Tag Archives: Government computer Security

Government Improving The Sharing Of Cyber Security Threat Information


FIFTH DOMAIN

“A new joint report from inspectors general across the government found that information sharing among the intelligence community and the rest of government “made progress.”

______________________________________________________________________________

“Over and over cybersecurity officials in the civilian government, the intelligence community and the Department of Defense say the same platitude: information sharing is important. Often, however, little insight, or metrics, back up exactly how well they are doing it.

The report, titled “Unclassified Joint Report on the Implementation of the Cybersecurity Information Sharing Act of 2015” and released Dec. 19, found that cybersecurity threat information sharing has improved throughout government over the last two years, though some barriers remain, like information classification levels.

Information sharing throughout government has improved in part because of security capability launched by the Office of the Director of National Intelligence’s Intelligence Community Security Coordination Center (IC SCC) that allowed the ODNI to increase cybersecurity information all the way up to the top-secret level. The capability, called the Intelligence Community Analysis and Signature Tool (ICOAST), shares both indicators of compromise and malware signatures that identify the presence of malicious code. According to the report, the information from the platform is available to “thousands” of users across the IC, DoD and civilian government.

Information sharing within the IC has also improved due to the creation of several websites within its top-secret networks that contain threat indicators and several different types of summary reports on cyber activity and vulnerabilities.

Technological change is molding the future of information sharing within the government. With the rise of cloud computing at various classification levels throughout the government, the IC SCC told IGs that it plans to expand the ICOAST threat intel capability to work in secret and unclassified clouds. That is in the “planning and development” stages, according to the report.

“At the secret and unclassified levels, the ICOAST instances will interface with multiple DoD components and other federal entities that have the responsibility for distributing cyberthreat information to federal, state and local entities and the private sector,” the IGs wrote.

According to the report, an IC SCC official told the IGs that they wanted to deploy ICOAST in those environments by the end of calendar year 2019. A spokesperson for the ODNI didn’t immediately respond to a question about the availability of ICOAST.

The IC SCC is also working with the Department of Homeland Security’s cybersecurity arm, the Cybersecurity and Infrastructure Security Agency, to improve information within CISA’s threat intelligence platform, Automated Indicator Sharing (AIS), for integration with ICOAST.

Barriers to sharing

Though the government has made marked improvements in its info sharing, the IG noted several ongoing challenges to better information sharing.

CISA’s AIS solution, a system through which the federal government and the private sector can share threat intelligence in near-real time, has its own participation challenges. In December 2018, the IGs found, there were 252 federal and non-federal organizations signed up for AIS. But in June 2019, only four agencies and six non-federal entities were using the platform for information sharing. DHS told auditors that the lack of participation hindered improvement.

“DHS reported that the limited number of participants who input cyberthreat information to AIS is the main barrier for DHS to improve the quality of the indicators with more actionable information to mitigate potential cyberthreats,” the IGs wrote.

The most common complaint was that AIS threat information lacked proper context to be actionable, a complaint similar to that heard from state governments receiving threat intelligence from DHS and the FBI during the 2016 election. Therefore, cybersecurity officials at several agencies couldn’t “determine why the indicator was an issue.”

“As a result, the entities did not know what actions to take based on the information received from AIS without performing additional research,” the IGs wrote.

CISA officials told the IGs that they were working on improving the quality of information with AIS.

Meanwhile, agencies also noted that the classification levels of certain threat intelligence prevented widespread info sharing. Aside from officials lacking proper clearance being prevented from viewing certain information, auditors also noted that classified threat information couldn’t be uploaded into the sharing platforms that aren’t cleared for storing that information, further hampering sharing efforts. Some agencies have worked with the owners to downgrade the classification level, according to the report.
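The two barriers the IGs describe, indicators that arrive without enough context to act on and indicators whose classification marking exceeds what the receiving platform may store, are both things a receiving agency can check mechanically before an analyst spends time on them. The following is an added example, not code from the IG report, Fifth Domain, CISA or ODNI, and it does not use the real AIS or ICOAST record format: it parses a small constructed feed of indicators (a domain, a file hash and a YARA signature) and sorts each into actionable, needs-research (with the missing context fields named) or not-loadable for a platform cleared to a given level. The record fields, the `U`/`S`/`TS` ordering and the platform level are assumptions for illustration.

```python
import json

# Constructed sample feed in a simplified record format (not the AIS/ICOAST schema).
# Each record carries the indicator plus the context a recipient needs to act on
# it without additional research. ind-2 deliberately arrives with no context.
SAMPLE_FEED = json.dumps([
    {"id": "ind-1", "type": "domain", "value": "update-check.example",
     "description": "beacon domain observed in a phishing campaign (constructed)",
     "threat_type": "command-and-control", "confidence": 85,
     "first_seen": "2019-05-02",
     "recommended_action": "block at the resolver and review egress logs",
     "classification": "U"},
    {"id": "ind-2", "type": "sha256", "value": "0" * 64,
     "classification": "U"},
    {"id": "ind-3", "type": "yara",
     "value": 'rule constructed_loader { strings: $a = "x" condition: $a }',
     "description": "signature for a loader family (constructed)",
     "threat_type": "malware", "confidence": 70, "first_seen": "2019-06-11",
     "recommended_action": "add to endpoint scanning",
     "classification": "S"},
])

# Context fields an indicator must carry to be actionable on receipt (assumed set).
CONTEXT_FIELDS = ("description", "threat_type", "confidence",
                  "first_seen", "recommended_action")

# Assumed ordering of classification markings, lowest to highest.
LEVELS = {"U": 0, "S": 1, "TS": 2}


def missing_context(record):
    """Return the names of the context fields that are absent or empty."""
    return [f for f in CONTEXT_FIELDS if record.get(f) in (None, "")]


def triage(feed_json, platform_max_level):
    """Sort a feed for a sharing platform cleared up to platform_max_level.

    Records marked above the platform's level are reported as not loadable;
    records with complete context are actionable; the rest are listed with
    the fields an analyst would have to research before acting.
    """
    if platform_max_level not in LEVELS:
        raise ValueError(f"unknown classification level: {platform_max_level}")
    result = {"actionable": [], "needs_research": {}, "not_loadable": []}
    for rec in json.loads(feed_json):
        if LEVELS[rec["classification"]] > LEVELS[platform_max_level]:
            result["not_loadable"].append(rec["id"])
            continue
        gaps = missing_context(rec)
        if gaps:
            result["needs_research"][rec["id"]] = gaps
        else:
            result["actionable"].append(rec["id"])
    return result


if __name__ == "__main__":
    for level in ("U", "TS"):
        print(level, triage(SAMPLE_FEED, level))
```

Run against the constructed feed, an unclassified platform gets one actionable indicator, one flagged for research on all five context fields, and one that cannot be loaded because of its marking; a top-secret platform loads the signature as well. The useful design point is that "lacks context" becomes a concrete, per-field report rather than a general complaint, which is what a feed operator needs in order to improve the records it publishes.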

“Sharing cyberthreat indicators and defensive measures increases the amount of information available for defending systems and networks against cyberattacks,” the IGs wrote.”

https://www.fifthdomain.com/dod/2019/12/30/how-good-is-the-government-at-threat-information-sharing/

Four Big Questions For Cyber Security In 2019


“FIFTH DOMAIN”

“If the United States wants to keep up with digital innovations from China and other countries it is necessary to change the American government’s relationship with the private sector and academia.

But when it comes to the U.S. government’s relationship with the cyber industry, structural barriers to innovation remain.”

______________________________________________________________________________

“How will cybersecurity experts remember 2018?

The Department of Justice announced sweeping indictments against Chinese hackers and the U.S. intelligence community reported that foreign countries continued to interfere in American elections.

So what comes next? Here are four overarching questions for the cybersecurity community in 2019:

What will the new Pentagon chief do with expanded cyber powers?

In August, the president gave the secretary of Defense the ability to conduct cyberattacks against foreign countries so long as they do not interfere with the national interest of the United States, according to four current and former White House and intelligence officials. But the resignation of Jim Mattis, the Defense secretary, means the next Pentagon chief will have a broad arsenal of cyber authorities.

For the cyber community, Patrick Shanahan, the current acting secretary, is a relative unknown. He has not given significant insight into how he views the role of offensive cyberattacks for the Pentagon, and his scheduled Jan. 1 elevation comes as some in the Trump administration and U.S. Cyber Command have pushed for even more authorities. However, he has spoken at length about the need for the defense industry to bolster its own cyber practices.

Although the appointment of Shanahan as acting Pentagon chief is temporary, he is on the short list of officials who may take on the job full time.

The new Pentagon chief may also have to decide when the National Security Agency and U.S. Cyber Command should split.

Both bodies are led by Gen. Paul Nakasone, but that may change. Cyber Command is in the process of gaining its own infrastructure to conduct offensive cyberattacks, and a Pentagon official told Fifth Domain in November that it appeared the split was all but certain to happen in the coming years, although no formal decision has been made.

What comes next in the U.S.-China cyber relationship?

The Department of Justice released a flurry of indictments against Chinese hackers in 2018, accusing Beijing’s cyber sleuths of infiltrating American government agencies and defense contractors.

The most recent round of allegations came Dec. 18, and the legal action could continue in 2019. While announcing the most recent indictments, Deputy Attorney General Rod Rosenstein accused China of breaking an agreement not to use hacked materials for commercial use, although he did not offer evidence.

The hacking allegations come amid a broader trade war between the United States and China. Experts have told Fifth Domain a trade war could increase digital tension between the two nations. If the trade war continues, experts say they see little incentive for China to limit its cyberattacks.

Will America suffer blowback for more offensive cyber operations?

“The side effects of the strategy of ‘persistent engagement’ and ‘defend forward’ are still ill-understood,” Max Smeets and Herb Lin, experts at Stanford University wrote for Lawfare. “A United States that is more powerful in cyberspace does not necessarily mean one that is more stable or secure.”

Experts also warn of making any rash judgments about the effectiveness of these offensive cyberattacks. Current and former intelligence officials worry that uncovering and attributing a hack can take more than a year, and, even then, that process is not perfect.

One former official pointed to the leaked documents about Russian targeting of American election infrastructure in 2016 that was sent to the news organization the Intercept. It took months for the intelligence community to understand the full extent of the hack, the official said, an example of how long it takes to detect a cyberattack.

However, all of that means it is reasonable to expect that the merits of the new offensive cyber operations may not be known publicly for years.

Will Congress take action to streamline cybersecurity contracting and research?

Yes, changing the way government does business is ambitious. But experts argue that if the United States wants to keep up with digital innovations from China and other countries it is necessary to change the American government’s relationship with the private sector and academia. The effort to streamline cybersecurity funding and research will fall to the new Congress, in which Democrats will take over the House of Representatives.

But when it comes to the U.S. government’s relationship with the cyber industry, structural barriers to innovation remain.

On average, it takes roughly seven years for an idea to get a contract inside the U.S. government. In that length of time, a product is already two generations old. Former Pentagon officials have used the digital fight against the Islamic State as an example of how long the process takes. It took roughly two years for Cyber Command to receive the proper equipment and training after the order to digitally defeat the Islamic State, officials told Fifth Domain.

In addition, the cybersecurity industry is watching a series of bills in Congress. Sen. Mark Warner, D-Va., has pushed for a streamlined security clearance process, and industry officials told Fifth Domain they expect him to continue the effort in the new year. The bill could make it easier and cheaper to get a security clearance.

And many in the federal cybersecurity community have called for a change in academia’s relationship with cybersecurity.

The universities and research institutions in the United States focusing on quantum computing are “subpar,” George Barnes, deputy director at the NSA, said in June.

Experts say that quantum computers will make traditional cybersecurity methods obsolete because of the expansive computing power.

However, new investments in artificial intelligence and a new Solarium Commission, which was created to help contextualize cyber in the broader national and economic security discussion, may provide solutions to these problems.”

https://www.fifthdomain.com/industry/2018/12/31/four-big-questions-for-cybersecurity-in-2019/

Defense Innovation Board Lays Out First Concepts


“DEFENSE NEWS”

“Thinkers and business leaders from the tech world outside of the traditional defense sector.

The sole exception to that is the presence of retired Adm. William McRaven, the former head of SOCOM.

The board came out with a series of rough recommendations for Secretary of Defense Ash Carter — or his successor — that they believe will lead to injecting a culture of innovation into the Pentagon.

Schmidt opened the meeting by acknowledging the importance of the Pentagon’s mission: “We all believe an outside perspective would be beneficial and we’ve set out to try and make some recommendations.”

He added that members of the board have spent the summer traveling around to various DoD installations, including trips to Nellis Air Force Base in Nevada, Fort Bragg in North Carolina and Special Operations Command (SOCOM) headquarters in Tampa, Florida. Schmidt also spent two days last week traveling with Carter to learn about the nuclear enterprise, and future trips are scheduled for US Pacific Command and US Central Command.

So what are the early ideas from the board?

A Chief Innovation Officer

The first idea listed by the board was the concept of a chief innovation officer, appointed directly by the secretary of defense, to serve as a point person for innovation efforts around the department.

Cass Sunstein, a professor at Harvard Law School who has served in various government positions, explained that the sharing of best practices around the DoD is currently “less than ideal,” and noted that the position could act as the umbrella from which funding for low-level projects could flow.

Sunstein also said he believes that office could be set up “in a hurry. This could be done in a relatively informal way in the very near future.” At the same time, he acknowledged that there are “significant” legal and logistical challenges about creating the office.

The position could particularly help create cover for individuals who are down in the ranks and have ideas but are unable to flow them forward on their own.

“There are innovators who are in the Defense Department and who are excellent, but who could be sharing best practices and better coordinated and could be spurred a bit more, and the idea there is a dispersed innovative capacity in the form of lower-level people who have great ideas but face obstacles,” Sunstein told journalists after the event. “The idea of that as an umbrella for various concepts, we’re drawn to that.”

Create a Digital ROTC

The recent hacks of the Office of Personnel Management and state election offices show how critical it is for the US to recruit and retain top cyber talent, said Marne Levine, chief operating officer at Instagram. Top commercial firms with deep pockets and great benefits compete fiercely for that talent, with DoD struggling to keep up.

So in order to attract talent to the Pentagon, the board suggested creating a “digital ROTC,” where the Pentagon would pay college tuition for cyber experts in exchange for their service.

Levine acknowledged setting aside the funding for such a program “may require hard budget choices,” but “one only has to think of the high cost of cyberattacks to understand the value of such an investment.”

Similarly, she put forth the idea of creating a science, technology, engineering and math, or STEM, career-path specialization inside the department, similar to that followed by doctors or lawyers.

The good news, said astrophysicist and television personality Neil deGrasse Tyson, is that the generation currently in high school and college is more interested in science than any before it.

“If you’re going to recruit people who have an interest in science and technology, I can assert that the pool of people now available to you is greater than ever before,” he said. But to attract those people from the commercial sector, the Pentagon needs to offer the best opportunities for new technologies and programs around.

“You can’t just say come because we’re cool. You have to be cool,” Tyson said. “And you’ll get ’em, for sure.”

Create a Center of Excellence for Artificial Intelligence and Machine Learning

The use of artificial intelligence and machine learning have the “ability to spur innovation and represent transformational change,” said J. Michael McQuade, senior vice president for science and technology with United Technologies.

That is certainly an opinion shared by Deputy Secretary of Defense Bob Work, who has talked extensively about the importance of artificial intelligence for the next generation of Pentagon systems. But McQuade said the Pentagon needs to think broadly about that potential and how it can impact things down to supply-chain optimization and training, and not just combat functions.

“We do believe substantial changes are happening in the core science and technology capability” here, McQuade said, which means the Pentagon should look at creating a center of excellence to be the central hub of this work. Whether that is a national lab or institute isn’t clear yet, but the center would ensure “adequate” focus on the issue.

Embed Software Development Teams Within Key Commands

Reid Hoffman, a co-founder of LinkedIn and now with Greylock Partners, joked that the tech industry has become so reliant on software that Silicon Valley should be renamed Software Valley. And the Pentagon, he said, simply has not kept up.

As a result, he put forth the idea of creating embedded software development teams in various key commands, which would be “small, agile teams of software developers where you would keep these teams current on modern techniques of software development.”

Improve Software Testing Regimens

Milo Medin, vice president of Access Services with Google Capital and a former NASA official, also emphasized the importance of software for the Pentagon, noting it is the driving factor behind upgrade programs for everything from radars to the F-35 joint strike fighter.

Currently, operational testing of software is set in the classic mindset, Medin said, adding that the testers seem to have “an implicit assumption” that the Pentagon’s firewalls, as currently constructed, are sufficient.

“In the heavily networked battle space these systems are operating in, the consequences of our weapon systems being breached from a security perspective could be severe,” he warned, adding that as autonomy enters the battle space the risk of systems being hacked could expand.

As a result, software testing needs to happen on an ongoing basis, not just when the planes are going operational. And for that to happen, the government needs access to the software code that runs the systems.

Speaking to reporters after the event, Medin stressed that does not mean defense contractors should be forced to hand over control of code developed in house, a major issue that has been raised from industry in recent years.

“The issue isn’t owning the software. The issue is access to the software,” he said. “If software is your differentiator, if software becomes a core competency … that’s something the government needs to be able to have access to, to be able to build and to be able to potentially modify. That’s what you find in the tech sector.”

Create Funding Streams for COCOMs

The Defense Innovation Board is made up of thinkers from academia and the private tech sector, in a purposeful attempt to inject outside thinking into the department. The sole exception to that is the presence of retired Adm. William McRaven, the former head of SOCOM.

Now the Chancellor at the University of Texas, McRaven provides an insider’s perspective on the acquisition system and internal processes that drive the Pentagon. He also understands how to operate around them to innovate quickly, due to his experience at SOCOM, which is famously able to develop and deploy technology at rapid rates.

But while SOCOM has that ability, other parts of the military do not — something McRaven said the board came to understand during various visits this summer.

“We were a little frustrated as you see these magnificent infantrymen and pilots who are equally as smart [as SOCOM], equally want to innovate, and yet the layers of bureaucracy to get the decision-makers to make those decisions are difficult.”

As a result, McRaven would like to see a way to give other combatant commanders acquisition ability. Not for big, Category 1 programs — “You need to let that go through a traditional approach,” he said — but for smaller technology programs. And if the commanders can quickly turn small projects into fielded capabilities, the idea that innovative thinking will be rewarded will “spread like wildfire” through the force, he added.

Future Concepts

Those concepts are still in their infancy, but represent the more concrete ideas the board has come up with. But there are several broader concepts that the members are still trying to get their head around.

Jennifer Pahlka, the founder of the nonprofit Code for America, said she wants to tap into what tech companies call the “maker movement,” with an eye on the tinkerers in the military who have good ideas but not the venue for turning them into products. Eric Lander, president and director of the Broad Institute, said he was really interested in what role biological technologies could provide.

But the toughest issue to tackle, and perhaps the most important, is cultural. All involved agreed that developing a culture where new ideas can be tested and fail, without fear of ending a career, is going to be the biggest challenge. And it’s not clear exactly how that can be changed.

Schmidt said he is “convinced” the biggest change the board needs to look at is with people and culture, more than specific pieces of technology.

That was driven home by the public comment section of the meeting, which featured a number of junior and mid-level officers talking about the risk-averse nature of the Pentagon. At the end of the day, however, the hope is that the ideas from the board can start to change that around the edges before injecting change more directly into the system.

“The fact [board members are] not steeped in the Department of Defense may be the best thing this group brings,” McRaven told reporters. “At the end of the day, we want to have an outside look because I think that’s where we can make real change.”

Added Schmidt: “We’re not going to write a report without impact. We view ourselves as more of a contact sport, working with whatever way is appropriate.”

Another question is about the future of the group once Carter leaves office, which is expected to occur early next year as a new administration comes to power. The board is currently scheduled to expire in April 2018, but could be renewed much the same way other advisory boards have been in the past.

“The other boards have been around for a while, and I’m assuming we will generate enough value that people want us around,” Schmidt said. “And if we don’t perform, we will be fired.”

http://www.defensenews.com/articles/defense-innovation-board-lays-out-first-concepts?utm_source=Sailthru&utm_medium=email&utm_campaign=EBB%2010.6.16&utm_term=Editorial%20-%20Early%20Bird%20Brief


US Gov. Bid Solicitation: “Host and Protect in Excess of 21.5 Million Records”


“WASHINGTON POST”

“The government plans to award a sweeping five-year contract in August to a private company to monitor the hacked security clearance data of 21.5 million people for identity theft — and ensure that the records are protected from further intrusions.

The winning bidder will be asked to monitor financial and health information of the breach victims — contractors and federal employees and their families — for fraudulent activity; set up call centers to answer questions; and train government employees how to prevent other hacks and restore stolen identities.

And the contractor must be on constant alert for further risks to the hacked background investigation files, among the most sensitive data in the government, according to a 55-page solicitation the General Services Administration issued last week.

GSA has asked potential bidders if they have the capacity to host such a large trove of data: “In light of these requirements, does your company have the ability to host and protect in excess of 21.5 million records?”

GSA wrote in a letter accompanying the solicitation, “… We are launching an aggressive procurement cycle and activities to respond to recent data breaches.” Officials from GSA and the Defense Department, which will oversee the contract, convened a handful of companies that specialize in data breaches and identity theft protection on a conference call to go over details.

The government expects to award the contract by Aug. 14.

The new contract, which will go to a single contractor or a team, will last five years, although the solicitation does not say how long credit monitoring and identity theft protection will last. The Office of Personnel Management has promised at least three years.

The contract will be far more expansive than the $21 million OPM awarded in June to Winvale Group and its partner, CSID, to respond to an earlier hack of personnel records of 4.2 million active and former federal workers. Together, the breaches — believed to have been carried out by the Chinese government — exposed the personal data of more than 22 million people, including Social Security numbers, performance evaluations, and names of family members and friends who were listed as references on millions of applications for security clearances.


CSID was widely criticized for poor customer service during the first few weeks it notified federal employees that their data was at risk. The company says its service has improved. It plans to bid on the new contract, where it will compete to serve a population more than five times as big as its earlier contract.

That population includes current and former federal government employees and contractors, their spouses, children and roommates and anyone else who provided the government with Social Security numbers for background investigations.

In its solicitation, the government requires that the contractor’s staff respond to calls for information within 30 minutes. It also asks potential bidders if they will be capable of signing up millions of people for identity theft protection.

Can your company “meet a surge requirement to effectively support in excess of 21.5 million individuals where the demand for services entitlements could exceed 20 percent?” the government asked.”

http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/23/government-asks-bidders-on-hack-contract-can-your-company-host-and-protect-in-excess-of-21-5-million-records/?wpisrc=nl_headlines&wpmm=1