healthcarereimagined

Envisioning healthcare for the 21st century


The 15 Diseases of Leadership, According to Pope Francis – HBR

Posted by timmreardon on 02/12/2024
Posted in: Uncategorized.

by Gary Hamel

April 14, 2015

Summary.

Pope Francis has not tried to hide his desire to radically reform the administrative structures of the Catholic Church, which he sees as imperious and insular. The Church is, essentially, a bureaucracy, full of good-hearted but imperfect people – not much different than any organization, making the Pope’s counsel relevant for leaders everywhere. Pope Francis’s 2014 address of the Roman Curia can be translated into corporate-speak. It identifies 15 “diseases” of leadership that can weaken the effectiveness of any organization. These diseases include excessive busyness that neglects the need for rest, and mental and emotional “petrification” that prevents compassion and humility. The Pope also warns against poor coordination, losing a sense of community by failing to work together. A set of questions corresponding to the 15 diseases can help you determine if you are a “healthy” leader.

Pope Francis has made no secret of his intention to radically reform the administrative structures of the Catholic church, which he regards as insular, imperious, and bureaucratic. He understands that in a hyper-kinetic world, inward-looking and self-obsessed leaders are a liability.

Last year, just before Christmas, the Pope addressed the leaders of the Roman Curia — the Cardinals and other officials who are charged with running the church’s byzantine network of administrative bodies. The Pope’s message to his colleagues was blunt. Leaders are susceptible to an array of debilitating maladies, including arrogance, intolerance, myopia, and pettiness. When those diseases go untreated, the organization itself is enfeebled. To have a healthy church, we need healthy leaders.

Through the years, I’ve heard dozens of management experts enumerate the qualities of great leaders. Seldom, though, do they speak plainly about the “diseases” of leadership. The Pope is more forthright. He understands that as human beings we have certain proclivities — not all of them noble. Nevertheless, leaders should be held to a high standard, since their scope of influence makes their ailments particularly infectious.

The Catholic Church is a bureaucracy: a hierarchy populated by good-hearted, but less-than-perfect souls. In that sense, it’s not much different than your organization. That’s why the Pope’s counsel is relevant to leaders everywhere.

With that in mind, I spent a couple of hours translating the Pope’s address into something a little closer to corporate-speak. (I don’t know if there’s a prohibition on paraphrasing Papal pronouncements, but since I’m not Catholic, I’m willing to take the risk.)

Herewith, then, the Pope (more or less):

The leadership team is called constantly to improve and to grow in rapport and wisdom, in order to carry out fully its mission. And yet, like any body, like any human body, it is also exposed to diseases, malfunctioning, infirmity. Here I would like to mention some of these “[leadership] diseases.” They are diseases and temptations which can dangerously weaken the effectiveness of any organization.

  1. The disease of thinking we are immortal, immune, or downright indispensable, [and therefore] neglecting the need for regular check-ups. A leadership team which is not self-critical, which does not keep up with things, which does not seek to be more fit, is a sick body. A simple visit to the cemetery might help us see the names of many people who thought they were immortal, immune, and indispensable! It is the disease of those who turn into lords and masters, who think of themselves as above others and not at their service. It is the pathology of power and comes from a superiority complex, from a narcissism which passionately gazes at its own image and does not see the face of others, especially the weakest and those most in need. The antidote to this plague is humility; to say heartily, “I am merely a servant. I have only done what was my duty.”
  2. Another disease is excessive busyness. It is found in those who immerse themselves in work and inevitably neglect to “rest a while.” Neglecting needed rest leads to stress and agitation. A time of rest, for those who have completed their work, is necessary, obligatory and should be taken seriously: by spending time with one’s family and respecting holidays as moments for recharging.
  3. Then there is the disease of mental and [emotional] “petrification.” It is found in leaders who have a heart of stone, the “stiff-necked;” in those who in the course of time lose their interior serenity, alertness and daring, and hide under a pile of papers, turning into paper pushers and not men and women of compassion. It is dangerous to lose the human sensitivity that enables us to weep with those who weep and to rejoice with those who rejoice! Because as time goes on, our hearts grow hard and become incapable of loving all those around us. Being a humane leader means having the sentiments of humility and unselfishness, of detachment and generosity.
  4. The disease of excessive planning and of functionalism. When a leader plans everything down to the last detail and believes that with perfect planning things will fall into place, he or she becomes an accountant or an office manager. Things need to be prepared well, but without ever falling into the temptation of trying to eliminate spontaneity and serendipity, which is always more flexible than any human planning. We contract this disease because it is easy and comfortable to settle in our own sedentary and unchanging ways.
  5. The disease of poor coordination. Once leaders lose a sense of community among themselves, the body loses its harmonious functioning and its equilibrium; it then becomes an orchestra that produces noise: its members do not work together and lose the spirit of camaraderie and teamwork. When the foot says to the arm: ‘I don’t need you,’ or the hand says to the head, ‘I’m in charge,’ they create discomfort and parochialism.
  6. There is also a sort of “leadership Alzheimer’s disease.” It consists in losing the memory of those who nurtured, mentored and supported us in our own journeys. We see this in those who have lost the memory of their encounters with the great leaders who inspired them; in those who are completely caught up in the present moment, in their passions, whims and obsessions; in those who build walls and routines around themselves, and thus become more and more the slaves of idols carved by their own hands.
  7. The disease of rivalry and vainglory. When appearances, our perks, and our titles become the primary object in life, we forget our fundamental duty as leaders—to “do nothing from selfishness or conceit but in humility count others better than ourselves.” [As leaders, we must] look not only to [our] own interests, but also to the interests of others.
  8. The disease of existential schizophrenia. This is the disease of those who live a double life, the fruit of that hypocrisy typical of the mediocre and of a progressive emotional emptiness which no [accomplishment or] title can fill. It is a disease which often strikes those who are no longer directly in touch with customers and “ordinary” employees, and restrict themselves to bureaucratic matters, thus losing contact with reality, with concrete people.
  9. The disease of gossiping, grumbling, and back-biting. This is a grave illness which begins simply, perhaps even in small talk, and takes over a person, making him become a “sower of weeds” and in many cases, a cold-blooded killer of the good name of colleagues. It is the disease of cowardly persons who lack the courage to speak out directly, but instead speak behind other people’s backs. Let us be on our guard against the terrorism of gossip!
  10. The disease of idolizing superiors. This is the disease of those who court their superiors in the hope of gaining their favor. They are victims of careerism and opportunism; they honor persons [rather than the larger mission of the organization]. They think only of what they can get and not of what they should give; small-minded persons, unhappy and inspired only by their own lethal selfishness. Superiors themselves can be affected by this disease, when they try to obtain the submission, loyalty and psychological dependency of their subordinates, but the end result is unhealthy complicity.
  11. The disease of indifference to others. This is where each leader thinks only of himself or herself, and loses the sincerity and warmth of [genuine] human relationships. This can happen in many ways: When the most knowledgeable person does not put that knowledge at the service of less knowledgeable colleagues, when you learn something and then keep it to yourself rather than sharing it in a helpful way with others; when out of jealousy or deceit you take joy in seeing others fall instead of helping them up and encouraging them.
  12. The disease of a downcast face. You see this disease in those glum and dour persons who think that to be serious you have to put on a face of melancholy and severity, and treat others—especially those we consider our inferiors—with rigor, brusqueness and arrogance. In fact, a show of severity and sterile pessimism are frequently symptoms of fear and insecurity. A leader must make an effort to be courteous, serene, enthusiastic and joyful, a person who transmits joy everywhere he goes. A happy heart radiates an infectious joy: it is immediately evident! So a leader should never lose that joyful, humorous and even self-deprecating spirit which makes people amiable even in difficult situations. How beneficial is a good dose of humor! …
  13. The disease of hoarding. This occurs when a leader tries to fill an existential void in his or her heart by accumulating material goods, not out of need but only in order to feel secure. The fact is that we are not able to bring material goods with us when we leave this life, since “the winding sheet does not have pockets” and all our treasures will never be able to fill that void; instead, they will only make it deeper and more demanding. Accumulating goods only burdens and inexorably slows down the journey!
  14. The disease of closed circles, where belonging to a clique becomes more powerful than our shared identity. This disease too always begins with good intentions, but with the passing of time it enslaves its members and becomes a cancer which threatens the harmony of the organization and causes immense evil, especially to those we treat as outsiders. “Friendly fire” from our fellow soldiers, is the most insidious danger. It is the evil which strikes from within. As it says in the bible, “Every kingdom divided against itself is laid waste.”
  15. Lastly: the disease of extravagance and self-exhibition. This happens when a leader turns his or her service into power, and uses that power for material gain, or to acquire even greater power. This is the disease of persons who insatiably try to accumulate power and to this end are ready to slander, defame and discredit others; who put themselves on display to show that they are more capable than others. This disease does great harm because it leads people to justify the use of any means whatsoever to attain their goal, often in the name of justice and transparency! Here I remember a leader who used to call journalists to tell and invent private and confidential matters involving his colleagues. The only thing he was concerned about was being able to see himself on the front page, since this made him feel powerful and glamorous, while causing great harm to others and to the organization.

Friends, these diseases are a danger for every leader and every organization, and they can strike at the individual and the community levels.

____________________

So, are you a healthy leader? Use the Pope’s inventory of leadership maladies to find out. Ask yourself, on a scale of 1 to 5, to what extent do I . . .

  • Feel superior to those who work for me?
  • Demonstrate an imbalance between work and other areas of life?
  • Substitute formality for true human intimacy?
  • Rely too much on plans and not enough on intuition and improvisation?
  • Spend too little time breaking silos and building bridges?
  • Fail to regularly acknowledge the debt I owe to my mentors and to others?
  • Take too much satisfaction in my perks and privileges?
  • Isolate myself from customers and first-level employees?
  • Denigrate the motives and accomplishments of others?
  • Exhibit or encourage undue deference and servility?
  • Put my own success ahead of the success of others?
  • Fail to cultivate a fun and joy-filled work environment?
  • Exhibit selfishness when it comes to sharing rewards and praise?
  • Encourage parochialism rather than community?
  • Behave in ways that seem egocentric to those around me?

As in all health matters, it’s good to get a second or third opinion. Ask your colleagues to score you on the same fifteen items. Don’t be surprised if they say, “Gee boss, you’re not looking too good today.” Like a battery of medical tests, these questions can help you zero in on opportunities to prevent disease and improve your health. A Papal leadership assessment may seem like a bit of a stretch. But remember: the responsibilities you hold as a leader, and the influence you have over others’ lives, can be profound. Why not turn to the Pope — a spiritual leader of leaders — for wisdom and advice?

Gary Hamel is a visiting professor at London Business School and the founder of the Management Lab. He is a coauthor of Humanocracy: Creating Organizations as Amazing as the People Inside Them (Harvard Business Review Press, 2020).

Article link: https://hbr.org/2015/04/the-15-diseases-of-leadership-according-to-pope-francis

Holistic examination of the next iteration of US Cyber Command underway – DefenseScoop

Posted by timmreardon on 02/11/2024
Posted in: Uncategorized.

Officials are conducting a top-to-bottom review with an eye toward Cybercom 2.0.

By Mark Pomerleau

JANUARY 31, 2024

FORT MEADE, Md. — U.S. Cyber Command is in the midst of a holistic top-to-bottom review to reshape its organization and forces and ensure it’s best postured to deal with threats in a highly dynamic environment.

Officials are dubbing the review Cybercom 2.0.

“As we’re trying to look at the future of U.S. Cyber Command, I want to have a bold move forward,” Gen. Paul Nakasone, commander of Cybercom and director of the NSA, told reporters during a media roundtable at Fort Meade. Nakasone is set to retire Friday following a change-of-command ceremony where he will pass the torch to Lt. Gen. Timothy Haugh, who will pin on his fourth star.

The command, now just north of 10 years old, was built on many principles of its time a decade ago. The domain it operates in is so dynamic that many of these tenets are now outdated.

For example, the cyber mission force — the teams each service provides to Cybercom to conduct offensive and defensive operations — was designed around 2012, built from 2013 to 2016, and reached full operational capability in 2018.

At the time, according to declassified task orders that were unearthed via the Freedom of Information Act by the National Security Archive at George Washington University, the priority was to get the teams formed, built quickly and rely as much as possible on NSA support.

“Given the increasing threats to our nation’s critical infrastructure and DoD networks, it is imperative that we establish, train, and employ equipped cyber mission forces as expeditiously as possible. We must get these forces in position now—these teams will be prepared to defend the nation, provide support to combatant commanders, and to provide active defense of key terrain on critical networks,” a task order from March 2013 read. “We will establish immediate operational capability during FY13 by effectively task organizing our available personnel into [REDACTED] effective, combat-ready teams, positioned in the best locations for mission success, and with a command and control structure in place to direct successful operations.”

The order goes on to state that while the initial focus was on establishing combat-ready teams quickly and efficiently, they would keep the end-state force posture in mind.

Those teams and their structures have not been holistically relooked or reexamined since then, with new teams being added to the initial 133 for the first time in the president’s fiscal 2022 budget request. For example, Nakasone said those teams were built with a different understanding of the world in 2012, with a counterterror focus and when Iranian financial system cyber disruptions were one of the main threats of the day — long before the shift back to great power competition with nations such as China.

Many of the manning numbers of personnel and teams were arbitrary given the quantity of forces the services had available at the time and to justify the need to Department of Defense leadership, according to former officials.

There were calls and expectations in the past to relook the team structure and reexamine how the force trains and acquires capabilities — particularly after the cyber mission force reached full operational capability in 2018 — however, the remedy for many years had been to task organize for particular missions or break teams into smaller elements.

During the build, for instance, Cybercom leadership locked in the structure and didn’t want to tweak the teams so as not to appear as if they were moving the bar on the services until they reached full operational capability.

There wasn’t another model to emulate when building these teams, and so experts have said it’s no surprise they didn’t get everything right.

Additionally, Cybercom relied very heavily on NSA personnel and equipment as it grew. As a military organization, it needs its own military-specific systems separate from intelligence systems. As a result, it wants the ability to acquire and manage those capabilities much like the rest of the military develops platforms to conduct operations.

The command, in partnership with other elements of the DOD, is working hard at a holistic reexamination to better posture the command and its forces.

“I think all options are on the table except status quo,” Nakasone said during an INSA event in December. “We built our force in 2012 and 2013. We’ve had tremendous experience, but scope, scale, sophistication and the threat has changed, the private sector has changed, our partners have changed. I think that we’ve got to be able to take a look at how we’re going to change as well.”

A cross-functional team consisting of a group of experts has been convened to discuss how the command can think about how its authorities, training, personnel and acquisitions can be done differently.

In fact, a problem statement regarding what they’re seeking to examine was approved this weekend, though Nakasone declined to provide details.

“We’ve got to think boldly about such things as how we do training and how we might do personnel processes that are different,” Nakasone said.

Why now?

Sources indicated it’s been over 10 years since the command was created and they want to update the vision, force structure and doctrine. There are also now personnel at the top levels of leadership that have been around the command for years — such as Haugh and incoming deputy commander Lt. Gen. William “Joe” Hartman — with a lot of knowledge of the domain, making this a good opportunity for a revamp.

Now is the right time to begin looking at what the next iteration of Cybercom is for several reasons, Nakasone said.

In the fiscal 2023 National Defense Authorization Act, Congress directed several studies and examinations of the department, which include a force generation study due in June examining the responsibilities of the services for organizing, training and presenting the total force to Cybercom, among seven other elements. Additionally, there are 14 new teams that are slated to be built over the course of the next five years. Moreover, since 2018, when the department gained new authorities to conduct cyber operations, a lot of lessons have been learned from those operations as well as election defense, ransomware, the Russia-Ukraine conflict and other issues.

“We haven’t done this, I think, really since we started up the force. And I think this is the right time,” Nakasone said of the confluence of these circumstances leading to 2024 being the best opportunity to reexamine the command.

Other officials have noted that the variety of studies Congress has asked for provides a good opportunity to package these key questions together and provide the secretary of defense with several options for the future evolution of the command.

“The Congress has laid on really multiple studies over the past few years to look at what things should the department do or could be doing to improve our ability to generate cyber forces, train cyber forces, retain cyber forces for maximum effect,” John Plumb, assistant secretary of defense for space policy, who also serves as the principal cyber advisor to the secretary of defense, told reporters in January. “We have been slowly working through various options. And the question is like, how much would need to change? What should you look at? … What are we after for readiness? How can we make readiness better?”

He noted as they look at all the things that are coming, the team knows they have to present the secretary a set of options related to this large, significant study and find the best recommendations to present a more comprehensive set of options as opposed to doing them one at a time.

Nakasone noted how 2018 was a watershed year for the command when it gained new authorities through executive policy changes, congressional legal changes and clarifications.

“That leads us to a whole heck of a lot of operations, so from 2018, forward to now, the number of operations is sky high, which means there’s a lot of data, in terms of what’s going on,” he said.  

Prior to that point there were only a handful of operations that had taken place because there was a bias for inaction, meaning there wasn’t a lot of data regarding how effective the team structure and personnel were.

This led to the paradigm shift toward persistent engagement, which encompasses challenging adversary activities daily and wherever they operate. Nakasone noted that is something the command got right and must continue to operate.

“You have to have persistent engagement. If you’re on the sidelines watching this, you’re going to get hit. That’s why I think it’s so important for our forces worldwide to be able to be engaged, and being able to act and understand what our adversaries are doing,” Nakasone said. “Being able to continue to operate day in and day out, this is how you get really good. You operate in the domain. This is what Special Operations Command has taught us, right? Continued operations build proficiency and professionalism. We’re going to need that. I think a lot about that piece, in terms of where Cyber Command is going.”

Similarly, the command has fashioned itself off the Socom model even though it was initially under U.S. Strategic Command, which is in charge of the military’s nuclear weapons.

Another turning point in Cybercom’s history happened in 2020 when Nakasone asked for more service-like authorities from the secretary of defense similar to Socom. He also asked for more teams and a reposturing of teams from counterterrorism to be more aligned against China and Russia.

This included enhanced budget authority, which provides direct control and management of planning, programming, budgeting and execution of the resources to maintain the cyber mission force.

Many of these changes will also affect the services and how they present their forces to the command.

“I’m a pretty demanding customer with the services. I just want their best and I want it all the time. They have been very, very supportive, in terms of what’s gone on, but I will tell you that we operate in a domain that requires a longer dwell time for our soldiers, sailors, airmen and Marines, than the constant movement,” Nakasone said. “I think that this has been a concern that I’ve expressed that I think is one of the things that we’re going to have to deal with in the future.”

Nakasone recognized that the services have to provide a number of different forces to combatant commands, with Cybercom being one of them. They have to balance their readiness needs as well. However, he was aware that it’s his job as the commander of Cybercom to talk about why this domain is unique and why there is a need to consider recruiting, retention, or assignment policies differently than in the past.

This has also led to calls for an independent cyber service — akin to the Army, Navy, Marine Corps, Air Force and Space Force — which have intensified over the last year.

Proponents of an independent cyber service argue that cyber operators have no distinct identity — as they are still members of their respective services — there are readiness issues associated with each service resourcing their cyber contributions differently, lexicon and pay scales are different, and the command-and-control structures are confusing. Moreover, they allege only an independent cyber force or service can solve key problems.

Congress had initially proposed an independent study on the matter, but it was cut out of the annual policy bill for fiscal 2024. Proponents have vowed to get it into the fiscal 2025 bill.

Nakasone has, at least publicly, remained neutral to this notion, offering that it’s a policy determination for the secretary of defense.

What could be done for the future force?

According to experts and sources, there could be more formal restructuring of teams — rather than task organizing for each mission — to break them into smaller elements.

The Cyber National Mission Force — a sub-unified command under Cybercom made up of 39 joint teams and thought to have the DOD’s most talented cyber operators that defend the nation from significant cyber threats, which Nakasone, Haugh and Hartman have all commanded — has significantly more flexibility than the combat mission teams that conduct offensive operations on behalf of combatant commands, and cyber protection teams that conduct defensive cyber ops. This is due to the fact it’s a smaller force and organized around six task forces. This allows them to be able to more accurately task organize based upon skill sets and readiness of personnel needed for certain missions.

That could be a possible model going forward. Having greater oversight of readiness of forces and skills through new tools the command is developing will help commanders be able to have better fidelity of what they’ll need at any given time to pluck personnel with skill sets required for operations.

Initially, cyber protection teams were made up of 39-person teams with five squads. That has evolved to smaller elements after what forces learned through operations and not having to deploy 39 people to address every problem. In the future, they could be split up even more to make additional teams.

Experts noted that everything is on the table and the planners involved are not going in with any pre-determined solutions to figure out what the best way forward will be.

“As Gen. Haugh takes over that he’ll take this forward to a briefing with policymakers then, ultimately, the SECDEF and say, ‘Hey, this is how we think the Cyber Command of the future needs to be able to rebuild today,’” Nakasone told reporters.

Written by Mark Pomerleau

Mark Pomerleau is a reporter for DefenseScoop, covering information warfare and cyberspace.

Article link: https://defensescoop.com/2024/01/31/cybercom-2-0-review-holistic-examination-underway/?

How One Person Can Change the Conscience of an Organization – HBR

Posted by timmreardon on 02/10/2024
Posted in: Uncategorized.

by Nicholas W. Eyrich, Robert E. Quinn, and David P. Fessell

December 27, 2019

Summary.

While corporate transformations are almost universally assumed to be top-down processes, in reality, middle managers and first-line supervisors can make significant change when they have the right mindset. Dr. Tadataka Yamada was one of dozens of executives the authors spoke to over the last several years to learn how one can succeed in making positive change in large organizations. His story shows many of the traits the authors observed in interviews. He had a clarity of conscience and was willing to speak up. He took every chance, even small ones, to hone his skills of challenging the status quo for the greater good. He didn’t let tough challenges gradually slip from focus because they were “too big” to tackle in the moment. Finally, he centered his purpose on helping those with less privilege.

In December 2000, when Dr. Tadataka Yamada became the new chairman of research and development at GlaxoSmithKline, he was horrified to learn that his company was a complainant in a lawsuit over access to drug therapies for HIV/AIDS patients. GSK was one of 39 pharmaceutical companies charging Nelson Mandela and the government of South Africa with violating price protections and intellectual property rights in their efforts to access lower priced antiretroviral drugs. Close to 25 percent of black South Africans were living with HIV/AIDS and at the time, antiretroviral therapies cost approximately $1000 per month—more than a third of the average South African’s annual salary, putting treatment out of reach for most patients.

Yamada held discussions with his research staff and quickly learned that he was not alone in his opposition to the lawsuit. The team wanted to be a part of the solution to global health issues, not party to a lawsuit preventing such drugs from reaching those in dire need, but they felt they lacked the power to change the company’s direction. Yamada felt differently. In one-on-one meetings with individual board members of GSK, he stressed the company’s moral responsibility to alleviate human suffering and tied it to the long-term success of the company. He stated that GSK can’t make medicines that save lives and then not allow people access to them. He noted the public relations disaster associated with the lawsuit, and set forth a vision, co-created by his team, for how GSK could also become a leader in the fight against TB and malaria, diseases that also were disproportionately impacting third-world populations. The external pressure did not abate, with protests against many drug companies around the world.

In April 2001, all 39 companies dropped the lawsuit against Nelson Mandela; GSK and others reduced the prices of antiretroviral drugs by 90% or more. Furthermore, under Yamada’s direction, one of GSK’s major laboratories in Tres Cantos, Spain, was converted into a profit-exempt laboratory that focused only on diseases in the developing world, including malaria and tuberculosis. Using his influence, Dr. Yamada also spurred GSK into allocating resources for affordable access to medications and development of future therapies. Subsequently, top executives at GSK became leaders in global health issues. Andrew Witty assumed the CEO position at GlaxoSmithKline in 2008 and became one of the leading spokespersons for global health in the pharmaceutical industry. Chris Viehbacher, corporate executive team member at GSK, subsequently became the CEO of Sanofi, and a champion of global health. Both have since partnered with the Gates Foundation on global health initiatives.

Most people would love to be a part of such an amazing turn of events, yet this kind of transformation doesn’t happen very often. While many helped with these efforts, what made it possible for Dr. Yamada to step forward with a steady voice and a sound vision? In several interviews with Dr. Yamada we identified four key mindsets that helped him catalyze this transformation.

The power of one.

A single person with a clarity of conscience and a willingness to speak up can make a difference. Contributing to the greater good is a deep and fundamental human need. When a leader, even a mid-level or lower level leader, skillfully brings a voice and a vision, others will follow and surprising things can happen—even culture change on a large scale. While Yamada did not set out to change a culture, his actions were catalytic and galvanized the organization. As news of the new “not for profit” focus of Tres Cantos spread, many of GSK’s top scientists volunteered to work there. Yamada’s voice spoke for many others, offering a clear path and a vision for a more positive future for all.

The power of sequential skill building.

Prior to GSK, Yamada had a lot of practice with smaller challenges, from caring for the most complex patients in the intensive care unit, to becoming a department head and national leader in his field. Along the way he also led other efforts to change the status quo by actively helping more African Americans and women to join the gastroenterology faculty at the University of Michigan. The lesson is not to underestimate any chance you have, even if small, to hone your skills of challenging the status quo for the greater good. Train your “courage for challenging convention” muscle consistently, so that it’s ready when needed. At GSK, he first invited the input of his team, ultimately resulting in the plan to convert the Tres Cantos laboratory to a “not for profit” disease focus. He did not wait for someone else to speak out first, or for a committee to be formed to study the issue. He had built the skills to quickly recognize the problem, and also to advocate for a better way—a way GSK could become a leader in the fight against diseases that might not be profitable but would help countless individuals in dire need.

The power of sustained focus and determination.

It’s easy to say, “This will take some doing; I’ll think about it later.” Combined with an unconscious “This could be dangerous for my career,” it can be easy for tough challenges to gradually slip from focus. Over time the unacceptable can become the norm, and the energy for change dissipates. But Yamada didn’t accept the unacceptable; his focus and determination were well honed. He emigrated from Japan as a teenager and entered the demanding field of medicine. Along the way he took up marathon running and edited a seminal 3440-page textbook of Gastroenterology, among many other achievements. Attacking challenges was not just an occasional adventure—it’s been a way of being, as well as a highly successful career path. Assuring success of the Tres Cantos lab was not accomplished with a simple signature on a document. The laboratory was initially funded by GSK with the expectation that the researchers would soon obtain external grants so the output from the lab would not have expectations of making a profit for GSK. Partnerships with many organizations and universities were also initiated and sustained to help support this work.

The power of using privilege to support people with less privilege.

While such a mindset is not required for transformation to occur, most would agree that it’s even better, and more rewarding, when transformation also helps those with less privilege. Dr. Yamada, trained over many years in the “patient first” culture of medicine, had a well-honed awareness of the larger change he could bring because of his voice, and a vision for the positive impact GSK could bring to South Africa—and other countries in dire need of low cost, life-saving drugs to treat HIV, TB, and malaria. His team, and ultimately many others at GSK, shared a desire to help those less fortunate. The work done by the Tres Cantos lab continues to impact countless people in poverty suffering from TB, malaria, and many other diseases.

Speaking of the lawsuit that sparked his transformational leadership, Yamada said: “It was obvious we could reduce the price, but beyond that I felt it was really important for the company to make a commitment to making medicines for people where we might not make profit, but where we could have huge medical impact.”

With the support and efforts of many at GSK, this positive vision and pathway for action reverberated across the organization and helped energize a culture shift. The changes catalyzed by Yamada continued after he left GSK in 2006 to become President of the Global Health Program at the Bill and Melinda Gates Foundation. Today GSK is one of the top pharmaceutical companies for global drug access and global health initiatives. In just the past 3 years Tres Cantos researchers have co-authored over 100 scholarly research publications. The laboratory continues to provide independent researchers access to GSK facilities, expertise and resources to advance the understanding of diseases of the developing world.

Yamada was one of dozens of executives we spoke to over the last several years to learn how one can succeed in making positive change in large organizations. In these interviews, we heard accounts that reflect the mindsets Yamada described. In nearly every case we saw the power of one. In one example, a woman in a Fortune 50 company shared her experience in transforming her unit in Brazil. After being promoted to a senior position at headquarters, she saw the need for change, but the politics were more intense, and her previous experience seemed irrelevant. With unwavering focus, she pressed forward and succeeded. In reflecting on her success, she noted that challenging the status quo is a skill that one can develop, and it applies at every level. In another case, a woman in a Fortune 500 company was promoted to oversee a large but failing business line. The eight people who preceded her were all fired. She spent months examining the organization and formulated a strategic plan. It required serious work at the top. Her boss said no. Using all her acquired skills and courage, she led her boss until he was ready to change. The organization turned around.

These stories remind us that while corporate transformations are almost universally assumed to be top-down processes, in reality, middle managers, and first-line supervisors can make significant change when they have the right mindset.

Nicholas W. Eyrich is a graduate student at the University of Michigan Medical School.

Robert E. Quinn is a professor emeritus at the University of Michigan’s Ross School of Business and a cofounder of its Center for Positive Organizations.

David P. Fessell is an executive coach, faculty associate at the University of Michigan’s Ross School of Business, and a retired University of Michigan professor of radiology. He writes and speaks on positive psychology and emotional intelligence and is a graduate of the Second City Improv Conservatory.

Article link: https://hbr.org/2019/12/how-one-person-can-change-the-conscience-of-an-organization?

The World Economic Forum Global Risks Report 2024

Posted by timmreardon on 02/08/2024
Posted in: Uncategorized.

The world is changing fast – and so are the challenges we face.

The World Economic Forum has produced the Global Risks Report 2024 in partnership with Marsh McLennan and Zurich Insurance Group. Learn more: https://ow.ly/vv9X50QyQ0n


https://www.linkedin.com/posts/world-economic-forum_the-world-is-changing-fast-and-so-are-the-activity-7161383269446434816-VClX?

Humans may be more likely to believe disinformation generated by AI – MIT Technology Review

Posted by timmreardon on 02/06/2024
Posted in: Uncategorized.

The way AI models structure text may have something to do with it, according to the study authors.

By Rhiannon Williams

June 28, 2023

Disinformation generated by AI may be more convincing than disinformation written by humans, a new study suggests. 

The research found that people were 3% less likely to spot false tweets generated by AI than those written by humans.

That credibility gap, while small, is concerning given that the problem of AI-generated disinformation seems poised to grow significantly, says Giovanni Spitale, the researcher at the University of Zurich who led the study, which appeared in Science Advances today.

“The fact that AI-generated disinformation is not only cheaper and faster, but also more effective, gives me nightmares,” he says. He believes that if the team repeated the study with the latest large language model from OpenAI, GPT-4, the difference would be even bigger, given how much more powerful GPT-4 is. 

To test our susceptibility to different types of text, the researchers chose common disinformation topics, including climate change and covid. Then they asked OpenAI’s large language model GPT-3 to generate 10 true tweets and 10 false ones, and collected a random sample of both true and false tweets from Twitter. 

Next, they recruited 697 people to complete an online quiz judging whether tweets were generated by AI or collected from Twitter, and whether they were accurate or contained disinformation. They found that participants were 3% less likely to believe human-written false tweets than AI-written ones. 

The researchers are unsure why people may be more likely to believe tweets written by AI. But the way in which GPT-3 orders information could have something to do with it, according to Spitale. 

“GPT-3’s text tends to be a bit more structured when compared to organic [human-written] text,” he says. “But it’s also condensed, so it’s easier to process.”

The generative AI boom puts powerful, accessible AI tools in the hands of everyone, including bad actors. Models like GPT-3 can generate incorrect text that appears convincing, which could be used to generate false narratives quickly and cheaply for conspiracy theorists and disinformation campaigns. The weapons to fight the problem—AI text-detection tools—are still in the early stages of development, and many are not entirely accurate. 

OpenAI is aware that its AI tools could be weaponized to produce large-scale disinformation campaigns. Although this violates its policies, it released a report in January warning that it’s “all but impossible to ensure that large language models are never used to generate disinformation.” OpenAI did not immediately respond to a request for comment.

However, the company has also urged caution when it comes to overestimating the impact of disinformation campaigns. Further research is needed to determine the populations at greatest risk from AI-generated inauthentic content, as well as the relationship between AI model size and the overall performance or persuasiveness of its output, the authors of OpenAI’s report say. 

It’s too early to panic, says Jon Roozenbeek, a postdoc researcher who studies misinformation at the department of psychology at the University of Cambridge, who was not involved in the study. 

Although distributing disinformation online may be easier and cheaper with AI than with human-staffed troll farms, moderation on tech platforms and automated detection systems are still obstacles to its spread, he says. 

“Just because AI makes it easier to write a tweet that might be slightly more persuasive than whatever some poor sap in some factory in St. Petersburg came up with, it doesn’t necessarily mean that all of a sudden everyone is ripe to be manipulated,” he adds.

Article link: https://www-technologyreview-com.cdn.ampproject.org/c/s/www.technologyreview.com/2023/06/28/1075683/humans-may-be-more-likely-to-believe-disinformation-generated-by-ai/amp/

NSF launches AI resource pilot to spur US innovation – Nextgov

Posted by timmreardon on 02/04/2024
Posted in: Uncategorized.

By Alexandra Kelley, January 24, 2024

Nine other federal agencies and several private sector entities have signed on to support the program.

The National Science Foundation launched the National Artificial Intelligence Research Resource pilot on Wednesday, marking the federal government’s first step in working to democratize widespread access to key components of artificial intelligence technologies. 

Announced on Wednesday, the pilot program aims to promote the Biden administration’s goal of establishing the U.S. as a leader in AI innovation by making federal resources — including advanced computing, datasets, training models, software assistants and user support — open and publicly accessible. 

Immediate goals for the NAIRR pilot are to cultivate an AI-ready workforce and bridge socioeconomic gaps to provide quality AI training and education materials to all corners of the U.S.

“The NAIRR pilot is really needed because the resources needed to even begin participating in the ecosystem have become increasingly concentrated and inaccessible to many, many communities that are really essential for developing a healthy and responsible AI ecosystem,” Katie Antypas, director of the NSF’s Office of Advanced Cyberinfrastructure, said during a press call ahead of the launch. “And so the pilot is the first step to bridging this gap and will provide access to the research and education community across our country.”

The NAIRR pilot is intended to provide historical datasets to train AI models and computing resources to test the validity of a larger model. Researchers across the country will be able to access these tools to ensure more disadvantaged populations can still learn how to use AI and machine learning systems.

Four categories define the NAIRR pilot’s focus areas: NAIRR Open, which specializes in general AI resource access; NAIRR Secure, which focuses on AI research for privacy-preserving technologies; NAIRR Software, which helps investigate interoperable uses of AI tools for pilot resources; and NAIRR Classroom, which provides educational initiatives and outreach resources. 

“The pilot is really the first step in unlocking the potential of our research community to advance AI for the public good,” Antypas said. 

Industry partners, including Anthropic, Amazon Web Services, IBM, Meta, Intel, NVIDIA, OpenAI and Microsoft, will provide model access, educational resources for experimentation, researcher collaboration, technical training for proprietary software and workshop opportunities.

Antypas confirmed that these companies are not receiving payment for their participation. Some, namely NVIDIA and Microsoft, have pledged $30 million and $20 million respectively to support the pilot program. Stakeholders including government officials, academics and private sector firms collaborated on the pilot’s design.

“I think the variety of entities that have come to the table — nonprofits, the private sector, philanthropy — really speaks to this shared urgency to develop this national platform and accelerate AI innovation for our country,” she said.

The pilot’s format will feature a “diverse variety of architectures” to house these resources. Antypas said that the pilot is meant to grow into a platform united by common software stacks that can support diverse engagement.

“There is not going to be one single entity that is going to be building the NAIRR,” she said. “We’re going to need the best ideas from the community in order to really go through this community design process.”

NAIRR’s community engagement is also meant to foster greater trustworthiness in both mature and newer AI systems.

Tess deBlanc-Knowles, special assistant to the director for artificial intelligence at NSF, said that researchers can play a “critical role” in developing NAIRR past the pilot.

“I think also in the context of broader federal efforts, the work that is going to be supported through the NAIRR pilot is going to help inform some of these other efforts, such as those being run through [the National Institute of Standards and Technology] or the AI Safety Institute as they move forward to kind of formalize some of these benchmarks around how do we test, how do we verify that these models are trustworthy,” deBlanc-Knowles said. 

Nine federal agencies will join NSF as partnering entities: the Department of Energy, the Department of Veterans Affairs, NASA, the National Institutes of Health, NIST, the National Oceanic and Atmospheric Administration, the Defense Advanced Research Projects Agency, the U.S. Patent and Trademark Office and the Department of Defense. 

These agencies will work together in close coordination alongside other federal efforts that could benefit or inform NAIRR’s work, deBlanc-Knowles said.

Researchers will be able to apply for access to the NAIRR portal on Wednesday. The pilot program is slated to run for two years. Antypas said that in the pilot’s first launch, officials anticipate supporting 25 to 50 research projects. More projects will come online as additional resources from partnering entities are made available. 

In terms of the application process, researchers will need to first request access to NAIRR tools. They will be vetted based on their responsiveness to the open opportunity call, and a matching process will determine the outcome of each request. 

The NAIRR pilot’s launch is a result of President Joe Biden’s October 2023 executive order on AI. Sethuraman Panchanathan, the NSF director, said that NAIRR is meant to inspire and motivate innovation and talent across the U.S. with quality resources. 

“We need resources to advance AI that is open to all so that every community across our nation may reap the benefits of AI,” Panchanathan said. “Therefore, a National AI Research Resource simply put, has the potential to change the trajectory of our country’s approach to AI. It will lead the way for a healthy, trustworthy U.S. AI ecosystem.”

Article link: https://www.linkedin.com/posts/nextgovfcw_nsf-launches-ai-resource-pilot-to-spur-us-activity-7156285717692760064-xGbP?

DoD’s new memo puts stricter requirements on cloud providers

Posted by timmreardon on 02/03/2024
Posted in: Uncategorized.

Anastasia Obis

January 23, 2024 5:28 pm

A new memo from the Defense Department clarifies who is accountable for ensuring the security of cloud services at the FedRAMP moderate level.

The latest document provides guidance on a clause within the Defense Federal Acquisition Regulation Supplement regarding the application of FedRAMP moderate to cloud services being used by contractors for storing and processing covered defense information.

“One of the things that we learned in the early days of cloud was there was a lot of finger-pointing going on when something bad would happen. Let’s say a vulnerability would be found, or a zero-day event happened, there was this confusion around, ‘Is that the cloud service provider’s responsibility? Is that a contractor’s responsibility? Is that the government’s responsibility or somebody else? Who really is responsible?’” Raj Iyer, ServiceNow’s global head of public sector and a former chief information officer of the Army, told Federal News Network.

“And I think what this memo clarifies is that at the end of the day, the DoD’s contract is with that company A, and they got to make sure that they have an incident response plan, which shows how they’re going to coordinate any kind of remediation, or triaging that needs to happen when there is an incident that happens. That way, DoD holds the contractor accountable and responsible, and it’s their job to coordinate with all of the stakeholders.”

Historically, there has been a lot of debate around what being FedRAMP equivalent means. Since 2016, the DFARS clause said that if contractors use an external cloud service provider to store, process or transmit controlled unclassified information (CUI), the contractor should ensure that the cloud service provider meets security requirements equivalent to the FedRAMP moderate baseline.

The DFARS clause also required the cloud service provider to comply with incident reporting, data retention and access requirements listed in the clause.

With the new memo, to be considered FedRAMP moderate, cloud services must achieve 100% compliance with the latest security control baseline through an assessment conducted by a FedRAMP-recognized third-party organization.

In addition, the cloud service provider needs to present a list of evidence, or a body of evidence, to the contractor, including a system security plan, security assessment plan, security assessment report and a plan of action and milestones should they fall short in any areas. The memo says that requirements for FedRAMP moderate equivalency do not allow for a plan of action and milestones from a third party organization and any action items identified in the plan of actions and milestones must be marked as closed by the third party.

“From an evidence standpoint, the evidence requirements are pretty consistent with things that are going to be in your security package. I don’t think there’s anything in there that’s going to be super hard for organizations to come up with,” Grant Schneider, senior advisor to the Alliance for Digital Innovation and a former federal chief information security officer, told Federal News Network.

“With the 100% compliance and the inability to have a plan of action and milestone, even though they list plan of action milestones as a piece of the evidence that you have to meet every element under FISMA moderate, under 800-53, I think that may be a challenge for organizations to meet.”

Schneider said that if organizations are not 100% compliant with the latest FedRAMP moderate security control baseline for various reasons, it will have to be a business decision whether they want to make that investment to get to 100% to do business with DoD.

The memo says that the contractor approves their organization’s cloud services and ensures that the selected cloud service provider has a response plan. Moving forward, the contractor, not the cloud service provider, will be held responsible for reporting should a compromise happen and make sure their cloud provider follows the incident response plan.

It’s unclear what triggered the memo, but Schneider said he would like to see more context for what might have caused its issuance.

“I would love to see, is there a particular issue that the department ran into, in some way, shape or form that caused them to put this out? Or is there a particular risk that they’re looking to avoid? I don’t know what that is, but I would certainly love to know what the answer is,” Schneider said.

Over the years, DoD has had various cyber policies emerging independently, including the Cybersecurity Maturity Model Certification (CMMC) program, with the zero trust framework eventually becoming an overarching approach to cybersecurity. As for the memo, Iyer said this is most likely one of the policy areas that needed tightening up.

“The DoD is relying more and more on cloud service offerings, putting more and more of our sensitive data in the cloud. And it became clear to [our adversaries], if there’s a single point of failure, it is cloud. Second point, it was very clear that our adversaries knew that the vulnerabilities were in the supply chain,” Iyer said.

“Yes, this does put a burden on industry. But I think for industry, for the defense industrial base, they’ve always known that this was coming. So this should be no news to anybody. We shouldn’t expect to see any pushback. And for the cloud service providers like us, we’ve always taken this seriously. And it’s part of what you have to do to serve the defense customer. And yes, it comes with the cost. But this is going to filter out companies that are serious about working with the DoD and protecting the data. It is absolutely critical that the tightening happens through the policy and process,” he added.

CMMC final rule

David McKeown, DoD’s chief information and security officer, signed the FedRAMP equivalency memo on Dec. 21, but it didn’t become public until January. The long-awaited CMMC proposed rule came out around the same time, laying out requirements “for a comprehensive and scalable assessment mechanism” to ensure defense contractors and subcontractors implement required security protocols when sharing sensitive unclassified information on their networks.

The proposed CMMC rule adds little detail on top of DFARS 7012, and the memo’s requirements appear to be more stringent than what is laid out in the proposed rule. DoD will most likely align the requirements from both documents when it releases the final CMMC rule.

“I think the question will be if there’s something that the DoD is intending this memo to change inside of CMMC, I would really hope for their sake that they already had that in the proposed rule. Because typically, once a proposed rule is out for public comment, you can make changes in the final rule. But typically, you can’t make really big substantive changes that weren’t somehow either included or alluded to in the proposed rule. So if this is going to cause a significant shift, I think that could be problematic just from a rulemaking procedure or from a rulemaking standpoint,” Schneider said.

Article link: https://federalnewsnetwork.com/cybersecurity/2024/01/dods-new-memo-puts-stricter-requirements-on-cloud-providers/

Agencies’ FISMA implementation is still ‘mostly ineffective,’ watchdog says

Posted by timmreardon on 02/03/2024
Posted in: Uncategorized.

By Edward Graham, January 10, 2024

The Government Accountability Office found that less than half of surveyed federal agencies had compliant security programs and called for improved performance metrics.

The federal government’s implementation of the Federal Information Security Modernization Act — or FISMA — “continued to be mostly ineffective” in fiscal 2022, with only eight of 23 surveyed civilian agencies found to have effective information security programs in place, according to a Government Accountability Office report released on Tuesday.

FISMA requires covered agencies to develop and implement programs to secure their information systems. The Office of Management and Budget is also tasked with overseeing agencies’ security practices and developing policies to guide implementation of their cyber standards.

GAO reviewed inspectors general reports on the surveyed agencies’ compliance with FISMA for the 2021 and 2022 fiscal years and said that, while “some improvement was reported,” broad adherence to the security standards was still lacking.

“IGs reported various causes for the ineffective programs, including management accountability issues and gaps in standards and quality control,” the watchdog said, adding that “addressing the causes could improve the federal government’s cybersecurity posture.”

Despite finding that just eight surveyed agencies had implemented effective security programs in FY2022 — the departments of Homeland Security, Education and Justice, as well as the Environmental Protection Agency, General Services Administration, National Science Foundation, Nuclear Regulatory Commission and the U.S. Agency for International Development — GAO said its latest report still represented something of a high-water mark in terms of recent levels of compliance with FISMA.

“Out of the 23 civilian [Chief Financial Officers Act] agencies, no more than eight received an effective rating in any given year over the last six years of reporting (fiscal years 2017 through 2022),” the watchdog said.

OMB provides metrics for evaluating the effectiveness of agencies’ security programs and their implementation of FISMA, but GAO said that “agencies and IGs stated that some FISMA metrics are not useful because they do not always accurately evaluate information security programs.”

The watchdog said agencies and IGs reported that FISMA metrics “should be clearly tied to performance goals, account for workforce issues and agency size and incorporate risk,” and further suggested that “crafting metrics that address the key causes of ineffective programs could enhance their effectiveness.” 

GAO made two recommendations to OMB, including calling for the agency to develop metrics “related to causes of ineffective information security programs identified by IGs” and to “improve the [chief information officer] and IG FISMA metrics to clearly link them to performance goals, address workforce challenges, consider agency size and adequately address risk.”

OMB did not agree or disagree with the watchdog’s recommendations but provided technical comments that were incorporated into the report.

Article link: https://www.nextgov.com/cybersecurity/2024/01/agencies-fisma-implementation-still-mostly-ineffective-watchdog-says/393246/?

Bipartisan bill strives for ‘more nimble and meaningful’ federal contracting – Nextgov

Posted by timmreardon on 02/03/2024
Posted in: Uncategorized.

By Edward Graham, January 22, 2024

Legislation from Sens. Gary Peters, D-Mich., and Joni Ernst, R-Iowa, would “streamline procedures” for both solicitation and awards by slimming down the procurement process.

A new bipartisan proposal seeks to simplify the federal contracting process — and potentially allow for more small businesses to work with the government — by reducing burdensome requirements and creating “a more nimble and meaningful bidding process and evaluation of proposals.”

The Conforming Procedures for Federal Task and Delivery Order Contracts Act was introduced by Sens. Gary Peters, D-Mich., and Joni Ernst, R-Iowa, on Jan. 19. 

The bill seeks “to streamline procedures for solicitation and the awarding of task and delivery order contracts for agencies” by shrinking “the procurement process for contractors bidding on work as well as for the government, ensuring necessary due diligence is done while allowing awards to be made faster and to a wider array of contractors, including small businesses.”

This includes reducing “duplication of documentation requirements for agencies” and applying some of the contracting measures that the Department of Defense “currently has in place to all federal agencies.”

Ernst — the ranking member of the Senate Small Business and Entrepreneurship Committee — said in a statement that “too much bureaucratic red tape stands in the way” when it comes to smaller companies effectively competing for federal contracts.

“By making the award process faster and wider, Iowa’s small businesses and entrepreneurs can better compete and succeed,” she added, referencing the benefits the bill would have for her Hawkeye State constituents. 

In a statement, Peters also said the legislation “streamlines the contracting process for federal government agencies, and as a result will boost small businesses trying to stay competitive and will increase efficiency for all government agencies, benefitting people across the nation.”

This isn’t the first time that Peters and Ernst have teamed up on legislation to improve the government’s procurement process, which is receiving renewed attention as lawmakers discuss the role that emerging technologies can play in bolstering the capabilities of federal services. 

The senators previously authored legislation, known as the PRICE Act, to “promote innovative acquisition techniques and procurement strategies” to improve the contracting process for small businesses. Their bill was signed into law in February 2022. 

Peters and Ernst also introduced legislation in July 2022 that would require the Office of Management and Budget and the General Services Administration “to streamline the ability of the federal government to purchase commercial technology and provide specific training for information and communications technology acquisition.”

Following a Jan. 10 Senate Homeland Security and Governmental Affairs Committee hearing on how artificial intelligence can be used to improve government services, Peters — who chairs the panel — also told Nextgov/FCW “how the federal government procures AI… is going to have a big impact on AI throughout the economy.”

“And I think that’s a very effective way for us to think about AI regulation, through the procurement process,” he said.

Article link: https://www.nextgov.com/acquisition/2024/01/bipartisan-bill-strives-more-nimble-and-meaningful-federal-contracting/393508/?

Multi-factor authentication suffers from three major weaknesses

Posted by timmreardon on 01/28/2024
Posted in: Uncategorized.

By Al Lakhani

 published 2 days ago

Security weaknesses of multi-factor authentication

“Multi-Factor Authentication stops 99% of all attacks.” It’s a phrase we hear a lot.

However, while MFA has become the go-to cybersecurity solution deployed by businesses globally, we must recognize that not all MFA solutions are created equal. Many are as easy to hack with social engineering and phishing as traditional passwords. So, the claim that almost all attacks can be repelled by MFA is an oversimplification at best and insincere at worst.

This raises an important question: if so many MFA solutions are ineffective at fending off commonplace cyber threats (such as phishing attacks, which account for more than 80% of cyber-attacks), why do businesses still rely upon them?

One plausible answer is that business software packages – think Google Workspace or Microsoft 365 – come with in-built two-factor authentication. Businesses may, therefore, think that investing in another solution is an unnecessary additional expense.

Another factor is that many cyber insurers now demand that organizations adopt MFA in the underwriting stage of the insurance process. It could be the case, then, that IT decision-makers treat MFA as a check-the-box exercise in order to comply with insurers’ requirements. And they do so without carefully considering the difference between good MFA and bad MFA.

Whatever the reason, it is clear that many organizations are adopting MFA without scrutinizing the effectiveness of their chosen solution and which attacks it actually prevents.

So, it is important we take a step back and understand some of the inherent weaknesses of your typical MFA solution.

1. Second factor authenticators are still vulnerable to attack

The basis of most MFA solutions is that, even if someone manages to get hold of a user’s password, they still need to bypass the second piece of the puzzle – such as an SMS code, One Time Password (OTP) or approving a push notification – in order to access the account.

At face value, this seems quite secure. However, the very nature of these second layers of authentication can do more harm than good, paradoxically providing hackers with further opportunities for attack. It’s a double-edged sword that many businesses fail to fully grasp when choosing their security solutions.

Indeed, OTPs can be captured and relayed in real time by ‘on the fly’ phishing pages, putting a business’ sensitive information at risk; SMS codes are exposed to ‘smishing’ and to interception of the message before it ever reaches the user; and the ‘human element’ is exploited to defeat push notifications through prompt bombing (MFA fatigue), where the user is flooded with approval requests until one is accepted.

The apparent protection of additional layers of security, therefore, could be blinding decision-makers to the inherent dangerous vulnerabilities, prompting the need for tech and cyber decision-makers to re-evaluate the true efficacy of these widely adopted security measures.
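To make the first point concrete, here is an added example (not code from the original article) that implements RFC 6238 TOTP verification in Go and then plays out the relay: the victim types the code from their authenticator into a phishing page, and the proxy submits the same code to the real service within the skew window the server allows. The shared secret is the RFC 6238 Appendix B test-vector key and the delays are constructed; the point it demonstrates is that the verifier has no way to tell who is presenting a correct code, so a relayed one is as good as the real one until the window closes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed shared secret: the RFC 6238 Appendix B test-vector key, not a
// real credential. In practice it is random and enrolled once via a QR code.
var sharedSecret = []byte("12345678901234567890")

const stepSeconds = 30 // RFC 6238 default time step

// totpAt returns the 6-digit RFC 6238 code for a Unix time: HOTP (RFC 4226)
// over the time-step counter, using HMAC-SHA1 as most authenticator apps do.
func totpAt(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/stepSeconds))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyTOTP is the server side. It accepts the code for the current step or
// skewSteps either side, to tolerate clock drift and the time it takes to type.
// Note what is absent: any notion of who presented the code, or from where.
func verifyTOTP(secret []byte, code string, unixTime int64, skewSteps int64) bool {
	for d := -skewSteps; d <= skewSteps; d++ {
		candidate := totpAt(secret, unixTime+d*stepSeconds)
		if hmac.Equal([]byte(candidate), []byte(code)) {
			return true
		}
	}
	return false
}

// relayScenario models an adversary-in-the-middle proxy. The victim reads the
// code from their authenticator at time now and types it into the phishing page;
// the proxy forwards it verbatim to the real server relayDelay seconds later.
// It returns whether the real server accepted the relayed code.
func relayScenario(now, relayDelay int64) bool {
	victimCode := totpAt(sharedSecret, now) // what the victim's app displays
	captured := victimCode                  // the phishing page simply keeps a copy
	return verifyTOTP(sharedSecret, captured, now+relayDelay, 1)
}

func main() {
	now := time.Now().Unix()
	fmt.Println("code relayed after 5 s accepted:   ", relayScenario(now, 5))
	fmt.Println("code relayed after 10 min accepted:", relayScenario(now, 600))
}
```

Nothing in verifyTOTP can be tightened to fix this: shrinking the skew window only shortens the relay deadline, and a proxy forwards in well under a second. The same holds for SMS codes, which are just OTPs delivered over a worse channel.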

2. All MFAs including passkeys can be bypassed

The main issue here – and it’s pretty mind-boggling – is that all MFA solutions can be circumvented by hackers to gain access without needing to provide any authentication factors. There are two main causes: session cookies and centralization.

A session cookie is a token the browser stores after a successful authentication so that the user is not asked to re-authenticate on every request to the service provider. Whoever holds that cookie can therefore act as the user without authenticating at all.

Attackers exploit this in two ways. An Adversary-in-the-Middle (AiTM) phishing proxy sits between the victim and the real login page, relays the password and the second factor, and captures the session cookie the service issues at the end; with that cookie the attacker uses the account without ever authenticating, so the MFA step is rendered moot. Cookies can also be stolen after the fact: in the October 2023 Okta breach, session tokens were taken from HAR files that customers had uploaded to Okta’s customer support management system, and were used to hijack sessions at several of its customers, including 1Password and Cloudflare.
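As an added illustration, not code from the article, the following Go sketch shows why a stolen session cookie sidesteps MFA, and how sender-constraining the session (the idea behind OAuth DPoP and device-bound session credentials) changes that. The session store, the cookie format and the `method|path|cookie` signing string are simplified assumptions for the demo; a production scheme would add a server nonce and timestamp so that a captured proof cannot itself be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed server-side key for MACing cookies; not a real secret.
var cookieKey = []byte("constructed-demo-cookie-signing-key")

// session is what the server remembers once MFA has succeeded. A bearer session
// records only the user; a bound session also records the client's public key.
type session struct {
	user      string
	clientPub ed25519.PublicKey // nil for a plain bearer session
}

var sessions = map[string]*session{}

// issueSession runs once, after MFA: it mints an opaque cookie whose integrity
// the server can check, and remembers who it belongs to. Every later request
// stands or falls on this cookie; the factors are never asked for again.
func issueSession(user string, clientPub ed25519.PublicKey) string {
	var id [16]byte
	rand.Read(id[:])
	mac := hmac.New(sha256.New, cookieKey)
	mac.Write(id[:])
	cookie := hex.EncodeToString(id[:]) + "." + hex.EncodeToString(mac.Sum(nil))
	sessions[cookie] = &session{user: user, clientPub: clientPub}
	return cookie
}

type request struct {
	cookie, method, path string
	proof                []byte // signature over method|path|cookie; empty for bearer
}

// proofFor is what a bound client does on every request with its private key.
func proofFor(priv ed25519.PrivateKey, r request) []byte {
	return ed25519.Sign(priv, []byte(r.method+"|"+r.path+"|"+r.cookie))
}

// handleBearer is the usual pattern: the cookie alone identifies the user.
// Nothing ties it to the device that completed MFA, so a copy lifted from a
// HAR file, a proxy log or browser storage works from anywhere.
func handleBearer(r request) (string, error) {
	s, ok := sessions[r.cookie]
	if !ok {
		return "", fmt.Errorf("unknown session")
	}
	return s.user, nil
}

// handleBound also demands a fresh possession proof from the key registered at
// login. Real schemes add a server nonce and timestamp so the proof itself
// cannot be replayed; omitted here to keep the contrast with handleBearer visible.
func handleBound(r request) (string, error) {
	s, ok := sessions[r.cookie]
	if !ok || s.clientPub == nil {
		return "", fmt.Errorf("unknown or unbound session")
	}
	if !ed25519.Verify(s.clientPub, []byte(r.method+"|"+r.path+"|"+r.cookie), r.proof) {
		return "", fmt.Errorf("cookie presented without a valid possession proof")
	}
	return s.user, nil
}

// stolenBearer: the attacker replays a cookie captured after the victim's MFA.
func stolenBearer() (string, error) {
	cookie := issueSession("alice", nil)
	stolen := cookie // copied out of a support-ticket HAR file, say
	return handleBearer(request{cookie: stolen, method: "GET", path: "/admin"})
}

// stolenBound: the same theft, but alice's session was bound to her device key.
func stolenBound() (ownerAccepted, thiefAccepted bool) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	cookie := issueSession("alice", alicePub)

	own := request{cookie: cookie, method: "GET", path: "/admin"}
	own.proof = proofFor(alicePriv, own)
	_, err := handleBound(own)
	ownerAccepted = err == nil

	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader) // has the cookie, not alice's key
	theft := request{cookie: cookie, method: "GET", path: "/admin"}
	theft.proof = proofFor(thiefPriv, theft)
	_, err = handleBound(theft)
	thiefAccepted = err == nil
	return
}

func main() {
	user, err := stolenBearer()
	fmt.Println("bearer cookie replay -> user:", user, "err:", err)
	owner, thief := stolenBound()
	fmt.Println("bound session -> owner accepted:", owner, "thief accepted:", thief)
}
```

The MAC on the cookie proves only that the server minted it, not who is sending it; that is the whole gap. Binding the session to a key the device never exports closes it for the post-login replay case, which is the one that phishing-resistant authenticators do not address.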

Phishing-resistant MFA such as a passkey stops the first path, because the proxy can never complete the login and so never receives a cookie; it does nothing for a token stolen after it has been issued, as in the Okta case. But the plot thickens…

Consumer passkeys are designed to synchronize across all of a user’s devices so that any of them can be used to log in. Synced passkeys are therefore only as secure as the platform account that holds them; device-bound passkeys on a hardware security key do not have this exposure, but they are also the less convenient option, and the reliance on centralization is where the synced variety becomes vulnerable.

Although passkeys rest on public key cryptography, a synced passkey depends on the platform’s security (the security provided by Google, Apple, Microsoft and so forth), so a business’s security becomes equivalent to that of an employee’s Google or Apple account credentials. Most of those accounts are still protected by a password plus a phishable second factor, which can be phished or circumvented using AiTM. As a result, passkeys can also be bypassed, and the business inherits a risk that sits entirely outside its control.

To adapt the old cliché, a cybersecurity solution is only as strong as its weakest link. User credentials are often that weak link.
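The reason a passkey resists the relay that defeats an OTP, and the exact point at which the checks happen, is easier to see in code. The following Go model is added here and is not the article’s or any vendor’s implementation. It simplifies WebAuthn to its essentials: the authenticator signs authenticatorData || SHA-256(clientDataJSON), the browser writes the page’s real origin into clientDataJSON and refuses to use a credential outside its RP ID, and the relying party checks challenge, origin and rpIdHash before it looks at the signature. Ed25519 stands in for the ES256 most authenticators use, the sign counter and attestation are omitted, and the RP ID example.com, the allowed origins, the lookalike examp1e.com and the challenge strings are all constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// The credential is scoped at registration to the relying party's registrable
// domain (RP ID). The RP separately lists the exact origins it serves logins from.
const rpID = "example.com"

var allowedOrigins = map[string]bool{"https://example.com": true, "https://login.example.com": true}

// clientData holds the clientDataJSON fields that matter here. The browser,
// not the web page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	AuthData       []byte // rpIdHash || flags (sign counter omitted)
	ClientDataJSON []byte
	Signature      []byte
}

// signedBytes is what the authenticator signs: authData || SHA-256(clientDataJSON).
func signedBytes(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// authenticatorSign models the authenticator. It signs whatever origin the
// browser reports; it never sees the page, so the page cannot influence it.
func authenticatorSign(priv ed25519.PrivateKey, origin, challenge string) *assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01) // flags byte: user present
	return &assertion{AuthData: authData, ClientDataJSON: cd, Signature: ed25519.Sign(priv, signedBytes(authData, cd))}
}

// browserGet models navigator.credentials.get(): refuse unless the page's
// effective domain is the RP ID or a subdomain of it, then record the real origin.
func browserGet(priv ed25519.PrivateKey, pageOrigin, challenge string) (*assertion, error) {
	host := strings.TrimPrefix(pageOrigin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("browser: no credential for %s (scoped to %s)", pageOrigin, rpID)
	}
	return authenticatorSign(priv, pageOrigin, challenge), nil
}

// rpVerify is the relying party's side: type, challenge, origin and rpIdHash
// must all match before the signature is even considered.
func rpVerify(pub ed25519.PublicKey, a *assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return fmt.Errorf("rp: challenge mismatch (stale or replayed assertion)")
	}
	if !allowedOrigins[cd.Origin] {
		return fmt.Errorf("rp: origin %q is not one of ours", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 32 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return fmt.Errorf("rp: rpIdHash mismatch")
	}
	if !ed25519.Verify(pub, signedBytes(a.AuthData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("rp: bad signature")
	}
	return nil
}

// loginAttempt runs one ceremony for a freshly enrolled user. The relying party
// expects rpChallenge; the page at pageOrigin has the browser sign pageChallenge
// (they differ when an attacker replays an assertion captured earlier).
func loginAttempt(pageOrigin, pageChallenge, rpChallenge string) error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a, err := browserGet(priv, pageOrigin, pageChallenge)
	if err != nil {
		return err
	}
	return rpVerify(pub, a, rpChallenge)
}

func main() {
	fmt.Println("legitimate:    ", loginAttempt("https://example.com", "c1", "c1"))
	fmt.Println("AiTM lookalike:", loginAttempt("https://examp1e.com", "c2", "c2"))
	fmt.Println("replayed:      ", loginAttempt("https://example.com", "c3", "c4"))
}
```

Contrast this with the OTP case: there the server receives six digits and nothing else, whereas here the thing being verified carries the origin it was produced for and the challenge it answers, both under a signature the phishing site cannot produce. None of this helps, though, if the private key is restored from a platform account the attacker has taken over, which is the centralization point made above.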

3. Some MFA solutions are phish-resistant, but not phish-proof

To date, the highest level of security has typically come from “phish-resistant” MFA. Some MFA solutions can accurately claim to be ‘phish-resistant’, but they are not ‘phish-proof’, because they still rely on phishable factors somewhere in their enrolment or recovery lifecycle.

This is a critical shortcoming of many MFA solutions and a particularly pertinent issue in the UK. Research has found that 83% of British organizations experienced a phishing attack last year, which reportedly cost an average loss of £245,000 per business per attack.

In practice this means a user’s account may be secure once the solution has been set up, while the processes around it remain exposed: adding a new user, registering a new device, or recovering an account after the registered device is lost or damaged can each be attacked with ordinary phishing.

For instance, suppose ‘Barry from accounts’ has left the device his passkey is registered on at home, or has lost his FIDO2 security key. Many phish-resistant deployments fall back to phishable factors such as SMS, OTP or push notifications to let Barry recover his account.

Or Barry never realizes that someone else has used those same phishable factors, or his password, to enrol an additional FIDO2 security key on his account without his knowledge.

More must be done to raise awareness of the difference between phish-resistant and phish-proof. Precious few MFA solutions can truly claim to be phish-proof. Truly phish-proof MFA solutions are able to eliminate breaches like AiTM because they secure the entire user identity lifecycle: registration, identity proofing, establishing authenticators, authentication, recovery and account termination are all immune to even sophisticated phishing attacks.

This means that attackers cannot bypass authentication, intercept credentials, or trick users into revealing them, because no phishable credential exists anywhere in that solution’s authentication lifecycle. What’s more, phish-proof solutions ensure the chain of trust established at the identity-proofing stage is transitive, so it cannot be broken and is provable at every later stage of the identity lifecycle.

The next generation of MFA

This may seem like a scathing attack on MFA. Fortunately, though, as noted at the start, not all MFA is created equal. Better solutions are out there.

The next generation of MFA solutions addresses the weaknesses outlined above. They do this by eliminating the vulnerabilities and phishable factors that leave businesses’ IT systems open to attack.

The key innovation of this new wave of technology is that it moves beyond reliance on passwords. Instead, these solutions embrace Zero Trust Architecture (ZTA) principles such as transitive trust and identity proofing, and adopt the W3C Web Authentication (WebAuthn) standard, tackling the core issues behind data breaches and removing the threat of human error.

By implementing technology from this new wave of MFA, businesses can make their cyber security systems immune to both external and internal threats and guarantee robust authentication through the entire identity lifecycle.

It’s time to recognize that basic MFA solutions that rely on OTPs, push, and QR-code are relics of the past. They suffer from the same inherent flaws that have plagued password-based cybersecurity technology for decades – namely, they cannot prevent all credential phishing and password-based attacks. Slowly but surely, the industry is recognizing that zero trust paves the way to a more secure and efficient future.


This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Al Lakhani is the founder and CEO of IDEE. Al is a recognized cyber security expert, digital identity crusader, inventor, entrepreneur, and university lecturer with more than 25 years’ experience in cyber forensics.

Article link: https://www.techradar.com/pro/multi-factor-authentication-suffers-from-three-major-weaknesses
