by Allan Holmes

Lou Magnotti: The Conductor

Jun 01, 2005

Visitors to Lou Magnotti's office had best be prepared for a mélange of metaphors.

When Louis Magnotti III was a teenager in the 1970s growing up in Pittsburgh, he frequently worked in his grandfather’s locksmith business during weekends and summers. Reassembling some of the more complex locks, the young Magnotti would try to force the intricate pieces back together. Magnotti’s grandfather would tell him that he had to patiently slide the lock’s parts together, finessing, coaxing and slightly readjusting the pieces so that they slipped just so into place. “If you have to force it, then the lock won’t work,” Magnotti remembers his grandfather telling him.

Magnotti, now 47, has relied on that advice throughout his career in security. The House of Representatives is no straightforward lockdown job, as many of the networks are open for public access, and some of them are controlled by contractors or other outsiders rather than by Magnotti’s group. This requires a skillful touch, finessing and coaxing independent-minded representatives, their staff members, committee staffers and others to embrace common security practices and policies.

Indeed, it takes a lot of patience to make the locks work.

Reaching Out

As Magnotti sees it, many CSOs try to force information security policies onto users; he refers to it as “pushing out” to customers. That practice often meets with resistance, and like the locks that won’t work if the pieces are forced together, information security won’t work either, because the policies will be frequently ignored and the systems left open for attack or misuse. By contrast, Magnotti says, CSOs would be more successful if they pulled information into the CSO office by reaching out to customers, learning their needs and concerns and working with them to develop policies that they would be more likely to implement. Magnotti’s gentle touch makes sure that the House’s security pieces fit together better. “You have to be up-front with people, and be sensitive to things like privacy,” he says. “That builds credibility, rather than acting like the security guard who is out to hang them for doing something wrong.”

Sensitivity, affability and a predilection toward inclusion are the hallmarks that make Magnotti, who’s been House CISO for six years, a perfect fit for a job that requires securing the networks in an environment that must be kept open to the public yet secure enough to guard sensitive documents. Magnotti oversees network security for 435 U.S. representatives, dozens of committees and subcommittees, as many as 14,000 users and 22,000 system devices, including servers, PCs, printers and other peripherals. Many are scattered throughout the United States in 900 district offices.

Magnotti puts those traits to good use in dealing with some of the more educated and accomplished individuals in the high-stakes U.S. political arena; simply put, people who are used to getting their way and being in the spotlight for some of the most high-profile, volatile social and economic issues facing the country. That’s why Tim Campen, then CIO for the House and now vice president of the Orion Homeland Security Center at SRA International, hired Magnotti. The previous House CISO came from the Department of Defense; he was a process-oriented manager who had a militaristic command-and-control style that didn’t mesh well with the movers and shakers in the House, according to Campen. He wanted a CISO who didn’t have a large ego and who would act more like a stage manager, remaining in the background as the curtain rose, satisfied with having the players on the stage receive the applause. “Lou is a master at that,” Campen says. “He knows how far to push the argument or standards, and once he feels pushback, he is very effective at working with the customer diplomatically.”

From the House Information Systems Security Office, Magnotti is constantly balancing on the tightrope of working with independent network administrators and contractors on one side and insisting on compliance with House security policies on the other. To keep from falling, Magnotti has borrowed a page out of the game book of the politicos whom he serves.

Magnotti spends a lot of time “in the field,” which means going around to the representatives’ offices and House committees’ offices. In the lingo of the political environment in which he works, Magnotti calls these visits “walk-in campaigns,” in which he and his staff go in to “drop off trinkets, shake hands and kiss babies,” he says, adding that the kissing babies part is a metaphor. He drops off brochures that define different cyberattacks and what can be done to guard against them, and that explain the security policies for the House. He may hand out mouse pads, one of which is printed with the Capitol Dome and the slogan “Keeping Our House Secure!” Magnotti also sets up a booth at the annual House service fair, where all the service organizations under the House Chief Administrative Officer (CAO), including the Capitol police and the Capitol Credit Union, introduce their services to members and their staffs.

Part of the outreach includes synthesizing and organizing all the information on security that Magnotti’s 20-member staff collects, including intrusions, virus infections, phishing attempts, unauthorized access from all sources and other security breaches. Magnotti uses the data to write a monthly report that he submits to executive managers and other stakeholders (whom Magnotti declines to identify) to keep them informed about what his office is doing and how it is performing. “A lot of CSOs won’t [collect the information] or don’t know how it will help their security program,” Magnotti says. “But when you look at statistics, it will tell you a lot about our relationship with the rest of the organization, how to budget the return on investment, and it keeps security foremost in people’s minds.”

Besides being in constant contact with his boss, House CIO Dan Doody, Magnotti attends monthly meetings of system administrators in charge of different networks throughout the House. Some of the networks in the House are maintained by system administrators or system integrators who were hired by a representative, a committee or a subcommittee, and who do not report to Magnotti. He is directly responsible for the other networks. He works with the group to make sure security policies developed by his office, which is part of the CAO, are followed, but he spends a lot of time listening. He also sits on an executive security committee, the Capitol Infosec Technology Exchange. That group (of about 25) comprises legislative branch CISOs, including Magnotti’s counterpart in the Senate, Paul Grabow, with whom Magnotti frequently exchanges information on cyberattacks.

Reaching out to include others in security policies and deliberations is one of Magnotti’s trademarks, says Louis Bouchard, director of security for Lockheed Martin’s Moorestown Operations in Moorestown, N.J., who has worked with Magnotti for about 25 years. While Magnotti worked for the Navy as a security manager, Bouchard coordinated with him on a committee that established the National Industrial Security Program requirements for the industry to follow when working on military programs for the Defense Department. Equipment manufacturers and the DoD negotiate on how products will be developed under those programs, and as a result, the discussions can be heated because government requirements can create demands that the manufacturers view as onerous or unworkable. But Magnotti, Bouchard says, “was one of the voices of reason. He took the time to understand industry’s perspective and balanced that against government requirements, and we came out with a great document. He was instrumental in making that happen.”

The Professor

Visitors will find no name on the nondescript gray building where Magnotti’s office is located. Standing at his office whiteboard like a basketball coach, marker squeaking like sneakers in a gym, he blends references to popular movies and arcane formulas.

“You know the Robert De Niro and Billy Crystal films Analyze This and Analyze That?” Magnotti asks as he writes. “Well, we like to call what we do here ‘Analyze This,’” he says, writing those words on the board and underlining them for effect.

He jots down a formula: (TIA + 8va) / M² = Keeping Our House Secure.

Magnotti steps back and begins to explain. TIA borrows the name of the infamous Total Information Awareness program headed up by retired Adm. John Poindexter. The program, developed in reaction to 9/11, would have tapped into private databases to search for clues that might identify possible terrorists. Congress killed the project, concerned that the system would have overly compromised Americans’ privacy. But Magnotti isn’t referring to the controversial program at all; he says TIA, in his formula, simply represents the demand on security officers to research, analyze and produce data and information to help secure networks and cyberspace, and to capture information signatures that point to vulnerabilities. “You apply that to information security and that’s exactly what we are looking at in terms of gathering information, analyzing and assessing. It gives you an information signature of what you are talking about. It gives you a baseline to start from,” he explains.

The “8va” refers to the music notation for “octave,” which also is an acronym in the information security field that stands for Operationally Critical Threat, Asset and Vulnerability Evaluation criteria. The theory was developed at the CERT Coordination Center and Carnegie Mellon University, and includes the theory of building a threat profile, defining vulnerabilities and developing a security strategy, says Magnotti. Adding TIA and 8va together gives a security chief the information to consider in protecting networks.

The M squared, Magnotti explains, stands for the Magnotti methodology. The Magnotti methodology is how you deploy the security profile, and it includes five elements: 1. a skilled staff, 2. adequate resources, 3. sound security practices, 4. stakeholder involvement and customer outreach, and 5. metrics. Magnotti says when you divide the sum of the information available to you in developing a security profile by the Magnotti methodology, you have created a secure environment.

“It takes a while to learn your environment: your threat profile, current intrusions, policies that need updating, weak points,” he continues. “Then you have to develop your strategy from there. You’re attacking each one in their own little vector, if you will, with each one of these combatants,” he says, pointing to the list of five criteria that make up his methodology.

Securing the House

Magnotti’s academic approach to information security belies his upbringing. He grew up in a modest home in Pittsburgh, where his father, Louis Jr., first worked in the family locksmith business and later in insurance. His mother was a homemaker. He carried his love for security to the University of Miami in Coral Gables, Fla., where he planned to major in music. However, he says, “I knew early on that computer security was where the new frontier was. That grabbed my interest.” After two years in Miami, his cousin Bill, who had also worked with their grandfather, convinced Magnotti to leave school and move to California, where he worked on securing the buildings at Northrop Advanced Systems Division.

Magnotti used that experience to get into the DoD, and he began working as a security manager for the U.S. Navy. He worked in physical security, keeping sensitive and classified buildings secure, establishing policies, implementing operational security measures and providing clearances for Navy personnel. The job required a lot of travel, and Magnotti finished his undergraduate degree in management information systems at Sterling College in Missouri in 1991 by attending night courses. He did the same to get his master’s degree in computer science from James Madison University.

At every job, he says, he applied the lessons from growing up working in his grandfather’s locksmith business. For instance, Magnotti must be able to react discreetly to incidents such as a staffer on a committee attaching a classified document to an e-mail message. “You have to be able to clean up messes like that, where someone should be fired but can’t be without embarrassing the congressman in the process,” explains Campen, Magnotti’s previous boss. “This job requires a tremendous amount of discretion.”

But make no mistake: All the discretion, patience and politicking would amount to nothing if Magnotti’s team didn’t also have safeguards of a more technical nature in place. Magnotti has set up a lab to track in real time the tens of thousands of cyberattacks that hit the House systems during any given month. In the network security operations lab just down the hall from Magnotti’s office, four technicians watch a large monitor attached to the wall near the ceiling. On the screen is a digital map of the world. Lines connect countries to Washington, D.C. Each line indicates a cyberattack on a House system that is occurring at that moment. Lines come from everywhere, including Russia, China, the Middle East, France, the United Kingdom, North Korea, South Korea and even some islands. From their desks, the technicians can move a cursor and click on one of the lines to check the source of the attack, what server it is attempting to penetrate and what kind of attack it is, such as a denial of service. Brent Conran, the lab manager, won’t say how many attacks get through the firewall, but he adds, “We’re very busy.”

The House’s cyberspace will become even more open in the coming months. Magnotti is testing a wireless system that will give House members and their staffs instant access to the House networks. Magnotti acknowledges it is probably the most ambitious project he has worked on in his six years as CISO of the House. His staff will test the wireless network’s defenses as an ongoing effort, but Magnotti refuses to give any more details. “I’ll leave it at that,” he says.

Although he is modernizing one of the oldest institutions in the nation, Magnotti still comes back to basics, looking for a way to make sure that the parts of his security strategy fit easily like an intricate lock. That means continually working on a security awareness program, which includes an online security awareness course on the House intranet. The course teaches users to be aware of viruses and incidents, explains how the security office conducts remote access of systems at the House and describes what to do in case of a cyberspace incident. Magnotti’s team also has posted on the internal website security policies and a certification checklist. Users can also access short video clips that teach them about information security topics such as firewalls and intrusion protection. “I think you have a tendency in a security office to forget that real security awareness is the underpinning of what you are trying to do,” he says. “We tend to get sidetracked with the latest technical devices, or how can I make a better security policy, or how can I lock down something even more. What we don’t put as much time and energy into is making sure the people know that we are here, and here are the services that we offer. That’s what makes security fit across the organization. But it takes a lot of work.”