NASCAR, NASA and the secret to cybersecurity


NASCAR drivers practice for the 2004 Daytona 500. (Air Force image via Wikimedia Commons.)

One is a storied federal agency, the other a source of entertainment for millions. One races into space, the other races at breakneck speeds around a track. What do NASA and NASCAR have in common?

They probably have a better approach to managing risk and security than you do.

At both organizations, risk management and security are huge parts of their respective missions. A failure to protect NASA's networks could have disastrous effects; a failure to provide drivers with adequate security could be deadly. As a result, both groups build in those top priorities right at the front – and not as an afterthought, as is all too common at many departments scrambling to protect their IT assets.

"Our problems are bureaucratic, institutional, systemic. Integrating security into architecture, system development lifecycle, systems engineering process and acquisition – those four areas would go a long way into enhancing cybersecurity," said Ron Ross, senior computer scientist and information security researcher at the National Institute of Standards and Technology. "When you get to the point where security is done because people recognize it's central to the mission and success, then we've crossed that Rubicon and we're looking at security not as a cost, but more as an investment in our productivity, survivability and everything needed to compete today."

Of course, that may be easier said than done. Today the word "investment" alone will stop program leaders in their tracks because it means money – a precious resource in a climate of sequestration and budget cuts. But that climate itself is a stepping stone to better cybersecurity, Ross said.

"Program managers and mission and business owners care about schedule, cost and performance. So how do you get all of this started?" he said. "You have to look for forcing functions to start down the road to 'thinning the herd,' or reducing complexity. The current declining budget and frustrations we're enduring at the federal level is a great forcing function for reducing the costs of IT infrastructure."

As it happens, society as a whole – including the government – is swimming in IT. It's cheap, it's powerful and as a result everyone actually has more of it than is really needed, Ross noted.

"Studies show a lot of what we procure, we never deploy or use effectively. This is where to focus on simplifying architecture: When you use things like enterprise architecture, you by very definition consolidate, standardize and optimize the IT infrastructure," he said. "You build a leaner and meaner IT infrastructure. That simpler architecture provides more efficient services, is less expensive to deploy and maintain, and provides security professionals a better opportunity to protect what we own and deploy."

But how can departments and companies get to that improved architecture? As at NASA, security professionals need to have a seat at the table, whether that is a board room or the boss's office. All too often those in charge of information security – the ones overseeing the architecture and IT infrastructure – are not part of decision-making.

"NASA builds their spacecraft with integrated project teams; every stakeholder sits around the table and the mission doesn't move forward until every stakeholder has given a thumbs up. Our security teams and people need to be stakeholders at the table in order to integrate the important cybersecurity concepts, principles and technologies into the systems early in the lifecycle – and not as an afterthought," Ross said.

If threats and security are part of the plan from the very beginning, operators have a much better chance at resiliency when they do come under attack, or in the case of NASCAR, experience a high-speed crash. That survivability is a key metric for determining the strength of a department's defenses.

"In our business, when you talk about risk management and risk assessment, you deal with four things: threats, vulnerabilities, impact to the organization if threats are exploited and how likely threats are to be exploited," Ross said. "In NASCAR, their threat is the 200-mph race car potentially hitting the wall. NASCAR doesn’t sit around wringing their hands about the threat. They can't reduce the speed; they wouldn't have any fans in the stands. So they build the threat into the business model."

The result, which came after the 2001 death of Dale Earnhardt Sr. in a fiery crash at the Daytona 500: NASCAR officials designed a piece of equipment called the head and neck safety device, and since they instituted that, no driver has died from a neck injury sustained in a race, Ross said.

While the safety device successfully addressed a critical NASCAR vulnerability, it is not exactly the same as employing enterprise architecture at a major government agency, where the stakes involve many more people and less tactile threats.

But the vignette underscores the need for departments to move beyond patching systems, configuring firewalls and locking down components. Those are all important housekeeping duties, Ross said, but they do not go far enough.

"We can control only what we can control. We can't control the threat or the adversary or the attacks. What we can control is how we build and architect our systems to be stronger and more penetration-resistant," he said. "I'm passionate about integrating that into enterprise architecture, with the security team working right there as a partner ensuring security controls are in place. Until we do that, security will be an afterthought."





About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.


Reader comments

Tue, Aug 6, 2013

In the space biz, Murder Boards are common, respected, and often used. A Murder Board is where a person or team presents a problem and solution(s) with a diverse-talent audience whose job is to shoot as many holes into it, to riddle the team with questions, dig deep into what-ifs, and basically try to murder the idea. A solution that can pass the best experts in the area is then ready for testing on the simulator.
