Digital, Physical Security Synergized
Preparing for Influx of Global Dignitaries
Honolulu CIO Gordon Bruce, bolstered by an international conference, is working energetically to expand digital and physical security.
Hawaii's biggest city is hosting in November a meeting of the Asia-Pacific Economic Conference, a forum of 21 Pacific Rim nations that promotes free trade and economic cooperation throughout the Asia-Pacific. Honolulu native Barack Obama will attend.
In preparation for the gathering, Bruce and his team are working with the Secret Service to help assure the security of the 15,000 to 20,000 people - including delegates, their support staffs and media - expected to attend.
Bolstering security will be the enhancement of a network of traffic cameras that will monitor goings on before and during the conference. The Secret Service is concerned about managing the flow of dignitaries during the event. Honolulu has more than 200 traffic cameras as well as about three dozen non-traffic, non-security cameras. For the forum, the city and county (which are jointly governed) will add another 34 cameras. "Our task is to integrate all those cameras into a single viewing platform that both first responders and the Secret Service can manage and maintain," Bruce said in an interview with GovInfoSecurity (transcript below). When the conference is over, the new cameras will be redeployed at intersections that don't have traffic cameras.
In the interview, Bruce discusses:
- Why Honolulu's chief information officer is responsible for logical and physical security.
- Synergies between digital and physical security.
- How the Secret Service and Honolulu collaborate to provide security for the conference.
Gordon's official title is director of the Department of Information Technology and CIO for the city and county of Honolulu. Gordon previously served as CIO for the Estate of James Campbell, now James Campbell Co., one of Hawaii's largest landowners. While at Campbell, he helped pioneer that organization's vision of a teleport and tech park in Kapolei, an unincorporated part of Honolulu County. He also is the former CIO of the Queen's Medical Center, the state's largest private hospital.
A former adjunct professor at the University of Hawaii, Gordon teaches at Hawaii Pacific University and at the Japan-America Institute of Management Science. He earned a master's degree in international business from Hawaii Pacific.
ERIC CHABROW: In November, 21 national leaders, including President Obama, will be in Honolulu to attend the Asia Pacific Economic Cooperation Conference, and though Honolulu's municipal government is not directly involved in securing the IT for the conference, there are plenty of security concerns that Honolulu's chief information officer must address. Tell us a bit about the conference and why and how that affects your job as Honolulu's CIO.
GORDON BRUCE: Well, the conference runs from November 7 through 13 in 2011, and as you mentioned, leaders of 21 nations come into Hawaii, along with their respective entourages and their media. The total number of people is estimated to be between 15,000 and 20,000 people. The Department of Information Technology for the city and county of Honolulu is intimately involved in public safety oversight, and the fact that we have typically chaired that committee that helps to have all the first responders collaborate over a number of different physical operational and cybersecurity initiatives. We're involved in physical access control security for all the government facilities; we're also involved with supporting all the camera systems that are throughout the city and county of Honolulu which are going to be used during that process, and that's all of the applications that we support and what makes us kind of unique in a number of ways is that we run a number of state applications here at the city and county of Honolulu. For example, the driver's licensing system, the motor vehicle registration system are all supported by the city and not by the state, which means we have also the responsibility of supporting all the other counties. Our reach and breadth, breadth and depth, is pretty significant.
CHABROW: Before you get to some of the things for the conference, why don't you explain a little bit why there is this link between digital security and physical security, and why it's important to have such concentration in your office?
BRUCE: It's something that we have believed in for a number of years - by we, I mean the new directors that were appointed - officials came into place in 2005, and one of the guidelines that we had under the mayor was to make sure that we had an integrated approach on how we looked at things. One of the areas that was our department's area of responsibility, as I mentioned earlier, the physical and logical security. It was determined that we would make that a single point of contact, if you will - a single management group that would oversee that, which is our agency. And for us, if you think about it, you have 9,000 to 10,000 employees plus contractors that we allow access to buildings covering 640 square miles of the island of Oahu, and at the same time, those individuals have access to a number of different computer systems and related applications. Controlling and managing who's here - who's on first, if you will - is quite a challenge, so coming up with an integrated approach gives you a one point of contact. In our particular case it's a credential that enables you access to the buildings - not at the moment, but in our long-term plan - the same credential will be used to enable access to the various applications and the permissions that you get. So if someone starts new with the city, they're issued a credential; we automatically know that that person's here. If someone leaves the city and the credential's cancelled, then we automatically know that that individual's no longer with the city. And then you've got related checks and balances along the way.
CHABROW: What are some of the challenges you're facing in using those credentials to get access to IT systems?
BRUCE: The credential is finding an integrated solution set and then once you've found that integrated solution set is having it work across the platforms, and that's where the time drag happens. I'll give you an example - we recently, as part of our security system, we're going to a centralized motor pool, so this same credential is going to be used to allow you to go to a system and reserve a vehicle and then go to another system and physically check out a key off of an electronic system and take that key and use the vehicle. The challenge we have is now making those physical security systems interface with the appointment scheduling system and interface with the system that actually will be used to check out the key - and those always have their little anomalies and across what gets passed back and forth. That's an example of the kind of challenge that you have and then you throw on top of that - that's one application, we've literally got hundreds - it becomes quite a challenge.
CHABROW: Is it worth, though, to pursue this as looking for both a single credential for both physical and digital?
BRUCE: Definitely. I mean, it's worth pursuing it - the motor pool project alone we estimate is going to save us some 32 cars per year that we'd normally typically purchase. So you figure out 32 cars per year at $30,000 apiece plus all the maintenance - you know, it pays for itself in a couple of years, if not less, and there's a lot more out there. And just think about what it would take to manage all of these IDs - 9,000 to 10,000 IDs and all the multiple systems and applications that have to be checked, re-checked and double-checked to make sure that people are still here or not here and the like. And we have pretty stringent policies as far as sign-ons and passwords here. You have to renew them every three months, and if you don't do it within a certain period of time, we essentially lock you out; then we've got to administer that, and that takes a lot of resources.
CHABROW: Can you talk a little bit about other synergies you see with physical and digital security, and also, do you see sort of a merging of that in other areas, too?
BRUCE: Well, I would like to see a merging of it, but it's interesting - as I talk to my peers around the nation in both the public and the private sector, physical security and logical security still seem to be separated; not seem to be - are separated. Facility's main maintenance department has to be in charge of physical security and the Department of Information Technology is responsible for the cybersecurity, and never the two shall meet. That, I would say, is the norm. Again, I go back to the synergies are this whole amount of effort it takes in managing and controlling who has access to what, and by access to what I mean physical and logical access. We're looking at expanding these systems over the next number of years; we're going to be issuing what's known as a PIV-I FRAC card, and that's a first-responder accreditation card that meets federal standards. These will get issued to first responders; it will track their credentials and what they're enabled to have. So if I'm a firefighter and I'm hazmat certified, we'll know that; we'll know that they're currently trained because they have to do continuing education credits - we're going to keep on top of that - and those continuing education credit courses are taken online to tie here. And say with police officers - they have to make sure that they've gone through their appropriate gun training or disaster training or those kinds of things, and we want to tie all of those together. Right now, those are all managed in multiple different disparate systems.
CHABROW: Let's go back to the Asia Pacific conference that's coming here. What initial information security concerns do you have that you wouldn't normally?
BRUCE: There's a number of them, but I'll talk on the physical security side; what's been interesting is the fact that the Secret Service really controls a lot of what goes on during these conferences, and we take our directions from them. One of the things that they were concerned about was managing the flow of the dignitaries during the conference from point A to point B. They wanted more physical capabilities to watch them over the camera systems. Now we have a limited use of camera systems here in Honolulu. My agency was responsible for the support of them; we do some of the installations if it's not contracted out, and then we do maintenance and support afterwards, so we have 200-plus traffic cameras, probably in the neighborhood of about, I'd say, 30 to 40 physical non-security cameras, and we're going to be adding another 34 to this system. And then our task is to integrate all of those cameras into a single viewing platform that both the first responders or the Secret Service can manage and maintain. So during that APEC time, we're going to be taking over all the traffic cameras - and by we, I mean Secret Service, police and their designates to monitor not only the traffic, but the flow of the dignitaries through the various areas. Significant amount of effort on the part of my agency in getting all of these systems tied together and then getting another additional 34 cameras installed. Additional cameras are going to be typically in areas where there is no fiber or communications, and in some cases, a limited access to electricity.
CHABROW: What additional work do you need to do or your staff has to do to coordinate this?
BRUCE: A lot of this is wireless so we had to do all the studies to make sure that we had the right kind of coverage, then we do the install, then we bring them into the network, secure the network. We're taking over all the traffic cameras and merging them with our physical security infrastructure camera system into that single viewing platform. And when it's all said and done, we're probably talking in the neighborhood or in excess of 300 cameras, and providing the first responders and the Secret Service a single point where they can be in multiple locations where they can be monitoring these cameras.
CHABROW: Who's paying for all of this?
BRUCE: You are. It comes out of the taxpayer dollars and unfortunately, or fortunately, no matter what way you look at it, for APEC the city and county of Honolulu has to eat these costs. Now we did obtain some monies from the Federal government in grants, and that's why I said you did because you pay your taxes - I'm assuming you do - and we did receive a small grant from the Hawaii Tourism Authority for some of it, but then the rest of it - and our rest of it for all of APEC support, not just these camera systems - is going to be neighboring in the area of about $28 million for the city. Now we're hoping -
CHABROW: That's beyond just IT though, right?
BRUCE: That's beyond IT. That's everything.
CHABROW: So you're doing all this with the help of the Secret Service or working with the Secret Service; when it's all done, what will you have in Honolulu from an IT or IT security perspective that you didn't have before?
BRUCE: We'll have a single platform where all of the camera systems can be managed from a single spot, and a single platform. That's probably one of the biggest things from this part, from this standpoint. There's a lot of things that we've done to our network to increase and enhance cybersecurity that we'll get to keep. The additional 30-plus cameras that we acquired for APEC will go back and be repurposed and we'll be able to expand our traffic camera system as a result of that. We have 400 intersections in Honolulu. Right now, we monitor over 200 and our goal is to eventually monitor all 400, but at least now we'll have additional intersections that we can now monitor when we redeploy those cameras away from being foot traffic-oriented to vehicle traffic-oriented. We gain that. And then the knowledge that my staff has gleaned over these past months has been pretty incredible.
CHABROW: Are you allowing anybody to take vacation in the next week, month or so?
BRUCE: No. They haven't been allowed to take vacations in the past couple months.
CHABROW: And they'll be able to take it when this is all over and I guess -
BRUCE: When this is all over, there'll be a sigh of relief. There's a lot of people out here looking like zombies.
CHABROW: So where does someone who lives in Hawaii go in the middle of winter?
BRUCE: Well, we send more people to Las Vegas than any other state in the country.
CHABROW: They like to stay warm.
BRUCE: Yeah, and then they gamble and then they come back. Now I don't, but that's for the most part what many do.