Tommy Gardner, chief technology officer at HP Federal and vital participant in Executive Mosaic’s GovCon Expert program, is a seasoned veteran of the government-serving technology space. He has nursed a fascination with engineering since he was a young child, taking after a lineage of mechanical engineers in his father and both grandfathers. His career began with 28 years in the U.S. Navy, a time which he deems “a lot of fun” due to intensive engineering and information technology work.
The executive’s trajectory after the Navy has been a storied and highly accomplished timeline, heading up the technological outfits of a series of high-profile government contracting companies. He was director of science and technology at Raytheon and chief technology officer for lengthy stints at ManTech, Jacobs and Scitor. He says he aims to continuously accrue knowledge so that he brings a little more wisdom and expertise to each new organization.
“I’m still a little mole hill, but at least I can look up to the mountains and understand what they’re talking about,” Gardner said humbly. He sat down with GovCon Wire for an Executive Spotlight interview where he proved himself far more than small-statured. During the conversation, he touched on the knotty issues surrounding digital ethics, the immense threat posed by cyber bad actors and why he thinks application interfaces, or APIs, are the most concerning cyber threat.
Can you talk about the importance of AI ethics? Explain why we should be paying more attention to ethical AI.
AI ethics are something that we don’t focus on enough. We focus on cyber ethics even less. I teach a course on this subject Monday nights to graduate students at Catholic University. There are not a whole lot of courses in the U.S. on cyber ethics. Ethics is kind of baked into other courses, I’m sure, but not a course focused on that.
When I was at Black Hat DEF CON last year, I asked the founder, Jeff Moss (Dark Tangent), if he could recommend a book on the subject and he suggested Ethical Machines by Reid Blackman. The book is a very good explanation of how to think about things as they relate to technology and cyber. The subtitle is Your Concise Guide to Totally Unbiased, Transparent and Respectful AI. If we want to be ethical, we have to learn to be respectful of people and genders and ethnicity and age. If we can’t do that correctly, we’ve got to step back and decide, is AI beneficial or is it harmful? We want to create things that benefit society at HP, so certainly we’re going to be taking an ethical track to the development of our products and our software and our offerings to the public. I’m trying to look at the broader cyber ethics arena, more than just AI, including digital ethics at large, so Jeff additionally pointed me toward This is How They Tell Me the World Ends by Nicole Perlroth. Nicole is a writer for the New York Times who wrote about some of the espionage that was going on in the National Security Agency, specifically, Edward Snowden.
When I taught my course and the students and I began talking about cyber ethics with this book, the main issues we wrestled with were: is it okay for your company to sell to governments that are trying to learn about national security? Should we be working with people like the FBI or the NSA or the Central Intelligence Agency? Is that okay? Is that ethical? To answer that question, you have to understand what your ethical framework is. What is the basis, the first principles that you believe in?
Can you talk about how cybersecurity has impacted or changed the national security paradigm? What new trends or shifts are you seeing at the intersection of cybersecurity and national security, and how are those trends influencing the public sector today?
Cybersecurity has impacted our national security in many ways. When we started creating all of the digital information that is out there, no one thought about it getting into someone else’s hands. Previously, you needed physical access to secure espionage information or corporate intelligence information for criminals to act. That no longer is the case. National borders became irrelevant in the cyber world.
You can attack from anywhere in the world. The threat vectors instantly multiplied when that became a realization. Even before the internet, back in the 1990s, you had digital information, but no one really thought about it being risky to hold and carry that around. It was like a briefcase, a stack of papers. You just had your floppy disk and your information was held there. Today, you have a constant threat of bombardment, a constant threat of attack. At HP, we have a software program to protect against ransomware. Because when you experience a loss of data that you incorporated, it’s stopping your operations and you may have to pay vast sums to get things back up and running. Our ransomware protection is very effective at a reasonable cost.
The world is changing and attackers are adapting quickly. The attackers learn from every attack to know what worked and what didn’t. And they’ve tried every possible approach. They have AI algorithms to make sure they leave no stone unturned. We are monitoring that, and we should be monitoring that because as they get better, we have to get better too.
We have the world’s most secure PCs and printers because of the work we put into the design of our products. Zero Trust principles were started in 1992 by HP, when we designed products with a trusted compute module. That was seven years before the term Zero Trust became mainstream. Why? Because it was the right thing to do. We wanted our customers safe, and we wanted them protected. As such, we create these protections in our products with a Zero Trust philosophy.
The national security implications are just tremendous. It took a while for countries to wake up to the reality of their vulnerabilities. Once they realized the vulnerabilities, they started putting up defenses. At first it was like: ‘we’re going to put a castle with a moat around it and protect everybody.’ Well, all of a sudden you realize, there are threats that are inside the castle already. A quest for the most secure option got away from perimeter defense into only forming a basis of trust and work in order to allow access either by individuals or other machines that have been verified trustworthy.
Cybersecurity is very important to economic security, which is very important to national security or defense security. They’re all intertwined. Cyber is now finally being recognized as a major domain in warfare along with air, sea and land warfare, even though electronic warfare has been with us since before World War II. It has changed and evolved over time. Right now, it’s probably one of the biggest threat vectors and can be one of the biggest differentiators in warfare.
Cybersecurity impacts the broader economic, diplomatic and even the critical infrastructure protections that we have in our country.
What is the biggest threat facing U.S. cyber systems today, and what is being done to protect against that threat?
Ransomware is probably today’s biggest threat. There are many solutions out there, which is good. You want a variety of solutions for the public to choose from. This competition in products is good for the country and cybersecurity overall. I’m actually not as worried about ransomware as I used to be. Today, I’m most worried about application interfaces.
While teaching the Catholic University course, which is about cyber attack methodologies and covers certified ethical hackers, we focused on how easy it is to hack into an API and manipulate things and to get into systems. APIs are talking software to software. There’s no person in the loop between them. And that’s why they’re very vulnerable, because they have to be open to other software packages trying to approach and either provide information or take information. I have some concerns that we, as an industry, must shore up capability in APIs.
Do you think the United States’ cybersecurity efforts are keeping up with demand? If not, how can we accelerate and broaden cybersecurity?
It’s a dynamic world and it’s nonlinear, so it’s not like you can project a path of cyber defenses and try to jump or leapfrog ahead to get there before the enemy does. No, it’s going in multiple directions at the same time. I liken it to a quantum computing problem where you’ve got a computer that’s not just dealing with zeros and ones, but it’s dealing with zero, one at the same time, simultaneously going in 360-degree spherical directions exploring vectors. That’s the way the cyber problem is expanding. We need to recognize the inherent issues of that expansion to foster protection or help folks see the path they’re on and then try to leapfrog, when we understand the direction they’re going, the motivations they have and most importantly where the money’s going.
We need to demand that all companies be the best that’s available and then have a commitment to continuously improve as we see the threats changing. We must rapidly change and shift to get ahead of them or get a solution or patch that is the best it could be for the holes that are there. That’s both in the hardware and the software side. You can’t just pick one. You have to do both. You have to pick the best hardware and the best software and master the combination of the two and how they work together.