By PATRICK TUCKERAUGUST 18, 2022 08:41 AM ET

The Defense Department’s current “checklist” approach can’t keep its networks safe.

Two years ago, a pair of Navy information leaders decided to attack their own networks—and not just once or twice a year during scheduled exercises, but far more frequently, and unannounced. Now they’re trying to get the rest of the Navy—and the Pentagon—to follow suit.

Their experiment showed that frequent, automated red-teaming reveals which vulnerabilities are the most dangerous, the easiest for an attacker to exploit with the highest impact—information they wouldn’t have otherwise, said Aaron Weis, the Navy’s chief information officer, or CIO, and Scott Bischoff, the command information officer at the Naval Postgraduate School.

And it’s far more effective than the way the Defense Department currently handles cybersecurity: with checklists of steps taken, patches implemented, and so on.

“It’s a very compliance-driven mentality, like an audit… and it’s wrong,” Weis told Defense One. “Cybersecurity is not a compliance problem.” 

Treating cybersecurity like a checklist does answer one question: whether the officer, team, or company charged with “cybersecurity” has done their job to some agreed-upon level of performance—basically, whether they’ve fulfilled the terms of a contract or the parameters of an assignment. It’s an approach that works well for a bureaucracy, but it’s not the best way to actually secure your networks, Weis said.

“We’ve got…15 to 20 years of track record using a compliance mentality that says it doesn’t work, right? Because we continue to be exercised by our adversaries in cyberspace,” he said.

Related articles

The US Military Should Red-Team Open Source Code

A Navy Cyber Effort Is Fixing Thousands of Holes—and Building Tech Talent

Weis says the Pentagon needs to measure its networks’ suitability for combat the same way it does for soldiers, sailors, tanks, and ships: through the concept of military readiness.

Such an approach would mean prioritizing the biggest problems first, with second-tier or complicated ones set on slower paths to fixing.

“There’s ‘ready to fight tonight.’ But if you are a carrier strike group and you’re deploying in three months, are you on a path to being ready? You manage your readiness on a day-to-day basis and it’s a function of a whole bunch of things,” he said. “Do we have the right people? Are they trained? Are they qualified, or deficient? Do we have the equipment?”

But Weis had to show that getting to a state of “readiness” in cyberspace is a matter of constant testing and drilling, not filling out compliance forms. 

He needed a safe space where he could understand readiness without exposing huge problems to adversaries or taking essential naval networks offline. He went to the Naval Postgraduate School, or NPS, in Monterey, California.

NPS’ Bischoff says the school lends itself to experimentation because it’s on the California research and education network, not a Navy network. 

“I have a lot of authorities here that other naval units wouldn’t have. It provides the Navy a small chunk of terrain here to do things,” like test new cybersecurity concepts, he said. “We have a somewhat unique terrain here to maybe take a little bit of risk on and try some things. That’s important for a STEM school, you know. We’re very research-intensive, so it’s right up our alley.”

So NPS forged a cooperative R&D agreement with Rebellion, a defense-focused software startup founded by Chris Lynch, the former head of the Defense Department’s Digital Service.

Rebellion brought in a tool called Nova that does automated red-teaming on networks. But it doesn’t just hammer away at the vulnerabilities it finds like it’s running through a checklist. 

“It can identify the system, understand its patch level, catalog its vulnerabilities according to what’s generally available, and then try to run an automated exploit against it, based on what it knows,” said Weis.

The process revealed a lot more information than just a list of vulnerabilities to be patched. They learned which vulnerabilities were the most important, the easiest to attack, which ones let the attacker gain wider network access, things they would have learned only if a real attacker was hitting the system and strategizing its next move. That means that different vulnerabilities had a priority that a checklist completely missed. 

Said Weis: “Right now, because of our compliance approach, we focus on patching every vulnerability, right?…In no particular order, by the way. We just line them up and knock them down. And what that approach…disregards is the question: Can that vulnerability actually be exploited?”

Some vulnerabilities that seemed large were very difficult to exploit, and some that seemed small were a lot more dire than their position on the checklist would indicate. Running similar experiments on actual DOD networks would probably reveal a similar result: that the Department is not managing its cyber vulnerabilities with a real-world understanding of how an attacker would actually approach the network. 

Bischoff said similar red-team experiments involving humans are great, but they happen once or twice a year. “It’s a snapshot, right. I don’t want a snapshot. I want a movie throughout the year.”

Weis said he’s building off of that experiment. 

“We’re in the process of…nominating a set of [Navy] programs that are volunteering to go first and to start to use this different approach,” he said. “We’ve been having leadership-level discussions here since kind of before the holidays last year. It started with a one-on-one with the [Chief Naval Officer] and it’s kind of moved up from there.”

Said Lynch: “Aaron [Weis] is trying to completely change what they’re doing,” not only in the Navy, but potentially across the military. 

That is going to be important if the Defense Department is going to move toward the highly-networked joint all-domain command and control, or JADC2, vision at the heart of its plans for the next decade. The more networks, computers, drones, satellites, etc.. are all linked together, the more unmanageable a checklist approach becomes. The only solution will be to assume your enormous networked war machine is under attack at its weakest points—because it is.

Article link: https://www.nextgov.com/cybersecurity/2022/08/experiment-showed-military-must-change-its-cybersecurity-approach/376003/

January 6, 2021

Drug companies charge more for insulin in the United States than in nearly three dozen other countries RAND researchers examined—and it’s not even close. The average list price for a vial of insulin in Canada was $12. Step across the border into America, and it’s $98.70.

Those differences help explain why insulin has become a symbol of the high cost of American health care. Its prices have shot up in recent years, for reasons that are opaque at best, with those who can least afford it often paying the most. Reining in those prices has become the rare political cause embraced by Democrats and Republicans alike.

“This isn’t just some academic question: ‘How do our prices compare with those in other countries?’” said Andrew Mulcahy, a senior policy researcher at RAND who specializes in health care economics and led the study. “It’s becoming a very practical question, because there are ideas out there to do something about it, and they can benefit from this kind of analysis.”

Diabetes is one of the most pervasive, deadly, and expensive diseases in the United States. More than 30 million people have it, and nearly a quarter of them use insulin to manage their symptoms and prevent life-threatening complications. Per-person spending on insulin, for those with employer-paid health insurance, doubled between 2012 and 2016.

The U.S. Department of Health and Human Services asked RAND to investigate how American insulin prices compare with those in other parts of the world. Researchers obtained list prices for all types of insulin from 33 countries in Europe, Asia, Australia, and the Americas. Plotted on a graph, the U.S. prices stand alone.

The average price in America, across all types of insulin, was more than ten times higher than the average for all of the other countries combined. In fact, the closest any country came to paying the $98.70 American average was the $21.48 average that Chile pays.

The differences were especially stark when the researchers looked at rapid-acting insulin, which makes up about a third of the U.S. market. Its average price in other countries was just over $8. In America, it was $119.

“It comes at a high cost, and not just financially, but in terms of your life,” said Mila Clarke Buckley, 30, whose autoimmune diabetes is slowly shutting down her pancreas. She runs a top-rated blog for fellow diabetics, “Hangry Woman,” from her home in Houston. She has more than 30,000 readers.

“It’s not like one day you can just stop taking insulin,” she said. “You really have to manage your life thinking, OK, this is my No. 1 priority, to be able to get this little pen of liquid so that I can live.”

Insulin prices in the United States are higher than prices in nearly three dozen other countries RAND researchers examined—and it’s not even close.Share on Twitter

The prices RAND used in its study—the list prices, set by drug manufacturers—were the most available for comparison across different countries. They’re a good starting point for understanding the true cost of insulin. In the cryptic world of drug-price setting, the list price is like an opening bid.

The companies that manage the drug formularies that you might see on your insurance plan then enter the picture. They negotiate discounts and rebates in a closed-door process that yields a second, lower price that insurers ultimately pay. Drug manufacturers compete for their business by offering generous discounts, which gives them every reason to set their initial prices high. Even if those discounts cut 50 percent from the price, RAND’s study noted, Americans would still be paying several times more for insulin than what people in other countries pay.

It’s hard to track the final prices that patients like Buckley actually pay at the pharmacy counter. Those who have insurance still have to cover deductibles and copays, which can be significant. Those who don’t have insurance can find themselves paying the full list price.

Drug companies have started to introduce lower-priced insulins and discount cards to help those struggling to pay. But nearly a third of the people who responded to an American Diabetes Association survey said they had postponed doctors’ appointments or put off paying bills to afford their insulin. A quarter had skipped a rent or mortgage payment.

Buckley has been there. When her husband lost his job a few years ago—and with it, their health insurance—she, too, found herself caught between paying their bills and paying for insulin. She paid the bills.

“It was an impossible choice, but we had nothing left to give,” she said. For several weeks, she watched her blood-sugar levels creep up as she rationed what little insulin she had, until her husband could find another job. “It was terrifying,” she said. “That’s why we need to really force this conversation to stay open. It’s important to live in a country where insulin is accessible and affordable and people don’t have to make choices to go without just so they can get their insulin.”

Several states have capped how much their residents can be asked to pay out of pocket for insulin. A few have filed lawsuits against the major drugmakers. At the federal level, policymakers have talked about—but not yet acted on—ideas to allow the importation of cheaper insulin, or to peg prices here to those in other countries. One proposal would cut back the middlemen so that list prices can more closely reflect the final pharmacy prices.

You really have to manage your life thinking, OK, this is my No. 1 priority, to be able to get this little pen of liquid so that I can live.

Mila Clarke Buckley

Rep. Earl “Buddy” Carter of Georgia offered a backhanded thank-you to industry executives during a 2019 hearing on the soaring price of insulin. “You have done something here today that we have been trying to do in Congress [for years],” he told them. “And that is to create bipartisanship.”

Researchers at RAND are now starting to look at how American prices for other prescription drugs compare with those in other countries. “We really need to have a better sense of just how much more we’re paying,” RAND’s Mulcahy said. “It’s not just insulin; it’s across the board. My hope is that this insulin report is the start of a long string of analyses doing this kind of international drug-price comparison.”

Mila Clarke Buckley knows her insulin costs will go up. The type of diabetes she has—latent autoimmune diabetes in adults, or LADA—is a progressive disease, breaking down her body’s ability to function without increasing doses of insulin. Sooner or later, she will become completely insulin dependent. She has a separate tab on her household budget for when that day comes: “Mila’s Diabetes Care.”

“It happened to me; it can happen to you any day,” she said. “That’s why we need to have this conversation, because the prices are astronomical, and it affects real lives. One day, I didn’t have diabetes, and the next day, I found out I did, and it changed my entire life.”

— Doug Irving

Article link: https://www.rand.org/blog/rand-review/2021/01/the-astronomical-price-of-insulin-hurts-american-families.html?

By PATIENCE WAITAUGUST 18, 2022 09:22 AM ET

The memorandum sets up budget expectations for previously established cyber goals.

The Office of Management and Budget in July quietly issued a memorandum to all federal civilian agencies outlining the administration’s “cross-agency cyber investment priorities” for the fiscal year 2024 budget, emphasizing that implementing zero trust and IT modernization must be at the top of the list.

“The Federal Zero Trust Strategy … requires agencies to achieve specific zero trust security goals by the end of FY 2024; budget submissions are expected to prioritize ensuring this work is completed,” the memo states. “Agencies have submitted [their] zero trust implementation plans to OMB, and a cross-government team of cybersecurity experts from OMB, [Office of the National Cyber Director], and Cybersecurity and Infrastructure Security Agency … is engaging with agencies to refine these plans and define ambitious, achievable goals.”

OMB noted that the goals of a zero trust implementation are about achieving a consistent enterprise-wide baseline for cybersecurity “grounded in principles of least privilege, minimizing attack surface and designing protections around an assumption that agency perimeters should be considered compromised.”

The budget directive is aimed at ensuring that agencies demonstrate their commitment to zero trust by reflecting it in their budget requests. 

Similarly, the memo points out that obsolete systems and the resulting technical debt have limited both the government’s ability to deliver modern services to customers and also in the implementation of modern security best practices. As a result, the memo emphasizes that agencies “should prioritize technology modernizations that lead with security integrated during the design phase, as well as throughout the system lifecycle.” This includes:

• Accelerating adoption and use of secure cloud infrastructure and services, leveraging zero trust architecture.
• Developing and deploying federal shared products, services and standards that empower secure customer experiences.
• Using shared security technologies, including the Department of Homeland Security’s Continuous Diagnostics and Mitigation program.
• Sharing awareness between security and IT operations teams across the federal enterprise.
• Using agile development practices and integrating NIST’s Secure Software Development Framework and Software Supply Chain Security Guidance into agencies’ software procurement and development practices.

The memo also directs the civilian agencies to increase their collaboration with the private sector to protect critical infrastructure. Sector Risk Management Agencies “must ensure their [budget] requests reflect adequate resources to fulfill their responsibilities,” including building mechanisms to collaborate with critical infrastructure owners and operators to “identify, understand and mitigate threats, vulnerabilities and risks to respective sectors.” Budget submissions for FY 2024 should prioritize specific proposals that will provide SRMAs adequate resources to meet those responsibilities.

OMB also points out that supply chain risk management is a “critical capability to manage cybersecurity risk.” While agencies have been required to establish formal SCRM programs for their own acquisitions—especially for information and communications technology and services—the requirements are slated to sunset at the end of 2023. OMB advises the agencies that legislation is pending to extend the requirement through 2026, so agencies should continue their investments in their FY 2024 budget submissions.

And agencies’ responsibilities for supply chain risk management extend beyond their own acquisitions, the memo says.

“The federal government also plays a role in addressing national level ICTS supply chain risk,” it states. “In FY 2024 budget submissions, agencies should highlight investments that support a national effort to mitigate undue or unacceptable levels of risk to [the] economic security and national security of the United States.”

This OMB memo is a real ratcheting-up of pressure on federal civilian agencies to implement zero trust. Since last year’s cybersecurity EO, some agencies have grumbled that it represented another “unfunded mandate”—an IT directive without the budget attached to achieve it.

James F.X. Payne, vice president, business development with SecureG, a Sterling, Virginia, company developing secure machine identity management for 5G wireless services, said the OMB memorandum shows the agency is making sure that excuses for a lack of progress will not stand up to scrutiny.

OMB “is embracing zero trust architecture in a serious way. It’s a wake-up call across the government,” he said.

Payne compared it to the way the White House stepped up pressure on agencies to adopt cloud computing more than a decade ago. “First it was a suggestion. Then it was a directive. And then it was, ‘We’ll audit you for compliance,’” he said. “Moving to zero trust is important enough, OMB is moving faster this time.”

Article link: https://www.nextgov.com/cybersecurity/2022/08/omb-memo-places-zero-trust-top-civilian-agency-priorities/375948/

by Andrew White, Michael Smets, Adam Canwell

July 18, 2022

Summary. It’s not news that organizational transformations are prone to failure. To understand the skills, mindsets, and capabilities behind successful transformations in today’s dynamic environment, EY and Oxford University formed a research collaboration to investigate what it takes to lead a successful transformation. One of the authors’ most important findings is that, in order for transformation to be successful, leaders must approach it in ways designed to mitigate emotional harm to — and drive emotional commitment from — employees. The workforce bears the brunt of failed transformations, and the emotional damage can be substantial as employees lose confidence in leaders and become skeptical of further attempts at transformation. Drawn from their research, the authors present seven ways for leaders to set their transformations up for success by prioritizing their employees’— and their own — emotions.

The road is littered with failed transformation programs that were set up in the traditional way: Leaders define objectives, design a project plan, agree on KPIs, and recruit the right people. As many executives, academics, and consultants can relate to, the rate of failure in transformations is still far too high, and one that organizations can ill afford in these disruptive times.

To understand the skills, mindsets, and capabilities behind successful transformations in today’s dynamic environment, EY and Oxford University formed a research collaboration to investigate what it takes to lead a successful transformation. We surveyed 935 CXOs and 1,127 members of the workforce. Approximately 50% of them represented a successful transformation project and 50% an unsuccessful one. The respondents came from 23 countries, seven industries, and 16 sub-industry sectors. We also conducted 25 in-depth interviews with CXOs from multiple global companies. Before their interviews, each leader was asked to identify three critical turning points in their transformation. The interviews then focused on each turning point to understand when and why it happened, what actions were taken, and how they impacted the outcome of the transformation.

One of our most important findings is that, in order for transformation to be successful, leaders must approach it in ways designed to mitigate emotional harm to — and drive emotional commitment from — employees.

What makes transformations successful — and unsuccessful

In general, we found that leaders and workers started transformations at the same point emotionally: excited and optimistic. As the transformations got going, they all showed a reduction in positive emotions and an increase in negative emotions. All transformations are tough, and confidence is bound to dip. This is not only inevitable, it’s key to the transformation’s success: Heightened stress raises performance (up to a point), and leaders who learn from their emotions bring those lessons into the transformation. This maintains a zone of high performance, which is an accelerator for a transformation.

For emotions to be accelerators rather than inhibitors of transformation, leaders must put conditions in place in advance so that the transformation can come through this “pressure zone.” They must create psychological safety and construct mechanisms for all voices to be heard. And as the pressure increases, support, such as listening sessions and employee coaching, needs to increase along with it.

Without that corresponding increase in psychological safety and support, transformations spiral downward. The workforce is left feeling anxious and overworked. People lose faith in transformation when there’s no compelling vision, no visible progress, and no practical and emotional support from leaders. When key stakeholders and the leaders themselves lose faith in the transformation, they may start to distance themselves from it, looking to reduce damage to their own brands and jumping to different activities.

Seven steps for a successful transformation

The workforce bears the brunt of failed transformations, and the emotional damage can be substantial as employees lose confidence in leaders and become skeptical of further attempts at transformation.

Drawn from our research, here are seven ways for leaders to set their transformations up for success by prioritizing their employees’— and their own — emotions.

1. Address the unsustainable status quo.

The first step in any transformation is recognizing that the status quo is unsustainable. This takes courage and an ability to hold and facilitate the emotionally uncomfortable conversations that lead you to accept the delta between where you are today and where you need to be tomorrow. It’s about working on yourself first by becoming aware of what mindsets and assumptions underpin your view of success and beginning a transformational emotional journey.

Understanding the unsustainability of the status quo can mean putting yourself as a leader in a different place, often physically, in order to see yourself, your company, and the part of the world you operate in and impact differently. An executive from the consumer goods industry demonstrated this point in speaking about a 10-day executive trip to Silicon Valley: 

For me the key to the start of the transformation was the Silicon Valley trip. Those of us in the top team saw what the world looked like somewhere else and realized just how different and successful it was. We thought, if we don’t do this, we could be toast in 10 years’ time. Speaking for myself, personally, I came away from Silicon Valley thinking, I have to undergo a pretty profound re-education.

2. Detach from the status quo.

The next step is to consciously detach from the status quo. Embrace the unknown and adopt the humility required to challenge the mindsets and assumptions you have about your company and its current ways of working, as well as the industry and what constitutes success.

This step is about understanding your own ego’s need to be an expert and recognizing the importance of being open to learning during this time of transformation. This is where the real work of leaning into the emotions of anxiety, fear, and excitement occurs as your identity and status moves to the backburner. You must view not knowing what the future might look like as a key capability, rather than a sign of personal weakness.

This means understanding the system in which you’re located (beyond direct competitors), how it’s changing, and what opportunities and risks are being created. This can be uncomfortable. Embrace this discomfort; don’t shy away from it.

This step also requires exposure to new ideas that will inform and structure the future of the industry you’re in and therefore your company. For example, a CEO of a multinational retailer described to us how they attended an eight-week bootcamp on circular economics to understand how the idea would inform how their company needed to transform its operations to align with environmental challenges.

3. Develop a purposeful vision.

Embracing the unknown and adopting humility enables you to develop a purposeful vision because it allows you to see more clearly what needs to change and why. It allows you to understand why you exist, independent from the current mindsets and assumptions and the ways your company operates and creates value. You can then imagine how you might create value differently at a functional, product and service, or even entire business model level. The leader of a healthcare business reflected:

When we began the transformation, the mindset in the organization was that our business model was razors and razorblades. I said, no, that’s not our business, our business is that we give people much needed answers and we change people’s lives. Now our teams are connected to a purpose and show up with their heart, not an arrogant approach…It doesn’t matter who you report to, or what your status is, it’s having a purpose that you can connect to, such as to make people’s lives better, and coming to work every day with a great attitude and a growth mindset. That’s transformation for us in a nutshell.

4. Lead emotional transformation.

This step gets to the heart of our argument and is the key to leading the emotional journey of transformation. Transformation can be exciting and unsettling for employees at the same time. They may feel excitement about being part of a purposeful company but unsettled and anxious — for example, if they can’t see how their skills will be relevant.

Addressing these emotions is key. Bringing topics like anxiety and fear of the unknown as well as different ideas about what the organization’s future looks like into formal conversations allows them to be worked through, instead of just festering and creating resentment.

Our research suggests that listening skills are just as important as a project plan in a leaders’ toolkit of skills. Here are some psychotherapy-based steps to improve your listening. We found that these are remarkably similar to what leaders of successful transformations reported doing:

• Create the right space to actively encourage emotional awareness and expression through simple questions such as, “What are you feeling? Can you tell me more about that?” Silence and open questions allow people to explore their own emotions.
• Use techniques such as deep listening (to what is said and unsaid) and paraphrasing what you think you’ve heard to facilitate emotional regulation, which enables the exploration of primary emotions. Encouraging self-observation and self-compassion, focusing on breath and creating an environment free from judgement and reaction are all important here.
• Create workshops that enable active reflection on emotions (using tools such as meditation, poetry, journaling, and art). This will help facilitate conversations that focus on meaning making and the development of new narratives to explain past experiences and current situations.

5. Include both the rational and emotional. 

When executives begin a transformation, it’s not long before they reach for a project plan. More often than not, this focuses on a rational understanding of how long it will take to deliver key activities. These plans are often overly ambitious from a cost and time point of view, and our research suggests that they miss the critical listening component, which slows down the transformation process.

Conduct listening exercises via one-on-ones, small groups, and digital interventions and workshops across the organization that enable leaders and the workforce to understand their own purpose and values and how they integrate into the wider organizational purpose.

If you’re to integrate both the emotional and rational into your plans, you need to think of the process as a corkscrew rather than a straight line — in other words, a core focus on progress but a non-linear way of getting there. This requires a different approach to project planning that integrates the rational and emotional processes and activities by bringing together the need for patience and pace. An executive in the aerospace industry described it to us like this:

It is more like a spiral, where you just go up a little bit and the turning points are positive, and then a negative one. We came back a little bit and then we go up again and went to the second cycle.

6. Align KPIs, funding, resources, and people.

This is where the benefits of focusing on the emotional journey should come to fruition. Successful transformation requires major shifts in KPIs and performance management, funding, and resources. This new reality can be difficult for some people, as their lack of belief in the transformation becomes real as they lose power, status, and even their roles in the transformed organization. While losing people is more often than not an inevitable part of a successful transformation, our research shows that making decisions about practical matters like KPIs sooner rather than later enables people to transition from one emotional state to another — from reacting to the loss of the status quo to being creative about the future. This is a critical inflection point in the emotional journey.

This quote from a media industry executive illustrates how transformation creates a clear distinction between those who are aligned with the transformation and those who are not:

So, it probably did divide the business I think a little, between people who are here for the next evolutionary stage of what our industry is going through and those who are not. Not all of those who did not see this future have left the business, some are still doing what they do, but quite a few have. So, it’s accelerated a generational change inside our business, I think. I think people are leaders in our business earlier now. A good handful of years earlier than perhaps they would have been before, if they were able to grasp this more than their managers were able to grasp it.

What this step demonstrates in how new KPIs enable shifts in resources and make the transformation a concrete reality. This brings to light those people who are inspired and energized to bring the transformation to reality and those who are not.

7. Make transformation the new normal.

In the twentieth century, many organizations followed the model of being a “machine,” where predictability, stability, and hierarchy were the norm. This model was very good at delivering predictable performance but poor at coping with disruption. Many organizations still live with this legacy approach while their stakeholders demand something very different: a more “organic” organization where continual transformational is the norm.

Enabling transformation requires giving employees the information and resources they need to develop and innovate in other directions. One media executive described how knowledge and resource sharing allowed employees to develop in this way, which can enable the organization to move toward a state of continual transformation:

It’s definitely created a more entrepreneurial sense across the business that more people can participate in this, than perhaps they could previously. Some of the knowledge was quite esoteric. If you wanted to know how to do some of these things you needed to work in a certain department and you needed to be trained in certain ways by someone face to face or hand to hand, to actually show you how to do them. So, it was quite difficult for you to train yourself how to do the things that we do as an agency business. Now anybody who wants to, who has the time an inclination can access all of our tools and systems, discover online all the training that they need to know how to master them and can feedback and help work into what the next situation is likely to be.

. . .

Leaders are expected to deliver continual, rather than episodic, transformation and evolution. Transitioning to this state will not only require new leadership skills, organizational structures, processes, and KPIs — leaders need to bring all these things together to operate within this new paradigm.

• Andrew White is a senior fellow in management practice at Saïd Business School, University of Oxford, where he directs the advanced management and leadership program and conducts research into leadership and transformation. He is also a coach for CEOs and their senior teams.
• Michael Smets is a professor of management at Saïd Business School, University of Oxford. His work focuses on leadership, transformation, and institutional change.
• ACAdam Canwell is head of EY’s global leadership consulting practice. Adam has published extensively on leadership and strategic change. Adam has sold and delivered transformation programs across multiple industries in both the UK and Australia, working with FTSE 100 (or their equivalent) organizations

Article link: https://hbr.org/2022/07/organizational-transformation-is-an-emotional-journey?

A Q&A with NCC Group’s Viktor Gazdag ahead of a Black Hat USA session on CI/CD pipeline risks reveals a scary, and expanding, campaign vector for software supply chain attacks and RCE.

Tara Seals Managing Editor, News, Dark Reading. August 09, 2022

Continuous integration/continuous development (CI/CD) pipelines may be the most dangerous potential attack surface of the software supply chain, researchers say, as cyberattackers step up their interest in probing for weaknesses.

The attack surface is growing too: CI/CD pipelines are increasingly a fixture within enterprise software development teams, who use them to a build, test, and deploy code using automated processes. But over-permissioning, a lack of network segmentation, and poor secrets and patch management plague their implementation, offering criminals the opportunity to compromise them to freely range between on-premises and cloud environments. 

At Black Hat USA on Wednesday, Aug. 10, Iain Smart and Viktor Gazdag of security consultancy NCC Group will take to the stage during “RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise,” to discuss the raft of successful supply chain attacks they’ve carried out in production CI/CD pipelines for virtually every company the firm has tested.

NCC Group has overseen several dozen successful compromises of targets, ranging from small businesses to Fortune 500 companies. In addition to security bugs, the researchers say novel abuses of intended functionality in automated pipelines have allowed them to convert pipelines from a simple developer utility into remote code execution (RCE)-as-a-service.

“I hope people will give some more love to their CI/CD pipelines and apply all or at least one or two recommendations from our session,” Gazdag says. “We also hope this will spark more security research on the topic.”

Tara Seals, Dark Reading’s managing editor for news, sat down with Viktor Gazdag, managing security consultant of NCC Group, to find out more. 

Tara Seals: What are some of the more common security weaknesses in CI/CD pipelines, and how can these be abused?

Viktor Gazdag: We see three common security weaknesses regularly that require more attention:

1) Hardcoded credentials in Version Control System (VCS) or Source Control Management (SCM). 

These include shell scripts, login files, hardcoded credentials in configuration files that are stored at the same place as the code (not separately or in secret management apps). We also often find access tokens to different cloud environments (development, production) or certain services within the cloud such as SNS, Database, EC2, etc. 

We also still find credentials to access the supporting infrastructure or to the CI/CD pipeline. Once an attacker gets access to the cloud environment, they can enumerate their privileges, look for misconfigurations, or try to elevate their privileges as they are already in the cloud. With access to the CI/CD pipeline, they can see the build history, get access to the artifacts and the secrets that were used (for example, the SAST tool and its reports about vulnerabilities or cloud access tokens) and in worst case scenarios, inject arbitrary code (backdoor, SolarWinds) into the application that will be compiled, or gain complete access to the production environment.

2) Over-permissive roles. 

Developers or service accounts often have a role associated with their accounts (or can assume one) that has more permissions than needed to do the job required. 

They can access more functions, such as configuring the system or secrets scoped to both production and development environments. They might be able to bypass security controls, such as approval by other developers, or modify the pipeline and remove any SAST tool that would help searching for vulnerabilities. 

As pipelines can access production and test deployment environments, if there is no segmentation between them, then they can act as a bridge between environments, even between on-prem and cloud. This will allow an attacker to bypass firewalls or any alerting and freely move between environments that otherwise would not be possible.

3) Lack of audit, monitoring, and alerting. 

This is the most neglected area, and 90% of the time we found a lack of monitoring and alerting on any configuration modification or user/role management, even if the auditing was turned on or enabled. The only thing that might be monitored is the successful or unsuccessful job compilation or build.

There are more common security issues, too, such as lack of network segmentation, secret management, and patch management, etc., but these three examples are starting points of attacks, required to reduce the average breach detection time, or are important to limit attack blast radius. 

TS: Do you have any specific real-world examples or concrete scenarios you can point to?

VG: Some attacks in the news that related to CI/CD or pipeline attacks include:

• CCleaner attack, March 2018
• Homebrew, August 2018
• Asus ShadowHammer, March 2019
• CircleCI third-party breach, September 2019
• SolarWinds, December 2020
• Codecov’s bash uploader script, April 2021
• TravisCI unauthorized access to secrets, September 2021

TS: Why are weaknesses in automated pipelines problematic? How would you characterize the risk to companies?

VG: There can be hundreds of tools used in pipeline steps and because of this, the tremendous knowledge that someone needs to know is huge. In addition, pipelines have network access to multiple environments, and multiple credentials for different tools and environments. Gaining access to pipelines is like getting a free travel pass that lets attackers access any other tool or environment tied to the pipeline.

TS: What are some of the attack outcomes companies could suffer should an adversary successfully subvert a CI/CD pipeline?

VG: Attack outcomes can include stealing source code or intellectual data, backdooring an application that is deployed to thousands of customers (like SolarWinds), gaining access to (and freely moving between) multiple environments such as development and production, both on-prem or in the cloud, or both.

TS: How sophisticated do adversaries need to be to compromise a pipeline?

VG: What we’re presenting at Black Hat are not zero-day vulnerabilities (even though I found some vulnerabilities in different tools) or any new techniques. Criminals can attack developers via phishing (session hijack, multifactor authentication bypass, credentials theft) or the CI/CD pipeline directly if it’s not protected and is Internet-facing. 

NCC Group even performed security assessments where we initially tested Web applications. What we found is that CI/CD pipelines are rarely logged and monitored with alerting, other than the software building/compiling job, so criminals don’t have to be that careful or sophisticated to compromise a pipeline.

TS: How common are these types of attacks and how broad of an attack surface do CI/CD pipelines represent?

VG: There are several examples of real-world attacks in the news, as mentioned. And you can still find, for example, Jenkins instances with Shodan on the Internet. With SaaS, criminals can enumerate and try to brute-force passwords to get access as they don’t have multifactor authentication enabled by default or IP restrictions, and are Internet-facing.

With remote work, pipelines are even harder to secure as developers want access from anywhere and at any time, and IP restrictions aren’t necessarily feasible anymore as companies are moving towards zero-trust networking or have changing network locations.

Pipelines usually have network access to multiple environments (which they shouldn’t), and have access to multiple credentials for different tools and environments. They can act as a bridge between on-prem and cloud, or production and test systems. This can be a very wide attack surface and attacks can come from multiple places, even those that have nothing to do with the pipeline itself. At Black Hat, we’re presenting two scenarios where we originally started off with Web application testing.

TS: Why do CI/CD pipelines remain a security blind spot for companies?

VG: Mostly because of the lack of time, sometimes the lack of people, and in some cases, lack of knowledge. CI/CD pipelines are often created by developers or IT teams with limited time and with a focus on speed and delivery, or developers are just simply overloaded with work.

CI/CD pipelines can be very or extremely complex and can included hundreds of tools, interact with multiple environments and secrets, and be used by multiple people. Some people even created a periodic table representation of the tools that can be used in a pipeline.

If a company allocates time to create a threat model for the pipeline they use and the supporting environments, they will see the connection between environments, boundaries, and secrets, and where the attacks can happen. Creating and continuously updating the threat model should be done, and it takes time.

TS: What are some best practices to shore up security for pipelines?

VG: Apply network segmentation, use the least-privilege principle for role creation, limit the scope of a secret in secrets management, apply security updates frequently, verify artifacts, and monitor for and alert on configuration changes.

TS: Are there any other thoughts you would like to share?

VG: Although cloud-native or cloud-based CI/CD pipelines are more simple, we still saw the same or similar problems such as over-permissive roles, no segmentation, over-scoped secrets, and lack of alerting. It’s important for companies to remember they have security responsibilities in the cloud as well.

Article link: https://www.darkreading.com/application-security/software-development-pipelines-cybercriminals-free-range-access-cloud-on-prem

By Lieutenant Commander Derek Bernsen, U.S. Navy

August 2022 Proceedings Vol. 148/8/1,434

The Navy is currently the least capable military service for cyber operations and security. While the first computer network attack capabilitiesoriginated from the Navy in the 1970s and 80s, the service has since backslid into mediocrity. Even the House Armed Services Committee (HASC) has noticedand included provisions in the draft 2023 National Defense Authorization Act to force an overhaul of Navy cyber.

The problems in Navy cyber communities and commands—and with its cyber concepts—result in a negative feedback loop. The Navy does not have sufficient cyber capabilities and forces, and instead relies on joint and other services. The Navy is also the only military branch without service-retained offensive cyber units—without which cyber personnel have limited ability to show their value to the fleet. Because of this, Navy leaders are left wondering why cyber is important to Navy missions, and how to integrate cyber into existing capabilities. This leaves Navy cyber sidelined, unsupported, and unable to directly integrate into Navy warfighting capabilities beyond joint operations. Our maritime adversaries understand cyber as a key component in warfare, so it is imperative the Navy fix the feedback loop stemming from these areas.

Problems with the Cyber Community

The Navy’s undervaluation of and apathetic approach to cyber has created a negative feedback loop within its community. Structural community issues (as I explained in my earlier article here) showcase a community struggling to grow.

Recent naval investments in cyber have been theater at best. For example, creating the cyber operations major at the U.S. Naval Academy (along with a $143 million cyber building), while preventing midshipman completing the cyber operations major from commissioning as cyber warfare engineers (CWEs). In 2022, the Academy only graduated four midshipmen skilled enough to be selected as CWEs—all computer science majors. Only two of those four were permitted to become CWEs. The others two were initially forced into surface warfare and aviation communities. A third was later allowed to become a CWE due to a medical disqualification. Meanwhile, the Marine Corps selected seven Naval Academy graduates for its cyber community, and the Army selected 40 West Point graduates for its cyber community. This was after Congress was told in 2018 that the Navy’s investment at the Academy would yield 30 CWEs each year. Thus far, there have only been six.

The Navy’s actions have made it clear that it would prefer to have computer science and cyber operations majors fill arbitrary billets in warfare communities unable to meet their retention requirementsrather than do what they were trained for—protect U.S. interests in cyberspace. While not all graduates would want a cyber career over another operational community, clearly those that endure the rigorous CWE accessions process desire such a career and are placed elsewhere.

No Real Cyber Commands

Compounding personnel problems, Navy information warfare community (IWC) commands are not structured to support cyber. Unlike their counterparts in the other services, such as the Army’s 915th Cyber Warfare Battalion, Navy units do not conduct offensive cyber operations. While Chief of Naval Operations Admiral Michael Gilday recognized this discrepancy and called for service-retained cyber forces and capabilities in the form of tactical cyber units, the Navy has yet to establish one. While the Navy does have a few dedicated cyber protection teams conducting defensive operations, it lacks any Navy personnel conducting offensive cyber operations for Navy missions. This feeds a perception among Navy leaders that cyber is a joint mission and that the service gets little to no benefit for supporting joint offensive cyber operations. Anything the Navy does to improve its cyber training and manning pipeline will not contribute to the Navy’s mission.

Navy Cyber Warfare Development Group (NCWDG) appears to be the exception, but it is plagued by similar joint issues. The name “Cyber Warfare Development Group” may lead readers to believe that NCWDG is solely cyber focused. But NCWDG is a multifaceted monster. Its components have competing responsibilities including research and development, acquisitions, special technical capabilities, and coordinating work with all national level agencies for not just cyber, but for all cryptologic functions. Additionally, NCWDG is responsible for planning and executing U.S. Title 10 (defense) and Title 50 (intelligence) information warfare and cyber operations, is a force provider to the cyber mission force, and operates the Navy’s signals analysis labs.¹ It is simply doing too much to focus on cyber. On top of this, because the NCWDG commander must be an acquisitions professional, it is rarely led by someone with relevant cyber operations expertise. NCWDG is good despite its structure, not because of it.

Problems with the Navy’s Cyber Concept

Navy strategy on cyber is shortsighted, and Navy leaders are ill equipped to develop a more forward-looking strategy. This is because the Navy has no command with a single cyber focus contributing directly to a Navy mission.

The Navy has always been slow to adapt because of deeply ingrained cultural issues, stubborn adherence to outdated traditions, and a refusal to advance its thinking. Rear Admiral William S. Sims explained this in a 1921 addresson military conservatism to that year’s Naval War College graduates. He states, “arguments in favor of fundamentally new weapons have failed except those that resulted in shedding the blood of the unbelievers; that defeat alone has been accepted as a final demonstration.” For a domain that evolves as quickly as cyber does, this culture is doubly concerning.

In addition, Navy leaders lack technical depth in the cyber arena. It has become acceptable for leaders to say “I don’t understand cyber” in Congressional hearings. In addition, because few commands contribute cyber capabilities directly to Navy missions or focus solely on cyber, few Navy leaders see the true benefits of cyber or understand how cyber operations work in a military context. Thus, Navy leaders either get their understanding of cyber operations from hacker movie stereotypes, or do not think cyber adds any value to warfighting. Clearly Navy leaders have recognized this as they recently selected yet another aviator to lead Fleet Cyber Command rather than a flag officer from the cryptologic warfare communities, despite the fact that these communities notionally lead the Navy’s cyber missions.

The 2023 Draft NDAA Proposal

Congress is clearly frustrated and has recently stepped in via provisions in the draft 2023 NDAA to force change in Navy cyber. Specifically, HASC has included language to “establish a cyber warfare operations designator . . . separate from the [CWO],” “establish cyberspace operations as a military discipline that is a separate community from the [IWC],” and prohibit non-cyber personnel from working in cyber fields. These provisions, if passed, will make a huge impact, but there is still room for interpretation on implementation. The Navy must consider how it implements these carefully or risk continuing stagnation.

If the NDAA passes with its current or similar language, the Navy must remove cyber tasks from the CWO and IP communities, allowing them to refocus on their traditional areas of expertise. While the IP community has traditionally filled cyber roles (e.g., red/blue teams, computer network defense, etc) and non-cyber IT roles (e.g. system/network administration, infrastructure maintenance, IT account management, etc), the establishment of a cyber designator, as described in the NDAA, necessitates consolidating all cyber roles in one community. The next step is to deliberately nurture its technical communities, and this can be done in one of two ways. The Navy can either make the CWE community responsible for everything cyber, or split cyber to empower the CWE community while also establishing a cyber operations officer (COO) community for less technical roles.

The all-CWE option ensures the Navy has the best cyber personnel in every role. Expanding the CWE community to take full control, responsibility, and accountability for cyber operations ensures that every CWE officer has a deep technical understanding and cyber-focused experiences, making it the best long-term solution. All cyber jobs benefit from a technical background, even if they are less technically demanding. Growing a community with a deep technical foundation will enable the Navy to conduct maritime cyber operations and develop concepts to bring it back to the cutting edge and lead in the cyber domain.

A COO community would, unlike the current cryptologic warfare community, be wholly focused on cyber and receive technical training, but would focus on the less technically demanding roles in cyber. This community would fill a large portion of cyber roles while allowing the CWEs to modestly expand, remaining an elite and lean community. This builds two communities with technical backgrounds—one focused on pushing the cutting edge and another on the less-technical day-to-day cyber work (e.g., system administration) and community management (e.g. detailing). The Navy would still need to grow the CWE community and foster a relationship between CWEs and COOs. While COOs may get enough focus to be capable in cyber, they would need to know when to call on CWEs for their technical insight. Leadership roles must be shared by the two communities. For example, a COO leadership role must be accompanied by a CWE deputy and vice versa to take advantage of their complementary skills. Failure to align these two communities would result in short-term improvement but long-term stagnation.

If given the choice, the Navy should opt for growing the CWE community and include their rigorous accessions process and strict technical depth. The potential pitfalls of a less technical COO community are too great and would result in Congress being forced to take another heavy-handed move to solve a problem the Navy will not address on its own.

New Cyber Commands

The Navy should establish new commands that focus solely on cyber. Creating service-retained cyber units whose sole responsibility is some aspect of cyberspace operations creates a foundation to build genuine expertise. Commands that already exist in this space, such as NCWDG, should split themselves into more focused commands. There is even precedent for this given Navy Information Operations Command Maryland’s split in 2017. Navy units whose sole mission is cyber are required to develop concepts and capabilities for maritime cyber—something joint and other service units have no reason to prioritize.

Eventually, cyber will need to be integrated with units across the various other Navy warfare domains (surface, subsurface, special warfare, etc.) to maximize the cross-over advantages of cyber effects. Doing so before building dedicated cyber units that regularly produce experts will not be successful. Instead, dedicated cyber units should be where cyber professionals first cut their teeth before being attached to other units to employ their expertise.

Just as the Navy does not request the Air Force’s permission to fly planes, the Navy needs its own capabilities to operate without requesting to use joint or other service capabilities and personnel. Dedicated Navy defenders will be more experienced with the Navy networks and systems. Similarly, offensive professionals would be intimately familiar with the intricacies of maritime cyber and be able to develop capabilities and conduct tailored cyberspace operations. Dedicated cyber units enable cyber professionals to command and lead these units. Placing talented cyber leaders in charge of these units will set conditions for greater capability and community growth than allowing non-cyber personnel to command.

Alternate Concept Solutions

Time is needed to grow and refine concepts. It is understandable for national and naval leaders to demand to be shown why they should invest in cyber. Yet there is a chicken-and-egg problem without the correct alignment of personnel, structures, and concepts. The Navy needs to rethink the timeline it expects to see results outside of classified spaces and what it can do to support those results. Special operations forces (SOF) are beginning to see the benefits because they have begun to invest in cyber. CWEs have already proven their potential impact with SOF at demonstrations. The impact can go beyond demonstrations, but the Navy must set conditions for it to happen.

Correctly aligning cyber communities and commands will help the Navy develop new concepts for employing maritime cyber operations. Though most cyber operations will continue to be conducted remotely, there are opportunities for conducting close-access cyber operationsthrough working with SOF or from various naval platforms. The cryptologic warfare community has had decades to develop these concepts but has failed to do so. The fewadvancements in the past decade have been led by CWEs, though naturally most are classified.

The Navy’s ability to go anywhere and maintain a significant dwell time poses a great opportunity for initial access, which is the largest obstacle to offensive operations. The Navy must embrace cyber as a domain and capability to be used against maritime targets, such as hacking enemy warships and forcing their engines to seize up or hacking foreign antiship cruise missile systems preventing them from being launched as a strike group conducts operations. Defensively, concepts for maritime cyber that must be expanded include protectingwarships from cyber attacks, decoupled and modular systems so the Navy can get rid of its Windows XP machines, and inter-ship network defenses. The Navy—and much of the government—has a scarcity mindset that regards cyber capabilities as too expensive and sensitive to ever be used. This mindset must change to empower the people tasked with developing and operating these capabilities. The Navy needs to shift its Overton window to align with the realities of cyber and embrace lower equity cyber capabilities.

Finally, the Navy must hold its civilian and uniformed cyber personnel accountable for results. It must send the message that cyber is important enough that if you fail, you will get fired.

Consequences of Inaction

If the Navy cannot prioritize cyber, then it must divest itself entirely of cyber warfare. Maintaining a mediocre cyber force is a waste, so the Navy must choose to go all-in or all-out. Divesting may force the DoD to create an independent U.S. cyber force, but that would mean the Navy would forever lack the ability to conduct maritime cyber or develop tailored cyber concepts and capabilities.

No Admiral Sims is coming to save Navy cyber. The Navy must make tough decisions to create an environment in which it can again be a top cyber player. Overhauling the responsible communities, reorganizing commands so cyber is not an after-thought, and setting conditions for refreshed concepts of maritime cyber are all critical. If the Navy does not follow this path, then it must exercise a truly drastic plan: sacrifice any opportunity to ever again be a capable cyber player and give its full support to the creation of an independent cyber service. The one thing truly unacceptable is to stay the course and accept mediocrity in cyber.

1. U.S. Navy, Navy Cyber Warfare Development Group Instruction 3120.1C, NCWDG Standard Organization and Regulations Manual (18 February 2021).

Article link: https://www.usni.org/magazines/proceedings/2022/august/navy-needs-cyber-course-correction

Lieutenant Commander Derek Bernsen, U.S. Navy

Lieutenant Commander Bernsen is a cyber warfare engineer officer who recently transferred to the U.S. Navy Reserve. He has a master’s degree in computer science from Georgia Tech and is a graduate of The Citadel.

MORE STORIES FROM THIS AUTHORVIEW BIOGRAPHY

By CHRIS RIOTTAAUGUST 1, 2022

The proposal would establish baseline safeguards for cybersecurity and physical issues like natural disasters

A group of bipartisan senators have introduced legislation to establish baseline cybersecurity requirements and new protections against catastrophic weather-related disasters for federal data centers across the country.

The Federal Data Center Enhancement Act of 2022 tasks the Office of Management and Budget with establishing standardized cybersecurity requirements for the federal facilities, which host some of the nation’s most sensitive information technology and cybersecurity infrastructure.

OMB will have 180 days to provide new minimum requirements for data centers under the legislation, which includes specific calls for information security protections and safeguards against power failures, natural disasters and intrusions. The bill also instructs OMB to work with the Cybersecurity and Infrastructure Security Agency and the National cyber director’s office to establish the requirements, as well as consult with the General Services Administration and the Federal Chief Information Officers Council.

Sen. Gary Peters (D-Mich.), chairman of the Senate Homeland Security and Governmental Affairs Committee, noted the responsibility federal data centers have to protect data like Social Security and credit card information in a statement after the bill was introduced on Friday.

“The federal government is responsible for storing considerable amounts of sensitive and personal information,” he said, adding: “We must ensure this data is stored securely and used in a way that does not violate civil rights and liberties.”

Peters introduced the bill along with Sen. Jacky Rosen (D-Nev.) and Sen. John Cornyn (R-Tex.). 

The bill seeks to build on recent efforts to close and consolidate federal data centers: over 6,000 facilities have been consolidated since 2010, a trend that has resulted in an estimated $5.8 billion in cost savings and cost avoidance, according to a copy of the bill obtained by FCW. 

Agency leaders will be tasked with regularly assessing their data center usage to help determine whether to continue operating a data center, and to ensure legacy systems are updated, modern technologies are employed and the facility is overall optimized and secure against potential vulnerabilities. 

“The sensitive information stored on federal systems cannot be left open to vulnerabilities like cyberattacks or natural disasters,” Cornyn said in a statement. “This legislation would help secure federal data and encourage optimization, which will save taxpayer dollars and protect Americans who entrust their information to the federal government.”

Rosen also noted the “increasing threat of cyberattacks and natural disasters” in a statement and said the bill “will enact a new set of security and resiliency standards” to protect data.

Article link: https://fcw.com/security/2022/08/senators-introduce-bill-ensure-resiliency-federal-data-centers/375219/