Tag Archives: technology

Neutrality Matters


Image:  CNN.com

“WIRED”

“In a time when there are too few companies with too much power – we need net neutrality now more than ever.

Getting rid of Title II would lead to even more centralization, handing more power to the largest Internet companies while stifling competition and innovation.

Next month, Amazon, Netflix, and dozens of other companies and organizations will host a “day of action” aimed at saving net neutrality as we know it. The Federal Communications Commission, meanwhile, is on the verge of revoking its own authority to enforce net neutrality rules, and the country’s biggest telecommunications companies are cheering along. The future of the internet is on the line here, but it’s easy to be cynical about the conflict: What does it matter which set of giant corporations controls the internet?

Under the current net neutrality rules, broadband providers like Comcast and Charter, and wireless providers like AT&T and Verizon, can’t block or slow down your access to lawful content, nor can they create so-called “fast lanes” for content providers who are willing to pay extra. In other words, your internet provider can’t slow your Amazon Prime Video stream to a crawl so you’ll keep your Comcast cable plan, and your mobile carrier can’t stop you from using Microsoft’s Skype instead of your own Verizon cell phone minutes.

If the Trump administration gets its way and abolishes net neutrality, those broadband providers could privilege some content providers over others (for a price, of course). The broadband industry says it supports net neutrality in theory but opposes the FCC’s reclassification of internet providers as utility-like “Title II” providers, and that consumers have nothing to worry about. But it’s hard not to worry given that without Title II classification, the FCC wouldn’t actually be able to enforce its net neutrality rules. It might be less alarming if the internet were a level playing field with free and fair competition. But it’s not. At all.

If you want to search for anything online, you’ve got to go through Google or maybe Microsoft’s Bing. The updates your Facebook friends share are filtered through the company’s algorithms. The mobile apps you can find in your phone’s app store are selected by either Apple or Google. If you’re like most online shoppers, you’re mostly buying products sold by Amazon and its partners. Even with the current net neutrality laws there’s not enough competition—without them, there will be even less, which could stifle the growth and innovation that fuels the digital economy.

Fast lanes or other types of network discrimination could have a big impact on the countless independent websites and apps that already exist, many of which would have to cough up extra money to compete with the bigger competitors to reach audiences. Consider the examples of Netflix, Skype, and YouTube, all of which came of age during the mid-2000s when the FCC’s first net neutrality rules were in place. Had broadband providers been able to block videos streaming and internet-based phone calls in the early days, these companies may have seen their growth blocked by larger companies with deeper pockets. Instead, net neutrality rules allowed them to find their audiences and become the giants they are today, and without net neutrality, they could even potentially become the very start-up-killers that would’ve slowed or stopped their own earlier growth. Getting rid of net neutrality all but ensures that the next generation of internet companies won’t be able to compete with the internet giants.

The end of net neutrality could also have ranging implications for consumers. Amazon, Netflix, YouTube, and a handful of other services may dominate the online video market, but without net neutrality, broadband providers might try to make it more expensive to access popular streaming sites in an attempt to keep customers paying for expensive television packages. “[Net neutrality] protects consumers from having the cost of internet go up because they have to pay for fast lane tolls,” says Chris Lewis, vice president of the advocacy group Public Knowledge.

Lewis also points out that there are a few other consumer friendly protections in the FCC’s net neutrality rules. For example, the FCC rules require internet service providers to disclose information about the speed of their services, helping you find out whether you’re getting your money’s worth. They also force broadband providers to allow you to connect any device you like to your internet connection, so that your provider can’t force you to use a specific type of WiFi router, or tell you which Internet of Things gadgets you can or can’t use.

“The Internet is as awesome and diverse as it is thanks to the basic guiding principle of net neutrality,” says Evan Greer, campaign director for Fight for the Future, one of the main organizers of the net neutrality day of action, which will take place on July 12 and try to raise awareness about net neutrality across the web.”

https://www.wired.com/story/why-net-neutrality-matters-even-in-the-age-of-oligopoly/

National Geospatial Intelligence Agency (NGA) To Offer Data to Industry for Partnerships


NGA Headquarters – Image:  “Federal News Radio”

“BREAKING DEFENSE”

“The idea: offer companies chunks of the “wonderland” of unclassified NGA data so they can use them to build new products or to test algorithms key to their products.

It’s a bold and rare move by a large and largely secretive government agency.

The top two leaders of the National Geospatial Intelligence Agency, Robert Cardillo and Susan Gordon, met with Anthony Vinci, now NGA’s director of plans and programs, to discuss ways to get more value from the agency’s incredibly valuable pools of data.

Using The Economist’s description of data as the oil of today — the most valuable commodity in our economy — Vinci argued the agency must deploy it and help pay the American people back for the investment they have made in building the agency. If data is the new oil, Vinci said companies should “turn it into plastic,” adding value.

Cardillo told reporters NGA would create a B corporation — in effect a non-profit government company — and hire an outsider to run it.

This, I think it’s fair to say, is not a slam dunk. Culturally, it will be challenging, Vinci admitted. “It’s straightforward, but it sort of breaks every rule we have in the IC (Intelligence Community).” The IC doesn’t share data and it doesn’t partner with outsiders, except for allied and friendly governments when needed.

This process may sidestep the whole process of generating a requirement for an intelligence system. “I don’t think that’s how problems can be solved any more,” Vinci said. The current system, which can be circumvented if an urgent need exists, is generally slow and restrictive, one that the Pentagon and the IC are increasingly trying to amend.

I spoke with three senior industry officials who listened to Vinci’s presentation and they were hopeful but cautious. All three said they thought the new effort could yield unexpected and useful returns on taxpayer’s investments in the data.

The biggest obstacle may be Congress. Although NGA would not be making money from the data sharing and it would not be releasing any data that could help our enemies, they would be sharing a government resource which voting taxpayers paid for and over which lawmakers have oversight. Whether the products resulting from the data would be licensed back to NGA, or allowed to generate profits for companies is all still to be determined.

“That’s part of what we’re trying to figure out,” Vinci told me. “Taxpayers paid for this data, and how can we get that value back to them.””

http://breakingdefense.com/2017/06/nga-to-offer-data-to-industry-for-partnerships/


VA Will Shift Medical Records To DOD’s “In-Process” Electronic Medical Records System


Image:  Military Times

Total Investment To Date Now Projected at Nearly $10 Billion

“MILITARY TIMES”

VA has already spent more than $1 billion in recent years in attempts to make its legacy health record systems work better with military systems.

The military’s health record system is still being put in place across that department, more than three years after the acquisition process began. The initial contract topped $4.6 billion, but has risen in cost in recent years.

Shulkin did not announce a potential price tag for the move to a commercial electronic health records system, but said that a price tag of less than $4 billion would likely be “unrealistic.”


“Veterans Affairs administrators on Monday announced plans to shift veterans’ electronic medical records to the same system used by the Defense Department, potentially ending a decades-old problematic rift in sharing information between the two bureaucracies.

VA Secretary David Shulkin announced the decision Monday as a game-changing move, one that will pull his department into the commercial medical record sector and — he hopes — create an easier to navigate system for troops leaving the ranks.

“VA and DoD have worked together for many years to advance (electronic health records) interoperability between their many separate applications, at the cost of several hundred millions of dollars, in an attempt to create a consistent and accurate view of individual medical record information,” Shulkin said.

“While we have established interoperability between VA and DOD for key aspects of the health record … the bottom line is we still don’t have the ability to trade information seamlessly for our veteran patients. Without (improvements), VA and DoD will continue to face significant challenges if the departments remain on two different systems.”

White House officials — including President Donald Trump himself — hailed the announcement as a major step forward in making government services easier for troops and veterans.

Developing implementation plans and potential costs is expected to take three to six months.

But he did say VA leaders will skip standard contract competition processes to more quickly move ahead with Millennium software owned by Missouri-based Cerner Corp., the basis of the Pentagon’s MHS GENESIS records system.

“For the reasons of the health and protection of our veterans, I have decided that we can’t wait years, as DOD did in its EHR acquisition process, to get our next generation EHR in place,” Shulkin said.

Shulkin for months has promised to “get VA out of the software business,” indicating that the department would shift to a customized commercial-sector option for updating the health records.

The VA announcement came within minutes of Trump’s controversial proposal to privatize the nation’s air traffic control system. The president has repeatedly pledged to make government systems work more like a business, and in some cases hand over public responsibilities to the private sector.

Shulkin has worked to assure veterans groups that his efforts to rely on the private sector for expertise and some services will not mean a broader dismantling of VA, but instead will produce a more efficient and responsive agency.

He promised a system that will not only be interoperable with DOD records but also easily transferable to private-sector hospitals and physicians, as VA officials work to expand outside partnerships.

Shulkin is expected to testify before Congress on the fiscal 2018 budget request in coming weeks. As they have in past hearings, lawmakers are expected to request more information on the EHR changes then.”

http://www.militarytimes.com/articles/va-share-dod-electronic-medical-records-decision


4 Ways to Protect Against the Very Real Threat of Ransomware


“Getty Images”

“WIRED”

“You’re still largely on your own when it comes to fighting ransomware attacks, which hackers use to encrypt your computer or critical files until you pay a ransom to unlock them.

Ransomware is a multi-million-dollar crime operation that strikes everyone from hospitals to police departments to online casinos.

It’s such a profitable scheme that experts say traditional cyberthieves are abandoning their old ways of making money—stealing credit card numbers and bank account credentials—in favor of ransomware.

You could choose to cave and pay, as many victims do. Last year, for example, the FBI says victims who reported attacks to the Bureau enriched cyber extortionists’ coffers by $24 million. But even if you’ve backed up your data in a safe place and choose not to pay the ransom, this doesn’t mean an attack won’t cost you. Victims of the CryptoWall ransomware, for example, have suffered an estimated $325 million in damages since that strain of ransomware was discovered in January 2015, according to the Cyber Threat Alliance (.pdf). The damages include the cost of disinfecting machines and restoring backup data—which can take days or weeks depending on the organization.

But don’t fear—you aren’t totally at the mercy of hackers. If you’re at risk for a ransomware attack, there are simple steps you can take to protect yourself and your business. Here’s what you should do.

First of All, Who Are Ransomware’s Prime Targets?

Any company or organization that depends on daily access to critical data—and can’t afford to lose access to it during the time it would take to respond to an attack—should be most worried about ransomware. That means banks, hospitals, Congress, police departments, and airlines and airports should all be on guard. But any large corporation or government agency is also at risk, including critical infrastructure, to a degree. Ransomware, for example, could affect the Windows systems that power and water plants use to monitor and configure operations, says Robert M. Lee, CEO at critical infrastructure security firm Dragos Security. The slightly relieving news is that ransomware, or at least the variants we know about to date, wouldn’t be able to infect the industrial control systems that actually run critical operations.

“Just because the Windows systems are gone, doesn’t mean the power just goes down,” he told WIRED. “[But] it could lock out operators from viewing or controlling the process.” In some industries that are heavily regulated, such as the nuclear power industry, this is enough to send a plant into automated shutdown, as regulations require when workers lose sight of operations.

Individual users are also at risk of ransomware attacks against home computers, and some of the suggestions below will apply to you as well, if you’re in that category.

1. Back Up, as Big Sean Says

The best defense against ransomware is to outwit attackers by not being vulnerable to their threats in the first place. This means backing up important data daily, so that even if your computers and servers get locked, you won’t be forced to pay to see your data again.

“More than 5,000 customers have called us for help with ransomware attacks in the last 12 months,” says Chris Doggett, senior vice president at Carbonite, which provides cloud backup services for individuals and small businesses. One health care customer lost access to 14 years of files, he says, and a community organization lost access to 170,000 files in an attack, but both had backed up their data to the cloud so they didn’t have to pay a ransom.

Some ransomware attackers search out backup systems to encrypt and lock, too, by first gaining entry to desktop systems and then manually working their way through a network to get to servers. So if you don’t back up to the cloud and instead backup to a local storage device or server, these should be offline and not directly connected to desktop systems where the ransomware or attacker can reach them.

“A lot of people store their documents in network shares,” says Anup Ghosh, CEO of security firm Invincea. “But network shares are as at risk as your desktop system in a ransomware infection. If the backups are done offline, and the backup is not reachable from the machine that is infected, then you’re fine.”

The same is true if you do your own machine backups with an external hard drive. Those drives should only be connected to a machine when doing backups, then disconnected. “If your backup drive is connected to the device at the time the ransomware runs, then it would also get encrypted,” he notes.

Backups won’t necessarily make a ransomware attack painless, however, since it can take a week or more to restore data, during which business operations may be impaired or halted.

“We’ve seen hospitals elect to pay the ransom because lives are on the line and presumably the downtime that was associated, even if they had the ability to recover, was not considered acceptable,” says Doggett.

2. Just Say No—To Suspicious Emails and Links

The primary method of infecting victims with ransomware involves every hacker’s favorite bait—the “spray-‘n’-pray” phishing attack, which involves spamming you with emails that carry a malicious attachment or instruct you to click on a URL where malware surreptitiously crawls into your machine. The recent ransomware attacks targeting Congressional members prompted the House IT staff to temporarily block access to Yahoo email accounts, which apparently were the accounts the attackers were phishing.

But ransomware hackers have also adopted another highly successful method—malvertising—which involves compromising an advertiser’s network by embedding malware in ads that get delivered through web sites you know and trust, such as the malvertising attacks that recently struck the New York Times and BBC. Ad blockers are one way to block malicious ads, patching known browser security holes will also thwart some malvertising.

When it comes to phishing attacks, experts are divided about the effectiveness of user training to educate workers on how to spot such attacks and right-click on email attachments to scan them for malware before opening. But with good training, “you can actually truly get a dramatic decrease in click-happy employees,” says Stu Sjouwerman, CEO of KnowBe4, which does security awareness training for companies. “You send them frequent simulated phishing attacks, and it starts to become a game. You make it part of your culture and if you, once a month, send a simulated attack, that will get people on their toes.” He says with awareness training he’s seen the number of workers clicking on phishing attacks drop from 15.9 percent to just 1.2 percent in some companies.

Doggett agrees that user training has a role to play in stopping ransomware.

“I see far too many people who don’t know the security 101 basics or simply don’t choose to follow them,” says Doggett. “So the IT department or security folks have a very significant role to play [to educate users].”

3. Patch and Block

But users should never be considered the stop-gap for infections, Ghosh says. “Users will open attachments, they will visit sites that are infected, and when that happens, you just need to make sure that your security technology protects you,” he says.

His stance isn’t surprising, since his company sells an end-point security product designed to protect desktop systems from infection. The product, called X, uses deep learning to detect ransomware and other malware, and Ghosh says a recent test of his product blocked 100 percent of attacks from 64 malicious web sites.

But no security product is infallible—otherwise individuals and businesses wouldn’t be getting hit with so much ransomware and other malware these days. That’s why companies should take other standard security measures to protect themselves, such as patching software security holes to prevent malicious software from exploiting them to infect systems.

“In web attacks, they’re exploiting vulnerabilities in your third-party plug-ins—Java and Flash—so obviously keeping those up to date is helpful,” Ghosh says.

Whitelisting software applications running on machines is another way Sjouwerman says you can resist attacks, since the lists won’t let your computer install anything that’s not already approved. Administrators first scan a machine to note the legitimate applications running on it, then configure it to prevent any other executable files from running or installing.

Other methods network administrators can use include limiting systems’ permissions to prevent malware from installing on systems without an administrator’s password. Administrators can also segment access to critical data using redundant servers. Rather than letting thousands of employees access files on a single server, they can break employees into smaller groups, so that if one server gets locked by ransomware, it won’t affect everyone. This tactic also forces attackers to locate and lock down more servers to make their assault effective.

4. Got an Infection? Disconnect

When MedStar Health got hit with ransomware earlier this year, administrators immediately shut down most of the organization’s network operations to prevent the infection from spreading. Sjouwerman, whose firm distributes a 20-page “hostage manual” (.pdf) on how to prevent and respond to ransomware, says that not only should administrators disconnect infected systems from the corporate network, they should also disable Wi-Fi and Bluetooth on machines to prevent the malware from spreading to other machines via those methods.

After that, victims should determine what strain of ransomware infected them. If it’s a known variant, anti-virus companies like Kaspersky Lab may have decryptors to help unlock files or bypass the lock without paying a ransom, depending on the quality of encryption method the attackers used.

But if you haven’t backed up your data and can’t find a method to get around the encryption, your only option to get access to your data is to pay the ransom. Although the FBI recommends not paying, Ghosh says he understands the impulse.

“In traditional hacks, there is no pain for the user, and people move on,” he says. But ransomware can immediately bring business operations to a halt. And in the case of individual victims who can’t access family photos and other personal files when home systems get hit, “the pain involved with that is so off the charts…. As security people, it’s easy to say no [to paying]. Why would you feed the engine that’s going to drive more ransomware attacks? But … it’s kind of hard to tell someone don’t pay the money, because you’re not in their shoes.”

https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/
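The application whitelisting step in section 3 of the article (scan a machine to record its legitimate programs, then refuse to run anything else) reduced to its core mechanism, as an added illustration that is not code from the WIRED article or from any vendor it quotes. It hashes a constructed directory of sample files into a baseline and then judges a newly arrived file and a tampered file against it; all paths and contents are made up for the demo.

```python
"""Executable allowlisting by hash: record what legitimately runs on a machine,
then refuse anything that is not in that baseline or whose bytes have changed.
Added example, not code from the article; the directory and files are constructed."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Step one of the article's procedure: scan the machine and note the
    legitimate applications. Returns {relative_path: sha256} for every
    regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def check(root, rel_path, baseline):
    """Step two: decide whether an executable may run. Returns 'allowed',
    'unknown' (never seen at scan time), 'modified' (known path but the
    contents no longer match the recorded hash) or 'missing'."""
    full = os.path.join(root, rel_path)
    if rel_path not in baseline:
        return "unknown"
    if not os.path.isfile(full):
        return "missing"
    if sha256_of(full) != baseline[rel_path]:
        return "modified"
    return "allowed"


def demo():
    """Constructed scenario: two approved programs are scanned; afterwards a
    new file appears on disk and one approved program is overwritten in place."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "editor"), "wb") as f:
        f.write(b"#!/bin/sh\necho editor\n")
    with open(os.path.join(root, "bin", "mailer"), "wb") as f:
        f.write(b"#!/bin/sh\necho mailer\n")
    baseline = build_baseline(root)

    # A file that was not present at scan time (constructed, harmless bytes).
    with open(os.path.join(root, "bin", "invoice.exe"), "wb") as f:
        f.write(b"MZ constructed sample, not a real binary\n")
    # An approved program whose contents were replaced after the scan.
    with open(os.path.join(root, "bin", "mailer"), "wb") as f:
        f.write(b"#!/bin/sh\necho replaced\n")

    return {
        "editor": check(root, os.path.join("bin", "editor"), baseline),
        "mailer": check(root, os.path.join("bin", "mailer"), baseline),
        "invoice.exe": check(root, os.path.join("bin", "invoice.exe"), baseline),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A real deployment would enforce the baseline through the operating system's own policy mechanism rather than a script, but the allow/unknown/modified decision it makes is the same.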


Pentagon Networks of Expendable Platforms


Photo: DARPA’s swarming concept (DARPA)

“NATIONAL DEFENSE MAGAZINE”

“Teams of lower-cost, unmanned systems that don’t need to return from battle will be critical for future warfighting, the head of the Pentagon’s Strategic Capabilities Office said March 28.

Potential adversaries are developing new military technologies that are putting expensive U.S. military platforms and personnel at greater risk, William Roper noted at an Air Force Association conference in Arlington, Virginia.

“Increasingly we’re going to ask our designers, including those in industry, to help us shift all of the dangerous jobs in combat — as many of them as we can do in an ethical way — to machines that can take the brunt of at least that initial edge of conflict so that … we have the maximum number of our operators returning home safely,” he said.

Much of the technology required already exists, he said.

The Strategic Capabilities Office, also known as the SCO, has partnered with Defense Department research laboratories and other organizations on a number of projects along these lines.

One, called Perdix, demonstrated the ability of a fighter jet to launch a swarm of autonomous drones capable of performing intelligence, surveillance and reconnaissance missions.

Another, called Avatar, is a robotic “wingman” concept that would pair unmanned aircraft with a manned fighter. Doing so would reduce the number of pilots in harm’s way. The SCO is working on a similar concept for the Army, Roper said.

The office also has a program aimed at creating “a ghost fleet of expendable boats” that could team with U.S. Navy vessels, he said.

These types of systems offer an advantage over most of today’s platforms, he noted.

“All the things we build are expensive, and if they take off it’s our expectation that they come home and land,” he said. “That hasn’t been an issue until now” when there is greater concern about fighting advanced adversaries.

Requiring a high level of survivability is a huge constraint for system designers and operational planners, Roper said. Manned platforms have to be protected and refueled. They also require more maintenance and sustainment. That translates to higher costs for the Defense Department, he added.

Using relatively low-priced robotic systems to perform high-risk missions would provide greater operational flexibility and lower the costs of a loss or mishap, he said.

“There’s a reason why we don’t take fine china and crystal to have picnics anymore,” he said. “Once you’ve used paper plates and Dixie cups, you’re not coming back from that. It makes it a completely different experience. We haven’t had that equivalent in the military.”

Advances in autonomy, teaming technologies, artificial intelligence and machine learning are enabling a greater reliance on robots, Roper noted.

“I think you’re going to see that more and more,” he said.  “Making a team of things perform a function that only an expensive thing would have done in the past.”

Despite these advances, humans will not be completely cut out of the loop. Nor will the Pentagon cease to buy high-ticket equipment, Roper said. But the role of high-priced, manned platforms could change.

“What I think … our high-end tactical systems will become is less weapon-slingers and they’ll become more like command hubs,” he said.

Roper likened the human warfighter of the future to an NFL quarterback running an offense. “They’re the ones that call the audibles … and it’s the team [of robots] that runs the play that has been picked,” he said.

This manned-unmanned teaming concept is driving much of what the Strategic Capabilities Office is working on, he said.

While machines are becoming smarter and more capable, they still have limitations, he noted. “Autonomy is very good at making brute force elegant,” Roper said. “But it’s very difficult for it to make strategic choices especially outside of the data set on which it’s built.”

Machines are more likely to fail when presented with a decision that they haven’t been programmed to make, he said.

“What that tells me is that I’m going to need people connected to the machine to help make choices when it’s that thing that hasn’t been seen before,” he said. “People are great at …  quickly being able to think strategically [and] get down to action in a way that’s cognizant of the risks that are being taken.”

http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=2465

We Need to Audit the Pentagon


“THE PROJECT ON GOVERNMENT OVERSIGHT (POGO)”

“In 1994 Congress passed legislation requiring every federal agency to be auditable.

Since then every agency has complied—except for the Department of Defense.

“We have known for many years that the Department’s business practices are archaic and wasteful, and its inability to pass a clean audit is a longstanding travesty,” Chairs John McCain (R-AZ) and Mac Thornberry (R-TX) of the Senate and House Armed Services Committees said recently in a joint statement. “The reason these problems persist is simple: a failure of leadership and a lack of accountability.”


Increasing Pentagon spending under these circumstances is the opposite of fiscal responsibility. In fact, giving the Pentagon $54 billion and finding out why later is bad budgeting.

Both the Republican and Democratic party platforms included the need to audit the Pentagon, and Congress should resist calls to give more money to an agency they know to be irresponsible with taxpayer dollars.

You can learn more about the seemingly endless saga surrounding the Pentagon’s utter failure to get a clean audit opinion here.”

http://www.pogo.org/straus/issues/defense-budget/2017/pentagon-audit-needed-oversight.html


NATO Agency Seeking Bids for IT Modernization Program


Photo: NATO officials discuss future cyber initiatives at the NATO Communications and Information Agency. (NATO)

“NATIONAL DEFENSE MAGAZINE”

“The program will span at least four contracts and be worth up to $537 million, and is expected to be completed by mid-2018.

NATO’s communication and information technology arm is seeking industry partnerships as it takes on a multi-year modernization effort for its information-technology systems, according to the organization’s acquisition director.

The NATO Communications and Information Agency — which runs the information technology, communications and command and control for the multinational organization — has opportunities for defense and IT companies in various stages of the modernization program, Peter Scaruppe told National Defense in February.

“The IT modernization program is a very important one because it basically replaces all of the IT in all the NATO locations, and for all the NATO forces,” he said.

The program entails: streamlining NATO’s IT service offerings to increase efficiency and effectiveness; using a customer-funded delivery system to increase the flexibility and scalability of IT services; delivering services from a centralized set of locations; and implementing increased cyber security measures, according to the agency.

Next on the priorities list is introducing a cloud-based services enterprise design by this summer, which Scaruppe called a major part of the modernization program.

“Storage is an important issue for all current and future IT programs, because with big data and the availability of big data, it is increasingly important,” he said. “We are anxious to see what companies will provide.”

NCIA Agency also plans to develop new data centers in Mons, Belgium, and Lago Patria, Italy, by early 2018, Scaruppe said. A third site has not yet been publicly revealed, but is being considered as an option “if and when we need it,” he said.

“This is for the IT support and operational support for NATO locations and operations,” he said.

NCI Agency has made concerted efforts in recent years to work more closely with industry to beef up its cyber defense capabilities. The agency contracts out about 80 percent of its work to the defense and security industries of NATO’s 28 current member-nations, Scaruppe said.

This year, the agency will host its annual industry conference in North America for the first time since it kicked off six years ago, rather than in a European country, “to note the transatlantic alliance,” he said.

The theme of the NCIA Agency Industry Conference and AFCEA TechNet International — which will be held in late April in Ottawa, Canada — is “Sharpening NATO’s Technological Edge: Adaptive Partnerships and the Innovative Power of Alliance Industry.” The conference builds upon last year’s theme of why innovation is important to NATO’s technological needs, Scaruppe said.

“Especially in the IT and cyber world, we know that there are a lot of innovators out there … not exactly keen on working with an 800-pound gorilla like NATO,” he said. “Some are not familiar with the process, [so] we need to catch the right innovators.”

One major part of the conference is dedicated to innovation challenges where agency officials and industry will discuss pre-determined areas of study, he said. “We did this last year, very successfully, and we got lots of proposals, many more than we thought we would get.”

Conference attendees will learn of upcoming business opportunities with an overall budget of about $3.2 billion over the next two to three years, Scaruppe said.

Businesses also have the chance to speak with agency experts ahead of potentially bidding on a project.

“We do this every year, but we’re dedicating a lot more time to this part than usual [this year],” he said, adding that the agency hopes to attract more U.S. and Canadian industry members as a result.

Attendance rates at previous conferences have been about 70 percent European-based, Scaruppe said.

The agency is also looking to attract more cyber experts through the conference by running a next-generation skills exercise and innovators program, he said.

“We have a lot more work than we have staff for — and the same is true with the private companies — [and] we want to find innovative ways of how to attract these people, how to retain these people and also keep us current in the cyber exercise.”

http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=2448


What Mark Thompson Has Learned Covering the Military for 40 Years


Image:  “Otherwords.org”

“Scant public interest yields ceaseless wars to nowhere”


“Straus Military Reform Project – Center for Defense Information at POGO”

“It turns out that my spending four years on an amusement-park midway trying to separate marks from their money was basic training for the nearly 40 years I spent reporting on the U.S. military.

Both involve suckers and suckees. One just costs a lot more money, and could risk the future of the United States instead of a teddy bear.

But after 15 years of covering U.S. defense for daily newspapers in Washington, and 23 more for Time magazine until last December, it’s time to share what I’ve learned. I’m gratified that the good folks at the nonpartisan Project On Government Oversight, through their Straus Military Reform Project, are providing me this weekly soapbox to comment on what I’ve come to see as the military-industrial circus.

As ringmaster, I can only say: Boy, are we being taken to the cleaners. And it’s not so much about money as it is about value. Too much of today’s U.S. fighting forces look like it came from Tiffany’s, with Walmart accounting for much of the rest. There’s too little Costco, or Amazon Prime.

There was a chance, however slight, that President Trump would blaze a new trail on U.S. national security. Instead, he has simply doubled down.

We have let the Pentagon become the engine of its own status quo.

For too long, the two political parties have had Pavlovian responses when it comes to funding the U.S. military (and make no mistake about it: military funding has trumped military strategy for decades). Democrats have long favored shrinking military spending as a share of the federal budget, while Republicans yearn for the days when it accounted for a huge chunk of U.S. government spending. Neither is the right approach. Instead of seeing the Pentagon as the way to defend against all threats, there needs to be a fresh, long-overdue accounting of what the real threats are, and which of those are best addressed by military means.

The Defense Department’s Quadrennial Defense Review, which is supposed to do just that every four years, has become an engine of the status quo. The Pentagon today is little more than a self-licking ice cream cone, dedicated in large measure to its growth and preservation. Congress is a willing accomplice, refusing to shutter unneeded military bases due to the job losses they’d mean back home. The nuclear triad remains a persistent Cold War relic (even former defense secretary Bill Perry wants to scrap it), with backers of subs, bombers and ICBMs embracing one another against their real threat: a hard-nosed calculus on the continuing wisdom of maintaining thousands of nuclear weapons on hair-trigger alert.

Unfortunately, it’s getting worse as partisan enmity grows. It’s quaint to recall the early congressional hearings I covered (Where have you gone, Barry Goldwater?), when lawmakers would solemnly declare that “politics stops at the water’s edge.” The political opposition’s reactions to Jimmy Carter’s failed raid to rescue U.S. hostages held in Iran in 1980 that killed eight U.S. troops, and to the loss of 241 U.S. troops on Ronald Reagan’s peacekeeping mission in Beirut in 1983, was tempered.

But such grim events have been replaced by Hillary Clinton’s Benghazi and Donald Trump’s Jan. 29 special-ops raid in Yemen. Rancid rancor by both sides cheapens the sacrifice of the five Americans who died. It only adds a confusing welter of new rules designed to ensure they aren’t repeated. Yet mistakes are a part of every military operation, and an unwillingness to acknowledge that fact, and act accordingly, leads to pol-mil paralysis. It’s amazing that the deaths of Glen Doherty, William “Ryan” Owens, Sean Smith, Chris Stevens and Tyrone Woods seem to have generated more acrimony and second-guessing than the wars in Afghanistan and Iraq, in which 6,908 U.S. troops have died.

There is today a fundamental disconnect between the nation and its wars. We saw it in President Obama’s persistent leeriness when it came to the use of military force, and his successor’s preoccupation with spending and symbolism instead of strategy. In his speech to Congress Feb. 28, Trump mentioned the heroism of Navy SEAL Owens, but didn’t say where he died (Yemen). Nor did he mention Afghanistan, Iraq or Syria, where nearly 15,000 U.S. troops are fighting what Trump boldly declared is “radical Islamic terrorism.”

But he did declare he is seeking “one of the largest increases in national defense spending in American history.” His $54 billion boost would represent a 10% hike, and push Pentagon spending, already well beyond the Cold War average used to keep the now-defunct Soviet Union at bay, even higher.

“We are going to have very soon the finest equipment in the world,” Trump said from the deck of the yet-to-be-commissioned carrier Gerald R. Ford on Thursday in Hampton, Va. “We’re going to start winning again.” What’s surprising is Trump’s apparent ignorance that the U.S. military has had, pound-for-pound, the world’s finest weapons since World War II. What’s stunning is his apparent belief that better weapons lead inevitably to victory. There is a long list of foes that knows better.

It’s long past time for a tough look at what U.S. taxpayers are getting for the $2 billion they spend on their military and veterans every day. It would have been great if Trump had been willing to scrub the Pentagon budget and reshape it for the 21st Century. But the U.S. has been unwilling to do that ever since the Cold War ended more than 25 years ago. Instead, it simply shrunk its existing military, then turned on a cash gusher following 9/11.

I know many veterans who are angered that their sacrifice, and that of buddies no longer around, have been squandered in Afghanistan and Iraq.

I recall flying secretly into Baghdad in December 2003 with then-defense secretary Donald Rumsfeld. The bantam SecDef declared on that trip that the U.S. military had taken the “right approach” in training Iraqi troops, and that they were fighting “well and professionally.” Last month, Defense Secretary Jim Mattis, the fifth man to hold that job since Rumsfeld, declared in Baghdad that the U.S. training of the Iraqi military is “developing very well.” His visit, like Rumsfeld’s 14 years earlier, wasn’t announced in advance.

Even as Army Lieutenant General H.R. McMaster, Trump’s national security adviser, tries to chart a path forward in Iraq, it’s worth remembering that he earned his spurs 26 years ago as a captain in a tank battle with Iraqi forces.

If we’re going to spend—few would call it an investment—$5 trillion fighting in Iraq and Afghanistan (and Syria, and Yemen), don’t we, as Americans, deserve a better return?

The problem is that the disconnect between the nation and its wars (and war-fighters) also includes us:

  • Our representatives in Congress prefer not to get their hands bloodied in combat, so they avoid declaring war. They prefer to subcontract it out to the White House, and we let them get away with it.
  • Through the Pentagon, we have subcontracted combat out to an all-volunteer force. Only about 1% of the nation has fought in its wars since 9/11. We praise their courage even as we thank God we have no real skin in the game.
  • In turn, the uniformed military services have hired half their fighting forces from the ranks of private, for-profit contractors, who handle the critical support missions that used to be done by soldiers. The ruse conveniently lets the White House keep an artificially-low ceiling on the number of troops in harm’s way. We like those lower numbers.
  • Finally, we have contracted out paying for much of the wars’ costs to our children, and grandchildren. We are using their money to fight our wars. They’ll be thanking us in 2050, for sure.

Until and unless Americans take responsibility for the wars being waged in their name, and the weapons being bought to wage them, this slow bleeding of U.S. blood and treasure will continue. “We have met the enemy,” another Pogo once said, “and he is us.”

http://www.pogo.org/blog/2017/03/military-industrial-circus-national-security-column.html


By: Mark Thompson, National Security Analyst


Mark Thompson writes for the Center for Defense Information at POGO.


Intelligence Advanced Research Projects Activity (IARPA) Hits Stride Funneling Collaborative New Technology


“NATIONAL DEFENSE MAGAZINE”

“The Intelligence Advanced Research Projects Activity technology incubator celebrated its 10th year by transitioning a large number of programs to its clients.

12 new research programs, two new challenge prizes, 46 workshops with 2,700 attendees, 250 peer reviewed publications, and 22 technologies being transitioned to one of its client agencies.

It has worked with 500 organizations — half universities or small colleges, a quarter small businesses, and a quarter a mix of large companies, federal laboratories and federal agencies — Jason Matheny, IARPA director, said at the National Defense Industrial Association’s Special Operations/Low Intensity Conflict conference.

It serves 17 intelligence agencies in the U.S. government. “Their problem sets are broad,” he said. They involve everything from the hard sciences such as physics, biology and chemistry to political science and psychology with neuroscience, computing and engineering kicked in.

“The way that I used to describe this to my family was that we are the United States’ version of Q Branch from the James Bond movies,” he said. Except when his daughter came to visit on family day, she remarked that it was just a bunch of filing cabinets with contracts inside.

“We have outsourced Q Branch. … We fund the best and the brightest in academia and industry to solve our hardest problems,” he said.

The agency modeled itself after the Defense Advanced Research Projects Agency because it was so successful, Matheny said.

Over the past decade, IARPA has emerged as the largest funder of academic research into quantum and superconducting computing. It also pours money into machine learning, speech recognition, imagery analysis, facial recognition, and automated video analysis.

About one-third of its budget is put toward human judgment programs. This field helps analysts make better assessments based on partial data or wrong information, Matheny said. “How can they make more accurate judgments quickly? How can they resist certain universal cognitive biases?”

“Ultimately, judgments in the intelligence community come down to a human being. We haven’t automated analysis and we don’t expect to automate that kind of analysis,” he added.

Other technologies it’s pursuing include sensors that can pick up chemical traces from stand-off distances and in-place unattended chemical sensors that can be dormant for years, then “phone home” when they detect an agent. It’s also looking at detectors for nuclear weapons and synthetic genomes in the environment.

“Very” quiet unmanned aerial vehicles and persistent undersea sensors are two other needs, he said.

New opportunities include the Janus program, which focuses on the hard facial recognition problem, he said. “Let’s say you have faces that are covered, that are captured from an angle with very low resolution cameras or video.” The goal is to piece together various images from multiple angles and try to compose a composite facial image.

It’s also looking into high-resolution 3D modeling created from overhead imagery. “Can you build a 3D model of not just a building, but an entire city with 5 centimeter accuracy?” If so, that could be helpful for special operators planning raids, he added.

It is also searching for knowledge discovery tools in multi-lingual domains. This is intended for languages for which there isn’t a common automatic translation system such as those provided by Google.

IARPA prefers a competitive setup. It issues similar contracts in parallel to pursue the same technical goal. Multiple teams then research the same target. “We obsessively keep score. We spend about a quarter of our budget on testing and evaluation. And then we exercise options … for the teams that are outperforming others,” Matheny said.

This is stressful for the teams but results in more innovation, more quickly “in ways we don’t see otherwise in federal contracting,” he said.

“Prize challenges are one of the more cost-effective ways we have for funding innovation,” he said. The organization has found hobbyists willing to solve problems for $10,000 prize purses. The competition levels the playing field for anyone who is able to participate.

Like DARPA, it issues broad area announcements that it always keeps open so it can rapidly provide seed money for those with good ideas. The “informal process” begins with as little as a paragraph describing an idea, followed by a phone call with a program manager. “The program manager has been trained to be brutally honest — to give a thumbs down on an idea that we don’t want to see a full proposal on, or a thumbs up.”

The phone conversation is key, Matheny said. “If the program manager tells you they really want to see a proposal, they really do want to see that proposal.” Ninety percent who are asked for a full proposal go on to be funded, he noted. The more formal way of proceeding only resulted in 20 percent moving forward, he added.”

http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=2419


DOD Opens Web Sites to “White Hat” Hackers


“BREAKING DEFENSE”

“DOD will allow white hat hackers to test all its unclassified public websites.

The bigger the problem, the bigger the payout, with Hack The Pentagon going as high as $15,000 and the forthcoming Hack The Army likely to go higher.

First, a new policy released today encourages anyone to look for weaknesses in any public DoD site, as long as they report what they find. Then, for a select subset of hackers and sites, “bug bounty” programs go further by offering cash rewards to registered hackers for finding problems in selected sites.

Bug bounties for white hats are old hat for tech companies, but they’re still a new idea for much of the wider commercial sector, let alone the staid Defense Department. Defense Secretary Ashton Carter has pushed hard to bridge the gap between the Pentagon and Silicon Valley. He created a special contracting outpost in Palo Alto, DIUx (Defense Innovation Unit, Experimental), and set up a Defense Digital Service to bring IT experts into the Pentagon on roughly one-year tours to shake things up.

Chris Lynch heads the DDS. “We have actively dissuaded people from telling us vulnerabilities,” Lynch told reporters at an embargoed briefing before the new policy’s release. In one case he’s personally familiar with, a private security researcher was doing routine scans of large portions of the website that happened to include .mil sites. “The Department of Defense had actually reached out…and said, ‘please don’t scan us,’” Lynch said. “I think that that’s crazy.”

Hack The Pentagon’s very success highlighted other problems. The program only rewarded researchers for finding vulnerabilities in specific, enumerated websites. But some participating hackers found “out of scope” vulnerabilities in other websites. When they tried to report the problems, they found no procedure to do so, no policy and no point of contact.

“It turns out we had no process,” said Charley Snyder, senior cyber policy adviser in the Office of the Secretary of Defense. Patriotic hackers ended up emailing their vulnerability reports to the Pentagon webmaster — which is kind of like calling 911 and getting voicemail — or even posting them on Twitter.

So in parallel to setting up Hack The Army, which offers bug bounties for vulnerabilities in Army recruiting-related sites, the Pentagon also wrote up an across-the-board policy for reporting vulnerabilities in any public-facing Defense Department website. (If you channel Matthew Broderick and hack the nuclear command and control system, sorry, you’re still not covered).

Based on private-sector Vulnerability Disclosure Policies, the Pentagon VDP sets certain expectations for researchers. For example, don’t disrupt Pentagon business by conducting Denial of Service (DOS) attacks, said Snyder, and “don’t just run crazy automated scans that are just going to generate a lot of low-level stuff.” In return, well-behaved white-hat hackers who find real vulnerabilities will have a channel to report them without fear of legal repercussions, which has prevented at least some reporting in the past.

“We don’t care where the information comes from. We just want an avenue for you to deliver this information to us,” said Lisa Wiswell, who works for Lynch as a “bureaucracy hacker” in the Defense Digital Service. (In a sign of shifting cultures, while Wiswell has spent 10 years in government, mostly in DoD, like Lynch she was so casually dressed I initially mistook her for a fellow reporter; Snyder, by contrast, wore a suit). Wiswell is running the bug bounty programs.

The bounties are more targeted than the DoD-wide Vulnerability Disclosure Policy, Wiswell made clear. They’re also getting increasingly challenging — both for the hackers and for DoD. Hack The Pentagon only rewarded participants for finding vulnerabilities in a set list of “static” websites like Defense.gov which publish information for the general public. Hack The Army will cover Army recruiting websites, which are still by their nature aimed at the public but which take in data important to the day-to-day functioning of the service’s recruiting operation.

Only hackers who register with private sector firm HackerOne will be allowed to participate, said Wiswell, and only those who pass a background check can actually receive a bounty payment. (Until that point, a participant can stay pretty anonymous). For future bug bounties targeting more sensitive websites, Wiswell said, the Pentagon has contracted with security firm Synack, whose ex-NSA founders have a list of exhaustively vetted hackers for work requiring discretion.

To anyone nervous about opening up Pentagon systems to such outside scrutiny, Snyder points out DoD computers are under real attack from real adversaries every day. “The bad guys are certainly not waiting for an invitation,” he said. Now, at least, the good guys have one.”

Hack Us, Please: DoD Opens Websites To ‘White Hat’ Hackers