Q&A With Bill Kalogeros,
Director, US Federal and Defense

archTIS and subsidiary Nucleus Cyber just launched a dedicated US Federal and Defense Sales and Channel Practice in the United States to meet increased government demand for advanced information protection solutions. Read about it here.

Bill Kalogeros, a 25-year US federal sales professional and US veteran, has joined archTIS’s leadership team as Director, US Federal and Defense.

We sat down with Bill to get to know him better. Here’s what he had to say about his long career in the federal and defense software industry and the security challenges facing the space today.

Q. You were a United States Army Ranger. Tell us what that was like.

In a word… Amazing. When I was in (back in the early 80’s), we only had the two Ranger Battalions. It’s changed a lot since then… everything from the parachutes, to the use of GPS and other technologies – the networked battlefield. The one thing that has not changed, is the attitude. You learn to train and work as a team. It also tests you both mentally and physically – to push you to your limits – and then push further. If you believe in the team and yourself, and are well prepared, you will achieve mission success. That mentality and work ethic has carried over to my work life.

Q. How and when did you first get started in software sales?

I actually started in hardware sales, after I got out of the service in Anchorage, AK. Selling Sony CPM-based computers and word processing systems. It’s also where I learned a very important lesson.  That you never judge a book by its cover and also to be respectful of others you are presenting to.

Even with selling hardware, there’s always been some aspect of software in there. To your question though, the last 15+ years have been more focused on the software aspects of security – from internet policy management software, deep packet processing/manipulation, DNS, VPN, zero-trust, and advanced cyber deception products. All of them have had their place. Which is one of the reasons I’m excited to be back with the archTIS/Nucleus Cyber team.

I worked with our COO Kurt as part of the Cryptzone team and had great success with our Security Sheriff products, because it solved a big problem for Section 508 compliance and SharePoint security for our Federal customers. That product has evolved to become NC Protect. Now, with the merger of archTIS and Nucleus Cyber, two important solutions now come together under one global team. NC Protect delivers a Zero-Trust capability required for the full Microsoft stack, delivering Attribute-Based Access Control (ABAC) and Federation. It allows you to deliver dynamic security controls across all aspects of your Microsoft environment – from chat sessions and sharing in MS Teams to Outlook, DropBox, OneDrive, SharePoint, Yammer, and even Nutanix. It’s not only secure, but there’s also a full audit trail for audits and CMMC compliance.

archTIS extends our capability for secure information sharing to our Federal Government and our Defense Industrial base with our Kojensi Secure information sharing platform for more classified requirements. It’s been previously accredited to TOP SECRET/SCI under JSIG, and provides a simple to use, highly secured web-based capability that controls the release of information against security clearance information, country of access, organization and topic/codeword – a more secure ABAC capability for multi-domain operations at the file level.

Q. What led you to specialize in the government and defense industry?

I first started working a little bit with the government customer when I first got into the industry, working with NASA and other DOD SIs in the Silicon Valley area. I slowly got more involved working with Government accounts and liked it.  Once I understood it was a more specialized area, I jumped in (no pun intended). I liked the people and the process, once I understood it and the funding cycles.  There is also a trust level that you have with Government clients, like back in the military.

Q. What are the top security concerns facing government and defense agencies and organizations that support them today?

Where do you start? We hear about it almost every day – whether it’s an insider threat situation (either cyber or human), the SolarWinds and other infrastructure level attacks, supply chain issues – these are just some of the concerns keeping the CXOs up at night. With the new COVID workforce, everyone is working virtual, which means traditional security methodologies are no longer effective – there aren’t any network boundaries anymore. Legacy networking and VPNs are either dead or dying. The adversaries are getting smarter, coding is getting more powerful, which means another SolarWinds supply chain exploit is certainly possible. So now we are exploring ways to create a Zero-Trust reference architecture to try to get a handle on the inherent flaws with IP and stay a step ahead of the threats.

So that also brings up two additional points to consider for the agency CXOs. First is Awareness. For example, you know you have a major problem or challenge with a zero-day exploit, so what are the game-changing technologies available to me to mitigate, or fix the problem? What resources are available to me to rapidly find and assess new technologies and solutions to my problems? The big technology/security players figure you can invest a ton more money by upgrading the same type of solution…not a good plan. So then how do you get to the new innovative technologies that fly under the radar? That’s almost as much a concern as the threats themselves.

Another area of concern for government, defense and the Defense Industrial Base (DIB) is the way security products are acquired. By the time some products make it through a certification process (say FIPS accreditation), the product is, by the time of accreditation, now out of date (two or three new product versions have been released) and now has to be re-certified. So, there also needs to be a new approach to rapid acquisition of new technology solutions. That has begun to happen with organizations such as AFWERX and NAVALX, that are accelerating the SBIR process and connecting innovative technology with agency stakeholders. OTAs (Other Transactional Authorities) are also beginning to take hold and have been gaining momentum in the acquisition arena as well, to bring new technologies into the DOD.

Q. How has this changed in the past 25 years?

Well, 25 years ago, things were not all connected. OT, IoT and GPS systems had not yet been fully commercialized. Things like VPNs were just getting into production environments and we were focused on the traditional defense-in-depth security architecture (firewalls, IPS/IDS, VPNs, etc.). The threats were not as sophisticated, and things weren’t as connected. Now everything is connected! Your nanny cam, refrigerator, and automobile are all connected and are potential hacking points in the connected world, whether via the network or Bluetooth connection.

We’ve now migrated to IPv6, due to the limitations of IPv4 for networked devices, which includes weapons systems and UAVs. Multi-Domain operations fully rely on networked systems, to include the F-35s, ground units and UAV assets, and in the future, systems such as Skyborg. Back in my days in the Army, they could barely get the Link-16 systems to communicate.

With COVID, everyone is now working remotely, which means that the traditional network perimeter no longer exists. With your work laptop connected to your home network, along with all of the other aforementioned devices (cars, cams, TV, etc.) the network is porous at best.

Q. What can government and defense organizations do to better defend against these cybersecurity threats and prepare for future threats?

First, don’t buy any of those network-connected personal devices! We have to rethink how we look at security. First, the “old guard” in senior leadership needs to listen to the cyber-defenders that are doing the hard work in the NOC/SOC and doing their best defending our nation in the cyber realm.  Second, the old traditional security solutions we delivered to our government customers in the past, will not cut it today.  With the SolarWinds ongoing attack and the malware that has been deployed, and the supply-chain hacks, it has only brought into focus the inherent problems with TCP/IP.

DISA seems to be leading the charge with a zero-trust reference architecture that can help tremendously in this area. With this shift to zero-trust, what you hope doesn’t happen is that hardware vendors slap a few new features on their systems, with new rules, and call it zero trust – it’s not. Companies such as Tempered Networks deliver a zero trust infrastructure that really addresses some of the core problems at the Layer2/3, with a “cloak of invisibility” over the protected network(s).

Another critical requirement is to secure the data in a dynamic fashion—which is where a company like Nucleus Cyber comes in. The NC Protect product integrates Attribute-Based Access Control (ABAC) to all of your files and file shares, Teams and all Microsoft products, essentially adding zero-trust to your files, without a forklift upgrade to any of your systems.

Q. Do you have any recommendations for agencies and organizations that have to work with third-party suppliers and the inevitable security issues that can come with providing them privileged security information?

Well, the DIB is getting forced to lock things down now, with Cybersecurity Maturation Model Certification (CMMC) as a requirement. CMMC is a combination of various cybersecurity standards and best practices. The model’s creation was supported by the Department of Defense (DoD) and built upon existing regulations where compliance is based on trust and a verification component.

Most organizations receiving funding from the DoD will need to be certified to qualify for future Department acquisitions. Initially, contractors will see Level 1 through Level 3 assessments occurring during Fall/Winter 2020 into 2021. Level 1 is required for anyone handling federal contract information (FCI), and Level 3 is required for anyone handling controlled unclassified information (CUI). 

One area that NC Protect addresses for Level 3 CMMC, is Domain AU: Audit and Accountability controls specify how to create and maintain audit trails that let you track individual users’ activity and system activity.  NC Protect also addresses the Level 1 & 2 requirements, addressing data and access to the data, along with information sharing and full auditing of user access to the data.

Network and information protection has never been more critical than it is today. EVERYTHING IS NOW CONNECTED TOGETHER. I could potentially launch a DDOS attack against a critical infrastructure target, like a water treatment plant from a neighborhood full of smart appliances. Insider threats and nation state attacks are targeting critical information on an hourly basis. It’s our responsibility to keep working together to keep our country safe from cyber-attacks.