First-ever Audit At The Department of Defense

“DEFENSE ONE”

“The Department of Defense is preparing for its first-ever audit.

The nation’s most sprawling and expensive bureaucracy and the world’s largest employer—has yet to undergo a formal, legally mandated review of its finances.

[It] has become a preoccupation for members of Congress intent on demonstrating their fiscal prudence even as they appropriate more than $600 billion annually to the Pentagon.

“Like Waiting for Godot,” one Democratic senator, Jack Reed of Rhode Island, quipped about the absent audit at a recent hearing. The lack of formal accountability has left unanswered basic questions about how the military spends taxpayer money, like the precise number of employees and contractors its various branches have hired. Cost overruns have become legendary, none more so than the F-35 fighter-jet program that has drawn the ire of President Trump. And partial reports suggest that the department has misspent or not accounted for anywhere from hundreds of billions to several trillion dollars.

After years of missed deadlines, the mounting political pressure and a renewed commitment from the Trump administration might finally result in an audit. For the first time last year, both major political parties called for auditing the Pentagon in their campaign platforms. That unites everyone from Hillary Clinton and Elizabeth Warren to Ted Cruz and the House Freedom Caucus. And last week, Trump’s nominee to serve as comptroller for the Pentagon, David Norquist, testified at his Senate confirmation hearing that he would insist on one whether the department could pass it or not. “It is time to audit the Pentagon,” Norquist told members of the Senate Armed Services Committee in his opening statement.

As comptroller for the Homeland Security Department a decade ago, Norquist, the brother of the anti-tax advocate Grover Norquist, undertook the first successful audits of that much younger federal agency. The Defense Department is unlikely to meet a statutory deadline to be “audit-ready” by the end of September. But Norquist said he would begin the process even if the Pentagon’s financial statements were not fully in order, and he committed to having the report completed by March 2019.

What has prevented the Pentagon from being examined this way before? The answer lies somewhere “between lethargy and complexity,” said Gordon Adams, a distinguished fellow at the Stimson Center who was the top budget official for national security in the Clinton White House. “It hasn’t been done ever,” he told me, “partly because it’s incredibly complicated to do and also because there’s not a great, powerful will in the building to do it.”

The complexity of the project dates back to the Civil War, Adams said, when the Army and the Navy set up their own separate accounting systems. The Air Force also went its own way after its creation following World War II, and the military build-ups of the last four decades scrambled the department’s financial records many times over. The explosion of military contractors since 9/11 has made scrubbing the books harder still. Adams estimated that an audit would have to account for 15 million to 20 million contracting transactions each year. The Pentagon has spent several billion dollars over the last seven years just trying to consolidate its accounting systems in preparation for a potential audit.

Despite the ramp-up costs, the project has never risen to be a top priority; the Pentagon has simply been too busy fighting wars. “The military has repeatedly argued that they need to focus on the war effort and accountability can come later,” said Kori Schake, a fellow at the Hoover Institution who previously served in a variety of national-security positions in the government. That excuse carried more weight with lawmakers in the years when the United States had hundreds of thousands of troops fighting in Iraq and Afghanistan.

Now, top Republicans like Senator John McCain of Arizona, chairman of the Armed Services Committee, are pressing for an audit with more urgency. “This has been a very public continuing failure for the Department of Defense, in large part due to the failure of senior management to make this a priority for the department and invest the necessary time and will to get it done,” McCain said at the outset of Norquist’s hearing. “This must end with you,” he told the president’s nominee.

Yet those fiscal hawks hoping that the long-awaited report will spur substantial reforms to defense spending are just as likely to be disappointed. An audit by itself won’t dismantle the “military industrial complex” that former President Dwight Eisenhower famously warned about, nor will it lead members of Congress to stop fighting to protect the bases and weapons systems that are manufactured in their districts—and the jobs that come with them. Several times in recent years, it has been congressional lobbying that has kept up production of weapons and equipment that the military no longer considers necessary.

“An audit does not raise the big issues,” Adams said. “It doesn’t tell you that we’re not getting the right bang for the buck. It doesn’t tell you anything about whether we’re getting the right forces for the threat. It doesn’t tell you how well the forces perform. It doesn’t tell you where we are wasting capability that we don’t need.”

“What it allows a member of Congress to do,” he continued, “is to look tough on defense and spend a lot on defense at the same time.”

Spending a lot on defense is what the Trump administration wants to do, even as it pledges its support for a Pentagon audit. The White House has asked Congress for a $54 billion increase in the military budget over the next year and secured about $15 billion of that in the recent spending deal. “It’s harder when there’s a big inflow of cash to focus on something like the audit,” said William Hartung, director of the arms and security project at the Center for International Policy. “There’s still that incentive to just push the money out the door.”

There’s some hope among audit advocates that the administration’s demand for more money will give congressional spending hawks leverage to insist on progress toward the accounting milestone in exchange for a budget increase. But they also don’t believe leverage should be necessary to demand that a department with a workforce pegged at more than 3 million people commit, at long last, to some basic bookkeeping. “We would never accept the argument that the Department of Education is too big and too complicated to be accountable,” Schake argued. “Why do we accept that for Defense?”

http://www.defenseone.com/politics/2017/05/white-house-vows-audit-pentagon-which-would-be-first/137928/?oref=d-channeltop

Fundamental Vulnerabilities in U.S. Computer Infrastructure

“NEW YORK TIMES” By 

“Last week’s cyberattacks have laid bare some fundamental vulnerabilities in our computer infrastructure and serve as a harbinger.

There’s a lot of good research into robust solutions, but the economic incentives are all misaligned. We need government to step in to create the market forces that will get us out of this mess.

None of this is welcome news to a government that prides itself on minimal intervention and maximal market forces, but national security is often an exception to this rule.

As devastating as the latest widespread ransomware attacks have been, it’s a problem with a solution. If your copy of Windows is relatively current and you’ve kept it updated, your laptop is immune. It’s only older unpatched systems on your computer that are vulnerable.

Patching is how the computer industry maintains security in the face of rampant internet insecurity. Microsoft, Apple and Google have teams of engineers who quickly write, test and distribute these patches, updates to the codes that fix vulnerabilities in software. Most people have set up their computers and phones to automatically apply these patches, and the whole thing works seamlessly. It isn’t a perfect system, but it’s the best we have.

But it is a system that’s going to fail in the “internet of things”: everyday devices like smart speakers, household appliances, toys, lighting systems, even cars, that are connected to the web. Many of the embedded networked systems in these devices that will pervade our lives don’t have engineering teams on hand to write patches and may well last far longer than the companies that are supposed to keep the software safe from criminals. Some of them don’t even have the ability to be patched.

Fast forward five to 10 years, and the world is going to be filled with literally tens of billions of devices that hackers can attack. We’re going to see ransomware against our cars. Our digital video recorders and web cameras will be taken over by botnets. The data that these devices collect about us will be stolen and used to commit fraud. And we’re not going to be able to secure these devices.

Like every other instance of product safety, this problem will never be solved without considerable government involvement.

For years, I have been calling for more regulation to improve security in the face of this market failure. In the short term, the government can mandate that these devices have more secure default configurations and the ability to be patched. It can issue best-practice regulations for critical software and make software manufacturers liable for vulnerabilities. It’ll be expensive, but it will go a long way toward improved security.

But it won’t be enough to focus only on the devices, because these things are going to be around and on the internet much longer than the two to three years we use our phones and computers before we upgrade them. I expect to keep my car for 15 years, and my refrigerator for at least 20 years. Cities will expect the networks they’re putting in place to last at least that long. I don’t want to replace my digital thermostat ever again. Nor, if I ever need one, do I want a surgeon to ever have to go back in to replace my computerized heart defibrillator in order to fix a software bug.

No amount of regulation can force companies to maintain old products, and it certainly can’t prevent companies from going out of business. The future will contain billions of orphaned devices connected to the web that simply have no engineers able to patch them.

Imagine this: The company that made your internet-enabled door lock is long out of business. You have no way to secure yourself against the ransomware attack on that lock. Your only option, other than paying, and paying again when it’s reinfected, is to throw it away and buy a new one.

Ultimately, we will also need the network to block these attacks before they get to the devices, but there again the market will not fix the problem on its own. We need additional government intervention to mandate these sorts of solutions.”

Bruce Schneier, a fellow and lecturer at the Harvard Kennedy School, is the chief technology officer of the cybersecurity company Resilient. He blogs at Schneier on Security and is the author, most recently, of “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.”

Special Operations “Iron Man” Suit Takes Shape

“DEFENSE NEWS”

“It’s getting very real right now,” said Col. James Miller, the director of the Joint Acquisition Task Force TALOS.

The team of around 35 vendors, labs and academic institutions are diving deeper on systems engineering, he said, adding, “We are going to start building parts and snapping them together” while testing for functionality and safety.

The informally named “Iron Man” suit that U.S. Special Operations has been developing will start to come together over the next 18 months with a first prototype expected to be fully built by the end of 2018.

Formally known as the Tactical Assault Light Operator Suit, or TALOS, Special Operations Command has spent the past four years tackling complicated technical hurdles to try to revolutionize the performance of a dismounted operator by developing the armored exoskeleton.

Some skeptics have said the project is moving too slowly or that it’s a waste of money to try to develop something only a reality in comic books and movies, akin to the Pentagon building a “Star Wars” Death Star. A few years ago, the suit even made its way into then-Sen. Tom Coburn’s, R-Okla., famous “wastebook” among 100 federal programs he called wasteful.

But for Miller, getting TALOS right would be a revolutionary leap ahead achievement for the future special operator, not meant to be fielded in just a few years. “We are trying to redefine in many respects science and engineering,” he said.

“We are putting a human inside of a robot,” Miller said, which “has to emulate the human itself.”

The program isn’t tackling how to give back capability to someone who is impaired; it’s trying to take an elite athlete and super empower someone with that capability, James “Hondo” Geurts, USSOCOM acquisition executive told Defense News in an interview at SOFIC.

While SOCOM is trying to push the bounds with a full suit, there have already been “great spin-offs both in technology and in business practices,” along the way, he said.

TALOS program officials sat down with industry representatives by appointment for nearly 12 non-consecutive hours over the course of a three-and-a-half-day conference.

Each layer of the suit presents complicated technical challenges, and integrating all the layers is yet another challenge. Miller sees it as a “system of systems,” like an aircraft or other major weapons platform.

Miller said the base layer of the suit needs to be capable of regulating the operator’s temperature and will have tubes incorporated into the layer delivering chilled water to keep an operator’s core from overheating. Also “junctional fragmentation” will be woven into the fabric to protect the operator where armor pieces won’t cover.

The exoskeleton’s purpose is to displace hundreds of pounds of weight and enhance body movement. It has to be perfectly form-fitting, “kinematically seamless with the body,” Miller said. The individual wearing it shouldn’t notice it’s there.

“If we get that right, then we are good,” he said, adding exoskeletons have been attempted in the past several decades, but some were so big they couldn’t fit through a door. That won’t work for special operators engaging in close-quarter combat, Miller added.

The 800-part exoskeleton is currently being built using carbon fiber plastics, which is strong enough to replicate and prove design, but not enough to be encumbering or too expensive, Miller said.

The program has used rapid 3-D prototyping as it refines the exoskeleton and has managed to cut what was expected to be a billion-dollar project “way back,” Miller said.

For now, the first prototype will be made of titanium, he said, which is lighter and stronger.

Building on the exoskeleton will be an electric actuation system to emulate muscles. The program will develop both upper- and lower-body actuation, Miller said, which is very hard to do, but both are needed.

The final layer of the suit is the armor. The military has mastered ballistic protection on the chest, back and head, but the legs, arms and face continue to lack appropriate protection, Miller said.

The suit can’t be completely armored head to toe because it would hinder movement too much, so positioning the armor is crucial. The current suit would likely have 26 pieces of armor.

The program is entertaining the idea of a removable mandible to cover the lower half of the face and is experimenting with ways to protect the entire face.

“The thing we haven’t gotten to yet is transparent ballistic material glass … that is not so thick you get [dizzy] and want to throw up all over the place,” Miller said.

The entire suit will be powered through a system on the back that is currently configured to use commercially available batteries. That method of power is limiting, but at least it’s not a suit that requires being plugged into the wall like experimental robotic suits of the past, Miller noted.

The power will not only control the suit but also a computer that processes a network of communications systems integrated into the helmet that feeds audio and imagery into some kind of head-up display, possibly at cheek-level, Miller said.

Much is left to be contemplated after the first prototype is built, and Miller stressed this is the first of many.

Questions have yet to be answered, such as how the suit could be employed operationally, how to get it to fit a variety of body types and how an operator would quickly get out of the suit if it broke down. Those would likely be answered once the science and technology piece ended and the program moved into an official program of record, according to Miller.”

http://www.defensenews.com/articles/its-getting-real-special-ops-iron-man-suit-takes-shape-amid-leap-ahead-tech-hurdles

Pentagon Contractor Performance Monitoring Lacks Timeliness and Content

“THE PROJECT ON GOVERNMENT OVERSIGHT (POGO)”

“Last week, the Department of Defense (DoD) Inspector General (IG) released a summary of a series of reports assessing how effectively the Pentagon tracks the performance of its contractors.

The DoD measures contractors’ past performance with performance assessment reports, or PARs, evaluations that provide a record—both positive and negative—of performance on a contract during a specific period of time.

The DoD IG audited 18 DoD divisions, including the main service branches—Navy, Air Force, and Army (POGO blogged about the IG’s report on the Army last year)—and the Defense Logistics Agency. The audit reviewed a total of 238 PARs on contracts worth a total of $18 billion.

PARs are compiled in a database called the Contractor Performance Assessment Reporting System (CPARS) and are shared government-wide via the Past Performance Information Retrieval System (PPIRS) database.

PARs are incredibly important because without access to timely, accurate, and complete past performance information, the government risks awarding taxpayer money to non-responsible contractors, which is a violation of the law, or allowing performance deficiencies to fester. The former happened several years ago with the botched rollout of the HealthCare.gov website, a fiasco that might have been avoided had the Centers for Medicare and Medicaid Services more thoroughly researched the performance history of the contractor it put in charge of designing and testing the site. An example of the latter was recently discovered on a US Marshals Service contract to manage the Leavenworth Detention Center in Kansas. The Department of Justice IG found the Marshals Service was not entering past performance evaluations of the contractor into CPARS. As a result, safety and security problems at the maximum-security prison caused by understaffing persisted for almost a year.

The IG found the information reported in CPARS and PPIRS “was not consistently useful” because contracting officials did not always comply with requirements for evaluating contractor performance. Although the IG found DoD agencies are preparing more PARs in a timely manner than ever before (74 percent in fiscal year 2016, almost 20 percentage points higher than the previous year), more than a third of the 238 PARs were still late by an average of 73 days. The agencies seem to have a bigger problem with completeness: 84 percent of the PARs contained performance ratings, written narratives, or contract descriptions that fell short of past performance reporting requirements. For example, officials gave contractors an “exceptional” or “very good” rating for required evaluation factors without adequately explaining why the rating was justified, or sometimes even failed to provide a rating at all.

Finally, we would be remiss if we didn’t use this opportunity to reiterate our call for publicly releasing contractor past performance evaluations. Bits of past performance information occasionally turn up in judicial opinions and bid protest decisions, but the government has long resisted publicly releasing this data on a regular basis in a centralized location. Public availability of contractor past performance records would incentivize responsible business conduct, which would protect the government’s and taxpayers’ interests in the long run.”

http://www.pogo.org/blog/2017/05/watchdog-finds-dod-must-improve-contractor-performance-monitoring.html

Legislation Must Support US Military Reserve Component Personnel

Images:  Army National Guard/Defense News

“DEFENSE NEWS”

“It’s time to be honest about the Guard and the Reserve.

It’s been a long time since serving as a member of the Reserve component, or RC, has truly consisted of one weekend a month and two weeks of training in the summer.

The RC has been a consistent source of boots on the ground in Iraq and Afghanistan, used to ameliorate the operational tempo and strain on the active-duty force. However, rhetoric surrounding the “total force” concept is only now catching up with reality, and there’s a moral imperative for legislation and policy to do the same. Congress should update the Uniformed Services Employment and Reemployment Rights Act, also known as USERRA, to reflect the increased training commitments of today’s force and consider additional tax benefits such as deductions for hiring reservists and tax exemptions for “differential pay.”

The role of the RC has shifted from “a strategic reserve to an operational force.” High-demand Army National Guard units are facing an increase of training days up to 60 a year over the course of four years, while the Air National Guard is trying to negotiate with employers, recognizing that airmen often work 60-80 days a year to meet necessary training demands. As training increases, leaders cite a focus on predictability to try and mitigate the impact on families and employers, yet this may not be enough.

Though the RC is more operational than ever, there has been no legislative action reflecting this change to ensure the men and women serving in the Guard have the necessary legal protections to do so effectively. A recent memo to the Massachusetts National Guard notes: “We will constantly be challenged by operational demand, the urgency of readiness requirements, and the constraint of time as a reserve component of the Army.”

This commitment places both employers and service members alike in a bind. Particularly for small businesses, there can be reticence to employ a person who may be gone for a significant portion of the year, with fears over staying open, the bottom line and the requirement to hold a job even if someone must be replaced due to a deployment. While substantial tax credits exist for employing veterans, it might be prudent to consider similar benefits for employers who endeavor to employ members of the RC. Though USERRA compliance is the law, efforts should be made to reward employers who go above and beyond current requirements.

Current tax credits for employing a veteran range from $1,200 to $9,600 and should be matched for hiring a member of the RC. Additionally, the government should consider providing incentives for employers who enact “differential pay” policies that help offset any salary difference when reservists are activated. This could include making those salaries tax-free or tax-deductible, as many states already do for active-duty military salaries. More than simply incentivizing the employment of our citizen soldiers, this could help further the bond between communities and those who serve, as well as offering additional economic benefits. No one is well-served by small businesses who suffer as a result of USERRA compliance, perhaps even leaving service members without a job to which they can return.

Though initially these efforts may seem costly, it could quickly prove cost-neutral to the government by improving recruiting, retention, and readiness. It’s critical to maintaining the total force that we ensure reservists are able to maintain their civilian careers and that businesses are not jeopardized by hiring reservists.

Just as the demand on the armed forces has continued to increase, so has the strain placed on those who bridge the civil-military divide by blending civilian careers with service to nation. It is incumbent upon both service leadership and Congress to more explicitly acknowledge the shift in mission, and accompany this shift with a broader plan as to how to enable personnel and businesses to continue to bridge this divide.

Members of the reserve component must grapple with the demands of both worlds — bearing the burdens of those who serve while also maintaining a civilian job, often working for employers with little understanding as to the commitments of military service. Congress needs to play its part in supporting reservists by updating USERRA and insisting on compliance.”

http://www.defensenews.com/articles/we-need-legislation-to-cover-the-us-guard-and-reserve-commentary

Special Operations Command Opens Doors for Small Firms

Photo:  USSOCOM

“NATIONAL DEFENSE MAGAZINE”

“Unique technology needs mean more opportunities for small businesses and startups to get their foot in the door with SOCOM, program managers have said.

The command has become known as an organization that has come up with some inventive ways to speed up traditional military acquisition regimes.

“I would rather play a lot of blackjack than play roulette,” James “Hondo” Geurts, the chief of Special Operations Command’s acquisition, technology and logistics organization said recently.

The analogy spells out his philosophy when it comes to procuring new technologies special operators need to carry out their unique missions. Small, carefully placed bets on niche technologies have a better payoff, in the long run, than spending a lot of funding on any one big program, he said at this year’s National Defense Industrial Association’s Special Operations/Low Intensity Conflict conference.

He wants to fund the technologies “that will transition quickly, then keep moving on,” he said.

“Things are changing so fast we don’t have three years to figure out what we want to do to support an operation. I’m happy if I have three months to figure out some of these things,” he said.

“We want new voices and new ideas,” Geurts said.

One practice SOCOM uses to acquire and discover new technologies is “technical experimentation” venues.

It invites technology developers to bring their works in progress to a hosted event three to four times per year. Each event has a specific theme. Special operators with experience in the field are on hand to assess the technology and provide feedback, which helps them to improve their products, said Kelly Stratton-Feix, director of acquisition agility at special operations forces’ acquisition, technology and logistics office. 

A request for information is posted through FedBizOpps, and advertised on LinkedIn and Facebook pages. Technology providers reply with a white paper, which is then reviewed by users such as components, theater commands and program offices. The users identify the experiments that they are interested in seeing, and the technology provider then receives an invitation to participate, she said. 

Technical experimentations “provide a win-win environment because technology providers can get insight into what’s important to the user early in the development cycle and we get to see technology early on, and often identify additional use-cases that haven’t been considered by the developer,” said Stratton-Feix. 

For those who cannot make it to one of these events, the command launched a web-based technology repository/scouting platform called “Vulcan.”  

This tool, which is searchable and accessible to any government employee, enables technology providers to quickly describe technologies they are offering and to upload supporting documentation to a secure, shared, searchable central database, Stratton-Feix said.

A registered Vulcan user who sees an interesting technology can issue a one-time use “token” to the technology provider who can then upload a scout card containing further information about the product.

“Vulcan is a work in progress,” she said. There are currently more than 1,500 scout cards loaded, with more than 700 registered government users, she added.

There are two other means to initiate contact with SOCOM.

One is the director of small business who provides guidance and information to industry and commercial partners on how to get their foot in the door with the command.

“This office should be one of a small business’ first contacts when initiating communication with USSOCOM,” Stratton-Feix recommended.

The technology and industry liaison office is another conduit to present information on capabilities to the various PEOs, directorates and others responsible for the research and development, acquisition, production and sustainment of materiel and technology platforms. It has a web portal where ideas can be submitted.  

Another high-profile effort to reach out to the larger technology community is SOFWERX, an unclassified, open collaboration facility designed to bring non-traditional partners from industry, academia and the government together to work on the command’s most challenging problems.    

The building located in Tampa’s historic Ybor City district was intentionally chosen so those wanting to collaborate with SOCOM didn’t need to go through onerous security checkpoints at nearby MacDill Air Force Base, Florida, where SOCOM headquarters is found.  

The facility, and a nearby workshop known as DirtyWerx, conduct design thinking sessions, technology sprints, rapid prototyping and other events with government, academia and innovators in the commercial marketplace. It is also the central node in the command’s efforts to push advanced manufacturing and 3D printing technology to operational units, Stratton-Feix said.

Geurts warned that SOFWERX is not intended to be a “bypass” facility to get around traditional ways for the command to acquire technology. It is intended to be “way left” of that process, he said.

Along with these facilities, events and web portals, SOCOM employs some contract vehicles to speed up the traditional acquisition process, which is normally subject to the time-consuming Federal Acquisition Regulation regime.  

“Velocity is our competitive advantage,” Geurts said. “That is what we bring to the fight,” he added, speaking of the command’s acquisition enterprise.

He returned to the roulette analogy. The four services spend a lot of time writing requirements then they “throw the ball on the wheel and let it ride.”

Cooperative research and development agreements (CRADA) have been used by the military to provide some seed money to potential vendors and kick start technology development.

The command established ways to make that process even more streamlined by creating an “Overarching CRADA,” which has already been signed by Geurts. If firms find the CRADA acceptable they simply add their corporate information and sign the document.

“This process now allows for [Overarching CRADAs] to be established in weeks to months compared to the year-long traditional process,” Stratton-Feix said. 

In addition, CRADA partners can now enter in individual work plans with any of the command’s program executive offices or directorates. There are currently 156 CRADAs and 10 active individual work plans with several more in the works, the command said.

SOCOM must comply with the same statutory and regulatory measures required of the military departments. However, the SOF AT&L team “aggressively utilizes the inherent freedom and flexibility of the DoD 5000 series of directives and instructions by streamlining processes and tailoring documentation in developing and managing SOF-peculiar programs,” said Stratton-Feix.

That directive includes such vehicles as “urgent operational needs” and “immediate war fighter needs,” which allow for more rapid technology acquisition, as long as solutions are not developmental and can be acquired off the shelf with few changes.

Other transaction authorities, or OTAs, allow in certain circumstances for program managers to go outside traditional contracts to rapidly acquire prototypes and forgo FAR requirements as long as the agreement is with a “nontraditional defense contractor” and there is some cost-sharing, as the regulations stated.   

“Non-FAR contracts are a great device but not a panacea,” Geurts said.

Geurts wants small businesses and startups to use these various portals to kick off the process of putting their ideas and products in front of SOCOM. 

He meets regularly with vendors, but “don’t come selling me a widget,” he warned. He wants to hear from potential suppliers when they are having a hard time with the process, or if they have ideas on how the command can be a better customer.

“What keeps me up at night is somebody has an idea that can’t get to me,” he said.”

http://www.nationaldefensemagazine.org/articles/2017/4/20/special-operations-command-opens-doors-for-small-firms

 

General Services Administration Readies $300 to $5,000 “Bug Bounty” Program


Photo Credit: Nguyen Hung Vu via Flickr

“FIFTH DOMAIN CYBER”

“The GSA’s bug bounty platform would represent the first use of an ethical hacking program by a civilian agency in the federal government.

Bug bounty programs have been gaining steam in the federal government after the Department of Defense’s successful “Hack the Pentagon” and “Hack the Army” exercises in 2016.

The General Services Administration’s innovation arm, 18F, said the agency was edging closer to standing up its own bug bounty program after tapping a new provider for its reporting platform.

18F officials said in a May 11 blog post that GSA’s Technology Transformation Service had tapped HackerOne to provide its Software-as-a-Service bug-reporting platform.

The San Francisco-based company offers vulnerability coordination and platform services that reward ethical hackers for locating and reporting network security vulnerabilities.

GSA issued a solicitation for a bug bounty platform in January, calling for a SaaS to “allow TTS to manage and track issues across multiple public web applications, triage services for those reported vulnerabilities, disburse rewards for effective vulnerabilities and explain the reasons behind rejections,” and provide vulnerability, impact and monthly report services.

18F officials said that HackerOne would help set up bounties on “several TTS public-facing web applications” through its platform and will assess validity of the bug submissions.

The SaaS provider will then forward the reports to active TTS components to correct the issues, and the bug hunters will receive payouts running between $300 and $5,000.

Once the platform is in place, officials said, TTS would look to extend it to most of its component websites and applications.”

http://fifthdomain.com/2017/05/12/gsa-readies-the-first-civilian-bug-bounty-program-with-new-platform/

 

Navigating Defense Department Cyber Rules


“NATIONAL DEFENSE MAGAZINE”

“Defense contractors by Dec. 31 are expected to provide “adequate security” to protect “covered defense information” using cyber safeguards.

Thousands of companies who sell directly to the Defense Department, and thousands more who sell to its suppliers, are or will be, subject to the rule.

This obligation arises from a Defense Acquisition Regulation System Supplement clause, “Network Penetration Reporting and Contracting For Cloud Services,” that was finalized last October and described in the National Institute of Standards and Technology (NIST) Special Publication 800-171.

The Pentagon is well-justified to seek improved cyber protection of sensitive but unclassified technical information. Hackers have exploited network vulnerabilities in the defense supply chain for the unauthorized exfiltration of valuable and sensitive defense information. Senior defense officials have expressed alarm at this persistent and pervasive economic espionage. 

Since 2013, the Defense Department has used acquisition regulations to protect controlled technical information significant to military or space. Other forms of information may not have direct military or space significance, but loss of confidentiality through a cyber breach can produce serious, even grave national injury. 

The Defense Department is the leader among federal agencies in using its contractual power to cause its vendors to improve their cybersecurity. The principal instruments are two contract clauses, DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” and DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Both were the subject of final rulemaking released Oct. 21.

Where the -7008 “compliance” clause is included in a solicitation, the offeror commits to implement the SP 800-171 safeguards by the end of this year. Defense Department contracts will include the -7012 “safeguards” clause, which defines the types of information that must be protected, informs contractors of their obligation to deliver “adequate security” using SP 800-171 controls, and obligates reporting to the department of cyber incidents.  

Every responsible defense supplier supports the objectives of these cyber DFARS rules. But the requirements are complex and are not currently well-understood. Outside of a few of the largest, dedicated military suppliers, many companies in the defense supply chain view these rules with a mix of doubt, concern and alarm. This recipe serves neither the interests of the Defense Department nor its industrial base.

A technology trade association, the IT Alliance for Public Sector, released a white paper that examines the Defense Acquisition Regulation System Supplement and other federal initiatives to protect controlled unclassified information. The goal was to assist both government and industry to find effective, practical and affordable means to implement the new cyber requirements. The paper examines these five areas: designation, scope, methods, adoption and compliance.

As for designation, the department should accept that it is responsible to identify and designate the covered defense information that contractors are obliged to protect. It should confirm that contractors only have to protect information that it has designated as covered, and that such obligations are only prospective — newly received information — and not retrospective.

In regards to “scope,” the Defense Department should revise the rule to clarify that contractors must protect information that it has identified as covered and provided to the contractor in the course of performance of a contract that is subject to the rule. The definition of “covered defense information” should be revised to remove confusing language that can be interpreted to require protection of “background” business information and other data that has only a remote nexus to a Defense Department contract.

The October 2016 revision now allows defense contractors to use external cloud service providers, where covered information is involved, only if those vendors meet the security requirements of FedRAMP Moderate “or equivalent.” The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

The regulation fails to explain what is meant by “or equivalent” and who decides. The Defense Department needs to explain what it expects from cloud services to satisfy SP 800-171 and the DFARS rules. A security overlay should be prepared by NIST to add cloud-specific controls. But it is unnecessary to impose the whole of the FedRAMP process and federal-specific controls on commercial cloud providers.

The Defense Department continues to depend on small business for many needs, and seeks their innovative ideas. The supplements are an obstacle and burden on smaller businesses, and yet security is just as important at the lower levels of the supply chain as at the top. The department can improve the ability of small business to implement the required security controls. Several specific recommendations are made as to how it can reach and assist the small business community. One recommendation is to make increased use of the NIST voluntary cybersecurity framework.

As far as compliance, contractors are required to represent that they will deliver “adequate security” and fully implement the SP 800-171 controls by the year-end deadline. The Defense Department needs to better inform its contractors how they can be confident their security measures will satisfy the requirements should they come under scrutiny following a cyber incident. The white paper explores different ways to create a safe harbor for compliance. A key component is contractor documentation of a system security plan, which was added as a 110th requirement to SP 800-171.        

The White Paper is available here. The Defense Department is hosting an industry day on the cyber DFARS, June 23 at the Mark Center in Alexandria, Virginia. Information and registration details available here. ”     

http://www.nationaldefensemagazine.org/articles/2017/4/21/navigating-defense-department-cyber-rules

4 Ways to Protect Against the Very Real Threat of Ransomware


“Getty Images”

“WIRED”

“You’re still largely on your own when it comes to fighting ransomware attacks, which hackers use to encrypt your computer or critical files until you pay a ransom to unlock them.

Ransomware is a multi-million-dollar crime operation that strikes everyone from hospitals to police departments to online casinos.

It’s such a profitable scheme that experts say traditional cyberthieves are abandoning their old ways of making money—stealing credit card numbers and bank account credentials—in favor of ransomware.

You could choose to cave and pay, as many victims do. Last year, for example, the FBI says victims who reported attacks to the Bureau enriched cyber extortionists’ coffers by $24 million. But even if you’ve backed up your data in a safe place and choose not to pay the ransom, this doesn’t mean an attack won’t cost you. Victims of the CryptoWall ransomware, for example, have suffered an estimated $325 million in damages since that strain of ransomware was discovered in January 2015, according to the Cyber Threat Alliance (.pdf). The damages include the cost of disinfecting machines and restoring backup data—which can take days or weeks depending on the organization.

But don’t fear—you aren’t totally at the mercy of hackers. If you’re at risk for a ransomware attack, there are simple steps you can take to protect yourself and your business. Here’s what you should do.

First of All, Who Are Ransomware’s Prime Targets?

Any company or organization that depends on daily access to critical data—and can’t afford to lose access to it during the time it would take to respond to an attack—should be most worried about ransomware. That means banks, hospitals, Congress, police departments, and airlines and airports should all be on guard. But any large corporation or government agency is also at risk, including critical infrastructure, to a degree. Ransomware, for example, could affect the Windows systems that power and water plants use to monitor and configure operations, says Robert M. Lee, CEO at critical infrastructure security firm Dragos Security. The slightly relieving news is that ransomware, or at least the variants we know about to date, wouldn’t be able to infect the industrial control systems that actually run critical operations.

“Just because the Windows systems are gone, doesn’t mean the power just goes down,” he told WIRED. “[But] it could lock out operators from viewing or controlling the process.” In some industries that are heavily regulated, such as the nuclear power industry, this is enough to send a plant into automated shutdown, as regulations require when workers lose sight of operations.

Individual users are also at risk of ransomware attacks against home computers, and some of the suggestions below will apply to you as well, if you’re in that category.

1. Back Up, as Big Sean Says

The best defense against ransomware is to outwit attackers by not being vulnerable to their threats in the first place. This means backing up important data daily, so that even if your computers and servers get locked, you won’t be forced to pay to see your data again.

“More than 5,000 customers have called us for help with ransomware attacks in the last 12 months,” says Chris Doggett, senior vice president at Carbonite, which provides cloud backup services for individuals and small businesses. One health care customer lost access to 14 years of files, he says, and a community organization lost access to 170,000 files in an attack, but both had backed up their data to the cloud so they didn’t have to pay a ransom.

Some ransomware attackers search out backup systems to encrypt and lock, too, by first gaining entry to desktop systems and then manually working their way through a network to get to servers. So if you don’t back up to the cloud and instead backup to a local storage device or server, these should be offline and not directly connected to desktop systems where the ransomware or attacker can reach them.

“A lot of people store their documents in network shares,” says Anup Ghosh, CEO of security firm Invincea. “But network shares are as at risk as your desktop system in a ransomware infection. If the backups are done offline, and the backup is not reachable from the machine that is infected, then you’re fine.”

The same is true if you do your own machine backups with an external hard drive. Those drives should only be connected to a machine when doing backups, then disconnected. “If your backup drive is connected to the device at the time the ransomware runs, then it would also get encrypted,” he notes.

Backups won’t necessarily make a ransomware attack painless, however, since it can take a week or more to restore data, during which business operations may be impaired or halted.

“We’ve seen hospitals elect to pay the ransom because lives are on the line and presumably the downtime that was associated, even if they had the ability to recover, was not considered acceptable,” says Doggett.
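The two failure modes above, a backup that stays reachable from the infected machine and a restore that nobody has checked is still intact, can both be caught with a per-file hash manifest whose own hash is kept somewhere the backup host cannot write. The following is an added example and is not code from the WIRED article or from Carbonite or Invincea; every path and file content is constructed for the demo, and the "ransomware" is a fixed-byte XOR so that the damage is visible without a real cipher.

```python
"""Added example (not from the article): backup manifest + verification.

A copy that the workstation can still reach ("mounted") is overwritten along
with the live data; the copy taken offline after the backup is not. The
manifest hash returned by make_backup is meant to be stored off-host, because
an attacker who can rewrite the backup can rewrite a manifest stored beside it.
All files below are constructed for the demo; the XOR stands in for real
encryption only so the effect is easy to see.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 (large backups need not fit in memory)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy source to dest, write a manifest, return the manifest's own hash."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(source, dest)
    manifest = {str(p.relative_to(dest)): sha256_of(p)
                for p in dest.rglob("*") if p.is_file()}
    raw = json.dumps(manifest, sort_keys=True).encode()
    (dest / MANIFEST_NAME).write_bytes(raw)
    return {"files": len(manifest),
            "manifest_sha256": hashlib.sha256(raw).hexdigest()}


def verify_backup(dest: Path, expected_manifest_sha256: str) -> dict:
    """Report ok / modified / missing / unexpected files against the manifest.

    If the manifest no longer hashes to the independently stored value it is
    untrusted and nothing is checked against it.
    """
    result = {"manifest_trusted": False, "ok": [], "modified": [],
              "missing": [], "unexpected": []}
    manifest_path = dest / MANIFEST_NAME
    if not manifest_path.exists():
        return result
    raw = manifest_path.read_bytes()
    if hashlib.sha256(raw).hexdigest() != expected_manifest_sha256:
        return result
    result["manifest_trusted"] = True
    manifest = json.loads(raw)
    present = {str(p.relative_to(dest)) for p in dest.rglob("*") if p.is_file()}
    present.discard(MANIFEST_NAME)
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.exists():
            result["missing"].append(rel)
        elif sha256_of(p) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(present - set(manifest))  # e.g. a ransom note
    return result


def simulate_ransomware(reachable_roots) -> int:
    """Overwrite every file the payload can see and drop a note (demo only)."""
    touched = 0
    for root in reachable_roots:
        for p in list(Path(root).rglob("*")):
            if p.is_file():
                p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
                touched += 1
        (Path(root) / "README_DECRYPT.txt").write_text("pay up")
    return touched


def demo() -> dict:
    """Same data backed up twice: one copy left mounted, one taken offline."""
    work = Path(tempfile.mkdtemp())
    data = work / "documents"
    (data / "notes").mkdir(parents=True)
    (data / "q1.xlsx").write_bytes(b"constructed spreadsheet bytes")
    (data / "notes" / "a.txt").write_bytes(b"constructed note")
    mounted = work / "backup_mounted"   # still reachable from the workstation
    offline = work / "backup_offline"   # unplugged once the copy finished
    meta_mounted = make_backup(data, mounted)
    meta_offline = make_backup(data, offline)
    simulate_ransomware([data, mounted])  # the payload cannot see `offline`
    report = {"mounted": verify_backup(mounted, meta_mounted["manifest_sha256"]),
              "offline": verify_backup(offline, meta_offline["manifest_sha256"])}
    shutil.rmtree(work)
    return report
```

Running `demo()` reports the offline copy as fully intact and the mounted copy as untrusted: its manifest was overwritten together with the files it described, which is exactly why the manifest hash has to live somewhere the compromised host cannot write. The same check is what you run against a backup before starting a week-long restore.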

2. Just Say No—To Suspicious Emails and Links

The primary method of infecting victims with ransomware involves every hacker’s favorite bait—the “spray-‘n’-pray” phishing attack, which involves spamming you with emails that carry a malicious attachment or instruct you to click on a URL where malware surreptitiously crawls into your machine. The recent ransomware attacks targeting Congressional members prompted the House IT staff to temporarily block access to Yahoo email accounts, which apparently were the accounts the attackers were phishing.

But ransomware hackers have also adopted another highly successful method—malvertising—which involves compromising an advertiser’s network by embedding malware in ads that get delivered through web sites you know and trust, such as the malvertising attacks that recently struck the New York Times and BBC. Ad blockers are one way to block malicious ads; patching known browser security holes will also thwart some malvertising.

When it comes to phishing attacks, experts are divided about the effectiveness of user training to educate workers on how to spot such attacks and right-click on email attachments to scan them for malware before opening. But with good training, “you can actually truly get a dramatic decrease in click-happy employees,” says Stu Sjouwerman, CEO of KnowBe4, which does security awareness training for companies. “You send them frequent simulated phishing attacks, and it starts to become a game. You make it part of your culture and if you, once a month, send a simulated attack, that will get people on their toes.” He says with awareness training he’s seen the number of workers clicking on phishing attacks drop from 15.9 percent to just 1.2 percent in some companies.

Doggett agrees that user training has a role to play in stopping ransomware.

“I see far too many people who don’t know the security 101 basics or simply don’t choose to follow them,” says Doggett. “So the IT department or security folks have a very significant role to play [to educate users].”

3. Patch and Block

But users should never be considered the stop-gap for infections, Ghosh says. “Users will open attachments, they will visit sites that are infected, and when that happens, you just need to make sure that your security technology protects you,” he says.

His stance isn’t surprising, since his company sells an end-point security product designed to protect desktop systems from infection. The product, called X, uses deep learning to detect ransomware and other malware, and Ghosh says a recent test of his product blocked 100 percent of attacks from 64 malicious web sites.

But no security product is infallible—otherwise individuals and businesses wouldn’t be getting hit with so much ransomware and other malware these days. That’s why companies should take other standard security measures to protect themselves, such as patching software security holes to prevent malicious software from exploiting them to infect systems.

“In web attacks, they’re exploiting vulnerabilities in your third-party plug-ins—Java and Flash—so obviously keeping those up to date is helpful,” Ghosh says.

Whitelisting software applications running on machines is another way Sjouwerman says you can resist attacks, since the lists won’t let your computer install anything that’s not already approved. Administrators first scan a machine to note the legitimate applications running on it, then configure it to prevent any other executable files from running or installing.
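The baseline-then-block approach described above is only as good as what the allowlist is keyed on: a list of approved file names or paths is defeated by dropping a payload under an approved name, so practical allowlisting keys on the hash of the bytes that would execute. The following is an added example, not code from the article or from KnowBe4; the directories and "programs" are constructed for the demo, and finding candidates by the executable bit assumes a POSIX filesystem.

```python
"""Added example (not from the article): hash-keyed application allowlist.

Scan a clean machine once to build {sha256: path} for every executable, then
default-deny anything whose content hash is not in that baseline. The
baseline itself must be stored off-host or read-only; a baseline the malware
can edit is a baseline it will add itself to. Everything here is constructed
for the demo.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots) -> dict:
    """Hash every executable file under roots: {sha256: first path seen}."""
    baseline = {}
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.is_file() and os.access(p, os.X_OK):
                baseline.setdefault(sha256_of(p), str(p))
    return baseline


def is_allowed(path: Path, baseline: dict) -> tuple:
    """Default deny: permit execution only if the content hash is baselined."""
    digest = sha256_of(path)
    if digest in baseline:
        return True, "matches baseline entry " + baseline[digest]
    return False, "not in baseline; blocked"


def demo() -> dict:
    work = Path(tempfile.mkdtemp())
    approved = work / "approved_bin"
    downloads = work / "downloads"
    approved.mkdir()
    downloads.mkdir()

    tool = approved / "report_tool"
    tool.write_bytes(b"#!/bin/sh\necho constructed approved program\n")
    tool.chmod(0o755)
    baseline = build_baseline([approved])

    # Same bytes under a new name and location: allowed, content matches.
    renamed = downloads / "invoice_viewer"
    renamed.write_bytes(tool.read_bytes())
    # Same name as the approved tool but different bytes: blocked.
    lookalike = downloads / "report_tool"
    lookalike.write_bytes(b"#!/bin/sh\necho constructed unknown program\n")

    verdicts = {
        "approved_in_place": is_allowed(tool, baseline)[0],
        "renamed_copy": is_allowed(renamed, baseline)[0],
        "name_collision": is_allowed(lookalike, baseline)[0],
    }
    # The approved binary is modified in place (a trojanized update, say):
    # the path is unchanged but the hash is not, so it is blocked as well.
    tool.write_bytes(tool.read_bytes() + b"echo injected\n")
    verdicts["modified_in_place"] = is_allowed(tool, baseline)[0]
    shutil.rmtree(work)
    return verdicts
```

The verdicts show the property that matters: the decision follows the content, not the name, so a renamed approved binary still runs, while a payload dropped under an approved name or an approved binary altered in place does not. In production the enforcement point is the operating system (Windows AppLocker or Windows Defender Application Control, fapolicyd on Linux) rather than a script, but the baseline and the hash-keyed policy are built the same way.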

Other methods network administrators can use include limiting systems’ permissions to prevent malware from installing on systems without an administrator’s password. Administrators can also segment access to critical data using redundant servers. Rather than letting thousands of employees access files on a single server, they can break employees into smaller groups, so that if one server gets locked by ransomware, it won’t affect everyone. This tactic also forces attackers to locate and lock down more servers to make their assault effective.

4. Got an Infection? Disconnect

When MedStar Health got hit with ransomware earlier this year, administrators immediately shut down most of the organization’s network operations to prevent the infection from spreading. Sjouwerman, whose firm distributes a 20-page “hostage manual” (.pdf) on how to prevent and respond to ransomware, says that not only should administrators disconnect infected systems from the corporate network, they should also disable Wi-Fi and Bluetooth on machines to prevent the malware from spreading to other machines via those methods.

After that, victims should determine what strain of ransomware infected them. If it’s a known variant, anti-virus companies like Kaspersky Lab may have decryptors to help unlock files or bypass the lock without paying a ransom, depending on the quality of encryption method the attackers used.

But if you haven’t backed up your data and can’t find a method to get around the encryption, your only option to get access to your data is to pay the ransom. Although the FBI recommends not paying, Ghosh says he understands the impulse.

“In traditional hacks, there is no pain for the user, and people move on,” he says. But ransomware can immediately bring business operations to a halt. And in the case of individual victims who can’t access family photos and other personal files when home systems get hit, “the pain involved with that is so off the charts…. As security people, it’s easy to say no [to paying]. Why would you feed the engine that’s going to drive more ransomware attacks? But … it’s kind of hard to tell someone don’t pay the money, because you’re not in their shoes.”

https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/

 

Why do some companies not want to expand?


My answer to Why do some companies not want to expand?

Answer by Ken Larson:

Limiting growth in certain specific stable niches has its advantages. The founders can retain control and still experience solid income without the expense of more people, space and marketing.

For instance, staying within the small business size limit for certain industries allows a 10-year government contract set-aside potential for minority-owned, veteran-owned, woman-owned and HUBZone-located businesses. The programs allow establishing a past performance record, a stable work force and similar traits before competing in the open market and substantially expanding to a larger enterprise.

FEDERAL GOVERNMENT CONTRACTING SMALL BUSINESS SET ASIDE DESIGNATIONS
