NASCAR, NASA and the secret to cybersecurity


NASCAR drivers practice for the 2004 Daytona 500. (Air Force image via Wikimedia Commons.)

One is a storied federal agency, the other a source of entertainment for millions. One races into space, the other races at breakneck speeds around a track. What do NASA and NASCAR have in common?

They probably have a better approach to managing risk and security than you do.

At both organizations, risk management and security are huge parts of their respective missions. A failure to protect NASA's networks could have disastrous effects; a failure to provide drivers with adequate security could be deadly. As a result, both groups build in those top priorities right at the front – and not as an afterthought, as is all too common at many departments scrambling to protect their IT assets.

"Our problems are bureaucratic, institutional, systemic. Integrating security into architecture, system development lifecycle, systems engineering process and acquisition – those four areas would go a long way into enhancing cybersecurity," said Ron Ross, senior computer scientist and information security researcher at the National Institute of Standards and Technology. "When you get to the point where security is done because people recognize it's central to the mission and success, then we've crossed that Rubicon and we're looking at security not as a cost, but more as an investment in our productivity, survivability and everything needed to compete today."

Of course, that may be easier said than done. Today the word "investment" alone will stop program leaders in their tracks because it means money – a precious resource in a climate of sequestration and budget cuts. But that climate itself is a stepping stone to better cybersecurity, Ross said.

"Program managers and mission and business owners care about schedule, cost and performance. So how do you get all of this started?" he said. "You have to look for forcing functions to start down the road to 'thinning the herd,' or reducing complexity. The current declining budget and frustrations we're enduring at the federal level is a great forcing function for reducing the costs of IT infrastructure."

As it happens, society as a whole – including the government – are swimming in IT. It's cheap, it's powerful and as a result everyone actually has more of it than is really needed, Ross noted.

"Studies show a lot of what we procure, we never deploy or use effectively. This is where to focus on simplifying architecture: When you use things like enterprise architecture, you by very definition consolidate, standardize and optimize the IT infrastructure," he said. "You build a leaner and meaner IT infrastructure. That simpler architecture provides more efficient services, is less expensive to deploy and maintain, and provides security professionals a better opportunity to protect what we own and deploy."

But how can departments and companies get to that improved architecture? As at NASA, security professionals need to have a seat at the table, whether that is a board room or the boss's office. All too often those in charge of information security – the ones overseeing the architecture and IT infrastructure – are not part of decision-making.

"NASA builds their spacecraft with integrated project teams; every stakeholder sits around the table and the mission doesn't move forward until every stakeholder has given a thumbs up. Our security teams and people need to be stakeholders at the table in order to integrate the important cybersecurity concepts, principles and technologies into the systems early in the lifecycle – and not as an afterthought," Ross said.

If threats and security are part of the plan from the very beginning, operators have a much better chance at resiliency when they do come under attack, or in the case of NASCAR, experience a high-speed crash. That survivability is a key metric for determining the strength of a department's defenses.

"In our business, when you talk about risk management and risk assessment, you deal with four things: threats, vulnerabilities, impact to the organization if threats are exploited and how likely threats are to be exploited," Ross said. "In NASCAR, their threat is the 200-mph race car potentially hitting the wall. NASCAR doesn’t sit around wringing their hands about the threat. They can't reduce the speed; they wouldn't have any fans in the stands. So they build the threat into the business model."

The result, which came after the  2001 death of Dale Earnhardt Sr. in a fiery crash at the Daytona 500: NASCAR officials designed a piece of equipment called the head and neck safety device, and since they instituted that, no driver has died from a neck injury sustained in a race, Ross said.

While the safety device successfully addressed a critical NASCAR vulnerability, it is not exactly the same as employing enterprise architecture at a major government agency, where the stakes involve many more people and less tactile threats.

But the vignette underscores the need for departments to move beyond patching systems, configuring firewalls and locking down components. Those are all important housekeeping duties, Ross said, but they do not go far enough.

"We can control only what we can control. We can't control the threat or the adversary or the attacks. What we can control is how we build and architect our systems to be stronger and more penetration-resistant," he said. "I'm passionate about integrating that into enterprise architecture, with the security team working right there as a partner ensuring security controls are in place. Until we do that, security will be an afterthought."





About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.


  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Tue, Aug 6, 2013

In the space biz, Murder Boards are c ommon, respected, and often used. A Murder Board is where a person or team presents a problem and solution(s) with diverse-talent audience's job is to shoot as many holes into it, to riddle the team with questions, dig deep into what-if's, and bascially try to murder the idea. An solution that can pass the best experts in the area is then ready for testing on the simulator.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above