Tag Archives: cyber security

New Cybersecurity Regulations ‘On Track’ Despite Virus


NATIONAL DEFENSE MAGAZINE

Katie Arrington, chief information security officer at the office of the undersecretary of defense acquisition, said CMMC is still on track despite hurdles created by the ongoing COVID-19 pandemic that has roiled the world.

“We are on track, but we’re having to retool some of the training because the actual inspections … [do] have to happen,” she said. “The actual audit has to be done on site.”

_________________________________________________________________________

“Work on the Defense Department’s highly anticipated set of new cybersecurity standards — known as the Cybersecurity Maturity Model Certification version 1.0 — is still on track despite the ongoing COVID-19 pandemic, said an official in charge of the effort April 22.

The new rules, which the Defense Department rolled out earlier this year, are meant to force the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. The rules will eventually be baked into contracts, and the Pentagon had targeted including them in requests for information as early as this summer on pathfinder programs.

Under the plan, CMMC third-party assessment organizations, known as C3PAOs, will be trained and approved by a new accreditation body. They will have to certify that a company has met the CMMC standards before it can win contracts. CMMC features different levels, with the level 1 standards being the least demanding and level 5 the most burdensome.

“We are on track, but we’re having to retool some of the training because the actual inspections … [do] have to happen,” she said. “The actual audit has to be done on site.”

The Pentagon is working on ways around that, she said during a webinar called “Protecting Small Business in a COVID-19 Environment” hosted by Project Spectrum, which is part of the Cyber Integrity Initiative and is supported by the Pentagon’s Office of Small Business Programs.

“We’re still on track,” she said. “We’re still doing the pathfinders. We’re working through those. We’re still on target to release some initial RFIs in June with the CMMC in it so we can all kind of get a feel for it.”

Additionally, the Pentagon still plans to get the first class of C3PAOs rolling out in late May or early June, she said.

The biggest sticking point will be conducting in person audits, as is required, Arrington said.

“Until we get the directive from the president and from Secretary [of Defense Mark] Esper with the DoD we have our stay-at-home orders,” she said. However, “the work hasn’t stopped and we’re still doing our absolute best to stay on track.”


Last week, speaking during a Bloomberg Government webinar, Arrington said potential delays of a couple of weeks would be insignificant to the overall program. 
“A two-week push on something is not going to … have a massive impact to our rollout of this,” she said. “I don’t think it’s going to be impactful to the schedule. I think maybe we’ll have a two, three week slip on actually doing the first audits, the pathfinders, but nothing of significance.” Auditors may have to wear masks or social distance while conducting their work, she said.


Meanwhile, Arrington noted that businesses should consider implementing the first level of the CMMC requirements now to protect themselves as more employees in the defense industrial base work from home.

“CMMC level one are 17 controls, no cost, that you can implement today that can help you be secure,” she said. “Waiting isn’t an option for any of us right now.”
She also stressed the importance of good cyber hygiene, and recommended that employees frequently change their passwords and be mindful of spearphishing attempts.
“Do your best to be diligent and remember that … the weakest link is where the adversary will come in,” she said. “Don’t be the weakest link.”


Nathan Magniex, a senior cybersecurity expert at Project Spectrum, also noted during the webinar that contractors should be wary of conducting meetings on the popular video platform Zoom.

“I would not use it as a business owner,” Magniex said. “There are certain red flags. There are connections with China that are concerning especially for the defense industrial base.”

Project Spectrum recently released a white paper on potential security risks with Zoom which said, “Zoom’s numerous vulnerabilities are not unique to them because every software company and application has them. Zoom’s links to China, however, are particularly concerning because those links expose the DIB and its supply chain, thus jeopardizing American innovation, IP and proprietary information.”

Project Spectrum recommended Cisco Webex, Facebook Workplace, Google Hangouts, GoToMeeting and Microsoft Teams as potential alternatives.”

https://www.nationaldefensemagazine.org/articles/2020/4/22/new-cybersecurity-regulations-on-track-despite-virus

Telework Security Checklist


WASHINGTON TECHNOLOGY

“What are the compliance implications of mass telework? Six questions to ask (and answer) to help you stay compliant while your employees are working remotely”

______________________________________________________________________________

“Government and contractors were unprepared for COVID-19 to so abruptly push so many employees to remote work. Even now, as businesses start to contemplate how to reopen their offices, the continued need for social distancing means many employees will be choosing or required to continue remote work for the foreseeable future. It’s a fundamental change in how organizations operate, fraught with inconsistencies, challenges and distractions.

Yet, while the pandemic is causing modifications and deviations to contracts and regulations, it will not serve as a “Get Out of Jail FREE” card. Government contractors must still comply with their contracts and protect government information.

What are the compliance implications of mass telework? Here are six questions to ask (and answer) to help you stay compliant while your employees are working remotely:

  1. Are your telework policies and procedures up to date?

Resist the temptation to ignore telework policies that are suddenly impractical. In the absence of clear guidance, employees will be inconsistent in their behavior and performance. Take the guesswork out of the mix by updating and publishing revised policies. Provide clear, concise direction for what employees should do under current conditions (and new conditions, as government guidance evolves).

  2. Is your IT infrastructure ready and secure?

A cyber-secure IT infrastructure built to support thousands of employees from a few offices will have vastly different loads and threats when most workers are suddenly piping in remotely. Is your VPN set up for the additional traffic? Do your security models and controls need to be adapted for the increased number of employees working remotely? Consider allowing access into the system for extended hours, so employees with family obligations have flexibility about when to do their work. Be sure your team fully appreciates the risks of relaxing some security controls (such as reducing keystroke monitoring) to improve your system’s responsiveness.


  3. Do employees have the technology and guidelines to work securely from home?

Most employees will do their best to serve government customers and be productive, even if they don’t have the same technology at home as at work. But the bad guys in cyberspace are exploiting this crisis and are increasingly determined to test the security boundaries of governments, businesses and citizens. Some employee “best effort” behaviors could introduce unwanted compliance and security issues.

Remind employees of how to protect sensitive information at home. Re-publish policies about home network security, strong passwords, use of personal email accounts, unknown email attachments and other best practices. Consider home burn bags to store confidential papers until employees return to the office. Remind employees to disengage smart speakers in spaces where work-related conversations are happening. Use passwords and other added security measures for all video conferencing.

  4. How are you managing and monitoring the productivity of remote workers?

Even veteran teleworkers have been disrupted by the sudden appearance of a spouse, children and/or roommates who are all competing for space, time, attention and internet bandwidth. Employees who are teleworking for the first time may have a home environment that is more casual, less vigilant, and filled with more distractions than an office setting.

It’s important, though, to proactively manage and document the work employees are doing. Be sure employees understand policies about work hours, time tracking and status updates. Share tips and expectations for productive and professional telework. Task your managers to understand obstacles their employees are facing – and to communicate clearly about whether any temporary job accommodations are approved. Then, closely monitor performance to ensure that you’re delivering on your contracts and billing the government appropriately for the completed work.

  5. Are key employees cross-trained?

Anticipate that key personnel may become unavailable to perform mission-critical duties at some point in the pandemic. If you haven’t already, identify and cross-train employees who can step in should the need arise. Remember to obtain your customer’s approval of these key employees, so work can continue uninterrupted. Keep an updated and centralized list or database to consult as your situation changes.

  6. Are you monitoring your procedures and controls, especially the updated ones?

When so much is new and changing, monitoring your controls is a must to ensure timely corrective actions and prevent material non-compliances. Periodically test your company compliance hotlines to verify that they are accessible, appropriately staffed and supported. Keep your governance program (board of directors and executive committees) active, engaged, and available to address anything that might go awry.

COVID-19 has created a remote working scenario that most government contractors never could have envisioned. While it’s different from anything we’ve experienced before, the government will not consider these changes an excuse for significant noncompliance. It is more challenging, but with planning, creativity and vigilance, companies, employees, and customers will be well served. In fact, you may find that some changes you make to accommodate the pandemic ultimately improve your operations and should endure after the crisis has resolved.”

https://washingtontechnology.com/articles/2020/04/30/insights-telework-compliance-questions.aspx

COVID-19 Enhances Pentagon Cyber Policy Commission Report Recommendations


FIFTH DOMAIN

“The importance of having that one person, that singular belly button in the executive branch who’s coordinating efforts across government so that you don’t have to create an ad hoc task force, [so] you’re not scrambling to find who are the right people we need in the room after the crisis has already occurred,” said Co-Chairman Rep. Mike Gallagher, R-Wis.

______________________________________________________________________________

“A co-chairman of the Cyberspace Solarium Commission said April 22 that the fiscal 2021 defense policy bill could include about 30 percent of the group’s cyber policy recommendations.

Rep. Mike Gallagher, R-Wis., who co-chairs the Cyberspace Solarium Commission, which released a report with more than 75 cyber policy recommendations March 11, said on a webinar hosted by Palo Alto Networks that commission staff is working with the appropriate congressional committees and subcommittees to put about 30 percent of its recommendations into this year’s National Defense Authorization Act.

The report proposed a three-pronged strategy for securing cyberspace, called layered deterrence: shape behavior, deny benefit and impose cost.

The report also takes U.S. Cyber Command’s “defend forward” policy, which allows the military to take a more aggressive approach in cyberspace. It also suggests broadening the policy to encompass the entire federal government.

Gallagher didn’t specifically identify recommendations he thinks will be included in the NDAA, but given that the bill focuses on authorizing Defense Department programs, Pentagon-specific recommendations are the likeliest to be in the legislative text.

The recommendations for the department focus on ensuring that the Cyber Mission Force is adequately equipped; establishing vulnerability assessments for weapons and nuclear control systems; sharing threat intelligence; and threat hunting of the networks of the defense-industrial base.

The spread of the new coronavirus, COVID-19, disrupted the commission report’s rollout, which included congressional hearings on the commission’s recommendation. Those hearings have been canceled. But the pandemic also highlights the need to implement recommendations made in the report, Gallagher said, specifically the establishment of a national cyber director in the White House.

“The importance of having that one person, that singular belly button in the executive branch who’s coordinating efforts across government so that you don’t have to create an ad hoc task force, [so] you’re not scrambling to find who are the right people we need in the room after the crisis has already occurred,” Gallagher said.

Before the spread of the coronavirus, congressional committees had planned to host hearings on the commission report, but those were canceled after the coronavirus spread throughout the United States. Congress is currently wrestling with how to remotely conduct voting and committee business, as the pandemic is restricting gatherings of large groups of people.

“Even though coronavirus has complicated some of … our commission rollout, we’re continuing the legislative process right now, and I’m pretty optimistic about our ability to shape this year’s NDAA,” Gallagher said.

As for the other recommendations, Gallagher said they aren’t germane to the NDAA and will take “some time.”

https://www.fifthdomain.com/congress/capitol-hill/2020/04/22/cyber-policy-suggestions-for-pentagon-could-be-implemented-this-year/

The Federal Government’s Identity Crisis


FCW

As quarantines and self-isolation guidelines have taken hold, not everyone has workstations or agency-issued laptops with card readers at home, leaving some feds and contractors with no easy way to fulfill the government’s primary identity and access requirement.

_____________________________________________________________________________

“The coronavirus outbreak has shuttered federal office buildings and sent employees to work from home. While most expect those facilities to eventually reopen, the shift to telework is changing how agencies and contractors conduct identity and access management.

The decades-long dominance of Personal Identity Verification (PIV) and Common Access Cards (CAC) as the preferred method to regulate employee access to physical and IT resources may be coming to an end.

According to a January 2020 estimate from the National Institute of Standards and Technology, the federal government and its base of contractors combined use nearly 5 million PIV cards. Digital security contractor Gemalto, which makes smart cards, estimates that the Department of Defense has approximately 4.5 million CAC cards in use at any given time.

Civilian agencies and the military are scrambling to purchase new computers and equipment, but they are competing with private industry and other organizations for limited supplies. The Army recently cited impending supply chain shortages to process an immediate sole source purchase of 200 Dell ruggedized laptops and docking stations that will “allow government workers to telework to avoid exposure to the potential COVID-19 while still completing the mission.” Other agencies like the Department of the Interior have made similar purchases.

“Every day that passes confirmed COVID-19 cases spike and the death toll increases,” the Army wrote in an April 10 justification. “It is imperative that these [notebooks] are obtained as quickly as possible to protect public health.”

Jeremy Grant, a coordinator with the Better Identity Coalition, a non-profit advocacy organization made up of companies across the financial, health care, telecommunications, payments and security sectors, said adjusting to the new reality has been particularly problematic for the federal government.

“On the government side, it’s definitely presenting some special challenges, given that while it’s a great model and very secure, everything about the PIV is premised on this very robust in-person identity and proofing process,” said Grant, a former senior executive advisor to NIST, in an interview. “The challenge has been that we built this policy assuming you can always have this in-person process. Now that it’s not feasible, what are you supposed to do to make things secure?”

Further, new hires normally go through a thorough onboarding process to obtain their cards that often includes in-person interactions to collect biometrics like fingerprints for their PIV credentials. In a March 25 memo, the Office of Personnel Management noted that many of the federal, state and local offices that vet newly hired government employees are “temporarily closed” due to the coronavirus outbreak, making it difficult or impossible to fulfill FBI-requirements for fingerprints to process background investigations and criminal history checks.

The memo advises agencies to use a number of alternatives during the crisis, such as deferring the fingerprint collection, delaying the final reporting and adjudication of a new employee’s background investigation or conducting temporary identity proofing through remote tools like video link, fax or email. New hires vetted under the interim guidance will be required to undergo in-person identity-proofing when their agency returns to full capacity.

Just when that will be is the subject of much debate and speculation from epidemiologists and health experts, who have offered a wide range of estimates for when the world can expect to safely return to offices and resume group gatherings. Some experts have predicted the status quo could hold until next year or even 2022 if a new vaccine isn’t discovered quickly. That has some cybersecurity and tech companies predicting a broader shift in the global economy where remote work — and all its implications — could be here to stay.

“BYOD is now the reality and will continue to be in the future, because I don’t think we’re going back to that type of work environment that we used to be in,” said Greg Touhill, former federal CISO and current president of AppGate, during an April 15 webinar hosted by Billington CyberSecurity.

Duo Security, which makes and sells remote access tools, is betting that governments and private industry will use the crisis to restructure the way they conduct identity and access management — moving away from physical access cards and toward solutions that allow workers to use their personal devices. Most organizations, the company’s Advisory CISO Sean Frazier said in an interview, are looking for quick and easy ways to “keep the lights on” and ensure business continuity in the wake of the sudden switch.

“I think the PIV card of … 16 years ago when it came out was a really good idea, but we’ve kind of moved on from it from the perspective of agility,” said Frazier. “It’s not necessarily the easiest technology to ramp up quickly. So for example if you have some kind of event where all of a sudden your workers are remote and they’re working from home using personal technology, it was really never designed for that. People are right now kind of scrambling and looking for comparable controls.”

Frazier’s boss, Head of Advisory CISOs Wendy Nather, warned that organizations aren’t setting up their remote infrastructure for the long haul.

“A lot of organizations are thinking that this is a temporary aberration, and so when they put in an infrastructure to enable remote working they’re putting in the fastest and cheapest thing they can find and they figure they’ll just pull it back later when this is over,” she said. “We don’t know when this will be over. Even if it is over, we don’t know how many employees are going to be willing to come back into the office.”

Nather said agencies should also be increasing physical security to protect IT and other assets at their now largely empty office buildings and facilities. The Department of Veterans Affairs, for example, recently purchased new PIV card readers for one of its medical centers in Kansas City, Kan., and has cited the pandemic in multiple emergency procurements for security services to prevent unauthorized access to VA facilities during the COVID-19 outbreak.

Agencies that have historically avoided modernizing their IT and security infrastructure to handle large numbers of remote employees must now rush to implement ad-hoc protocols and purchase equipment to ensure their employees can access agency systems. The Department of Health and Human Services put out a special notice April 16 detailing an urgent COVID-related requirement for a multi-factor authentication and identity assurance solution that can provide remote access to agency resources.

“There’s a lot of employees who were never approved for remote working. Now they’re signing in through their personal devices,” Grant said. “What information do you let them access? Odds are their home device is not going to have a smart card reader built in, so how do you build in some multifactor authentication?”

There are a number of ideas to bridge the access gap in the short term, from implementing new multifactor authentication processes, using app-based solutions, leveraging one-time passwords or even purchasing and distributing Yubikeys and other authentication hardware to agency personnel. Another option could be a larger move to rely more on authenticators that are already embedded in many of today’s commercial computers and phones, allowing employees to use their personal devices to verify their identity.

Shifting your organization’s security mindset to protecting data, not devices, could also help.

“Yes, [employees] may use their own personal technology but I as a business or agency still have to protect my data, so I’ve got to make sure that if they’re coming in with a personal device, I know that device’s software is up to date, that encryption is turned on, that they’re using enabled biometrics so I can provide identity … comparable to what a PIV might provide,” said Frazier.”

https://fcw.com/articles/2020/04/20/federal-gov-id-crisis-johnson.aspx

DOD’s Telework Surge Could Be Permanent


FCW

A new emphasis on telework at the Defense Department in response to the COVID-19 pandemic could change work culture at the Pentagon, officials said.

DOD rolled out the CVR or Commercial Virtual Remote environment to handle the deluge of teleworkers March 27.

______________________________________________________________________________

“It now has 900,000 user accounts with 250,000 added in a single day, officials said at an April 13 briefing. CVR is a collaboration suite based on Microsoft Teams that enables video, voice and text communications.

“The department has always been telework-ready long before the pandemic,” DOD CIO Dana Deasy said, but noted full-time telework was the exception and not the rule, so that a lot of education about tools and best practices was needed.

“There will be some permanency to what we have here. Specifically, I think more on the network side, and we will also have to create a base of teleworking equipment that we’ll be able to, in some cases, reuse for other purposes,” Deasy said. “There is going to be an enhanced teleworking capability that will be sustained at the end of COVID-19,” he added.

About 2,000 DOD personnel have gotten additional devices, officials said, with virtual internet service provider connections increasing 30%. Call capacity in the Pentagon has increased 50% and the Defense Information Systems Agency has increased end point capability three-fold.

The Navy’s telework capacity has exploded with 65,000 new telework users on mobile and desktops. The Navy’s telework capacity grew 150% to 250,000 workers due to COVID-19 measures, and there are additional plans to bring the total to 500,000 remote workers. The Marines increased their virtual private network capacity to 60,000 simultaneous workers, up about 80%.

This activity is creating a surge of data, and it’s still unclear what happens to CVR information after the crisis.

“We recognize that a lot of data is being created, it’s going onto an unclassified environment,” DOD CIO Dana Deasy said, in response to a question about how CVR data will be treated after the COVID-19 crisis is over. “We are looking at options on how do we take this data and preserve it and-or port it into other collaboration environments, going forward. That decision has not been taken, but I would also not pre-conclude that we’ve taken the decision the data will just be flat-out destroyed.”

Cybersecurity concerns, and the increased data risk, have risen in tandem with teleworking and are compounded by DOD not having implemented all of its cyber hygiene initiatives.

Air Force Lt. Gen. Bradford Shwedo, Joint Staff CIO, said DOD has seen a “surge of spearphishing related to COVID-19” across the organization.

Essye Miller, DOD’s principal deputy CIO, first noted the uptick in cyberattacks in March when the department began encouraging mass telework, discouraging personnel from using streaming services on DOD’s network and encouraging better cyber hygiene practices.

A Government Accountability Office report released April 13 found that DOD has fallen short when it comes to implementing proper cyber hygiene methods across the organization.

The GAO said DOD had not fully implemented cyber training briefings for DOD leadership or developed educational and training requirements for cyber workers. Additionally, a component of Cyber Command charged with network operations, the Joint Force Headquarters Department of Defense Information Network, hadn’t developed a plan for scheduled and unannounced cybersecurity inspections, according to the report.

In a letter responding to the report, Deasy said DOD would combine existing scorecards to improve data needed for senior leadership’s decision making, but that it was not possible to eliminate risk.

“Risk is a function of multiple variables and these variables are continually evolving,” Deasy wrote to GAO. “Timely, relevant, and correlated information is the best that can be expected.”

https://fcw.com/articles/2020/04/14/dod-telework-permanent-williams.aspx

U.S. Air Force Technology Empowering Teleworkers


AEROSPACE AMERICA

Aerospace engineers and others will be able to access classified networks from home.

Air Force Research Laboratory accelerated the rollout of a new way for aerospace engineers, intelligence analysts, research physicists and others to securely access classified networks remotely.

_____________________________________________________________________________

“The coronavirus pandemic separated thousands of U.S. service members, Defense Department civilians and contractors from the highly classified information they need to do their jobs each day — data they can’t just bring home or access on the unsecured internet.

AFRL calls the initiative deviceONE. This month contractors authorized to handle classified equipment began home deliveries of jump kits consisting of modified off-the-shelf laptop computers. The laptops are loaded with software developed under a National Security Agency project to securely connect users to classified networks hosted on servers in Hawaii. About 20 kits have gone out so far from an initial batch of 40.

The uses will be myriad. At AFRL, for example, engineers or other professionals could log onto deviceONE to help prepare computer models of aircraft or projectiles for wind tunnel tests, said John Woodruff, the program manager for the SecureView laptops who is based at AFRL’s Rome, New York, site.

Thousands more deliveries will follow, as vendors such as Dell, HP and Panasonic deliver more laptops to AFRL for modification. Those won’t just go to AFRL workers, but also staff at dozens of other Air Force organizations, and possibly other military organizations, Woodruff told me in a phone interview.

The program could last far beyond the COVID-19 lockdowns, potentially giving airmen and troops who depend on classified data a convenient new way to access those networks at far-flung, austere locations in Afghanistan, countries in Africa and elsewhere.

DeviceONE is part of the Air Force’s Advanced Battle Management System effort, which seeks to find new ways to connect aircraft, satellites and operations centers and share data in the field. The initiative has three elements:

  • Virtual Desktop Information, or VDI, a series of cloud-type servers at Pacific Air Force’s Hawaii headquarters that store data and applications such as Microsoft Outlook — basically everything to run a user’s entire desktop remotely.
  • SecureView, the lightweight, thin client-style laptops that do little more than access the classified network and don’t allow anything to be saved to the hard drive.
  • Commercial Solutions for Classified, or CSFC, program, which connects the SecureView laptops with the VDI servers. CSFC, based on technology developed roughly six years ago by the National Security Agency, combines virtual private networks to process classified information.

AFRL was already working on combining those preexisting technologies, but the coronavirus pandemic made the need to get it into the field even more pressing.

AFRL hurried to release the latest version of SecureView, and then worked with several Air Force organizations to get deviceONE approved for rollout at the end of March. The approval process took place at “unprecedented speed,” Woodruff said. “What normally takes months was compressed to five days.”

Now that the first 40 kits have been prepared with the proper security and other software, Woodruff expects the next thousand laptops to arrive by late April.

The next phase of the project will lay the groundwork for deploying several thousand more deviceONE units. Each user’s computer costs less than $2,500, Woodruff said, and adding thousands of more users to Pacific Air Force’s infrastructure will likely cost between $6 million and $10 million.

A nontechnical roadblock could lie ahead, Woodruff suspects. Suitable laptops could become scarce as governments, schools and companies around the world shift to teleworking.

Woodruff said AFRL has kept good relationships with top officials at vendors such as Dell, to try to convince them to prioritize their orders as much as they can.

“We’re all trying to work remotely all of a sudden,” Woodruff said. “It’s very difficult to get the quantity of laptops that we’re discussing, quickly, from the manufacturers.”

https://aerospaceamerica.aiaa.org/meet-the-u-s-air-force-technology-thats-empowering-its-teleworkers/

How Will DOD’s Workforce Shift Post-COVID-19?


FCW

“Social distancing, masks and virtual meetings are the new normal across government, including at the Department of Defense. But what will working in DOD look like on the other side of the COVID-19 curve?”

____________________________________________________________________________

“I don’t think the world’s going back,” Dave Mihelcic, the Defense Information Systems Agency’s former CTO who now consults with DMMI, told FCW, noting that he’s already setting up virtual meetings on mobile devices to keep business going domestically and internationally. “There’s some big advantages to letting people work from home.”

Lower facility costs and better recruiting capabilities are easy wins with the majority of a workforce being remote. And there are several areas that will see significant changes in the near future, the explosive demand for secure devices being chief among them.

“You will see more interest in general in mobility and telework, specifically within organizations other than DOD that have to deal with very sensitive information. And much more interest in better security, and the ability to do multiple levels of security on single devices,” said Terry Halvorsen, a former DOD CIO and now Samsung’s CIO and executive vice president for IT and mobile business.

Mihelcic said with that demand will come the need for IT workers to provision devices without touching them.

“DOD may need to rethink parts of how it does IT and be better prepared for how to do things remotely in a no-touch environment,” he said. “How do you minimize the number of people who have to touch an item?”

Mihelcic predicted those solutions, whatever they are, will not only need to work with all of DOD’s mission partners but support a culture shift where data collection, sharing and analysis are all more precise.

Data access and processing at edge environments will become paramount post-pandemic, Halvorsen said, because “you’ve got the ability now to store amazing amounts of data at the edge…. The phone I’m talking to you on, I’ve got a terabyte of storage on it.”

The computing power now available for edge devices paired with “augmented intelligence” that can be used to “filter the big volumes of data” will make working remotely much easier, he said.

“One of the other problems you’ve got when people are all working on edges, some of the tools that help people filter in and cut the data down are not available,” he said. “Today we flood people generally with data, not so much valuable information, but lots of data.”

Halvorsen said applications and data access aren’t guaranteed even when the network is available — an issue for government and industry.

“I think you will see an explosion in secure applications that allow this to be done more securely and to actually do more with the data, more analytical tools that can operate in a mobile fashion,” he said.

But there’s no large-scale data sharing without cloud, which will definitely become more important in future emergency events, Mihelcic said.

“If there was an environment that supports edge computing and edge cloud better — that’s the future and that’s helpful,” he said.

When asked how the Joint Enterprise Defense Infrastructure, the Pentagon’s embattled $10 billion cloud effort that’s under protest, would be helpful if it were already in place and running before the coronavirus infections spread throughout the U.S., Halvorsen said DOD is already on the path to more edge computing power and cloud usage.

“If there was an environment in place that supported edge computing and edge cloud better, and I think that’s where DOD is going to go, regardless of how JEDI turns out.” 

https://fcw.com/articles/2020/04/07/defense-workforce-post-covid.aspx

Senate Seeks Industry’s Help With Internal Cyber Threats

The Senate sergeant-at-arms is looking to industry for help with cybersecurity. (J. David Ake/AP)

FIFTH DOMAIN

The Senate’s sergeant-at-arms is seeking industry assistance with insider-threat and privacy assessments for Senate networks, according to an April 6 solicitation.

___________________________________________________________________________

“The SAA wants a vendor to evaluate two aspects of insider threat prevention efforts: SAA’s protection of Senate data, which can include personally identifiable information or health data; and assessment of the SAA cybersecurity department’s procedures to ensure SAA’s data protection efforts can be audited.

“The assessment will also include evaluation and detection of anomalous user behavior that may represent abuse of their administrative privileges,” the solicitation read.

According to the solicitation, the sergeant-at-arms also wants the vendor to help with the Senate’s ability to hunt threats on its networks. The office is looking for a vendor who can “conduct a comprehensive evaluation of network and systems resources for evidence of unwanted activity and cyber-threat actor persistence,” the solicitation said.

The Office of the Sergeant at Arms also expects the vendor to perform a cybersecurity resiliency test that focuses on “resiliency to effectively identify, protect, detect, react and recover from the advanced cyber threat,” the notice said.

“The Cybersecurity Department expects relevant, comprehensive and actionable improvement recommendations to refine and continue maturing its cybersecurity defense program,” the solicitation said.

While the solicitation is for insider-threat assessments, the posting comes as Senate staff, and congressional staffers more broadly, work from home amid the new coronavirus pandemic. Telework has highlighted several vulnerabilities in the Zoom videoconferencing platform. According to a tweet from a CNN reporter, the Senate’s sergeant-at-arms sent an alert to Senate offices urging them not to use Zoom.

The Office of the Sergeant at Arms has also posted several open cybersecurity jobs.”

https://www.fifthdomain.com/congress/capitol-hill/2020/04/09/the-senate-wants-industry-help-with-internal-cybersecurity/

FBI Warns On Zoom Conference Security

Image: Threatpost.com

FCW

As telework expands across the U.S., new users unfamiliar with security precautions can unintentionally expose their videoconferences to unauthorized participants.

__________________________________________________________________________

“The FBI is warning Zoom video-conferencing platform users to guard against “VTC hijacking” and “Zoom-bombing” by outsiders intent on making threats and offensive displays.

According to the FBI’s Boston Division, two Massachusetts high schools reported separate instances of individuals breaking into online classes in late March being conducted via Zoom teleconferencing software. In one incident, said the FBI, an unidentified individual dialed into a videoconference class, yelled out a profanity and the teacher’s home address. In the other, a school reported an unidentified individual with swastika tattoos dialing into a Zoom videoconference class.

FBI Special Agent Doug Domin told FCW that unauthorized participants are not just an issue on the Zoom platform. “Other providers have similar platforms,” he said, that are just as vulnerable to such intrusion if they’re misused.

“Organizations should have policies for VTC” and its associated software, as well as training on how to use it, said Domin. Individual session passwords should be used, even for audio bridges, he said. “The bigger the group, the bigger the possibilities” for unauthorized entry.

“We take the security of Zoom meetings seriously and we are deeply upset to hear about the incidents involving this type of attack,” a Zoom spokesman told FCW in an email. “For those hosting large, public group meetings, we strongly encourage hosts to review their settings and confirm that only the host can share their screen. For those hosting private meetings, password protections are on by default and we recommend that users keep those protections on to prevent uninvited users from joining,” they said.

The Zoom for Government platform is on the General Services Administration’s buying schedule and also has that agency’s Federal Risk and Authorization Management Program moderate level approval. Zoom was sponsored in the FedRAMP approval process by the Department of Homeland Security, according to the company. The authorization allows federal agencies and contractors to securely use Zoom for government video meetings and API integrations, according to the company.

Typically, government-approved versions of commercial off-the-shelf products do not allow for data collection for marketing purposes.

Zoom’s standard product has many newer users in public school environments, since company CEO Eric Yuan removed time limits on the app for elementary and high schools as the COVID-19 pandemic closed down the facilities across the U.S.

The company’s video teleconferencing offering has raised the hackles of some privacy experts, including Consumer Reports, who say it collects and sells user data to online advertisers. It revised its privacy policy on March 29 to say it does not sell personal data.

Additionally, a company official told the Intercept in a March 31 report that Zoom does not offer end-to-end encryption as it is commonly understood, that is, encrypting data between user endpoints. The content of a video conference hosted by Zoom is potentially visible to the company itself.

An IT manager FCW spoke with about Zoom said they were confident that with the FedRAMP moderate rating that conforms services to FISMA standards, a federal Authority to Operate, and familiarity with the platform, most federal users could be reasonably confident with the platform’s integrity.”

https://fcw.com/articles/2020/03/31/zoom-bombers-fbi-rockwell.aspx

Secure Teleworking Guidance From National Institute Of Standards And Technology (NIST)


“FCW”

The National Institute of Standards and Technology has issued advice for organizations that must communicate remotely, warning that the lax security policies of the past will no longer suffice as hackers and spies seek to take advantage of the increased attack surface created by the surge in nationwide remote work.

______________________________________________________________________________

“Workers across the country are being sent home and told to telework as the coronavirus outbreak continues to spread. As virtual meetings and other online interactions become a reality for many federal agencies and businesses, so too do the related cybersecurity threats.

“Unfortunately, if virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop,” wrote Jeff Greene, director of NIST’s National Cybersecurity Center of Excellence. “Using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively — and not the genesis of a data breach or other embarrassing and costly security or privacy incident.”

Greene laid out a number of suggestions for keeping virtual work discussions private and safe, most of which are simple and likely to already be specified (if not always heeded) in an organization’s existing policies.

Limiting reuse of access codes for phone meetings along with one-time PINs and multifactor authentication can help ensure that only authorized users are on more sensitive calls. For virtual or web meetings, waiting rooms and dashboards can help monitor attendees and keep track of unnamed or generic visitors. They can also help an organization keep track of who is (and isn’t) supposed to be connected.

Not every work meeting will require the use of every step. Greene encouraged organizations to use different protocols for low-, medium- and high-risk calls, and NIST developed an easy-to-use graphic to help workers determine when to use what option. More sensitive work may require tactics like distributing PINs at the last minute, identifying all attendees and then locking the meeting and ensuring that all attendees are connecting from approved devices.

The Cybersecurity and Infrastructure Security Agency has also warned that widespread telework could open up new opportunities for digital compromise. The agency put out its own security guidance last week for organizations relying on enterprisewide virtual private networks, including testing VPNs for mass usage; ensuring VPNs, network infrastructure devices and end-user devices are patched and up to date; ramping up log reviews, attack detection and incident response and recovery activities; and implementing multifactor authentication wherever possible.”

https://fcw.com/articles/2020/03/17/nist-advice-virtual-online-meetings.aspx