflict vulnerabilities based on a budgetary cycle. So, we need to ensure that our government agencies have enough overhead to allow them to react if need be to threats outside of the budget cycle.
MeriTalk: How did you find your way to the tech security field, was it something that always seemed like a natural path or was the path more complicated?
Dilger: Security was a natural path. I originally entered the technical field during the initial development of the Internet, and during that time security was not in our thoughts, I can tell you that. It was 1993, 1994, 1995 and we focused on how to get connectivity, which was our goal. As more mission-critical systems connected, and more bad actors started to show up, it became clear that we needed to address the gaps in the initial design and implementation. So, it was a natural progression to move to security and leverage my knowledge of the internet.
MeriTalk: And last one, what do you enjoy doing in “real life” that doesn’t have anything to do with technology and security?
Dilger: I’ve always fooled around with music, so right before the COVID pandemic I picked up the guitar and now I’m somewhat proficient on it. I continue to play around with it, and my family gets to listen in, and that’s what I do in my off time to break away from the technical stuff.