Category Archives: Global Events

Thoughts For Today And Our Times

https://www.flickr.com/photos/odysseyof_armaments/7831798736/in/album-72157629232310537/

The Specialist

I see sights you’ll never know
Cruising waters from the sky
Lofty height – down I go
Deftly tooled for fishing low

Humans weird as creatures go
Spindly legs and gaping stare
Planted on the earth below
What’s your game over there?

I’ll ignore you for the moment
Freedom calls – winds arrive
All my tools and instincts poised
The specialist starts his dive

COVID-19 Spawns Government Web Site Phishing Impersonations

Image: 360smartnetworks.com

FCW

The campaigns targeted both Americans and international users, with some websites impersonating the World Health Organization, Her Majesty’s Revenue and Customs (the tax collection agency in the U.K.) and the French government.

[Example] A website template for coronavirus financial help that promises to sign users up for their stimulus checks “with 1 click” and contains a drop-down menu to enter credentials for their chosen bank.

____________________________________________________________________________

“Many of the emails used the COVID-19 outbreak to entice users to hand over their banking credentials in order to receive their stimulus checks. 

One email sent to FCW by researchers and not included in their published blog purports to be from the Federal Reserve, touting that its “Protection Program” was fully operational and available to provide payments to economically distressed Americans. It lists a phone number with a Washington D.C. area code for media inquiries and specifies that requests for payments “must be received no later than 45 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER.” In reality the email, sent to approximately 100,000 people, provides users with a link to a spoofed site where they can enter their banking information.

Bizarrely, the [drop down menu] site contains mimicked logos for the White House, the Centers for Disease Control and Prevention and the Federal Emergency Management Agency (though not the IRS, the agency charged with dispersing the checks) all on the same page.

A common theme for almost all the campaigns was an effort to leverage interest in the COVID-19 pandemic, but DeGrippo said the actors otherwise adopted a general “spray and pray” strategy for victims, with little apparent focus on specific individuals or industries.

“They loaded up the spam cannons, shot them out there and hoped for the best,” said DeGrippo. “It’s a tactic that also works. I don’t think not being super targeted is any indication that it’s not effective or that the threat actor is not equipped. Getting 100,000 messages out [over four days] is not an easy feat.”

Even as threat intelligence companies and federal agencies have tracked an explosion of coronavirus-themed scams online in recent months, DeGrippo said that observed credential phish activity has not increased significantly during the pandemic, indicating that it is existing actors shifting their tactics rather than an increase in the overall threat ecosystem.

“Comparatively over the past several years, volumes of credential phish specifically haven’t moved [over the past few months] in ways where we thought ‘Oh my gosh there’s this huge volume increase,'” she said. “What we are seeing is that a threat actor might normally send a credential phish for banking details [and] the shift now is they’re going to wrap that attempt…in a premise around COVID-19.”

Federal agencies like the IRS, the Cybersecurity and Infrastructure Security Agency and the FBI have all warned of a shift in recent months by cyber criminals to profit off increased attention surrounding the pandemic. In particular, experts have worried that the rush by the IRS to process and disperse hundreds of billions of dollars in stimulus relief to Americans has left the program vulnerable to fraud.

Adding to the confusion, the IRS website where Americans can check on the status of their stimulus payments received criticism for its functionality during the initial weeks after passage of the CARES Act, with some users reporting online and on social media that the site did not recognize their taxpayer information and that small differences — like not writing their full name in all capital letters — can trip up the system and return an error message.

The IRS updated its “Get My Payment” tool in late April to fix the error, but the inability to access their information on the official IRS website could have left users more susceptible to exploring quicker solutions offered by scammers. The agency “Frequently Asked Questions” page warns users to be on the lookout for emails and links asking for banking information related to their checks and on May 18 announced it had added another 3,500 phone operators to field questions from taxpayers about their stimulus payments.”

A Pentagon Procurement Program That Seems Doomed to Fail

Image: Greycampus.com

REAL CLEAR DEFENSE

The Pentagon spends more money on federal contracts and relies more on private contractors to provide necessary support than all other U.S. government agencies combined.

With a potential ceiling of almost $8 billion, the NGEN-R is one of the largest non-hardware contracts ever awarded. The problem with massive, long-duration IT contracts is that the pace of technological change often makes them out-of-date almost from the start.

______________________________________________________________________________

“The primary objective of the contract is to manage, modernize and eventually merge several massive Navy and Marine Corps networks that collectively encompass some 400,000 computers and 800,000 users at 2,500 locations. NGEN-R will provide secure data and information technology services such as data storage, email, cloud services, and video teleconferencing for Navy and Marine Corps ships and locations around the world.

As if this were not in itself a major undertaking, the Navy acquisition bureaucracy decided to make the effort even more challenging. First, it decided to split what had been for twenty years a single contract into two: a smaller hardware-centric section, and a larger one focused on services and support. Second, the Navy chose to assume the responsibility for overall management of the two contracts. Third, it awarded the services contract to Leidos, a company with no prior experience in providing support to major Navy/Marine Corps networks. Fourth, the new contract sets an extremely aggressive schedule for transferring responsibility for multiple networks from the existing contractors, who have some 30 years of experience in this field.

The NGEN-R award repeats an often-seen pattern in defense acquisitions, particularly those involving IT services and support contracts. The acquisition bureaucracy isn’t satisfied with incremental advancements; it wants to preside over “transformational change.” As a consequence, it dispenses with experienced contractors and tried-and-true approaches in favor of modernizing complex networks. This same bureaucracy buys into the new contractor’s promises that it can effortlessly take over for its predecessors, and then simultaneously integrate and modernize the Navy’s networks—all while lowering costs. We’ve seen this movie many times before and it never ends well.

When an IT network procurement goes wrong, a lot of bad things can happen. The most immediate impacts will be slow responses to individual needs and major events alike. In the former case, this results in increased dissatisfaction and frustration; in the latter case, missions are endangered when Sailors and Marines can’t get data or effectively communicate. Furthermore, it’s less than helpful when the “green” service desk team—the place where one goes for IT support—is struggling to understand how things work. Compounding this demand for IT help is the age of the technology, as refresh cycles for replacement laptops and PCs were likely put on hold until the new team was firmly in place. In the longer term, the Navy risks backsliding on everything it has accomplished over the last 20 years to consolidate its networks, standardize its technology and rein in IT spending. 

Were these normal times, the Navy and its new contractor might have the time and resources to weather the inevitable delays, service interruptions, and cost increases that will result from the acquisition bureaucracy’s desire to have the new contractors do it faster, better and cheaper. However, these are extraordinary times. We are in a crisis in which clear communications and a reliable network are much more important than they were when the contract was awarded. Like everyone else in the world, the Department of the Navy faced a massive challenge in getting several hundred thousand Sailors, Marines and civilians set up to telework and unlike a business, the important mission—protecting the United States—did not stop to wait for the IT to catch up with this radical change. The Navy’s networks have had to be reconfigured in real time while adding new nodes (such as two hospital ships deployed to support New York and Los Angeles’ health systems) and ensuring that both the Navy’s networks and connections to medical networks across the country are viable and secure.

There are already signs that the NGEN-R contract is heading for difficult times. The most notable was the early talk by the winning bidder about changing the solution that they proposed. In a recent interview, Gerry Fasano, head of Leidos’s Defense Group, acknowledged that the network “has continued to evolve, and so we’ll update ourselves from what we proposed and then worked through our transition plans.” Read this to mean: get ready for lots of change orders as the company attempts to make good on all its commitments.

In late April, the Department of the Navy’s Chief Information Officer, Aaron Weis, said in an interview that the Navy has been looking to “jumpstart” modernization—which is the right thinking—but expressed concern that the recently-awarded NGEN contract was the best path forward: “One of the first things we really talked about was do we stop NGEN-R and reset it given what we thought we needed to do. The reality is, given the acquisition timeframes, it probably would’ve set us back another year.” In hindsight, that would not have been a high price to pay.

The Navy’s plan to modernize its IT networks is likely to be dead in the water for an extended period while the NGEN contract transitions and networks struggle to deal with the new reality of communications in the era of COVID-19. While the acquisitions folks won’t feel a bit of pain, the Sailors and Marines and the state and local communities they are trying to help certainly will.

The NGEN-R award is currently in protest. But whatever the outcome, the Navy should take the opportunity to reconsider its rush towards an unpredictable future. The Navy needs a different approach, one that doesn’t put its networks and thus its pandemic response at risk, much less the security of the Nation and tens of thousands of Sailors and Marines. It would be wise for the Navy to suspend the NGEN-R contract and pursue a new competition.”

https://www.realcleardefense.com/articles/2020/05/16/a_pentagon_procurement_program_that_seems_doomed_to_fail_115296.html

Need For Security Clearances May Drop As Teleworking Expands

Image: Startacybercareer.com

FCW

Having a top-secret clearance may no longer be the insignia of an intel worker, according to the intelligence community’s national counterintelligence chief.

The IC’s [Intelligence Community] culture used to look at having a top-secret clearance as a “pass-fail” test to get in, [William] Evanina said, but that doesn’t mean employees can’t do their jobs from home — as long as it’s done securely.

______________________________________________________________________________

“We are just as successful, with some exceptions, with people working at home than we were before. And I think we have to be flexible and look at our private-sector model and maybe extrapolate that into our intelligence community,” National Counterintelligence and Security Center Director William Evanina said during a May 13 INSA virtual event.

Evanina said he could see not requiring clearances for some positions in the next few years due to teleworking abilities. “Just because you work in the IC, and just because you have a top-secret clearance, does that mean that everything you do is classified?”

“Right now, our communications from home to work is not safe, whether it’s in the private sector, especially not in the government,” he said. “We have to find effective security solutions to get to where we want to be.”

The federal government has been working to improve the security clearance process and reduce its backlog, which once reached more than 700,000 active investigations on agency personnel and contractors that handle sensitive materials.

The government rolled out its much-criticized Trusted Workforce 2.0 framework in 2019, aiming to reduce the amount of time needed to clear new employees and re-investigate those moving across agencies.

The IC merged two hiring processes, for security clearances and employee suitability, into one earlier this year. The move was meant to clarify the role of human resource officers in ensuring candidates were right for job demands.

Evanina said the security clearance backlog has dropped to 180,000, with upwards of 50% more new applications coming in compared to 2019. That target beats the one set by the President’s Management Agenda at a 200,000 caseload of active investigations, and it is a significant dip from the reported 231,000 cases in January.”

Is Short Term Economic Focus On Earnings Killing U.S. Innovation?

Image: Saracanaday.com

DEFENSE SYSTEMS

The U.S. risks losing its competitive edge over China in terms of technology because companies care more about quarterly earnings than research and development.

Solutions involve incentivizing U.S. companies to focus on long-term investments and research.

______________________________________________________________________________

“That’s the message Michael Brown, director of the Defense Innovation Unit, the Defense Department’s innovation arm, shared at a Brookings Institution virtual event May 8 on China’s technological impact worldwide.

“You’re never going to win in a technology race with defense,” Brown said. Instead, the U.S. needs to focus on being more productive and “invest in itself” with more basic research.

“What do we do to reform our business thinking and our capital markets to move away from short-term thinking to be more long-term oriented,” Brown said. Ways to focus U.S. companies on building and maintaining a competitive edge include stricter export controls and more scrutiny of foreign investments in U.S. companies, particularly technology startups.

Brown, formerly CEO of Symantec, said the corporate focus on quarterly earnings and stock prices is counterproductive to competing with China.

“They all feed into this short-term thinking in our business community,” said Brown, “we have to reform this or we’re not going to be successful in competing with China.”

Incentives could include tax advantages for focusing on long-term growth and research and development, Brown said. And on the punitive side, there is the possibility of establishing penalties for U.S. companies that off-shore manufacturing or spinning off hardware businesses whose domestic presence can support U.S. jobs and military production.

“The irony is that U.S. companies focus on profits often driven by market dominance ends up aiding China’s cause,” Tom Wheeler, former Federal Communications Commission chairman, said during the event. “The market control, market dominance that we’ve seen from the principal big tech companies thwarts competition driven innovation.”

“It is doubtful that we will be able to out implement China,” said Wheeler, referencing that country’s tightly controlled, one-party system of government. “But we can out-innovate China if we have policies that will encourage this competition driven innovation.”

The big question for DIU is whether it can take advantage of U.S. tech talent, startups and research dollars to maintain a long term advantage over China, which is able to dictate its priorities to industry.

“The Defense Innovation Unit spends all day every day trying to encourage innovative companies to work with the Defense Department,” Brown said. “And General Secretary Xi [Jinping] accomplishes this by fiat. So we have to recognize that there are some advantages to their system.”

Brown said he maintained some doubts about the ultimate success of the “civil-military fusion” practiced in China.

“I don’t know how well that’s going to work for them, but that certainly keeps me up at night,” he said.”

F-35 Full Rate Production Challenges Include Failing Engine Tests And Replacing 1,005 Turkish Parts

Image: Senior Airman Quay Drawdy/U.S. Air Force

DEFENSE NEWS

According to the GAO, the number of F-35 parts delivered late skyrocketed from less than 2,000 in August 2017 to upward of 10,000 in July 2019. At one point in 2019, Pratt & Whitney stopped deliveries of the F135 for an unspecified period due to test failures, which also contributed to the reduction of on-time deliveries.

And those supply chain problems could get even worse as Turkish defense manufacturers are pushed out of the program, the Government Accountability Office said in a May 12 report.

__________________________________________________________________________

“Lockheed Martin’s F-35 Joint Strike Fighter is on the verge of full-rate production, with a decision slated for early 2021. But a congressional watchdog group is concerned that as the company ramps up F-35 production, its suppliers are falling behind.

The number of parts shortages per month also climbed from 875 in July 2018 to more than 8,000 in July 2019. More than 60 percent of that sum was concentrated among 20 suppliers, it said.

“To mitigate late deliveries and parts shortages — and deliver more aircraft on time — the airframe contractor has utilized methods such as reconfiguring the assembly line and moving planned work between different stations along the assembly line,” the GAO said.

“According to the program office, such steps can cause production to be less efficient, which, in turn, can increase the number of labor hours necessary to build each aircraft,” which then drives up cost, the GAO added.

Those problems could be compounded by Turkey’s expulsion from the F-35 program, which was announced last year after the country moved forward with buying the Russian S-400 air defense system. Although Turkey financially contributed to the development of the F-35 as a partner in the program, the U.S. Defense Department has maintained that Turkey cannot buy or operate the F-35 until it gives up the S-400.

The Pentagon has also taken action to begin stripping Turkish industry from the aircraft’s supply chain, a process that involves finding new companies to make 1,005 parts, some of which are sole-sourced by Turkish companies.

Ellen Lord, the Pentagon’s undersecretary for acquisition and sustainment, had hoped to stop contracting with Turkish suppliers by March 2020, but in January she said that some contracts would extend through the year, according to Defense One.

While the Defense Department has found new suppliers to manufacture the parts currently made in Turkey, it is uncertain whether the price of those components will be more expensive. Furthermore, as of December 2019, the new production rates for 15 components were lagging behind that of the legacy Turkish producers.

“According to program officials, some of these new parts suppliers will not be producing at the rate required until next year, as roughly 10 percent are new to the F-35 program,” the GAO said.

“Airframe contractor representatives stated it would take over a year to stand up these new suppliers, with lead times dependent on several factors, such as part complexity, quantity, and the supplier’s production maturity. In addition, these new suppliers are required to go through qualification and testing to ensure the design integrity for their parts.”

The F-35 Joint Program Office disagreed with the GAO’s recommendation to provide certain information to Congress ahead of the full-rate production decision, including an evaluation of production risks and a readiness assessment of the suppliers that are replacing Turkish companies.

In its statement, the JPO said it is already providing an acceptable number of updates on the program’s readiness for full-rate production.

Hard times for the F-35’s engine supplier

Not all F-35 production trends reported by the GAO were bad for the aircraft. Since 2016, Lockheed has made progress in delivering a greater proportion of F-35s on schedule, with 117 of 134 F-35s delivered on time in 2019.

However, one of the biggest subsystems of the F-35 — the F135 engine produced by Pratt & Whitney — drifted in the opposite direction, with a whopping 91 percent of engines delivered behind schedule.

At one point in 2019, Pratt & Whitney stopped deliveries of the F135 for an unspecified period due to test failures, which also contributed to the reduction of on-time deliveries.

According to the Defense Contracts Management Agency, “there have been 18 engine test failures in 2019, which is eight more than in 2018, each requiring disassembly and rework,” the GAO wrote. “To address this issue, the engine contractor has developed new tooling for the assembly line and has established a team to identify characteristics leading to the test failures. Plans are also in place for additional training for employees.”

https://www.defensenews.com/air/2020/05/12/some-f-35-suppliers-are-having-trouble-delivering-parts-on-schedule-and-turkeys-departure-could-make-that-worse/

The Heavy Cost of Ignoring Biosurveillance

https://dod.defense.gov/News/Special-Reports/1012_biosurveillance/

NATIONAL DEFENSE MAGAZINE

It’s crucial that any such network be independent of governments and left in the hands of public health officials. The data it gathers should not be filtered through bad actors such as the Chinese Communist Party, or elected officials who may have a political agenda.

One day — hopefully soon — big international meetings will return and the next Biosurveillance Conference will be held in a bigger venue with a lot more participants.

__________________________________________________________________________

“It was Aug. 28, 2012 in a Washington, D.C., hotel near Union Station where the National Defense Industrial Association held its first and only Biosurveillance Conference.

It was lightly attended — if memory serves. I’ll be charitable and say there were 75 attendees in the smallish room.

At least one of them — myself — was in the wrong place. Biosurveillance? I thought it would be about sensors. I was expecting to hear about typical defense and homeland security technologies designed to detect bioweapons — something akin to the Department of Homeland Security’s BioWatch program, or what the Joint Program Executive Office for Chemical and Biological Defense wanted. The agenda included Defense Threat Reduction Agency personnel.

No, actually, the attendees were mostly in the public health field, and they were talking about a worldwide database where doctors, public health officials, veterinarians and the like could report what they were seeing as far as new infectious diseases.

They likened the concept to weather reports. The world has a network of sensors that tells meteorologists what’s happening in the atmosphere. With the data, they can warn people if a storm is coming and citizens can prepare. The public health officials wanted to do the same for infectious diseases: manmade or natural. And the far-term goal would be to do predictive analysis — just like weather forecasts.

Here is an example: let’s say a doctor in China — let’s just say Wuhan, China — noticed an unusual number of cases of patients with a new respiratory disease marked by an unusually high fatality rate. He would then input that information into a database accessible to public health officials throughout the world. Then, let’s just say, doctors in South Korea or Italy, noticed the same thing. Analysts could connect the dots and sound the alarm. Hospitals could stock up on items such as, let’s say, face masks and respirators.

What I learned at that one-day conference ended up being part of a story that ran in the November 2012 issue. NDIA members with their expertise in information technology could have a lot to offer building such a network, I reasoned, so it was worth reporting.

Let’s pull some quotes out of that 2012 story.

Harshini Mukundan, a scientist at Los Alamos National Laboratory, said diseases emerge from people, plants and animals.

“They are all interconnected, and having separate agencies monitoring each one defeats the cause.”

Laurie Garrett, an analyst at the Council on Foreign Relations, said the technical part of setting up a biosurveillance network could be completed in five to 10 years. Policies and procedures were the roadblocks. “I don’t believe we have the capacity or the will to implement” it, she said. U.S. political gridlock would prevent the idea from moving forward, she predicted.

Jason Pargas, special assistant to the DTRA director, sounded an optimistic tone. It could all come to fruition in five to 10 years. Prediction models, applied math and advanced computing would make it so.

The reporting that emerged from this conference ended up in the article, “Top Five Threats to National Security in the Coming Decade.” We ranked “Bio-Threats” as No. 1. Yikes. I don’t even want to mention what the other four were for fear of a jinx.

I would like to say that National Defense consistently reported on this issue and that we kept up a constant drumbeat for the need of a worldwide biosurveillance network, but that is not the case. Public health really isn’t in our wheelhouse.

However, two years later in 2015, we did an update online, which was reported from an Armed Forces Communications and Electronics Association homeland security conference.

No progress had been made on a biosurveillance network, Jeff Runge, former chief medical officer at DHS, said at the conference. That year saw a deadly strain of the flu that killed many children and an Ebola outbreak.

“The rate and scope and spread of the illnesses were not detected before severe consequences occurred,” he said. “These are cautionary tales underscoring the need for better biological intelligence.”

Navy Cmdr. Janka Jones, then the director of medical programs in the office of the assistant secretary of defense for nuclear, chemical and biological defense, said, “We’ve got a lot of capability. We don’t have a lot of money to build new capability.”

Transparency, openness and data sharing would be key, she said. Jones helped the Obama administration in 2012 put together the first-ever national strategy on biosurveillance. It was released in July, shortly before the NDIA Biosurveillance Conference. It included a technology roadmap on how to build the information-sharing network.

“Biosurveillance — including early detection — is one of our first lines of defense against these threats,” President Barack Obama wrote in the introduction to the strategy.

National Defense took its eye off the ball when it comes to biosurveillance — but so did a lot of people, apparently. That won’t be the case in the future.

Granted, there are policy, procedure and diplomatic hurdles to overcome, but how much funding would it have cost to set up an initial biosurveillance network — $100 million, $200 million? Seems like a paltry investment when more than $1 trillion is being spent on an economic bailout, lives have been lost and entire industries brought to their knees.”

https://www.nationaldefensemagazine.org/articles/2020/4/21/the-heavy-cost-of-ignoring-biosurveillance

How The Private Sector Including IBM Is Pivoting To “Distance Work”

Image: Digday.com

WASHINGTON TECHNOLOGY By John M. Kamensky

As coronavirus has disrupted society over the last few weeks, some of the distancing measures that once seemed drastic have become acceptable — in a few cases even preferable to the way things worked before.

Nowhere has this been truer than the workplace, where companies and employees have found remote operations far more feasible than expected.

____________________________________________________________________________

“University of Chicago researchers recently analyzed government employment and income data by industry and concluded that 34 percent of U.S. jobs can “plausibly be performed at home.” Journalist Liz Farmer predicts that “the long-expressed resistance of companies and individual bosses to WFH arrangements will decline markedly after they see how well the arrangement has worked.”

But COVID has also taught us that leading an entire organization through the transition to distance work in a matter of days or weeks can be wrenching, akin to passing through the five stages of grief. In an article about how corporations are adjusting to COVID-mandated remote working arrangements, Australian start-up accelerator Steve Glaveski sees a broad spectrum of adaptation beyond pre-COVID practices:

  • No deliberate action. This is where most companies were at the beginning of the COVID-19 outbreak, with little to no capacity for widespread remote work.
  • Recreating the office online. This is where most traditional organizations have landed. More effective companies offer access to e-tools, but without any redesign of how work gets done.
  • Adapting to the medium. These companies are investing in better equipment (for example, they may provide employees a cash grant to improve their lighting for video calls). Their work favors text-based communication, with fewer meetings that have clear agendas and include only ‘must have’ participants.
  • Asynchronous communication. These companies are structured more in line with how work gets done than where or when. They are typically global and recognize that presence does not equate to productivity.
  • These companies field purely distributed teams that work better than in-person teams. There are a handful of companies like this, and most are in the tech industry.

Glaveski acknowledges that moving across this spectrum won’t work for all industries, and he notes three common challenges to effective distance work that need to be addressed: team building and bonding, the value of informal office communication, and endpoint security.

How IBM Made the Transition

Fletcher Previn — IBM’s chief information officer — recently offered a candid description of how he and his colleagues grappled with these challenges and others as they pivoted the organization’s global workforce of 350,000 people to working from home over a four-week period this spring. Pre-COVID, Previn said, about 30 percent of IBM’s global workforce predominantly worked from “other than a traditional office” (i.e., from a client site or home). This figure shifted to about 95 percent within a matter of days.

He explained that there were two key components to this transition – technological and cultural.

Previn says that the company benefited from having a longer-term internal IT strategy to enable workers to self-service. This began with mailing employees their mobile devices instead of delivering them in person, and creating an internal app store to distribute software. Those measures meant that all employee hardware and software could be delivered outside the office, making it easier to transition quickly to remote work.

IBM had also adopted a standardized set of tech tools to enable collaborative work across the globe through remote meetings, file sharing, remote access and cybersecurity (the company is shifting from a VPN-based to a zero-trust model). Over the past year, Previn created a common “tool box” that employees can access based on their job function (e.g., consultant, scientist, analyst):

  • Slack for collaboration
  • Box for document repository
  • Trello for project management
  • WebEx for meetings
  • Mural for design thinking and whiteboarding

In terms of security, Previn says that his team detects a lot more cyberattacks and fraud attempts on home-based workers. In response, they’ve increased training to identify phishing and tightened endpoint controls on inbound emails and other traffic. In addition, they are using AI to look for unusual behavior based on a user’s identity, location and the device being used.

While the tech tools are a necessary prerequisite for working from home, Previn noted that there are also cultural issues. For example, traditional ways of balancing work and personal life need to be redefined as employees work in new settings with new routines. He advocated a model of small three-person teams interacting with each other and with other teams not only through scheduled meetings but spontaneous communications that help maintain human bonds and trust. Previn said he schedules virtual happy hours with his team to bring people together informally rather than just for agenda-driven meetings.

To help ease the cultural transition to distributed teams, IBM HR developed a series of training guides and online modules on how to lead remotely, and tips for remote workers and their managers.

Long-Term Benefits of the Transition

One factor that enabled IBM and many other companies to respond quickly to COVID was the longtime use of distance work tools to improve cross-organizational collaboration, even when the parties at both ends of the line sat in offices. A 2013 survey by McKinsey Consulting found multiple expected benefits to these measures, such as reduced travel costs and increased employee satisfaction.

But the survey also discovered that there was faster access to internal experts and corporate knowledge when using collaborative tools. This implies that in both the private sector and government contexts, it’s less important where you do knowledge-based work than it is how you do it – using collaborative tools in a team-based work environment.

In the last two months, the corporate world has gradually come to realize that it cannot wait to adapt these tools fully to an at-home workforce. Companies have shifted from a strategy of “do what is most urgent and feasible now and postpone everything else until we return to the office” to “we have to make everything work remotely because who knows how long this will last and we can’t push things off any longer.”

For most companies, that means mastering levels three and four of Glaveski’s remote work hierarchy by embracing text-based communication, fewer meetings and asynchronous schedules.

And a few small tech companies have even reached the “nirvana” state that Glaveski describes. For example, Pipedrive, a new software company with staff in both the United States and Europe, responded to COVID by becoming a completely virtual company inside of 24 hours, according to futurist Heather McGowan. And one tech company, Automattic (the company behind WordPress, which powers 35 percent of all websites on the internet), beat COVID to the punch. It is 15 years old and has nearly 1,200 staff scattered across 75 countries – and no offices!

It is easy to think of the current disruption in workplace operations as a temporary shift that will reverse itself after the COVID threat recedes. But as McGowan suggests in Forbes, this pandemic “might be the great catalyst for business transformation,” producing changes in months that might have otherwise taken years to transpire.

“We’re seeing changes that affect work, learning, and daily life,” she writes, “changes that will become a new normal and that take place against a backdrop of several fundamental shifts.”

For example, a slow evolution in corporate culture even before COVID was giving employees greater autonomy and an increased role in meeting business goals. Companies are beginning to recognize culture, creativity and innovation as ingredients of success, and managers increasingly trust their people to “do the right thing.” Corporations have started to consider employee welfare as a central goal in addition to profit. These trends too are bound to accelerate as social distancing continues, and will persist long after it ends.

Future columns will explore these distance work approaches further and how they can be adapted to a government context.”

https://washingtontechnology.com/articles/2020/05/08/insights-kamensky-adapting-to-home-work.aspx

* * * * * *

Note: This post is the second in a series on distance work. Click here to read part 1.

ABOUT THE AUTHOR:

John Kamensky (@JMKamensky) | Twitter

John M. Kamensky is a senior fellow at the IBM Center for the Business of Government and a fellow at the National Academy of Public Administration. He can be reached at john.kamensky@us.ibm.com.

New Cybersecurity Regulations ‘On Track’ Despite Virus

Standard

“NATIONAL DEFENSE MAGAZINE”

Katie Arrington, chief information security officer at the office of the undersecretary of defense acquisition, said CMMC is still on track despite hurdles created by the ongoing COVID-19 pandemic that has roiled the world.

“We are on track, but we’re having to retool some of the training because the actual inspections … [do] have to happen,” she said. “The actual audit has to be done on site.”

_________________________________________________________________________

“Work on the Defense Department’s highly anticipated set of new cybersecurity standards — known as the Cybersecurity Maturity Model Certification version 1.0 — is still on track despite the ongoing COVID-19 pandemic, said an official in charge of the effort April 22.

The new rules, which the Defense Department rolled out earlier this year, are meant to force the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. The rules will eventually be baked into contracts, and the Pentagon had targeted including them in requests for information as early as this summer on pathfinder programs.

Under the plan, CMMC third-party assessment organizations, known as C3PAOs, will be trained and approved by a new accreditation body. They will have to certify that a company has met the CMMC standards before it can win contracts. CMMC features different levels, with the level 1 standards being the least demanding and level 5 the most burdensome.

“We are on track, but we’re having to retool some of the training because the actual inspections … [do] have to happen,” she said. “The actual audit has to be done on site.”

The Pentagon is working on ways around that, she said during a webinar called “Protecting Small Business in a COVID-19 Environment” hosted by Project Spectrum, which is part of the Cyber Integrity Initiative and is supported by the Pentagon’s Office of Small Business Programs.

“We’re still on track,” she said. “We’re still doing the pathfinders. We’re working through those. We’re still on target to release some initial RFIs in June with the CMMC in it so we can all kind of get a feel for it.”

Additionally, the Pentagon still plans to get the first class of C3PAOs rolling out in late May or early June, she said.

The biggest sticking point will be conducting in-person audits, as is required, Arrington said.

“Until we get the directive from the president and from Secretary [of Defense Mark] Esper with the DoD we have our stay-at-home orders,” she said. However, “the work hasn’t stopped and we’re still doing our absolute best to stay on track.”

Last week, speaking during a Bloomberg Government webinar, Arrington said potential delays of a couple of weeks would be insignificant to the overall program.

“A two-week push on something is not going to … have a massive impact to our rollout of this,” she said. “I don’t think it’s going to be impactful to the schedule. I think maybe we’ll have a two, three week slip on actually doing the first audits, the pathfinders, but nothing of significance.” Auditors may have to wear masks or social distance while conducting their work, she said.

Meanwhile, Arrington noted that businesses should consider implementing the first level of the CMMC requirements now to protect themselves as more employees in the defense industrial base work from home.

“CMMC level one are 17 controls, no cost, that you can implement today that can help you be secure,” she said. “Waiting isn’t an option for any of us right now.”

She also stressed the importance of good cyber hygiene, and recommended that employees frequently change their passwords and be mindful of spearphishing attempts.

“Do your best to be diligent and remember that … the weakest link is where the adversary will come in,” she said. “Don’t be the weakest link.”

Nathan Magniex, a senior cybersecurity expert at Project Spectrum, also noted during the webinar that contractors should be wary of conducting meetings on the popular video platform Zoom.

“I would not use it as a business owner,” Magniex said. “There are certain red flags. There are connections with China that are concerning especially for the defense industrial base.”

Project Spectrum recently released a white paper on potential security risks with Zoom which said, “Zoom’s numerous vulnerabilities are not unique to them because every software company and application has them. Zoom’s links to China, however, are particularly concerning because those links expose the DIB and its supply chain, thus jeopardizing American innovation, IP and proprietary information.”

Project Spectrum recommended Cisco Webex, Facebook Workplace, Google Hangouts, GoToMeeting and Microsoft Teams as potential alternatives.”

https://www.nationaldefensemagazine.org/articles/2020/4/22/new-cybersecurity-regulations-on-track-despite-virus

Amid COVID-19 DOD Weighing Security And Other Transaction Agreement (OTA) Controls

Standard
Image: https://twitter.com/hashtag/othertransactionagreements?src=hash

DEFENSE SYSTEMS

OTAs are meant to speed the government buying process and allow DOD to buy new capabilities faster by allowing officials to sidestep competitive bidding in certain cases.

Rapid acquisitions for prototypes and experimental technology will be subject to the Defense Department’s unified cybersecurity standard.

_____________________________________________________________________________

“In an OTA, in the technical specs, they can actually call it [Cybersecurity Maturity Model Certification (CMMC)] out and say what they want,” said Katie Arrington, DOD’s chief information security officer for acquisition during an April 29 NextGov webinar on CMMC.

OTAs are meant to speed the government buying process and allow DOD to buy new capabilities faster by allowing officials to sidestep competitive bidding in certain cases. But there’s ample worry of potential overuse, which could invite congressional scrutiny.

Arrington’s comments come as DOD has begun pushing for the use of OTAs to find and execute on solutions that can help treat or prevent the spread of coronavirus. Ellen Lord, DOD’s acquisition chief, issued a memo in early April to ease the OTA process by delegating contracting authorities to heads of agencies and combatant commanders during the pandemic.

For example, the Army issued $100,000 contracts for innovative ventilator solutions that could be deployed in rural settings as part of its xTech COVID-19 Ventilator Challenge. The ongoing contest aims to produce 10,000 ventilators suitable for field operation in eight weeks and uses OTAs.

As for cyber concerns, Arrington said because OTAs operate “outside” the Federal Acquisition Regulation and largely benefit small businesses, which can be the most vulnerable when it comes to cybersecurity, CMMC is even more important.

“That’s where we need to ensure that we’re putting those levels of CMMC in,” she said. “If you’re doing some grant work, we do need to make sure the institution or the department or the network that you’re doing this work on understands the risk … Everybody’s vulnerable.”

https://defensesystems.com/articles/2020/05/06/cmmc-ota-cyber-williams.aspx