Category Archives: Computer Security

GSA Weighing ‘Multiple Initiatives’ For Government 2019 Centers of Excellence (COE) Projects



“FEDSCOOP”

“The USDA was selected to be the “lighthouse” agency for the rollout of all five CoE teams, but future projects could focus on agencies using individual teams.

Those teams are paired with contractors, as well as personnel at target agencies, to carry out IT modernization projects based on their skill sets.”

___________________________________________________________________________________________

“As the General Services Administration moves forward leading the White House’s Centers of Excellence program to modernize IT operations at the Department of Agriculture, agency officials at the agency’s Technology Transformation Service are already looking toward the next round of projects.

Joanne Collins-Smee, deputy commissioner of the Federal Acquisition Service and TTS director, said Friday that the agency was already looking for what projects it could deploy the CoE teams to in fiscal 2019.

“That’s the vision, that we would have several agencies that the CoEs are in at one time,” she said at ACT-IAC’s Igniting Innovation event. “So, for the first substantiation, we all agreed it’s USDA and USDA alone. But as we look into 2019, we are looking at are there other agencies that we would bring on?”

The CoE program, announced in December, is built on five teams of IT talent specializing in cloud adoption, IT infrastructure optimization, customer experience, contact center services and service delivery analytics.

“So as we are evolving this model, the view is that it doesn’t have to be all five. We are going to be building up the teams also,” she said. “So our vision is that we are going to have similar tiger teams. Obviously, they have a very specific skill, but they would go into the next agency. So it’s not like the same team would do USDA and [another] agency.”

The ongoing USDA modernization project is currently in its assessment phase of what is projected to be a three-year overall project, with each team on a separate timeline.

USDA CIO Gary Washington said he expects the implementation phase to begin this fall after the agency assessment and game-planning by the CoE teams are complete.

“We have set ambitious, but realistic timeframes to accomplish this,” he said.

Collins-Smee added that GSA and USDA would be revealing some of that assessment information, as well as the timeline for the implementation phase, in an industry day next month.”

https://www.fedscoop.com/gsa-weighing-multiple-initiatives-next-coe-projects-2019/


6 Predictions On How A New Strategy Could Change What The Pentagon Buys


“C4ISRNET”

“During a speech at Johns Hopkins University in January 2018, Jim Mattis, the secretary of defense, unveiled an updated version of a Pentagon document called the National Defense Strategy.

C4ISRNET asked industry leaders to explain how this shift could play out. Individually, their answers are compelling, but together they create a rich portrait of modern warfare.”

___________________________________________________________________________________________

“After nearly 17 years of war in Iraq and Afghanistan, the new document fundamentally changed the direction of the Department of Defense. Now, the Pentagon is turning its attention to what it describes as a near-peer competition — in other words: China and Russia — and away from the counterterrorism mission.

But with the new focus comes a shift in battlefield technology. The strategy calls for updated nuclear command and control, investments in space, and greater integration of cyber.

CYBER

WHAT WILL CHANGE: More sophisticated cyberattacks

WHAT THE PENTAGON WILL WANT: More automation with cyber and more visibility of who’s on the network

NAME: David Mihelcic, federal chief technology and strategy officer, Juniper Networks

Near-peer adversaries are willing to expend significant resources — both in terms of people and money — to penetrate or disrupt federal networks critical to the security and economic health of the United States. Likewise, near-peer adversaries’ tools and techniques are far superior to those used by more typical criminal hackers. As such, we’re going to see threats against federal networks increase exponentially. In response, federal agencies must defend all their network assets and those of the nation, whether they exist in legacy or cloud environments.

Agencies must proactively hunt near-peer adversaries that are attempting to or have already established a foothold within federal networks. These same techniques must also be adopted by operators of enterprise and service provider networks. U.S. Cyber Command and the Department of Homeland Security will need to be prepared to respond in kind if adversaries act against our defense and civilian networks, as well as our national critical infrastructure. Remember that DHS is tasked with protecting the entire country, not just the federal government. To do that, the department must be prepared to respond to cyberthreats to commercial networks.

Security automation will be critical. Automation can also greatly reduce the risk of human error, such as the accidental exposure of highly sensitive data to potential bad actors.

Agencies will also need increased visibility into all aspects of their network environments. Near-peer adversaries’ attack methods are growing increasingly sophisticated. They may target applications, devices or other means, and are motivated to find vulnerabilities that CIOs may not even realize exist. Federal IT professionals must have tools in place that allow them to identify and remediate those vulnerabilities and quickly react to potential threats.

UNMANNED

WHAT WILL CHANGE: More resilient multidomain weapons systems

WHAT THE PENTAGON WILL WANT: More underwater drones to provide intelligence, surveillance and reconnaissance

NAME: Bill Toti, president, L3 Maritime Sensor Systems

Imagine the USS TEXAS approaches the coast of a foreign harbor. The ship slows to near-hover, and from one of its torpedo tubes emerges a swarm of 30 Iver-PW unmanned underwater vehicles. They swim out, then spread into a pattern equidistant in lateral distance and depth, autonomously station-keeping. They scan the ocean volume for bottom, moored and floating sea mines, reporting mine detection in real-time. After completing the deep survey, they continue on to perform hydrographic survey of the beach to prepare for an upcoming Marine amphibious landing. The entire operation is done within six short hours. Before this technology was available, the process would have taken 100 divers over three weeks to perform comparable surveys.

Not far away, an extra-large underwater drone plants an active sonar projector on the sea floor, which immediately goes active. A series of six medium-diameter Iver-5 unmanned underwater vehicles orbit up to 30 miles away carrying passive receivers, bi-statically tracking four adversary submarines in the area.

Further out to sea, one of 50 deployed Bloodhound unmanned surface vehicles is guided to a target datum by shore-based antisubmarine warfare command-and-control forces. A HELRAS dipping sonar is automatically lowered through a moon bay on the Bloodhound, immediately detecting the target, a cruise-missile firing submarine. The USV then reels in the dipping sonar, autonomously repositioning, then dips its sonar again and starts pinging, regaining track. This Bloodhound USV is able to track the submarine for weeks, until hostilities begin and a P-8 Poseidon aircraft outfitted with an MX-20HD electro-optical sensor system is dispatched to launch a torpedo and destroy the submarine from standoff range.

More resilient multidomain drone systems could benefit ISR needs.

SPACE

WHAT WILL CHANGE: Adversaries may have counterspace technologies

WHAT THE PENTAGON WILL WANT: Greater space capabilities and resilient satellite communications

NAME: Rebecca Cowen-Hirsch, senior vice president of government strategy and policy, Inmarsat Government

The DoD’s new national defense strategy places even greater emphasis on the urgency for enhanced threat awareness in space, along with the protection of critical assets, both military and commercial on orbit. In contrast to insurgents in the Middle East, a near-peer adversary is more organized, strategic and state funded, and thus positioned to engage aggressively across multiple domains.

Indeed, a future conflict of this nature would likely involve troops and unmanned assets on the ground, in the air and at sea; satellite jamming incidents; on-orbit threats; and state-sponsored cyber intrusions targeting electric power grids, nuclear plants and other critical infrastructure across the globe.

The National Defense Strategy asserts that an attack on critical components of the U.S. space architecture “will be met with a deliberate response at a time, place, manner and domain of our choosing.” In support, the space industry’s focus must be on the broadest areas of support for C4ISR, for both military and commercially supplied satellite communications platforms. This means continued investment into wideband and additional, protected communications, network diversification, backhaul performance, Overhead Persistent Infrared technologies and enhanced augmentation for GPS. This new strategy shifts focus of some mission sets to support advancements in maritime and aeronautical ISR and other highly mobile tech demanding of resilient SATCOM.

The adversaries here are not “new,” but their tactics and capabilities have and will continue to evolve and expand. To respond, commercial, defense and intelligence assets must prepare to deter, detect and defend against these threats — whether on land, in the air, at sea, space and cyberspace.

ELECTRONIC WARFARE

WHAT WILL CHANGE: Near-peers will have significant jamming capabilities

WHAT THE PENTAGON WILL WANT: More software-defined hardware

NAME: Christopher Rappa, product line director for RF, electronic warfare and advanced electronics, BAE Systems FAST Labs

Past counterterrorism operations revealed the difficulties of fighting an asymmetric battle with a determined, cunning and agile adversary. Insurgents leveraged commercial technology, including cellphones and social media, for battlefield coordination and off-the-shelf components in improvised explosive devices. This use of easily accessible technology stressed the defense acquisition pipeline. Solutions required disproportionate investment and continued to be countered at great cost.

In concert with explosive demand in consumer products, radio frequency microelectronics and processing components are continuing to evolve and grow with no sign of slowing down. Additionally, the hardware is becoming more and more defined by software, enabling flexibility with minimal cost impact. The defense technology acquisition pipeline wasn’t designed to keep up and that is not necessarily the case for near-peer competitors. The DoD and industry need to and can move faster.

Due to long acquisition cycles and a lower historical priority, the technology disparity is extremely evident in electronic warfare. Advancements in off-the-shelf software-defined systems enable waveform flexibility and agility where parameters can be changed between transmissions. Agility means uncertainty, driving us toward the development of cognitive, adaptive and coordinated EW systems that can adjust to counter new and emerging threats. Key innovations in those systems are required to not just keep pace with the commercial capabilities, but also to provide an edge over the near-peers who will be leveraging that technology and have been investing heavily to disrupt our command of the electromagnetic spectrum while the U.S. focused on the counterterrorism mission.

With a renewed focus on near-peer adversaries, the Department of Defense has reprioritized EW technology development. The next generation of electronic warfare technology will not be dulled by a peer’s ability to leverage commercial technology, a lesson learned from IEDs many years ago.

Satellite imagery could play a critical role in understanding China and Russia.

GEOINT

WHAT WILL CHANGE: The U.S. will have interest in an enormous geographic area

WHAT THE PENTAGON WILL WANT: Machine learning to process giant imagery libraries.

NAME: Walter Scott, executive vice president & chief technology officer, Maxar Technologies

One area that’s become increasingly important is the ability to derive intelligence and insight from volumes of data that are far larger than what human analysts can process naturally. Machine learning in the last few years has reached the point where it’s become an effective massive force multiplier, allowing talented and highly trained analysts to focus their efforts on the places and things that are most likely to have mission significance.

This is important because the relevant geographies are now larger than ever, and the adversaries are more capable. In the 1990s, you had to know where to look. In today’s world, it’s not the stuff you know about that’s going to hurt you — it’s the stuff you don’t know. So, you basically must look everywhere. We’ve greatly expanded our ability to collect imagery to the point where DigitalGlobe is now producing on the order of 80 terabytes of imagery product every day. It would take a single human analyst 85 years to extract just one single feature from that volume of imagery.

Fortunately, the tools to exploit this deluge of data have also been advancing very rapidly, enabling analytic results that might otherwise have gone undiscovered because there just aren’t enough eyeballs in the world to look at every pixel that’s being collected.

IT & NETWORKS

WHAT WILL CHANGE: DoD will rely more heavily on the cloud

WHAT THE PENTAGON WILL WANT: More cloud services

NAME: Lawrence Hollister, executive director, Cubic Mission Solutions

Unconventional warfare is becoming the new normal. As technology evolves and data to decision speeds are increased, the need for a distributed edge cloud architecture or tactical cloud is a must. The tactical cloud is an operating environment where information, data management, connectivity and command and control are core mission priorities.

To best meet the challenges of future peer and near-peer actors, we must exploit all aspects of fused ISR from multiple assets and leverage technology in secure communications.

Quickly capitalizing on the capabilities of the ever-changing information age will allow our forces to seamlessly share situational understanding across C4ISR systems in every domain.

Near-peer actors have highly effective communication denying capabilities, putting our reach back at risk, thus dislocating the edge teams. This is why a hybrid cloud concept with local tactical cloud applications that can run disconnected from reach back cloud infrastructures is so vital. Even though the multidomain tactical/edge cloud has external connections, the cyber threat is reduced or mitigated through the connections to the edge and theater-level secure gateways.

The tactical/edge cloud model is where every platform is leveraged as a sensor. This vision will enable more rapid, effective decisions and will provide a significant operating advantage. A distributed, self-healing, multidomain tactical/edge cloud that is difficult to penetrate significantly complicates an enemy’s pursuits and will force the enemy to focus more resources toward its own defense and offense. In its desired deployment, the tactical/edge cloud will strategically sever the enemy and will lead to and enable multidomain superiority.”

https://www.c4isrnet.com/industry/2018/05/09/6-predictions-on-how-a-new-strategy-could-change-what-the-pentagon-buys/


Defending Hospitals Against Life-Threatening Cyber Attacks

Image: phys.org

“FIFTH DOMAIN”

“Hospitals are unlike other companies in two important ways. They keep medical records, which are among the most sensitive data about people.

And many hospital electronics help keep patients alive, monitoring vital signs, administering medications, and even breathing and pumping blood for those in the most dire conditions.”

__________________________________________________________________________________________

“A 2013 data breach at the University of Washington Medicine medical group compromised about 90,000 patients’ records and resulted in a US$750,000 fine from federal regulators. In 2015, the UCLA Health system, which includes a number of hospitals, revealed that attackers accessed a part of its network that handled information for 4.5 million patients. Cyberattacks can interrupt medical devices, close emergency rooms and cancel surgeries. The WannaCry attack, for instance, disrupted a third of the UK’s National Health Service organizations, resulting in canceled appointments and operations. These sorts of problems are a growing threat in the health care industry.

Protecting hospitals’ computer networks is crucial to preserving patient privacy – and even life itself. Yet recent research shows that the health care industry lags behind other industries in securing its data.

I’m a systems scientist at MIT Sloan School of Management, interested in understanding complex socio-technical systems such as cybersecurity in health care. A former student, Jessica Kaiser, and I interviewed hospital officials in charge of cybersecurity and industry experts, to identify how hospitals manage cybersecurity issues. We found that despite widespread concern about lack of funding for cybersecurity, two surprising factors more directly determine whether a hospital is well protected against a cyberattack: the number and varied range of electronic devices in use and how employees’ roles line up with cybersecurity efforts.

A wide range of devices

A major challenge in hospitals’ cybersecurity is the enormous number of devices with access to a facility’s network. As with many businesses, these include mobile phones, tablets, desktop computers and servers. But they also have large numbers of patients and visitors who come with their own devices, too – including networked medical devices to monitor their health and communicate with medical staff. Each of these items is a potential on-ramp for injecting malware into the hospital network.

Hospital officials could use software to ensure only authorized devices can connect. But even then, their systems would remain vulnerable to software updates and new devices. Another key weakness comes from medical equipment offered as free samples by device manufacturers who operate in a competitive market. They’re often not tested for proper security before being connected to the hospital network. One of our interviewees mentioned:

“In hospitals … there’s a whole underground procurement process whereby medical device vendors approach clinicians and give them lots of stuff for free that eventually makes its way on to our floors, and then a year later we get a bill for it.”

When new technologies bypass regular processes for purchase and risk assessment, they aren’t checked for vulnerabilities, so they introduce even more opportunities for attack. Of course, hospital administrators should balance these concerns against the improvements in patient care that new systems can bring. Our research suggests that hospitals need stronger processes and procedures for managing all these devices.

Staff buy-in

Getting hospital administrators to understand the importance of cybersecurity is fairly straightforward: They told us they’re worried about costs, institutional reputation and regulatory penalties. Getting medical staff on board can be much more difficult: They said they’re focused on patient care and don’t have time to worry about cybersecurity.

People typically treat cybersecurity protections as secondary to what they’re trying to get done. One person we interviewed described why some staff committed the cardinal cybersecurity sin of sharing a password:

“To use an ultrasound machine [you need a password, which] has to change every 90 days. [Staff] just want to use the ultrasound machine. It’s not holding a lot of patient data … so they create a shared login so that they can provide patient care.”

The needs can vary widely across a hospital, in ways that can be surprising – such as access to sites likely to carry malicious software. A chief information officer at a research hospital told us,

“I personally believe that hardcore pornography has no purpose on hospital supported devices. What did I do five years ago? I put up internet content filters that prevented people from navigating to pornography. Within five minutes, the director of psychiatry calls to tell me that we have a grant to study pornography in a medical context [so we had to modify our filters].”

These experiences are why we concluded that budget limitations are not as crucial to hospital cybersecurity as employee involvement. A hospital can buy as many pieces of hardware and software as it wants. If workers aren’t following organizational procedures, the technology won’t keep hospitals safe. Our research suggests that cybersecurity is as much about managing people as it is about technology.

Compliance is not security

The threat is nationwide, and keeps getting harder to defend against, as one chief information security officer told us:

“The nature of attacks is increasingly sophisticated. It used to be my biggest threat was … students. Today, it’s state-sponsored attacks, terrorism and organized crime. It’s more threats than ever before of a more serious nature.”

Unfortunately, many hospital administrators seem to believe that protecting data is as simple as meeting state and federal regulations. But those are minimum standards that don’t adequately address the threat. As one of our interviewees said,

“Compliance is a low bar. I guarantee that little health care organizations and hospitals would do nothing (without regulation). They would have a piece of paper on a shelf called their security policy. It’s needed as a backstop to get companies at least thinking about it. But being compliant does not solve the greater risk management problem.”

Our research shows that hospitals need to think beyond compliance. Also, with so few hospitals well defended against cyberattacks, all hospitals appear more attractive as potential targets. In our view, it’s not enough for hospitals to improve their own defenses – nor for regulators to raise standards. They should manage, and evaluate the security of, the devices on their networks and ensure medical staff understand how good cyber-hygiene can support good patient care. Further, policymakers, health care leaders and hospitals themselves should work together to make the industry as a whole less susceptible to attacks that threaten people’s privacy and their very lives.”

https://www.fifthdomain.com/opinion/2018/04/25/defending-hospitals-against-life-threatening-cyberattacks/

Atlanta Was Not Prepared To Respond To A Ransomware Attack

Image: Dan X. O’Neil

“STATESCOOP”

“A month after the SamSam ransomware virus infected its computer systems, Atlanta’s city government still struggles to provide several services to its residents.

The city is scrambling to dig out from arguably the highest-profile ransomware incident on U.S. soil yet, shelling out nearly $2.7 million in emergency contracts to IT consultants and crisis managers.”

________________________________________________________________________________________

“Water and sewer bills can’t be paid online or over the phone, and business licenses can only be obtained in person. Public Wi-Fi at Hartsfield-Jackson International Airport, the country’s busiest airport, was down for two weeks. City council members reported losing decades’ worth of correspondence. The municipal courthouse only regained the ability to schedule traffic-ticket hearings on April 16.

Atlanta officials may eventually give full accounting of how the March 22 ransomware attack was allowed to happen, and why the recovery process has been so slow and out of the public view. (The city last issued an official update on March 30.) But the hack hit just the right conditions to sow mayhem: In the weeks since officials were locked out of their systems for a $51,000 ransom demand, it’s been revealed that Atlanta’s municipal IT was woefully disorganized and outdated. Couple that with the recent swearing-in of Mayor Keisha Lance Bottoms, who by her own admission had not devoted much attention toward cybersecurity, and Atlanta became a ripe target for digital bedlam.

As recently as January, the city auditor was excoriating officials for a lax approach toward cybersecurity that left the government with obvious vulnerabilities, obsolete software and an IT culture driven by “ad hoc or undocumented” processes, according to a report published that month by the auditor’s office.

Not everyone is looking for someone to blame, though. Amid all the frustration that the cyberattack has caused, there’s one push for Atlanta to conduct a “blameless” review of the episode. But that seems like something that’s still a long way off from happening. Whatever the case, the attack was not surprising to cybersecurity experts.

“Atlanta is a fairly typical path,” said Max Kilger, a business professor who specializes in cybersecurity at the University of Texas at San Antonio. “These guys seem to be targeting organizations that work for the public good. There’s an urgency when a city gets taken down. The ransomware people are basically counting on that to leverage a payment out of these targets.”

Better to spend now than pay later

By all known accounts, Atlanta hasn’t paid up, though the mayor’s public remarks about it have been inconclusive. “Everything is up for discussion,” Bottoms said six days into the hack. The involvement of the FBI, which recommends ransomware victims refuse their attackers’ demands, suggests Atlanta hasn’t given in.

Kilger said a city as large as Atlanta, with a $2.1 billion budget, is a tempting target for ransomware operators because the ransom demand is so paltry compared to the city’s pocketbook. Even if Atlanta won’t pay, the hackers behind the SamSam ransomware are still running a tidy operation — collecting nearly $850,000 since their first attack in late 2015, according to analyses of the SamSam group’s bitcoin wallet. That includes payments from ransomware victims that did pay the bounties to recover their data, including Hancock Regional Hospital in Indiana and Yarrow Point, Washington, an affluent town of 1,000 residents just east of Seattle.

But in those cases, the targets went against the FBI’s advice. The bureau recommends against acceding to ransom demands for the simple reason that a ransomware victim has no guarantee that its attacker won’t “shoot the hostage” anyway. “Paying a ransom doesn’t guarantee an organization that it will get its data back — we’ve seen cases where organizations never got a decryption key after having paid the ransom,” the FBI advises.

If there’s money going anywhere, it’s to consultants. In the month since the hack, Atlanta has doled out more than half a dozen emergency contracts to cybersecurity firms like Secureworks, Fyrsoft, and CDW, and consulting services from Ernst & Young and Edelman to manage the public response. In Colorado, where a SamSam attack in February took out internal systems at the state’s transportation department, officials have spent between $1 million and $1.5 million on recovery so far.

Government IT officials might find it’s better to spend more money up front hardening their cybersecurity, rather than shelling out after a hack.

“If I were an executive, I would look at the risk equation,” said Walter Tong, a security architect at the Georgia Technology Authority, which manages the state’s IT infrastructure. “Is it worth spending the money or paying the ransom? I would not like to be in that kind of position.”

IT complacency

Tong’s office is not working on Atlanta’s recovery; he said it doesn’t offer the kinds of recovery services the city needs right now. But he said he knows the job of rebuilding the city’s computer systems will be a long one.

“It takes a while to rebuild and reconstruct applications and network devices,” Tong said. “Hackers choose targets and they find ways of getting there, whether it’s to cause a disruption of service or destruction of data, or both.”

Unlike other ransomware programs that take over networks when a user opens a phishing email or inadvertently runs a malignant program, SamSam infiltrates systems with brute-force attacks like guessing weak or default passwords until one breaks through. SamSam often targets Java-based application servers or Microsoft’s Remote Desktop Protocol.

Tong said his office often looks for those kinds of vulnerabilities in network settings and older devices. Had Tong’s team examined Atlanta’s systems, they would’ve found those conditions in abundance. The city auditor’s January report found nearly 100 government servers running on Windows Server 2003, which Microsoft stopped supporting in 2015.

“You can spend a lot of time on educating, making sure your network devices are patched and secure,” Tong said. “But once it happens, you have to have an instant response plan.”

The January audit report suggests Atlanta was nowhere near ready to deal with a cyberattack. Monthly scans conducted over the course of the audit found between 1,500 and 2,000 security vulnerabilities in Atlanta’s systems. In fact, the number of IT security flaws grew so large that city agencies slid into a habit of inaction, the audit stated.

“The large number of severe and critical vulnerabilities identified by the monthly vulnerability scan results metric has existed for so long the organizations responsible for this area have essentially become complacent and no longer take action other than to update the monthly report,” the document reads. “The significance of such a backlog of severe and critical vulnerabilities without corrective actions is evidence of procedural, technical or administrative failures in the risk management and security management processes.”

Don’t play the blame game

Whether the hackers who hit Atlanta knew it at the time, the ransomware arrived less than three months into the term of a new mayor who admitted after the hack that cybersecurity had not been one of her administration’s priorities. That was a shift from her predecessor, Kasim Reed, who often played up Atlanta’s emergence as a hub for the cybersecurity industry: The city is home to companies like SecureWorks and Bastille, and Reed went on trade missions to Israel to get that country’s cybersecurity firms to invest in Atlanta. Internally, Reed’s chief information officer, Samir Saini, oversaw some IT upgrades, like moving city employees from Microsoft Exchange servers to Microsoft’s cloud services.

Saini was snatched away by New York Mayor Bill de Blasio in January, leaving Saini’s former deputy, Daphne Rackley, as the interim CIO. Then on April 9, Bottoms shook up the city’s leadership by asking everyone in her 35-member cabinet, which is still comprised mostly of holdovers from Reed’s administration, to submit letters of resignation. Bottoms hasn’t announced who she’ll be keeping and who she’ll be replacing, but the ransomware attack has made the CIO job a crucial one to watch.

“Just as much as we focus on our physical infrastructure, we need to focus on the security of our digital infrastructure,” Bottoms said a few days after the hack.

But blame for the ransomware attack and responsibility for making sure it doesn’t happen again aren’t necessarily synonymous. Code for Atlanta, a Code for America brigade that advocates for better technology in municipal government, wants Bottoms to eventually order a report that avoids assigning blame.

The idea of a “blameless post-mortem” is widely attributed to developers at the craft site Etsy. In a 2012 post on Etsy’s developer blog, John Allspaw, then a senior vice president at the company, wrote that software engineers respond better to errors and accidents when they know there’s not an overt threat of punishment.

“[A]n engineer who thinks they’re going to be reprimanded are disincentivized to give the details necessary to get an understanding of the mechanism, pathology, and operation of the failure,” Allspaw wrote. “This lack of understanding of how the accident occurred all but guarantees that it will repeat. If not with the original engineer, another one in the future.”

Other companies, including Google, have since adopted that model of review after things go wrong. Code for Atlanta believes that model could work in the public sector, too.

“We want folks in city government to be accountable, but for us it’s more about a culture change,” the group’s leader, Luigi Ray-Montanez, told StateScoop. “When I was at city hall I saw this poster warning people to be wary of cyberattacks. It seems like they were aware of internet culture, but obviously mistakes were made.”

Atlanta City Auditor Amanda Noble told reporters when the audit was first publicized that city officials had started to upgrade their IT security when the ransomware attack hit. But the majority of recommendations the audit made are unlikely to be completed until the third and fourth quarters of 2018.

Despite a recent push to make her government more transparent — including plans to create websites on which the public can track city contracts and municipal data — Bottoms hasn’t given an official statement on the ransomware recovery in weeks. Her office has not responded to requests for an update. Rackley, the acting CIO, has not responded to requests for an interview.

Tong, the security architect for the Georgia Technology Authority, said the city’s current silence might be at the behest of the investigators.

“It’s an active investigation and they likely can’t disclose what’s going on,” he said.

The recovery time for a ransomware victim that doesn’t pay off its attacker can be long. The Colorado Department of Transportation was only 80 percent back online six weeks after it was hit by the SamSam virus. Atlanta’s systems have been flickering back on in spurts, with many public services still rolled back to the pen-and-paper era.

Atlanta’s IT professionals and the contractors it has hired in the wake of the attack are scrambling to patch the holes and upgrade to more secure systems. But lingering out there now, for Atlanta and everywhere else, is the threat of more ransomware attempts to come.

“This is one of many ransomware attacks, and there will be many more,” Kilger, the Texas professor, said. “It’s going to get worse.”

https://statescoop.com/atlanta-was-not-prepared-to-respond-to-a-ransomware-attack

U.S. Defense and Justice Departments Signalling Massive Cloud and Services Single Award Contracts


“FEDSCOOP”

“The DOD team leading the Joint Enterprise Defense Infrastructure cloud procurement released the second draft of its working request for proposals Monday. The contract’s single award acquisition strategy remains.

The FBI is interested in pursuing an “all-encompassing” $5 billion contract to provide all IT services across the Department of Justice.”

_______________________________________________________________________________________

“In second draft, DOD stands firmly by single award for JEDI cloud contract”

“Despite numerous questions and comments pushing for the Department of Defense to reconsider its decision to award a single contract for its forthcoming landmark commercial cloud acquisition, it appears the department isn’t budging.

The decision to award a single contract has drawn ire from all around the government cloud industry and largely driven the conversation concerning JEDI since its inception. The questions and comments attached to the new release of the RFP largely reflect industry’s refusal to accept that a single award would be in the best interest of the DOD, as it could handcuff the department to a single cloud provider for up to 10 years, limiting innovation and removing a failsafe in the event of an outage.

In many cases, the team’s response was: “Your comment has been noted. The requirement remains as stated.”

And many respondents asked for the written justification for a single award contract, which is required by federal acquisition law, to be made public. But DOD won’t indulge them “at this time.”

However, another frequent answer about teaming and subcontracting leaves the door open for vendors to get creative despite there being one award up for grabs. Asked if cloud service providers can partner together under a single prime contractor or some similar arrangement, the department responded, “Offerors may propose any kind of teaming/partnering arrangement so long as the proposed solution meets the requirements of the solicitation.”

https://www.fedscoop.com/jedi-cloud-contract-second-draft-dod-pentagon/

FBI weighs $5B ‘all-encompassing’ IT contract for Justice Department

The FBI is interested in pursuing an “all-encompassing” $5 billion contract to provide all IT services across the Department of Justice.

The bureau issued a request for information for a centralized contract covering a range of IT services that would be awarded in March 2019.

The FBI’s Information Technology Acquisitions Unit has been pursuing a new IT contract to replace the current $30 billion Information Technology Supplies and Support Services (ITSSS) blanket purchase agreement, which is set to expire in October. It’s unclear why the proposed new contract’s ceiling would be so much less than its predecessor, but since it’s an RFI, that could change based on industry feedback.

The new RFI outlines a possible indefinite delivery, indefinite quantity contract with a one-year base period — followed by nine yearlong option periods — to start in March 2018. The new timeline envisions that a final solicitation would be issued in August and be due Oct. 5, but it makes no mention of a bridge contract for the expiring contract.

The new contract would be split into several sections, covering agile, development, operations and maintenance, engineering services, IT consulting, IT scientific services, cloud, Telecomm, IT services, cybersecurity, IT security services, and IT help desk support across the entire Justice Department.

Interested vendors have until April 20 to respond to the RFI. FBI officials plan to hold a follow-up industry day April 30.

FBI officials also recently issued an RFI seeking information on a cloud computing solution.”

https://www.fedscoop.com/fbi-weighs-5b-enterprise-wide-contract/

Risks In Police Use of Body Camera Real Time Facial Recognition


Real Time Facial Recognition

“THE PROJECT ON GOVERNMENT OVERSIGHT”

“Real-time facial recognition is especially concerning because it means that body cameras will continuously scan the face of everyone passing police officers on the street, and immediately log and relay data.

The Wall Street Journal reported that body camera vendors are preparing body cameras with real-time facial recognition capabilities, and law enforcement agencies could potentially deploy them as soon as this fall.”

____________________________________________________________________________________________

“In recent years, we at The Constitution Project have warned that adding facial recognition scanning to police body cameras poses serious risks that could undermine basic privacy and due process rights. Unfortunately, the time to prepare for these risks is running out.

Before adding real-time facial recognition to body cameras, it’s critical that departments and lawmakers implement necessary measures to avert the unprecedented mass collection of the identity and location of individuals in public:

Set Standards for Police Action that do not Depend upon Facial Recognition

A major issue law enforcement must confront before deploying facial recognition is its inaccuracy. It is well documented that despite its immense power, facial recognition technology is often wrong, especially when identifying racial minorities. Specifically, these systems are prone to generating false positives, in which the technology identifies a match (e.g., says a person on the street matches the face of a wanted criminal) when in reality the faces are of two entirely different people.

It’s not hard to see how this situation could spin out of control with real-time facial recognition on police body cameras. What if an officer’s camera misidentifies an innocent person as a dangerous fugitive at large, leading to a violent incident? Even a commonly accepted police use for facial recognition—searching for a missing child—could turn horribly wrong if a false positive leads an officer to confront a parent as an abductor. Body camera use has grown exponentially because many saw it as a means to improve community-police relations and reduce use-of-force incidents, but adding facial recognition could inflame these problems. Even if misidentifications do not result in use of force, a mere arrest has serious consequences for individuals. They can be detained, fingerprinted, and subject to strip searches—all merely because a computer program was wrong.

It’s critical that before police add real-time facial recognition to body cameras, they set proper limits on the degree to which officers can rely on the identifications provided by an imperfect system. At a minimum, facial recognition should not be allowed to serve as the sole basis for an arrest or any use of force. Officers should seek means of corroborating an identification, and in the event of conflict, base their decision on what action to take on the totality of circumstances rather than completely trusting the determinations of a facial recognition program. This principle is consistent with current practices; departments such as the NYPD already require human review to confirm results when facial recognition is applied to crime scene footage. These measures are necessary not just to prevent improper conflicts and arrests, but also to avoid a perverse incentive to build systems that generate more false positives, which would give police more pretexts to stop or arrest people, while limiting their liability for those actions because the identifications were based on the technology.

Limit Facial Recognition Scans and Identifications to Serious Crimes

Another serious risk that facial recognition poses is giving police “arrest-at-will authority,” and this potential is greatest when real-time facial recognition is incorporated into body cameras. Arrests may be a common police function, but they usually occur in response to specific assignments or situations, rather than in a random or opportunistic manner.

In some municipalities, a huge portion of the population has active bench warrants for minor violations, such as unpaid parking tickets (which people often don’t know can lead to an arrest warrant). For example, a 2015 Department of Justice investigation revealed that 16,000 out of the 21,000 residents of Ferguson, Missouri, had outstanding warrants.

A patrol officer may be able to keep an eye out for the faces on a most-wanted list, but they can’t memorize tens of thousands of people with outstanding warrants for petty offenses. Facial recognition changes that: This technology can take a face and scan it against millions of photos in a second. With this tool, every officer could be notified whenever they encounter an individual with any outstanding warrant, no matter how trivial the offense, and have free rein to arrest them.

This creates serious risk of abuse, as The Constitution Project’s comprehensive report on police body cameras—whose signatories include both civil liberties advocates and former law enforcement officers—warned. This “arrest-at-will authority” could also be wielded to disrupt First Amendment-protected activities. Police could use real-time facial recognition to scan crowds at protests or political rallies, and then arrest anyone flagged for any potential offense, no matter how trivial. Fear of such abuse isn’t paranoid—we’ve already seen it attempted. In 2016, police scanned for and identified any individuals with outstanding warrants among those protesting police brutality in Baltimore, using a social media scraping software tool called Geofeedia. The platforms Geofeedia scraped its data from (Facebook, Twitter, Instagram) quickly cut off Geofeedia’s access to end the program, but with police using body cameras equipped with facial recognition, there is no such middleman to block misconduct. This will allow law enforcement to directly disrupt and chill participation in First Amendment-protected activities.

The solution to these issues is simple: Facial recognition incorporated into body cameras should only be used in relation to an enumerated set of serious crimes. This would set an effective balance, preventing potential abuses stemming from overbroad use while still allowing a system to flag serious threats for officers. Limiting use of powerful technological tools to serious offenses has precedent. The Wiretap Act, which sets the foundation for law enforcement surveillance of phone calls and electronic communications, is only allowed to apply to a list of serious crimes. The government cannot wiretap everyone suspected of parking violations, and it shouldn’t be able to deploy mass surveillance across American cities for such minor offenses either.

Provide Oversight to Prevent Unfettered Location Tracking

A final risk is that real-time facial recognition in body cameras creates a new avenue for location tracking that is devoid of accountability or oversight. Currently, law enforcement location tracking is mostly conducted by tracking cellphones; the United States Supreme Court is currently reviewing whether this should require a warrant. However, even if the Supreme Court does not impose a warrant standard, cellphone location tracking still requires some court approval. Facial recognition and body cameras, which currently do not require court approval to use, could cut out this independent oversight entirely, circumventing a basic due process protection.

Given the sheer scale of use of police body cameras in populated areas, facial recognition could allow law enforcement to rapidly scan and locate anyone they desire, and track their movements. This would circumvent privacy rights and independent oversight. It could also chill sensitive activities: If someone sees an officer near a protest, house of worship, political rally, or medical facility, they might (and should) worry that their presence at that location (along with every other attendee) is being logged.

In order to prevent abuse and preserve due process, it’s vital that a court approve any use of body cameras with facial recognition for location tracking, just as court approval is currently a key component of oversight of other forms of electronic location tracking. The best specific rules and standards for this activity may become more clear in light of the Supreme Court’s ruling on cellphone tracking later this spring, but at a minimum police departments should begin preparing to incorporate independent oversight into any type of location tracking for body cameras with facial recognition. The technology is too powerful—and location information is too sensitive—for law enforcement to be unchecked in its use.

There are a variety of avenues towards setting effective policies for body cameras. Some police departments have directly stepped up and adopted effective internal guidelines. In other locations, cities have established rules to ensure body cameras provide accountability rather than overbroad surveillance. State legislatures have also set limits to stop body cameras from becoming too pervasive as a surveillance tool. Individuals should consider engaging at all of these different levels of government, but now is the time to act. If we do not, we could soon be in a world where the government has an eye on every street corner, with little oversight or accountability about how it uses this immense power.”

http://www.pogo.org/blog/2018/04/three-key-reforms-for-facial-recognition-and-body-cameras.html

Federal IT Modernization Centers of Excellence Launching In Major Agencies


Centers of Excellence In Federal IT

“FEDSCOOP”

“The biggest IT modernization of all time.

Two million employees, roughly, non-military inside the government, a budget of $100 billion, thereabouts, 330 million customers, and we’re somewhere between five and 20 years out of date in terms of a lot of the systems we’re trying to modernize.”


“The IT Modernization Centers of Excellence team at the U.S. Department of Agriculture kicked off work this week, according to the program’s lead.

Joanne Collins-Smee, executive director of the CoE effort led by the General Services Administration in partnership with the White House, told attendees Thursday at FedScoop’s IT Modernization Summit that the “first phase” of the project launched April 2.

Collins-Smee said there is a team of 10 USDA IT personnel who report to her office that is embedded in the Centers of Excellence for the next two years. Those experts will pair up with the five industry vendors awarded contracts in March to bring private sector best practices to the department’s modernization efforts in five areas: cloud adoption, IT infrastructure optimization, customer experience, contact-center performance and service delivery analytics.

These aren’t just any 10 USDA technologists. The department had “a brilliant idea that we are now going to use across the rest of the government,” Collins-Smee said. “They ran a top-talent contest for their IT team and selected 10 people that are now embedded in the CoEs for two years.”

She called the CoE detailees “leaders already recognized in IT at USDA.”

“They will continue to have the DNA and really effect that cultural change within the organization,” Collins-Smee said. “Never mind the other stroke of brilliance is they know where everything is buried with the organization, right? They’re top talent across USDA. It was a brilliant idea, and we were noodling on this thing about culture change and how do we effect the best culture change.”

Over the next two years, Collins-Smee’s office, the team of 10 at USDA and the five vendors will focus on some of the “big rocks” challenging IT modernization efforts, she said. Initially, the work will be done at the department-level at USDA, but then they’re “bringing those practices to other agencies.”

Chris Liddell, who leads IT modernization efforts for the White House Office of American Innovation and has championed the idea for IT CoEs since he joined the Trump administration, said the effort develops a needed institutional capacity for federal IT modernization.

“This will not be fixed in one year, it won’t be fixed in two years, it may not even be fixed in one or two administrations,” said Liddell, who was named recently as one of President Donald Trump’s deputy chiefs of staff. “This is a multi-year journey that we are all going on. So creating institutional capacity to effect change is critical, and that’s where the Center of Excellence fit in. They’re a central source, as the name suggests, of expertise that can help firstly one agency but thereafter the whole sets of agencies in their individual modernization approach. So it’s a critical part of an overall strategy toward IT modernization across the government.”

The IT modernization the U.S. federal government faces is unprecedented, and “orders of magnitude bigger than” the private sector transformations the New Zealand native and former Microsoft CFO has dealt with in his career.

“The journey we’re going on is probably the biggest IT modernization of all time,” Liddell said. “We’re talking about two million employees, roughly, non-military inside the government, a budget of $100 billion, thereabouts, 330 million customers, and we’re somewhere between five and 20 years out of date in terms of a lot of the systems we’re trying to modernize.”

https://www.fedscoop.com/usda-modernization-centers-excellence-joanne-collins-smee/

U.S. Air Force To Outsource All Traditional IT And Concentrate on Mission/Security

Air Force Outsource IT

Image:  EVERYTHING POSSIBLE/SHUTTERSTOCK.COM

“NEXT GOV”

“Many agencies and departments manage IT services like email, calendars and the like across their enterprises.

According to one of its top tech officials, the U.S. Air Force is trying to get out of that business, preferring instead to contract those services to commercial vendors.”


“We want to get totally out [of that business],” said Frank Konieczny, chief technology officer for the Air Force. Konieczny spoke Wednesday at the ATARC Federal Cloud Computing Summit.

Faced with an IT workforce shortage, Konieczny said it makes more sense to outsource the work to industry entities than to continue training a revolving door of airmen.

“We don’t want to manage anything that’s IT, so we are pushing everything out to other vendors, commercial vendors, even for our own bases,” Konieczny said. “We’re going to outsource all that capacity and data centers at the base level as well. We do not have enough airmen to actually do the jobs, so we’d rather buy the expertise from several contractors as opposed to training people. That’s not their mission in life.”

Increasingly, the Pentagon, intelligence community and military branches have looked to commercial vendors to develop IT solutions in areas like email, electronic health records, and infrastructure. Those moves typically have a large impact on the existing workforce, freeing up federal IT personnel to perform other duties.”

http://www.nextgov.com/emerging-tech/emerging-tech-blog/2016/01/air-force-cto-we-dont-want-manage-it-anymore/125153/

Government Security Clearances Continue to Drop, Backlogs Remain


Security Clearances Status and Issues

“THE PROJECT ON GOVERNMENT OVERSIGHT (POGO)”

“Two major events in 2013—the Edward Snowden leaks and the Navy Yard mass shooting—combined with repeated instances of incomplete or fraudulent security background checks compelled the government to reduce the number of security clearances.

But even as the number of clearances drops, the backlog of pending clearance investigations remains a problem.”


“The number of individuals holding federal government security clearances continues to drop, according to a new report by the Office of the Director of National Intelligence (ODNI). According to the analysis, slightly more than 4 million government employees and contractors held clearances for access to classified information in fiscal year 2016, a 4 percent decrease from the previous year, and a 20 percent decrease from the peak of 5.1 million in FY 2013.

The report found that processing times for the longest cases increased at most agencies in FY 2016, and that there were more investigations pending for more than four months than in previous years.

Delays and backlogs have gotten worse since U.S. Investigations Services LLC (USIS)—the company that had screened and approved Snowden and Navy-Yard shooter Aaron Alexis—was given the heave-ho in 2014 after suffering a massive data breach. The company was also facing a fraud lawsuit accusing it of submitting thousands of background checks that were either incomplete or not properly reviewed—a lawsuit USIS and its parent company settled in 2015 for $30 million without admitting any fault or wrongdoing. USIS was the government’s key provider of background investigations.

According to the report, the intelligence agencies “are still negatively impacted by [the] limited number of background investigators available.”

We were surprised ODNI withheld certain data this year that had been included in previous reports. Specifically, the report does not break down the number of clearances held by government employees versus contractors, nor does it identify agencies by name. Omitting this information prevents the public from digging deeper into the findings—just check out the Project On Government Oversight’s analysis of ODNI’s FY 2015 report to get an idea of what’s been lost. (Extrapolating from past reports, we can estimate that roughly two-thirds to three-quarters of individuals holding federal security clearances in FY 2016—between 2.7 million and 3.1 million people—were government employees, and the rest were contractor employees.)

ODNI told the Federation of American Scientists it removed this information because it “might be of value to our adversaries.” Given that these particular statistics for earlier years are still publicly accessible—presumably without causing any harm to our national security—POGO isn’t buying the government’s explanation. We hope the Freedom of Information Act can pry this information loose.”

http://www.pogo.org/blog/2018/04/government-security-clearances-continue-to-drop-backlogs-remain.html

U.S. Army Prioritizes Research And Development (R&D) Funding And Intellectual Property Policies

Army Research and Development

“NATIONAL DEFENSE MAGAZINE”

“The idea is to put the money not on various projects that may have been growing with a life of their own, but instead bring that money back against the top six priorities.

More commercial model that may involve purchasing licenses from industry. Industry can also license intellectual property from the government.”


“The Army’s assistant secretary for acquisition, logistics and technology is looking to aid the service’s modernization efforts by implementing new policies regarding research and development and intellectual property.

Bruce Jette said the Army has already realigned R&D funds to meet its top modernization priorities, which include long-range precision fires, a next-generation combat vehicle, future vertical lift platforms, a mobile and expeditionary communication network, air and missile defense capabilities, and soldier lethality.

“The idea is to put the money not on various projects that may have been growing with a life of their own, but instead bring that money back against the top six priorities,” he said March 28 at the Association of the United States Army’s Global Force Symposium in Huntsville, Alabama.

Additionally, Jette’s office wants to give more freedom to researchers and lab directors by providing some funds that are specifically geared towards innovating technologies that the military may not have anticipated, he noted.

“We can’t … incrementally engineer breakthroughs, and that’s what we’re trying to do is give them the freedom to do that,” he said.

Jette said the service is also working to establish a fund aimed at crossing the “Valley of Death,” referring to the process for transitioning new technologies into existing programs of record.

For example, a senior commander “would sit there and say ‘OK, one of the guys has this project, he’s got it done, it’s ready, and do we want to actually put it into that program?’” Jette said.

Following consultation with the program manager, senior leaders would then make a decision on the way forward, he explained. “We decide it’s worth it. We do it with our eyes open and … then we fund the transition.”

Jette also wants to improve how industry and the government handle intellectual property. Both sides have been “sloppy,” he said.

“The government starts using your IP, you start using the government’s IP, you can’t get extricated and we begin having unpleasant complications,” he said. There needs to be movement towards a more commercial model that may involve purchasing licenses from industry, he added.

“I’ve done this on the outside. Show me the box — that’s your IP. Put that in the bid. Show me what the limits of that [are],” he said. “Tell me what you want to do for licensing … [and] we can have conversations.”

Industry can also license intellectual property from the government, he noted.

If “we built something and … you want to apply it commercially, you want to apply it to another effort, I’m willing to talk about licensing fees,” he said. “Most people don’t realize that, but the government can get paid for their intellectual property.”

http://www.nationaldefensemagazine.org/articles/2018/3/28/senior-army-acquisition-official-highlights-potential-policies