Article | March 23, 2022
COVID-19 placed enormous demands on government services—demands that are not likely to go away. Moreover, the private sector now looks to government to facilitate the data transparency, digital processes, and data security needed to fuel recovery. Governments now understand those old ways of doing business no longer work. They need to become agile and flexible to meet today’s needs. Some were moved in that direction by the unexpected demands of the pandemic. For others, COVID-19 simply accelerated their digital transformation journey that was already underway.
Article | May 27, 2021
The COVID-19 virus (C19) pandemic is turning out to be the event of the century. Even World War seems timid in comparison. We are in the 4th month of the virus (in non-China countries) and have gone past the lockdown in many places. Isn’t it time we re-think the approach? What if there is another wave of C19 coming soon? What if C19 is the first of many such events in the future?
Before we get into analysis and solution design, summarizing the C19 quirks:
While a large section of the affected population is asymptomatic, for some it can be lethal
There isn’t clarity on all the ways C19 spreads
It’s known to affect the lungs, heart, and kidneys in patients with weak immunity
It has been hard to identify a definitive pattern of the virus. Some observations in managing the C19 situation are:
With no vaccine in sight, the end of this epidemic looks months or years away
Health care personnel in hospitals need additional protection to treat patients
Lockdowns lead to severe economic hardship and its repeated application can be damaging
Quarantining people has an economic cost, especially in the weaker sections of society
If one takes a step back to re-think about this, we are primarily solving 2 problems:
Minimise deaths: Minimise the death of C19 and non-C19 patients in this period
Maximise economic growth: The GDP output/growth should equal or higher than pre-C19 levels
One needs to achieve the 2 goals in an environment of rising number of C19 cases.
An approach that can be applied to achieve this is:
Data driven health care capacity planning
Build a health repository of all the citizens with details like pre-existing diseases, comorbidity, health status, etc. The repository needs to be updated quarterly to account for patient data changes
This health repository data is combined with the C19 profile (disease susceptibility) and/or other seasonal diseases to determine the healthcare capacity (medicines, doctors, etc.) needed
The healthcare capacity deficit/excess needs to be analysed in categories (beds, equipment, medicine, personnel, etc.) and regions (city, state, etc.) and actions taken accordingly
Regular capacity management will ensure patients aren’t deprived of timely treatment. In addition, such planning helps in the equitable distribution of healthcare across regions and optimising health care costs. Healthcare sector is better prepared to scale-up/down their operations
Based on the analysis citizens can be informed about their probability of needing hospitalisation on contracting C19. Citizens with a higher health risk on C19 infection should be personally trained on prevention and tips to manage the disease on occurrence
The diagram below explains the process
Mechanism to increase hospital capacity without cost escalation
Due to the nature of C19, health personnel are prone to infection and their safety is a big issue. There is also a shortage of hospitable beds available. Even non-C19 patients aren’t getting the required treatment because health personnel seek it as a risk. This resulted in, healthcare costs going up and availability reducing.
To mitigate such issues, hospital layouts may need to be altered (as shown in the diagram below). The altered layout improves hospital capacity and availability of health care personnel. It also reduces the need for the arduous C19 protection procedures. Such procedures reduce the patient treatment capacity and puts a toll on hospital management.
Over a period, the number of recovered C19 persons are going to increase significantly. We need to start tapping into their services to reduce the burden on the system. The hospitals need to be divided into 3 zones. The hospital zoning illustration shown below explains how this could be done. In the diagram, patients are shown in green and health care personnel are in light red.
**Assumption: Infected and recovered C19 patients are immune to the disease. This is not clearly established
Better enforcement of social factors
The other reason for high number of infections in countries like India is a glaring disregard in following C19 rules in public places and the laxity in enforcement. Enforcement covers 2 parts, tracking incidents of violation and penalising the behaviour. Government should use modern mechanisms like crowd sourcing to track incidents and ride on the growing public fear to ensure penalty enforcement succeeds. The C19 pandemic has exposed governance limitations in not just following C19 rules, but also in other areas of public safety like road travel, sanitation, dietary habits, etc.
Maximise economic growth
The earlier lockdown has strained the economy. Adequate measures need to be taken to get the economy back on track. Some of the areas that need to be addressed are:
One needs to evaluate the development needs of the country in different categories like growth impetus factors (e.g. building roads, electricity capacity increase), social factors (e.g. waste water treatment plants, health care capacity), and environmental factors (e.g. solar energy generation, EV charging stations). Governments need to accelerate funding in such projects so that that large numbers of unemployed people are hired and trained. Besides giving an immediate boost to the ailing economy such projects have a future payback. The governments should not get bogged down by the huge fiscal deficit such measures can create. Such a mechanism to get money out in the economy is far than better measures like QE (Quantitative Easing) or free money transfer into people’s bank accounts
Certain items like smartphone, internet, masks, etc. have become critical (for work, education, critical government announcements). It’s essential to subsidise or reduce taxes so that these items are affordable and accessible to everyone without a financial impact
The government shouldn’t put too many C19 related controls on service offerings (e.g. shops, schools, restaurants, cabs). Putting many controls increases the cost of the service which neither the seller not buyer is willing or able to pay. Where controls are put, the Govt should bear the costs or reduce taxes or figure out a mechanism so that the cost can be absorbed.
An event like the C19 pandemic is a great opportunity to rationalise development imbalances in the country. Government funding should be channelized more to under-developed regions. This drives growth in regions that need it most. It also prevents excess migration that has resulted in uncontrolled and bad urbanisation that has made C19 management hard (guidelines like social distance are impossible to follow)
Post-C19 lockdown, the business environment (need for sanitizers, masks, home furniture) has changed. To make people employable in new flourishing businesses there could be a need to re-skill people. Such an initiative can be taken up by the public/private sector
The number of C19 infected asymptomatic patients is going to keep increasing. Building an economy around them (existing, recovered C19 patients) may not be a far-fetched idea. E.g. jobs for C19 infected daily wage earners, C19 infected taxi drivers to transport C19 patients, etc.
In the last 100 years, mankind has conquered the destructive aspects of many a disease and natural mishap (hurricanes, floods, etc.). Human lives lost in such events has dramatically dropped over the years and our preparedness has never been this good. Nature seems to have caught up with mankind’s big strides in science and technology. C19 has been hard to reign in with no breakthrough yet. The C19 pandemic is here to stay for the near future. The more we accept this reality and change ourselves to live with it amidst us, the faster we can return to a new normal. A quote from Edward Jenner (inventor of Small Pox) seems apt in the situation – “The deviation of man from the state in which he was originally placed by nature seems to have proved to him a prolific source of diseases”.
Article | July 16, 2022
“Belonging to the essential nature of a thing; originating and included wholly within an organ or part.” That is the definition of “Intrinsic.” When we were developing the “IT Manhattan Project” framework, we were doing so in direct response to some of the most significant hacks in U.S. Federal history, which piled on to the already unprecedented push to expedite the modernizing of federal IT because of the COVID-19 response. The COVID-19 response shifted the way that the U.S. federal government operated, where our workforce worked from, the immediate need for mobile ‘available from anywhere’ workloads, and how to both secure and support that new way of doing federal business. A new, vigorous push towards rapidly modernizing federal IT environments was underway. Ultimately, it laid the groundwork for producing transformational federal memos and oversight by way of some of the following:
Executive Order 14028: “Improving The Nation’s Cybersecurity”
M-22-09: OMB’s Zero Trust Strategy M-22-09
NIST 800-53rev5: Fulfilling an expedited realization of the overall intent of NIST 800-53r5 through the emphasis on things like conditional access, TIC 3.0 frameworks, Secure Orchestration/Automation/Remediation, and modernized, agile approaches to secure micro-segmentation from Hybrid Environments up to Federal Cloud instances
Overall mandates like these carry with them a consistent anthem driving at rapid IT modernization with rigorous proof of performance schedules attached. Piling on top of those Herculean efforts, the urgency was drastically increased by several of the highest profile cyber compromises in U.S. federal history. Rapid modernization had to happen right away. The time for IT transformation was here, backed by promises of significant funding and a high level of political visibility.
The Shift to Zero Trust
At their core intent, Zero Trust architectures are expected to provide a centralized policy structure that dictates how every individual flow in our IT environments are permitted to talk. No user, host, or flow is permitted without being subjected to rigorous authentication and authorization policy. This shifts our previous understanding of North-South, East-West traffic and how we police it. The foundational intent of Zero Trust architectures centers around applying unified policy to every transaction that occurs between enterprise resources, and doing so in ways that are agnostic to the IT Silo that they reside in.
Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.”
NIST 800-207 aptly
They go on to explain that the scope of this posture includes all assets, workflows, network accounts, and the like. In summary, police everything, abstract production traffic intent from the underlying infrastructure that supports it, and institute a unified security posture to execute the policing at every network entry point. Regardless of the domain. We all know that this is a tectonic but much-needed shift in our industry. I’d go so far as to say that the successful instantiation of this approach across Federal IT environments is critical to our national security going forward.
Enterprise IT domains contain varied mixtures of OEM solutions, home-grown tools, and utilize a wide variety of protocols to intercommunicate that aren’t necessarily standardize. Each of these domains is normally managed by separate IT teams who specialize in maintaining those environments. In the federal landscape, each of these domains aren’t just managed by separate enterprise IT teams, but are commonly managed by different contractors. Therefore, IT security organizations have a difficult time achieving and maintaining the necessary operational awareness required to enforce centralized policy. These cultural complexities exacerbated by budgeting concerns have created a fatalistic mentality when it comes to far-reaching mandates. This is where the tectonic shift in architectural and administrative approach is so necessary. This is where multidomain architectures shine.
Let’s define a common baseline of enterprise domains seen across traditional IT environments:
Extended Enterprise (IoT, OT/ICS)
But to deliver a successful Zero Trust across the enterprise, it is first necessary to understand some foundational building blocks on which to construct our architectural approach:
We can’t have MULTIDOMAIN POLICY without first achieving fuller
We can’t deliver macro and micro-segmentation without first having robust MULTIDOMAIN
We can’t have multi-vendor MULTIDOMAIN Zero Trust POLICY without sensical INTEGRATIONS to stitch each enterprise domain together.
Let’s face it, enterprise IT environments don’t simply include infrastructure from a single manufacturer, or even a few key manufacturers. Rather, our Enterprise IT environments are represented by a plethora of IT manufacturers specializing in different niches of IT and the domains they are commonly found in. These environments are managed by different Federal IT organizations, different contractors who support these Federal IT organizations, and many different teams that support each common IT silo. Different teams that support oft-compartmentalized areas like Network Security Operations, Network Operations, Data Center Operations, Institutional Services, Wide Area Networking contracts, Operational Technologies, and dotted lines to different leadership oversight like CIO Programs, CTO Architecture, the Cyber Security Office, and the audit oversight bodies that they are subjected to. Each of these make up a complex support structure that isn’t necessarily streamlined for efficiency.
Summary and Overarching Goals
In articles to follow, you’ll see us referencing the IT Manhattan Project framework several times. Though many details of the framework can’t be discussed due to their sensitivity, the foundational principles are relevant across the board when pursuing intrinsic multidomain Zero Trust.
Establish Visibility (Administration, Telemetry, Assurance)
Define Straightforward Policy Structure and Hierarchy (Auth Chains)
Perform Multidomain Integrations (API Integrations)
Deploy Software-Defined Framework (Day-0, Programmable Fabrics, Multi-OEM Fabric Integrations)
Establish Sensical Automation Runbooks (Day-2 Operations)
We will also explore some areas that deliver unexpected value to the agency business in immediate ways. All of this will help create a cohesive story that helps CIOs, CISOs, and enterprise architects alike communicate the criticality of this multidomain Zero Trust approach to agency leaders across the federal spectrum.
Article | July 22, 2020
While congressional leaders work diligently to develop the next COVID recovery bill, other interesting legislation also is being discussed.
Many of the conversations focus on public funding options after COVID-19. There are no disagreements when it comes understanding the critical funding needs that will be front and center for cities, counties, states, schools, and hospitals as the country begins to emerge from a total focus on the coronavirus.
Many public projects and initiatives will have to be addressed. First of all, crumbling, inefficient and unsafe infrastructure, of all types, must be a priority. Secondly, jobs will be a critical component of the successful re-establishment of economic stability.
It is already apparent that a great deal of new funding will flow to long-standing federal programs. That’s a good thing because public officials already are aware of how those programs function. However, a number of new bills under discussion relate to the provision of additional and innovative ways for governmental entities to secure funding for projects that would stimulate the economy, create jobs, and address aging infrastructure. One particularly interesting new concept being evaluated is tax-exempt COVID recovery bonds.
The current discussions focus on a federal COVID recovery bonding program that would be launched with approximately $25 billion. A small number of states have already initiated programs such as this on a smaller scale.
The funding would be allocated to states based on population. From the governor’s office in each state, funding could be disbursed for projects of specific types.
If COVID recovery bonds become a reality, the program would provide another way for public entities to secure funding that does not come solely from public coffers. Individual private sector contractors, investors, and organizations would provide the funding and work collaboratively with public officials.
This program would be somewhat similar to private activity bonds which provide alternative funding for public initiatives. The new COVID recovery bonds would be tax exempt when used for permitted purposes such as financing airport, port, transportation, sewage, water, solid waste disposal, certain facilities, and other projects.
In the following weeks and months, taxpayers and citizens should watch with eager anticipation. Congressional actions will boost America’s economic recovery and stabilize governmental organizations throughout the country. Inaction is a possibility, too, but that would risk missing out on recovery opportunities.
Congressional representatives base their actions and their votes on input from constituents they represent. There are times when citizens, whatever their opinions, should provide input to elected representatives. This is one of those times.
Mary Scott Nabers is president and CEO of Strategic Partnerships Inc., a business development company specializing in government contracting and procurement consulting throughout the U.S. Her recently released book, Inside the Infrastructure Revolution: A Roadmap for Building America, is a handbook for contractors, investors and the public at large seeking to explore how public-private partnerships or joint ventures can help finance their infrastructure projects.