Category Archives: Computer Security

CARES Act Delivery Hampered By Old Tech, Bad Data

Image: FCW

FCW

Aspects of the federal government’s economic response to the coronavirus pandemic were marred by outdated state technology software and a crushing volume of beneficiaries that overwhelmed many systems, according to a new report from the watchdog Government Accountability Office.

_____________________________________________________________________________

“Federal officials said “the ability to easily modify data systems to incorporate new flexibilities varies among state and local agencies,” leading to numerous delays and interoperability challenges across multiple recovery programs related to the Coronavirus Aid, Relief, and Economic Security Act passed in March.

Agencies like Health and Human Services reported that states had to coordinate across different data systems to serve existing beneficiaries as well as a surge of new applicants for programs like Electronic Benefit Transfer and Supplemental Nutrition Assistance Program payments. Meanwhile, uneven technological sophistication across different states made remote collaboration in the wake of the pandemic challenging while coordinating payments for the Women, Infants and Children (WIC) program.

According to Department of Labor officials, many states processing unemployment claims were using “information technology systems that date as far back as the 1970s” and crashed under the load of newly laid off workers filing for benefits. The department has provided federal grants, technical assistance and guidance to help modernize those systems, but “relatively few” states conducted adequate load-testing to handle the volume of claims they have received since March.

These systems were already straining, with federal and state governments overseeing more than $2.7 billion in improper unemployment payments in 2019, and overseers worry the numbers will look even worse this year as the government has rushed to respond to the economic fallout of the virus.

“DOL’s experience with temporary UI programs following natural disasters suggests there may be an increased risk of improper payments associated with CARES Act UI programs,” auditors wrote.

A rushed response also led the IRS to send more than a million stimulus checks to citizens who were deceased. As FCW has reported, the agency emphasized speed to get relief dollars into the hands of Americans as soon as possible, leading to processing errors and opening the door to potential fraud. Auditors suggest that implementing 2018 recommendations to align their authentication practices with NIST cybersecurity guidance and making better use of death data housed at the Department of Treasury and other agencies could address the problem.

Auditors noted that “IRS has full access to the death data maintained by the Social Security Administration…but Treasury and its Bureau of the Fiscal Service, which distribute the payments, do not.”

In a response attached to the audit, IRS Chief Risk Officer Tom Brandt said employees worked “around the clock since mid-March to develop new tools and new guidance” to handle economic impact payments but that “our work is not done yet” and the agency will consider the GAO’s recommendations further.

Information technology challenges and delays also reportedly hampered efforts by the Small Business Administration to process economic injury disaster loans, though details are scarce. The report paints a portrait of a disorganized agency that was at times unresponsive to oversight. While auditors asked to meet with agency officials on April 13 to get more detailed information on individual loan data and other aspects of the response, SBA didn’t agree to a meeting until June 1 and provided “primarily publicly available information in response to our inquiries” about loan data.

In a statement, House Oversight and Government Reform Chairwoman Rep. Carolyn Maloney (D-N.Y.) said the report “provides a comprehensive and independent look at the Trump administration’s incompetent and dangerous response to the coronavirus pandemic” and pressed for more information on IRS stimulus payments to dead Americans. She also called on SBA to address transparency concerns about its loan program “immediately.”

SBA responded to a draft version of the report disputing GAO’s claims, saying they offered staff for interviews and provided 420 pages, including “information on loan numbers and loan volume, the number and type of lenders participating in [the Paycheck Protection Program], loan numbers and loan volume for each type of lender, loan numbers and volume by industry and state” and other figures.

“To be clear, SBA has never refused to provide data to GAO,” wrote William Manger, Chief of Staff for Administrator Jovita Carranza.

Federal agencies were of course not immune from technological troubles, and the audit suggests modernization efforts at the IRS, the Department of Housing and Urban Development and other agencies can better position them to process funds related to the CARES Act.

The report also posits that agencies could make better use of a number of existing contracting authorities and programs, including contracts that allow work to begin before a final agreement is reached, Other Transaction Authority (OTA) that sidestep certain federal regulations to prototype new technologies and higher spending thresholds for emergency purchases.

GAO is currently working on separate reports examining how agencies planned and managed contracts related to the pandemic, reimbursement policies for contractors who performed emergency work and the use of the Defense Production Act.”

Five Regulatory Changes For Government Contractors to Watch

Image: Mastercontrol.com

“WASHINGTON TECHNOLOGY”

______________________________________________________________________________

“In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government.

Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services to the USG. As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.

Section 889 of the Fiscal Year 2019 National Defense Authorization Act

As many USG contractors are now painfully aware, Section 889 of the Fiscal Year 2019 National Defense Authorization Act establishes two constraints on telecommunications supply chains. Subsection 889(a)(1)(A), effective as of August 13, 2019, prohibits USG agencies from acquiring certain telecommunications equipment or services from Huawei, ZTE, Hytera Communications Corporation, Hikvision, or Dahua, or any of their subsidiaries or affiliates.

Section 889(a)(1)(B), effective August 13, 2020, prohibits USG agencies from “enter[ing] into a contract (or extend[ing] or renew[ing] a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” As drafted, the statute is broad enough to apply in cases where a company uses such equipment or services solely in connection with its commercial sales outside of work the company does for the USG.

The interim rule for Section 889(a)(1)(A) was released last August and opened for comment. The FAR Council has indicated that it will provide feedback to those comments when it issues the proposed regulations for Section 889(a)(1)(B), which have not yet been released. This means that key terms, such as “entity” and “use,” remain undefined. Accordingly, contractors, especially those with a mix of commercial and government business, must take educated guesses in preparing compliance programs to begin to address these requirements.

SECURE Technology Act

On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act. The Act establishes the Federal Acquisition Security Council, which is charged with building greater cybersecurity resilience into federal procurement and acquisition rules.

The Act also gives the Secretary of the Department of Homeland Security, the Secretary of Defense, and the Director of National Intelligence the authority to issue exclusion and removal orders for information technology products and/or companies that supply such products if the FASC determines that they represent a risk to the USG’s supply chain. The Act also permits federal agencies to exclude companies or products they deem to pose a supply chain risk from individual procurements.

Recent reports indicate that the FASC is nearing completion of a final interim rule that would specify the exclusion criteria and detail the appeal process from an exclusion order. Although the Department of Defense and the Intelligence Community currently have the authority to exclude products in certain instances, this interim rule would apply government wide. Still to be seen is whether the exclusion determinations will be publicly available.

Cybersecurity Maturity Model Certification

On January 31, 2020, DoD released Version 1.0 (since updated to Version 1.02) of its Cybersecurity Maturity Model Certification. CMMC is DoD’s upcoming framework for managing cybersecurity risks in the Defense supply chain. Under the current paradigm, contractors that handle “Covered Defense Information” must self-attest to providing “adequate security” to protect that information, but are allowed to work toward implementing 110 NIST SP 800-171 security controls over time so long as the plans for doing so are appropriately documented.

Not only does the new CMMC add additional security controls (depending on the level of sensitivity assigned to the procurement), contractors must be in full compliance with each control at the time that contract performance begins. Most importantly, contractors will no longer be able to self-certify compliance. Instead, compliance with a particular CMMC level must be externally validated by trained auditors.

DoD is in the process of promulgating an update to the current Defense Federal Acquisition Regulation Supplement cybersecurity clause to account for the shift to CMMC requirements and is planning on choosing a subset of procurements where CMMC can be applied by the end of this year. DoD’s goal is to fully implement CMMC certification requirements in all DoD awards by Fiscal Year 2026. DoD has indicated, however, that COVID-19 could delay release of the DFARS clause.

Executive Order on Securing the ICTS Supply Chain

On May 15, 2019, the President issued an EO declaring a national emergency with respect to threats against ICTS in the United States. The EO authorizes the Secretary of Commerce to prohibit, block, unwind, or mitigate any transaction involving ICTS that is “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” Reviews of transactions will be conducted on a case-by-case basis.

Commerce received comments on a November 2019 proposed rule in January 2020. There has been no known use of the authority during the rulemaking process and an update is expected from Commerce soon.

Sections 1654 and 1655 of the Fiscal Year 2019 National Defense Authorization Act

Sections 1654 and 1655 of the FY19 NDAA generally require contractors to disclose whether they have allowed within the last five years a foreign government that poses a cybersecurity risk to USG defense and national security systems and infrastructure (or for non-commercial items, any foreign government) to review the source code of any product, system, or service that DoD is using or intends to use.

The law also requires contractors to disclose whether they are under an agreement to allow a foreign government or a foreign person to review the source code of a product, system, or service that DoD is using or intends to use. DoD will be able to condition contract awards on contractors’ mitigation of any risks that DoD identifies because of the foreign source code review.

The DFARS regulatory implementation of this requirement is currently on hold “pending resolution of technical issues,” and specific countries of concern have not been publicly identified, but regulations are still expected within the next year.”

https://washingtontechnology.com/articles/2020/06/26/insights-covington-regulatory-changes.aspx

Ways To Solve The Cyber Talent Gap

Image: Itproportal

FCW

The two biggest impediments hindering the federal government’s cyber recruiting efforts are money and the lengthy hiring process that consumes most federal agencies.

Declining budgets and a lack of career development programs are contributing factors for rising turnover rates among federal IT contractors.

______________________________________________________________________________

“Federal agencies and Congress have increasingly looked to bug bounty programs to find and stamp out cybersecurity vulnerabilities in their software. A new survey of nearly 3,500 security researchers who use Bugcrowd’s platform offers a glimpse into the backgrounds and motivations of a highly coveted pool of emerging cyber talent that both government and industry are desperate to recruit.

More than half of those surveyed live in urban environments, and three out of four speak multiple languages. Despite efforts within the information security community in recent years to improve diversity, the average age of those who participated in the survey skewed overwhelmingly young and male.

According to the survey, higher education is an important feature for many security researchers and their families. They’re most likely to have obtained a college degree (49%), have parents who have done the same (36%) and are three times less likely to drop out than their parents. The survey data “suggests most security researchers are degree-qualified because they come from educated families that value the acquisition of worldly knowledge, skills, values, beliefs and habits.”

While the size of the average American household has been in decline for decades, nearly half (48%) of respondents come from large families with between 4-12 members. Even with more mouths to feed, 64% reported pulling down a median annual income of just $25,000 or less, though many also say they only chase bug bounties on a part-time basis. Perhaps not surprisingly, making money was cited as the most important issue, followed by flexible hours and improved skills.

The report predicts that over the next six months, cybercriminals will exploit the widespread shift to remote telework in the wake of the COVID-19 pandemic, increasingly targeting vulnerable infrastructure through expanded reconnaissance activities and asset discovery. That in turn will lead to organizations boosting their reliance on white hat hackers over the next year as they race to identify and fix hidden software vulnerabilities.

The pandemic “has demystified many of the perceived differences between employees working remotely and security researchers,” and emerging technologies such as machine learning are not yet mature enough to meet the increased demand.

“This gap between automation and human adversarial creativity suggests organizations will increasingly seek to augment their human expertise in securing their assets via crowdsourcing, the most efficient and practical approach to finding available talent,” the company forecasts.

John Zangardi, former CIO at the Departments of Defense and Homeland Security, told FCW in an interview that in his experience, the two biggest impediments hindering the federal government’s cyber recruiting efforts are money and the lengthy hiring process that consumes most federal agencies.

While they often cannot compete on pay, one potential advantage for federal agencies could be through supporting the continuing education goals of its IT and cyber employees. A recent study by government contracting intelligence firm Deltek cited declining budgets and a lack of career development programs as a contributing factor for rising turnover rates among federal IT contractors, while a majority of respondents to the Bugcrowd survey say they use the platform for personal development and improving their skills.

Last year the Trump administration issued an executive order creating a new rotational program for federal employees to detail at the Cybersecurity and Infrastructure Security Agency and other agencies to improve their technical skills. CISA has also sought ways to sidestep normal federal hiring procedures to more easily hire information security specialists and pay them more.

Zangardi said during his tenure, cyber retention incentive bonus programs at DHS that provided extra compensation to employees who complete new certifications acted as a partial salve to some of the government’s inherent recruiting challenges. However, he acknowledged that for many positions — particularly highly-skilled ones — individuals can still earn tens of thousands of dollars more per year by doing similar work in the private sector.

“I can’t change the GS federal pay scale, but we can take steps to ensure that we’re giving them what we can,” said Zangardi.”

https://fcw.com/articles/2020/06/23/johnson-cyber-workforce-survey.aspx?oly_enc_id=

DARPA’s First Bug Bounty: Find Vulnerabilities In Hardware-Based Security

“GCN”

DARPA’s first bug bounty program, called the Finding Exploits to Thwart Tampering (FETT) program, will be held in partnership with the Department of Defense’s Defense Digital Service and Synack, a crowdsourcing security company.

__________________________________________________________________________

“The Defense Advanced Research Projects Agency is inviting security researchers to find vulnerabilities in its System Security Integration Through Hardware and Firmware systems.

Launched in 2017, SSITH aims to secure electronic systems with hardware security architectures and tools that protect against common classes of hardware vulnerabilities regularly exploited through software.

Participants will try to penetrate the SSITH hardware security schemes developed by researchers at SRI International, the University of Cambridge, the Massachusetts Institute of Technology, the University of Michigan and Lockheed Martin. Their approaches generally involve providing the hardware with more information about what the attacking software is trying to do so it can become an active participant in its own defense, DARPA officials said. The SSITH development teams are working with Galois, a computer science research and development company, to move the hardware instances to the cloud for the evaluations.

The emulated systems will be running in an Amazon Web Services EC2 F1 cloud. Each emulated system is based on field-programmable gate array semiconductors and includes a RISC-V processor core that has been modified to include the SSITH hardware security.

According to DARPA, each emulated system’s software stack will contain SSITH hardware security protections as well as common vulnerabilities, such as buffer errors, information leakage, resource management and numeric errors. Security researchers will be tasked to devise exploit mechanisms that bypass the hardware security protections.

The FETT challenge is expected to run from July to September 2020.

“There is a lot of complexity associated with hardware architectures, which is why we wanted to provide ample time for interested researchers to understand, explore, and evaluate the SSITH protections,” said Keith Rebello, the DARPA program manager leading SSITH and FETT.

Before security researchers and ethical hackers can join the FETT program as Synack red team members, they must first qualify through a capture-the-flag challenge. After they are approved, participants will see a number of applications using SSITH defenses, including a medical records database system, a password authentication system for PCs and a web-based voter registration system that aims to “protect the underlying voter information from manipulation or disclosure, even in the presence of vulnerabilities in the system’s software,” Rebello said.

More information on FETT can be found here.”

https://gcn.com/articles/2020/06/15/darpa-ssith-bug-bounty.aspx?oly_enc_id=

Cyber Speed Vs. Cyber Security In The Age Of Pandemic

Image: Shaun Gordon, Future Stack

“GCN” BY TONY HUBBARD, DAVE BUCKLEY, KATHY CRUZ

The need for speed may always conflict with concerns about preventing fraud and bolstering security. But one thing is sure: Future systems must be built for resilience, because the next technology upheaval could be right around the corner.

____________________________________________________________________________

“The sudden imperative to move state employees to remote work followed by the unprecedented flow of billions into states’ coffers to pay unemployment benefits has created big headaches for government agencies.

Sophisticated fraudsters have been waiting patiently for just this moment — the convergence of a flood of government funding and new, lax controls to allow money to get to applicants quickly. Armed with personally identifiable information obtained through data breaches and sold on the dark web, these fraudsters have applied for state unemployment compensation under false pretenses, diverting millions of taxpayer dollars and causing havoc for program officials and legitimate applicants. In addition, in states where mobile applications were quickly developed so applicants could apply conveniently via their smart phones, normal controls and processes were not implemented and, in some cases, security was compromised.

The move to remote work also led to some malicious activity as government agencies were forced to rapidly deploy remote-access solutions that were not designed to accommodate a surge of growth. Again, to get the workforce to be productive quickly, some security processes and controls were relaxed or waived.

Obviously, the pandemic forced government to balance the need for quick action against ensuring that security processes were followed and controls put into place. In the battle between speed and security, however, speed often won. Fraudsters, always watching for vulnerability and opportunity, pounced. And they are still pouncing.

In retrospect, better cybersecurity controls could have been baked into payment processes from the beginning. This upfront activity could have largely prevented the incident and response efforts that inevitably occur when security becomes an afterthought. However, hindsight is not helpful now, so what can be done going forward to bolster security and prevent fraud?

Government agencies should examine every key decision since work-from-home orders began. They should conduct risk assessments, understand the threats, vulnerabilities and consequences, and reimagine security tools and processes that should have been built in. Rather than thinking it’s too late and giving up, agencies should re-evaluate remote access and newly implemented collaboration tools, especially those involving third parties. For unemployment claims, agencies should re-examine modified applications and mobile apps to assure security. They must also look into privileged access, which may have changed, and continue to apply risk management concepts.

Above all, agencies must continue to focus on the fundamentals and make them integral to their culture. These include access management (especially for privileged users), training and awareness, consistent software patching, regular antivirus updates and well-tested business continuity and resilience processes.

While these measures can certainly help in the short term, the real solution is longer term.

If the pandemic has taught us anything, it’s the need to be resilient — and that is especially true for government technology systems.

Broadly speaking, what has occurred over the past three months should cause government organizations to think about the next crisis and build systems that can adapt to whatever happens — whether it is a sudden need for remote work solutions, a major program change to respond to an economic collapse or the constant need to stay one step ahead of hackers and fraudsters. In short, agencies must evolve with the environment.

When agencies anticipate disruption, technology transformation projects can be planned with resilience and adaptability in mind. Cloud-based operations must be considered for critical applications because the cloud can provide the agility, efficiency and the elasticity needed during both normal business operations and unpredictable times.”

https://gcn.com/articles/2020/06/18/speed-vs-security.aspx

Networked Customer Experience (CX) Is Converging Public And Private Sectors

Image: WSP

FCW

The government’s mobilization in the recent weeks to design a network of citizen-focused programs has been profound to watch—and in many ways represents the future of experience.

At the end of the day, a networked customer experience is not just the result of a technical solution; rather, it’s a deeper philosophical shift in a move from top-down transactional experiences to more integrated, co-equal relationships between government and citizens.

____________________________________________________________________________

“In a matter of weeks, and in some cases days or hours, many businesses have pivoted because of the pandemic to meet the needs of their customers and offer a completely different customer experience (CX). Similarly, hospitals and medical practices have started to pivot their business model to focus on telemedicine, and many small businesses that were never in the delivery space have shifted quickly so they can continue to bring goods and services to customers—and remain profitable during a challenging time.

But the private sector is not the only space innovating and taking a customer-centered approach to the public health crisis. Government agencies have also had to shift in significant ways to operate in this unique environment and interact with citizens differently. Here are just a few examples of what federal organizations have done in a very short period of time to continue meeting their mission to serve citizens:

  • On April 15, the IRS launched the Get My Payment web tool so the millions of Americans who will receive stimulus checks can track the status of their payment. Shortly after deploying this tool the IRS began monitoring usage trends and customer feedback to drive the creation of coronavirus stimulus-specific FAQ content and iterative agile application improvements. The IRS has been, and will continue, deploying updates several times each week since launch.
  • In order to stay accountable to the public and report on the nearly $3 trillion stimulus funds, the Treasury Department is updating the Data Act systems to update its tools to account for increased submission requirements by agencies spending CARES Act money. The department is making that information available to the public on USAspending.gov and the Data Lab in new visualizations and data downloads.
  • In order to re-open recreation areas safely and in accordance with safe distancing guidelines, federal land management agencies are using Recreation.gov as one of their tools to provide advanced reservations, manage visitation volume, distribute information, and offer online payment solutions to visitors.
  • And the General Services Administration’s Technology Transformation Services pivoted up to 20 percent of its talent pool, at times, to fast-paced response efforts—including the development of authentication technology for the Paycheck Protection Program run out of the Small Business Administration and which is keeping so many businesses afloat.

Moving Toward Networked Customer Experiences

In both the private and public sectors, customers are expecting interactions that are seamless, with access to a collection of features simultaneously. We refer to this as a “networked” experience model, where customers create value with multiple providers, and the experience depends on the value those providers deliver collectively. There are still experience challenges that are unique to government given its organizational and mission complexity.

There will be a time soon when those responsible for delivering federal services like social security, veterans’ benefits, and medical programs will be able to rethink the entire customer interaction. At the end of the day, a networked customer experience is not just the result of a technical solution; rather, it’s a deeper philosophical shift in a move from top-down transactional experiences to more integrated, co-equal relationships between government and citizens.

It’s clear that a networked services model has in many ways operationalized during this public health crisis, in which customer experience has taken on heightened significance. Federal organizations can’t afford major missteps, and agency leaders should take advantage of support resources for help navigating this complex new normal. Over the past few years several organizations and programs have been established, including the United States Digital Service, OPM Labs, GSA’s 18F and their IT Modernization Center of Excellence for Customer Experience, to help agencies evolve with a rapidly changing experience landscape. Lighthouse agencies (such as the U.S. Department of Agriculture) and Lead Agency Partners (such as the Department of Veterans Affairs) for customer experience have had fully operational CX practices in place since before the crisis, and their models can serve as a blueprint for others along their experience journeys.”

https://fcw.com/articles/2020/06/12/milian-covid-federal-cx.aspx?oly_enc_id=

5G Promise And Perils For Government Agencies

Image: FCW

FCW

Agencies’ existing network and cybersecurity investments will help navigate the 5G future, but discussions about how to adapt these investments, and reorient them where necessary, must happen now.

Knowing what devices are connecting to your networks, what their cyber posture is and how they behave will remain the first and most critical component of effective cyber risk mitigation.

___________________________________________________________________________

“Fifth generation (5G) wireless technology has the potential to transform how the U.S. government achieves its many critical missions. With superior bandwidth, agencies will be able to connect more mission-supporting devices than ever. 5G also promises to increase functionality of these devices through reduced latency and speeds that are up to 100 times faster than the current fourth generation Long Term Evolution (LTE) technology. This can translate into improved performance, security, safety and efficiency for federal missions.

Congress and the White House both recognize how important it is that the U.S. fully harness the power of 5G in meeting government missions. The need for effective and efficient COVID-19 response and recovery has only highlighted this.

The U.S. military — the most logistically complex organization in the world — is likely to emerge as a leading 5G adopter and innovator. In the fiscal 2020 defense spending bill, Congress prioritized 5G research and development by providing $275 million to the Department of Defense for next generation information communications technology, including 5G. The DOD is currently demonstrating the benefits of 5G in government in a few interesting projects, including one at the U.S. Naval Supply Systems Command Fleet Logistics Center San Diego, where the concept of a “smart warehouse” is being tested. This project will leverage 5G to manage inventory and process orders with optimal efficiency and accuracy. As the DOD contemplates the wide range of possible use cases for 5G technology, its spending will align to these desired uses.

To allow the DOD and other federal agencies to realize 5G’s full potential, however, the government must address concerns about 5G and cyber risks. One of the widely discussed risks associated with 5G is the problem of potentially compromised hardware being incorporated into our national telecommunications infrastructure. Congress and the White House have both taken steps to address this issue — calling for the incorporation of a microelectronic trusted supply chain and operational security standards into 5G equipment.

The government has also prohibited telecommunications providers that receive federal funding from utilizing Huawei and ZTE equipment, two telecommunications equipment manufacturers the U.S. government believes have ties to the Chinese Communist Party and therefore could potentially be compelled to install unauthorized remote access capabilities (so-called “backdoors”) into their products. The concern that such backdoors could be exploited by the Chinese government for espionage, sabotage or even acts of war is shared by many U.S. policymakers and experts, on a bipartisan basis.

While much of the security discussion surrounding 5G has thus far focused on certain Chinese equipment manufacturers, there is another major security concern that must be addressed: the security risk posed by the addition of millions of additional devices, including Internet of Things (IoT) devices, accessing government network resources.

In the past, such devices have connected to network resources utilizing U.S. government-managed wired or wireless access points on government-controlled campuses. The 5G vision instead entails millions of devices accessing network resources remotely via cellular connections, likely provided through a blend of government and carrier-owned networks. Whose job is it to determine which of these devices are legitimate and do not pose a threat to either the carrier or the agency IT infrastructure they access? Who is responsible for monitoring devices while connected to ensure they don’t change their state – in other words, present themselves as legitimate, secure devices, but once admitted to the network proceed to engage in hacking or espionage activities? And ultimately, how should this diverse landscape of devices and connectivity be prioritized and segmented according to roles and criticality, so that the most sensitive and mission-critical functions are identified and protected? In a 5G future, government network security teams risk losing visibility and control of devices accessing their federal networks through carriers’ 5G towers.

Fortunately, most agencies have laid down an important foundation enabling them to overcome some of the challenges of securing their networks as 5G adoption increases. Two government-wide cybersecurity programs — the civilian agency-focused Continuous Diagnostics and Mitigation (CDM) program and the DOD’s Comply to Connect (C2C) program — are examples of dynamic frameworks and integrated capabilities designed to ensure all devices are detected and classified as they connect to the network, and are inspected continuously for cybersecurity risks, including patch and configuration status, banned hardware and software, behavioral anomalies and a host of other attributes.

Agencies that have mature instantiations of either the CDM or C2C programs will have the same level of insight into devices connecting via carrier-owned 5G networks as they do for those connecting within a campus, cloud or data center network, and will be able to enforce the same security and network access policies. Not insignificantly, the remote working trend that has become necessary during the COVID-19 pandemic has provided federal agencies some lessons in applying their CDM and C2C tools to devices that are connecting through Internet Service Provider networks in employees’ homes – in some rare cases on devices that are not owned or managed by the federal government. While telework architectures are still in need of improvement, a productive outcome of the COVID-19 crisis is that it has afforded federal agencies, in particular the DOD, an opportunity to apply “zero trust” strategies even as the concept of the network “perimeter” has been completely shattered.

We are still in the early days of 5G and the full benefits for federal agencies have yet to be realized. The operationalization of 5G will mean many millions more devices connecting to government systems. These devices support services vastly improving citizens’ security and safety and allowing government services to be delivered more effectively. However, allowing all of these devices to connect to government systems without a robust capability for finding, profiling and monitoring them would jeopardize not only agencies’ existing networks, but the very missions 5G equipment is deployed to support.

The C2C and CDM programs are good examples of how [a] visibility-first approach enables more effective security and ensures agencies’ mission-readiness. Securing 5G-enabled networks through this foundation reduces national security risk and enhances government agencies’ ability to continue serving missions.”

https://fcw.com/articles/2020/06/09/comment-gronberg-5g-promise-peril.aspx

“Zero Trust” Security Model Design Requires Specific Mission Input From Within The Organization

Image: iStock/suphakit73

FCW

Information sharing and cybersecurity controls are pillars of good governance and areas of emphasis.

“The move to the zero-trust model potentially puts guardrails around sharing and requires cooperation between techies and the mission side to work.”

_____________________________________________________________________________

“For much of the past 20 years, the federal government has segmented its systems and networks, but, said Federal Chief Information Security Officer Grant Schneider, “you presumed once someone had access control … that they were entitled to see almost anything in there.”

“That’s great for information sharing, it’s a challenge from a security standpoint because it’s an opportunity for our adversaries,” Schneider said at a May 18 event hosted by FCW. “When an outsider or an adversary gets into your system, they really only look like an adversary for a short period of time, because they pretty quickly are able to pivot to leverage real credentials in some way, shape or form, and suddenly your outsider looks like an insider. So the fact that you built an environment where you’re trusting all of your insiders is really not going to help you and not going to allow you the capabilities that you need.”

The choice to give employees “pretty much free rein” if they had access privileges was part of a larger shift that has taken place in the federal government to facilitate greater information sharing following 9/11, Schneider said.

However, over that same timeframe, agencies have also suffered a string of embarrassing security compromises, both from state-backed hacking groups and insiders who abused access privileges to steal or leak data unrelated to their day-to-day responsibilities.

Lately, a “zero trust” model has been trending, in which agencies architect their systems and networks with controls that by default assume malicious intent from both insiders and outsiders.

That means agencies will have to re-evaluate who gets access to what information and under which conditions. Employees physically present in a federal facility might have different access and privileges than they would if they were logging in remotely. Agencies must also get better at tracking and quickly updating when an employee’s role (and corresponding access) changes.

There’s a long way to go before that paradigm takes hold, however.

“We’re still riding a lot of networks and environments that your IT department or you don’t know much about,” Schneider said. “We don’t know how they’re run, we don’t know who’s on them, we don’t know what they look like.”

The technologies needed to put zero trust in place aren’t particularly sophisticated or difficult to implement, Schneider said. What’s trickier is ensuring agencies have clear rules for access. Those policies and decisions, he said, are “going to come from the mission side, from the business side who understand their data and their environment.”

Schneider drew on his time as CIO at the Defense Intelligence Agency to illustrate this point.

“I didn’t know whether a Middle East analyst in Germany should or shouldn’t be looking at a piece of data or information on China or North Korea or somewhere else. Because there may be a nexus and a connection and a thread that they’re pulling on, and I don’t want to be the one that’s preventing them from connecting the dots,” he said. The alternative is that CIOs and CISOs get involved in training the mission side on security.”

DHS Facial Recognition Privacy Risk Assessment Report

Image: “FCW”

FCW

A new Privacy Impact Assessment details how the Department of Homeland Security’s Immigration and Customs Enforcement agency uses facial recognition and what protections it plans to put in place to prevent abuse.

_____________________________________________________________________________

“The assessment, signed by DHS Chief Privacy Officer Dena Kozanas and ICE Privacy Officer Jordan Holz, lays out more than a dozen potential privacy risks associated with the agency’s use of and access to numerous databases and algorithms to identify travelers or suspects. Those risks include the possibility that ICE could abuse those services or use them outside of their intended scope, that the agency might submit or rely upon low quality images that have been found to impact accurate identification, that it might rely on inaccurate information contained in third-party databases and that it could mishandle data, leading to a breach or compromise of personally identifiable information by hackers.

The document makes clear just how much information and data are within the program’s reach. DHS has two systems, the Automated Biometric Identification System (IDENT) and the Homeland Advanced Recognition Technology (HART), which store and process digital fingerprints, facial scans and iris scans along with biographical information for identified individuals.

However, the office that stores those images (the Office of Biometric Identity Management) is also in the process of connecting to the FBI’s primary identity management system, the Department of Defense’s Automated Biometric Identification System, the Department of State’s Consolidated Consular Database, databases compiled by state and local law enforcement organizations, region-specific intelligence fusion centers and databases maintained by commercial vendors.

Each system has its own database of images but many also track and collect other biometrics and information about individuals. Often DHS can also access that information and agencies like the FBI can hold onto and use probe photos sent by ICE later for other investigative purposes.

The report also notes that ICE investigators can run images through facial recognition systems that haven’t been approved for agency-wide use by the central Homeland Security Investigations Operational Systems Development and Management unit (OSDM) in the event of “exigent circumstances.”

One privacy risk cited in the assessment is the potential to use images for purposes other than those for which they were initially collected. That risk is mitigated, according to ICE, by deleting images from facial recognition systems that were not vetted prior to use.

The assessment also notes the risk of abuse of facial recognition systems by employees and contractors. Training programs and rules of behavior are being developed by Homeland Security Investigations, ICE’s privacy office and DHS’ Science and Technology Directorate. Supervisors will periodically audit each employee’s use of facial recognition services to ensure compliance, and ICE Privacy will only approve commercial vendors who provide auditing capabilities for their own systems.

To guard against data breaches, HSI will only submit “the minimum amount of information necessary for the [service] to run a biometric query,” such as the probe photo, the case agent’s name and the legal violation being investigated. If a breach occurs “the information lost by the FRS will be minimal and out of context,” the report claims. Another DHS agency, Customs and Border Protection, saw tens of thousands of photos from its facial recognition program stolen last year when hackers compromised a subcontractor who had been storing and retaining the images without permission.

The use of facial recognition systems by DHS under the Trump administration has come under scrutiny as tech experts have fretted over the technical limitations and activists have complained about a lack of transparency from ICE regarding how it uses the technology and the potential to facilitate widespread targeting of Latinos, Muslims and other vulnerable populations.

In line with previous assessments from the National Institute of Standards and Technology, the privacy report also makes clear that numerous factors impact the accuracy of the many algorithms relied on by DHS, including lighting, photo quality, camera quality, distance or angle of the subject, facial expressions, aging and accessories like glasses, hats or facial hair.

Doctor Nicol Turner Lee, a fellow at the Center for Technology Innovation at the Brookings Institute who studies algorithmic integrity, said some of the guardrails outlined in the assessment — like emphasizing trainings and accountability measures — are a step in the right direction. However, she said the agency’s continued reliance on open source image collection and coordination with other major databases still leave significant concerns around accuracy, privacy and civil liberty.

“I think what they’re doing [here] is good but we still have a host of other challenges to address and remedy for the full-scale deployment of facial recognition,” Lee said in a phone interview. “We still need a better accounting of the types of training data that is being used, we still need a conversation on the technical specifications and its ability to fairly identify — particularly — people of color that are not sufficiently found in certain facial recognition systems.”

Lee also said there remain concerns about biases embedded in facial recognition systems and “within the context of ICE, the likelihood of certain populations being more violently subjected to this over-profiling and overrepresentation in certain databases.”

https://fcw.com/articles/2020/05/27/ice-facial-recognition-privacy.aspx

New Contract Award Reveals Pentagon’s Evolving Cloud Strategy

Image: Peggy Frierson/Defense Media Activity

DEFENSE ONE

Defense Innovation Unit (DIU) Secure Multi-Cloud Management System Contract disproves fears that the massive JEDI contract meant one company would get all the work.

“It shows that the Pentagon is moving away from its older multi-cloud environment, a kluge of little clouds mostly from longtime defense contractors.”

________________________________________________________________________

“Google will build security- and app-management tools for the Pentagon’s Defense Innovation Unit, deepening the Silicon Valley giant’s military ties and illuminating the challenges facing the Defense Department’s drive to a multi-cloud environment.

Tools and a console built with the company’s Anthos application management platform will allow DIU to manage apps on either of the cloud services heavily used by the Pentagon: Microsoft Azure, which won the hotly contested JEDI cloud contract, and Amazon Web Services, or AWS, heavily used by DoD researchers, from a Google Cloud console.

Mike Daniels, vice president of government sales for Google Cloud services, said the company’s approach to security both complements and differs from those of Microsoft and AWS. Traditional “castle-and-moat” network security uses firewalls and virtual private networks to keep attackers on the other side of some sort of digital barrier. The higher the security certification, the deeper and wider that moat. It works well enough in a single-cloud environment but less well in one with applications running in multiple clouds. It can also present problems when you’re dealing with an “extended workforce”: a bunch of people working from home or different locations.

Google’s approach is based on fewer borders, perimeters, and moats, Daniels explained. “It looks at critical access control based on information about a specific device, its current state, its facilitated user, and their context. So it considers internal and external networks to be untrusted,” he said. “We’re dynamically asserting and enforcing levels of access at the application layer, not at the moat or perimeter. What does that do? That allows employees in the extended workforce to access web apps from virtually any device anywhere without a traditional remote-access [virtual private network].”

First, it shows that the Pentagon is moving away from its older multi-cloud environment, a kluge of little clouds mostly from longtime defense contractors. When the JEDI program was announced, a lot of those vendors howled that a single massive cloud contract would leave DoD overly reliant on one company. The Pentagon countered that while JEDI was its biggest cloud contract to date, it would not be the last. What DoD did not say—but what some vendors should have anticipated—is that Azure and AWS will be picking up more and more of that business. Case in point: the Air Force’s Cloud One, a key node in their Advanced Battle Management System concept, is a hybrid AWS-Azure cloud. “Multi-cloud environment” for DoD increasingly means AWS and Azure. Future software should be compatible with both. 

Second, it shows that Google is overcoming its employees’ resistance to defense contracting. In 2017, newly appointed Defense Secretary Jim Mattis made Google one of the main stops on his tech tour. His favorable impression of the company’s pioneering cloud-based approach to AI shaped the JEDI competition and helped give rise to Project Maven, a program to apply AI to intelligence, surveillance, and reconnaissance. But an employee protest led Google to end its work with Maven.

Since then, Google has put in place a list of ethical guidelines, which, it says, should enable the company to work with the Defense Department in a way that doesn’t violate what it sees as its core values. It’s working with the Joint Artificial Intelligence Center on projects related to healthcare and business automation and far-reaching research initiatives in AI safety and the post-Moore’s Law computing environment. Meredith Whittaker, the Google employee who led the protests, left the company last year.

Last April, Kent Walker, the company’s senior vice president for global affairs, described the perception that the company was opposed to doing national security work, as “frustrating.” 

Government cloud contracts have become a lot more important to Google’s business model than they were a few years ago. Google has tripled its investment in the public sector space, said Daniels. While this individual contract award is in the seven figures range, Daniels sees it as a possible pathfinder for future work with more of the Defense Department, enabled by DIU. “Frankly, the U.S. DoD is important to us, both domestically as well as globally. We are a global public sector business. To the extent that the U.S. Department of Defense is doing work with us, I do think that is an indicator for us globally as to the confidence that governments around the world can put into Google as a business partner.” 

https://www.defenseone.com/technology/2020/05/what-googles-new-contract-reveals-about-pentagons-evolving-clouds/165524/
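The access model that runs through the 5G piece (devices inspected continuously for patch status, banned software and behavioral anomalies, and re-checked when they change state after admission), the zero-trust piece (different privileges on-site versus remote, role changes that must be reflected promptly) and Daniels’ description of application-layer decisions based on device state, user and context can be written down as a single policy function. The following is an added example for this page, not code from FCW, Defense One, Google, or any CDM or C2C product; the roles, application sensitivities, event names and device records are constructed.

```python
"""Context-aware access decisions re-evaluated as device posture changes.

Added example, not from any agency program or vendor product; attribute
names, roles, app sensitivities, event names and records are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    DENY = 0
    LIMITED = 1  # reduced privileges (e.g. read-only) on sensitive apps
    FULL = 2


@dataclass
class Device:
    device_id: str
    managed: bool         # government-owned and enrolled in the device inventory
    patched: bool         # patch and configuration status current
    banned_software: set  # banned hardware/software observed on the device
    anomalous: bool       # behavioural anomaly flagged by continuous monitoring


@dataclass
class Context:
    user: str
    role: str             # current role as recorded by the identity system
    on_site: bool         # physically inside a federal facility vs. remote


# Constructed policy tables: highest sensitivity a role may reach, and the
# sensitivity of each application. Real values come from the mission side.
ROLE_CLEARANCE = {"analyst": 2, "contractor": 1}
APP_SENSITIVITY = {"inventory": 1, "casefile": 2}


def decide(device: Device, ctx: Context, app: str) -> Tier:
    """Decide at the application layer; prior admission earns no trust."""
    # Device posture gates everything: an unmanaged or anomalous device, or one
    # running banned software, is denied regardless of who is using it.
    if not device.managed or device.banned_software or device.anomalous:
        return Tier.DENY
    # The user's current role must cover the application's sensitivity.
    if APP_SENSITIVITY[app] > ROLE_CLEARANCE.get(ctx.role, 0):
        return Tier.DENY
    # Remote or unpatched sessions get reduced privileges on sensitive apps.
    if APP_SENSITIVITY[app] == 2 and (not ctx.on_site or not device.patched):
        return Tier.LIMITED
    return Tier.FULL


def session_trace(device: Device, ctx: Context, app: str, events: list) -> list:
    """Re-run the decision after each monitoring or identity event; return the
    tier before the first event and after each event."""
    history = [decide(device, ctx, app)]
    for event in events:
        if event == "banned_tool_seen":
            device.banned_software.add("constructed-banned-tool")
        elif event == "anomaly":
            device.anomalous = True
        elif event == "role_changed_to_contractor":
            ctx.role = "contractor"
        elif event == "went_remote":
            ctx.on_site = False
        history.append(decide(device, ctx, app))
    return history
```

The point of `session_trace` is that a device admitted at `FULL` drops to `LIMITED` or `DENY` as soon as monitoring or the identity system reports a change, rather than keeping the access it was granted at connection time.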