healthcarereimagined

Envisioning healthcare for the 21st century

How One Person Can Change the Conscience of an Organization – HBR

Posted by timmreardon on 02/10/2024
Posted in: Uncategorized.

by Nicholas W. Eyrich, Robert E. Quinn, and David P. Fessell

December 27, 2019

Summary.

While corporate transformations are almost universally assumed to be top-down processes, in reality middle managers and first-line supervisors can make significant change when they have the right mindset. Dr. Tadataka Yamada was one of dozens of executives the authors spoke to over the last several years to learn how one can succeed in making positive change in large organizations. His story shows many of the traits the authors observed in interviews. He had a clarity of conscience and was willing to speak up. He took every chance, even small ones, to hone his skills of challenging the status quo for the greater good. He didn’t let tough challenges gradually slip from focus because they were “too big” to tackle in the moment. Finally, he centered his purpose on helping those with less privilege.

In December 2000, when Dr. Tadataka Yamada became the new chairman of research and development at GlaxoSmithKline, he was horrified to learn that his company was a complainant in a lawsuit over access to drug therapies for HIV/AIDS patients. GSK was one of 39 pharmaceutical companies charging Nelson Mandela and the government of South Africa with violating price protections and intellectual property rights in their efforts to access lower priced antiretroviral drugs. Close to 25 percent of black South Africans were living with HIV/AIDS and, at the time, antiretroviral therapies cost approximately $1000 per month—more than a third of the average South African’s annual salary, putting treatment out of reach for most patients.

Yamada held discussions with his research staff and quickly learned that he was not alone in his opposition to the lawsuit. The team wanted to be a part of the solution to global health issues, not party to a lawsuit preventing such drugs from reaching those in dire need, but they felt they lacked the power to change the company’s direction. Yamada felt differently. In one-on-one meetings with individual board members of GSK, he stressed the company’s moral responsibility to alleviate human suffering and tied it to the long-term success of the company. He stated that GSK can’t make medicines that save lives and then not allow people access to them. He noted the public relations disaster associated with the lawsuit, and set forth a vision, co-created by his team, for how GSK could also become a leader in the fight against TB and malaria, diseases that also were disproportionately impacting third-world populations. The external pressure did not abate, with protests against many drug companies around the world.

In April 2001, all 39 companies dropped the lawsuit against Nelson Mandela; GSK and others reduced the prices of antiretroviral drugs by 90% or more. Furthermore, under Yamada’s direction, one of GSK’s major laboratories in Tres Cantos, Spain, was converted into a profit-exempt laboratory that focused only on diseases in the developing world, including malaria and tuberculosis. Using his influence, Dr. Yamada also spurred GSK into allocating resources for affordable access to medications and development of future therapies. Subsequently, top executives at GSK became leaders in global health issues. Andrew Witty assumed the CEO position at GlaxoSmithKline in 2008 and became one of the leading spokespersons for global health in the pharmaceutical industry. Chris Viehbacher, corporate executive team member at GSK, subsequently became the CEO of Sanofi and a champion of global health. Both have since partnered with the Gates Foundation on global health initiatives.

Most people would love to be a part of such an amazing turn of events, yet this kind of transformation doesn’t happen very often. While many helped with these efforts, what made it possible for Dr. Yamada to step forward with a steady voice and a sound vision? In several interviews with Dr. Yamada we identified four key mindsets that helped him catalyze this transformation.

The power of one.

A single person with a clarity of conscience and a willingness to speak up can make a difference. Contributing to the greater good is a deep and fundamental human need. When a leader, even a mid-level or lower level leader, skillfully brings a voice and a vision, others will follow and surprising things can happen—even culture change on a large scale. While Yamada did not set out to change a culture, his actions were catalytic and galvanized the organization. As news of the new “not for profit” focus of Tres Cantos spread, many of GSK’s top scientists volunteered to work there. Yamada’s voice spoke for many others, offering a clear path and a vision for a more positive future for all.

The power of sequential skill building.

Prior to GSK, Yamada had a lot of practice with smaller challenges, from caring for the most complex patients in the intensive care unit, to becoming a department head and national leader in his field. Along the way he also led other efforts to change the status quo by actively helping more African Americans and women to join the gastroenterology faculty at the University of Michigan. The lesson is not to underestimate any chance you have, even if small, to hone your skills of challenging the status quo for the greater good. Train your “courage for challenging convention” muscle consistently, so that it’s ready when needed. At GSK, he first invited the input of his team, ultimately resulting in the plan to convert the Tres Cantos laboratory to a “not for profit” disease focus. He did not wait for someone else to speak out first, or for a committee to be formed to study the issue. He had built the skills to quickly recognize the problem, and also to advocate for a better way—a way GSK could become a leader in the fight against diseases that might not be profitable but would help countless individuals in dire need.

The power of sustained focus and determination.

It’s easy to say, “This will take some doing; I’ll think about it later.” Combined with an unconscious “This could be dangerous for my career,” it can be easy for tough challenges to gradually slip from focus. Over time the unacceptable can become the norm, and the energy for change dissipates. But Yamada didn’t accept the unacceptable; his focus and determination were well honed. He emigrated from Japan as a teenager and entered the demanding field of medicine. Along the way he took up marathon running and edited a seminal 3440-page textbook of gastroenterology, among many other achievements. Attacking challenges was not just an occasional adventure—it has been a way of being, as well as a highly successful career path. Assuring the success of the Tres Cantos lab was not accomplished with a simple signature on a document. The laboratory was initially funded by GSK with the expectation that the researchers would soon obtain external grants, so the output from the lab would not carry expectations of making a profit for GSK. Partnerships with many organizations and universities were also initiated and sustained to help support this work.

The power of using privilege to support people with less privilege.

While such a mindset is not required for transformation to occur, most would agree that it’s even better, and more rewarding, when transformation also helps those with less privilege. Dr. Yamada, trained over many years in the “patient first” culture of medicine, had a well-honed awareness of the larger change he could bring because of his voice, and a vision for the positive impact GSK could bring to South Africa—and other countries in dire need of low cost, life-saving drugs to treat HIV, TB, and malaria. His team, and ultimately many others at GSK, shared a desire to help those less fortunate. The work done by the Tres Cantos lab continues to impact countless people in poverty suffering from TB, malaria, and many other diseases.

Speaking of the lawsuit that sparked his transformational leadership, Yamada said: “It was obvious we could reduce the price, but beyond that I felt it was really important for the company to make a commitment to making medicines for people where we might not make profit, but where we could have huge medical impact.”

With the support and efforts of many at GSK, this positive vision and pathway for action reverberated across the organization and helped energize a culture shift. The changes catalyzed by Yamada continued after he left GSK in 2006 to become President of the Global Health Program at the Bill and Melinda Gates Foundation. Today GSK is one of the top pharmaceutical companies for global drug access and global health initiatives. In just the past 3 years Tres Cantos researchers have co-authored over 100 scholarly research publications. The laboratory continues to provide independent researchers access to GSK facilities, expertise and resources to advance the understanding of diseases of the developing world.

Yamada was one of dozens of executives we spoke to over the last several years to learn how one can succeed in making positive change in large organizations. In these interviews, we heard accounts that reflect the mindsets Yamada described. In nearly every case we saw the power of one. In one example, a woman in a Fortune 50 company shared her experience in transforming her unit in Brazil. After being promoted to a senior position at headquarters, she saw the need for change, but the politics were more intense, and her previous experience seemed irrelevant. With unwavering focus, she pressed forward and succeeded. In reflecting on her success, she noted that challenging the status quo is a skill that one can develop, and it applies at every level. In another case, a woman in a Fortune 500 company was promoted to oversee a large but failing business line. The eight people who preceded her were all fired. She spent months examining the organization and formulated a strategic plan. It required serious work at the top. Her boss said no. Using all her acquired skills and courage, she led her boss until he was ready to change. The organization turned around.

These stories remind us that while corporate transformations are almost universally assumed to be top-down processes, in reality middle managers and first-line supervisors can make significant change when they have the right mindset.

Nicholas W. Eyrich is a graduate student at the University of Michigan Medical School.

Robert E. Quinn is a professor emeritus at the University of Michigan’s Ross School of Business and a cofounder of its Center for Positive Organizations.

David P. Fessell is an executive coach, faculty associate at the University of Michigan’s Ross School of Business, and a retired University of Michigan professor of radiology. He writes and speaks on positive psychology and emotional intelligence and is a graduate of the Second City Improv Conservatory.

Article link: https://hbr.org/2019/12/how-one-person-can-change-the-conscience-of-an-organization?

The World Economic Forum Global Risks Report 2024

Posted by timmreardon on 02/08/2024
Posted in: Uncategorized.

The world is changing fast – and so are the challenges we face.

The World Economic Forum has produced the Global Risks Report 2024 in partnership with Marsh McLennan and Zurich Insurance Group. Learn more: https://ow.ly/vv9X50QyQ0n


https://www.linkedin.com/posts/world-economic-forum_the-world-is-changing-fast-and-so-are-the-activity-7161383269446434816-VClX?

Humans may be more likely to believe disinformation generated by AI – MIT Technology Review

Posted by timmreardon on 02/06/2024
Posted in: Uncategorized.

The way AI models structure text may have something to do with it, according to the study authors.

By Rhiannon Williams

June 28, 2023

Disinformation generated by AI may be more convincing than disinformation written by humans, a new study suggests. 

The research found that people were 3% less likely to spot false tweets generated by AI than those written by humans.

That credibility gap, while small, is concerning given that the problem of AI-generated disinformation seems poised to grow significantly, says Giovanni Spitale, the researcher at the University of Zurich who led the study, which appeared in Science Advances today.

“The fact that AI-generated disinformation is not only cheaper and faster, but also more effective, gives me nightmares,” he says. He believes that if the team repeated the study with the latest large language model from OpenAI, GPT-4, the difference would be even bigger, given how much more powerful GPT-4 is. 

To test our susceptibility to different types of text, the researchers chose common disinformation topics, including climate change and covid. Then they asked OpenAI’s large language model GPT-3 to generate 10 true tweets and 10 false ones, and collected a random sample of both true and false tweets from Twitter. 

Next, they recruited 697 people to complete an online quiz judging whether tweets were generated by AI or collected from Twitter, and whether they were accurate or contained disinformation. They found that participants were 3% less likely to believe human-written false tweets than AI-written ones. 

The researchers are unsure why people may be more likely to believe tweets written by AI. But the way in which GPT-3 orders information could have something to do with it, according to Spitale. 

“GPT-3’s text tends to be a bit more structured when compared to organic [human-written] text,” he says. “But it’s also condensed, so it’s easier to process.”

The generative AI boom puts powerful, accessible AI tools in the hands of everyone, including bad actors. Models like GPT-3 can generate incorrect text that appears convincing, which could be used to generate false narratives quickly and cheaply for conspiracy theorists and disinformation campaigns. The weapons to fight the problem—AI text-detection tools—are still in the early stages of development, and many are not entirely accurate. 

OpenAI is aware that its AI tools could be weaponized to produce large-scale disinformation campaigns. Although this violates its policies, it released a report in January warning that it’s “all but impossible to ensure that large language models are never used to generate disinformation.” OpenAI did not immediately respond to a request for comment.

However, the company has also urged caution when it comes to overestimating the impact of disinformation campaigns. Further research is needed to determine the populations at greatest risk from AI-generated inauthentic content, as well as the relationship between AI model size and the overall performance or persuasiveness of its output, the authors of OpenAI’s report say. 

It’s too early to panic, says Jon Roozenbeek, a postdoc researcher who studies misinformation at the department of psychology at the University of Cambridge, who was not involved in the study. 

Although distributing disinformation online may be easier and cheaper with AI than with human-staffed troll farms, moderation on tech platforms and automated detection systems are still obstacles to its spread, he says. 

“Just because AI makes it easier to write a tweet that might be slightly more persuasive than whatever some poor sap in some factory in St. Petersburg came up with, it doesn’t necessarily mean that all of a sudden everyone is ripe to be manipulated,” he adds.

Article link: https://www-technologyreview-com.cdn.ampproject.org/c/s/www.technologyreview.com/2023/06/28/1075683/humans-may-be-more-likely-to-believe-disinformation-generated-by-ai/amp/

NSF launches AI resource pilot to spur US innovation – Nextgov

Posted by timmreardon on 02/04/2024
Posted in: Uncategorized.

By Alexandra Kelley, January 24, 2024

Nine other federal agencies and several private sector entities have signed on to support the program.

The National Science Foundation launched the National Artificial Intelligence Research Resource pilot on Wednesday, marking the federal government’s first step in working to democratize widespread access to key components of artificial intelligence technologies. 

Announced on Wednesday, the pilot program aims to promote the Biden administration’s goal of establishing the U.S. as a leader in AI innovation by making federal resources — including advanced computing, datasets, training models, software assistants and user support — open and publicly accessible. 

Immediate goals for the NAIRR pilot are to cultivate an AI-ready workforce and bridge socioeconomic gaps to provide quality AI training and education materials to all corners of the U.S.

“The NAIRR pilot is really needed because the resources needed to even begin participating in the ecosystem have become increasingly concentrated and inaccessible to many, many communities that are really essential for developing a healthy and responsible AI ecosystem,” Katie Antypas, director of the NSF’s Office of Advanced Cyberinfrastructure, said during a press call ahead of the launch. “And so the pilot is the first step to bridging this gap and will provide access to the research and education community across our country.”

The NAIRR pilot is intended to provide historical datasets to train AI models and computing resources to test the validity of a larger model. Researchers across the country will be able to access these tools to ensure more disadvantaged populations can still learn how to use AI and machine learning systems.

Four categories define the NAIRR pilot’s focus areas: NAIRR Open, which specializes in general AI resource access; NAIRR Secure, which focuses on AI research for privacy-preserving technologies; NAIRR Software, which helps investigate interoperable uses of AI tools for pilot resources; and NAIRR Classroom, which provides educational initiatives and outreach resources. 

“The pilot is really the first step in unlocking the potential of our research community to advance AI for the public good,” Antypas said. 

Industry partners, including Anthropic, Amazon Web Services, IBM, Meta, Intel, NVIDIA, OpenAI and Microsoft, among others, will provide model access, educational resources for experimentation, researcher collaboration, technical training for proprietary software and workshop opportunities.

Antypas confirmed that these companies are not receiving payment for their participation. Some, namely NVIDIA and Microsoft, have pledged $30 million and $20 million respectively to support the pilot program. Stakeholders including government officials, academics and private sector firms collaborated on the pilot’s design.

“I think the variety of entities that have come to the table — nonprofits, the private sector, philanthropy — really speaks to this shared urgency to develop this national platform and accelerate AI innovation for our country,” she said.

The pilot’s format will feature a “diverse variety of architectures” to house these resources. Antypas said that the pilot is meant to grow into a platform united by common software stacks that can support diverse engagement.

“There is not going to be one single entity that is going to be building the NAIRR,” she said. “We’re going to need the best ideas from the community in order to really go through this community design process.”

NAIRR’s community engagement is also meant to foster greater trustworthiness in both mature and newer AI systems.

Tess deBlanc-Knowles, special assistant to the director for artificial intelligence at NSF, said that researchers can play a “critical role” in developing NAIRR past the pilot.

“I think also in the context of broader federal efforts, the work that is going to be supported through the NAIRR pilot is going to help inform some of these other efforts, such as those being run through [the National Institute of Standards and Technology] or the AI Safety Institute as they move forward to kind of formalize some of these benchmarks around how do we test, how do we verify that these models are trustworthy,” deBlanc-Knowles said. 

Nine federal agencies will join NSF as partnering entities: the Department of Energy, the Department of Veterans Affairs, NASA, the National Institutes of Health, NIST, the National Oceanic and Atmospheric Administration, the Defense Advanced Research Projects Agency, the U.S. Patent and Trademark Office and the Department of Defense. 

These agencies will work together in close coordination alongside other federal efforts that could benefit or inform NAIRR’s work, deBlanc-Knowles said.

Researchers will be able to apply for access to the NAIRR portal on Wednesday. The pilot program is slated to run for two years. Antypas said that in the pilot’s first launch, officials anticipate supporting 25 to 50 research projects. More projects will come online as additional resources from partnering entities are made available. 

In terms of the application process, researchers will need to first request access to NAIRR tools. They will be vetted based on their responsiveness to the open opportunity call, and a matching process will determine the outcome of each request. 

The NAIRR pilot’s launch is a result of President Joe Biden’s October 2023 executive order on AI. Sethuraman Panchanathan, the NSF director, said that NAIRR is meant to inspire and motivate innovation and talent across the U.S. with quality resources. 

“We need resources to advance AI that is open to all so that every community across our nation may reap the benefits of AI,” Panchanathan said. “Therefore, a National AI Research Resource simply put, has the potential to change the trajectory of our country’s approach to AI. It will lead the way for a healthy, trustworthy U.S. AI ecosystem.”

Article link: https://www.linkedin.com/posts/nextgovfcw_nsf-launches-ai-resource-pilot-to-spur-us-activity-7156285717692760064-xGbP?

DoD’s new memo puts stricter requirements on cloud providers

Posted by timmreardon on 02/03/2024
Posted in: Uncategorized.

Anastasia Obis

January 23, 2024 5:28 pm

A new memo from the Defense Department clarifies who is accountable for ensuring the security of cloud services at the FedRAMP moderate level.

The latest document provides guidance on a clause within the Defense Federal Acquisition Regulation Supplement regarding the application of FedRAMP moderate to cloud services being used by contractors for storing and processing covered defense information.

“One of the things that we learned in the early days of cloud was there was a lot of finger-pointing going on when something bad would happen. Let’s say a vulnerability would be found, or a zero-day event happened, there was this confusion around, ‘Is that the cloud service provider’s responsibility? Is that a contractor’s responsibility? Is that the government’s responsibility or somebody else? Who really is responsible?’” Raj Iyer, ServiceNow’s global head of public sector and a former chief information officer of the Army, told Federal News Network.

“And I think what this memo clarifies is that at the end of the day, the DoD’s contract is with that company A, and they got to make sure that they have an incident response plan, which shows how they’re going to coordinate any kind of remediation, or triaging that needs to happen when there is an incident that happens. That way, DoD holds the contractor accountable and responsible, and it’s their job to coordinate with all of the stakeholders.”

Historically, there has been a lot of debate around what being FedRAMP equivalent means. Since 2016, the DFARS clause said that if contractors use an external cloud service provider to store, process or transmit controlled unclassified information (CUI), the contractor should ensure that the cloud service provider meets security requirements equivalent to the FedRAMP moderate baseline.

The DFARS clause also required the cloud service provider to comply with incident reporting, data retention and access requirements listed in the clause.

With the new memo, to be considered FedRAMP moderate, cloud services must achieve 100% compliance with the latest security control baseline through an assessment conducted by a FedRAMP-recognized third-party organization.

In addition, the cloud service provider needs to present a list of evidence, or a body of evidence, to the contractor, including a system security plan, security assessment plan, security assessment report and a plan of action and milestones should they fall short in any areas. The memo says that requirements for FedRAMP moderate equivalency do not allow for a plan of action and milestones from a third party organization and any action items identified in the plan of actions and milestones must be marked as closed by the third party.

“From an evidence standpoint, the evidence requirements are pretty consistent with things that are going to be in your security package. I don’t think there’s anything in there that’s going to be super hard for organizations to come up with,” Grant Schneider, senior advisor to the Alliance for Digital Innovation and a former federal chief information security officer, told Federal News Network.

“With the 100% compliance and the inability to have a plan of action and milestone, even though they list plan of action milestones as a piece of the evidence that you have to meet every element under FISMA moderate, under 800-53, I think that may be a challenge for organizations to meet.”

Schneider said that if organizations are not 100% compliant with the latest FedRAMP moderate security control baseline for various reasons, it will have to be a business decision whether they want to make that investment to get to 100% to do business with DoD.

The memo says that the contractor approves their organization’s cloud services and ensures that the selected cloud service provider has a response plan. Moving forward, the contractor, not the cloud service provider, will be held responsible for reporting should a compromise happen and make sure their cloud provider follows the incident response plan.

It’s unclear what triggered the memo, but Schneider said he would like to see more context for what might have caused its issuance.

“I would love to see, is there a particular issue that the department ran into, in some way, shape or form that caused them to put this out? Or is there a particular risk that they’re looking to avoid? I don’t know what that is, but I would certainly love to know what the answer is,” Schneider said.

Over the years, DoD has had various cyber policies emerging independently, including the Cybersecurity Maturity Model Certification (CMMC) program, with the zero trust framework eventually becoming an overarching approach to cybersecurity. As for the memo, Iyer said this is most likely one of the policy areas that needed tightening up.

“The DoD is relying more and more on cloud service offerings, putting more and more of our sensitive data in the cloud. And it became clear to [our adversaries], if there’s a single point of failure, it is cloud. Second point, it was very clear that our adversaries knew that the vulnerabilities were in the supply chain,” Iyer said.

“Yes, this does put a burden on industry. But I think for industry, for the defense industrial base, they’ve always known that this was coming. So this should be no news to anybody. We shouldn’t expect to see any pushback. And for the cloud service providers like us, we’ve always taken this seriously. And it’s part of what you have to do to serve the defense customer. And yes, it comes with the cost. But this is going to filter out companies that are serious about working with the DoD and protecting the data. It is absolutely critical that the tightening happens through the policy and process,” he added.

CMMC final rule

David McKeown, DoD’s chief information and security officer, signed the FedRAMP equivalency memo on Dec. 21, but it didn’t become public until January. The long-awaited CMMC proposed rule came out around the same time, laying out requirements “for a comprehensive and scalable assessment mechanism” to ensure defense contractors and subcontractors implement required security protocols when sharing sensitive unclassified information on their networks.

The proposed CMMC rule adds little detail on top of DFARS 7012, and the memo’s requirements appear to be more stringent than what is laid out in the proposed rule. DoD will most likely align the requirements from both documents when it releases the final CMMC rule.

“I think the question will be if there’s something that the DoD is intending this memo to change inside of CMMC, I would really hope for their sake that they already had that in the proposed rule. Because typically, once a proposed rule is out for public comment, you can make changes in the final rule. But typically, you can’t make really big substantive changes that weren’t somehow either included or alluded to in the proposed rule. So if this is going to cause a significant shift, I think that could be problematic just from a rulemaking procedure or from a rulemaking standpoint,” Schneider said.

Article link: https://federalnewsnetwork.com/cybersecurity/2024/01/dods-new-memo-puts-stricter-requirements-on-cloud-providers/

Agencies’ FISMA implementation is still ‘mostly ineffective,’ watchdog says

Posted by timmreardon on 02/03/2024
Posted in: Uncategorized.

By Edward Graham, January 10, 2024

The Government Accountability Office found that less than half of surveyed federal agencies had compliant security programs and called for improved performance metrics.

The federal government’s implementation of the Federal Information Security Modernization Act — or FISMA — “continued to be mostly ineffective” in fiscal 2022, with only eight of 23 surveyed civilian agencies found to have effective information security programs in place, according to a Government Accountability Office report released on Tuesday.

FISMA requires covered agencies to develop and implement programs to secure their information systems. The Office of Management and Budget is also tasked with overseeing agencies’ security practices and developing policies to guide implementation of their cyber standards.

GAO reviewed inspectors general reports on the surveyed agencies’ compliance with FISMA for the 2021 and 2022 fiscal years and said that, while “some improvement was reported,” broad adherence to the security standards was still lacking.

“IGs reported various causes for the ineffective programs, including management accountability issues and gaps in standards and quality control,” the watchdog said, adding that “addressing the causes could improve the federal government’s cybersecurity posture.”

Despite finding that just eight surveyed agencies had implemented effective security programs in FY2022 — the departments of Homeland Security, Education and Justice, as well as the Environmental Protection Agency, General Services Administration, National Science Foundation, Nuclear Regulatory Commission and the U.S. Agency for International Development — GAO said its latest report still represented something of a high-water mark in terms of recent levels of compliance with FISMA.

“Out of the 23 civilian [Chief Financial Officers Act] agencies, no more than eight received an effective rating in any given year over the last six years of reporting (fiscal years 2017 through 2022),” the watchdog said.

OMB provides metrics for evaluating the effectiveness of agencies’ security programs and their implementation of FISMA, but GAO said that “agencies and IGs stated that some FISMA metrics are not useful because they do not always accurately evaluate information security programs.”

The watchdog said agencies and IGs reported that FISMA metrics “should be clearly tied to performance goals, account for workforce issues and agency size and incorporate risk,” and further suggested that “crafting metrics that address the key causes of ineffective programs could enhance their effectiveness.” 

GAO made two recommendations to OMB, including calling for the agency to develop metrics “related to causes of ineffective information security programs identified by IGs” and to “improve the [chief information officer] and IG FISMA metrics to clearly link them to performance goals, address workforce challenges, consider agency size and adequately address risk.”

OMB did not agree or disagree with the watchdog’s recommendations but provided technical comments that were incorporated into the report.

Article link: https://www.nextgov.com/cybersecurity/2024/01/agencies-fisma-implementation-still-mostly-ineffective-watchdog-says/393246/?

Bipartisan bill strives for ‘more nimble and meaningful’ federal contracting – Nextgov

Posted by timmreardon on 02/03/2024
Posted in: Uncategorized.

By Edward Graham, January 22, 2024

Legislation from Sens. Gary Peters, D-Mich., and Joni Ernst, R-Iowa, would “streamline procedures” for both solicitation and awards by slimming down the procurement process.

A new bipartisan proposal seeks to simplify the federal contracting process — and potentially allow for more small businesses to work with the government — by reducing burdensome requirements and creating “a more nimble and meaningful bidding process and evaluation of proposals.”

The Conforming Procedures for Federal Task and Delivery Order Contracts Act was introduced by Sens. Gary Peters, D-Mich., and Joni Ernst, R-Iowa, on Jan. 19. 

The bill seeks “to streamline procedures for solicitation and the awarding of task and delivery order contracts for agencies” by shrinking “the procurement process for contractors bidding on work as well as for the government, ensuring necessary due diligence is done while allowing awards to be made faster and to a wider array of contractors, including small businesses.”

This includes reducing “duplication of documentation requirements for agencies” and applying some of the contracting measures that the Department of Defense “currently has in place to all federal agencies.”

Ernst — the ranking member of the Senate Small Business and Entrepreneurship Committee — said in a statement that “too much bureaucratic red tape stands in the way” when it comes to smaller companies effectively competing for federal contracts.

“By making the award process faster and wider, Iowa’s small businesses and entrepreneurs can better compete and succeed,” she added, referencing the benefits the bill would have for her Hawkeye State constituents. 

In a statement, Peters also said the legislation “streamlines the contracting process for federal government agencies, and as a result will boost small businesses trying to stay competitive and will increase efficiency for all government agencies, benefitting people across the nation.”

This isn’t the first time that Peters and Ernst have teamed up on legislation to improve the government’s procurement process, which is receiving renewed attention as lawmakers discuss the role that emerging technologies can play in bolstering the capabilities of federal services. 

The senators previously authored legislation, known as the PRICE Act, to “promote innovative acquisition techniques and procurement strategies” to improve the contracting process for small businesses. Their bill was signed into law in February 2022. 

Peters and Ernst also introduced legislation in July 2022 that would require the Office of Management and Budget and the General Services Administration “to streamline the ability of the federal government to purchase commercial technology and provide specific training for information and communications technology acquisition.”

Following a Jan. 10 Senate Homeland Security and Governmental Affairs Committee hearing on how artificial intelligence can be used to improve government services, Peters — who chairs the panel — also told Nextgov/FCW “how the federal government procures AI… is going to have a big impact on AI throughout the economy.”

“And I think that’s a very effective way for us to think about AI regulation, through the procurement process,” he said.

Article link: https://www.nextgov.com/acquisition/2024/01/bipartisan-bill-strives-more-nimble-and-meaningful-federal-contracting/393508/?

Multi-factor authentication suffers from three major weaknesses

Posted by timmreardon on 01/28/2024
Posted in: Uncategorized.

By Al Lakhani, published 2 days ago

Security weaknesses of multi-factor authentication

“Multi-Factor Authentication stops 99% of all attacks.” It’s a phrase we hear a lot.

However, while MFA has become the go-to cybersecurity solution deployed by businesses globally, we must recognize that not all MFA solutions are created equal. Many are as easy to hack with social engineering and phishing as traditional passwords. So, the claim that almost all attacks can be repelled by MFA is an oversimplification at best and insincere at worst.

This raises an important question: if so many MFA solutions are ineffective at fending off commonplace cyber threats (such as phishing attacks, which account for more than 80% of cyber-attacks), why do businesses still rely upon them?

One plausible answer is that business software packages – think Google Workspace or Microsoft 365 – come with in-built two-factor authentication. Businesses may, therefore, think that investing in another solution is an unnecessary additional expense.

Another factor is that many cyber insurers now demand that organizations adopt MFA in the underwriting stage of the insurance process. It could be the case, then, that IT decision-makers treat MFA as a check-the-box exercise in order to comply with insurers’ requirements. And they do so without carefully considering the difference between good MFA and bad MFA.

Whatever the reason, it is clear that many organizations are adopting MFA without scrutinizing the effectiveness of their chosen solution and which attacks it actually prevents.

So, it is important we take a step back and understand some of the inherent weaknesses of your typical MFA solution.

1. Second factor authenticators are still vulnerable to attack

The basis of most MFA solutions is that, even if someone manages to get hold of a user’s password, they still need to bypass the second piece of the puzzle – such as an SMS code, One Time Password (OTP) or approving a push notification – in order to access the account.

At face value, this seems quite secure. However, the very nature of these second layers of authentication can do more harm than good, paradoxically providing hackers with further opportunities for attack. It’s a double-edged sword that many businesses fail to fully grasp when choosing their security solutions.

Indeed, OTPs can be exploited by ‘on the fly’ phishing attacks that put a business’s sensitive information at risk; SMS authenticators are prone to ‘smishing’; and many criminals can now hijack authenticating notifications directly from the source. Meanwhile, the ‘human element’ is employed by hackers to defeat push notifications via prompt bombing.

The apparent protection of additional layers of security, therefore, could be blinding decision-makers to the inherent dangerous vulnerabilities, prompting the need for tech and cyber decision-makers to re-evaluate the true efficacy of these widely adopted security measures.

2. All MFAs including passkeys can be bypassed

The main issue here – and it’s pretty mind-boggling – is that all MFA solutions can be circumvented by hackers to gain access without needing to provide any authentication factors. There are two main causes: session cookies and centralization.

A session cookie is a piece of information stored in the user’s device browser after authentication. This allows the user to access the required resource without needing to re-authenticate on every interaction with the service provider. Therefore, anyone with access to the session cookies can infiltrate the user account without being required to authenticate.

Hackers use this tactic in what is known as an Adversary-in-the-Middle (AiTM) attack, capturing authenticated session cookies from users at the point of authentication. With the session cookies, hackers can access a user’s account without the need for password authentication, rendering the MFA solution useless. A recent example is the Okta breach, where session cookies were stolen from Okta’s customer support management system to compromise many of their customers, including 1Password and Cloudflare.
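One server-side mitigation for the stolen-cookie problem described above is to bind each session to the client context it was issued to and revoke it the moment the cookie shows up from a different one. The following is an added example, not the article's or any vendor's code; the client contexts, the JA3-style TLS fingerprint strings and the /24 prefix rule are constructed assumptions.

```python
"""Session binding: detect and revoke a replayed session cookie.

Added example (not the article's or any vendor's code). The binding fields,
the sample client contexts and the JA3-style TLS fingerprint strings are
constructed; a real deployment gets them from the TLS terminator and the
request headers.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    binding: str          # fingerprint of the client context the cookie was issued to
    issued_at: float
    revoked: bool = False
    anomalies: list[str] = field(default_factory=list)


def client_binding(ip: str, user_agent: str, tls_fp: str) -> str:
    """Fingerprint the client context a session is bound to.

    Only the /24 (IPv4) or /64 (IPv6) prefix is used, so ordinary address
    churn behind a carrier NAT does not log legitimate users out.
    """
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return hashlib.sha256(f"{net}|{user_agent}|{tls_fp}".encode()).hexdigest()


class SessionStore:
    def __init__(self, max_age: float = 8 * 3600) -> None:
        self._sessions: dict[str, Session] = {}
        self.max_age = max_age

    def issue(self, user: str, ip: str, user_agent: str, tls_fp: str) -> str:
        """Called once full MFA has succeeded; returns the cookie value."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(
            user, client_binding(ip, user_agent, tls_fp), time.time()
        )
        return sid

    def validate(self, sid: str, ip: str, user_agent: str, tls_fp: str,
                 now: float | None = None) -> tuple[bool, str]:
        """Return (accepted, reason) for a request presenting cookie `sid`.

        A binding mismatch revokes the session outright: the cookie is treated
        as captured, so neither the replaying client nor the original one can
        keep using it, and the user has to authenticate again.
        """
        s = self._sessions.get(sid)
        if s is None:
            return False, "unknown-session"
        if s.revoked:
            return False, "revoked"
        now = time.time() if now is None else now
        if now - s.issued_at > self.max_age:
            s.revoked = True
            return False, "expired"
        presented = client_binding(ip, user_agent, tls_fp)
        if not hmac.compare_digest(presented, s.binding):
            s.revoked = True
            s.anomalies.append(f"user={s.user} cookie replayed from {ip} ({user_agent})")
            return False, "binding-mismatch"
        return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """A legitimate session followed by a replayed cookie (all values constructed)."""
    store = SessionStore()
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
    sid = store.issue("barry", "203.0.113.10", ua, "ja3:c0ffee")
    out = [store.validate(sid, "203.0.113.12", ua, "ja3:c0ffee")]      # same /24: accepted
    out.append(store.validate(sid, "198.51.100.7", "python-requests/2.31", "ja3:deadbeef"))
    out.append(store.validate(sid, "203.0.113.10", ua, "ja3:c0ffee"))  # now revoked too
    return out
```

Binding only catches replay from a context other than the one the cookie was issued to; when the AiTM proxy itself completed the login, the issuing context is the proxy's, which is why origin-bound authentication (passkeys/WebAuthn) that the proxy cannot complete is the stronger fix.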

These attacks can be prevented with the use of phish-resistant MFA such as a passkey. But the plot thickens…

Passkeys are designed to synchronize to all user devices so that the user can use them to log in from any of their devices. However, they are still vulnerable due to their reliance on centralization.

Although passkeys rely on public key cryptography, their dependence on the platform’s security (the security provided by Google, Apple, Microsoft and so forth) means that a business’s security is equivalent to that of a user’s Google or Apple account credentials. This is because almost all user accounts depend on a password and a vulnerable second factor authenticator, so they can be phished or circumvented using AiTM. As a result, passkeys can also be bypassed, and cannot provide meaningful security to businesses.

To adapt the old cliché, a cybersecurity solution is only as strong as its weakest link. User credentials are often that weak link.

3. Some MFA solutions are phish-resistant, but not phish-proof

To date, the highest level of security has typically come from “phish-resistant” MFA. Some MFA solutions can accurately claim to be ‘phish-resistant’, but they are not ‘phish-proof’ because they still rely on phishable factors at some point in their implementation or recovery lifecycle.

This is a critical shortcoming of many MFA solutions and a particularly pertinent issue in the UK. Research has found that 83% of British organizations experienced a phishing attack last year, which reportedly cost an average loss of £245,000 per business per attack.

This weakness basically means that a user’s account might be secure once the solution has been implemented. But the process of adding a new user, adding a new device to an account or recovering an account if the registered device is lost or damaged can be exploited using phishing techniques.

For instance, let’s say that ‘Barry from accounts’ doesn’t have the device he registered his passkey on or lost his FIDO2 security key. Phish-resistant MFAs fall back to phishable factors such as SMS, OTP or push notifications to enable Barry to recover his account.

Or Barry does not realize that the same phishable factors such as SMS, OTP, push or passwords were used by someone else to add another FIDO2 security key to his account without his knowledge.

More must be done to raise awareness of the difference between phish-resistant and phish-proof. Precious few MFA solutions can truly claim to be phish-proof. Truly phish-proof MFA solutions are able to eliminate breaches like AiTM, because they secure the entire user identity life cycle – with these solutions, registration, identity proofing, authenticator establishment, authentication, recovery-identification, and account termination are immune to even sophisticated phishing attacks.

This means that attackers are prevented from bypassing authentication, intercepting and/or tricking users into revealing access credentials by the fact that they simply don’t exist in that solution’s authentication lifecycle. What’s more, phish-proof solutions ensure the chain of trust established at the stage of user identity proofing is transitive, so it cannot be broken and is provable at every stage of the identity lifecycle.
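The Barry scenarios above (recovery falling back to SMS, and a FIDO2 key added on the strength of a phishable factor) come down to one policy rule: a factor may only vouch for a factor no stronger than itself, and that trust is transitive through the enrollment chain. The following policy check is an added example, not the article's or any product's code; the factor names, strength tiers, event names and Barry's sample account are constructed.

```python
"""Identity-lifecycle policy: a factor may only vouch for a factor no stronger
than itself, and trust is transitive through the enrollment chain.

Added example, not the article's or any product's code. The factor names,
strength tiers, event names and Barry's sample account are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Strength(IntEnum):
    PHISHABLE = 1   # password, SMS code, OTP, push approval
    RESISTANT = 2   # origin-bound credentials: FIDO2 key, passkey
    PROOFED = 3     # fresh identity proofing (the root of the chain)


FACTOR_STRENGTH: dict[str, Strength] = {
    "password": Strength.PHISHABLE, "sms": Strength.PHISHABLE,
    "otp": Strength.PHISHABLE, "push": Strength.PHISHABLE,
    "fido2": Strength.RESISTANT, "passkey": Strength.RESISTANT,
}

# Minimum effective strength the requester must have just satisfied. Recovery
# is the case where no resistant authenticator is left, so (assumption) the
# only non-phishable route back in is re-proofing the identity.
REQUIRED = {
    "authenticate": Strength.RESISTANT,
    "add-authenticator": Strength.RESISTANT,
    "recover": Strength.PROOFED,
}


@dataclass
class Authenticator:
    id: str
    kind: str
    enrolled_via: str | None   # id of the vouching authenticator; None = identity proofing


@dataclass
class Account:
    user: str
    authenticators: dict[str, Authenticator] = field(default_factory=dict)

    def enroll(self, auth: Authenticator) -> None:
        self.authenticators[auth.id] = auth

    def effective_strength(self, auth_id: str) -> Strength:
        """Transitive trust: an authenticator is only as strong as the weakest
        link in the chain that enrolled it."""
        auth = self.authenticators[auth_id]
        own = FACTOR_STRENGTH[auth.kind]
        if auth.enrolled_via is None:
            return own
        return min(own, self.effective_strength(auth.enrolled_via))

    def weak_links(self) -> list[str]:
        """Phishing-resistant authenticators that a phishable factor let in."""
        return [
            a.id for a in self.authenticators.values()
            if FACTOR_STRENGTH[a.kind] >= Strength.RESISTANT
            and self.effective_strength(a.id) < Strength.RESISTANT
        ]

    def authorize(self, event: str, satisfied: list[str],
                  fresh_proofing: bool = False) -> tuple[bool, str]:
        """Decide a lifecycle event from the factors the requester just completed."""
        levels = [self.effective_strength(s) for s in satisfied]
        if fresh_proofing:
            levels.append(Strength.PROOFED)
        if not levels:
            return False, f"{event}: no factor satisfied"
        best = max(levels)
        if best < REQUIRED[event]:
            return False, f"{event}: strongest factor is {best.name}, need {REQUIRED[event].name}"
        return True, f"{event}: ok"


def demo() -> dict[str, object]:
    """Barry's account (constructed): a FIDO2 key was added after only an SMS code."""
    acct = Account("barry")
    acct.enroll(Authenticator("pk", "passkey", None))     # enrolled at identity proofing
    acct.enroll(Authenticator("sms", "sms", "pk"))
    acct.enroll(Authenticator("key2", "fido2", "sms"))    # vouched for by SMS only
    return {
        "weak_links": acct.weak_links(),
        "recover_via_sms": acct.authorize("recover", ["sms"]),
        "add_via_key2": acct.authorize("add-authenticator", ["key2"]),
        "add_via_passkey": acct.authorize("add-authenticator", ["pk"]),
        "recover_proofed": acct.authorize("recover", [], fresh_proofing=True),
    }
```

`weak_links()` is the audit view: it surfaces every "resistant" authenticator whose chain bottoms out in a phishable factor, which is exactly the key Barry never knew was added.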

The next generation of MFA

This may seem like a scathing attack on MFA. Fortunately, though, as noted at the start, not all MFA is created equal. Better solutions are out there.

The next generation of MFA solutions addresses the weaknesses outlined above. They do this by eliminating the vulnerabilities and phishable factors that leave businesses’ IT systems open to attack.

The key innovation of this new wave of technology is that it moves beyond the reliance on passwords. Instead, these solutions embrace cutting-edge Zero Trust Architecture (ZTA) technology rooted in principles like transitive trust, identity proofing and the adoption of the W3C Web Authentication Standard, which tackle the core issues behind data breaches and remove the threat of human error.

By implementing technology from this new wave of MFA, businesses can make their cyber security systems immune to both external and internal threats and guarantee robust authentication through the entire identity lifecycle.

It’s time to recognize that basic MFA solutions that rely on OTPs, push, and QR-code are relics of the past. They suffer from the same inherent flaws that have plagued password-based cybersecurity technology for decades – namely, they cannot prevent all credential phishing and password-based attacks. Slowly but surely, the industry is recognizing that zero trust paves the way to a more secure and efficient future.


This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Al Lakhani is the founder and CEO of IDEE. Al is a recognized cyber security expert, digital identity crusader, inventor, entrepreneur, and university lecturer with more than 25 years’ experience in cyber forensics.

Article link: https://www.techradar.com/pro/multi-factor-authentication-suffers-from-three-major-weaknesses

Thoughts Regarding Artificial Intelligence (AI)

Posted by timmreardon on 01/28/2024
Posted in: Uncategorized.

DOD opens new Innovation OnRamp Hubs across 5 states

Posted by timmreardon on 01/26/2024
Posted in: Uncategorized.

DefenseScoop was briefed on the new DIU-led pursuit.

By Brandi Vincent

JANUARY 25, 2024

The Pentagon is in the midst of launching five new Defense Innovation OnRamp Hubs where startups, academia, industry and others in specific regions around the U.S. can more strategically engage and directly connect with department officials to commercialize in-demand, dual-use technologies that are also being prioritized in their local areas. 

A program office within the Defense Innovation Unit, the National Security Innovation Network (NSIN), officially unveiled the latest of those hubs in Seattle Jan. 21. Two other sites in Kansas and Ohio hosted launch events in mid-December, and locations in Arizona and Hawaii are each set to celebrate their openings within the next few months.

“The OnRamp Hub program was developed to streamline collaboration between industry, academia and defense operations to get the needed technologies, information and products in the hands of those who need it most. We are extremely excited to work with these locations to bring this opportunity to their innovation ecosystem,” NSIN’s Acting Defense Innovation OnRamp Hub Program Director Cassie Muffley told DefenseScoop this week.

Each of these new centers “will execute three primary functions to lower the barrier to entry” for working with the Defense Department, Muffley explained. They include:

  • Offering a physical location that serves as an off-base, easily accessible “front door” for new people, ideas, and technologies from academia and industry to connect to multiple facets of the DOD.
  • Providing DOD entities from multiple services with a means to better coordinate activities and outreach into specific geographic regions.
  • Providing access to a physical and digital space for DOD “intrapreneurs” to meet, collaborate and innovate.

The overarching idea is that these sort of one-stop shops will help the Pentagon better leverage startups and academic communities for new concept development, and facilitate the creation of new, dual-use ventures by commercializing DOD lab technology and through customer discovery activities.

They’re also meant to make it easier for interested entrepreneurs to learn how to break into the defense industrial base, and get Pentagon insiders more acclimated in various domestic tech hotspots. 

“By changing the way that small and medium-sized technology companies work with the DOD, we can grow our technological edge that our service branches need to stay competitive and deter conflict,” Muffley said.

To ultimately select these five locations, DIU and NSIN officials assessed a number of factors about different areas, including the robustness of the defense innovation ecosystem; relevance of the innovation ecosystem to DOD needs; health of the innovation ecosystem; expressed demand signal from the innovation ecosystem; existence of similar facilities within key geographic areas; and expressed demand from the Pentagon.

“Each OnRamp Hub will deliver tailored opportunities, programming, and activities, based on their local needs and opportunities to leverage and partner with other activities,” Muffley told DefenseScoop.

As an example, NSIN — in partnership with the Washington Air National Guard (WA ANG), 194 Communications Flight — is preparing to lead an upcoming pitch event and demonstration to identify emerging technologies that could be used to establish two-way communication during an eruption of Mt. Rainier or other natural disasters.

“Participating in NSIN programming through OnRamp Hub: Washington assists innovators in navigating the process of gaining government contracts,” Muffley also noted.

All of the hubs will also provide education related to doing business with the DOD — on topics such as specialized funding options, determining and filing for the correct business classifications, and complex policy compliance. 

“We support the warfighter in gaining a competitive advantage when dealing with 21st century conflicts. This is an amazing opportunity for local entities to engage in national and international efforts that truly make a difference,” Muffley said.

Written by Brandi Vincent

Brandi Vincent is DefenseScoop’s Pentagon correspondent. She reports on emerging and disruptive technologies, and associated policies, impacting the Defense Department and its personnel. Prior to joining Scoop News Group, Brandi produced a long-form documentary and worked as a journalist at Nextgov, Snapchat and NBC Network. She was named a 2021 Paul Miller Washington Fellow by the National Press Foundation and was awarded SIIA’s 2020 Jesse H. Neal Award for Best News Coverage. Brandi grew up in Louisiana and received a master’s degree in journalism from the University of Maryland.

Article link: https://defensescoop.com/2024/01/25/nsin-defense-innovation-onramp-hubs-diu-5-states/?
