Category Archives: Security

Five Regulatory Changes For Government Contractors to Watch

Image: Mastercontrol.com

“WASHINGTON TECHNOLOGY”

In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government.

Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services to the USG.

______________________________________________________________________________

“In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government.

Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services to the USG. As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.

Section 889 of the Fiscal Year 2019 National Defense Authorization Act

As many USG contractors are now painfully aware, Section 889 of the Fiscal Year 2019 National Defense Authorization Act establishes two constraints on telecommunications supply chains. Subsection 889(a)(1)(A), effective as of August 13, 2019, prohibits USG agencies from acquiring certain telecommunications equipment or services from Huawei, ZTE, Hytera Communications Corporation, Hikvision, or Dahua, or any of their subsidiaries or affiliates.

Section 889(a)(1)(B), effective August 13, 2020, prohibits USG agencies from “enter[ing] into a contract (or extend[ing] or renew[ing] a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” As drafted, the statute is broad enough to apply in cases where a company uses such equipment or services solely in connection with its commercial sales outside of work the company does for the USG.

The interim rule for Section 889(a)(1)(A) was released last August and opened for comment. The FAR Council has indicated that it will provide feedback to those comments when it issues the proposed regulations for Section 889(a)(1)(B), which have not yet been released. This means that key terms, such as “entity” and “use,” remain undefined. Accordingly, contractors, especially those with a mix of commercial and government business, must take educated guesses in preparing compliance programs to begin to address these requirements.

SECURE Technology Act

On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act. The Act establishes the Federal Acquisition Security Council, which is charged with building greater cybersecurity resilience into federal procurement and acquisition rules.

The Act also gives the Secretary of the Department of Homeland Security, the Secretary of Defense, and the Director of National Intelligence the authority to issue exclusion and removal orders for information technology products and/or companies that supply such products if the FASC determines that they represent a risk to the USG’s supply chain. The Act also permits federal agencies to exclude companies or products they deem to pose a supply chain risk from individual procurements.

Recent reports indicate that the FASC is nearing completion of a final interim rule that would specify the exclusion criteria and detail the appeal process from an exclusion order. Although the Department of Defense and the Intelligence Community currently have the authority to exclude products in certain instances, this interim rule would apply government wide. Still to be seen is whether the exclusion determinations will be publicly available.

Cybersecurity Maturity Model Certification

On January 31, 2020, DoD released Version 1.0 (since updated to Version 1.02) of its Cybersecurity Maturity Model Certification. CMMC is DoD’s upcoming framework for managing cybersecurity risks in the Defense supply chain. Under the current paradigm, contractors that handle “Covered Defense Information” must self-attest to providing “adequate security” to protect that information, but are allowed to work toward implementing 110 NIST SP 800-171 security controls over time so long as the plans for doing so are appropriately documented.

Not only does the new CMMC add additional security controls (depending on the level of sensitivity assigned to the procurement), contractors must be in full compliance with each control at the time that contract performance begins. Most importantly, contractors will no longer be able to self-certify compliance. Instead, compliance with a particular CMMC level must be externally validated by trained auditors.

DoD is in the process of promulgating an update to the current Defense Federal Acquisition Regulation Supplement cybersecurity clause to account for the shift to CMMC requirements and is planning on choosing a subset of procurements where CMMC can be applied by the end of this year. DoD’s goal is to fully implement CMMC certification requirements in all DoD awards by Fiscal Year 2026. DoD has indicated, however, that COVID-19 could delay release of the DFARS clause.

Executive Order on Securing the ICTS Supply Chain

On May 15, 2019, the President issued an EO declaring a national emergency with respect to threats against ICTS in the United States. The EO authorizes the Secretary of Commerce to prohibit, block, unwind, or mitigate any transaction involving ICTS that is “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” Reviews of transactions will be conducted on a case-by-case basis.

Commerce received comments on a November 2019 proposed rule in January 2020. There has been no known use of the authority during the rulemaking process and an update is expected from Commerce soon.

Sections 1654 and 1655 of the Fiscal Year 2019 National Defense Authorization Act

Sections 1654 and 1655 of the FY19 NDAA generally require contractors to disclose whether they have allowed within the last five years a foreign government that poses a cybersecurity risk to USG defense and national security systems and infrastructure (or for non-commercial items, any foreign government) to review the source code of any product, system, or service that DoD is using or intends to use.

The law also requires contractors to disclose whether they are under an agreement to allow a foreign government or a foreign person to review the source code of a product, system, or service that DoD is using or intends to use. DoD will be able to condition contract awards on contractors’ mitigation of any risks that DoD identifies because of the foreign source code review.

The DFARS regulatory implementation of this requirement is currently on hold “pending resolution of technical issues,” and specific countries of concern have not been publicly identified, but regulations are still expected within the next year.”

https://washingtontechnology.com/articles/2020/06/26/insights-covington-regulatory-changes.aspx

GSA Bumps STARS II Ceiling By $7 Billion

Image: FCW

FCW

The General Services Administration raised the ceiling of its 8(a) Streamlined Technology Application Resource for Services (STARS) II contract by $7 billion, to $22 billion.

STARS II is a small business set-aside for customized IT services and IT-services-based solutions from 787 small business contractors that qualify under Small Business Administration standards. GSA said the contract is used by 50 federal agencies to plan and supply long-term IT projects.

_____________________________________________________________________________

“In early April, the GSA’s 8(a) STARS II governmentwide contract hit its $15 billion ordering obligation limit.

“By raising the 8(a) STARS II ceiling, GSA continues to ensure that we meet the needs of our federal agency customers,” said GSA Administrator Emily Murphy in a June 23 statement on the increase. “As agency demand for IT products and services has increased during the COVID-19 pandemic, GSA is proud that STARS II will remain available to help agencies deliver world class IT services.”

GSA started limiting task orders on the GWAC to agencies whose contracting officers had obtained a “control number” to use the contract vehicle, but it stopped issuing new control numbers.

All 787 contractors remain on the vehicle, GSA said in its announcement. Agencies can place new task orders through Aug. 30, 2021, and work can continue on those new orders through June 30, 2022.

GSA is working on a new iteration of the contract, 8(a)STARS III.

In a June 10 blog post, Laura Stanton, acting assistant commissioner of GSA’s Federal Acquisition Services’ Office of Information Technology Category, said the agency plans to issue the final solicitation for the STARS III contract by end of the federal government’s fiscal year on Sept. 30.

The initial STARS III request for information went out last August.

Stanton said the increase to STARS II wasn’t the first for the popular contract to accommodate agency demand.

“As we move into this contract’s fourth generation we can say for certain that this program is a huge success. A significant number of prior 8(a) STARS program participants have grown their businesses so much that we now see them thriving with the big companies on GSA’s Alliant 2 GWAC,” she said.”

https://fcw.com/articles/2020/06/24/rockwell-stars-ii-ceiling-bump.aspx?oly_enc_id=

Ways To Solve The Cyber Talent Gap

Image: Itproportal

FCW

The two biggest impediments hindering the federal government’s cyber recruiting efforts are money and the lengthy hiring process that consumes most federal agencies.

Declining budgets and a lack of career development programs are contributing factors in rising turnover rates among federal IT contractors.

______________________________________________________________________________

“Federal agencies and Congress have increasingly looked to bug bounty programs to find and stamp out cybersecurity vulnerabilities in their software. A new survey of nearly 3,500 security researchers who use Bugcrowd’s platform offers a glimpse into the backgrounds and motivations of a highly coveted pool of emerging cyber talent that both government and industry are desperate to recruit.

More than half of those surveyed live in urban environments, and three out of four speak multiple languages. Despite efforts within the information security community in recent years to improve diversity, the average age of those who participated in the survey skewed overwhelmingly young and male.

According to the survey, higher education is an important feature for many security researchers and their families. They’re most likely to have obtained a college degree (49%), have parents who have done the same (36%) and are three times less likely to drop out than their parents. The survey data “suggests most security researchers are degree-qualified because they come from educated families that value the acquisition of worldly knowledge, skills, values, beliefs and habits.”

While the size of the average American household has been in decline for decades, nearly half (48%) of respondents come from large families with between 4-12 members. Even with more mouths to feed, 64% reported pulling down a median annual income of just $25,000 or less, though many also say they only chase bug bounties on a part-time basis. Perhaps not surprisingly, making money was cited as the most important issue, followed by flexible hours and improved skills.

The report predicts that over the next six months, cybercriminals will exploit the widespread shift to remote telework in the wake of the COVID-19 pandemic, increasingly targeting vulnerable infrastructure through expanded reconnaissance activities and asset discovery. That in turn will lead to organizations boosting their reliance on white hat hackers over the next year as they race to identify and fix hidden software vulnerabilities.

The pandemic “has demystified many of the perceived differences between employees working remotely and security researchers” and emerging technologies such as machine learning that are not yet mature enough to meet the increased demand.

“This gap between automation and human adversarial creativity suggests organizations will increasingly seek to augment their human expertise in securing their assets via crowdsourcing, the most efficient and practical approach to finding available talent,” the company forecasts.

John Zangardi, former CIO at the Departments of Defense and Homeland Security, told FCW in an interview that in his experience, the two biggest impediments hindering the federal government’s cyber recruiting efforts are money and the lengthy hiring process that consumes most federal agencies.

While they often cannot compete on pay, one potential advantage for federal agencies could be through supporting the continuing education goals of its IT and cyber employees. A recent study by government contracting intelligence firm Deltek cited declining budgets and a lack of career development programs as a contributing factor for rising turnover rates among federal IT contractors, while a majority of respondents to the Bugcrowd survey say they use the platform for personal development and improving their skills.

Last year the Trump administration issued an executive order creating a new rotational program for federal employees to detail at the Cybersecurity and Infrastructure Security Agency and other agencies to improve their technical skills. CISA has also sought ways to sidestep normal federal hiring procedures to more easily hire information security specialists and pay them more.

Zangardi said during his tenure, cyber retention incentive bonus programs at DHS that provided extra compensation to employees who complete new certifications acted as a partial salve to some of the government’s inherent recruiting challenges. However, he acknowledged that for many positions — particularly highly-skilled ones — individuals can still earn tens of thousands of dollars more per year by doing similar work in the private sector.

“I can’t change the GS federal pay scale, but we can take steps to ensure that we’re giving them what we can,” said Zangardi.”

https://fcw.com/articles/2020/06/23/johnson-cyber-workforce-survey.aspx?oly_enc_id=

DARPA’s First Bug Bounty: Find Vulnerabilities In Hardware-Based Security

GCN

DARPA’s first bug bounty program, called the Finding Exploits to Thwart Tampering (FETT) program, will be held in partnership with the Department of Defense’s Defense Digital Service and Synack, a crowdsourcing security company.

__________________________________________________________________________

“The Defense Advanced Research Projects Agency is inviting security researchers to find vulnerabilities in its System Security Integration Through Hardware and Firmware systems.

Launched in 2017, SSITH aims to secure electronic systems with hardware security architectures and tools that protect against common classes of hardware vulnerabilities regularly exploited through software.

Participants will try to penetrate the SSITH hardware security schemes developed by researchers at SRI International, the University of Cambridge, the Massachusetts Institute of Technology, the University of Michigan and Lockheed Martin. Their approaches generally involve providing the hardware with more information about what the attacking software is trying to do so it can become an active participant in its own defense, DARPA officials said. The SSITH development teams are working with Galois, a computer science research and development company, to move the hardware instances to the cloud for the evaluations.

The emulated systems will be running in an Amazon Web Services EC2 F1 cloud. Each emulated system is based on field-programmable gate array semiconductors and includes a RISC-V processor core that has been modified to include the SSITH hardware security.

According to DARPA, each emulated system’s software stack will contain SSITH hardware security protections as well as common vulnerabilities, such as buffer errors, information leakage, resource management and numeric errors. Security researchers will be tasked to devise exploit mechanisms that bypass the hardware security protections.

The FETT challenge is expected to run from July to September 2020.

“There is a lot of complexity associated with hardware architectures, which is why we wanted to provide ample time for interested researchers to understand, explore, and evaluate the SSITH protections,” said Keith Rebello, the DARPA program manager leading SSITH and FETT.

Before security researchers and ethical hackers can join the FETT program as Synack red team members, they must first qualify through a capture-the-flag challenge. After they are approved, participants will see a number of applications using SSITH defenses, including a medical records database system, a password authentication system for PCs and a web-based voter registration system that aims to “protect the underlying voter information from manipulation or disclosure, even in the presence of vulnerabilities in the system’s software,” Rebello said.”

https://gcn.com/articles/2020/06/15/darpa-ssith-bug-bounty.aspx?oly_enc_id=

Cyber Speed Vs. Cyber Security In The Age Of Pandemic

Image: Shaun Gordon, “Future Stack”

“GCN” BY TONY HUBBARD, DAVE BUCKLEY, KATHY CRUZ

The need for speed may always conflict with concerns about preventing fraud and bolstering security. But one thing is sure: Future systems must be built for resilience, because the next technology upheaval could be right around the corner.

____________________________________________________________________________

“The sudden imperative to move state employees to remote work followed by the unprecedented flow of billions into state coffers to pay unemployment benefits has created big headaches for government agencies.

Sophisticated fraudsters have been waiting patiently for just this moment — the convergence of a flood of government funding and new, lax controls to allow money to get to applicants quickly. Armed with personally identifiable information obtained through data breaches and sold on the dark web, these fraudsters have applied for state unemployment compensation under false pretenses, diverting millions of taxpayer dollars and causing havoc for program officials and legitimate applicants. In addition, in states where mobile applications were quickly developed so applicants could apply conveniently via their smart phones, normal controls and processes were not implemented and, in some cases, security was compromised.

The move to remote work also led to some malicious activity as government agencies were forced to rapidly deploy remote-access solutions that were not designed to accommodate a surge of growth. Again, to get the workforce to be productive quickly, some security processes and controls were relaxed or waived.

Obviously, the pandemic forced government to balance the need for quick action against ensuring that security processes were followed and controls put into place. In the battle between speed and security, however, speed often won.  Fraudsters, always watching for vulnerability and opportunity, pounced. And they are still pouncing.

In retrospect, better cybersecurity controls could have been baked into payment processes from the beginning. This upfront activity could have largely prevented the incident and response efforts that inevitably occur when security becomes an afterthought. However, hindsight is not helpful now, so what can be done going forward to bolster security and prevent fraud?

Government agencies should examine every key decision since work-from-home orders began. They should conduct risk assessments, understand the threats, vulnerabilities and consequences – and reimagine security tools and processes that should have been built in.  Rather than thinking it’s too late and giving up, agencies should re-evaluate remote access and newly implemented collaboration tools, especially those involving third parties. For unemployment claims, agencies should re-examine modified applications and mobile apps to assure security. They must also look into privileged access, which may have changed, and continue to apply risk management concepts.

Above all, agencies must continue to focus on the fundamentals and make them integral to their culture. These include access management (especially for privileged users), training and awareness, consistent software patching, regular antivirus updates and well-tested business continuity and resilience processes.

While these measures can certainly help in the short term, the real solution is longer term.

If the pandemic has taught us anything, it’s the need to be resilient — and that is especially true for government technology systems.

Broadly speaking, what has occurred over the past three months should cause government organizations to think about the next crisis and build systems that can adapt to whatever happens — whether it is a sudden need for remote work solutions, a major program change to respond to an economic collapse or the constant need to stay one step ahead of hackers and fraudsters.  In short, agencies must evolve with the environment.

When agencies anticipate disruption, technology transformation projects can be planned with resilience and adaptability in mind. Cloud-based operations must be considered for critical applications because the cloud can provide the agility, efficiency and the elasticity needed during both normal business operations and unpredictable times.”

https://gcn.com/articles/2020/06/18/speed-vs-security.aspx

New Redesigned Social Security Retirement Benefits Portal

Image: Social Security Administration

“FCW”

The newly redesigned retirement benefits portal will make it easier for millions to file for retirement benefits, the agency said in a statement.

The new portal also cuts down on pages and dense wording in favor of more concise information.

______________________________________________________________________________

“The agency also optimized the portal for mobile devices, as well as set up subscription lists for retirement information and benefits updates.”

SSA.gov

“Social Security is part of the retirement plan for almost every American worker. It provides replacement income for qualified retirees and their families. This section of our website helps you better understand the program, the application process, and the online tools and resources available to you.”

Networked Customer Experience (CX) Is Converging Public And Private Sectors

Image: WSP

FCW

The government’s mobilization in the recent weeks to design a network of citizen-focused programs has been profound to watch—and in many ways represents the future of experience. 

At the end of the day, a networked customer experience is not just the result of a technical solution; rather, it’s a deeper philosophical shift in a move from top-down transactional experiences to more integrated, co-equal relationships between government and citizens.

____________________________________________________________________________

“In a matter of weeks, and in some cases days or hours, many businesses have pivoted because of the pandemic to meet the needs of their customers and offer a completely different customer experience (CX). Similarly, hospitals and medical practices have started to pivot their business model to focus on telemedicine, and many small businesses that were never in the delivery space have shifted quickly so they can continue to bring goods and services to customers—and remain profitable during a challenging time.

But the private sector is not the only space innovating and taking a customer-centered approach to the public health crisis. Government agencies have also had to shift in significant ways to operate in this unique environment and interact with citizens differently. Here are just a few examples of what federal organizations have done in a very short period of time to continue meeting their mission to serve citizens:

  • On April 15, the IRS launched the Get My Payment web tool so the millions of Americans who will receive stimulus checks can track the status of their payment. Shortly after deploying this tool the IRS began monitoring usage trends and customer feedback to drive the creation of coronavirus stimulus-specific FAQ content and iterative agile application improvements. The IRS has been, and will continue, deploying updates several times each week since launch.
  • In order to stay accountable to the public and report on the nearly $3 trillion stimulus funds, the Treasury Department is updating the Data Act systems to update its tools to account for increased submission requirements by agencies spending CARES Act money. The department is making that information available to the public on USAspending.gov and the Data Lab in new visualizations and data downloads.
  • In order to re-open recreation areas safely and in accordance with safe distancing guidelines, federal land management agencies are using Recreation.gov as one of their tools to provide advanced reservations, manage visitation volume, distribute information, and offer online payment solutions to visitors.
  • And the General Services Administration’s Technology Transformation Services pivoted up to 20 percent of its talent pool, at times, to fast-paced response efforts—including the development of authentication technology for the Paycheck Protection Program run out of the Small Business Administration and which is keeping so many businesses afloat.

Moving Toward Networked Customer Experiences

In both the private and public sectors, customers are expecting interactions that are seamless, with access to a collection of features simultaneously. We refer to this as a “networked” experience model, where customers create value with multiple providers, and the experience depends on the value those providers deliver collectively. There are still experience challenges that are unique to government given its organizational and mission complexity.

There will be a time soon when those responsible for delivering federal services like social security, veterans’ benefits, and medical programs will be able to rethink the entire customer interaction. At the end of the day, a networked customer experience is not just the result of a technical solution; rather, it’s a deeper philosophical shift in a move from top-down transactional experiences to more integrated, co-equal relationships between government and citizens.

It’s clear that a networked services model has in many ways operationalized during this public health crisis, in which customer experience has taken on heightened significance. Federal organizations can’t afford major missteps, and agency leaders should take advantage of support resources for help navigating this complex new normal. Over the past few years several organizations and programs have been established, including the United States Digital Service, OPM Labs, GSA’s 18F and their IT Modernization Center of Excellence for Customer Experience, to help agencies evolve with a rapidly changing experience landscape. Lighthouse agencies (such as the U.S. Department of Agriculture) and Lead Agency Partners (such as the Department of Veterans Affairs) for customer experience have had fully operational CX practices in place since before the crisis, and their models can serve as a blueprint for others along their experience journeys.”

https://fcw.com/articles/2020/06/12/milian-covid-federal-cx.aspx?oly_enc_id=

Cool It With the ‘America In Decline’ Talk

Image: AP/ Rich Pedroncelli

DEFENSE ONE

The bottom line: the notion that the United States is shrinking to a shell of its former glory or somehow withering in the face of challenges from its strategic competitors leaves out all nuance and simplifies a highly complicated world into clickbait.

______________________________________________________________________________

“With more than 40 million Americans out of work, demonstrations rocking cities coast-to-coast, and projections for a dire economic picture this summer, you can be forgiven for believing the United States is on a rapid decline. 

The conventional wisdom now emerging is one of a distracted, bumbling, and fumbling America ceding the international playing field to strategic competitors and outright adversaries. In the words of a featured June 2 report in the New York Times: “with the United States looking inward, preoccupied by the fear of more viral waves, unemployment soaring over 20 percent and nationwide protests ignited by deadly police brutality, its competitors are moving to fill the vacuum, and quickly.”

While this “U.S. is in decline” narrative is exceedingly popular today, it also happens to be inaccurate — and dangerous. If it becomes widely accepted as fact that Washington is “retreating” and leaving adversaries to “fill the vacuum,” then U.S. policymakers responsible for formulating and executing foreign policy will be increasingly susceptible to making bad policy.

We need to clear the record: discussions about the United States losing its luster, or on its way to meeting the same fate as the Roman Empire, are vastly overblown. To continue making these arguments is to wipe away all context and ignore recent history.

Much has already been written about China’s aggressive behavior in the South China Sea, perhaps the world’s most important shipping lane and an area where multiple countries have set out competing sovereignty claims. This year alone, the People’s Liberation Army-Navy has sunk a Vietnamese fishing vessel in disputed waters off the Paracel Islands and engaged in a month-long standoff with a Malaysian oil exploration ship in waters claimed by China, Malaysia, and Vietnam. Beijing has become noticeably more confrontational with Taiwan, dropping the word “peaceful” from its reunification plans and reportedly preparing a military drill simulating the seizure of Taiwanese-held Pratas Island. And as Beijing´s move on Hong Kong last week shows, the Chinese Communist Party is getting bolder and asserting itself on issues it has long considered as vitally important to its national security, despite universal international condemnation. 

We are led to believe that China’s recent activity in the South China Sea is some direct product of a U.S. seemingly incapable of maintaining a global leadership role. This, however, discounts the fact that Beijing has long viewed the waterway as its exclusive domain and has in fact spent the last 25 years coercing, cajoling, and otherwise chipping away at its neighbors’ competing claims through various military maneuvers. To chalk up China’s activity in the Pacific to a lack of U.S. resolve or leadership is to overstate Washington’s ability to deter Chinese behavior in this domain. If this mistaken premise is accepted outright, it will almost certainly convince Washington that a more intensive U.S. military response would deter future Chinese assertiveness.

It’s important to note that China has continued to improve its posture in the South and East China Seas despite an uptick in U.S. freedom-of-navigation operations and B-1 bomber flights in international airspace. 

Nor does the present narrative explain the recent spate of Russian interceptions of U.S. aircraft in international airspace, which are not exactly a new phenomenon either. On May 26, Russian Su-35 aircraft challenged a U.S. Navy P-8A flying in the eastern Mediterranean in what the U.S. Navy called an “unsafe and unprofessional” operation. Five weeks earlier, a similar Russian aircraft intercepted another U.S. surveillance plane in the same area. The U.S. Air Force has reciprocated; on April 9, U.S. F-22s escorted two Russian maritime surveillance aircraft after they entered the Alaskan Air Identification Zone. Such encounters are likely to continue, which is precisely why it is urgent for U.S. and Russian officials to establish far more durable channels of communication in order to deescalate the situation and ensure these types of relatively regular incidents don’t result in a miscalculation or mid-air collision.

Over the previous week, U.S. officials have suggested Russia is making a power-play in North Africa and establishing its own strategic base in Libya. According to U.S. Africa Command, more than a dozen Russian warplanes recently flew to Eastern Libya purportedly to assist its partner in the civil war, renegade Libyan general Khalifa Haftar, after a series of humiliating setbacks on the battlefield. Russian investment in Libya’s conflict, however, hasn’t exactly panned out the way the Kremlin anticipated.

Haftar has turned out to be an unreliable, mercurial, stubborn wannabe strongman whose  with other armed, tribal factions is fueled by little more than contempt for the U.N.-recognized government in Tripoli. Russian President Vladimir Putin was publicly embarrassed last December, when Haftar walked out of a Kremlin-orchestrated peace conference. Negotiations remain practically nonexistent, which suggests Russia will soon face an unenviable choice between doubling down on a war that shows no signs of abating or disengaging and looking feckless.

As for Russia’s presence in Syria, this too has become an albatross around Moscow’s neck. While Russian air support in 2015 turned the war around and saved Bashar al-Assad from death or exile, Moscow’s investment in Syria since the conflict erupted more than nine years ago has yet to translate into concrete security benefits for the Kremlin. Notwithstanding the establishment of a few Russian airbases and friendly lease terms for the warm-water port in Tartus, Moscow’s so-called victory in Syria consists of nothing more than a broken country led by a government that is corrupt, largely isolated from the West, and woefully incompetent in delivering basic services. Syria’s economy is in utter shambles as a result of the war, a rash of international economic sanctions, and outright mismanagement. Assad, the man the Kremlin has backed despite significant harm to its reputation, remains intransigent on even the slightest compromise with his opponents—leading Russia itself to question whether its support of the Syrian dictator was worth the cost.

Developing a foreign policy that meets U.S. interests requires working from accurate assessments and the world as it really is. Relying on a black-and-white view of international affairs is risky business and could very well produce policies that will truly weaken the United States.”

https://www.defenseone.com/ideas/2020/06/cool-it-america-decline-talk/165913/

Marine Veteran Recalls 1971 Anti-War Protests In Washington D.C.

Image: International Center on Nonviolent Conflict

MARINE TIMES

By David Nelson


The caption under the photograph of the solitary Marine guarding the Treasury Building indicates that Treasury was the farthest point of Marine control in Washington.

Wow! How difficult is it to imagine a portion of our nation’s capital being under “Marine control”? Have we not progressed much in 49 years in learning to peacefully resolve our nation’s issues?

______________________________________________________________________________

Marines stand guard on a bridge in Washington in 1971. (Courtesy of David Nelson)

“During the first six months of 1971, I was consumed with making it through Marine Corps officer training at The Basic School in Quantico, Virginia. I was not particularly aware of Vietnam anti-war protests going on around the country and close by in Washington, D.C. When I did think of the protests, I resented the demonstrators since I was a firm believer in law and order. Also, some of the demonstrations were aimed at our military personnel who were serving, or had served, in Vietnam. That sentiment was particularly hurtful to me, as I had lost a childhood friend and fellow Marine, Lee Herron, who had died heroically in Vietnam in 1969.

Why should any of our nation’s volunteers or draftees be looked down upon for having gone where our country’s leadership had sent them? It was a dark period in our country, much as today is. Why should any ethnicity or group of people in our nation be looked down upon today?

Especially since I had come from Houston, the spring of 1971 seemed to be an extremely cold one that lasted until early June. Going from doing indoor work in Houston to doing pushups in the snow at Quantico seemed like a surreal experience.

As I arrived at the school in Quantico, Virginia, one morning in early May, my class of young officers was told that the field exercises for the next day or so had been canceled. A number of the instructors had been sent to Washington, D.C., to guard a number of government installations in the city, and to keep the major bridges open. The troops also took with them various items of equipment, including a number of the Vietnam-era radios, the so-called PRC-25 radios.

Since those PRC-25 radios were critical to our TBS-planned field exercises, the loss of them to the troops guarding D.C. meant that our missions were “scrubbed” until a later date. But most of my class members and I were pleased at the turn of events, as we got to spend a couple of extremely cold days indoors.

The Quantico Sentry newspaper caption reads: “Marines queried newsmen and demonstrators alike at approaches to George Mason Memorial Bridge. All pedestrians were closely screened before crossing bridges.” (Courtesy of David Nelson)

I did not keep many articles and photos from the local Quantico Sentry newspaper during that spring, but I did keep several photos and the main article that showed and described the anti-war protests going on in Washington, D.C. The photo that stood out to me more than any other one depicts some Marines screening a long-haired young man and a newsman, as they approached the George Mason Memorial Bridge. I found the contrast quite striking.

On the one hand, there are the Marines in full uniform and obviously with short hair. Approaching them is an assumed civilian demonstrator with long hair down past his shoulders, and a newsman wearing a suit and neatly dressed. The caption accompanying the photograph reads as follows: “Marines queried newsmen and demonstrators alike at approaches to George Mason Memorial Bridge. All pedestrians were closely screened before crossing bridges.”

Another searing photo depicts a Marine Chinook helicopter with Marines onboard from Camp Lejeune, North Carolina, about to land on the grounds next to the Washington Monument. According to the photo’s caption, the purpose was to “head off demonstrators moving toward the Treasury Building.” I have always wondered whether there was a concern of demonstrators attempting to loot the Treasury Building! But if that were the case, the Treasury Building was guarded only by a sole Marine, at least in the published photo.

The caption under the photograph of the solitary Marine guarding the Treasury Building indicates that “Treasury was the farthest point of Marine control in Washington.” Wow! How difficult is it to imagine a portion of our nation’s capital being under “Marine control”?

Are the protests currently in progress and being planned — are they going to result in Washington, D.C., and perhaps other cities, being under some degree of military control?”

https://www.marinecorpstimes.com/news/your-military/2020/06/04/marine-vet-recalls-1971-anti-war-protests-in-washington/

ABOUT THE AUTHOR:

David Nelson served in the Marine Corps for three years before separating as a captain in 1973. He lives in Houston.

5G Promise And Perils For Government Agencies

Image: FCW

FCW

Agencies’ existing network and cybersecurity investments will help navigate the 5G future, but discussions about how to adapt these investments, and reorient them where necessary, must happen now.

Knowing what devices are connecting to your networks, what their cyber posture is and how they behave will remain the first and most critical component of effective cyber risk mitigation.

___________________________________________________________________________

“Fifth generation (5G) wireless technology has the potential to transform how the U.S. government achieves its many critical missions. With superior bandwidth, agencies will be able to connect more mission-supporting devices than ever. 5G also promises to increase functionality of these devices through reduced latency and speeds that are up to 100 times faster than the current fourth generation Long Term Evolution (LTE) technology. This can translate into improved performance, security, safety and efficiency for federal missions.

Congress and the White House both recognize how important it is that the U.S. fully harness the power of 5G in meeting government missions. The need for effective and efficient COVID-19 response and recovery has only highlighted this.

The U.S. military — the most logistically complex organization in the world – is likely to emerge as a leading 5G adopter and innovator. In the fiscal 2020 defense spending bill, Congress prioritized 5G research and development by providing $275 million to the Department of Defense for next generation information communications technology, including 5G. The DOD is currently demonstrating the benefits of 5G in government in a few interesting projects. At the U.S. Naval Supply Systems Command Fleet Logistics Center San Diego, for example, the concept of a “smart warehouse” is being tested. This project will leverage 5G to manage inventory and process orders with optimal efficiency and accuracy. As the DOD contemplates the wide range of possible use cases for 5G technology, its spending will align to these desired uses.

To allow the DOD and other federal agencies to realize 5G’s full potential, however, the government must address concerns about 5G and cyber risks. One of the widely discussed risks associated with 5G is the problem of potentially compromised hardware being incorporated into our national telecommunications infrastructure. Congress and the White House have both taken steps to address this issue — calling for the incorporation of a microelectronic trusted supply chain and operational security standards into 5G equipment.

The government has also prohibited telecommunications providers that receive federal funding from utilizing Huawei and ZTE equipment, two telecommunications equipment manufacturers the U.S. government believes have ties to the Chinese Communist Party and therefore could potentially be compelled to install unauthorized remote access capabilities (so-called “backdoors”) into their products. The concern that such backdoors could be exploited by the Chinese government for espionage, sabotage or even acts of war is shared by many U.S. policymakers and experts, on a bipartisan basis.

While much of the security discussion surrounding 5G has thus far focused on certain Chinese equipment manufacturers, there is another major security concern that must be addressed: the security risk posed by the addition of millions of additional devices, including Internet of Things (IoT) devices, accessing government network resources.

In the past, such devices have connected to network resources utilizing U.S. government-managed wired or wireless access points on government-controlled campuses. The 5G vision instead entails millions of devices accessing network resources remotely via cellular connections, likely provided through a blend of government and carrier-owned networks. Whose job is it to determine which of these devices are legitimate and do not pose a threat to either the carrier or the agency IT infrastructure they access? Who is responsible for monitoring devices while connected to ensure they don’t change their state – in other words, present themselves as legitimate, secure devices, but once admitted to the network proceed to engage in hacking or espionage activities? And ultimately, how should this diverse landscape of devices and connectivity be prioritized and segmented according to roles and criticality, so that the most sensitive and mission-critical functions are identified and protected? In a 5G future, government network security teams risk losing visibility and control of devices accessing their federal networks through carriers’ 5G towers.

Fortunately, most agencies have laid down an important foundation enabling them to overcome some of the challenges of securing their networks as 5G adoption increases. Two government-wide cybersecurity programs — the civilian agency-focused Continuous Diagnostics and Mitigation (CDM) program and the DOD’s Comply to Connect (C2C) program — are examples of dynamic frameworks and integrated capabilities designed to ensure all devices are detected and classified as they connect to the network, and are inspected continuously for cybersecurity risks, including patch and configuration status, banned hardware and software, behavioral anomalies and a host of other attributes.

Agencies that have mature instantiations of either the CDM or C2C programs will have the same level of insight into devices connecting via carrier-owned 5G networks as they do for those connecting within a campus, cloud or data center network, and will be able to enforce the same security and network access policies. Not insignificantly, the remote working trend that has become necessary during the COVID-19 pandemic has provided federal agencies some lessons in applying their CDM and C2C tools to devices that are connecting through Internet Service Provider networks in employees’ homes – in some rare cases on devices that are not owned or managed by the federal government. While telework architectures are still in need of improvement, a productive outcome of the COVID-19 crisis is that it has afforded federal agencies, in particular the DOD, an opportunity to apply “zero trust” strategies even as the concept of the network “perimeter” has been completely shattered.

We are still in the early days of 5G and the full benefits for federal agencies have yet to be realized. The operationalization of 5G will mean many millions more devices connecting to government systems. These devices support services vastly improving citizens’ security and safety and allowing government services to be delivered more effectively. However, allowing all of these devices to connect to government systems without a robust capability for finding, profiling and monitoring them would jeopardize not only agencies’ existing networks, but the very missions 5G equipment is deployed to support.

The C2C and CDM programs are good examples of how a visibility-first approach enables more effective security and ensures agencies’ mission-readiness. Securing 5G-enabled networks through this foundation reduces national security risk and enhances government agencies’ ability to continue serving missions.”

https://fcw.com/articles/2020/06/09/comment-gronberg-5g-promise-peril.aspx
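The FCW piece above describes a visibility-first, Comply-to-Connect style control in two halves: a device is identified and posture-checked as it connects (vendor, patch level, role) and assigned to a segment, and it is then watched for a change of state, the case where it "presents itself as a legitimate, secure device, but once admitted to the network proceeds to engage in hacking or espionage activities." The following Python sketch is an added example, not code from the FCW article or from the CDM or C2C programs, showing both halves on constructed input. The OUI-to-vendor table (the `aa:bb:xx` prefixes are not real OUIs), the patch baselines, the per-role egress policy, the device records and the flow sample are all assumptions made for illustration; a real deployment would feed them from the NAC or inventory tool and the IEEE OUI registry. The banned-vendor set uses only the two manufacturers the article names.

```python
from dataclasses import dataclass
from datetime import date

# Vendors the article names as prohibited in federally funded telecom equipment.
BANNED_VENDORS = {"huawei", "zte"}

# Assumed OUI (first three MAC octets) -> vendor table, constructed for this example.
# The prefixes are NOT real OUIs; a deployment would load the IEEE registry instead.
OUI_VENDOR = {
    "aa:bb:01": "Huawei",
    "aa:bb:02": "Acme Printers",   # hypothetical vendor
    "aa:bb:03": "Cisco",
}

# Oldest acceptable patch date per device role (constructed baseline).
PATCH_BASELINE = {"camera": date(2020, 3, 1), "printer": date(2020, 1, 1), "workstation": date(2020, 5, 1)}

# Role -> network segment; anything that fails a check lands in quarantine.
SEGMENT_FOR_ROLE = {"camera": "iot-cameras", "printer": "iot-printers", "workstation": "users"}
QUARANTINE = "quarantine"

# Destination ports a device of each role is expected to initiate connections to (assumed policy).
ROLE_EGRESS = {"camera": {554, 443}, "printer": {443}, "workstation": {22, 80, 443, 445}}
SCAN_THRESHOLD = 5  # distinct hosts contacted on one port before we call it scanning


@dataclass
class Device:
    mac: str
    claimed_role: str
    last_patched: date


@dataclass
class Decision:
    segment: str
    reasons: list


def vendor_of(mac: str) -> str:
    """Look the vendor up from the MAC prefix; 'unknown' if it is not in the table."""
    return OUI_VENDOR.get(mac.lower()[:8], "unknown")


def admit(dev: Device) -> Decision:
    """Admission-time check: identify hardware, verify patch posture, assign a segment."""
    reasons = []
    vendor = vendor_of(dev.mac)
    if vendor.lower() in BANNED_VENDORS:
        reasons.append(f"banned vendor {vendor}")
    elif vendor == "unknown":
        reasons.append("unrecognised hardware")
    baseline = PATCH_BASELINE.get(dev.claimed_role)
    if baseline is None:
        reasons.append(f"unknown role {dev.claimed_role}")
    elif dev.last_patched < baseline:
        reasons.append(f"patch level {dev.last_patched} older than baseline {baseline}")
    if reasons:
        return Decision(QUARANTINE, reasons)
    return Decision(SEGMENT_FOR_ROLE[dev.claimed_role], ["posture ok"])


def reevaluate(dev: Device, current_segment: str, flows: list) -> Decision:
    """Post-admission check: does observed behaviour still match the claimed role?
    flows is a list of (dst_ip, dst_port) connections the device initiated."""
    allowed = ROLE_EGRESS.get(dev.claimed_role, set())
    hosts_by_port = {}
    for dst, port in flows:
        hosts_by_port.setdefault(port, set()).add(dst)
    reasons = []
    for port, hosts in hosts_by_port.items():
        if port not in allowed:
            reasons.append(f"{dev.claimed_role} initiating to unexpected port {port}")
        if len(hosts) >= SCAN_THRESHOLD:
            reasons.append(f"scanning: {len(hosts)} hosts on port {port}")
    if reasons:
        return Decision(QUARANTINE, reasons)
    return Decision(current_segment, ["behaviour consistent with role"])


def sample_fleet() -> dict:
    """Constructed inventory records; none of these are real devices."""
    return {
        "cam-banned": Device("AA:BB:01:00:00:01", "camera", date(2020, 4, 1)),
        "printer-stale": Device("aa:bb:02:00:00:02", "printer", date(2019, 12, 1)),
        "ws-ok": Device("aa:bb:03:00:00:03", "workstation", date(2020, 5, 10)),
        "cam-ok": Device("aa:bb:03:00:00:04", "camera", date(2020, 4, 1)),
        "mystery": Device("de:ad:be:ef:00:05", "camera", date(2020, 4, 1)),
    }


def run_demo() -> dict:
    """Admit every device, then re-check the admitted camera against a constructed flow sample."""
    fleet = sample_fleet()
    results = {name: admit(dev) for name, dev in fleet.items()}
    # The camera was clean on admission but then opens SSH to six hosts: a state change.
    flows = [(f"10.0.0.{i}", 22) for i in range(1, 7)] + [("10.0.9.1", 554)]
    results["cam-ok/after"] = reevaluate(fleet["cam-ok"], results["cam-ok"].segment, flows)
    return results


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:14} -> {decision.segment:12} {'; '.join(decision.reasons)}")
```

The point of the second function is the one the article makes about continuous inspection: `admit()` alone would have placed `cam-ok` in the camera segment and left it there, and only re-evaluating observed flows against the role the device claimed at admission catches it once it starts behaving like a scanner. The same `Decision` structure is returned by both checks so that the NAC integration (moving a device to the quarantine VLAN, raising a ticket) does not need to know which check fired.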