Making friends with partners isn’t just easy when you’re at NASA, it’s necessary. In this AMA with outgoing CIO of NASA, Renee P. Wynn details the importance of international partnerships, how storytelling is crucial to cybersecurity and delivering IT services to astronauts in space.
Your father also worked at NASA. What would you say is the biggest difference between the two eras at the agency?
Space exploration has changed a lot since my Dad worked at NASA as a metallurgist. But this era comes at it from a different perspective. My job is purely terraform web-based. We ask how we can build resilience into NASA’s Space Program, as well as into our air and aeronautics programs as well because cybersecurity is a huge issue.
If you’ve got hardware and software, you have the potential for throughput and a really bad day should someone get control of those operations. So my role was always internal and how all the mechanics work, not the electrical mechanics, but how the software and hardware are interacting. And if that hardware and software can touch Earth, are we doing the right things to protect it? And then when you’re in space, I think of a good neighbor policy, probably pretty much as my dad thought of good neighbor policies. Will the metals be able to withstand the environment that it’s in? Mine is a good neighbor policy and that is that the asset cannot be commandeered and used for nefarious activities.
What are your basic principles with cybersecurity in protecting data at NASA?
It’s just one big principle and that’s securing mission success. Underneath that it also breaks out financial risks. First and foremost, I’m driven by the reputational risk associated with NASA. Then there’s our strategic risk. How are we going to imagine Moon to Mars with the Artemis program? And with cybersecurity threats, how do we build a more resilient set of systems associated with our Moon to Mars endeavors?
Then there’s operational risks and I weave those in together in terms of how do we get them on the chalkboard to get them addressed? So overall, I’m about securing mission success, and then taking a look at the spectrum of risks underneath that secure that mission success. Then the question arises as to how to put those in front of people to solve those risks, or whether we accept those risks. If we accept a risk then you need to document that, so that we know in NASA what our overall risk posture is associated with cybersecurity, as every system is connected to another system. I know I hear about having things air gapped. Well, I like to see the diagrams associated with your gap, because I actually haven’t seen a diagram that is truly air gapped yet.
An element of my job in terms of securing mission success is telling stories and bringing to life cybersecurity, because it’s not something you necessarily see, unless maybe you get ransomware, which I don’t want to have happened here on my watch on the network. But it is a hard thing to imagine if you’re not accustomed to it. And so using stories to bring that to life helps us focus on securing mission success and mitigating the risks underneath that.
Was security one of the biggest challenges that you had to overcome in a project like Artemis?
Yes. It doesn’t matter where you’re doing IT, people process and tools still break out to the basics. The first one is the people. Helping people understand cybersecurity risks that you don’t really see. You might bring in media stories of breaches and say these things could happen here at NASA. We just completed an assessment–a pretty stringent assessment of cybersecurity–for Artemis amongst some other issues. And we’re looking forward to working with our human spaceflight program to start addressing those risks.
Besides Artemis, what were some of your highlights at NASA?
One of my favorite things to do was flying on Sofia, a big giant telescope on an airplane at 40-43,000 feet. You open the back of an airplane and you get to stare at Jupiter all evening. Then once a week they got everything going and I had a chance to talk to the scientists in the airplane. They were doing software testing on the particular flight that I got on.
So then I got to talk to the software engineers while we were in flight, because they were doing all their shakedowns associated with it. When that airplane landed, they pull the data off the airplane and then used the sneakernet. I’m glad they used the sneakernet, that’s a true air gap that one! It a very cool flight where we could talk about those risks and what they were doing to mitigate those risks.
Another great thing was going to Moscow and Kazakhstan for a human launch on the Soyuz and talking to my team that was there and how we supported the human launch. Being part of the fanfare and meeting the families of the American astronauts that were going as well as continuing to follow their careers as astronauts back here on terra firma.
Being part of that tour and seeing the business that my team did in support of the human launch was great.
Finally, not a cybersecurity story, but a very cool story was how I got to hold moon rock and I got to see a lunar trash can. I asked myself, do we really have a lunar trash can? I was at Johnson Space Center and I can tell you that the trash can looks a lot like just a regular trash bin where you step on the pedal and the lid comes up. It just has to be labeled so the folks treat the trash accordingly.
I wondered if you could speak to the internationalization of space exploration and how information security fits in with that.
My job is to make friends and be effective by building trust with anyone that I work with. That includes foreign countries. So I have worked with other space agency CIOs to increase cybersecurity protection in the way NASA does business with other space agencies. This is a journey that we’re going to be on for foreseeable future.
As an example of what we’ve done, the European Space Agency, ESA, and us just finished building out a partner network. Before, when we did business, we didn’t believe that we needed a partner network. But both of us have entities to protect: our intellectual property. And to protect ourselves we believed that this was the right thing to do.
In terms of partnershipS, we’ve got to be able to exchange appropriate engineering diagrams and work on engineering issues together in a more collaborative environment. We have the typical email and typical file share capabilities and we need to be doing that in a more secure manner together.
We also need to respect each other’s laws. Doing business with Europe, we’ve got the GDPR that we have to deal with. And so we went through a whole process to understand that law, what it would mean to be doing business with them at NASA.
It always feels like a CIO that we are behind. That’s ok except when you get to the red alert stage and people need things now. It’s harder to deliver now in this environment, because you have to take a hard look at what’s embedded in that software before you use it.
How does the CIO of NASA make a business case?
The first thing is understanding the way they do business. So I spent the first couple of years here at NASA just learning NASA. And believe me, I felt like I landed on another planet when I got here. I didn’t understand them. I’m pretty sure they didn’t understand me either.
It’s seeing the way people were and how can you enable that productivity in a way that’s more secure. So NASA cybersecurity posture had to improve considerably. That has been a major area of focus of mine. I couldn’t do that alone. You can’t do anything alone. How do you get family members to help you with something? You can order them around and that’s not going to get you far. The other side is to understand where folks are coming from and then work with them by telling stories or telling compelling cases–perhaps mathematical cases–that really helps them see what the problems are to invite them to solve those problems with you.
Many people might be surprised to hear that NASA has customers.
First and foremost, my customers are the NASA employees and the contractors that come to work every day that use my network, and use my services. So those services must be forward-leaning in the customer experience.
But it doesn’t stop there. That customer experience will go to our partners that will help us achieve the bold mission of Artemis that help us achieve on an everyday basis bringing science back from space. Those are also my customers, because they need to work with the scientists and they need to work with the public as well in order to identify Earth 2.0. Probably be a good idea for us to find that planet in the near future!
So those are my customers, anybody that wants to do business with NASA, the Boeings the Lockheed Martins, they are my customers at well.
We’ve improved our security posture measurably in about a three to four years time frame. We’ve got metrics that prove it. But that came with sacrificing the customer experience and our strategic plan had service excellence in it, but it is not an area that I believe I got to spend enough time with. However, as I am leaving, the new CIO will be striving for it and it is that person’s business to address customer experience within the services that are provided out of the CIO organization.
NASA has probably the most remote workforce of any organization. How do you manage a team spread across (above) the planet?
The good news is that the astronauts don’t report to me! I rely upon 10 center CIOs to create and maintain organizations that are productive for all the folks that they are serving.
I do have a global IT workforce that we need to take care of in securing the mission. When we go over to launch from Kazakhstan, the team goes ahead of time in order to prepare for that. I chose to make myself known to the IT workforce. I visited every center every single year and met with the team. Conducting meetings with the team to tell them where we’ve been and a little bit more about where we’re going. I have shadowed individuals within the centers and I shadow the folks that work in that world right there delivering IT, asking them to just ignore me. So I was basically out of my office for the better part of the last four years.
I’m happy to say that in September of this year, my team delivered Office 365 to the space station. I can’t say if it’s the preferred tool, but it is at least being delivered to them on the space station.