Podcast: CIO Crossroads – DHS Edition

The COVID-19 pandemic has focused a bright spotlight on Federal IT. Leaders are turning on a dime so agencies can deliver vital services, protections, and trillions of dollars in financial assistance. As operations start to normalize, MeriTalk is chronicling the efforts of Federal IT leaders who are meeting the pandemic challenge head-on. How can agencies future proof government tech for what lies ahead? This edition of CIO Crossroads turns to the Department of Homeland Security (DHS).

The Mission Can’t Stop; Preparation Pay Off at DHS – CIO Q&A

Beth Cappello, Deputy CIO at DHS, is calm in the eye of the storm. Her active duty service in the U.S. Marines and years helming IT operations prepared her to stay focused on a singular goal: ensuring DHS can continue to deliver on its many essential missions.

When the pandemic hit, DHS turned an average daily load of 10,000 teleworkers into 70,000 almost overnight. It supported a 200 percent increase in traffic to the Homeland Security Information Network (HISN). These shifts have allowed DHS to coordinate across Federal, state, and local government (and private industry) on issues related to critical infrastructure, law enforcement, intelligence, and emergency services.

Every DHS component is on the front lines. The Coast Guard ensures ships observe the required 14-day waiting period before docking in the U.S. And, they continue to meet core missions from fighting drug smuggling, to rescuing mariners in distress, to keeping commerce flowing through our 305 seaports.

FEMA is expediting the movement of critical PPE supplies – including 87.2 million N95 respirators, 124.8 million surgical masks, 8.6 million face shields, 20.5 million surgical gowns, 974.2 million gloves, 10,663 ventilators, and 8,450 Federal medical station beds – to areas with the greatest need. The agency is also working closely with the Department of Veterans Affairs to bring critical medical supplies to veteran care facilities.

Cappello credits her predecessors for smart modernization steps, laying the groundwork to meet COVID-19 challenges. She is already putting lessons learned on the whiteboard. “The mission is too important to stop,” she tells MeriTalk in an exclusive interview that reviews the past three months of pandemic response, and charts the way forward for DHS.

MeriTalk: Take us through your pandemic response. What are the some of the key technologies that have come into play?

Cappello: I appreciate the opportunity to give credit where credit is due. My predecessors at DHS put a great deal of investment in our VPN infrastructure, and in running a pilot for virtual desktops with the workplace-as-a-service solution, coupled with the migration to Office 365.

We were able to pivot to a remote workforce almost seamlessly. Prior to the pandemic, we might have 10,000 folks teleworking and using the VPN solution on any given day. Within a couple of days of social distancing in place, we had upwards of 70,000 personnel teleworking.

The DHS headquarters network team stayed ahead of the capacity requirements. They added some needed capacity for our workplace-as-a-service solution. And, they supported training needs for folks transitioning to the Office 365 toolset, including Microsoft Teams™ for collaboration. I am very proud of the way we’ve been able to respond to these incredible requirements to support remote work, and in turn, serve the DHS mission.

MeriTalk: Can you share any metrics on network performance, increases in web traffic you have seen, aspects of cyber defense?

Cappello: One of the capabilities we provide at DHS headquarters is the Homeland Security Information Network (HSIN), an information sharing platform. We’ve seen a 200 percent increase in use. We are also adding new capabilities to the platform, such as enabling the U.S. Coast Guard to onboard new personnel.

We have seen a significant increase in sharing intelligence around cyber threats. We also increased our internal communications to keep folks aware of phishing campaigns and other threats. And, we continue to remind them to follow all the normal cyber hygiene best practices.

CISA is playing an important role. On May 5, CISA and the United Kingdom’s National Cyber Security Centre released a joint advisory for international healthcare and medical research organizations that are vulnerable to attacks from Advanced Persistent Threat (APT) groups. The advisory describes some of the methods these actors are using to target organizations participating in the COVID-19 response and provides mitigation advice to reduce their cyber risks.

And on May 6, CISA released two Supply Chain Risk Management (SCRM) products to help organizations keep supply chain networks secure. It partnered with the Idaho National Laboratory (INL) to launch a new Commercial Routing Assistance (CRA) tool for truckers and other commercial drivers in the U.S. It’s a free app that incorporates coordinated data streams and plots multiple routing options so commercial truck drivers can quickly plan and manage interstate transport in times of emergency.

MeriTalk: How has the Continuous Diagnostics and Mitigation (CDM) program helped on the cyber front?

Cappello: We have been able to leverage the CDM tools and platform to keep our environments secure. I’m cautiously optimistic when looking at the number of attacks on the agency. We know they are there, and we’ve investigated some concerns about collaboration and video conferencing tools. We are certainly paying attention. National-level events like this bring out the bad guys.

MeriTalk: What do you feel has worked particularly well across the Federal government in regards to telework and where have you seen challenges? And, for those at DHS who can’t work from home due to the mission, what are some of the other adjustments you can provide for them that would be helpful?

Cappello: I’ll give a lot of credit to the vendor community and to the carriers. I know there are examples of huge volumes of laptops that have been purchased, configured, and issued; as well as scaling up VPNs and VDI solutions.

At DHS, we have the law enforcement and first responder communities, whose activities just can’t be done remotely. Once we have some breathing room, I’m going to focus on evaluating virtual technologies. Are there mobile technologies that offer some shielding for agents and first responders?

We are going to have to get creative around automation. For example, anyone who has gone through an international airport has used the CBP kiosks – they are awesome. Are there other opportunities for contactless technologies that can provide protections for our front-line workforce?

Read other Fed success stories

MeriTalk: What might be the greatest lesson you have learned since the pandemic began?

Cappello: I learned we need to do more training. Collaboration tools are fantastic. They help us keep the mission rolling. But, part of our population is just not used to using them. In certain levels of the government, folks operate in face-to-face meetings, period. Getting that workforce prepared and trained is important.

MeriTalk: Anything to share about systems that have worked better or have not worked as well, and any lessons from that in broad categories of IT modernization, cloud use, cyber, authentication?

Cappello: One of the areas we all recognized as a challenge was the PIV (Personal Identity Verification) card or the CAC (Common Access Card) for the Defense Department.

Setting up that credentialing process involves being face-to-face. You take fingerprints and pictures. How were we going to onboard folks in a contactless environment? How do we deal with expiring PIV cards? I am pleased with the collaboration among our DHS Office of the Chief Security Officer and the OCIO Office for Identity Management. They came up with a solution for a derived alternate credential. From a mission standpoint, this means new employees, contractors, and current employees whose credentials expire can gain logical access to the network, without having to go back to a DHS credentialing facility in person. It doesn’t do you any good to have all this great technology, if you can’t authenticate to the network – so that was a huge success story.

Moving email to the cloud also facilitated our success. I am not confident we would have transitioned as well as we did if we still used the legacy on-prem email. We certainly would not have had the kind of collaboration capabilities we have today. As we go forward and hot wash our capabilities for the next event, we will look at other areas where we need to be in the cloud.

MeriTalk: Any real-world examples from the DHS components – things you are proud of?

Cappello: Immigration and Customs Enforcement scaled up to over 15,000 remote users in less than three days.

The U.S. Coast Guard increased their network gateway tenfold to support the influx of remote workers. TSA is doing some interesting thinking around how they can support increased training for their officers, while they might have some time for it. And, certainly CBP – they collaborated closely with us on capacity scaling for the VPN and our Workplaces-as-a-Service solution.

The Federal Law Enforcement Training Center hosted a virtual spring graduation ceremony for their law enforcement classes. There was a particular law enforcement community that was supporting a classmate they had lost during the course of the term. They wanted to celebrate that person at the graduation. And they were still able to, virtually.

MeriTalk: Any examples of state and local collaboration?

Cappello: I mentioned the HSIN platform. We are adding National Guard units on a regular basis. The state and locals also participate in some of the communities of interest on the platform, depending on the topic.

MeriTalk: Can you give us a sense of what was your life was like in the first week of the pandemic, and what life is like today in the new normal.

Cappello: In the first week, the focus was on getting the workforce settled and comfortable. Do they have what they need to continue day-to-day operations and support the mission in this new environment? I come from an operations background. And, I’ve managed very large geographically dispersed workforces, so managing a remote workforce did not feel challenging. It felt familiar. I knew we needed to identify people in the workforce that need support, and keep in touch with them.

I had a high level of confidence in our ability to respond with the technologies. Obviously, we went through all the checklists on capacity. On bandwidth, I’m very impressed with how the carriers have responded – that was an initial concern. I’m thrilled with how we’ve been able to respond with technology and continue operations. And the workforce has been amazing. We are video conferencing, talking to one another, and checking in. I increased the tempo of my brown-bag sessions so I’m accessible to the workforce, because there are a lot of questions.

MeriTalk: Any special shout-outs to your team at DHS or others in government that you’ve been working with?

Cappello: That’s a really long list. I obviously have a great deal of respect for my IT operations team. They have kept the underlying remote infrastructure humming along, and they’ve increased capacity on the fly without a hiccup. They’ve worked well with the DHS components using these technologies to ensure that we have the capacity needed. I mentioned the HISN platform earlier – that team has been amazing in their response to increases in usage.

From a collaboration standpoint, we have an incredibly tight working relationship with the DHS component CIOs and component technology teams. We share best practices, tools that others can use, etc. One of the things we’re talking about now is platforms we could use for contact tracing and reporting. We’re looking at how we can help automate these functions for our medical community. Some of our components have started doing some work in this space. So, a huge shout-out to the DHS IT community.

And I want to recognize the Federal CIO Council and the response from [Federal CIO] Suzette Kent in leading all of us through this. We are sharing best practices, getting together and communicating, and that’s been fantastic. And certainly our vendors. Everybody has stepped up to collaborate and provide assistance in any way possible.

We like to talk about the heroic efforts because they are interesting. What doesn’t get as much credit are those areas where folks just continue to do the job. I would like to give a shout out to everyone in DHS IT and in the community, who just continue to do the work without missing a beat.

Finally, we have several extremely large acquisition items going on right now. All of that acquisition work has continued seamlessly. I want to applaud the efforts of all the folks who are doing their jobs, keeping it going, regardless of the circumstances.

MeriTalk: Big picture, what do you believe will change in our government and in our society, moving forward as a result of the pandemic? What will we do that is new, and what will we stop doing?

Cappello: We are going to have a permanent shift in our thinking on remote workforce. We’ve demonstrated, from my perspective, that we can continue business operations and be successful, efficient, and effective, in a remote work posture.

We’ll look back at the fundamentals: people, processes, technologies, and examine what our workforce needs to be successful in this posture.

We have to think about the notion that some folks are fine working in isolation. For others, it is not a comfortable place. What business process modifications do we need? The processes around ID credentials for authentication are just one example. Digital signatures are another interesting topic. What’s acceptable and where are they acceptable? And then the technologies. We talked a lot about the VPN and cloud technologies, but what else do we need to support this type of remote workforce in an even more robust fashion going forward?

MeriTalk: If you could go back and give the Beth of three months ago advice, what would you say?

Cappello: Well, of course, “buy toilet paper,” but … more seriously, when this started, everyone was dealing with kids and parents and how we manage on the personal side. And, ensuring we keep doing our work. So, I think when we go back and we do some deep dives around pandemic planning, we need to tie in those personnel issues as well.

From a technical standpoint, I would say do more training on the collaboration tools, particularly for senior leadership. And I would have liked to have spent more time thinking about planning for onboarding new employees, or how we help retiring employees. One of the things we are missing with all of this is we can’t say goodbye to people and celebrate them like we do when we’re face to face.

MeriTalk: How you would grade intra-government collaboration through this time? What do you see working well? Where are some of the areas of greatest opportunity for more collaboration?

Cappello: I mentioned the Federal CIO Council previously; I have tremendous respect for the way that has operated.

It’s tough to identify areas where I would like to see improvement while we are in the middle of the event. I will say, I am so pleased with the way we have been able to facilitate state and local, and Federal government information sharing on the HISN network. When this is done, I would like to promote and market that capability more, because it has been successful.

MeriTalk: One of the big changes in the IT world is no more in-person conferences. How do you envision interacting with industry?

Cappello: It’s something I’ve been thinking about. We are going to have to schedule these interactions, but I think we can do it in ways that are meaningful for both sides.

I like the idea of a virtual conference with topic booths where I can investigate what’s interesting to me, or set up a block of time where I meet with vendors on a topic; maybe each get 15 minutes to demo what they have. And then, I can follow up. We are going to have to be more thoughtful about these interactions.

Read more Federal success stories from the COVID-19 pandemic.

Read More About
More Topics
MeriTalk Staff