Category Archives: Computer Security

Android Devices Can Be Fatally Hacked by Malicious Wi-Fi Networks


Image: Samsung

“ARS TECHNICA”

“A broad array of Android phones are vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated.

The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices.

Apple patched the vulnerability with Monday’s release of iOS 10.3.1. “An attacker within range may be able to execute arbitrary code on the Wi-Fi chip,” Apple’s accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P “by Wi-Fi proximity alone, requiring no user interaction.”

Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn’t respond to an e-mail seeking comment for this post.

The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom’s wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini’s code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.

Basic mitigations missing

Besides the specific stack overflow bugs exploited by the proof-of-concept attack, Beniamini said a lack of security protections built into many software and hardware platforms made the Broadcom chipset a prime target.

“We’ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security,” he wrote. “Specifically, it lacks all basic exploit mitigations—including stack cookies, safe unlinking and access permission protection (by means of [a memory protection unit.])”

The Broadcom chipset contains an MPU, but the researcher found that it’s implemented in a way that effectively makes all memory readable, writeable, and executable. “This saves us some hassle,” he wrote. “We can conveniently execute our code directly from the heap.” He said that Broadcom has informed him that newer versions of the chipset implement the MPU more effectively and also add unspecified additional security mechanisms.

Given the severity of the vulnerability, people with affected devices should install a patch as soon as it’s available. For those with vulnerable iPhones, that’s easy enough. As is all too often the case for Android users, there’s no easy way to get a fix immediately, if at all. That’s because Google continues to stagger the release of its monthly patch bundle for the minority of devices that are eligible to receive it.

At the moment, it’s not clear if there are effective workarounds available for vulnerable devices. Turning off Wi-Fi is one possibility, but as revealed in recent research into an unrelated Wi-Fi-related weakness involving Android phones, devices often relay Wi-Fi frames even when Wi-Fi is turned off. This post will be updated if word of a better workaround emerges.”

https://arstechnica.com/security/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/
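The bug class the article describes, shown as an added example that is not Project Zero's proof of concept and not Broadcom's firmware. An 802.11 information element is a one-byte element ID, a one-byte length and a payload (that much is the standard); a parser that copies the payload into a fixed 32-byte SSID buffer using the length byte from the frame as the copy size overflows its stack, and without a stack cookie nothing notices before the function returns. The stack layout, the cookie and return-address values, the function names and the malicious element are all assumptions constructed for this demo; the hardened parser beside the vulnerable one shows the missing check.

```c
/* Added example, not Project Zero's PoC and not Broadcom firmware code. The
 * stack layout, names and values below are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX    32      /* an 802.11 SSID is at most 32 bytes */
#define IE_HDR_LEN  2       /* element ID byte + length byte */
#define IE_SSID     0       /* element ID of the SSID element */

/* Assumed layout of the parser's stack frame, modelled as one flat array so the
 * clobber is visible without undefined behaviour: 32-byte SSID buffer, then the
 * slot a stack cookie would occupy, then the saved return address. Sized for the
 * largest possible length byte (255). */
#define OFF_COOKIE      SSID_MAX
#define OFF_SAVED_LR    (SSID_MAX + 4)
#define STACK_MODEL_LEN 256
#define COOKIE_VALUE    0xC0FFEE11u
#define SAVED_LR_VALUE  0x00001234u

enum { PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_BAD_ID = -3 };

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the length byte arrives over the air and is used as the copy
 * size. frame_len bounds the read from the frame; nothing bounds the write. */
int ssid_ie_copy_unchecked(const uint8_t *frame, size_t frame_len, uint8_t *stack)
{
    if (frame_len < IE_HDR_LEN || frame[0] != IE_SSID) return PARSE_BAD_ID;
    size_t len = frame[1];
    if (IE_HDR_LEN + len > frame_len) return PARSE_TRUNCATED;
    memcpy(stack, frame + IE_HDR_LEN, len);      /* len > SSID_MAX runs past the buffer */
    return (int)len;
}

/* Hardened pattern: reject any length over the buffer size before copying, and
 * NUL-terminate so later string handling cannot read past the SSID either. */
int ssid_ie_copy_checked(const uint8_t *frame, size_t frame_len, uint8_t out[SSID_MAX + 1])
{
    if (frame_len < IE_HDR_LEN || frame[0] != IE_SSID) return PARSE_BAD_ID;
    size_t len = frame[1];
    if (len > SSID_MAX) return PARSE_TOO_LONG;
    if (IE_HDR_LEN + len > frame_len) return PARSE_TRUNCATED;
    memcpy(out, frame + IE_HDR_LEN, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed malicious element (not a real capture): length 40 = 32 bytes of
 * filler, 4 bytes over the cookie slot, 4 bytes onto the saved return address. */
static size_t build_evil_ssid_ie(uint8_t *frame, size_t cap)
{
    const size_t payload = SSID_MAX + 8;
    if (cap < IE_HDR_LEN + payload) return 0;
    frame[0] = IE_SSID;
    frame[1] = (uint8_t)payload;
    memset(frame + IE_HDR_LEN, 'A', SSID_MAX);
    put_le32(frame + IE_HDR_LEN + SSID_MAX, 0x41414141u);      /* lands on the cookie */
    put_le32(frame + IE_HDR_LEN + SSID_MAX + 4, 0xDEADBEEFu);  /* lands on the saved LR */
    return IE_HDR_LEN + payload;
}

struct outcome { uint32_t saved_lr; int cookie_intact; };

/* Run the unchecked parser on the constructed element and report the stack model
 * afterwards: the saved return address is now attacker-chosen, and a stack cookie
 * check (which the article says the firmware lacks) would have caught the
 * overwrite before the function returned. */
struct outcome unchecked_parse_outcome(void)
{
    uint8_t frame[64], stack[STACK_MODEL_LEN];
    size_t n = build_evil_ssid_ie(frame, sizeof frame);
    memset(stack, 0, sizeof stack);
    put_le32(stack + OFF_COOKIE, COOKIE_VALUE);
    put_le32(stack + OFF_SAVED_LR, SAVED_LR_VALUE);
    ssid_ie_copy_unchecked(frame, n, stack);
    struct outcome o = { get_le32(stack + OFF_SAVED_LR), get_le32(stack + OFF_COOKIE) == COOKIE_VALUE };
    return o;
}

/* The checked parser refuses the same element outright (returns PARSE_TOO_LONG). */
int checked_parse_of_evil(void)
{
    uint8_t frame[64], out[SSID_MAX + 1];
    size_t n = build_evil_ssid_ie(frame, sizeof frame);
    return ssid_ie_copy_checked(frame, n, out);
}

int main(void)
{
    struct outcome o = unchecked_parse_outcome();
    printf("saved LR 0x%08x, cookie intact %d, checked parser %d\n",
           (unsigned)o.saved_lr, o.cookie_intact, checked_parse_of_evil());
    return 0;
}
```

The flat array stands in for the live stack only so the clobber can be read back safely; in real firmware the same copy lands on the actual frame, and with no stack cookie, an MPU that leaves everything writable and executable, and no safe unlinking, an overwritten return address is already code execution, which is why a single bounds check on the length byte is the fix that matters.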


Sensitive Navy Information on Readiness Will No Longer Be Publicly Disclosed


Admiral John Richardson

“BREAKING DEFENSE”

“Chief of Naval Operations Adm. John Richardson issued a March 1 memorandum urging all naval personnel “to ensure we are not giving away our competitive edge by sharing too much information publicly.”

In their desperation to convince Congress that budget gridlock hurts military readiness, Navy officials made public some information that they shouldn’t have, Acting Secretary Sean Stackley told reporters here today.

Many of my fellow reporters here at the Navy League’s Sea-Air-Space conference said they’d felt a chilling effect from the CNO’s memo. I myself saw three admirals cite the need to say less in public. And, unlike in past years, the CNO himself didn’t address the conference in any public forum. (Richardson was consumed with prep for today’s congressional hearing on the danger of a full-year Continuing Resolution, Stackley said).

So naturally the new policy came up when Stackley sat down with us this afternoon. His response is worth quoting at length.

“We’re having a dialogue with Congress, trying to get Congress to understand the impacts associated with Continuing Resolutions, the shape that our budget is in, and the impacts that has on things like fleet readiness,” Stackley said. “And in doing that… what had been happening is, people were leaning further and further into talking about details associated with readiness — hey, that’s classified. We don’t promulgate that information.”

“We can share that information with the Congress behind closed doors, but we don’t want to share that information with our competitors,” Stackley continued, “so there has been a pullback in terms of how much detail we put out regarding materiel readiness.”

Stackley’s staff clarified to me afterwards that he was not accusing anyone of improperly disclosing classified information. That’s a relief. But a central point of the CNO’s memo, and of Stackley’s comment, was that even unclassified data can be damaging if disclosed.

“China’s watching everything that we do, and we want to be very measured about what we put out in open, public forums,” Stackley said. “Are we in fact sharing information that creates vulnerabilities, crosses the line in terms of security?”

“I’ve read pieces myself, I’ve seen things in the literature (that made me think), ‘what the heck is this doing in the press?’” Stackley said. “These are our secrets, and we don’t need them to know exactly what we’re doing, how we’re doing it.”

“We do have a responsibility to share information with the public, (but) we need to be more measured about the information we’re pushing out in the public domain,” Stackley said. “There’s some recalibration going on, rightfully so. We have a very aggressive competitor out there.”

http://breakingdefense.com/2017/04/navy-officials-overshared-sensitive-info-on-navy-readiness-stackley/

How Russian Hackers Will Attack the US Next


RZOZE19/SHUTTERSTOCK.COM

“DEFENSE ONE”

“The U.S. needs to be planning now how it will respond.

The question is not if Russia will conduct another major cyberattack on the U.S., but when.

Russia has been the subject of much American press speculation this spring, as questions and suspicions swirl regarding its involvement in alleged hacks during the U.S. presidential election. While the details of these specific attacks remain unclear, what is clear is the danger posed by the superpower’s well-established hacking prowess.

As such, America needs to be planning now how it will respond. In 2015, cyberthreat firm FireEye alleged Russian-nexus hackers had caused power and energy outages across Ukraine, impacting thousands of citizens. No other country has been so publicly accused of conducting a cyber-to-conventional attack (a cyberattack with visible, physical consequences). Russia’s leadership has also publicly prioritized its information warfare and cyberweapons. “Information is now a species of weapon,” wrote Russian major general Ivan Vorobvev in 2013.

As proven by the alleged hacking activities this U.S. presidential election, the fear of information warfare is very real. However, the US must also remain vigilant about cyber-to-conventional attacks; many of our critical infrastructure networks are littered with vulnerabilities, and consumer technology is moving more and more citizens into the line of battle.

Because cybertools have become so accessible, it’s unlikely even a limitless defense budget could stop every attack. With this in mind, response must be the key priority. Based on my qualitative analysis of Russia’s previous military motives, strategies and tools, any Russian attempt to exploit US cybervulnerabilities will most likely target the US’s communications and IT critical infrastructure.

Intensifying the Fog of War

Russia is unlikely to target other industries for a number of reasons. Historically, it has avoided attacks that could trigger a full-scale military response, preferring to intensify the fog of war and cause maximum confusion. Within this strategy, Russia is unlikely to target such important U.S. sectors as chemical, nuclear, public health, energy, or defense industries. Russia is also unlikely to seriously attack the U.S. financial, agriculture, or manufacturing industries, which could anger U.S. allies and damage Russia’s growing role in the global economy.

But attacks on communications and IT infrastructure could take several forms.

Targeting alert systems would prevent U.S. monitoring systems from catching intrusions fast enough. This could in turn precede tactics with more immediate conventional consequences. As an example, conducting denial-of-service attacks against central IT networks could cripple government operations, disrupting service for thousands of phone customers or severing internet access for millions of consumers. If timed well, a communications attack during wartime could disrupt national emergency alert services. This includes 911 networks and emergency broadcast stations. During a national disaster, this would have devastating consequences.

Russia could also target physical parts of national infrastructure managed (and defended) by private companies, including fuel centers, power sources, and trucks that transport IT components. These industries also rely heavily on the internet of things, with vulnerabilities in cloud and mobile computing.

The U.S. is certainly aware of these risks. Following the 2013 National Infrastructure Protection Plan, national leaders assessed all critical infrastructure for vulnerabilities, and proposed defensive plans. As a result, industry departments have started performing a number of routine checks, including information sharing, monitoring, and backing up essential information.

However, budgetary gaps remain a huge problem. The Obama administration asked for only $19 billion (yet to be received) for its 2017 Cyber Security Budget. While the Trump administration has included huge proposed increases for cybersecurity investment in its 2017 budget (including $61 million for the FBI to combat criminal encryption tools), the private sector spent approximately $80 billion on cybersecurity five years ago. Of note, none of these federal government cybersecurity budgets were, or have been, approved.

Hacking the Hackers

As a result of these budget constraints and realities, it’s crucial the U.S. focus its efforts strategically. As a minimal option, the U.S. could respond to a Russian cyberattack by conducting simple cyberintrusions against Russian internet networks, government websites, and communications services, causing disruptions and damaging Russia’s security credibility. For example, using the National Security Agency’s TreasureMap tool, which tracks all global connections to the internet, the U.S. could also place malware in these networks for future intelligence gathering.

A more aggressive response would involve conducting operations against Russia’s own critical infrastructure networks. By inserting logic bombs into Russian networks (tools that self-destruct once within systems), the U.S. could potentially damage the Russian economy. These same tools can be leveraged to cause even more damage if used to target dams, air traffic control towers or other infrastructure. Such actions would send a grave message, but the risk of escalation would be higher as well.

The most aggressive response would involve directly attacking Russian military targets by shutting off power at a nuclear facility or an airfield. Many Russian industrial networks run on Windows XP, a very old system, while remaining connected to the internet. Not only are these systems extremely vulnerable to attack, the U.S. has already shown it has the ability to do so. In November 2016, the U.S. reportedly penetrated Russian military systems and left behind malware, to be activated in the case of Russian interference of U.S. elections.

The problem with these cyberattacks is that the potential for counter attacks is infinite. Russia attacks the U.S. communications grid. The U.S. does the same. And on it would go, potentially until a physical war was started.

In 2016, Christopher Painter, the U.S. State Department’s coordinator for cyber issues, said “cyber activities may in certain circumstances constitute an armed attack that triggers our inherent right to self-defense as recognized by Article 51 of the UN Charter.” This means the U.S. could legally respond to a Russian cyberattack with conventional military forces, in an effort to deter Russia from escalating further.

But ultimately, there’s a reason the Obama administration referred to the plethora of powerful U.S. and Russian cybercapabilities as a digital arms race. The cycle is perhaps best described as an endless series of advantages, with Russia and the U.S. continuing to make each other more and more uncomfortable. And now Trump’s administration will need to figure out just how uncomfortable he is willing to get.”

http://www.defenseone.com/threats/2017/03/how-russian-hackers-will-attack-us-next/136469/?oref=d-river&&&utm_term=Editorial%20-%20Early%20Bird%20Brief

NATO Agency Seeking Bids for IT Modernization Program


Photo: NATO officials discuss future cyber initiatives at the NATO Communications and Information Agency. (NATO)

“NATIONAL DEFENSE MAGAZINE”

“The program will span at least four contracts and be worth up to $537 million, and is expected to be completed by mid-2018.

NATO’s communication and information technology arm is seeking industry partnerships as it takes on a multi-year modernization effort for its information-technology systems, according to the organization’s acquisition director.

The NATO Communications and Information Agency — which runs the information technology, communications and command and control for the multinational organization — has opportunities for defense and IT companies in various stages of the modernization program, Peter Scaruppe told National Defense in February.

“The IT modernization program is a very important one because it basically replaces all of the IT in all the NATO locations, and for all the NATO forces,” he said.

The program entails: streamlining NATO’s IT service offerings to increase efficiency and effectiveness; using a customer-funded delivery system to increase the flexibility and scalability of IT services; delivering services from a centralized set of locations; and implementing increased cyber security measures, according to the agency.

Next on the priorities list is introducing a cloud-based services enterprise design by this summer, which Scaruppe called a major part of the modernization program.

“Storage is an important issue for all current and future IT programs, because with big data and the availability of big data, it is increasingly important,” he said. “We are anxious to see what companies will provide.”

NCI Agency also plans to develop new data centers in Mons, Belgium, and Lago Patria, Italy, by early 2018, Scaruppe said. A third site has not yet been publicly revealed, but is being considered as an option “if and when we need it,” he said.

“This is for the IT support and operational support for NATO locations and operations,” he said.

NCI Agency has made concerted efforts in recent years to work more closely with industry to beef up its cyber defense capabilities. The agency contracts out about 80 percent of its work to the defense and security industries of NATO’s 28 current member-nations, Scaruppe said.

This year, the agency will host its annual industry conference in North America for the first time since it kicked off six years ago, rather than in a European country, “to note the transatlantic alliance,” he said.

The theme of the NCI Agency Industry Conference and AFCEA TechNet International — which will be held in late April in Ottawa, Canada — is “Sharpening NATO’s Technological Edge: Adaptive Partnerships and the Innovative Power of Alliance Industry.” The conference builds upon last year’s theme of why innovation is important to NATO’s technological needs, Scaruppe said.

“Especially in the IT and cyber world, we know that there are a lot of innovators out there … not exactly keen on working with an 800-pound gorilla like NATO,” he said. “Some are not familiar with the process, [so] we need to catch the right innovators.”

One major part of the conference is dedicated to innovation challenges where agency officials and industry will discuss pre-determined areas of study, he said. “We did this last year, very successfully, and we got lots of proposals, many more than we thought we would get.”

Conference attendees will learn of upcoming business opportunities with an overall budget of about $3.2 billion over the next two to three years, Scaruppe said.

Businesses also have the chance to speak with agency experts ahead of potentially bidding on a project.

“We do this every year, but we’re dedicating a lot more time to this part than usual [this year],” he said, adding that the agency hopes to attract more U.S. and Canadian industry members as a result.

Attendance rates at previous conferences have been about 70 percent European-based, Scaruppe said.

The agency is also looking to attract more cyber experts through the conference by running a next-generation skills exercise and innovators program, he said.

“We have a lot more work than we have staff for — and the same is true with the private companies — [and] we want to find innovative ways of how to attract these people, how to retain these people and also keep us current in the cyber exercise.”

http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=2448


De-Complicating Federal Cyber Security

(Photo credit: U.S. Army)

“FIFTH DOMAIN CYBER” – By Keith Lowry

When it comes down to it we’re dealing primarily with a people problem before a technical problem. People use technology to become cybersecurity and insider threats.

They also use low-tech tactics like social engineering and dumpster diving, too. Until the government realizes these concepts are connected, and that it can’t just purchase tools to address their vulnerabilities, it will always lag behind the threat.

“The nine most terrifying words in the English language are, ‘I’m from the Government, and I’m here to help.’” ~President Ronald Reagan

It might seem like hyperbole to claim that anything the government does hinders, and doesn’t help, progress. I’d like to think differently, but my experience gives President Reagan’s statement a certain level of credibility. Too many times, government agencies are convinced that doing things on a large scale will solve individual problems or issues. This attitude leads to massive delays and a lack of attention to the small but important details.

Making Simple Things Complex

During my tenure at the Pentagon, it was almost impossible to develop, coordinate, authorize and publish any policy within two years. Even if a proposed policy was extremely important, it just took too long to implement. If the Department of Defense has such issues in developing policy, then consider how difficult it must be to develop and publish policies that span across the entire spectrum of the government.

Governments inherently make simple things complex, and complicate obviously simple tasks. Because of this, I inherently question any program driven by a government agency or organization that claims it is “here to help.”

Large scale government programs are often initiated to create cost effectiveness, but what is the cost if the program takes years to develop and implement? Even worse, the fast-paced cycle of technological advances makes measuring program development in terms of years a huge problem. The opportunity costs coming from a breach or system downtime far outweigh any fiscal savings. Add in the fact that many government agencies will fight for ownership of a large program because of the concomitant funding, and you’ll see why relatively simple matters can spiral out of control very easily.

That’s not to say there isn’t a benefit in government ownership. There are potential cost savings tied to having overarching policies executed by a single entity, but the coordination and time lapse in enacting anything of value is suspect. It takes too long to enact and follow through, especially when most agencies have their own congressionally driven budget and appropriations process to consider.

A Multi-faceted Issue

Over the years, I have heard many agencies state that they cannot consider creating an insider threat program or cybersecurity program because they don’t have the budget, or that they are waiting for a parent agency to come up with a plan and associated instructions. The problem with this thought process is multi-faceted. First, no two federal organizations are alike. They all have differing processes, serve diverse populations, and also possess assorted and sundry critical value data.

Second, each of these variables means that one insider threat or cybersecurity solution doesn’t fit another organization’s needs. Finally, the budgetary and appropriations cycles are controlled by Congress, subjecting them to political realities and consequences.

In these circumstances, when I hear that the government is telling agencies what they must do while controlling the budget from afar, it’s creating a difficult problem for the agencies to solve. Furthermore, when I hear that one agency is dependent upon another to proceed in developing insider threat programs or cybersecurity solutions, it rings of the “I’m from the government, and I’m here to help,” idiom. In other words, no action will be taken in sufficient time to counter any threat.

Solving at the Highest Level

My solution for this might sound a bit controversial.

Cybersecurity threats are comingled with insider threats. At a fundamental level, too many people believe that technology alone is the answer to cybersecurity concerns. I’ve mentioned it before, it’s not just about technology. Yet that’s the first thing people think of when considering cybersecurity or insider threats. Maybe it’s thanks to Hollywood’s portrayal of the industry and the capabilities of high-powered computers connected to, well, everything.

Tactically, the government should elevate decision making for the cybersecurity/insider threat problem to a Cabinet-level position, which would signify the importance of the issue. Additionally, the Cybersecurity Cabinet person should adhere to the mantra of centralized administration, de-centralized execution. Making each agency responsible for executing its own cybersecurity and insider threat program will encourage much faster implementation countering these threats. Of course, Congress would have to be included in any solution to ensure success.

This may not be the best fiscal option, but it would certainly be the best method for quick implementation and execution required to protect government-held and controlled critical value data. Rather than one agency doing everything, make each agency responsible for creating, implementing, and running individual programs, and hold them accountable at the highest level possible.

http://fifthdomain.com/2017/03/08/de-complicating-cybersecurity-at-the-federal-level-commentary/

About the Author

Keith Lowry

Keith Lowry is the senior vice president of Nuix USG and Nuix’s Business Threat Intelligence and Analysis division. He served as chief of staff to the deputy undersecretary of defense for human intelligence, counterintelligence and security at the Pentagon, as well as an information security consultant in the private sector


The FCC Seems Unlikely to Stop Internet Providers from Selling Your Data


Image: CBS News.com

“WIRED”

“Little seems to be standing in the way of Comcast, Verizon, and other internet service providers selling your personal information without your permission.

The Federal Communications Commission took a first step toward delaying its own rules protecting consumer privacy and security.

Last October the agency passed a set of rules that would have required internet providers to take new steps to protect your private data from hackers. That same regulatory package would have required ISPs to notify you if someone hacked your data and to get your active permission before selling your data. The FCC suspended the data security rules from that package that would have taken effect Thursday.

The FCC and the Federal Trade Commission, which regulates the privacy and security practices of websites like Google and Facebook, also issued a joint statement that signaled a seeming intention to jettison the privacy rules as well before they take effect later this year. (Neither agency responded to a request for comment.)

“The Federal Communications Commission and the Federal Trade Commission are committed to protecting the online privacy of American consumers,” FCC chairman Ajit Pai and FTC chairman Maureen K. Ohlhausen said. “We believe that the best way to do that is through a comprehensive and consistent framework.”

Ajit Pai, chairman of the FCC, has opposed the rules all along, saying he believes websites and internet providers should follow similar privacy and security practices. He contends that multiple sets of rules will lead to confusion among consumers. The upshot for consumers: Your internet provider has less obligation now than it would have to protect you from hackers. And providers seem to be facing few legal roadblocks standing in the way of selling your personal data to advertisers.

Reasonable Protections

Rather than spelling out specific steps that internet providers should follow to protect customer data, last year’s privacy and security order called for internet providers to provide “reasonable data security.” The order made it clear that internet providers wouldn’t be held liable for all data breaches and provided some guidance that it described as consistent with the Federal Trade Commission’s privacy rules. It also suggested that providers look to other privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA). Industry groups objected, claiming the FCC’s new rules were too vague.

Protecting internet privacy has also traditionally fallen to the FTC. But in 2015, the FCC reclassified internet providers as utility-like “common carriers,” a change that enabled the agency to enforce net neutrality rules banning internet providers from discriminating against or favoring particular websites or apps. Last year, as a result of a lawsuit filed by AT&T, a federal court decided that because internet providers now qualify as common carriers, the FTC no longer has authority over them. Responsibility for regulating how internet access providers manage privacy instead fell to the FCC, while the way websites like Facebook and Google manage privacy remained the FTC’s responsibility.

Shortly after the court’s decision, the FCC set about creating a set of stricter privacy rules. The biggest and most controversial difference between the FCC’s newer rules and the FTC’s rules was the ban on selling customer data without your permission, set to take effect as early as December. Your internet provider has a view of your most intimate online activities. Although Google uses encryption to prevent prying eyes from seeing your online searches, your internet provider can see what websites you visit, when you visit them, and how much time you spend there.

In 2012, Verizon began tracking its wireless customers’ activities across the internet. It then used that data to target ads on the various sites it owns, such as the Huffington Post. Eventually the company gave customers the option to opt out of that tracking, and later it limited tracking your behavior to Verizon-owned sites only. The FCC’s newer rules would ban Verizon or any other provider from similar data collecting without getting customers’ permission, unless Congress or the FCC delay or overturn them before they go into effect.

Pre-existing FCC rules already ban providers from tracking customers without at least notifying them, but unless the new, more stringent rules take hold, telcos will have much more freedom to sell your data. Regulations letting both internet access providers and websites sell your data may be consistent. But that doesn’t mean they make sense.”

https://www.wired.com/2017/03/fcc-graciously-sets-internet-providers-free-sell-data/


Army Awards Spots on $2.5B Contract Vehicle for Desktop and Mobile Computers


Image: Defense Systems.com

“GOVCONWIRE.COM”

“Nine companies have won spots on a potential 10-year, $2.5 billion contract.

The Army Contracting Command received 58 bids for the Army Desktop and Mobile Computing-3 contract vehicle, the Defense Department said Thursday.

The ADMC-3 contract covers integrated desktop computers, tablets, notebooks, workstations, electronic displays, printers, thin clients and multifunction devices, according to a FedBizOpps notice.

The awardees are:

  • Blue Tech
  • Dell’s federal systems business
  • GovSmart
  • Ideal Systems Solutions
  • Intelligent Decisions
  • Iron Bow Technologies
  • NCS Technologies
  • Red River Computers
  • Strategic Communications

The Army will determine work locations and obligate funds upon award of each task order under the firm-fixed-price contract and expects contractors to complete work by Feb. 15, 2027.”

https://www.govconwire.com/2017/02/army-awards-9-spots-on-2-5b-desktop-mobile-computers-contract-vehicle/

Intelligence Advanced Research Projects Activity (IARPA) Hits Stride Funneling Collaborative New Technology


“NATIONAL DEFENSE MAGAZINE”

“The Intelligence Advanced Research Projects Activity technology incubator celebrated its 10th year by transitioning a large number of programs to its clients.

12 new research programs, two new challenge prizes, 46 workshops with 2,700 attendees, 250 peer reviewed publications, and 22 technologies being transitioned to one of its client agencies.

It has worked with 500 organizations — half universities or small colleges, a quarter small businesses, and a quarter a mix of large companies, federal laboratories and federal agencies, Jason Matheny, IARPA director, said at the National Defense Industrial Association’s Special Operations/Low Intensity Conflict conference.

It serves 17 intelligence agencies in the U.S. government. “Their problem sets are broad,” he said. They involve everything from the hard sciences such as physics, biology and chemistry to political science and psychology with neuroscience, computing and engineering kicked in.

“The way that I used to describe this to my family was that we are the United States’ version of Q Branch from the James Bond movies,” he said. Except when his daughter came to visit on family day, she remarked that it was just a bunch of filing cabinets with contracts inside.

“We have outsourced Q Branch. … We fund the best and the brightest in academia and industry to solve our hardest problems,” he said.

The agency modeled itself after the Defense Advanced Research Projects Agency because it was so successful, Matheny said.

Over the past decade, IARPA has emerged as the largest funder of academic research into quantum and superconducting computing. It also pours money into machine learning, speech recognition, imagery analysis, facial recognition, and automated video analysis.

About one-third of its budget is put toward human judgment programs. This field helps analysts make better assessments based on partial data or wrong information, Matheny said. “How can they make more accurate judgments quickly? How can they resist certain universal cognitive biases?”

“Ultimately, judgments in the intelligence community come down to a human being. We haven’t automated analysis and we don’t expect to automate that kind of analysis,” he added.

Other technologies it’s pursuing include sensors that can pick up chemical traces from stand-off distances and in-place unattended chemical sensors that can be dormant for years, then “phone home” when they detect an agent. It’s also looking at detectors for nuclear weapons and synthetic genomes in the environment.

“Very” quiet unmanned aerial vehicles and persistent undersea sensors are two other needs, he said.

New opportunities include the Janus program, which focuses on the hard facial recognition problem, he said. “Let’s say you have faces that are covered, that are captured from an angle with very low resolution cameras or video.” The goal is to piece together various images from multiple angles and try to compose a composite facial image.

It’s also looking into high-resolution 3D modeling created from overhead imagery. “Can you build a 3D model of not just a building, but an entire city with 5 centimeter accuracy?” If so, that could be helpful for special operators planning raids, he added.

It is also searching for knowledge discovery tools in multi-lingual domains. This is intended for languages for which there isn’t a common automatic translation system such as those provided by Google.

IARPA prefers a competitive setup. It issues similar contracts in parallel to pursue the same technical goal. Multiple teams then research the same target. “We obsessively keep score. We spend about a quarter of our budget on testing and evaluation. And then we exercise options … for the teams that are outperforming others,” Matheny said.

This is stressful for the teams but results in more innovation, more quickly “in ways we don’t see otherwise in federal contracting,” he said.

“Prize challenges are one of the more cost-effective ways we have for funding innovation,” he said. The organization has found hobbyists willing to solve problems for $10,000 prize purses. The competition levels the playing field for anyone who is able to participate.

Like DARPA, it issues broad area announcements that it always keeps open so it can rapidly provide seed money for those with good ideas. The “informal process” begins with as little as a paragraph describing an idea, followed by a phone call with a program manager. “The program manager has been trained to be brutally honest — to give a thumbs down on an idea that we don’t want to see a full proposal on, or a thumbs up.”

The phone conversation is key, Matheny said. “If the program manager tells you they really want to see a proposal, they really do want to see that proposal.” Ninety percent who are asked for a full proposal go on to be funded, he noted. The more formal way of proceeding only resulted in 20 percent moving forward, he added.”

http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=2419

The New Technology of Humanitarian Assistance


“THE CIPHER BRIEF”

“Technology has already transformed the conduct of war; could it also transform approaches to aiding the victims of conflict, disease, and natural disasters?

Drones could help alleviate some of these challenges through remote delivery of high-value, low-mass goods to areas otherwise inaccessible due to hard terrain, natural disaster, or conflict.

Since the first CIA Predator drone strike in October 2001, the United States, among others, has sought to expand the technology to facilitate remote warfare. UN peacekeeping forces use drones for intelligence gathering in such places as Mali, the Central African Republic, and the Democratic Republic of the Congo. The commercial drone industry is booming and is expected to only grow further with hobbyists using off-the-shelf quadcopters for their scenic vantage points and Amazon’s prospective drone deliveries to customers. Even insurgents are beginning to incorporate this new technology into their arsenals, setting their sights on recruitment messaging, intelligence collection, and explosives delivery.

To understand how drones could transform the provision of humanitarian aid, it is important to first acknowledge the areas of difficulty humanitarians often encounter. Jack Chow, a former U.S. ambassador and the first Assistant Director-General of the World Health Organization on HIV/AIDS, Tuberculosis, and Malaria, points out that “the barriers to providing humanitarian aid are numerous and evolving. Chief among them are extensive operational obstacles that involve myriads of personnel, assets, and supply chain links. Complications and breakdowns among any operational components will cause delays and losses of aid. Chokepoints and tenuous routes invite corruption and pilferage.” Kristin Bergtora Sandvik, a professor at Peace Research Institute Oslo (PRIO) and co-founder and former director of the Norwegian Center for Humanitarian Studies, says that “the humanitarian sector struggles with lots of unresolved challenges with respect to obtaining adequate situational awareness for aid workers; getting sufficient information about the size and whereabouts of crisis-affected communities; and overcoming the logistical problems of timely and appropriately scaled last-mile delivery of cargo.”

The issue of supply chain logistics became a major hindrance in the timeliness of the international response to the 2014 Ebola epidemic in West Africa, particularly with fears of the virus spreading internationally. Drones could help alleviate some of these challenges through remote delivery of high-value, low-mass goods such as everyday medicines like insulin, antibiotics, and painkillers, or of communications equipment such as phones and computers, to areas otherwise inaccessible due to hard terrain, natural disaster, or conflict. For example, in Malawi, UNICEF sees drones as a method of transportation for blood work to help HIV testing, while in Rwanda, a humanitarian drone startup known as Zipline is also delivering blood supplies to remote hospitals in the region.

Similarly, the negotiation of humanitarian access in conflict and post-conflict countries often includes tradeoffs between an organization’s freedom of movement and concessions made to local authorities operating in a vacuum of formal government control. However, as Sandvik points out, even if drones could potentially replace caravans of trucks to mitigate the problem of access, “most of the models offered by the drone industry are too expensive for the humanitarian sector and the available models often not powerful enough to stay for any significant time in the air,” let alone “transport tons worth of relief items.”

While larger drones are available to the U.S. military, they require more advanced pilots and could also be targeted by the anti-aircraft systems of belligerents purposely using starvation and medical deprivation as weapons of war. For example, to deliver aid to the Yazidi population trapped on Mt. Sinjar in August 2014, the U.S. military had to first conduct airstrikes on ISIS positions to ensure safe passage of their cargo planes.

Potential advances in artificial intelligence (AI), however, could allow swarms of small drones to slip by air defense systems to individually deliver small packages of cargo—possibly even create impromptu networks for Wi-Fi and establish phone signal availability. Chow asserts that “as costs come down and AI-driven avionics accelerate in power, flotillas of drones over vulnerable regions can provide constant coverage for early detection and rapid response to humanitarian crises.” Artificially intelligent drones could also address major impediments to post-conflict reconstruction, such as landmine removal to enable locals to return to an agricultural economy while mitigating indiscriminate casualties largely affecting children. The Mine Kafon Drone seeks to autonomously map a designated area, detect the positioning of mines via GPS and then safely detonate them at a pace unmatched by even skilled personnel.

Drones could also be a source of information for aid workers on developing crisis situations. Chow notes that “on-board sensors will acquire information about conditions on the ground, presence of detectable dangers, and the numbers and locations of affected people,” and “in the future they may detect the first stirrings of violence by picking up sounds or flashes from gunfire.” Following the 2008 Sichuan earthquake in China that killed over 69,000 and left 18,000 missing, Chinese responders used drones to locate downed bridges, collapsed tunnels, and other chokepoints hindering rescue efforts, while assessing damage to critical buildings such as schools and hospitals. In Nepal, the Humanitarian UAV Network used drones to create clearer photos than existing satellite images while also using 3D modeling of the damage to identify which houses were prone to collapse.

The problem with humanitarian drones monitoring from the skies is that governments and their populations will be uneasy about what the data will be used for. The association of drones with military intelligence collection creates a stigma not easily avoided, and governments may fear footage could be shared with human rights organizations documenting war crimes. Some of this can be addressed through technical solutions such as geo-fencing, whereby drones are only able to gain access to certain airspace, but ultimately, as Chow notes, “expanding drones’ powers will also force a need for a regulatory framework at the national and international level in order to establish technical standards and rules for operations.”

Sandvik suggests the major criticisms of the humanitarian use of drones now are over “concerns the technology creates distance between beneficiaries and aid workers,” “the potential association with military applications” such as intelligence collection, and ultimately, “the lack of added value delivered by the use of drones,” whereby the technology is simply not sufficiently developed yet and therefore a “distraction from other work.”

While drones would likely augment, not replace, aid workers—or other longer-term projects such as infrastructure development—there is still enormous potential for drone technology to change the provision of humanitarian aid. There are, however, numerous steps before such technology becomes meaningful, let alone systematically normalized. While the hype over the humanitarian application of drones may have spurred the discussion, persistence is needed to determine how drone technology will actually contribute to future humanitarian efforts.”

https://www.thecipherbrief.com/article/tech/new-technology-humanitarian-assistance-1092

Silicon Valley’s Pentagon Ties Stay Strong


Image: “Wired”

“WIRED”

“On the surface, left-leaning Silicon Valley and the more conservative US military seem worlds apart.

But the Pentagon’s Defense Innovation Advisory Board continues to bring the two together.

Former Secretary of Defense Ash Carter created the board in March 2016 so that the Pentagon could tap some of the best minds in science and technology. It counts among its members prominent Silicon Valley leaders such as Alphabet’s Eric Schmidt, Amazon’s Jeff Bezos, Instagram’s Marne Levine and LinkedIn’s Reid Hoffman. Despite uncertainty about its future under Trump’s administration, all the board members plan to remain until the end of their terms. They’ve also dodged the public controversy swirling around Silicon Valley leaders who maintain advisory ties to the Trump White House.

“There is a real contrast between the enthusiasm of tech leaders to serve on the Pentagon’s Innovation Board and the positive public atmosphere that surrounds it and the controversy that surrounds Trump’s CEO advisory group, which CEOs from companies such as Uber have bailed from,” says Peter Singer, a defense expert at the New America Foundation and coauthor of the 2014 book “Cybersecurity and Cyberwar: What Everyone Needs to Know.”

The fact that Silicon Valley’s current advisory role to the Pentagon has proven substantially less controversial than its White House parallel is not without irony. “It points to how the Defense Department is now viewed as the bastion of sanity and respect for law and science, versus the White House as a space of controversy,” Singer says.

Calling All Geeks

To date, the board’s “seemingly nonpartisan ideas” have been “well-received within the defense policy community,” Singer says. But he cautioned that ordinary bureaucratic resistance could slow adoption of its recommendations, unless Mattis and senior Pentagon leaders make them a priority.

Still, the Silicon Valley approach has some momentum within the military, particularly around open source initiatives. The Forge.mil program—founded by the Defense Information Systems Agency in 2009—has enabled collaborative work on open source and community source software across the Pentagon. Separately, the Military Open Source Software (Mil-OSS) community has connected developers in the military and civilian worlds since its creation in 2009. Such open source approaches could help the Pentagon move faster and innovate inexpensively, says Joshua Davis, senior research scientist at the Georgia Tech Research Institute and co-founder of the Mil-OSS community.

On Jan. 9, the Defense Innovation Advisory Board voted to approve 11 recommendations that covered issues such as boosting cybersecurity for advanced weapons, and funding new research in artificial intelligence. Outside experts such as Davis and Singer especially lauded the board’s recommendation to make computer science a “core competency,” by creating a specialized career track for military service members and recruiting fresh talent from both the military and civilian worlds. The Pentagon previously announced its commitment to this recommendation during an interim proposal period in Oct. 2016.

“That right there is a multi-decade kind of thing that’s not going to happen overnight,” Davis says. “But it’s probably one of the first things you can do to build a culture to accept innovation happening this way.”

Training a generation of troops on computer science would have outsized impact because many of the other board recommendations will not succeed without it, says David A. Wheeler, an expert on developing secure software, open source software, and software innovation. “The [Department of Defense] already has tracks for lawyers and doctors,” Wheeler says. “Sadly, software expertise is thin within government, even though modern systems are completely controlled by software.”

A Few Good Recs

Other recommendations clarify existing Pentagon practices. For example, the board suggested that the Pentagon “require all systems purpose-built for the military to have their source code available to the Department,” so that the government retains the rights to and can modify the code when needed. That helps ensure military software remains up-to-date and relatively secure. (Davis describes source code as the equivalent to the recipe that the computer “kitchen” relies upon to cook up the executable software.)

Standard contracting clauses for custom-developed military software already give the government such rights, Wheeler says. But he notes that officials sometimes waive those rights because they don’t realize the systems they’re purchasing have custom software, and fail to specify the software as a contract deliverable.

An interim recommendation calling for a new “global and secure” online system that would hold “all or most” of the Pentagon’s data has yet to be approved—and will likely prove very tricky to implement. Many companies in Silicon Valley and other industries already have their own internal systems to collect and share data in a way that boosts efficiency and productivity. But companies typically don’t worry about devastating national security consequences if they get hacked by foreign powers or malicious agents. “Security isn’t just part of the problem, it is the fundamental problem,” Wheeler says.

The best commercial security products can’t protect the Pentagon’s data from determined adversaries backed by foreign governments, Wheeler says. As a result, the Pentagon has intentionally kept its many systems and networks isolated, to limit the damage that can be caused by breaches of security. But the board has discussed using so-called “formal methods” that can mathematically prove a computer system is immune to entire classes of cyberattacks—a promising approach that still requires much more development.

It’s still unclear how Marine Gen. James Mattis, Trump’s Secretary of Defense, will handle the board’s recommendations. He has the final say on whether the Pentagon fully embraces the board’s ideas.

“At the staff level, we have had very productive conversations with the President’s transition team,” says Joshua Marcuse, Executive Director at Defense Innovation Board.

The US military’s mission will likely never be fully compatible with the Silicon Valley culture that Singer describes as “fast, flat in structure, and happy to fail and fail rapidly.” But it’s still refreshing to see a collaboration between government and tech that’s not fraught with controversy, and that may actually yield some positive results. After all, if the military’s going to meet the technological demands of 21st-century warfare, it’s going to need a few good geeks.”

https://www.wired.com/2017/02/despite-trump-silicon-valleys-pentagon-ties-stay-strong/