LOS ANGELES — MITRE, the federal contractor that runs R&D labs for the U.S. government, is developing a space cyber lab where real satellite hardware and software can be tested to ensure security. It’s just one of a host of new measures that space companies are adopting to harden their systems against hackers, panelists at the CyberLEO conference said May 12.

The lab will explore how vulnerabilities discovered in software and hardware components could be exploited by hackers in real space systems, said Jeff Finke, principal engineer and group leader at MITRE’s National Cybersecurity Center of Excellence.

“We have a 3U cubesat in the lab, except for the camera being different and the solar arrays not having solar panels, we could put it on a rocket and launch it into space,” he said. That authenticity is important because satellite software and firmware runs on exotic systems unlike those used in conventional IT — which can make it harder to determine the impact of vulnerabilities for both attackers and defenders.

Initiatives like the space cyber lab are also needed in part, because of the enormous complexity of satellite supply chains, added fellow panelist Phil Robinson, chief security officer for space data relay company SpaceLink. A great deal can be achieved through careful drafting of contracts, added Robinson, but there are limits.

“It comes down to negotiating with our prime suppliers, our subcontractors, our satellite manufacturers. … Do we have our contracts appropriately written in a way that covers risk?” Robinson asked.

Covering risks might mean insuring against them, or it might come in the form of guarantees from the manufacturer or other parties, Robinson continued. “Trust, but verify, right? We’re glad you put it in the contract. But I want to verify that you’re actually doing it as well.”

Relationships with vendors require trust, yet operators needed to ask themselves: “What kind of processes are you putting in place to verify and validate that trusted relationship? Are you actually looking at their practice? Are you talking to their coders that are pulling down code libraries from Lord knows where?” Finke added.

The point, Finke said, is that risks don’t fade as they recede from the first-party vendors. “What are you doing, satellite operators, to trust that relationship from your vendors? How far back are you willing to go? It’s one thing to check out your first level of third party partners. Okay, that’s great. But who are they in business with? Are you willing to spend the resources to then go to that next level, and the next level beyond that, all the way into the chip foundry, all the way to whoever wrote that first library?”

Yet for companies working to turn a profit, the cost of peeling back the onion layers of the satellite supply chain can quickly become unsustainable, Finke warned. “How much, as a commercial entity, where I have to increase shareholder equity or make money — which is a good thing — how much am I willing to invest to mitigate some of this? … How much risk am I willing just to accept knowing it’s out there, versus where I’m going to put resources to mitigate?”

The dangers of vulnerable components are rendered worse because comparatively little research has been done on the unique architectures and embedded systems used in satellites, according to Ang Cui, CEO of Red Balloon Security. Embedded devices are specialized pieces of equipment very different from the general purpose computers of conventional IT. They generally have a single purpose and must run reliably for a dozen or more years. Cui compared satellite embedded devices to those used in industrial control systems known as ICS — the specialized computing systems that run factories, oil refineries, and power stations.

“I would say the security posture of the firmware inside those [ICS embedded] devices is about five to eight years behind general purpose computing security. Having looked at quite a bit of aerospace products … I would say a lot of the firmware inside aerospace things are about five to eight years behind ICS.”

Such a mountainous security debt put satellite companies in an impossible position, he added.  “If I went to anyone here and said, ‘Build a company, but you can only do it with an unpatched Windows 90 laptop, and you can’t make any modifications to any of the code because that’s not your property.’ You would say, ‘That’s a bad idea. That’s a crazy thing to do.’ But in a lot of these situations, that is exactly how we’re operating. We’re using these devices that we can’t change the firmware of because it has [outdated] security [requirements]. It has liability insurance, legal obligations. We’re stuck in that situation.”

As is often the case, the security debt impacts defenders much worse than attackers.

“From what I’ve seen over the last decade, that offensive capability is so much more advanced than defensive capability, in all things embedded. And that gap is growing,” Cui said.

Classified conversations tend to focus on the extraordinary capabilities of government hackers, but the real danger is that those capabilities are quickly proliferating into the hands of criminal groups, too — becoming more widely available. “Those capabilities will spill over. And it’s not just in the hands of nation states. I think that’s the thing that we’re starting to see,” Cui noted.

Not everyone agreed. In a subsequent panel, retired Air Force Maj. Gen. Brett Williams, a co-founder of IronNet Cybersecurity, dismissed the idea that it is possible to secure components through testing — especially against deliberate insiders bent on mischief.

“The thinking you’re going to inspect everything, whether it’s hardware or software, and validate that it’s safe is a non-starter,” Williams said. Instead, he argued, a better approach is to try and validate the behavior of components — to ensure they do what they are supposed to.

“The real market opportunity is finding ways to understand that this stuff is doing what it’s supposed to do,” Williams said. “Even though you and I are using the same component, we’re using it a little bit differently, it’s connected to different things, it does different things. There’s got to be an understanding, is it doing what I need it to do?”

Unlike governments, commercial enterprises can’t put absolute restrictions on their vendor relationships. “The government can say … we aren’t buying anymore Lenovo computers. We aren’t using Kaspersky antivirus. But [in the private sector] you don’t necessarily have that option,” he said.

For instance, one government requirement was that only U.S. nationals could work on coding or making other components, Williams said. “You couldn’t have any foreign nationals touch your software. How many people build software today that doesn’t have a foreign national touch it?”

Government regulations can easily become too burdensome, he noted. “I think the nuclear power industry is a good example of that. Right now, the nuclear power plants are run by commercial companies, but they’re so heavily regulated that the cost is humongous. It’s a really hard problem.”

Article link: https://www.satellitetoday.com/cybersecurity/2022/05/13/leo-operators-and-manufacturers-wrestle-with-supply-chain-cybersecurity/

By MARIAM BAKSHAPRIL 11, 2022

Reply comments are now due in 30 days to the Federal Communications Commission.

The Federal Communications Commission should consider imposing comprehensive tests and fines—after fair warning and guidance—to ensure internet service providers are taking minimal steps to protect the global internet routing system from malicious hackers, according to comments a leader in the open-source security community submitted to the agency.

“Voluntary compliance has failed to ensure compliance with even basic measures; companies have negligently allowed hijacking for decades, even when well-known and practical countermeasures exist,” wrote David Wheeler, director of open source supply-chain security for the Linux Foundation. “The FCC should establish a testing regime to ensure that Internet routing, if depended on by others, strongly resists hijacks using currently practical measures such as [Resource Public Key Infrastructure]”

Comments were due Monday in response to an inquiry the FCC made on the issue in the wake of the Russia-Ukraine conflict. The commission is concerned about hackers’—particularly powerful nation-state actors’—ability to manipulate the Border Gateway Protocol to redirect internet traffic by pretending to offer a more efficient network path. Resource Public Key Infrastructure, or RPKI, refers to a system of certificates and cryptographic attestation for stakeholders to validate the origin and authorize the route internet traffic should take.

In response to the FCC asking about the extent to which network operators have implemented available security measures, Wheeler pointed to a test established by the content distribution network Cloudflare. The test is a simple red-team exercise that advertises a route known to be spurious. Cloudflare committed to implementing RPKIin the fall of 2018.   

“Those US organizations who fail should be notified, provided guidance on how to fix the problem, & given a grace period … to (re)gain compliance,” Wheeler said. “After the grace period there need to be incentives for failing US organizations to change to implement at least minimal efforts … These incentives should include grants if the organization is a not-for-profit, publishing a list of non-compliant entities, and then increasing fines over time … These organizations who negligently continue to leave the Internet so vulnerable, by failing to apply known best practices and existing technologies, are creating a hazard for everyone.”

Comments USTelecom—the leading trade association for major internet service providers—made to the FCC noted an endorsement of RPKI implementation. But they said adoption has been increasing without a requirement on the books.

“The majority of routes are still not signed, but the trajectory is good, we are up from less than 10% in 2018 to more than 35% as of this writing,” the group wrote, adding, “Buy-in from broad sets of stakeholders is essential, not just domestically, but also internationally.”

Also in the FCC’s docket on secure internet routing were comments from ETNO, the European Telecommunications Network Operators’ Association. The organization, internet service providing members of which have deployed BGP-specific routers in their networks, shared their system for coordination and noted wide support for RPKI implementation.

“The fr.telecom [Local Internet Registry] – serving the needs of Orange France and [Orange Business Services], for example, has “close to 100% of its resources associated with an ROA – Route Origin Authorization,” the group said.

Article link: https://www.nextgov.com/cybersecurity/2022/04/open-source-leader-advocates-strong-fcc-enforcement-routing-security/365509/

Posted by Phill Swagel on May 17, 2022

Today, CBO released an enhanced version of its interactive tool for analyzing the force structure of the U.S. military and understanding how that structure influences defense spending.

What New Features Does the Tool Provide?

The enhanced tool allows users to alter the overall defense budget (annually or in total for 10 years) to see the possible effects on military forces; or to add or subtract brigades, ships, aircraft squadrons, and other units to see the effects on the defense budget; or to explore any combination of those approaches. It shows estimated effects on the Department of Defense’s (DoD’s) costs and on the size of the military. (Learn more about CBO’s approach to calculating those costs.)

In addition, CBO now provides a tutorial to help users understand how to use the tool’s new functionality to explore different types of policy choices. The tutorial, combined with the ability to alter total defense spending, makes the tool more broadly accessible by reducing the amount of specialized knowledge that users need to have about the military or the defense budget.

How Can People Use the Tool?

The new features will let Congressional staff, defense researchers, members of the media, educators, and others use the interactive tool in a wide variety of ways.

For budgeting, the tool helps people explore alternative policy choices and generate results that include standard 10-year costs. They can do that by examining potential changes to the total size of the defense budget, altering phase-in time lines, and exporting detailed data files that show 10-year costs as well as the deflators needed to convert real dollars to nominal dollars for budgeting purposes.

For force structure analysis, the tool offers a way to analyze the effects of proposed changes to forces, considering cuts or expansions of various sizes and focusing, if desired, on particular types of units. The tool also provides information about the major combat units that currently make up the U.S. military, including their number, size, functions, and average costs.

For teaching, the tool—in conjunction with CBO’s periodic report The U.S. Military’s Force Structure: A Primer—can continue to help instructors at military academies, war colleges, and security studies programs provide an introduction to U.S. forces and engage in “what if” analysis of possible changes to those forces.

To be transparent, the enhanced tool follows CBO’s practice of showing the raw cost factors and quantities used in the agency’s cost model for the U.S. military, allowing other researchers to view, use, or alter that model. In addition, CBO will continue to update the cost factors and quantities in the tool as DoD releases new budget plans. The enhanced tool also includes the ability to export more detailed data files for users who want to conduct more in-depth analysis than the tool itself permits. Those data files include documentation of all the cost factors and default settings of CBO’s cost model, as well as technical factors such as phase-in rates, deflators, and the military’s projected costs over the next decade.

Phillip L. Swagel is CBO’s Director.

BLOG ARCHIVE

• May 2022 (5)
• April 2022 (7)
• March 2022 (5)
• February 2022 (2)
• January 2022 (9)
• December 2021 (7)
• November 2021 (7)
• October 2021 (7)
• September 2021 (8)
• August 2021 (5)
• July 2021 (10)
• June 2021 (7)
• May 2021 (4)
• April 2021 (13)
• March 2021 (6)
• February 2021 (10)
• January 2021 (7)
• December 2020 (8)
• November 2020 (2)
• October 2020 (9)
• September 2020 (9)
• August 2020 (8)
• July 2020 (4)
• June 2020 (7)
• May 2020 (4)

Browse All

Article link: https://www.cbo.gov/publication/57981?

BRANDON LESHCHINSKIY AND ANDREW BOWNE

MAY 17, 2022

“I don’t know what we mean when we say we’re ‘pursuing AI.’ Do you?”

“We don’t change to accommodate new technologies, anyway … We just shove them into our current paradigm.”

“I don’t even understand what we’re supposed to be doing right now!”

Twenty officers are seated around a table, mired in the discomfort of an “adaptive leadership” workshop. This framework, developed by Ronald Heifetz and colleagues at the Harvard Kennedy School, is designed to help organizations make progress on complex, collective challenges, known as “adaptive” challenges. Unlike “technical” problems, which can be solved with existing know-how, adaptive challenges demand learning and change — adaptation — from the stakeholders themselves.

Digital transformation presents an adaptive challenge for the Department of Defense. As long as the Department of Defense relies on painless, “technical” fixes — what Steve Blank calls “innovation theater” — America will become increasingly vulnerable to exploitation by foreign adversaries, costing both dollars and lives. To make progress on the challenge of digital transformation — and to maintain technological superiority — the Department of Defense should reexamine and reshape its deeply held values, habits, beliefs, and norms.

The officers in the workshop are an excellent example of a group wrestling with adaptation. As in many groups, they begin by looking outwards. One says, “It’s the ‘frozen middle’ that prevents us from doing anything digital,” while another adds, “Our higher-ups can’t agree on what they want, anyway. … What are we supposed to do?” The instructor nudges them: “It seems the group is shifting responsibility to anywhere but here. What makes it difficult to look inward?”

Next, the officers drift away from the challenge. They share stories of previous successes, appraise the instructor’s credentials, and joke about the workshop itself. Again, the instructor intervenes: “I notice we’re avoiding uncertainty. Can we stay longer in the nebulous space of ‘digital transformation’? Or will we escape the moment it’s not clear how to proceed?”

Begrudgingly, they return to digital transformation, but after a few minutes, they ask the instructor for help: “Are you going to chime in here, or …?” The instructor responds, “You’re depending on an authority — someone in charge — to solve a problem that can only be addressed collectively — by all of you.”

At this point, the room burns with frustration. But the officers can’t be blamed. Their moves to avoid adaptive work — diverting attention away from the issue and shifting responsibility for it elsewhere — are typical for groups confronting a difficult reality.

More specifically, in what Heifetz terms the “classic failure,” groups attempt to resolve adaptive challenges via “technical fixes”: painless attempts that apply existing know-how, rather than working with stakeholders to change how they operate.

Hiring someone, firing someone, increasing the budget, expanding the timeline, creating a committee, restructuring the org, building a new tool, pushing a new policy: These are all technical fixes, which, while not inherently harmful, are easier than — and can distract from — the internal work of reevaluating values, habits, beliefs, and norms.

Even now, the Department of Defense is attempting to address digital transformation through technical means. The Department of Defense has created the Joint AI Center, partnered with the Massachusetts Institute of Technology (MIT), and established the position of Chief Digital and AI Officer. These steps are not without benefit: The Joint AI Center has developed AI ethics principlesand a new acquisitions process; MIT has produced valuable research and educational content; and the Chief Digital and AI Officer provides an opportunity to integrate across various technological functions. But these actions are not enough. In fact, they’re not even the most challenging steps.

The real obstacles to digital transformation are deep-seated norms and conflicting perspectives that exist across the entire organization. “How valuable are technologists, really? Should they be treated differently from others?”; “What about computers: Can we trust them to do our jobs as well as we do? If so, what will be the role of humans afterward?”; and perhaps most importantly, “How do we move beyond simply articulating new standards to actually living them?” These are hard questions that affect the Department of Defense’s objectives, strategies, and tasks at every level — but answers will be earned only through discussion and experimentation across the defense ecosystem itself.

Back in the workshop, at least, the officers have made a breakthrough. Toward the end of the session, the instructor says, “I feel a sense of sadness in the room. Does anyone else feel that?” Predictably, everyone shakes their head — admitting sadness feels like admitting failure — but then a major speaks up: “I’ll bite. Yeah, I do feel sad. This just feels overwhelming. If we can’t depend on our commanders to get this done …” He pauses. “I have no idea how we’re going to do it. Especially when we’re told to just keep our heads down all the time. It feels hopeless.”

The major’s comment is the most honest moment the group has seen, and the shift in the room is palpable: An hour prior, the officers were hardly aware of their own duty to generate adaptive work, and if they were, they did not appreciate its weight. Now, they are coming to terms with this responsibility, and they are doing it publicly — vulnerably — where the whole group can learn from individual experience. This shift is the stuff of real change.

The truth is, no one knows how a digitally transformed Department of Defense will operate. But no one will find out without the collective process of trying, failing, and learning. The Department of Defense should therefore become comfortable learning through experience — gathering data through discussion and experimentation — and publicizing that learning across the organization. And while the Department of Defense has good reasons for maintaining a risk-averse culture, avoiding learning creates its own set of risks. The world is changing, and America’s adversaries are improving their capabilities. We cannot afford to wait for our enemies to make clear that they’ve surpassed us.

Officers can take three actions to make progress on digital transformation now.

First, officers should generate and run low-risk experiments: actions that will produce learning for the future, not actions that will produce success based on today’s metrics — who knows whether those metrics will be relevant post-transformation? For example, at the Department of the Air Force– Massachusetts Institute of Technology Artificial Intelligence Accelerator, we have experimented with multiple forms of educating servicemembers, from live lectures and online courses to interactive exercises and project-based workshops. When an experiment produces failure, so be it: Failure is the primary ingredient of learning.

Second, officers should surface as many perspectives on digital transformation as possible. Who balks at digitization? Who supports it? Why? And what’s the wisdom in each perspective? If everyone is part of the problem, everyone should also be part of the solution — even if it means engaging people across boundaries in a way the Department of Defense has never done before.

Finally, officers should prepare those around them for a prolonged period of ambiguity, where operational reality dictates that those in charge will be unable to answer critical questions. This serves two purposes. First, it helps to manage expectations, so those in positions of authority can resist the pressure of providing answers where none exist. Second, it empowers those without authority to run their own experiments — to try something new and to fail — and report back on what they learned.

Ultimately, transforming a system requires transforming the people within it. If the Department of Defense is seriously committed to digital transformation, everyone should be engaged in the uncomfortable and personal process of change. As the work continues, both the organization and the people within it will find themselves better equipped to handle new and challenging realities.

The workshop, meanwhile, closes on a note that applies across the Department of Defense: “This moment demands courage. Try better. Fail better. Learn better. One day, you’ll look back and see that you’ve transformed.”

Article link: https://warontherocks.com/2022/05/digital-transformation-is-a-cultural-problem-not-a-technological-one/

Brandon Leshchinskiy is an AI innovation fellow at the Department of the Air Force-Massachusetts Institute of Technology Artificial Intelligence Accelerator, where he has taught over 600 servicemembers, including over sixty generals, admirals, and senior executive service members, about AI. He also works with Ronald Heifetz and others at the Harvard Kennedy School, where he has coached over 50 students, ranging from young professionals to senior executives, on complex, collective challenges. 

Andrew Bowne is an Air Force judge advocate and the chief legal counsel of the Department of the Air Force-Massachusetts Institute of Technology Artificial Intelligence Accelerator. He is also a Ph.D. candidate at the University of Adelaide examining the nexus of national security and AI, focused on the role of industry. He has published numerous articles and book chapters, including national security, security cooperation, contract law, rule of law, machine learning, and intellectual property. 

The views expressed are those of the authors and do not reflect the official guidance or position of the U.S. government, the Department of Defense, or the U.S. Air Force. Further, the appearance of external hyperlinks does not constitute endorsement by the Department of Defense of the linked websites, or the information, products, or services contained therein. The Department of Defense does not exercise any editorial, security, or other control over the information you may find at these locations.

Image: U.S. Army

Employers and private insurers in 2020 paid hospitals 224% of what Medicare would have paid for the same inpatient and outpatient services, at the same medical facilities.

Findings from Round 4 of an Employer-Led Transparency Initiative

by Christopher M. Whaley, Brian Briscombe, Rose Kerber, Brenna O’Neill, Aaron Kofner

• Related Topics:
• Employer Sponsored Health Insurance,
• Health Care Costs,
• Health Insurance Markets,
• Medicare

• Citation
• Synopsis(print-friendly)
• Embed
• View related products

• Share on Facebook
• Share on Twitter
• Share on LinkedIn

DOWNLOAD EBOOK FOR FREE

PDF file 3.1 MB

Technical Details »

DOWNLOAD SUPPORT FILES

Supplemental Materials

zip file 3.3 MB

Technical Details »

Research Questions

1. What were the levels and variations of hospital prices paid by employers and private insurers across the United States from 2018 to 2020?

Because employer-sponsored spending comes from employee wages and benefits, employers have a fiduciary responsibility to administer benefits in the interest of participants. The lack of transparency of prices in the health care market limits the ability of employers to knowledgeably develop or implement benefit design decisions. This study uses medical claims data from a large population of privately insured individuals, including hospitals and other facilities from across the United States, and allows an easy comparison of hospital prices using a single metric. An important innovation of this study is that our data use agreements allow reporting on prices paid to hospitals and hospital systems(hospitals under joint ownership) identified by name.

Key Findings

• Some states (Hawaii, Arkansas, and Washington) had relative prices below 175 percent of Medicare prices, while other states (Florida, West Virginia, and South Carolina) had relative prices that were at or above 310 percent of Medicare prices.
• In 2020, across all hospital inpatient and outpatient services (including both facility and related professional charges), employers and private insurers paid 224 percent of what Medicare would have paid for the same services at the same facilities.
• The 224 percent total for 2020 is a reduction from the 247 percent figure reported for 2018 in the previous study owing to an increase in the volume of claims from states with prices below the previous mean price.
• Among the common data contributors in this round and the previous round, 2020 prices averaged 252 percent of Medicare, which is similar to the 247 percent relative price reported in the previous round for 2018.
• Prices for common outpatient services performed in ambulatory surgery centers (ASCs) averaged 162 percent of Medicare payments, but if paid using Medicare, payment rates for hospital outpatient departments (HOPDs) would have averaged 117 percent of Medicare.
• Although relative prices are lower for ASC claims priced according to HOPD rules, HOPD prices are higher than ASC prices.
• Very little variation in prices is explained by each hospital’s share of patients covered by Medicare or Medicaid; a larger portion of price variation is explained by hospital market power.
• Prices for COVID-19 hospitalization were similar to prices for overall inpatient admissions and averaged 241 percent of Medicare.

• NEWS RELEASEPrivate Health Plans During 2020 Paid Hospitals 224 Percent of What Medicare Would Pay May 17,2022
• PROJECTHealth Care Price Transparency in the United States May 9, 2019

Table of Contents

• Chapter OneBackground
• Chapter TwoData and Methods
• Chapter ThreeFindings
• Chapter FourConclusion
• Appendix ABackground on Hospital Markets and Pricing

Article link: https://www.rand.org/pubs/research_reports/RRA1144-1.html?

MAY 13, 2022 , DOD NEWS

As America’s strategic competitors advance their technological advantage, the U.S. must take action to avoid losing its edge, said the undersecretary of defense for research and engineering.

On Capitol Hill Thursday, Heidi Shyu told lawmakers at the House Armed Services Committee what the Defense Department must do to maintain its technological advantage. The first step, she said, is building a strong foundation for research and development within the department. The second, she said, is changing how DOD does business.

Spotlight: Engineering in the DOD

“Every strong structure needs to stand on a solid foundation to ensure this country retains our edge and fuels the future technologies and capabilities,” Shyu told lawmakers. “We must make a commitment to science and technology, particularly in basic research.”

Shyu said the department must, among other things, increase efforts to attract the best talent, must build more robust and necessary infrastructure for R&D, must perform joint experimentation and must do better at collaborating across the technology ecosystem. 

“If we expect the department to attract the world’s best and brightest, to produce state-of-the-art technologies, we must modernize our laboratories and test ranges,” she said. “The future of the department depends on talented people, and we’re committed to developing this talent.” 

As part of that commitment, she said, the department has invested in a variety of workforce, educational and research programs ranging from K-12 robotic systems to STEM scholarships and social science research.

The Defense Department has historically been a leader in R&D and still is. But now, in the U.S., the private sector’s capacity for R&D — without the DOD’s involvement — has exploded, Shyu said. 

Spotlight: Support for Ukraine

“As seen in Ukraine, novel commercial technology, paired with conventional weapons, can change the nature of conflict,” she said. “The department’s processes, ranging from programming, to experimentation, to collaboration, should be updated to reflect the dynamic landscape of today and anticipate the needs of tomorrow.”

The U.S. private sector, Shyu said, is America’s competitive advantage. 

“We must focus on improving how the government and private sector work together,” she said. “I am committed to working with you to ensure the department can move as quickly as possible as it engages with the private sector, and the whole innovation ecosystem, to rapidly transition technology to future capabilities.”

Article link: https://www.defense.gov/News/News-Stories/Article/Article/3031868/dod-must-take-action-to-keep-tech-edge/

By FRANK KONKELAPRIL 26, 2022

The future of warfare could be determined by the Defense Department’s ability—or lack thereof—to quickly adopt emerging technologies.

Decades ago, the federal government and U.S. military drove nationwide technology advancements, funding countless cutting-edge initiatives that resulted in technologies like GPS and the internet.

Today, technology research and development funding is led by private sector companies, with federal agencies and the Defense Department serving as customers for—and not necessarily leaders in—cutting-edge technologies.

However, accessing, acquiring and employing new technologies spearheaded by startups and innovative technology firms has become increasingly problematic for a host of reasons for the Defense Department and government broadly, resulting in what’s been termed the “valley of death.”

To begin Season 13 of Critical Update, Nextgov spoke with Pete Modigliani, Software Acquisition Lead for the Office of the Undersecretary of Defense for Acquisition and Sustainment at MITRE, about how the Defense Department can bridge the valley of death and ensure warfighters today won’t miss out on technologies of the future.

You can listen to the full episode below or download and subscribe to Critical Update in Apple Podcasts or Google Play

Article link: https://www.nextgov.com/podcasts/2022/04/critical-update-bridging-defense-departments-valley-death/366061/

• NIST agency running competition for new encryption standards
• Quantum computing comes with risks for modern data protection

By Katrina Manson

May 13, 2022, 8:34 AM EDTUpdated onMay 13, 2022, 9:52 AM EDT

The US is readying new encryption standards that will be so ironclad that even the nation’s top code-cracking agency says it won’t be able to bypass them.

The National Security Agency has been involved in parts of the process but insists it has no way of bypassing the new standards.

“There are no backdoors,” said Rob Joyce, the NSA’s director of cybersecurity at the National Security Agency, in an interview. A backdoor enables someone to exploit a deliberate, hidden flaw to break encryption. An encryption algorithm developed by the NSA was dropped as a federal standard in 2014 amid concerns that it contained a backdoor.

The new standards are intended to withstand quantum computing, a developing technology that is expected to be able to solve math problems that today’s computers can’t. But it’s also one that the White House fears could allow the encrypted data that girds the U.S. economy – and national security secrets – to be hacked. 

Scientists estimate viable quantum computing could arrive anywhere from five to 50 years from now, if ever.

The contest by the National Institute of Standards and Technology, or NIST, is intended to update the algorithms that underpin widespread public-key cryptography that secures emails, online banking, medical records, access to control systems, some national security work and more. That system, developed in the 1970s, allows for the private exchange of information by relying on publicly accessible algorithms. Announcement of the winners is imminent, officials said.

The Biden administration last week unveiled a plan to switch the entire US economy to quantum-resistant cryptography, which will rely on new NIST algorithms, as much “as is feasible by 2035.” 

Joyce, of the NSA, said it was a question of “when, not if.” He is among those who worry U.S. adversaries are stealing and stockpiling encrypted data intended to remain secret for decades or more in anticipation of being able to unlock it when viable quantum computing arrives. China, for one, is pouring billions of dollars of investment into developing quantum computing, according to US researchers.

NIST, which started the post-quantum contest in 2016, has taken pains to stress independence in overseeing the public competition, which is now down to seven finalists from 69 initial viable submissions “from all over the world.” While the NSA has helped design and edit NIST standards in the past, this time the institute has made all decisions about the new algorithms internally, relying on the expertise of its post-quantum cryptography team, a NIST spokesperson told Bloomberg.

The NSA already has classified quantum-resistant algorithms of its own that it developed over many years, said Joyce. But it didn’t enter any of its own in the contest. The agency’s mathematicians, however, worked with NIST to support the process, trying to crack the algorithms in order to test their merit.

“Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance,” Joyce said. “We’ve worked against all of them to make sure they are solid.”

The purpose of the open, public international scrutiny of the separate NIST algorithms is “to build trust and confidence,” he said.

Leaked documents from former NSA contractor Edward Snowden in 2013 revealed some of the NSA’s techniques for penetrating encryption and lent credence to allegations that the algorithm it created included a backdoor. Afterward, NIST revoked its support for the algorithm.

Choosing the algorithm is only a first step. NIST will then oversee an effort to turn the winning algorithms into public standards. The plan is to make them available in 2024 so that government and industry can adopt them.

The NIST spokesperson said the final standard will also be open to scrutiny for any weakness or flaws.

“The reason they take so long to standardize is our confidence in them is a function of how many hours really smart people are taking to try to break them,” said Charles Tahan, director of the national quantum coordination office at the White House, in an interview.

Article link: https://www.bloomberg.com/news/articles/2022-05-13/nsa-says-no-backdoor-in-new-encryption-scheme-for-us-tech

By NATALIE ALMS May 11, 2022

Immigration and Customs Enforcement has used facial recognition to search through the driver’s license photos of one in three adults in the U.S., according to a new report by Georgetown Law’s Center on Privacy and Technology.

Immigration and Customs Enforcement, or ICE, “now operates as a domestic surveillance agency,” according to a new report by Georgetown Law’s Center on Privacy and Technology based on a two-year investigation.

The report details how, since the agency was established in post-9/11 legislation, ICE has moved beyond cooperating primarily with other law enforcement agencies to assemble an infrastructure that enables it to pull detailed information on Americans, immigrants and non-immigrants alike, with data from private data brokers and state and local governments.

ICE’s “surveillance dragnet” also uses facial recognition, especially the scanning of driver’s license photos for immigration enforcement, according to the report, which involved hundreds of Freedom of Information Act Requests and reviews of the agency’s contracting and procurement records.

Between 2008 and 2021, ICE spent about $96 million on biometrics, a category that also includes fingerprinting and DNA testing, according to the report.

Currently, “there are few regulations limiting law enforcement’s use of face recognition generally and almost no regulations addressing ICE’s use of the technology,” the report states.

ICE did not reply to a request for comment on the report from FCW.

The use of facial recognition dates to a 2008 contract between the agency and biometrics company L-1 Identity Solutions, which gave ICE access to the face recognition database of the Rhode Island motor vehicle department, according to the report, which details ICE’s use of facial recognition searches of DMV databases.

ICE has used facial recognition tech to scan the drivers license photos of one in three adults in the U.S., and since 2015, the agency has requested face recognition scans of DMV databases in at least 14 states, according to the report.

“The use of face recognition on DMV data is particularly egregious because people don’t expect to have their images and personal data be shared with other agencies. This is a betrayal of the trust that people put in their state agencies and needs to stop,” said Allison McDonald, research fellow at the center and one of the report’s authors, in a statement to FCW.

“This doesn’t mean that other, less covert uses of face recognition are unproblematic. There is ample evidence that face recognition is unreliable and biased, and is not a technology that should be used by police or immigration authorities,” she continued.

The report urges ICE to stop the use of facial recognition for immigration enforcement, pointing to concerns with race and gender bias in algorithms, the potential for misidentification and wrongful arrests and concerns about privacy and due process. 

Since May 2020, ICE policy has prohibited the use of facial recognition tech in its Enforcement and Removal Operations, the report states, but not its Homeland Security Investigations.

ICE isn’t the only agency to tap into facial recognition technology.

A 2021 report from the Government Accountability Office surveyed 24 agencies to find that most were using the technology for either domestic law enforcement, cybersecurity or physical security. The General Services Administration, for example, is currently considering the use of facial recognition for Login.gov.

The agency’s surveillance work has occurred largely without judicial, legislative or public oversight, the report states. Most congressional leaders didn’t know about ICE’ use of facial recognition scans of DMV photos until media reports in 2019 – over a decade after the first known contract in 2008, the report states. 

Another major source of information for the agency detailed by this investigation is data and algorithmic tools.

ICE has tapped into databases from private data brokers and state and local governments – often data given in order to get essential services, the report states, pointing to records from the Department of Motor Vehicles, as well as utility information, employment records and housing records.

In 16 states and the District of Columbia, for example, undocumented people can get drivers licenses. In six of those states, ICE has used facial recognition to scan driver’s license photos;  in five, it can look for driver’s license information to use for civil immigration enforcement without a warrant.

The report also estimates that ICE can likely obtain address information for 74% of adults in the U.S. using utility records created when they tap into gas, electricity, phone or internet in a new home – information that can help trace people for deportation, the report states.

The sharing of data handed over to get essential services has already created evidence of  a “chilling effect,” or the deterrence of immigrants from interacting with government systems and enrolling in critical services, the report states.

The report does include recommendations, urging Congress to reform immigration laws, enact new data protections, update laws that limit the disclosure of information given by Americans to the DMV and conduct more oversight of ICE, including the agency’s use of biometrics. 

It also includes recommendations for state lawmakers on the use of water, gas, electricity, phone and internet records for immigraiton enforcement and ICE access to DMV data.

Article link: https://www.nextgov.com/cxo-briefing/2022/05/ice-has-assembled-surveillance-dragnet-facial-recognition-and-data-report-says/366826/

By Melissa Heikkiläarchive page May 13, 2022

The European Union is planning new legislation aimed at curbing the worst harms associated with artificial intelligence.

It’s a Wild West out there for artificial intelligence. AI applications are increasingly used to make important decisions about humans’ lives with little to no oversight or accountability. This can have devastating consequences: wrongful arrests, incorrect grades for students, and even financial ruin. Women, marginalized groups, and people of color often bear the brunt of AI’s propensity for error and overreach. 

The European Union thinks it has a solution: the mother of all AI laws, called the AI Act. It is the first law that aims to curb these harms by regulating the whole sector. If the EU succeeds, it could set a new global standard for AI oversight around the world.

But the world of EU legislation can be complicated and opaque. Here’s a quick guide to everything you need to know about the EU’s AI Act. The bill is currently being amended by members of the European Parliament and EU countries. 

What’s the big deal?

The AI Act is hugely ambitious. It would require extra checks for “high risk” uses of AI that have the most potential to harm people. This could include systems used for grading exams, recruiting employees, or helping judges make decisions about law and justice. The first draft of the bill also includes bans on uses of AI deemed “unacceptable,” such as scoring people on the basis of their perceived trustworthiness. 

The bill would also restrict law enforcement agencies’ use of facial recognition in public places. There is a loud group of power players, including members of the European Parliament and countries such as Germany, that want a full ban or moratorium on its use in public by both law enforcement and private companies, arguing that the technology enables mass surveillance. 

If the EU manages to pull this off, it would be one of the strongest curbs yet on the technology. Some US states and cities, such as San Francisco and Virginia, have introduced restrictions on facial recognition, but the EU’s ban would apply to 27 countries and a population of over 447 million people.

How will it affect citizens? 

In theory, it should protect humans from the worst side effects of AI by ensuring that applications face at least some level of scrutiny and accountability. 

People can trust that they will be protected from the most harmful forms of AI, says Brando Benifei, an Italian member of the European Parliament, who is a key member of the team amending the bill. 

Related Story

Deepfake porn is ruining women’s lives. Now the law may finally ban it.

After years of activists fighting to protect victims of image-based sexual violence, deepfakes are finally forcing lawmakers to pay attention.

The bill requires people to be notified when they encounter deepfakes, biometric recognition systems, or AI applications that claim to be able to read their emotions. Lawmakers are also debating whether the law should set up a mechanism for people to complain and seek redress when they have been harmed by an AI system. 

The European Parliament, one of the EU institutions working on amending the bill, is also pushing for a ban on predictive policing systems. Such systems use AI to analyze large data sets in the interest of preemptively deploying police to crime-prone areas or to trying to predict a person’s potential criminality. These systems are highly controversial, and critics saythey are often racist and lack transparency.

What about outside the EU?

The GDPR, the EU’s data protection regulation, is the bloc’s most famous tech export, and it has been copied everywhere from California to India. 

The approach to AI the EU has taken, which targets the riskiest AI, is one that most developed countries agree on. If Europeans can create a coherent way to regulate the technology, it could work as a template for other countries hoping to do so too. 

“US companies, in their compliance with the EU AI Act, will also end up raising their standards for American consumers with regard to transparency and accountability,” says Marc Rotenberg, who heads the Center for AI and Digital Policy, a nonprofit that tracks AI policy.

The bill is also being watched closely by the Biden administration. The US is home to some of the world’s biggest AI labs, such as those at Google AI, Meta, and OpenAI, and leads multiple different global rankings in AI research, so the White House wants to know how any regulation might apply to these companies. For now, influential US government figures such as National Security Advisor Jake Sullivan, Secretary of Commerce Gina Raimondo, and Lynne Parker, who is leading the White House’s AI effort, have welcomed Europe’s effort to regulate AI.

“This is a sharp contrast to how the US viewed the development of GDPR, which at the time people in the US said would end the internet, eclipse the sun, and end life on the planet as we know it,” says Rotenberg.

Despite some inevitable caution, the US has good reasons to welcome the legislation. It’s extremely anxious about China’s growing influence in tech. For America, the official stance is that retaining Western dominance of tech is a matter of whether “democratic values” prevail. It wants to keep the EU, a “like-minded ally,” close. 

What are the biggest challenges? 

Some of the bill’s requirements are technically impossible to comply with at present. The first draft of the bill requires that data sets be free of errors and that humans be able to “fully understand” how AI systems work. The data sets that are used to train AI systems are vast, and having a human check that they are completely error free would require thousands of hours of work, if verifying such a thing were even possible. And today’s neural networks are so complex even their creators don’t fully understand how they arrive at their conclusions. 

Tech companies are also deeply uncomfortable about requirements to give external auditors or regulators access to their source code and algorithms in order to enforce the law.

“The current drafting is creating a lot of discomfort because people feel that they actually can’t comply with the regulations as currently drafted,” says Miriam Vogel, who is the president and CEO of EqualAI, a nonprofit working on reducing unconscious bias in AI systems. She also chairs the newly founded National AI Advisory Committee, which advises the White House on AI policy. 

There’s also a giant fight brewing over whether the AI Act should ban the use of facial recognition outright. It’s contentious because EU countries hate it when Brussels tries to dictate how they should handle matters of national security or law enforcement. Several countries, such as France, want to make exceptions for using facial recognition to protect national security. In contrast, the new government of Germany, another big European country and an influential voice in EU decision making, has said it supports a full ban on the use of facial recognition in public places. 

Another big fight will be over what kinds of AI get classified as “high risk.” The AI Act has a list that ranges from lie detection tests to systems used to allocate welfare payments. There are two opposing political camps—one fearing that the vast scope of the regulation will slow down innovation, and the other arguing that the bill as written will not do enough to protect people from serious harm. 

Won’t this stifle innovation? 

A common criticism from Silicon Valley lobbyists is that the regulation will create extra red tape for AI companies. Europe disagrees. The EU counters that the AI Act will only apply to the riskiest set of AI uses, which the European Commission, the EU’s executive arm, estimates would apply to just 5 to 15% of all AI applications.

Tech companies “should be reassured that we want to give them a stable, clear, legally sound set of rules so that they can develop most of AI with very limited regulation,” says Benifei. 

Organizations that don’t comply face fines of up to €30 million ($31 million) or, for companies, up to 6% of total worldwide annual revenue. And experience shows that Europe is not afraid to dish out fines to tech companies. Amazon was fined €746 million ($775 million) in 2021 for breaching the GDPR, and Google was fined €4.3 billion ($4.5 billion) in 2018 for breaching the bloc’s antitrust laws. 

When will it come into effect? 

It will be at least another year before a final text is set in stone, and a couple more years before businesses will have to comply. There is a chance that hammering out the details of such a comprehensive bill with so many contentious elements could drag on for much longer. The GDPR took more than four years to negotiate, and it was six years before it entered into force. In the world of EU lawmaking, anything is possible.

Article link: https://www.technologyreview.com/2022/05/13/1052223/guide-ai-act-europe/