Category Archives: IoT

Estonia Lesson Learned: “Every Country Should Have a Cyber War”


“DEFENSE ONE”

“Estonia’s biggest turning point was 10 years ago, when the country came under sustained cyberattack.

The shock of a cyberwar united the community to take action. Estonians don’t see cybersecurity as a phenomenon; it’s about being empowered by technology, not controlled by it.”


“Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves.

In 1991, Estonia was part of the dying communist empire. Its economy was run by central planners in Moscow, less than half of all households had a phone line, and goods were so scarce that people had to line up for food.

Skip ahead 26 years, and Estonians don’t even have to queue to vote. They do that online.

In just over two decades, Estonia has become one of the world’s most digitally innovative and efficient countries. In fact, Estonians conduct all their civic responsibilities online. Offices and paper forms have become obsolete as state-issued digital identities allow all citizens to carry out any financial or government transaction from their laptops or cellphones. And that gives them an edge when it comes to cybersecurity.

Estonia’s journey down the digital road has been astonishingly fast. When it gained independence from the Soviet Union in 1991, it had almost no money and few natural resources. But it did have one advantage: It was the designated center for software and computer production for the USSR. After achieving independence, the country had a pool of tech expertise to build on.

During these early years of independence, Estonia needed to create the means for a new economy. And it wasn’t going to be easy. The country’s tiny population of just 1.3 million is spread over a relatively vast countryside. Outside the capital Tallinn, there’s an average of just four people per square kilometer. The new government didn’t have the resources to extend government offices or banking facilities to small towns and villages, so it decided to encourage self-service, and spread internet access across the country in order to do so.

To achieve this, the government set up an investment group to build computer networking and infrastructure. By 1997, almost every school was connected to the internet, and by 2004, 300 wifi access points had been established, bringing the internet even to small villages—and mostly for free.

In 2007, Estonia was in the middle of a political fight with Moscow over plans to remove a Soviet war memorial from a park in Tallinn. Suddenly, it was hit with three weeks of D-DoS (designated denial of service) attacks. When this happens, multiple sources send multiple online requests, flooding a service or system and making it unable to function. It’s the digital equivalent of crowding an entrance to a building so that no one can come in or out.

As a result, the internet shut down as websites were bombarded with traffic. Russia denied any involvement, but Estonia didn’t believe it.

“War is the continuation of policy by other means,” Estonian president Kersti Kaljulaid told a NATO cyber-conference in Tallinn in June 2017. “Ten years on, it is clear that the decision made by Estonia not to withdraw but stay and fight for the security of our cyberspace was indeed the right one.”

The attacks made Estonia more determined than ever to develop its digital economy and make it safe from future attacks. “I think every country should have a cyber war,” says Taavi Kotka, the government’s former chief information officer. “Citizens get knowledge about what an attack means, about how phishing works, how D-DoS works, and they start to understand and live with that. People aren’t afraid if they know they can survive something. It’s the same thing as electricity going off: Okay, it’s an inconvenience, but you know how to deal with it.”

In Estonia, people are not afraid of cyber warfare, nor are they afraid of sharing personal data across public and private institutions. Go to a hospital, and the nurse or doctor can call up your entire health records from any doctor you ever visited without the need to call their offices and ask them to send files.

Full marks for convenience, simplicity, and efficiency. But what about the dangers of nameless bureaucrats accessing your personal data? Isn’t there a risk of future governments abusing the system and using your intimate details against you? Isn’t this inviting an Orwellian nightmare?

Estonia says no. Unlike an authoritarian state like the old Soviet Union, government transparency is built into the system. While all your private data is online, only you can give permission for any data to be accessed. And you can check who has accessed what. If a doctor you don’t know has viewed your records, it will be traceable, and you can have them sacked. As one software developer Quartz spoke to said, “You become your own Big Brother.”

Data is protected through a framework known as X-road, which helps exchange decentralized data between big government databases. X-road has built-in security measures that encrypt traffic and time-stamps so that the data cannot be manipulated. Taimar Peterkop, from Estonia’s Information System Authority, says that the security measures built into E-identity databases are all but impenetrable by outsiders. “Estonia takes data integrity very seriously because our society is so digitized,” he says. “If someone manipulates citizens’ data, that’s a challenge for us. We use blockchain-based technology to ensure the data is as it should be.”

When it comes to security, Peterkop says humans are usually the weak link. “Cybersecurity starts with us. If you have weak cyber hygiene, that’s a problem. We need to raise awareness and educate people about using strong authentication methods,” he says. For example, Estonia has public-education campaigns about how to use your smart devices wisely.

It seems like glaringly obvious advice, but a look at the recent US election shows that basic cyber hygiene has been an afterthought, even for the powerful. When Democratic nominee Hillary Clinton’s campaign chief John Podesta’s Gmail account was hacked, Wikileaks founder Julian Assange claimed Podesta’s password was simply the word “password.” The campaign denied this claim and said they fell victim to a phishing scam. Whatever the case, it was an avoidable security breach that should never have occurred.

Peterkop also says that consumers need to ask more questions about the Internet of Things, especially when it comes to everyday household products and devices. “There is so much pressure to come up with new products in a hurry, so security measures are an afterthought,” he says. “As consumers, it’s essential that we start paying attention to it. We don’t do enough risk mitigation. Basically every TV is a computer now.” These issues are present already: A recent document dump from Wikileaks points to hacking tools that directly relate to Samsung televisions.

Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves. As well as creating a paperless public service, Estonia is now backing up government data on secure servers offsite in Luxembourg. It has also prioritized tougher international action for cyber-crime and encouraged private companies to review security measures and have stronger agreements with server providers.”

http://www.defenseone.com/technology/2017/08/every-country-should-have-cyber-war-what-estonia-learned-russian-hacking/140217/?oref=d-mostread


DIU(X) Pentagon Outreach Program To Tech Startups Is Here to Stay


DIU(X) Web Site: https://www.diux.mil/portfolio

“BREAKING DEFENSE”

“DIU(X) has spent $100 million on projects from 45 companies. These are not traditional defense contractors but commercial tech companies, mostly small ones, backed by about $1.8 billion in venture capital.

The whole idea is to reach beyond the often stodgy military-industrial complex to the thriving, innovative tech sector, especially to start-ups that lack the time, connections, or specialized manpower to penetrate the defense procurement labyrinth.”


“How does Trump’s Defense Secretary feel about one of the Obama Pentagon’s more controversial ideas, the outreach to tech start-ups known as DIU(X)?

“I don’t embrace it,” Jim Mattis told reporters en route to Silicon Valley yesterday. “I enthusiastically embrace it, and I’m grateful that Secretary Carter (Ash Carter, Obama’s last SecDef) had the foresight to put something in place to anchor the Department of Defense out there.”

“I want to see results. I want to see what they’re doing with their location and the ideas that they’re bringing, they’re harvesting — what are we getting out of it?” Mattis continued when pressed by a skeptical press. “Absolutely, I want to see them in their mission. I’m not coming out here questioning the mission.” (Emphasis ours).

Mattis’s embrace of this Obama-era idea is just the latest sign that there’s a lot more continuity at the Pentagon in some policy areas than President Trump’s Twitter barrages would suggest. Trump blasted the F-35 stealth fighter; Mattis committed to continued production. Trump called NATO “obsolete” and said South Korea should pay for US missile defenses; Mattis reached out to allies. Trump campaigned on pledges of a Reaganesque defense buildup; his actual budget proposal has been modest. Trump promised new Navy ships and Army units; Mattis has prioritized better training and maintenance for the forces we already have. Trump said he’d made US nuclear forces stronger, but they’re actually still shrinking under Obama-era arms control treaties. All modernization to nuclear delivery systems was started under Obama.

In this context, Mattis keeping his predecessor’s Defense Innovation Unit (Experimental) isn’t so surprising. Congressional Republicans have been ambivalent about DIU(X), which has offices in three strongholds of Democrat-leaning techies: Palo Alto, Austin and Boston. (Note the persistent attacks by the far right on Google and other tech companies.) House Armed Services chairman Mac Thornberry has worried aloud that DIU(X) duplicates longstanding high-tech efforts such as DARPA.

One of Work’s last acts, on July 14, was to give DIU(X) new legal authorities. One of the most significant is rapid hiring authorities that let DIU(X) bypass cumbersome federal regulations and bring tech experts onboard in as little as a day. (Similar authorities have been proposed in Congress.) Another expanded the unit’s ability to set up Cooperative Research & Development Agreements (CRADAs) with private companies. Still other authorities gave DIU(X) new abilities to advertise, run prize competitions, and host conferences, all methods of getting geniuses’ attention for its projects.”

What has DIU(X) done to deserve more money and power? The unit’s signature achievement so far is new planning software for Air Force flight operations previously run with Microsoft Excel and markers on whiteboards. The new software cost $1.5 million, but by scheduling sorties more efficiently, it will save an estimated $131 million a year in fuel and maintenance for tanker aircraft, DIU(X) says. The DIU(X) project also delivered in 120 days what a multi-year, $745 million Air Force program could not.

Other DIU(X) contracts range from robotic sailboats (“saildrones”) to collect data on the ocean – vital for naval planning – to military simulations derived from commercial games.

All told, after a rough start which prompted Carter to reboot the unit, DIU(X) has spent $100 million on projects from 45 companies. These are not traditional defense contractors but commercial tech companies, mostly small ones, backed by about $1.8 billion in venture capital. The whole idea is to reach beyond the often stodgy military-industrial complex to the thriving, innovative tech sector, especially to start-ups that lack the time, connections, or specialized manpower to penetrate the defense procurement labyrinth. [UPDATE: Mattis also visited Google on Friday, but the tech giant has been leery of military contracts.] This strategy lets the military ride a train whose locomotive is massive private investment the Pentagon doesn’t have to pay for.

Now Mattis is publicly embracing this approach. In the words of a press release the Defense Innovation Unit (Experimental) put out to celebrate the secretary’s visit, it looks like “DIU(X) is here to stay.”

http://breakingdefense.com/2017/08/diux-is-here-to-stay-mattis-embraces-obama-tech-outreach/

A New Tool for Looking at Federal Cybersecurity Spending


Image:  “Taxpayers for Common Sense”

“THE PROJECT ON GOVERNMENT OVERSIGHT”

“A new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.”


“More and more of what the federal government does relies on complex computer systems and networks. This high tech infrastructure makes the government work better by making services more efficient and accessible.

But that digital revolution also comes with big risks—just think back to the massive data breach at the Office of Personnel Management disclosed in 2015, when hackers compromised sensitive information about tens of millions of Americans. Last year, there were at least “30,899 cyber incidents that led to the compromise of information or system functionality” at federal agencies, according to a White House report released in March. The number of attacks on federal computer systems has risen sharply over the last decade.

So how much is the government spending to protect itself (and us) in this brave new world?

Unfortunately, the answer is “we don’t really know.” But a new tool from nonpartisan watchdog group Taxpayers for Common Sense provides perhaps the most comprehensive analysis of federal cybersecurity spending.

Last week, Taxpayers released a new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.

Taxpayers used public budget documents to build the database, but it wasn’t easy. “There is no government-wide standard definition or method of accounting for what qualifies as cyber funding and, therefore, no way to fully track it,” the organization explains on its methodology page. Agencies also use a variety of different approaches to tackle the issue, making it even harder to pin down their spending. Then, there is the government’s murky “black budget” of classified spending. So Taxpayers “settled on providing the best picture [it] could develop from extensive research of government programs” that are unclassified, spending two years searching through thousands of budget documents for terms like “information security” and “information assurance.”

Taxpayers found the amount spent on cybersecurity has quadrupled over 11 years. The group was able to tally $7 billion in unclassified cybersecurity spending in 2007, as compared to $28 billion in 2016. But some of that growth could be attributed to improvements in how the government tracks cybersecurity funding.

The resulting snapshot isn’t perfect, but it’s an impressive start—and a necessary one. After all, you can’t figure out what bang the government gets for its cybersecurity buck if you don’t know where those bucks go.”

http://www.pogo.org/blog/2017/08/a-new-tool-for-looking-at-federal-cybersecurity-spending.html

Northrop Grumman Expanding Grand Forks, North Dakota Unmanned Aerial Systems Facility


Photo: Northrop Grumman

“NATIONAL DEFENSE MAGAZINE”

“Less than a year after Northrop Grumman opened the doors to its new unmanned aerial systems facility in North Dakota, the company will soon break ground on a new hangar to conduct testing and maintenance on its family of autonomous systems.

The company expects to employ 100 people by the end of 2017, with a mix of current Northrop employees coming from San Diego and other locations, and new hires from the North Dakota area.

The Grand Sky Park, for which Northrop Grumman is the anchor tenant, hosts several commercial tenants with ties to unmanned aerial systems, including General Atomics, Hambleton said.

The company in April announced the opening of its new facility at the Grand Sky Unmanned Aerial Systems Business and Aviation Park near Grand Forks. The facility serves as a “nucleus” for research and development, pilot, operator and maintainer training, as well as operations and mission analysis and aircraft maintenance, according to Northrop.

Before the end of the summer, Northrop will start work on a new hangar that will allow it to take advantage of the proximity of Grand Forks Air Force Base’s remotely piloted aircraft squadron, David Hambleton, Grand Sky program manager and site lead, said in an interview with National Defense.

Northrop leased 10 acres of land from the Air Force to build the recently opened facility and the 35,000 square-foot hangar, which is expected to be complete by the end of 2018, he said. Flight testing and aircraft maintenance for the company’s family of autonomous systems will begin by the following year, he added.

The company’s facility in North Dakota will be an “offshoot” of its autonomous systems division in San Diego, California, he said. “In one place, we have access to both civil and restricted airspace [and] opportunities to collaborate with the universities nearby” such as the University of North Dakota and North Dakota State University, he said.

The Grand Sky team will have the ability to link different capabilities “through a modeling and simulation backbone,” he added. “We’ll be able to tie together system testing in a lab with monitoring mission data as it comes in, connecting to training simulators and linking them together in a technical way to enable new ways of doing what, in the past, we’ve done independently or separately.”

The FAA-designated Northern Plains unmanned aerial systems test site is also located in Grand Forks, and the Air Force’s fleet of RQ-4 Global Hawk unmanned surveillance aircraft, produced by Northrop, is based next door, he noted.

“Having all of these capabilities and infrastructure concentrated here makes Grand Sky a desirable place for us to pursue flight testing and system demonstration,” he added.

Northrop expects to perform flight testing and maintenance for the Global Hawk fleet at Grand Sky, but also intends to support other unmanned systems such as the Navy’s forthcoming MQ-4C Triton surveillance aircraft or the MQ-8 Fire Scout reconnaissance helicopter, he added.

Northrop committed over $10 million to the initial Grand Sky project, and its initial 36,000 square-foot facility was completed in late 2016, he added.

The local community and the state of North Dakota were interested in developing the unmanned aerial systems industry in the Red River Valley region, he said. A group of local actors that included the University of North Dakota and Grand Forks County developed the Red River strategic alliance agreement.

“Northrop Grumman signed on to this agreement to promote the UAS industry,” he said. “That set the stage for the goal of creating… the Grand Sky aviation business park for UAS.”

http://www.nationaldefensemagazine.org/articles/2017/8/3/northrop-prepares-for-new-hangar-construction-in-north-dakota


Pentagon To Unveil New Acquisition Structure


“DEFENSE NEWS”

“The Pentagon is scheduled to deliver its new acquisition structure to Congress, a major step toward redesigning how the building researches and procures equipment.

The 2017 National Defense Authorization Act instructed the Pentagon to devolve the undersecretary of acquisition, technology and logistics, or AT&L, into two separate jobs: undersecretary for acquisition and sustainment, or A&S; and a new undersecretary for research and engineering, or R&E, essentially a chief technology officer.

Those changes are expected to be in place by Feb. 1, 2018.

Congress purposefully allowed time for the Department of Defense to come up with its own road map on how the split should occur, which the department is supposed to deliver to Capitol Hill on Aug. 1 [2017].

Sources say there were discussions about delaying that delivery, in order to allow newly installed Deputy Secretary of Defense Patrick Shanahan a chance to weigh in. However, all indications are that the department intends to hit its Tuesday deadline.

It is important to note that this report will not be the final say in the issue. Its purpose is to inform Congress of how the department will split the duties of AT&L and the broad organizational strategy, but does not need to detail the nuts and bolts of currently shared services. That also means that Shanahan and Ellen Lord, the longtime Textron executive-turned-AT&L nominee who may be confirmed this week, will have a chance to continue to give input going forward.

An interim, two-page memo to Congress was delivered March 1, which contained few details about how the building is approaching the question of devolving AT&L into the new offices.

Congress, meanwhile, is trying to balance giving senior leaders a chance to weigh in with making sure the DoD meets the Feb. 1 deadline. And while the report will be happily received in Congress, there is skepticism about what the DoD will actually deliver and how closely it will hew to Congress’ vision of how the new structure should look.

Bill Greenwalt, a longtime defense acquisition expert who spent two years as a staffer on the Senate Armed Services Committee where he had a central role crafting McCain’s acquisition changes, emphasized that the Pentagon’s thoughts are recommendations and that Congress will have final say.

“I think it will be a back and forth between the Congress and administration in terms of how to make this work,” he told Defense News. “The key thing for Congress is R&E should be driving innovation. A&S should be providing the oversight structure. The boxes shouldn’t be transferred around, it should be a cultural shift.”

SCO, DIUx likely folded under R&E

While the majority of the changes to the AT&L structure will entail a reshuffling of offices already under central control, there are two notable offices that may be brought in house, whether they desire it or not.

The Strategic Capabilities Office, or SCO, and the Defense Innovation Unit Experimental, or DIUx, were two pet projects of former Secretary of Defense Ash Carter. The SCO is focused on finding innovative solutions to near-term challenges, while DIUx is charged with creating ties between the DoD and the commercial technology sector.

Notably, both offices have existed as quasi-independent entities. DIUx actually started as a report inside the AT&L structure before being relaunched a year ago following a lack of progress in its mission; it then became a direct report to Carter. The SCO, meanwhile, was created by Carter during his time as deputy secretary of defense and was formally introduced to the world by Carter during the fiscal 2017 budget rollout.

With Carter gone and Congress seeking to improve innovation inside the building, there is pressure from the Hill to see those groups folded into the new R&E portfolio. In a May 18 interview, Mary Miller, acting assistant secretary of defense for research and engineering, said SCO and DIUx “would naturally fit in the USDR&E, that’s the intent.”

“If we set this undersecretary up as we believe we will, as we’re hoping this turns out to be and it will be a select-in to this whole new culture we’re establishing, we don’t need to have special groups that were set up just to be different, because that will be the undersecretary mission,” Miller said during the interview.

Greenwalt said that if the Pentagon crafts the R&E spot “right,” groups like DIUx, SCO, the various rapid capabilities offices and perhaps the Defense Advanced Research Projects Agency should all fall under its control.

When it was pointed out to him that regardless what the Pentagon says, Congress could step in and demand those groups fall under R&E’s control, Greenwalt smiled. “Right. That’s the back and forth,” he said. “We’ll have to see how it works.”

Greenwalt isn’t the only one who thinks those outside groups should come inside. Frank Kendall, whose tenure of four-plus years as AT&L ended with the Obama administration, believes that for the R&E spot to work, it must include all the research groups scattered around the department.

“It would have basic research, 6.1, 6.2 and 6.3, it would have DARPA, it would have SCO and DIUx, it would have the existing office that does experimentation,” Kendall said in April, adding that he had provided that recommendation to Deputy Secretary of Defense Bob Work.

Andrew Hunter, an analyst with the Center for Strategic and International Studies, noted that the Senate clearly has been leaning toward putting SCO, DIUx and DARPA into the R&E portfolio. But that may be an imperfect fit, he warned.

“DARPA, by mandate, deals with that leap-ahead tech, 6.1, 6.2, 6.3 work, research that is early stage. Once it gets to prototypes, that’s no longer DARPA territory. SCO is on the other end,” Hunter said. “Both have a fit in the R&E position. But it seems the department is heading towards having R&E have more of an early stage focus, so they might come to a different answer.”

Leadership questions

While the future of the R&E office is uncertain, the A&S job appears to be more stable — in part because its leadership seems intact.

Lord, the former Textron executive, has already gone through a confirmation hearing for the AT&L job, during which she reaffirmed she would be sliding over to A&S once the AT&L office goes away in February.

The Senate’s version of this year’s defense authorization bill would require Lord to be reconfirmed for the A&S job, but given how little headwind she faced in her confirmation hearing, the assumption is she would easily be reconfirmed for the new title.

Which brings up the question of who her counterpart would be. It is understandable that no names have been put forth for the job, as the White House and Pentagon have been focused on filling existing roles, plus the R&E job does not exist. But waiting too long to put forth a nominee could have “risk,” Hunter said.

“You might not be able to get the quality person you want because of how it is cast. The earlier you name a person, the more they have a chance to shape the structure of the office,” he added. “However you slice the piece, what used to be one really powerful job is now two jobs, each of which is slightly less powerful — so how appealing are they for someone who wants to put their stamp on the future?”

http://www.defensenews.com/pentagon/2017/07/31/pentagon-to-unveil-new-acquisition-structure-on-aug-1/

Flush Times for Hackers in Booming Cyber Security Job Market


A recruiter advertises a QR code to attract hackers to apply for jobs at the Black Hat security conference in Las Vegas, Nevada, U.S., July 27, 2017. Joseph Menn

“REUTERS”

“One of the outside firms that handle such programs, HackerOne, said it has paid out $18.8 million since 2014 to fix 50,140 bugs, with about half of that work done in the past year.

Mark Litchfield made it into the firm’s “Hacker Hall of Fame” last year by being the first to pull in more than $500,000 in bounties through the platform, well more than he earned at his last full-time security job, at consulting firm NCC Group.”


Reporting by Joseph Menn and Jim Finkle; additional reporting by Dustin Volz; Editing by Jonathan Weber and Grant McCool

The surge in far-flung and destructive cyber attacks is not good for national security, but for an increasing number of hackers and researchers, it is great for job security.

The new reality is on display in Las Vegas this week at the annual Black Hat and Def Con security conferences, which now have a booming side business in recruiting.

“Hosting big parties has enabled us to meet more talent in the community, helping fill key positions and also retain great people,” said Jen Ellis, a vice president with cybersecurity firm Rapid7 Inc, which filled the hip Hakkasan nightclub on Wednesday at one of the week’s most popular parties.

Twenty or even 10 years ago, career options for technology tinkerers were mostly limited to security firms, handfuls of jobs inside mainstream companies, and in government agencies.

But as tech has taken over the world, the opportunities in the security field have exploded.

Whole industries that used to have little to do with technology now need protection, including automobiles, medical devices and the ever-expanding Internet of Things, from thermostats and fish tanks to home security devices.

More insurance companies now cover breaches, with premiums reduced for strong security practices. And lawyers are making sure that cloud providers are held responsible if a customer’s data is stolen from them and otherwise pushing to hold tech companies liable for problems, meaning they need security experts too.

The non-profit Center for Cyber Safety and Education last month predicted a global shortage of 1.8 million skilled security workers in 2022. The group, which credentials security professionals, said that a third of hiring managers plan to boost their security teams by at least 15 percent.

For hackers who prefer to pick things apart rather than stand guard over them, an enormous number of companies now offer “bug bounties,” or formal rewards, for warnings about vulnerabilities that leave them exposed to criminals or spies.

In the old days, “The only payout was publicity, free press,” Litchfield said. “That was the payoff then. The payoff now is literally to be paid in dollars.”

There are other emerging ways to make money too. Justine Bone’s medical hacking firm, MedSec, took the unprecedented step last year of openly teaming with an investor who was selling shares short, betting that they would lose value.

It was acrimonious, but St Jude Medical ultimately fixed its pacemaker monitors, which could have been hacked, and Bone predicted others will try the same path.

“Us cyber security nerds have spent most of our careers trying to make the world a better place by engaging with companies, finding bugs which companies may or may not repair,” Bone said.

“If we can take our expertise out to customers, media, regulators, nonprofits and think tanks and out to the financial sector, the investors and analysts, we start to help companies understand in terms of their external environment.”

Chris Wysopal, co-founder of code auditor Veracode, bought in April by CA Technologies, said that he was initially skeptical of the MedSec approach but came around to it, in part because it worked. He appeared at Black Hat with Bone.

“Many have written that the software and hardware market is dysfunctional, a lemon market, because buyers don’t know how insecure the products they purchase are,” Wysopal said in an interview.

“I’d like to see someone fixing this broken market. Profiting off of that fix seems like the best approach for a capitalism-based economy.”

https://www.reuters.com/article/us-cyber-conference-business-idUSKBN1AD001

Pentagon Product Acquisition Focus Must Be On Requirements Document


“DEFENSE NEWS” By Gen. John Michael Loh (retired)

“The most important, yet most overlooked product in the defense acquisition system is a succinct operational requirements document.

The Defense Department’s acquisition process is so overloaded with Office of the Secretary of Defense as well as Joint Staff bureaucracy, unqualified personnel, multiple reviews and councils, and duplication of the service’s requirements organizations, that the requirement gets lost.”


“The operational requirements document, or ORD, is the foundation of the acquisition process from concept development through system development. That series of processes — the Joint Capabilities Integration and Development System, or JCIDS — in place since 2003, adds little value and never focuses on the ORD as the centerpiece. In fact, the requirements document isn’t called the “requirements document” in JCIDS. As the lengthy JCIDS process proceeds at a snail’s pace, what substitutes for a requirements document goes by various names like “initial capability document,” then, the “capability development document,” then the “capability production document,” without having a clear owner for each. An end-to-end ORD just doesn’t exist in JCIDS.

Instead of the top-down, JCIDS-based requirements process, the requirements process should be bottom-up with single ownership by the service’s major operating commands throughout. Putting together and managing an airtight, bulletproof ORD should be the first priority and main focus of activity during concept development leading to milestone one. After milestone one, the ORD should stay in the forefront of every decision and remain unchanged. That is the way the system worked before JCIDS.

We need to learn from the past and get back to basics in the acquisition system starting with the requirements process. From the start of the F-15 and F-16 programs in the early 70s through the F-22 start in the late 80s, concept development began with small, smart teams working together from the operating and developing commands; understanding the need; conducting trade-off analyses to assess risk and cost, in continuous dialogue, producing a requirements document unfettered by top-down micromanagement or wall-to-wall reviews and nitpicking.

The teams were manned by smart operators from the major operating command, who understood the capability needed, and by technical experts from the development command, who understood the state of the art and the risk to go beyond it. They worked in harmony in horizontal dialogue, not having to go through vertical chains of command to communicate with each other, as is the case today. Nor did the Pentagon interfere.

This process worked to produce remarkably well-constructed ORDs in less than a year in most cases. The ORD, approved by the operating and development command, went directly to the service chief and secretary for validation, then to the Joint Requirements Oversight Council, which made sure it included joint service support.

Typically, the work in the Pentagon took less than six months to validate the requirement and put it on the street to industry. The key was the work done by the small teams, freed from bureaucratic tyranny and micromanagement by non-experts.

The ORD served as the main product and basis for the system specification, request for proposals and the source selection process. It kept discipline in the acquisition system throughout all pre-full-scale development milestones.

However, building small, smart teams is essential but difficult. Experience and expertise are prerequisites. Experts in development command teams must know technical and cost risks, and have a working knowledge of operational matters. Experts in the operational command teams must know threats and concepts of operations, and a working knowledge of acquisition matters. But, these experts must be trained and educated for their roles.

Today, particularly in the major operating commands, the officers defining requirements are good operators but not expert in the requirements business. To make matters worse, the responsibility for defining requirements has been subordinated in many operational commands under the plans and programming functions.

Many things need fixing in the defense acquisition system. Reform should start with eliminating JCIDS and returning to what worked — making the ORD the foundational document and driving force in acquisition programs created by small, smart teams from the responsible commands in the services. The result will be an acquisition cycle that is years shorter than JCIDS, and systems that meet needed capabilities on cost and schedule.”

https://www.defensenews.com/opinion/2017/07/26/defense-acquisition-focus-on-the-requirement-document-not-the-process-commentary/

About the author: (wikipedia)

“John Michael Loh (born March 14, 1938) is a retired four-star general in the United States Air Force who last served as Commander, Air Combat Command from June 1992 to July 1995. His other four-star assignments include being the 24th Vice Chief of Staff of the Air Force from June 1990 – March 1991, and Commander, Tactical Air Command from March 1991 – June 1992.”

https://en.wikipedia.org/wiki/John_M._Loh


NASA Seeks Certified 8(a) Minority-Owned Contractors for $100M Headquarters IT Contract


“WASHINGTON TECHNOLOGY”

“NASA has kicked off the bidding on a potential five-year, $100 million contract for IT services at the agency’s headquarters in Washington.

Only small businesses with the 8(a) designation are eligible to compete for the Headquarters Information Technology Support Services III contract. The agency posted a request for proposals on July 18 and responses are due Aug. 18.

A selected contractor will provide integrated IT, systems engineering, operations and IT-related management support services to mission directorates and mission support offices at NASA’s headquarters. The solicitation also calls for management of a cloud infrastructure program in a managed computing environment at headquarters.

HITSS III has one base year with four one-year options and is the successor contract to HITSS II won by Digital Management Inc. in 2012. Media Fusion Inc. also is an incumbent contractor through a task order awarded against a GSA Schedule contract, according to Deltek.

HITSS II expires on Sept. 30 and has a potential five-year value of $177 million. Deltek estimates NASA has spent approximately $145 million over that contract’s lifespan.”

https://washingtontechnology.com/articles/2017/07/25/nasa-8a-it-hq-rfp.aspx


Government Accountability Office Stings DOD – “Fake Cops” Get $1.2 Million in Real Weapons


“WIRED”

“The GAO created a fictitious law enforcement agency—complete with a fake website and a bogus address that traced back to an empty lot.

The agency’s faux cops were able to obtain $1.2 million worth of military gear, including night-vision goggles, simulated M-16A2 rifles, and pipe bomb material from the Defense Department’s 1033 program.

When you think of a federal sting operation involving weaponry and military gear, the Government Accountability Office doesn’t immediately jump to mind. The office is tasked with auditing other federal agencies to root out fraud and abuse, usually by asking questions and poring over paperwork.

This year, the agency went a little more cowboy and applied for military-grade equipment from the Department of Defense. And in less than a week, they got it.

“They never did any verification, like visit our ‘location,’ and most of it was by email,” said Zina Merritt, director of the GAO’s defense capabilities and management team, which ran the operation. “It was like getting stuff off of Ebay.”

In its response to the sting, the Defense Department promised to tighten its verification procedures, including trying to visit the location of law enforcement agencies that apply and making sure agents picking up supplies have valid identification, the GAO report said. The department also promised to do an internal fraud assessment by April 2018.

A Defense Department spokesman declined to comment further.

The sting operation has its roots in the 2014 fatal police shooting of Michael Brown in Ferguson, Missouri. At the time, many were surprised to see law enforcement respond to protests with armored trucks, sniper rifles, tear-gas bombs, and other weapons of war.

Reporting by The Marshall Project and others found that much of the equipment came from the obscure 1033 program, which dates back to the Clinton era. Any equipment the US military was not using—including Humvees, grenades, scuba-diving gear, and even marching-band instruments—was available to local cops who could demonstrate a need.

The program has transferred more than $6 billion worth of supplies to more than 8,600 law enforcement agencies since 1991.

After Ferguson, then-President Barack Obama issued an executive order prohibiting the military from giving away some equipment and deeming other equipment “controlled,” establishing strict oversight and training requirements for law enforcement agencies that wanted it. The order also required a Defense Department and Justice Department working group to ensure oversight.

But since President Donald Trump took office, the group has not met, according to the Constitution Project, a legal and policy advocacy organization that had been participating in the meetings. Trump has said that he will revoke Obama’s executive order, although he has not yet.

Congress ordered the GAO to look into the program last year. A survey of local law enforcement did not turn up any instances of outright abuse at the state level, but did find one illegitimate agency that had applied as a federal entity and was approved for equipment, Merritt said.

That’s when the agency launched the sting. Contrary to its public image, GAO has snagged other agencies with undercover work in the past, including an investigation of the Affordable Care Act in which the agency submitted fictitious applications, and got approved, for subsidized healthcare coverage.

In this case, the GAO created the fake law enforcement agency — whose name the GAO would not reveal — which it claimed did high-level security and counterterrorism work. Once approved, the agency easily obtained the items from a Defense Department warehouse of unused military goods.

Jim Pasco, executive director of the Fraternal Order of Police, which lists rescinding Obama’s executive order as one of its top priorities for the Trump administration, said the possibility of fraud does not indict the whole program.

“It suggests only that the US military is one of the world’s largest bureaucracies and as such is going to have some lapses in material control,” Pasco said. “Law enforcement is going to get that equipment and we’re going to use it, to protect both officers and civilians. And if we don’t get it free from the military, we’re going to have to buy it with taxpayer dollars.”

But to Madhuri Grewal, senior counsel for the Constitution Project, and other opponents of police militarization, the problem is more fundamental.

“There just aren’t many everyday policing uses for military equipment like this,” Grewal said. “The question is why can real law enforcement agencies get some of this stuff, let alone fake ones?”

https://www.wired.com/story/gao-sting-defense-department-weapons/


Whistleblower Hotlines: A Valuable Tool

“NATIONAL DEFENSE MAGAZINE”

“An effective ethics reporting tool, implemented as part of an ethics and compliance program, can help an organization detect and resolve potential misconduct issues.

It can also help support a culture of integrity and responsibility within the workplace.

Misconduct in the workplace can be devastating. The Association of Certified Fraud Examiners’ “2016 Report to the Nations” estimates that, on average, organizations lose 5 percent of revenue per year due to fraud and other misconduct.

Many organizations have implemented active and deliberate misconduct-detection processes. “Active” means that a person, or an internal control method, has been put in place and is instrumental in looking for fraud and other misconduct. Compare that to “passive” detection, in which the organization learns of unethical activity only after the fact or by accident.

How does an ethics reporting tool, such as a whistleblower hotline, fit in? It could be labeled a “passive” tool because fraud or other misconduct is often reported after it has happened. However, an ethics reporting tool can help to shed light earlier on misconduct that might otherwise continue for any length of time and cause more damage.

Knowing about misconduct sooner enables an organization to put a stop to it earlier. According to the report, the median duration of fraud prior to detection is about 18 months. For smaller organizations, early detection could mean the difference between surviving or going out of business.

A whistleblower hotline doesn’t just help bring fraud to the forefront. Other types of misconduct commonly reported using these systems are harassment, discrimination, workplace health and safety violations, alcohol/drug abuse, violence in the workplace, and conflicts of interest — to name a few.

Once an ethics program has been implemented, it needs to engage every employee, from the top down. It can’t just exist as window dressing.

Senior management needs to be committed to the ethics program and sincere about sharing their commitment with employees. Employees learn acceptable workplace behavior by taking cues from leadership. If management doesn’t believe in the ethics program and model leading with integrity themselves, employees are not likely to use the reporting tool to report any unethical conduct.

Employees may also be skeptical about coming forward to report perceived misconduct. Many people are concerned that even if they do make a report, no corrective action will be taken. But the biggest fear for employees is retaliation by co-workers and management. Ethics program best practices, as well as regulatory standards, call for ethics hotlines to ensure confidentiality for employees who report concerns and offer the option for anonymity.

External third-party ethics hotlines, which often include a case management database, can help. Third-party programs provide the ability for management and the reporter to communicate with each other about the allegation securely, within the system, enabling management to gather more information while protecting the whistleblower’s identity. This ensures a more thorough investigation of the alleged misconduct, getting to the bottom of any serious issues sooner, before they escalate.

Customizable third-party whistleblowing systems allow companies to create a program that is best suited to meet the needs of their organization, regardless of industry. They log and date stamp every report and allow management of each case to closure.

The ability to include a company’s national or global locations as part of the reporting process enables all incidents to be funneled into the one system in an organized manner.

Every industry has its own unique risk concerns and customizable third-party systems help management spot and track issues and trends, no matter the location, the department or the issue.

If whistleblowers are not comfortable talking with their supervisor, they want to know where they can go to report ethical concerns and remain anonymous. An anonymous hotline removes many of the obstacles to reporting inappropriate behavior and gives employees, suppliers and vendors the ability to raise genuine concerns about illegal or unethical behavior.

Ethics hotlines also reduce the risk of individuals going outside the organization with their concerns, potentially damaging an organization’s reputation and causing further financial harm.

Every employee wants to know that his or her voice matters in the organization. That’s why encouraging a speak-up culture is important. Employees want to know they are part of the success of the company. Encouraging them to speak up about wrongdoing and showing them that their concerns do matter and are taken seriously creates more motivated employees who truly want to participate in the company’s future.

Many companies believe they are too small to warrant an ethics reporting system. There’s a belief that there’s too much complexity and work involved. But putting in extra upfront effort to set up a customizable program that is right for the company is well worth it when the result is more open communication, happier employees, reduced risk, and future growth and success.

When an organization implements a confidential and anonymous third-party ethics hotline, it lets employees and stakeholders know that it is serious about adherence to its code of conduct, it takes all reports of misconduct seriously, and it does not tolerate retaliation towards anybody reporting perceived misconduct.

If company leaders truly want to promote a speak-up culture, and give employees a safe place to come forward to report ethics and compliance concerns, then one of the best ways is to provide employees security and comfort of anonymity and confidentiality via a whistleblower hotline.”

http://www.nationaldefensemagazine.org/articles/2017/7/17/whistleblower-hotlines-a-valuable-tool