Category Archives: Computer Security

NATO Agency Seeking Bids for IT Modernization Program

Photo: NATO officials discuss future cyber initiatives at the NATO Communications and Information Agency. (NATO)

“NATIONAL DEFENSE MAGAZINE”

“The program will span at least four contracts and be worth up to $537 million, and is expected to be completed by mid-2018.

NATO’s communication and information technology arm is seeking industry partnerships as it takes on a multi-year modernization effort for its information-technology systems, according to the organization’s acquisition director.

The NATO Communications and Information Agency — which runs the information technology, communications and command and control for the multinational organization — has opportunities for defense and IT companies in various stages of the modernization program, Peter Scaruppe told National Defense in February.

“The IT modernization program is a very important one because it basically replaces all of the IT in all the NATO locations, and for all the NATO forces,” he said.

The program entails: streamlining NATO’s IT service offerings to increase efficiency and effectiveness; using a customer-funded delivery system to increase the flexibility and scalability of IT services; delivering services from a centralized set of locations; and implementing increased cyber security measures, according to the agency.

Next on the priorities list is introducing a cloud-based services enterprise design by this summer, which Scaruppe called a major part of the modernization program.

“Storage is an important issue for all current and future IT programs, because with big data and the availability of big data, it is increasingly important,” he said. “We are anxious to see what companies will provide.”

The NCI Agency also plans to develop new data centers in Mons, Belgium, and Lago Patria, Italy, by early 2018, Scaruppe said. A third site has not yet been publicly revealed, but is being considered as an option “if and when we need it,” he said.

“This is for the IT support and operational support for NATO locations and operations,” he said.

NCI Agency has made concerted efforts in recent years to work more closely with industry to beef up its cyber defense capabilities. The agency contracts out about 80 percent of its work to the defense and security industries of NATO’s 28 current member-nations, Scaruppe said.

This year, the agency will host its annual industry conference in North America for the first time since it kicked off six years ago, rather than in a European country, “to note the transatlantic alliance,” he said.

The theme of the NCIA Agency Industry Conference and AFCEA TechNet International — which will be held in late April in Ottawa, Canada — is “Sharpening NATO’s Technological Edge: Adaptive Partnerships and the Innovative Power of Alliance Industry.” The conference builds upon last year’s theme of why innovation is important to NATO’s technological needs, Scaruppe said.

“Especially in the IT and cyber world, we know that there are a lot of innovators out there … not exactly keen on working with an 800-pound gorilla like NATO,” he said. “Some are not familiar with the process, [so] we need to catch the right innovators.”

One major part of the conference is dedicated to innovation challenges where agency officials and industry will discuss pre-determined areas of study, he said. “We did this last year, very successfully, and we got lots of proposals, many more than we thought we would get.”

Conference attendees will learn of upcoming business opportunities with an overall budget of about $3.2 billion over the next two to three years, Scaruppe said.

Businesses also have the chance to speak with agency experts ahead of potentially bidding on a project.

“We do this every year, but we’re dedicating a lot more time to this part than usual [this year],” he said, adding that the agency hopes to attract more U.S. and Canadian industry members as a result.

Attendance rates at previous conferences have been about 70 percent European-based, Scaruppe said.

The agency is also looking to attract more cyber experts through the conference by running a next-generation skills exercise and innovators program, he said.

“We have a lot more work than we have staff for — and the same is true with the private companies — [and] we want to find innovative ways of how to attract these people, how to retain these people and also keep us current in the cyber exercise.”

http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=2448


De-Complicating Federal Cyber Security

Photo credit: U.S. Army

“FIFTH DOMAIN CYBER” – By Keith Lowry

When it comes down to it we’re dealing primarily with a people problem before a technical problem. People use technology to become cybersecurity and insider threats.

They also use low-tech tactics like social engineering and dumpster diving, too. Until the government realizes these concepts are connected, and that it can’t just purchase tools to address their vulnerabilities, it will always lag behind the threat.

“The nine most terrifying words in the English language are, ‘I’m from the Government, and I’m here to help.’” ~President Ronald Reagan

It might seem like hyperbole to claim that anything the government does hinders, and doesn’t help, progress. I’d like to think differently, but my experience gives President Reagan’s statement a certain level of credibility. Too many times, government agencies are convinced that doing things on a large scale will solve individual problems or issues. This attitude leads to massive delays and a lack of attention to the small but important details.

Making Simple Things Complex

During my tenure at the Pentagon, it was almost impossible to develop, coordinate, authorize and publish any policy within two years. Even if a proposed policy was extremely important, it just took too long to implement. If the Department of Defense has such issues in developing policy, then consider how difficult it must be to develop and publish policies that span across the entire spectrum of the government.

Governments inherently make simple things complex, and complicate obviously simple tasks. Because of this, I inherently question any program driven by a government agency or organization that claims it is “here to help.”

Large scale government programs are often initiated to create cost effectiveness, but what is the cost if the program takes years to develop and implement? Even worse, the fast-paced cycle of technological advances makes measuring program development in terms of years a huge problem. The opportunity costs coming from a breach or system downtime far outweigh any fiscal savings. Add in the fact that many government agencies will fight for ownership of a large program because of the concomitant funding, and you’ll see why relatively simple matters can spiral out of control very easily.

That’s not to say there isn’t a benefit in government ownership. There are potential cost savings tied to having overarching policies executed by a single entity, but the coordination and time lapse in enacting anything of value is suspect. It takes too long to enact and follow through, especially when most agencies have their own congressionally driven budget and appropriations process to consider.

A Multi-faceted Issue

Over the years, I have heard many agencies state that they cannot consider creating an insider threat program or cybersecurity program because they don’t have the budget, or that they are waiting for a parent agency to come up with a plan and associated instructions. The problem with this thought process is multi-faceted. First, no two federal organizations are alike. They all have differing processes, serve diverse populations, and also possess assorted and sundry critical value data.

Second, each of these variables means that one insider threat or cybersecurity solution doesn’t fit another organization’s needs. Finally, the budgetary and appropriations cycles are controlled by Congress, subjecting them to political realities and consequences.

In these circumstances, when I hear that the government is telling agencies what they must do while controlling the budget from afar, it’s creating a difficult problem for the agencies to solve. Furthermore, when I hear that one agency is dependent upon another to proceed in developing insider threat programs or cybersecurity solutions, it rings of the “I’m from the government, and I’m here to help,” idiom. In other words, no action will be taken in sufficient time to counter any threat.

Solving at the Highest Level

My solution for this might sound a bit controversial.

Cybersecurity threats are comingled with insider threats. At a fundamental level, too many people believe that technology alone is the answer to cybersecurity concerns. I’ve mentioned it before, it’s not just about technology. Yet that’s the first thing people think of when considering cybersecurity or insider threats. Maybe it’s thanks to Hollywood’s portrayal of the industry and the capabilities of high-powered computers connected to, well, everything.

Tactically, the government should elevate decision making for the cybersecurity/insider threat problem to a Cabinet-level position, which would signify the importance of the issue. Additionally, the Cybersecurity Cabinet person should adhere to the mantra of centralized administration, de-centralized execution. Making each agency responsible for executing its own cybersecurity and insider threat program will encourage much faster implementation countering these threats. Of course, Congress would have to be included in any solution to ensure success.

This may not be the best fiscal option, but it would certainly be the best method for quick implementation and execution required to protect government-held and controlled critical value data. Rather than one agency doing everything, make each agency responsible for creating, implementing, and running individual programs, and hold them accountable at the highest level possible.

http://fifthdomain.com/2017/03/08/de-complicating-cybersecurity-at-the-federal-level-commentary/

About the Author

Keith Lowry

Keith Lowry is the senior vice president of Nuix USG and Nuix’s Business Threat Intelligence and Analysis division. He served as chief of staff to the deputy undersecretary of defense for human intelligence, counterintelligence and security at the Pentagon, as well as an information security consultant in the private sector.


The FCC Seems Unlikely to Stop Internet Providers from Selling Your Data


Image: CBS News.com

“WIRED”

“Little seems to be standing in the way of Comcast, Verizon, and other internet service providers selling your personal information without your permission.

The Federal Communications Commission took a first step toward delaying its own rules protecting consumer privacy and security.

Last October the agency passed a set of rules that would have required internet providers to take new steps to protect your private data from hackers. That same regulatory package would have required ISPs to notify you if someone hacked your data and to get your active permission before selling your data. The FCC suspended the data security rules from that package that would have taken effect Thursday.

The FCC and the Federal Trade Commission, which regulates the privacy and security practices of websites like Google and Facebook, also issued a joint statement that signaled a seeming intention to jettison the privacy rules as well before they take effect later this year. (Neither agency responded to a request for comment.)

“The Federal Communications Commission and the Federal Trade Commission are committed to protecting the online privacy of American consumers,” FCC chairman Ajit Pai and FTC chairman Maureen K. Ohlhausen said. “We believe that the best way to do that is through a comprehensive and consistent framework.”

Ajit Pai, chairman of the FCC, has opposed the rules all along, saying he believes websites and internet providers should follow similar privacy and security practices. He contends that multiple sets of rules will lead to confusion among consumers. The upshot for consumers: Your internet provider has less obligation now than it would have to protect you from hackers. And providers seem to be facing few legal roadblocks standing in the way of selling your personal data to advertisers.

Reasonable Protections

Rather than spelling out specific steps that internet providers should follow to protect customer data, last year’s privacy and security order called for internet providers to provide “reasonable data security.” The order made it clear that internet providers wouldn’t be held liable for all data breaches and provided some guidance that it described as consistent with the Federal Trade Commission’s privacy rules. It also suggested that providers look to other privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA). Industry groups objected, claiming the FCC’s new rules were too vague.

Protecting internet privacy has also traditionally fallen to the FTC. But in 2015, the FCC reclassified internet providers as utility-like “common carriers,” a change that enabled the agency to enforce net neutrality rules banning internet providers from discriminating against or favoring particular websites or apps. Last year, as a result of a lawsuit filed by AT&T, a federal court decided that because internet providers now qualify as common carriers, the FTC no longer has authority over them. Responsibility for regulating how internet access providers manage privacy instead fell to the FCC, while the way websites like Facebook and Google manage privacy remained the FTC’s responsibility.

Shortly after the court’s decision, the FCC set about creating a set of stricter privacy rules. The biggest and most controversial difference between the FCC’s newer rules and the FTC’s rules was the ban on selling customer data without your permission, set to take effect as early as December. Your internet provider has a view of your most intimate online activities. Although Google uses encryption to prevent prying eyes from seeing your online searches, your internet provider can see what websites you visit, when you visit them, and how much time you spend there.

In 2012, Verizon began tracking its wireless customers’ activities across the internet. It then used that data to target ads on the various sites it owns, such as the Huffington Post. Eventually the company gave customers the option to opt out of that tracking, and later it limited tracking your behavior to Verizon-owned sites only. The FCC’s newer rules would ban Verizon or any other provider from similar data collecting without getting customers’ permission, unless Congress or the FCC delay or overturn them before they go into effect.

Pre-existing FCC rules already ban providers from tracking customers without at least notifying them, but unless the new, more stringent rules take hold, telcos will have much more freedom to sell your data. Regulations letting both internet access providers and websites sell your data may be consistent. But that doesn’t mean they make sense.”

https://www.wired.com/2017/03/fcc-graciously-sets-internet-providers-free-sell-data/
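The article's point that an ISP "can see what websites you visit, when you visit them, and how much time you spend there" even when the traffic is encrypted deserves a concrete illustration. HTTPS encrypts page content, but the first handshake message, the TLS ClientHello, carries the requested hostname in the clear in the Server Name Indication (SNI) extension, and DNS lookups and destination IP addresses are visible regardless. (Encrypted Client Hello, where deployed, hides the SNI field; it was not in use at the time of the article.) The example below is added here and is not from the Wired article or any ISP tooling: it builds a minimal ClientHello as constructed test input, then parses the SNI out of it the way an on-path observer would, and turns a sequence of timestamped payloads into the visit log the article describes.

```python
"""Added example (not from the Wired article): what an on-path ISP can read
from an HTTPS connection it carries. The ClientHello bytes are constructed
for the demo rather than captured traffic."""
import struct


def build_client_hello(hostname, include_sni=True):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    exts = b""
    if include_sni:
        name = hostname.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name bytes
        server_name = b"\x00" + struct.pack("!H", len(name)) + name
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        exts += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    # An unrelated extension (supported_groups) so the parser has to skip past it
    groups = struct.pack("!HHH", 4, 0x001D, 0x0017)  # x25519, secp256r1
    exts += struct.pack("!HH", 0x000A, len(groups)) + groups

    body = b"\x03\x03"                                   # client_version: TLS 1.2
    body += b"\x11" * 32                                 # random (fixed for the demo)
    body += b"\x00"                                      # session_id length 0
    body += struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"   # two cipher suites
    body += b"\x01\x00"                                  # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    # Handshake header: type 1 (client_hello) followed by a 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), legacy version, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname from a TLS ClientHello record, or None.

    Every length field is bounds-checked so truncated or non-TLS payloads
    return None instead of raising."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                      # not a handshake record
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                      # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                         # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                 # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                 # compression_methods
    if len(body) < pos + 2:
        return None                                      # no extensions block
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(data) < 5:
            continue                                     # not server_name, or malformed
        (list_len,) = struct.unpack("!H", data[:2])
        p, list_end = 2, min(2 + list_len, len(data))
        while p + 3 <= list_end:
            ntype = data[p]
            (nlen,) = struct.unpack("!H", data[p + 1:p + 3])
            p += 3
            if ntype == 0 and p + nlen <= list_end:
                return data[p:p + nlen].decode("ascii", errors="replace")
            p += nlen
    return None


def observed_hostnames(packets):
    """Map (timestamp, payload) pairs seen on the wire to (timestamp, hostname)
    for every ClientHello carrying an SNI: the visit log an ISP can build
    without decrypting anything."""
    return [(ts, host) for ts, payload in packets
            if (host := extract_sni(payload)) is not None]


if __name__ == "__main__":
    # Constructed flow: two page visits and one opaque application-data record
    flow = [(1.0, build_client_hello("example.com")),
            (1.2, b"\x17\x03\x03\x00\x05hello"),
            (2.5, build_client_hello("news.example.net"))]
    for ts, host in observed_hostnames(flow):
        print(f"{ts:5.1f}  {host}")
```

Run as a script, the block prints the two hostnames with their timestamps while the application-data record contributes nothing, which is exactly the asymmetry the article relies on: content is hidden, destinations and timing are not.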


Army Awards Spots on $2.5B Contract Vehicle for Desktop and Mobile Computers


Image: Defense Systems.com

“GOVCONWIRE.COM”

“Nine companies have won spots on a potential 10-year, $2.5 billion contract.

The Army Contracting Command received 58 bids for the Army Desktop and Mobile Computing-3 contract vehicle, the Defense Department said Thursday.

The ADMC-3 contract covers integrated desktop computers, tablets, notebooks, workstations, electronic displays, printers, thin clients and multifunction devices, according to a FedBizOpps notice.

The awardees are:

  • Blue Tech
  • Dell’s federal systems business
  • GovSmart
  • Ideal Systems Solutions
  • Intelligent Decisions
  • Iron Bow Technologies
  • NCS Technologies
  • Red River Computers
  • Strategic Communications

The Army will determine work locations and obligate funds upon award of each task order under the firm-fixed-price contract and expects contractors to complete work by Feb. 15, 2027.”

https://www.govconwire.com/2017/02/army-awards-9-spots-on-2-5b-desktop-mobile-computers-contract-vehicle/

Intelligence Advanced Research Projects Activity (IARPA) Hits Stride Funneling Collaborative New Technology


“NATIONAL DEFENSE MAGAZINE”

“The Intelligence Advanced Research Projects Activity technology incubator celebrated its 10th year by transitioning a large number of programs to its clients.

12 new research programs, two new challenge prizes, 46 workshops with 2,700 attendees, 250 peer reviewed publications, and 22 technologies being transitioned to one of its client agencies.

It has worked with 500 organizations — half universities or small colleges, a quarter small businesses, and a quarter a mix of large companies, federal laboratories and federal agencies, Jason Matheny, IARPA director, said at the National Defense Industrial Association’s Special Operations/Low Intensity Conflict conference.

It serves 17 intelligence agencies in the U.S. government. “Their problem sets are broad,” he said. They involve everything from the hard sciences such as physics, biology and chemistry to political science and psychology with neuroscience, computing and engineering kicked in.

“The way that I used to describe this to my family was that we are the United States’ version of Q Branch from the James Bond movies,” he said. Except when his daughter came to visit on family day, she remarked that it was just a bunch of filing cabinets with contracts inside.

“We have outsourced Q Branch. … We fund the best and the brightest in academia and industry to solve our hardest problems,” he said.

The agency modeled itself after the Defense Advanced Research Projects Agency because it was so successful, Matheny said.

Over the past decade, IARPA has emerged as the largest funder of academic research into quantum and superconducting computing. It also pours money into machine learning, speech recognition, imagery analysis, facial recognition, and automated video analysis.

About one-third of its budget is put toward human judgment programs. This field helps analysts make better assessments based on partial data or wrong information, Matheny said. “How can they make more accurate judgments quickly? How can they resist certain universal cognitive biases?”

“Ultimately, judgments in the intelligence community come down to a human being. We haven’t automated analysis and we don’t expect to automate that kind of analysis,” he added.

Other technologies it’s pursuing include sensors that can pick up chemical traces from stand-off distances and in-place unattended chemical sensors that can be dormant for years, then “phone home” when they detect an agent. It’s also looking at detectors for nuclear weapons and synthetic genomes in the environment.

“Very” quiet unmanned aerial vehicles and persistent undersea sensors are two other needs, he said.

New opportunities include the Janus program, which focuses on the hard facial recognition problem, he said. “Let’s say you have faces that are covered, that are captured from an angle with very low resolution cameras or video.” The goal is to piece together various images from multiple angles and try to compose a composite facial image.

It’s also looking into high-resolution 3D modeling created from overhead imagery. “Can you build a 3D model of not just a building, but an entire city with 5 centimeter accuracy?” If so, that could be helpful for special operators planning raids, he added.

It is also searching for knowledge discovery tools in multi-lingual domains. This is intended for languages for which there isn’t a common automatic translation system such as those provided by Google.

IARPA prefers a competitive set up. It issues similar contracts in parallel to pursue the same technical goal. Multiple teams then research the same target. “We obsessively keep score. We spend about a quarter of our budget on testing and evaluation. And then we exercise options … for the teams that are outperforming others,” Matheny said.

This is stressful for the teams but results in more innovation, more quickly “in ways we don’t see otherwise in federal contracting,” he said.

“Prize challenges are one of the more cost-effective ways we have for funding innovation,” he said. The organization has found hobbyists willing to solve problems for $10,000 prize purses. The competition levels the playing field for anyone who is able to participate.

Like DARPA, it issues broad area announcements that it always keeps open so it can rapidly provide seed money for those with good ideas. The “informal process” begins with as little as a paragraph describing an idea, followed by a phone call with a program manager. “The program manager has been trained to be brutally honest — to give a thumbs down on an idea that we don’t want to see a full proposal on, or a thumbs up.”

The phone conversation is key, Matheny said. “If the program manager tells you they really want to see a proposal, they really do want to see that proposal.” Ninety percent who are asked for a full proposal go on to be funded, he noted. The more formal way of proceeding only resulted in 20 percent moving forward, he added.”

http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=2419


The New Technology of Humanitarian Assistance


“THE CIPHER BRIEF”

“Technology has already transformed the conduct of war; could it also transform approaches to aiding the victims of conflict, disease, and natural disasters?

Drones could help alleviate some of these challenges through remote delivery of high-value, low-mass goods to areas otherwise inaccessible due to hard terrain, natural disaster, or conflict.

Since the first CIA Predator drone strike in October 2001, the United States, among others, has sought to expand the technology to facilitate remote warfare. UN peacekeeping forces use drones for intelligence gathering in such places as Mali, the Central African Republic, and the Democratic Republic of the Congo. The commercial drone industry is booming and is expected to only grow further with hobbyists using off-the-shelf quadcopters for their scenic vantage points and Amazon’s prospective drone deliveries to customers. Even insurgents are beginning to incorporate this new technology into their arsenals, setting their sights on recruitment messaging, intelligence collection, and explosives delivery.

To understand how drones could transform the provision of humanitarian aid, it is important to first acknowledge the areas of difficulty humanitarians often encounter. Jack Chow, a former U.S. ambassador and the first Assistant Director-General of the World Health Organization on HIV/AIDS, Tuberculosis, and Malaria, points out that “the barriers to providing humanitarian aid are numerous and evolving. Chief among them are extensive operational obstacles that involve myriads of personnel, assets, and supply chain links. Complications and breakdowns among any operational components will cause delays and losses of aid. Chokepoints and tenuous routes invite corruption and pilferage.” Kristin Bergtora Sandvik, a professor at Peace Research Institute Oslo (PRIO) and co-founder and former director of the Norwegian Center for Humanitarian Studies, says that “the humanitarian sector struggles with lots of unresolved challenges with respect to obtaining adequate situational awareness for aid workers; getting sufficient information about the size and whereabouts of crisis-affected communities; and overcoming the logistical problems of timely and appropriately scaled last-mile delivery of cargo.”

The issue of supply chain logistics became a major hindrance in the timeliness of the international response to the 2014 Ebola epidemic in West Africa, particularly with fears of the virus spreading internationally. Drones could help alleviate some of these challenges through remote delivery of high-value, low-mass goods such as everyday medicines like insulin, antibiotics, and painkillers, or of communications equipment such as phones and computers, to areas otherwise inaccessible due to hard terrain, natural disaster, or conflict. For example, in Malawi, UNICEF sees drones as a method of transportation for blood work to help HIV testing, while in Rwanda, a humanitarian drone startup known as Zipline is also delivering blood supplies to remote hospitals in the region.

Similarly, the negotiation of humanitarian access in conflict and post-conflict countries often includes tradeoffs between an organization’s freedom of movement and concessions made to local authorities operating in a vacuum of formal government control. However, as Sandvik points out, even if drones could potentially replace caravans of trucks to mitigate the problem of access, “most of the models offered by the drone industry are too expensive for the humanitarian sector and the available models often not powerful enough to stay for any significant time in the air,” let alone “transport tons worth of relief items.”

While larger drones are available to the U.S. military, they require more advanced pilots and could also be targeted by the anti-aircraft systems of belligerents purposely using starvation and medical deprivation as weapons of war. For example, to deliver aid to the Yazidi population trapped on Mt. Sinjar in August 2014, the U.S. military had to first conduct airstrikes on ISIS positions to ensure safe passage of their cargo planes.

Potential advances in artificial intelligence (AI), however, could allow swarms of small drones to slip by air defense systems to individually deliver small packages of cargo—possibly even create impromptu networks for Wi-Fi and establish phone signal availability. Chow asserts that “as costs come down and AI-driven avionics accelerate in power, flotillas of drones over vulnerable regions can provide constant coverage for early detection and rapid response to humanitarian crises.” Artificially intelligent drones could also address major impediments to post-conflict reconstruction, such as landmine removal to enable locals to return to an agricultural economy while mitigating indiscriminate casualties largely affecting children. The Mine Kafon Drone seeks to autonomously map a designated area, detect the positioning of mines via GPS and then safely detonate them at a pace unmatched by even skilled personnel.

Drones could also be a source of information for aid workers on developing crisis situations. Chow notes that “on-board sensors will acquire information about conditions on the ground, presence of detectable dangers, and the numbers and locations of affected people,” and “in the future they may detect the first stirrings of violence by picking up sounds or flashes from gunfire.” Following the 2008 Sichuan earthquake in China that killed over 69,000 and left 18,000 missing, Chinese responders used drones to locate downed bridges, collapsed tunnels, and other chokepoints hindering rescue efforts, while assessing damage to critical buildings such as schools and hospitals. In Nepal, the Humanitarian UAV Network used drones to create clearer photos than existing satellite images while also using 3D modeling of the damage to identify which houses were prone to collapse.

The problem with humanitarian drones monitoring from the skies is that governments and their populations will be uneasy about what the data will be used for. The association of drones with military intelligence collection creates a stigma not easily avoided, and governments may fear footage could be shared with human rights organizations documenting war crimes. Some of this can be addressed through technical solutions such as geo-fencing, whereby drones are only able to gain access to certain airspace, but ultimately, as Chow notes, “expanding drones’ powers will also force a need for a regulatory framework at the national and international level in order to establish technical standards and rules for operations.”

Sandvik suggests the major criticisms of the humanitarian use of drones now are over “concerns the technology creates distance between beneficiaries and aid workers,” “the potential association with military applications” such as intelligence collection, and ultimately, “the lack of added value delivered by the use of drones,” whereby the technology is simply not sufficiently developed yet and therefore a “distraction from other work.”

While drones would likely augment, not replace aid workers—or other longer-term projects such as infrastructure development—there is still enormous potential for drone technology to change the provision of humanitarian aid. There are, however, numerous steps before such technology becomes meaningful, let alone systematically normalized. While the hype over the humanitarian application of drones may have spurred the discussion, persistence is needed to determine how drone technology will actually contribute to future humanitarian efforts.”

https://www.thecipherbrief.com/article/tech/new-technology-humanitarian-assistance-1092


Silicon Valley’s Pentagon Ties Stay Strong


Image:  “Wired”

“WIRED”

“On the surface, left-leaning Silicon Valley and the more conservative US military seem worlds apart.

But the Pentagon’s Defense Innovation Advisory Board continues to bring the two together.

Former Secretary of Defense Ash Carter created the board in March 2016 so that the Pentagon could tap some of the best minds in science and technology. It counts among its members prominent Silicon Valley leaders such as Alphabet’s Eric Schmidt, Amazon’s Jeff Bezos, Instagram’s Marne Levine and LinkedIn’s Reid Hoffman. Despite uncertainty about its future under Trump’s administration, all the board members plan to remain until the end of their terms. They’ve also dodged the public controversy swirling around Silicon Valley leaders who maintain advisory ties to the Trump White House.

“There is a real contrast between the enthusiasm of tech leaders to serve on the Pentagon’s Innovation Board and the positive public atmosphere that surrounds it and the controversy that surrounds Trump’s CEO advisory group, which CEOs from companies such as Uber have bailed from,” says Peter Singer, a defense expert at the New America Foundation and coauthor of the 2014 book “Cybersecurity and Cyberwar: What Everyone Needs to Know.”

The fact that Silicon Valley’s current advisory role to the Pentagon has proven substantially less controversial than its White House parallel is not without irony. “It points to how the Defense Department is now viewed as the bastion of sanity and respect for law and science, versus the White House as a space of controversy,” Singer says.

Calling All Geeks

To date, the board’s “seemingly nonpartisan ideas” have been “well-received within the defense policy community,” Singer says. But he cautioned that ordinary bureaucratic resistance could slow adoption of its recommendations, unless Mattis and senior Pentagon leaders make them a priority.

Still, the Silicon Valley approach has some momentum within the military, particularly around open source initiatives. The Forge.mil program—founded by the Defense Information Systems Agency in 2009—has enabled collaborative work on open source and community source software across the Pentagon. Separately, the Military Open Source Software (Mil-OSS) community has connected developers in the military and civilian worlds since its creation in 2009. Such open source approaches could help the Pentagon move faster and innovate inexpensively, says Joshua Davis, senior research scientist at the Georgia Tech Research Institute and co-founder of the Mil-OSS community.

On Jan. 9, the Defense Innovation Advisory Board voted to approve 11 recommendations that covered issues such as boosting cybersecurity for advanced weapons, and funding new research in artificial intelligence. Outside experts such as Davis and Singer especially lauded the board’s recommendation to make computer science a “core competency,” by creating a specialized career track for military service members and recruiting fresh talent from both the military and civilian worlds. The Pentagon previously announced its commitment to this recommendation during an interim proposal period in Oct. 2016.

“That right there is a multi-decade kind of thing that’s not going to happen overnight,” Davis says. “But it’s probably one of the first things you can do to build a culture to accept innovation happening this way.”

Training a generation of troops on computer science would have outsized impact because many of the other board recommendations will not succeed without it, says David A. Wheeler, an expert on developing secure software, open source software, and software innovation. “The [Department of Defense] already has tracks for lawyers and doctors,” Wheeler says. “Sadly, software expertise is thin within government, even though modern systems are completely controlled by software.”

A Few Good Recs

Other recommendations clarify existing Pentagon practices. For example, the board suggested that the Pentagon “require all systems purpose-built for the military to have their source code available to the Department,” so that the government retains the rights to and can modify the code when needed. That helps ensure military software remains up-to-date and relatively secure. (Davis describes source code as the equivalent to the recipe that the computer “kitchen” relies upon to cook up the executable software.)

Standard contracting clauses for custom-developed military software already give the government such rights, Wheeler says. But he notes that officials sometimes waive those rights because they don’t realize the systems they’re purchasing have custom software, and fail to specify the software as a contract deliverable.

An interim recommendation calling for a new “global and secure” online system that would hold “all or most” of the Pentagon’s data has yet to be approved—and will likely prove very tricky to implement. Many companies in Silicon Valley and other industries already have their own internal systems to collect and share data in a way that boosts efficiency and productivity. But companies typically don’t worry about devastating national security consequences if they get hacked by foreign powers or malicious agents. “Security isn’t just part of the problem, it is the fundamental problem,” Wheeler says.

The best commercial security products can’t protect the Pentagon’s data from determined adversaries backed by foreign governments, Wheeler says. As a result, the Pentagon has intentionally kept its many systems and networks isolated, to limit the damage that can be caused by breaches of security. But the board has discussed using so-called “formal methods” that can mathematically prove a computer system is immune to entire classes of cyberattacks—a promising approach that still requires much more development.

It’s still unclear how Marine Gen. James Mattis, Trump’s Secretary of Defense, will handle the board’s recommendations. He has the final say on whether the Pentagon fully embraces the board’s ideas.

“At the staff level, we have had very productive conversations with the President’s transition team,” says Joshua Marcuse, Executive Director at Defense Innovation Board.

The US military’s mission will likely never be fully compatible with the Silicon Valley culture that Singer describes as “fast, flat in structure, and happy to fail and fail rapidly.” But it’s still refreshing to see a collaboration between government and tech that’s not fraught with controversy, and that may actually yield some positive results. After all, if the military’s going to meet the technological demands of 21st-century warfare, it’s going to need a few good geeks.”

https://www.wired.com/2017/02/despite-trump-silicon-valleys-pentagon-ties-stay-strong/

Tech Can Get Diversity – Here’s How to Do It

Standard


“WIRED”

“After publicly setting diversity goals in 2015, Pinterest, for example, boosted hiring rates of underrepresented people of color by 8 percentage points for technical roles and 5 percentage points for non-technical roles.

Since then, both Microsoft and Pandora have also taken similar steps to increase their own diversity.

The American tech industry remains a bastion of white, male privilege.

Even a cursory look at voluntary disclosures to the Equal Employment Opportunity Commission by American tech firms reveals huge racial disparities in the tech workforce compared to the private sector overall.

Adobe’s workforce is 69 percent white and Apple’s 56 percent. Google? 59 percent. Microsoft? 58 percent. The list goes on. Black people, Latinos, and Native Americans are underrepresented in tech by 16 to 18 percentage points compared with their presence in the US labor force overall.

Tech companies and investors should be concerned: Evidence strongly suggests that a racially diverse tech sector could translate into stronger financial performance. A McKinsey report showed a linear relationship between racial and ethnic diversity and a company’s financial performance. “For every 10 percent increase in racial and ethnic diversity on the senior-executive team,” the report stated, “earnings before interest and taxes (EBIT) rise 0.8 percent.”

Veterans Administration Patchwork System Eats Most Of $4B Tech Budget

Standard


“DEFENSE ONE”

“VA, with its history of failed large-scale IT projects that cost taxpayers billions of dollars, is again grappling with IT issues.

The agency’s CIO says there’s no clear plan for replacing custom-built systems, two of which are more than 50 years old.

This time, it isn’t a single program bleeding taxpayer dollars that is troubling Congress. Rather, it’s the agency’s aging IT systems, two of which are more than 50 years old, according to testimony from Dave Powner, director of IT management issues for the Government Accountability Office.

The age of some of VA’s oldest systems and its disproportionate spending on legacy technology clearly bothered several members of the House Committee on Veterans Affairs.

“It appears 86 percent of the money in IT is used for maintaining systems,” said Chairman Phil Roe, R-Tenn., who pressed VA Chief Information Officer Rob Thomas about what industry best practices for legacy spending were. Earlier, Powner had revealed that only about $400 million of the over $4 billion VA spends annually on IT is used to research and develop new systems.

“Our numbers are out of kilter from industry; we’d like to see 60 percent on maintenance and 40 percent on development,” Thomas said. “Right now, we’re turning at 85 to 90 percent sustainment, and we have to shrink that.”

Thomas told the committee VA stood up a modernization effort last year aiming to decommission old systems, close data centers and attempt to make a dent in the agency’s legacy spending. Thomas said that effort could help lead VA toward a buy-over-build approach to IT, which he himself supports.

Roe said the push for commercial-off-the-shelf solutions is encouraging, but tempered his enthusiasm. Congress has increased VA’s appropriations for IT an average of 7 percent over the past five years with little to show for it. While the Defense Department opted to go commercial for its electronic health records system two years ago, VA still grapples with whether to build its own system or follow DOD.

“My fear is that I’ve been sitting here eight years, listening to how it will get better, and I realize we have a lot of good, smart people working on this, and it’s obviously not easy,” Roe said. “But there are a lot of COTS products that can do scheduling and billing.”

Roe also voiced disgust at VA’s failed $5.3 million cloud migration contract.

“That money could have paid for so many other things,” Roe said. “Like 70 entry-level nurses in Johnson, Tennessee.”

VA’s consolidation of data centers is generally behind the rest of government. Despite being the fourth largest IT spender among all agencies, VA has closed only 20 of its 356 data centers, ranking 19th out of the 24 agencies GAO studied.

Powner said VA’s reported data center savings of $15 million since fiscal 2011 are pennies compared to the $2.8 billion other agencies saved collectively over the same period. VA also has yet to meet any metrics established by the Office of Management and Budget. To better keep tabs on progress at VA, Powner recommended the committee call VA personnel to Capitol Hill for quarterly updates. The committee agreed.

“We need to have clear transparency on what progress is being made, and when the goal posts change,” said Powner, referring to schedule slippages that are apt to occur in large software projects.

Thomas said VA has many large IT decisions to make in the near future, beginning as soon as President Donald Trump’s nominee for VA secretary, David Shulkin, is confirmed. Chief will be determining whether VA will transition to a commercial electronic health records system, though when pressed, Thomas said he had no idea how long it might take.

DOD is beginning pilots of its new EHR system, but its $9 billion contract was awarded almost two years ago. Acquisitions of that scale take time, and VA would be reluctant to cut corners given the scrutiny it is under.

Ranking member Tim Walz, D-Minn., said he wouldn’t suffer another decade of health records issues between VA and the Defense Department, and was disappointed to learn—from Powner—there still isn’t a seamless transition of health data for troops who transition to veterans. He called on Congress to demand interoperability between VA and DOD.

“I have to tell you, I cannot talk to a veteran and justify why we’re going to spend countless dollars for two systems that do not communicate and do not improve veterans’ experience,” Walz said. “We need to demand interoperability for one system and be responsible. Ten more years of it, I can’t stand it.”

If VA were to transition to a commercial EHR system, Thomas said the department would not necessarily have to use the same Leidos- and Cerner-developed system the Pentagon uses. Other commercial platforms should be interoperable, he said.”

http://www.defenseone.com/technology/2017/02/vas-patchwork-system-eats-most-its-4b-tech-budget-congress-wants-stop/135254/


Cyber’s Role in Air Force’s Premier Training Exercise: Red Flag

Standard

Image: Red radar display with identified targets

“FIFTH DOMAIN”

“Cyber forces have become an integral part in the Air Force’s premier realistic combat training exercise typically held four times each year.

The new face of warfare includes land, sea, air, space and cyber.

“We are bringing the non-kinetic duty officers into the fight at Red Flag,” Lt. Col. Neal, chief, current operations, 25th Air Force, said. “These experts in ISR and cyber warfare are the newest weapons in our command and control arsenal.”

Neal stressed the importance of bringing non-kinetic elements to the fight as the services are transitioning to multi-domain battle.

Air Force cyber teams have been integrated in Red Flag since 2009, a spokesperson from 24th Air Force said. The Air Force’s cyber element is made up of personnel from both 24th and 25th Air Force. Personnel from 25th Air Force provide cyber intelligence, surveillance and reconnaissance while personnel from 24th Air Force provide cyber operations and effects resulting in a 60/40 split of personnel from each numbered Air Force, respectively, to make up the roughly 1,700 AFCYBER workforce.

Cyber forces began in 2009 with a small contingent of 57 information aggressor squadron teams acting as red teams against operators in the Combined Air Operations Center at Nellis, the spokesperson said via email. Defensive cyber teams were then added.

Cyber mission teams, whose role is to defend the nation from cyberattacks, were added in the 2014-2015 timeframe to conduct full spectrum operations, integrating non-kinetic effects with kinetic operations and working with coalition partners. For example, in 2015, the Air Force looked at how to defend a supervisory control and data acquisition, or SCADA/industrial control system at Red Flag, the 24th spokesperson said.

Defensive and offensive teams operate remotely from their home stations as well as at Nellis, where the main event is held, Jose Delgado, cyber-ISR subject matter expert at 25th Air Force said. Members from 24th Air Force, operating from Lackland Air Force Base in Texas, operate and defend the Air Force Information network at the CAOC-Nellis while offensive cyber operations executed from 24th and 25th cyber mission teams are executed at home station and Nellis.

Offensive teams work to infiltrate networks and disrupt data, Delgado said, representing adversary forces Blue teams must defend against.

Aside from the role of Cyber Command, each service has cyber components to address inherent challenges for their respective missions. The Air Force is no different.

“There’s a clear recognition that our service needs an organic cyber capability to get after much of what Cyber Command … just doesn’t have the bandwidth to do or simply not in their charter, and it’s critical [to the] Air Force,” Air Force CIO Lt. Gen. William Bender said.

This organic capability revolves around the Air Force’s five core missions – air and space superiority, intelligence, surveillance and reconnaissance, rapid global mobility, global strike and command and control – and focuses on mission-specific tasks in the air domain. CYBERCOM, Bender said, is concerned with big problems and high-end warfare, such as protecting missile defense systems and air defense systems and assuring the nuclear enterprise and space enterprise.

Red Flag is now used to validate training objectives for cyber mission force teams at Cyber Command. Each individual and team must meet certain training objectives in order to be validated at initial and full operational capability. The CMF reached initial operational capability in October, though slightly behind schedule.

The CMF is slated to reach FOC at the end of 2018.”

http://fifthdomain.com/2017/02/06/cybers-role-air-forces-premier-training-exercise-red-flag/