Can your business afford to lose your critical systems to a bomb blast? What sort of protection do you need against physical and cyber threats? Cyberterrorism expert Tony Valletta has some answers. When he was the top civilian CIO for the government, Valletta’s expertise centered on what he calls “the bad guys” and protecting government systems from these terrorists. Today, he uses what he knows to benefit the private sector as well as the federal government.
Valletta’s background is in electrical engineering, having also completed graduate work in engineering and industrial management. He spent almost 30 years working for the Department of Defense. Currently at SRA International, he is vice president of the government sector and director of the command, control, communications, and intelligence (CCCI or C3I) business unit.
Valletta’s career path
TR: How did you get to where you are now?
Valletta: I retired almost two years ago from the federal government where I spent 29 years with the Department of Defense. My last position was the acting assistant secretary for command, control, communications, and intelligence (CCCI or C3I). I started as a military officer, was commissioned ROTC out of Yale University, went into the Signal Corps for about seven years, made it to the rank of captain, and decided to transition into government civil service. I then had a career involving test and evaluation and research and development, because my degree at school was electrical engineering. I was placed in some very good technical jobs, both as a civil servant and also in my military years. That helped me get into a number of key management positions, including the program executive officer (PEO); I was one of the first PEOs in the army.

TR: What does a PEO do?
Valletta: A PEO is a term that we coined in 1987 to describe super project managers. Underneath each of the PEOs we had a number of program managers, sometimes five or six. In my case, I had about 20 program managers in different functional areas in the army—armor, for instance, or air defense. I had standard MIS. All the project managers who reported to me provided for the United States Army all of the MIS for both the battlefield and peacetime operations. This was for all the areas of logistics, personnel, medical, and those types of functions. I did that for about five years.

TR: What did you do next?
Valletta: Then I moved up to deputy to the three-star general who was the CIO for the army. I was his civilian deputy, which is the highest-ranking civilian IT position in the United States Army. From there, I moved up to the office of secretary of defense (OSD). I did that for about four years.

Joining the public sector
TR: What brought you to SRA?
Valletta: After 29 years in the [Department of Defense] environment, I had a lot of job offers when I decided to retire. I took a two-year early-out because I wanted to start a second career while I still had good contacts, good knowledge, and I was still healthy. However, I loved every day, every moment of my 29 years with the federal government. I could have stayed another 10 if I’d wanted to, but I also felt that I had achieved the highest levels. I had achieved the highest degree of responsibility and capabilities, learned a lot, had a great time, and did some great things for the country. I felt that it was time now to settle down, see my family a little bit more, have some quality time, and go out and make a little bit more money, because the pay disparity between civil service positions in the government and industry is unbelievable.

The other reason I left government is that I think I can even help more from the outside, having been on the inside. People who leave the federal government will always be loyal. We will never forget that we still need to help all those folks out there all over the world defending this nation every day. It’s very important that we do that, even from the outside.

TR: How do you do that in your position at SRA?
Valletta: I now meet with the engineers every day. I don’t have the daily thousand e-mails, all the superfluous information, or the multiple meetings. I can prioritize my time to the really important business things. One of the problems I’m trying to help [federal clients] with right now is how to manage all that information dissemination. There’s so much information being fed to decision makers today that I believe, in the future, knowledge management and information dissemination is going to be very crucial. And it’s only going to get worse as bandwidth becomes greater and speeds increase. We don’t want to stop technology. We have to learn how to manage it better.

One of the things I’m trying to do is help the war fighters, because we did a lot of things on my watch to introduce information technology to the battlefield. We used to worry about logistics and personnel, and we still need to worry about those things, but everything is automated today. Now, the bad side is that the more information technology we have in the battlefield or in peacetime operations, the more we are susceptible to the security aspects and to cyber threats. So it’s a two-edged sword.

TR: Let’s discuss C3I
Valletta: SRA gave me the opportunity to come here and actually build this area [C3I, or command, control, communications, and intelligence business unit]. They had pieces of it all over the company, but they asked me to focus it and to bring it all together to form a business unit that I could run, which I’m doing now. I created from scratch our critical infrastructure protection capability. That’s why I was so excited about coming here. I felt that this company would give me the opportunity to finish what I had started on the government side.

You want the positive things that you get from information technology but, more importantly, you need the right capabilities, tools, and protection mechanisms so that enemies—both foreign and domestic—don’t get in there and fool around [with] your data. That’s all part of this cyber threat situation. The President introduced his national plan for cyber threat just recently. Some of us here at SRA worked on it. It’s $2 billion and it’s broken into different categories.

TR: This has certainly put you in a unique position, hasn’t it?
Valletta: Building this capability is not only good for us as a company, but I think it’s good business, whether I deal with the Department of Defense, Department of Agriculture, states, or even businesses. A lot of businesses out there have computer systems that also need to be protected.

A new look at cyber protection for businesses
TR: Is this a service that SRA will provide for businesses as well?
Valletta: Yes. You can name any business, from an insurance company to legal firms to banks to any type of retailers. Anyone that uses information technology to the degree that we use it today has to make sure that their systems are not vulnerable, that they have the right protection mechanisms, and have continuity of operations plans. What happens if the entire online credit card system for a major company gets broken into? The company could go out of business. So what is the continuity of operations plan, COOP? What is the company going to do for backup? Where does the company go if their computer systems get infiltrated?

One of the biggest things that we’ve been doing for the last year and a half is writing COOP plans for a lot of the big major federal agencies that didn’t have them before. We do that by first going in there and taking a look at their vulnerabilities. Then we write a continuity of operations plan based on what we find, and try to put that into execution. The plan could call for backup systems. The plan could call for new tools, firewalls, virus protection schemes, and all kinds of capabilities. It depends on what you find when you do the vulnerability analysis. We have the full range life cycle offering that I created here at SRA. I believe that the entire life cycle of security has to be provided if you’re really going to be a major player in this business.

Life cycles of security capabilities
TR: Describe what you mean by the life cycle of security capabilities.
Valletta: I decided to put into SRA the full life cycle of capabilities, so we put in place people who have all those different skill levels.

  • First, we do an analysis.
  • From the analysis, we can then decide whether you need physical protection or cyber protection, or both.
  • Then we decide how to get that physical and/or cyber protection, and what tools and subcontractors will provide those capabilities.
  • Then we put the tools in place.
  • Then—most importantly—we provide education and awareness.

TR: Tell us about the education and awareness
Valletta: I’ve put that as fifth, but it really starts in the beginning as well. What we find is a lot of the agencies or businesses do not have very good education, awareness, and training programs in this area. After you do this work, you want to make sure that people are trained. By putting the training and awareness in place, it keeps the synergism for this area going.

TR: Let’s discuss physical protection for corporations
Valletta: We provide both the cyber products and the physical products. Physical products aren’t just guards at the gate or concrete barriers for people not to drive their trucks through and blow up bombs. We have blast-proof windows and blast-proof doors. We have wallpaper that stops bomb fragments. It’s not bomb detection. It’s bomb protection.

After looking at some of the explosions that took place in some of our [U.S.] embassies, what they try to do is kill or hurt a lot of people. They blow up something in a parking lot somewhere. Your normal reaction is then to go to the window and to go look at what happened or see where the noise came from. When you do that, you’re now falling into their trap. They then blow up the main thing, which is something right outside where the windows are. If you don’t have blast-protective windows, then a lot of damage is done and a lot of people are killed from the bomb fragments coming in. You need a combination of systems like we provide, which are the blast-protective windows, blast-protective doors, blast-protective wallpaper capabilities. This is a type of wallpaper that, put up in a special system the way our subcontractor installs it, when something explodes on the outside of the building, it actually stops the fragments from coming into the wall. It has an elastic type of capability, like an elastic balloon. When the bomb explodes, it keeps the fragments within it and actually expands inside the wall and stops it from coming into the room. Obviously, the wall gets damaged because the bomb’s going to explode the wall, but on the interior of the wall, it stops the fragments from coming into the room. Now this is something that we advertise as part of our vulnerability analysis to put into all those special offices where your key people are, where your key systems are that you want to protect.

TR: Is this something that businesses should be looking at?
Valletta: I think so. I don’t see a major difference between the chief executive officer of a major multi-billion-dollar company and the commanding general of a major army. While one is winning [a] war, the other is winning a business. He wants to keep his business going so he can stay in business, provide revenue and profit, and he doesn’t want to lose his systems. The other individual’s obviously saving lives, fighting the war for the country. They both have the same goal, and that is not to be penetrated, to be up and running, and to continue operations. A CEO of a major company would not want to see his systems go down. In the last year, certain companies have set up a totally bombproof location with a backup capability where their data can be processed, and it’s harder to get into than the CIA. Determining this need is part of a continuity of operations plan. There are bad people everywhere, and they’re not going to go away. So you might need CIP [Critical Infrastructure Protection] capability.
SRA is a systems integration, consulting, and electronic commerce services company that works with both government and private sectors. The company, founded in 1978, has its headquarters in Fairfax, VA, and offices across the United States with a staff of more than 1,900. The company was recently named one of the “100 best companies to work for” by Fortune, and one of the 20 leading private IT companies by Business Week.
Are you considering physical infrastructure protection?
If so, what are you considering and why? We’d love to hear your stories. Feel free to post them below with comments about this interview. Also, send us a note if you have a CIO you’d like to see interviewed.