“The veneration of service members in the United States today manifests benignly in the refrain, “Thank you for your service,” and the much appreciated discounts at the local home improvement center, but this reverence can also have less benign effects. The number of retired flag officers serving in high government positions, sitting on the boards of defense contractors, and appearing as talking heads on television shapes policy, which in turn drives Pentagon budgets.
Dr. Steele Brand, a professor of history at The King’s College in New York City, explored the differences between the citizen-soldier and the soldier-citizen in his recent book, “Killing for the Republic.” Republican Rome produced highly adaptive armies with farmers who would moonlight as effective soldiers during the campaigning season and then return to their families and plows—a practice that helped to remove the barriers between the military and the society it served, according to Brand. He says Rome’s part-time soldiers faced an uphill battle against enemy professionals, but that their ability to adapt meant they usually prevailed in the end. In this interview, Dr. Brand explains the differences between the Roman and American models of training soldiers and how those differences contribute to the civilian-military divide.”
“DEFENSE NEWS” By: Venture capital community leaders
“How can the Pentagon best preserve its innovation base and develop the most competitive and advanced technologies? The answer is simple: Buy commercial. New and emerging defense startups — and our men and women in uniform — don’t need symbolic gestures.
What they need is concerted action to bring the latest and most advanced technologies — many of which are routinely used in industry — to dangerously antiquated defense weapons systems and internal IT infrastructure. This was true before COVID-19, it is true now and it will be true when the next crisis strikes.”
“The COVID-19 health crisis is quickly leading to an economic meltdown, throwing millions of Americans out of work and forcing strategic reevaluations across industries. The defense industry is no exception. We are praying for a swift end to the crisis, but its effects will linger, shaping the Pentagon’s priorities, organizational structure, military operations, logistics, supply chains and interactions with the defense-industrial base for years to come.
In the past few weeks, we have had numerous conversations with government officials about our venture and growth equity investments in the defense sector. These discussions have centered on the eligibility rules of the CARES Act’s Paycheck Protection Program and the risk of foreign capital seeking entry into defense technology startups desperate for investment in these trying times.
All too often the government has responded to crises by circling wagons around incumbent firms — the large prime contractors, whose political connections afford them bailouts in the name of “ensuring ongoing competition.” This process is already underway. After announcing its hope for a $60 billion relief package for the aerospace manufacturing industry, Boeing successfully lobbied for $17 billion worth of loans for firms “critical to maintaining national security.”
The CARES Act also announced provisions to streamline the Defense Department’s contracting process, which sounds promising, except for the fact that these provisions apply only to contracts worth over $100 million. This discriminates against smaller, more nimble innovators and providers of cutting-edge technology.
This isn’t how things have always been. After complaints about large horse dealers monopolizing military contracts during the Civil War, the government allowed quartermasters to purchase horses and mules from any dealer on the open market. In World War II, Congress created the Smaller War Plants Corporation, which awarded tens of thousands of contracts to small, competitive firms. Today, through innovative use of Small Business Innovation Research money, other transactional authorities, rapid work programs and the like, the Pentagon is certainly signaling interest in emerging technologies.
But let us be clear: We are not advocating continuing to invest larger dollar amounts into never-ending, short-term pilots and prototypes. The key to sustaining the innovation base through this crisis and any future crises is transitioning the best of these companies and products into real production contracts serving the day-to-day needs of the mission. Host tough, but fair competitions for new innovations, and then rapidly scale the winners.
America’s technological supremacy has afforded our country nearly a century of military hegemony, but it is not a law of nature. Sovereign states and peer competitors like Russia and China will quickly outpace us if we take our prowess for granted. We need new entrants into the defense industry more than ever, but without government support through crises like this one, the talent and capital simply won’t be there.
As the Department of Defense readily acknowledges, its mission is fundamentally changing. Breakthroughs in technological fields like artificial intelligence, autonomous systems, robotics, resilient networks and cyberwarfare mean that future conflicts will look nothing like those we have seen before. The DoD of tomorrow needs a fresh wave of technical expertise to understand and respond to these new kinds of threats.
That is not to say that legacy defense contractors are not needed; their expertise in large air and sea vehicles is currently unparalleled. But the expertise to build these new technologies resides in pockets of talent that the big and bureaucratic incumbents, who made their names with 20th century technology, lost access to decades ago.
The DoD has publicly exalted the importance of innovative defense startups for years. That is partly why we are so excited to invest capital into the defense sector at this moment in history. Silicon Valley has a chance to live up to its oft-ridiculed but sincere ambition to make the world a better place by investing in American national security.
However, we as venture capitalists and growth equity investors also have a duty to our limited partners who have entrusted us to invest and grow their capital. If we see the same old story of the government claiming to support small businesses but prioritizing its old incumbents, those investment dollars will disappear.
Times of rapid and unprecedented change, as COVID-19 has precipitated, also provide opportunities. The DoD and Congress can reshape budget priorities to put their money where their mouths have been and support innovative defense technologies. Each dollar awarded to a successful venture capital and growth equity-backed defense startup through a competitively awarded contract attracts several more dollars in private investment, providing the DoD significantly more leverage than if that same dollar was spent on a subsidy or loan to a large legacy contractor. This leverage of private capital means that every contract a startup receives accelerates by up to 10 times their ability to build technology and hire talent to support the DoD’s mission.
The bottom line is this: There’s no reason to let a health crisis today become a national security crisis tomorrow. The DoD has an opportunity to not only sustain but grow its innovation base, and give contracts, not lip service, to innovators. We, the undersigned, hope they do.”
The contributors to this commentary are: Steve Blank of Stanford University; Katherine Boyle of General Catalyst; James Cham of Bloomberg Beta; Ross Fubini of XYZ Capital; Antonio Gracias of Valor Equity Partners, who sits on the boards of Tesla and SpaceX; Joe Lonsdale of 8VC, who also co-founded Palantir; Raj Shah of Shield Capital, who is a former director of the U.S. Defense Innovation Unit; Trae Stephens of Founders Fund; JD Vance of Narya Capital; Albert Wenger of Union Square Ventures; Josh Wolfe of Lux Capital; Hamlet Yousef of IronGate Capital; and Dan Gwak of Point72.
“Government and contractors were unprepared for COVID-19 to so abruptly push so many employees to remote work. Even now, as businesses start to contemplate how to reopen their offices, the continued need for social distancing means many employees will be choosing or required to continue remote work for the foreseeable future. It’s a fundamental change in how organizations operate, fraught with inconsistencies, challenges and distractions.
Yet, while the pandemic is causing modifications and deviations to contracts and regulations, it will not serve as a “Get Out of Jail FREE” card. Government contractors must still comply with their contracts and protect government information.
What are the compliance implications of mass telework? Here are six questions to ask (and answer) to help you stay compliant while your employees are working remotely:
Are your telework policies and procedures up to date?
Resist the temptation to ignore telework policies that are suddenly impractical. In the absence of clear guidance, employees will be inconsistent in their behavior and performance. Take the guesswork out of the mix by updating and publishing revised policies. Provide clear, concise direction for what employees should do under current conditions (and new conditions, as government guidance evolves).
Is your IT infrastructure ready and secure?
A cyber-secure IT infrastructure built to support thousands of employees from a few offices will have vastly different loads and threats when most workers are suddenly piping in remotely. Is your VPN set up for the additional traffic? Do your security models and controls need to be adapted for the increased number of employees working remotely? Consider allowing access into the system for extended hours, so employees with family obligations have flexibility about when to do their work. Be sure your team fully appreciates the risks of relaxing some security controls (such as reducing keystroke monitoring) to improve your system’s responsiveness.
Do employees have the technology and guidelines to work securely from home?
Most employees will do their best to serve government customers and be productive, even if they don’t have the same technology at home as at work. But the bad guys in cyberspace are exploiting this crisis and are increasingly determined to test the security boundaries of governments, businesses and citizens. Some employee “best effort” behaviors could introduce unwanted compliance and security issues.
Remind employees of how to protect sensitive information at home. Re-publish policies about home network security, strong passwords, use of personal email accounts, unknown email attachments and other best practices. Consider home burn bags to store confidential papers until employees return to the office. Remind employees to disengage smart speakers in spaces where work-related conversations are happening. Use passwords and other added security measures for all video conferencing.
How are you managing and monitoring the productivity of remote workers?
Even veteran teleworkers have been disrupted by the sudden appearance of a spouse, children and/or roommates who are all competing for space, time, attention and internet bandwidth. Employees who are teleworking for the first time may have a home environment that is more casual, less vigilant, and filled with more distractions than an office setting.
It’s important, though, to proactively manage and document the work employees are doing. Be sure employees understand policies about work hours, time tracking and status updates. Share tips and expectations for productive and professional telework. Task your managers to understand obstacles their employees are facing – and to communicate clearly about whether any temporary job accommodations are approved. Then, closely monitor performance to ensure that you’re delivering on your contracts and billing the government appropriately for the completed work.
Are key employees cross-trained?
Anticipate that key personnel may become unavailable to perform mission-critical duties at some point in the pandemic. If you haven’t already, identify and cross-train employees who can step in should the need arise. Remember to obtain your customer’s approval of these key employees, so work can continue uninterrupted. Keep an updated and centralized list or database to consult as your situation changes.
Are you monitoring your procedures and controls, especially the updated ones?
When so much is new and changing, monitoring your controls is a must to ensure timely corrective actions and prevent material non-compliances. Periodically test your company compliance hotlines to verify that they are accessible, appropriately staffed and supported. Keep your governance program (board of directors and executive committees) active, engaged, and available to address anything that might go awry.
COVID-19 has created a remote working scenario that most government contractors never could have envisioned. While it’s different from anything we’ve experienced before, the government will not consider these changes an excuse for significant noncompliance. It is more challenging, but with planning, creativity and vigilance, companies, employees, and customers will be well served. In fact, you may find that some changes you make to accommodate the pandemic ultimately improve your operations and should endure after the crisis has resolved.”
“The Department of Defense is racing to test and adopt artificial intelligence and machine learning solutions to help sift and synthesize massive amounts of data that can be leveraged by their human analysts and commanders in the field. Along the way, it’s identifying many of the friction points between man and machine that will govern how decisions are made in modern war.
The Machine Assisted Rapid Repository System (MARS) was developed to replace and enhance the foundational military intelligence that underpins most of the department’s operations. Like U.S. intelligence agencies, officials at the Pentagon have realized that data — and the ability to speedily process, analyze and share it among components – was the future. Fulfilling that vision would take a refresh.
“The technology had gotten long in the tooth,” Terry Busch, a division chief at the Defense Intelligence Agency, said during an Apr. 27 virtual event hosted by Government Executive Media. “[It was] somewhat brittle and had been around for several decades, and we saw this coming AI mission, so we knew we needed to rephrase the technology.”
The broader shift from manual and human-based decision-making to automated, machine-led analysis presents new challenges. For example, analysts are used to discussing their conclusions in terms of confidence-levels, something that can be more difficult for algorithms to communicate. The more complex the algorithm and data sources it draws from, the trickier it can be to unlock the black box behind its decisions.
“When data is fused from multiple or dozens of sources and completely automated, how does the user experience change? How do they experience confidence and how do they learn to trust machine-based confidence?” Busch said, detailing some of the questions DOD has been grappling with.
The Pentagon has experimented with new visualization capabilities to track and present the different sources and algorithms that were used to arrive at a particular conclusion. DOD officials have also pitted man against machine, asking dueling groups of human and AI analysts to identify an object’s location – like a ship – and then steadily peeling away the sources of information those groups were relying on to see how it impacts their findings and the confidence in those assertions. Such experiments can help determine the risk versus reward of deploying automated analysis in different mission areas.
Like other organizations that leverage such algorithms, the military has learned that many of its AI programs perform better when they’re narrowly scoped to a specific function and worse when those capabilities are scaled up to serve more general purposes.
Nand Mulchandani, chief technology officer for the Joint Artificial Intelligence Center at DOD, said the paradox of most AI solutions in government is that they require very specific goals and capabilities in order to receive funding and approval, but that hyper-specificity usually ends up being the main obstacle to more general applications later on. It’s one of the reasons DOD created the center in the first place, and Mulchandani likens his role to that of a venture capitalist on the hunt for the next killer app.
“Any of the actions or things we build at the JAIC we try to build them with leverage in mind,” Mulchandani said at the same event. “How do we actually take a pattern we’re finding out there, build a product to satisfy that and package it in a way that can be adopted very quickly and widely?”
Scalability is an enduring problem for many AI products that are designed for one purpose and then later expanded to others. Despite a growing number of promising use cases, the U.S. government still is far from achieving the desired end state for the technology. The Trump administration’s latest budget calls for increasing JAIC’s funding from $242 million to $290 million and requests a similar $50 million bump for the Defense Advanced Research Projects Agency’s research and development efforts around AI.
Ramping up the technology while finding the appropriate balance in human/machine decision-making will require additional advances in ethics, testing and evaluation, training, education, products and user interface, Mulchandani said.
“Dealing with AI is a completely different beast in terms of even decision support, let alone automation and other things that come later,” he said. “Even in those situations if you give somebody a 59% probability of something happening …instead of a green or red light, that alone is a huge, huge issue in terms of adoption and being able to understand it.”
“Vietnam today is what we had tried to make it: a free-market consumer society. The tragedy of it is that over 58,000 Americans and some 2 million Vietnamese had to die just so that Vietnam could get there on its own timetable rather than ours.
The great majority of us served honorably and proved ourselves to be better than the muddle-headed politicians who had sent us. That’s something to be proud of.”
“Back in the mid-80s, an Army officer of my acquaintance succinctly summed up the mood of the post-Vietnam military: “It’s OK to be a Vietnam veteran in today’s military,” he observed, “so long as you don’t dwell on it or refer back to it.”
He was right. He had intuited the largely unspoken, but widely understood, politically correct attitude toward our humiliating defeat. Vietnam had been an aberration, the kind of war we would never fight again. And the less said about it, the better.
Ironically, this same spirit of denial and revision has spread to American society in general in recent years. It’s OK to be a Vietnam veteran in today’s America, so long as you remember that war the way President Reagan portrayed it, as a “noble crusade,” and so long as you profess utter admiration for our armed forces and unwavering support for our current crusades.
Thursday, April 30, marked the 45th anniversary of the fall of Saigon — and the end of our Vietnam misadventure. The Vietnam War I remember, and later studied, was anything but a “noble crusade.” It was a profoundly existential experience. Survival was the only moral touchstone, and getting through to our rotation tour dates the only goal we cared about. All the Marines I knew “in country” were profoundly skeptical of the official rationales for why we were there and increasingly embittered by the reluctance of the South Vietnamese to fight their own war.
My fellow Vietnam veterans seem to have forgotten how traumatized we were about all this. We have been co-opted, bought off with belated handshakes and glib expressions of gratitude. We have forgotten what really occasioned all the bitterness and fueled the post-traumatic stress of our generation.
It wasn’t that the country failed to welcome us home or to honor our service with parades. It was the discovery that our leaders had lied to us about the nature and the necessity of the war and that the conduct of the war put the lie to the ideals and values in which we had all been raised to believe.
Would that we all knew then what we know now. Ho Chi Minh was first and foremost a nationalist. Early on, he had appealed to us to help dissuade France from reclaiming its former colony at the end of World War II. But we needed France’s help in blocking communist expansion in Europe, and the ensuing Cold War clouded our judgment. We feared falling dominoes. By 1950, we were mired in Korea and bankrolling France’s Indochina War. With the fall of Dien Bien Phu in 1954, we took over. We sent in intelligence operatives to subvert the Geneva Accords, especially the plebiscite that would have reunited North and South Vietnam under whichever government the majority chose. Having defeated the French, Ho Chi Minh was the hands-down favorite to win. The South Vietnamese president we had installed, Ngo Dinh Diem, was almost as alien to his own people as we were. Ho Chi Minh had cornered the market on Vietnamese nationalism, and out in the countryside, most of the people seemed to want no part of what we were selling.
What’s worse, once we had taken over in our own right, we began to take that indifference personally. Contrary to popular belief, we weren’t forced to fight with one hand tied behind our back. We unleashed a greater tonnage of bombs on Vietnam than we did in all of World War II. We declared free-fire zones. We defoliated large areas with Agent Orange. We made liberal use of close-air support and indirect fire weapons with little regard for the so-called “collateral damage” such weapons inevitably inflict.
Racists that we were, we dehumanized the Vietnamese as “gooks” and “slopes.” Unable to distinguish friend from foe, we viewed them all as potential threats. Hence, the worst atrocity of the war — the My Lai Massacre. Hell hath no fury like a country scorned, especially one that considers itself to be exceptional and eminently deserving of admiration and emulation.
This is not to say that, because we were wrong, the other side was wholly righteous. They resorted to terror. They mistreated our POWs. They were hardly magnanimous in victory. But the irony is that we seem to have won after all.
So how then should those of us who served in Vietnam feel about participating in such an unnecessary and misguided war? While so many of our contemporaries sat in self-indulgent safety and comfort, we put ourselves on the line. Some of us went in believing. Others suspended judgment or even went against our better judgment. But the great majority of us served honorably and proved ourselves to be better than the muddle-headed politicians who had sent us. That’s something to be proud of.”
A native of New Castle, Delaware, Edward Palm served as an enlisted Marine with the Combined Action Program in Vietnam from 1966 to 1968. He went on to earn a Ph.D. in English literature at the University of Pennsylvania. Returning to the Marine Corps in later life, Palm served as the Marine Officer Instructor with the NROTC unit at University of California, Berkeley and taught English at the Naval Academy before retiring as a major in 1993. His civilian academic career included appointments as a tenured professor and college dean. He now lives in Forest, Virginia. Contact Ed Palm at email@example.com
“This refers to gathering information about those with whom newly infected people have been in touch, in order to notify them that they might have been infected. The most-interesting example of this is a recently developed Singapore app called TraceTogether.
It is impossible to mention systems such as these without some raising concerns about privacy. These efforts are still in the earliest stages — but we should be tracking how combating coronavirus has entered the digital age.”
“Recently there has been attention to the importance of what is called “contact tracing” for fighting the coronavirus.
This has come up in the discussions of “reopening the country” after recent lockdowns, with the argument that slowing disease spread depends heavily on being able to do this, though it did not appear in the president’s re-opening plan.
But contact tracing has historically been a resource-intensive and very imperfect process. Officials have had to go to newly infected people and interview them about whom they have been in contact with over the previous two weeks. Memories of course are often imperfect. People may not even know everyone with whom they interacted. And the interviewing itself takes significant time and manpower.
In just-published guidance on contact tracing, the Centers for Disease Control has stated that “contact tracing in the U.S. will require that states, tribes, localities and territories establish large cadres of contact tracers.” Reaching people to interview about contacts can be slow, and contacting those contacts delays things further. Meanwhile, there is a limited window between infection and illness to catch contacts with problems, so speed is important.
However, since the Ebola outbreak in 2014, mobile telephone technology and especially smartphone penetration have dramatically improved. We are now seeing, mostly in Asia, the use of tech to provide quicker, more accurate, and more economical contact tracing in response to the coronavirus pandemic. I blogged a number of years ago on the theme of areas where Asia was overtaking the U.S. in tech apps, which I illustrated with the widespread use in China of mobile payment apps using smartphones and QR codes. We are now seeing Asian superiority with digital coronavirus apps in Asia as well.
This was the theme of a recent piece in the Daily Alert, a publication of the Harvard Business Review that publishes short management-related articles, called How digital contact tracing slowed covid-19 in East Asia, by MIT Sloan School professor Yasheng Huang and grad students Meicen Sun and Yuze Sui.
I think the most-interesting example of this is a recently developed Singapore app called TraceTogether. For those choosing to use the app, Bluetooth tracks smartphones that have also installed the app. The app then tracks when a user is in close proximity with these other persons, including timestamps. If an individual using the app becomes positive to Covid-19 they can choose to allow the Singapore Ministry of Health to access the tracking data — which can then be used to identify and then contact any recent close contacts based on the proximity and duration of an encounter. This is tech-enabled quick and accurate contact tracing. Apple and Google recently announced that they are developing a similar Bluetooth-based app, but rolling it out is apparently still a few months away.
Other Asian countries have used tech in other ways to help fight the virus. Taiwan has created a “digital fence,” whereby anyone required to undergo home quarantine has their location monitored via cellular signals from their phones. Venturing too far from home triggers an alert system, and calls and messages are sent to ascertain the person’s whereabouts. South Korea has an app called Corona100, which alerts users of the presence of any diagnosed Covid-19 patient within a 100-meter radius, along with the patient’s diagnosis date, nationality, age, gender, and prior locations. (A map version of the app called Corona Map similarly plots locations of diagnosed patients to help those who want to avoid these areas.)
It is impossible to mention systems such as these without some raising concerns about privacy. The Singapore SmartTracker will save data for only 21 days, and the names of the ill and their contacts will not be shared with others. Wired ran an article on privacy risks of the Google/Apple system and concluded purported risks were quite small.
A bigger question is whether the government should be allowed under any circumstances to require people to sign onto a new contact-tracing app. Observers worry that without very widespread adoption, the benefits of such apps will dramatically decline. One can make an argument, which underlines the general case for disease quarantines, that if people do not quarantine themselves and then become sick, the costs fall not just on themselves but on others they might infect. However, even Singapore, a country without the robust culture of privacy we have in the U.S., has not been willing to require people to install SmartTracker, and only about 20% have done so.
In other words, these efforts are still in the earliest stages — but we should be tracking how combating coronavirus has entered the digital age.”
“In fact, for every dollar invested in an IG office, they are able to identify about $17 in potential savings to their agencies. But these essential watchdogs, until recently, weren’t on the American public’s radar.
This video explains who IGs are and why we should care.”
“The Navy has been awarding contracts faster since the start of the coronavirus pandemic, but one of the biggest gains has been systems that can assess supply chain weaknesses, according to James Geurts, the Navy’s acquisition chief.
Geurts said doing that allows the Navy to “see what suppliers are at risk. When we understand that, we can start managing those potential delays into our supply system.” That information is then used to inform continuing operations, move supplies if needed and understand when suppliers are back online.
Geurts also said the Navy has geographically networked all of its 3D printers, which provides insight into where the need is on the local levels, “ensuring that we’re not competing or conflicting with each other.” Many organizations are using 3D printers to fabricate parts for medical devices and other needed materials that are not readily available through existing supply chains.
With contracts going out faster than anticipated, Geurts also said the Navy has been examining its business practices, learning how to better collaborate, reduce backlogs and not duplicate functions. All of that will hopefully aid in a faster recovery from the coronavirus, he said.
“Ships still have to come out on time, we’ve got to do the maintenance and continue to supply lethal capabilities to our sailors and Marines, and we can’t afford to lag the recovery.”
“We face difficult times ahead, with challenges at a scale that few, if any of us, have encountered in our lives. And ready or not, we’re going to need IT modernization with an urgency agencies had not experienced before.
A common three-phase cycle – the “three Rs”: Response, Recovery and Restructure.”
“Roughly every 10 years for the last five decades, the federal government has had to deal with major crises ranging from economic to terrorist to pandemic. We now face the novel COVID-19 pandemic, and it has presented CIOs at all levels of government with unprecedented challenges to respond to the critical needs of the country.
Having worked in the Office of Management and Budget, as a congressional committee staff member and in industry during previous crises, I have noted a common three-phase cycle always happens, which I’ll refer to as the “three Rs”: Response, Recovery and Restructure. The cycle plays out this way:
Response: Chaotic triage activity always seems to overwhelm even the best continuity-of-operations plans and key mission-critical programs needed to get benefits and assets to those most in need.
Recovery: When the situation stabilizes, agency officials can take a breath and figure out how to bring order out of chaos, taking advantage of OMB M-20-21 guidance to address multiple audits of actions taken in the heat of crisis.
Restructure: Audits and reports lead to new agencies, reorganizations and programs to make sure the country never has to experience the same crisis again (e.g., creation of the Department of Homeland Security based on the 9-11 Commission report).
Recovery and Restructure activities during the 21st century have increased major technology spending (33% after 9-11, about 10% after the housing crisis) before flattening. Recovery and Restructure phases from COVID-19 necessarily require increased technology spending and may even radically restructure the government.
With the Response-phase activities related to our current crisis underway, let’s focus on the Recovery Phase. Stated simply, the Recovery phase will be substantially more expensive and less effective if the government does not make a major investment in today’s digital government tools and techniques. In fact, with the massive volume of transactions and data generated in the COVID-19 response, CIOs will have to help agency leaders recognize the need for cloud computing, big data analytics and artificial intelligence/machine learning to meet the historic challenges.
Here are four areas where the government must apply digital government tools:
Administering grants and loans: Without the help of large-scale data analytics and algorithms and the ability to integrate citizen-sourced fraud and abuse insights, it will be extremely difficult to manage risk and achieve performance goals. Traditional ways of sampling won’t work for the sprawling, multi-trillion dollar COVID-19 Recovery phase.
Logistics accounting: Jerry-rigged supply chains for emergency resources will now have to be quantified and recorded against budgets. The government will face two options: It can either write off losses it cannot account for, or it can apply records management, e-discovery and robotics tools to quantify spending by funding source. Twenty years ago, it would have been impossible to pull together the information needed to understand this history. This is important for the government to better manage its response to the next crisis – as well as answering congressional inquiries that will inevitably follow for years to come.
Financial and performance management required under OMB M-20-21: Aging financial management systems and longstanding system interface issues will make it difficult to reconcile expenditures and obligations related to coronavirus. A look at the last couple years’ financial audits shows gaps in controls and systems capabilities. To manage trillions of dollars of stimulus and public health spending, agencies will need extensive investment in open application programming interfaces, robotics and AI or overhaul their modern financial systems.
Home-based federal workforce: Government cannot go back to an operating model based on 25% of people teleworking on any day. I was once told that understanding how government can best leverage technology requires understanding information flows in daily operations. People, processes and technology will have to reflect a virtual workforce, requiring workflows shifting from documents and consensus to fact-based decision-making and accountability for results. Government will need to deploy a tiered digital architecture to untether people from their desks, leveraging cloud and virtualization techniques with a mixture of open standards, APIs and chunking of databases and legacy code into interoperable modules.
So what makes this the most challenging time for CIOs? The biggest horror stories are already baked into program offices that resisted help from the CIO or where the CIO organization was unable to fix systems needed for the COVID-19 response. If not already a partner in the Response phase, it will be very difficult for the CIO team to be the source of digital transformation needed in the Recovery phase. In the past, agency leaders replaced their IT leadership team and contractors.
We face difficult times ahead, with challenges at a scale that few, if any of us, have encountered in our lives. And ready or not, we’re going to need IT modernization with an urgency agencies had not experienced before.”
“As quarantines and self-isolation guidelines have taken hold, not everyone has workstations or agency-issued laptops with card readers at home, leaving some feds and contractors with no easy way to fulfill the government’s primary identity and access requirement.”
“The coronavirus outbreak has shuttered federal office buildings and sent employees to work from home. While most expect those facilities to eventually reopen, the shift to telework is changing how agencies and contractors conduct identity and access management.
The decades-long dominance of Personal Identity Verification (PIV) and Common Access Cards (CAC) as the preferred method to regulate employee access to physical and IT resources may be coming to an end.
According to a January 2020 estimate from the National Institute of Standards and Technology, the federal government and its base of contractors combined use nearly 5 million PIV cards. Digital security contractor Gemalto, which makes smart cards, estimates that the Department of Defense has approximately 4.5 million CAC cards in use at any given time.
Civilian agencies and the military are scrambling to purchase new computers and equipment, but they are competing with private industry and other organizations for limited supplies. The Army recently cited impending supply chain shortages to process an immediate sole source purchase of 200 Dell ruggedized laptops and docking stations that will “allow government workers to telework to avoid exposure to the potential COVID-19 while still completing the mission.” Other agencies like the Department of the Interior have made similar purchases.
“Every day that passes confirmed COVID-19 cases spike and the death toll increases,” the Army wrote in an April 10 justification. “It is imperative that these [notebooks] are obtained as quickly as possible to protect public health.”
Jeremy Grant, a coordinator with the Better Identity Coalition, a non-profit advocacy organization made up of companies across the financial, health care, telecommunications, payments and security sectors, said adjusting to the new reality has been particularly problematic for the federal government.
“On the government side, it’s definitely presenting some special challenges, given that while it’s a great model and very secure, everything about the PIV is premised on this very robust in-person identity and proofing process,” said Grant, a former senior executive advisor to NIST, in an interview. “The challenge has been that we built this policy assuming you can always have this in-person process. Now that it’s not feasible, what are you supposed to do to make things secure?”
Further, new hires normally go through a thorough onboarding process to obtain their cards that often includes in-person interactions to collect biometrics like fingerprints for their PIV credentials. In a March 25 memo, the Office of Personnel Management noted that many of the federal, state and local offices that vet newly hired government employees are “temporarily closed” due to the coronavirus outbreak, making it difficult or impossible to fulfill FBI requirements for fingerprints to process background investigations and criminal history checks.
The memo advises agencies to use a number of alternatives during the crisis, such as deferring the fingerprint collection, delaying the final reporting and adjudication of a new employee’s background investigation or conducting temporary identity proofing through remote tools like video link, fax or email. New hires who are vetted under the interim guidance will be required to undergo in-person identity-proofing when their agency returns to full capacity.
Just when that will be is the subject of much debate and speculation from epidemiologists and health experts, who have offered a wide range of estimates for when the world can expect to safely return to offices and resume group gatherings. Some experts have predicted the status quo could hold until next year or even 2022 if a new vaccine isn’t discovered quickly. That has some cybersecurity and tech companies predicting a broader shift in the global economy where remote work — and all its implications — could be here to stay.
“BYOD is now the reality and will continue to be in the future, because I don’t think we’re going back to that type of work environment that we used to be in,” said Greg Touhill, former federal CISO and current president of AppGate, during an April 15 webinar hosted by Billington CyberSecurity.
Duo Security, which makes and sells remote access tools, is betting that governments and private industry will use the crisis to restructure the way they conduct identity and access management — moving away from physical access cards and toward solutions that allow workers to use their personal devices. Most organizations, the company’s Advisory CISO Sean Frazier said in an interview, are looking for quick and easy ways to “keep the lights on” and ensure business continuity in the wake of the sudden switch.
“I think the PIV card of … 16 years ago when it came out was a really good idea, but we’ve kind of moved on from it from the perspective of agility,” said Frazier. “It’s not necessarily the easiest technology to ramp up quickly. So for example if you have some kind of event where all of a sudden your workers are remote and they’re working from home using personal technology, it was really never designed for that. People are right now kind of scrambling and looking for comparable controls.”
Frazier’s boss, Head of Advisory CISOs Wendy Nather, warned that organizations aren’t setting up their remote infrastructure for the long haul.
“A lot of organizations are thinking that this is a temporary aberration, and so when they put in an infrastructure to enable remote working they’re putting in the fastest and cheapest thing they can find and they figure they’ll just pull it back later when this is over,” she said. “We don’t know when this will be over. Even if it is over, we don’t know how many employees are going to be willing to come back into the office.”
Nather said agencies should also be increasing physical security to protect IT and other assets at their now largely empty office buildings and facilities. The Department of Veterans Affairs, for example, recently purchased new PIV card readers for one of its medical centers in Kansas City, Kan., and has cited the pandemic in multiple emergency procurements for security services to prevent unauthorized access to VA facilities during the COVID-19 outbreak.
Agencies that have historically avoided modernizing their IT and security infrastructure to handle large numbers of remote employees must now rush to implement ad-hoc protocols and purchase equipment to ensure their employees can access agency systems. The Department of Health and Human Services put out a special notice April 16 detailing an urgent COVID-related requirement for a multi-factor authentication and identity assurance solution that can provide remote access to agency resources.
“There’s a lot of employees who were never approved for remote working. Now they’re signing in through their personal devices,” Grant said. “What information do you let them access? Odds are their home device is not going to have a smart card reader built in, so how do you build in some multifactor authentication?”
There are a number of ideas to bridge the access gap in the short term, from implementing new multifactor authentication processes, using app-based solutions, leveraging one-time passwords or even purchasing and distributing Yubikeys and other authentication hardware to agency personnel. Another option could be a larger move to rely more on authenticators that are already embedded in many of today’s commercial computers and phones, allowing employees to use their personal devices to verify their identity.
Shifting your organization’s security mindset to protecting data, not devices, could also help.
“Yes, [employees] may use their own personal technology but I as a business or agency still have to protect my data, so I’ve got to make sure that if they’re coming in with a personal device, I know that device’s software is up to date, that encryption is turned on, that they’re using enabled biometrics so I can provide identity … comparable to what a PIV might provide,” said Frazier.”