Defense Innovation Board looks to lock data access in ‘all vendor agreements’: The Pentagon would mandate data access in all vendor contracts under a new legislative requirement recommended by the Defense Innovation Board in its most recent report.

The report, which examined the Department of Defense’s data economy, said “the current state of data access within DOD vendor agreements is fragmented and inconsistent” and includes suggested legislative text for the FY2025 National Defense Authorization Act that would “enshrine DOD data access and rights in all vendor agreements.”

The DIB — an independent oversight committee that provides technology recommendations to the defense secretary and other senior Pentagon officials — was tasked in October 2023 by David Honey, DOD’s undersecretary of defense for research and engineering, to help the department enhance its use of data. The study was cleared for public release on January 23.
https://buff.ly/3OFtyST

A recent study from the advisory group said data access requirements in the Pentagon’s vendor agreements are “fragmented and inconsistent” and called for Congress to take action

The Pentagon would mandate data access in all vendor contracts under a new legislative requirement recommended by the Defense Innovation Board in its most recent report. 

The report, which examined the Department of Defense’s data economy, said “the current state of data access within DOD vendor agreements is fragmented and inconsistent” and includes suggested legislative text for the FY2025 National Defense Authorization Act that would “enshrine DOD data access and rights in all vendor agreements.”

The DIB — an independent oversight committee that provides technology recommendations to the defense secretary and other senior Pentagon officials — was tasked in October 2023 by David Honey, DOD’s undersecretary of defense for research and engineering, to help the department enhance its use of data. The study was cleared for public release on January 23. 

The report called the Pentagon’s efforts to quickly access and use needed data across the entire department “outdated,” noting that inadequate data access practices are “inhibiting effective interoperability and utilization of data across various platforms” needed to enable the DOD’s Combined Joint All-Domain Command and Control initiative. Known as CJADC2, the ongoing departmentwide effort seeks to streamline information-sharing across disparate military domains into one cohesive network.

The board said the NDAA proposal — which it called an “initial action” to address the department’s broader data access issues — would ensure that all future DOD vendor agreements “incorporate clear language on data rights and interoperability that manages data procured or generated under defense industrial contracts, and that facilitates, safeguards and future-proofs DOD’s access to this data.”

The DIB report also recommended that the proposed requirement “direct the formation of a federated defense industrial data catalog for defense companies and the department, a trusted community of interest for accessing this federated data catalog and an oversight body for this new data marketplace.”

During the DIB’s quarterly public meetingon Jan. 26, Ryan Swann — a board member and the chief data analytics officer at Vanguard — said the recommended NDAA proposal would help the Pentagon “prioritize data rights and data interoperability so that we can get data out of our platforms and systems so they can be shared securely, kind of across the enterprise where we find value, or where we are able to leverage AI to create value.”

While the board’s report said including its recommendation in the next must-pass defense policy bill would not, on its own, be a panacea for all of DOD’s data challenges, it wrote that “enhanced collaboration with commercial vendors will propel DOD’s antiquated approach to data access decades forward in the next 12 to 18 months.”

Article link: https://www.nextgov.com/defense/2024/02/defense-innovation-board-looks-lock-data-access-all-vendor-agreements/393929/?

Samantha Anderer; Yulin Hswen, ScD, MPH

Article Information

JAMA. Published online February 7, 2024. doi:10.1001/jama.2023.22981

This conversation is part of a series of interviews in which JAMA Editor in Chief Kirsten Bibbins-Domingo, PhD, MD, MAS, and expert guests explore issues surrounding the rapidly evolving intersection of artificial intelligence (AI) and medicine.

AI applications for health care should be designed to function well in different settings and across different populations, says Marzyeh Ghassemi, PhD (Video), whose work at the Massachusetts Institute of Technology (MIT) focuses on creating “healthy” machine learning (ML) models that are “robust, private, and fair.” The way AI-generated clinical advice is presented to physicians is also important for reducing harms, according to Ghassemi, who is an assistant professor at MIT’s Department of Electrical Engineering and Computer Science and Institute for Medical Engineering and Science. And, she says, developers should be aware that they have a responsibility to clinicians and patients who could one day be affected by their tools.

Video. AI and Clinical Practice— AI and the Ethics of Developing and Deploying Clinical AI Models

Video. AI and Clinical Practice— AI and the Ethics of Developing and Deploying Clinical AI Models

JAMA Editor in Chief Kirsten Bibbins-Domingo, PhD, MD, MAS, recently spoke with Ghassemi about “ethical machine learning,” the computer scientist’s decision to opt out of AI in her own health care, and more.

The following interview has been edited for clarity and length.

Dr Bibbins-Domingo:You have a research lab, Healthy ML. It specializes in examining biases in artificial intelligence, and you’re specifically interested in its applications in clinical practice. I’d love to hear how you got into the very specific area.

Dr Ghassemi:At the end of my PhD, we found out that [machine learning] models tend not to work as well in all groups. And that really informs what we do here in my lab today, focusing on how we make sure that models that are developed work robustly. And if you think about robustness, that could mean that it works well in a new environment or across different kinds of people.

Dr Bibbins-Domingo:How do you think about the range of reasons why a model might not perform well in one setting vs another or in one group of people vs another?

Dr Ghassemi:I try to think about it within the pipeline that all models are developed in. And this is not just in health care. This is for any machine learning model that might be developed and deployed in any human-facing setting. You choose a problem, collect some data, define a label, develop an algorithm, and then deploy it. In each part of that pipeline, there are reasons that your model might not perform as well. For problem selection, what we choose to fund and what we choose to work on is often biased. We tend to look at problems that are easy to address where there are more data readily available that can be correlated with different metrics of social status, or privilege, or just where funding tends to be allocated to.

For example, diseases that are disproportionately affecting people who are biologically female at birth tend to be understudied. And if we’re collecting data from these human sources, it’s probably going to have some bias in it just because of the way that humans interact with one another. Just by collecting data from a human process, you’re going to have some potential performance issues. We probably want machine learning models to replicate the very best health care practices that we see now, but if we take a random sample of data from thousands of hospitals and say, “Perform the way that an average doctor is performing on an average day,” we might get some behaviors that we don’t want to extend.

When we define a label, that’s another way that bias can be injected into the learning process. It’s a true-false label. We never contextualize it with the choice that’s being made or the human rule that’s being applied. When you collect labels in this descriptive way but then train a machine learning model, all of those machine learning models become much harsher. They have a much higher false-positive rate.

Dr Bibbins-Domingo:You use the term ethical machine learning. I’d love you to define what that term means for you and help us to understand it in the context of medical practice.

Dr Ghassemi:I think for me as a technical person, ethical machine learning means recognizing your responsibility to end users that might potentially be impacted by the models that you’re developing, the technology that you’re releasing. And I think there are many ethical frameworks that professional societies have—for engineers, for doctors, for different kinds of individuals that interact with humans.

And that’s not standard in computer science training. It wasn’t in my computer science curriculum. There wasn’t a specific set of rules, or regulations, or even principles that we went over. And now we’re seeing a lot of programs like the program at MIT step up and recognize that computer science impacts just as many people as many engineering disciplines do. But I think that we’re playing a little bit of catch-up in the field with people starting to recognize that these choices make an impact.

Dr Bibbins-Domingo:So, what does that mean for algorithms designed for use in clinical practice settings? Do you just need to be more aware and understand this ethical machine learning? Do you and I need to talk as you are developing a particular model? What types of processes get us to the point where we really are focused on the end user, in this case patients? And what type of team, and what type of processes, and what types of things get us there?

Dr Ghassemi:I think we need a change in the technical people, the technical societies, and the technical systems. We need to speak with and be informed by the needs of those whom we are collaborating with and not just to understand how data might have been collected but how a model might be deployed and what the risks are for such a deployment.

I think the problem here is not just that we’re using machine learning and health, it’s that we’re using this really powerful tool in a space where technology has been reasonably laxly regulated. We’re adding this extra tool to a setting that doesn’t currently have a lot of regulation, and I think it’s a struggle to catch up. If you’re upset about a machine learning model learning to kill more women than men, performing more poorly on women than men, but it learned that from the data, maybe we should try to address the underlying problem, which is that more women die in this procedure. Rather than saying, “I’m so angry that the model has learned this thing,” let’s use the fact that it learned it to address the underlying issue.

Dr Bibbins-Domingo:You’re speaking about such an important issue, and we are in an environment where this technology is moving at rapid speed, both the capabilities and the enthusiasm for adopting any type of machine learning, AI approach in health care. We also know that these models can be subject to biases. So, in your view, how should we think about regulation once the model’s developed or once it’s deployed?

Dr Ghassemi:I totally agree with you that it seems like the philosophy here is deploy ahead of regulation, which I don’t think is the right way of thinking about the role of technology in the health care setting. What I will say is, I think that the FDA [US Food and Drug Administration] has done really fantastic work toward trying to have systems where audits can be done for machine learning models. I think that there are improvements that could be made, like with any system.

I’m actually a big fan of the multiarm regulatory system that aviation has with different federal agencies that were created decades apart specifically to ensure that there’s safety in airplanes that exist, and there’s training for pilots to use technology, and that there are standards about how different airlines have to communicate, and there are responsibilities that airlines and carriers have to passengers who fly.

I think that we need the same kind of regulation that is well recognized as being not about assigning blame or liability but about ensuring safety and having a space and a culture of safety. And also that there is some amount of oversight where people voluntarily take a certain amount of training in order to be able to work well with technology prior to having it integrated into their setting.

I do want to address the fact that—unlike in aviation where there were lots of human-computer-interaction-end user studies done to figure out how best to show information to people in a stressful situation who are trying to make decisions—we haven’t done a lot of those studies in a human-computer interaction of machine learning or other technology-plus-doctor setting. We don’t actually know how best to give information to doctors, information that might be wrong sometimes by the way, such that they are able to use it well when it’s right and they’re not disproportionately biased by it when it’s wrong. The work that we’ve done so far suggests that the key or one of the keys to making sure that doctors aren’t misled by biased information is to make sure that it’s given to them descriptively.

Dr Bibbins-Domingo:And is that because we trust that it’s an AI model, it’s math, and therefore we should do what it says?

Dr Ghassemi:Based on other work by really fantastic researchers and work that my lab has done, I think it is two things coupled. Number one, it’s an automation bias. It’s been well documented in a clinical setting for a long time that if there’s a prefilled default, you’re more likely to use it.

And the other is exactly what you’re saying. We think it’s algorithmic overreliance. People assume that they have a system like a robot, or an AI, or an algorithm, whatever it is, that has access to more information than they do or is well aware of the risks that might be encountered by making an incorrect decision in that setting.

And there’s been many other documented settings where clinicians have been given incorrect or bad advice. And even when they’re made aware that potentially the model could give them incorrect or bad advice, they still exhibit these same automation and overreliance biases. And so, it’s something that we need to be really careful about when we consider exactly the way in which we give advice.

Dr Bibbins-Domingo:I am so glad you brought up the point that in other sectors where there is either a much longer history or a much closer level of training between computers and humans, like in aviation, there has been a lot of attention placed to how information is presented. And it’s clear that we need to understand that much more. It’s reminding me of a study we published in JAMAjust a few months ago on whether the idea of explaining the model can help to give the clinician better insights into where a model might be wrong. It showed that biased models produced the wrong results and the explainability didn’t mitigate against the degree to which a clinician was going to be led astray.

I think it speaks a little bit to what you’re saying here, and how important it is not just to assume that explaining how the model was built is going to help me not to go down the wrong road.

Dr Ghassemi:It’s been well established for a while that explainability methods can make a model less fair because fundamentally they are approximations. How do you make a model explainable? You make it simpler. And so, you have to approximate something. And what we’ve found previously is that these approximations tend to impact minority groups more than majority groups. Which sort of makes sense. If you need to approximate some complex nonlinear boundary and there’s a group you have to do a little bit less well at modeling, it’s probably the group that takes up a smaller amount of the space, right? Because that’s going to impact your performance less.

And so not only do explainability methods tend to make models less fair in many settings that we evaluated, this study in JAMAdemonstrates that explainability can even increase overreliance sometimes. Because if you just have a number or if you just have a description it doesn’t really short-circuit that critical thinking that you have to do to make the decision. But if you make it easy and you start engaging that overreliance and that automation bias where it’s telling you what to do, it’s explaining the reason, I think that’s where we start to see these biases really become very strong.

Dr Bibbins-Domingo:It’s so interesting. The modeling is complex, but humans and human behavior is also complex.

Dr Ghassemi:I think that’s the hardest thing, honestly. It’s such a complex system of interactions. I’m making this loose analogy to aviation. It’s not aviation. In aviation, you have a plane of hundreds of passengers. And the outcome for one is the outcome for all. They all land safely. And that’s not what happens in health care. And so, I think there’s so much more we need to do. There’s so much more research that needs to be done. And we really lack the backbone to do that because even before machine learning, we have had clinical risk scores that do not work for women.

I always tell people when I give these examples, sometimes they’ll say, “Well, a clinical risk score can’t work for every tiny subgroup. It’s hard to collect from minorities.” Women are not a minority. We’re half of the planet, sometimes more. And so, the fact that clinical risk scores have historically not worked for half the planet without machine learning, no AI needed, I think speaks to the fact that we need to understand how to use technology in the health care system, even if we didn’t have machine learning, in a way that doesn’t increase inequity.

Dr Bibbins-Domingo:Okay. So, what AI tools do you use?

Dr Ghassemi:I feel like I have to be very clear here because I have two very different opinions about a very fantastic thing. Like many people, when ChatGPT and other versions of GPT were released, I was so impressed with the technical accomplishment. I have spoken very widely about how unhappy I am that it’s being used for specific things in a clinical setting. I don’t think that that’s the best use of it.

But I will say if you write a grant or you have a great research idea, often you have to summarize it 7 different ways: a 100-word abstract for a general audience, a 200-word abstract for a scientific officer, a 300-word…. I love using GPT models to do summarizations of a specific length for a particular audience of work that I’ve done.

Dr Bibbins-Domingo:That’s a very good example. But let me give you the opportunity to maybe expand on what you were going to challenge us not to use it for before. What AI tools do you avoid or what would you not use right now?

Dr Ghassemi:I opt out of almost all uses of AI in a health setting. Both for myself and for dependents I have, because I’m well aware of the research, some of which is my own, that the tools are unlikely to work well for a minority female.

Dr Bibbins-Domingo:What do you say when someone says, “Well, we are never going to make models that are designed for people like you because you are not letting us use the data on people like you.”

Dr Ghassemi:I have spoken to minority communities and told them, “Please let me use your data. My model will not work. It will perform poorly on your population.” And that’s the reason that clinical models are so bad for so many people, because, sometimes intentionally, only certain groups were studied. What I say is I am doing research that will be peer reviewed, often brutally, and published in some venue. And then if I ever wanted to deploy it, I hope that any deployer, if it’s not me, would go through a rigorous approval process of ensuring that that model was robust prior to deployment.

I think there’s a fundamental difference between using data for discovery and understanding of the limits of machine learning and health vs automating an efficiency metric, or a decision, or an output that just needs to be obtained for an electronic health care record. I would consent to my data being used in a machine learning paper. But I don’t want it used to predict how much care should be allocated for me, or which medications I should have access to, or what kind of doctor I might be available to be referred to, because I know all of those decisions will be biased.

Dr Bibbins-Domingo:Your explanation I think helps us to understand where we are in a landscape of an evolving technology that is both very powerful and has known limitations and biases.

Article Information

Published Online: February 7, 2024. doi:10.1001/jama.2023.22981

Conflict of Interest Disclosures: Dr Ghassemi reported receiving funding from CIFAR, Quanta Computing, Microsoft Research, Helmsley Trust, Wellcome Trust, J-Clinic, IBM, Moore Foundation, Janssen Research and Development, VW Foundation, and Takeda.

Article link: https://jamanetwork.com/journals/jama/fullarticle/2815046

by Gary Hamel

April 14, 2015

Summary.   

Pope Francis has not tried to hide his desire to radically reform the administrative structures of the Catholic Church, which he sees as imperious and insular. The Church is, essentially, a bureaucracy, full of good-hearted but imperfect people – not much different than any organization, making the Pope’s counsel relevant for leaders everywhere. Pope Francis’s 2014 address of the Roman Curia can be translated into corporate-speak. It identifies 15 “diseases” of leadership that can weaken the effectiveness of any organization. These diseases include excessive busyness that neglects the need for rest, and mental and emotional “petrification” that prevents compassion and humility. The Pope also warns against poor coordination, losing a sense of community by failing to work together. A set of questions corresponding to the 15 diseases can help you determine if you are a “healthy” leader.

Pope Francis has made no secret of his intention to radically reform the administrative structures of the Catholic church, which he regards as insular, imperious, and bureaucratic. He understands that in a hyper-kinetic world, inward-looking and self-obsessed leaders are a liability.

Last year, just before Christmas, the Pope addressed the leaders of the Roman Curia — the Cardinals and other officials who are charged with running the church’s byzantine network of administrative bodies. The Pope’s message to his colleagues was blunt. Leaders are susceptible to an array of debilitating maladies, including arrogance, intolerance, myopia, and pettiness. When those diseases go untreated, the organization itself is enfeebled. To have a healthy church, we need healthy leaders.

Through the years, I’ve heard dozens of management experts enumerate the qualities of great leaders. Seldom, though, do they speak plainly about the “diseases” of leadership. The Pope is more forthright. He understands that as human beings we have certain proclivities — not all of them noble. Nevertheless, leaders should be held to a high standard, since their scope of influence makes their ailments particularly infectious.

The Catholic Church is a bureaucracy: a hierarchy populated by good-hearted, but less-than-perfect souls. In that sense, it’s not much different than your organization. That’s why the Pope’s counsel is relevant to leaders everywhere.

With that in mind, I spent a couple of hours translating the Pope’s address into something a little closer to corporate-speak. (I don’t know if there’s a prohibition on paraphrasing Papal pronouncements, but since I’m not Catholic, I’m willing to take the risk.)

Herewith, then, the Pope (more or less):

The leadership team is called constantly to improve and to grow in rapport and wisdom, in order to carry out fully its mission. And yet, like any body, like any human body, it is also exposed to diseases, malfunctioning, infirmity. Here I would like to mention some of these “[leadership] diseases.” They are diseases and temptations which can dangerously weaken the effectiveness of any organization.

1. The disease of thinking we are immortal, immune, or downright indispensable, [and therefore] neglecting the need for regular check-ups. A leadership team which is not self-critical, which does not keep up with things, which does not seek to be more fit, is a sick body. A simple visit to the cemetery might help us see the names of many people who thought they were immortal, immune, and indispensable! It is the disease of those who turn into lords and masters, who think of themselves as above others and not at their service. It is the pathology of power and comes from a superiority complex, from a narcissism which passionately gazes at its own image and does not see the face of others, especially the weakest and those most in need. The antidote to this plague is humility; to say heartily, “I am merely a servant. I have only done what was my duty.”
2. Another disease is excessive busyness. It is found in those who immerse themselves in work and inevitably neglect to “rest a while.” Neglecting needed rest leads to stress and agitation. A time of rest, for those who have completed their work, is necessary, obligatory and should be taken seriously: by spending time with one’s family and respecting holidays as moments for recharging.
3. Then there is the disease of mental and [emotional] “petrification.” It is found in leaders who have a heart of stone, the “stiff-necked;” in those who in the course of time lose their interior serenity, alertness and daring, and hide under a pile of papers, turning into paper pushers and not men and women of compassion. It is dangerous to lose the human sensitivity that enables us to weep with those who weep and to rejoice with those who rejoice! Because as time goes on, our hearts grow hard and become incapable of loving all those around us. Being a humane leader means having the sentiments of humility and unselfishness, of detachment and generosity.
4. The disease of excessive planning and of functionalism. When a leader plans everything down to the last detail and believes that with perfect planning things will fall into place, he or she becomes an accountant or an office manager. Things need to be prepared well, but without ever falling into the temptation of trying to eliminate spontaneity and serendipity, which is always more flexible than any human planning. We contract this disease because it is easy and comfortable to settle in our own sedentary and unchanging ways.
5. The disease of poor coordination. Once leaders lose a sense of community among themselves, the body loses its harmonious functioning and its equilibrium; it then becomes an orchestra that produces noise: its members do not work together and lose the spirit of camaraderie and teamwork. When the foot says to the arm: ‘I don’t need you,’ or the hand says to the head, ‘I’m in charge,’ they create discomfort and parochialism.
6. There is also a sort of “leadership Alzheimer’s disease.” It consists in losing the memory of those who nurtured, mentored and supported us in our own journeys. We see this in those who have lost the memory of their encounters with the great leaders who inspired them; in those who are completely caught up in the present moment, in their passions, whims and obsessions; in those who build walls and routines around themselves, and thus become more and more the slaves of idols carved by their own hands.
7. The disease of rivalry and vainglory. When appearances, our perks, and our titles become the primary object in life, we forget our fundamental duty as leaders—to “do nothing from selfishness or conceit but in humility count others better than ourselves.” [As leaders, we must] look not only to [our] own interests, but also to the interests of others.
8. The disease of existential schizophrenia. This is the disease of those who live a double life, the fruit of that hypocrisy typical of the mediocre and of a progressive emotional emptiness which no [accomplishment or] title can fill. It is a disease which often strikes those who are no longer directly in touch with customers and “ordinary” employees, and restrict themselves to bureaucratic matters, thus losing contact with reality, with concrete people.
9. The disease of gossiping, grumbling, and back-biting.This is a grave illness which begins simply, perhaps even in small talk, and takes over a person, making him become a “sower of weeds” and in many cases, a cold-blooded killer of the good name of colleagues. It is the disease of cowardly persons who lack the courage to speak out directly, but instead speak behind other people’s backs. Let us be on our guard against the terrorism of gossip!
10. The disease of idolizing superiors. This is the disease of those who court their superiors in the hope of gaining their favor. They are victims of careerism and opportunism; they honor persons [rather than the larger mission of the organization]. They think only of what they can get and not of what they should give; small-minded persons, unhappy and inspired only by their own lethal selfishness. Superiors themselves can be affected by this disease, when they try to obtain the submission, loyalty and psychological dependency of their subordinates, but the end result is unhealthy complicity.
11. The disease of indifference to others. This is where each leader thinks only of himself or herself, and loses the sincerity and warmth of [genuine] human relationships. This can happen in many ways: When the most knowledgeable person does not put that knowledge at the service of less knowledgeable colleagues, when you learn something and then keep it to yourself rather than sharing it in a helpful way with others; when out of jealousy or deceit you take joy in seeing others fall instead of helping them up and encouraging them.
12. The disease of a downcast face. You see this disease in those glum and dour persons who think that to be serious you have to put on a face of melancholy and severity, and treat others—especially those we consider our inferiors—with rigor, brusqueness and arrogance. In fact, a show of severity and sterile pessimism are frequently symptoms of fear and insecurity. A leader must make an effort to be courteous, serene, enthusiastic and joyful, a person who transmits joy everywhere he goes. A happy heart radiates an infectious joy: it is immediately evident! So a leader should never lose that joyful, humorous and even self-deprecating spirit which makes people amiable even in difficult situations. How beneficial is a good dose of humor! …
13. The disease of hoarding. This occurs when a leader tries to fill an existential void in his or her heart by accumulating material goods, not out of need but only in order to feel secure. The fact is that we are not able to bring material goods with us when we leave this life, since “the winding sheet does not have pockets” and all our treasures will never be able to fill that void; instead, they will only make it deeper and more demanding. Accumulating goods only burdens and inexorably slows down the journey!
14. The disease of closed circles, where belonging to a clique becomes more powerful than our shared identity. This disease too always begins with good intentions, but with the passing of time it enslaves its members and becomes a cancer which threatens the harmony of the organization and causes immense evil, especially to those we treat as outsiders. “Friendly fire” from our fellow soldiers, is the most insidious danger. It is the evil which strikes from within. As it says in the bible, “Every kingdom divided against itself is laid waste.”
15. Lastly: the disease of extravagance and self-exhibition. This happens when a leader turns his or her service into power, and uses that power for material gain, or to acquire even greater power. This is the disease of persons who insatiably try to accumulate power and to this end are ready to slander, defame and discredit others; who put themselves on display to show that they are more capable than others. This disease does great harm because it leads people to justify the use of any means whatsoever to attain their goal, often in the name of justice and transparency! Here I remember a leader who used to call journalists to tell and invent private and confidential matters involving his colleagues. The only thing he was concerned about was being able to see himself on the front page, since this made him feel powerful and glamorous, while causing great harm to others and to the organization.

Friends, these diseases are a danger for every leader and every organization, and they can strike at the individual and the community levels.

____________________

So, are you a healthy leader? Use the Pope’s inventory of leadership maladies to find out. Ask yourself, on a scale of 1 to 5, to what extent do I . . .

• Feel superior to those who work for me?
• Demonstrate an imbalance between work and other areas of life?
• Substitute formality for true human intimacy?
• Rely too much on plans and not enough on intuition and improvisation?
• Spend too little time breaking silos and building bridges?
• Fail to regularly acknowledge the debt I owe to my mentors and to others?
• Take too much satisfaction in my perks and privileges?
• Isolate myself from customers and first-level employees?
• Denigrate the motives and accomplishments of others?
• Exhibit or encourage undue deference and servility?
• Put my own success ahead of the success of others?
• Fail to cultivate a fun and joy-filled work environment?
• Exhibit selfishness when it comes to sharing rewards and praise?
• Encourage parochialism rather than community?
• Behave in ways that seem egocentric to those around me?

As in all health matters, it’s good to get a second or third opinion. Ask your colleagues to score you on the same fifteen items. Don’t be surprised if they say, “Gee boss, you’re not looking too good today.” Like a battery of medical tests, these questions can help you zero in on opportunities to prevent disease and improve your health. A Papal leadership assessment may seem like a bit of a stretch. But remember: the responsibilities you hold as a leader, and the influence you have over others’ lives, can be profound. Why not turn to the Pope — a spiritual leader of leaders — for wisdom and advice?

Gary Hamel is a visiting professor at London Business School and the founder of the Management Lab. He is a coauthor of Humanocracy: Creating Organizations as Amazing as the People Inside Them (Harvard Business Review Press, 2020).

Article link: https://hbr.org/2015/04/the-15-diseases-of-leadership-according-to-pope-francis

Officials are conducting a top-to-bottom review with an eye toward Cybercom 2.0.

BYMARK POMERLEAU

JANUARY 31, 2024

FORT MEADE, Md. — U.S. Cyber Command is in the midst of a holistic top-to-bottom review to reshape its organization and forces and ensure it’s best postured to deal with threats in a highly dynamic environment.

Officials are dubbing the review Cybercom 2.0.

“As we’re trying to look at the future of U.S. Cyber Command, I want to have a bold move forward,” Gen. Paul Nakasone, commander of Cybercom and director of the NSA, told reporters during a media roundtable at Fort Meade. Nakasone is set to retire Friday following a change-of-command ceremony where he will pass the torch to Lt. Gen. Timothy Haugh, who will pin on his fourth star.

The command, now just north of 10 years old, was built on many principles of its time a decade ago. The domain it operates in is so dynamic that many of these tenets are now outdated.

For example, the cyber mission force — the teams each service provides to Cybercom to conduct offensive and defensive operations — was designed around 2012, built from 2013 to 2016, and reached full operational capability in 2018.

At the time, according to declassified task orders that were unearthed via the Freedom of Information Act by the National Security Archive at George Washington University, the priority was to get the teams formed, built quickly and rely as much as possible on NSA support.

“Given the increasing threats to our nation’s critical infrastructure and DoD networks, it is imperative that we establish, train, and employ equipped cyber mission forces as expeditiously as possible. We must get these forces in position now—these teams will be prepared to defend the nation, provide support to combatant commanders, and to provide active defense of key terrain on critical networks,” a task order from March 2013 read. “We will establish immediate operational capability during FY13 by effectively task organizing our available personnel into [REDACTED] effective, combat-ready teams, positioned in the best locations for mission success, and with a command and control structure in place to direct successful operations.”

The order goes on to state that while the initial focus was on establishing combat-ready teams quickly and efficiently, they would keep the end-state force posture in mind.

Those teams and their structures have not been holistically relooked or reexamined since then, with new teams being added to the initial 133 for the first time in the president’s fiscal 2022 budget request. For example, Nakasone said those teams were built with a different understanding of the world in 2012, with a counterterror focus and when Iranian financial system cyber disruptions were one of the main threats of the day — long before the shift back to great power competition with nations such as China.

Many of the manning numbers of personnel and teams were arbitrary given the quantity of forces the services had available at the time and to justify the need to Department of Defense leadership, according to former officials.

There were calls and expectations in the past to relook the team structure and reexamine how the force trains and acquires capabilities — particularly after the cyber mission force reached full operational capability in 2018 — however, the remedy for many years had been to task organize for particular missions or break teams into smaller elements.

During the build, for instance, Cybercom leadership locked in the structure and didn’t want to tweak the teams so as not to appear as if they were moving the bar on the services until they reached full operational capability.

There wasn’t another model to emulate when building these teams, and so experts have said it’s no surprise they didn’t get everything right.

Additionally, Cybercom relied very heavily on NSA personnel and equipment as it grew. As a military organization, it needs its own military-specific systems separate from intelligence systems. As a result, it wants the ability to acquire and manage those capabilities much like the rest of the military develops platforms to conduct operations.

The command, in partnership with other elements of the DOD, is working hard at a holistic reexamination to better posture the command and its forces.

“I think all options are on the table except status quo,” Nakasone said during an INSA event in December. “We built our force in 2012 and 2013. We’ve had tremendous experience, but scope, scale, sophistication and the threat has changed, the private sector has changed, our partners have changed. I think that we’ve got to be able to take a look at how we’re going to change as well.”

A cross-functional team consisting of a group of experts has been convened to discuss how the command can think about how its authorities, training, personnel and acquisitions can be done differently.

In fact, a problem statement regarding what they’re seeking to examine was approved this weekend, though Nakasone declined to provide details.

“We’ve got to think boldly about such things as how we do training and how we might do personnel processes that are different,” Nakasone said.

Why now?

Sources indicated it’s been over 10 years since the command was created and they want to update the vision, force structure and doctrine. There are also now personnel at the top levels of leadership that have been around the command for years — such as Haugh and incoming deputy commander Lt. Gen. William “Joe” Hartman — with a lot of knowledge of the domain, making this a good opportunity for a revamp.

Now is the right time to begin looking at what the next iteration of Cybercom is for several reasons, Nakasone said.

In the fiscal 2023 National Defense Authorization Act, Congress directed several studies and examinations of the department, which include a force generation study due in June examining the responsibilities of the services for organizing, training and presenting the total force to Cybercom, among seven other elements. Additionally, there are 14new teams that are slated to be built over the course of the next five years. Moreover, since 2018, when the department gained new authorities to conduct cyber operations, a lot of lessons have been learned from those operations as well as election defense, ransomware, the Russia-Ukraine conflict and other issues.

“We haven’t done this, I think, really since we started up the force. And I think this is the right time,” Nakasone said of the confluence of these circumstances leading to 2024 being the best opportunity to reexamine the command.

Other officials have noted that the variety of studies Congress has asked for provides a good opportunity to package these key questions together and provide the secretary of defense with several options for the future evolution of the command.

“The Congress has laid on really multiple studies over the past few years to look at what things should the department do or could be doing to improve our ability to generate cyber forces, train cyber forces, retain cyber forces for maximum effect,” John Plumb, assistant secretary of defense for space policy, who also serves as the principal cyber advisor to the secretary of defense, told reporters in January. “We have been slowly working through various options. And the question is like, how much would need to change? What should you look at? … What are we after for readiness? How can we make readiness better?”

He noted as they look at all the things that are coming, the team knows they have to present the secretary a set of options related to this large, significant study and find the best recommendations to present a more comprehensive set of options as opposed to doing them one at a time.

Nakasone noted how 2018 was a watershed year for the command when it gained new authorities through executive policy changes, congressional legal changes and clarifications.

“That leads us to a whole heck of a lot of operations, so from 2018, forward to now, the number of operations is sky high, which means there’s a lot of data, in terms of what’s going on,” he said.  

Prior to that point there were only a handful of operations that had taken place because there was a bias for inaction, meaning there wasn’t a lot of data regarding how effective the team structure and personnel were.

This led to the paradigm shift toward persistent engagement, which encompasses challenging adversary activities daily and wherever they operate. Nakasone noted that is something the command got right and must continue to operate.

“You have to have persistent engagement. If you’re on the sidelines watching this, you’re going to get hit. That’s why I think it’s so important for our forces worldwide to be able to be engaged, and being able to act and understand what our adversaries are doing,” Nakasone said. “Being able to continue to operate day in and day out, this is how you get really good. You operate in the domain. This is what Special Operations Command has taught us, right?  Continued operations build proficiency and professionalism. We’re going to need that. I think a lot about that piece, in terms of where Cyber Command is going.”

Similarly, the command has fashioned itself off the Socom model even though it was initially under U.S. Strategic Command, which is in charge of the military’s nuclear weapons.

Another turning point in Cybercom’s history happened in 2020 when Nakasone asked for more service-like authorities from the secretary of defense similar to Socom. He also asked for more teams and a reposturing of teams from counterterrorism to be more aligned against China and Russia.

This included enhanced budget authority, which provides direct control and management of planning, programming, budgeting and execution of the resources to maintain the cyber mission force.

Many of these changes will also affect the services and how they present their forces to the command.

“I’m a pretty demanding customer with the services. I just want their best and I want it all the time. They have been very, very supportive, in terms of what’s gone on, but I will tell you that we operate in a domain that requires a longer dwell time for our soldiers, sailors, airmen and Marines, than the constant movement,” Nakasone said. “I think that this has been a concern that I’ve expressed that I think is one of the things that we’re going to have to deal with in the future.”

Nakasone recognized that the services have to provide a number of different forces to combatant commands, with Cybercom being one of them. They have to balance their readiness needs as well. However, he was aware that it’s his job as the commander of Cybercom to talk about why this domain is unique and why there is a need to consider recruiting, retention, or assignment policies differently than in the past.

This has also led to calls for an independent cyber service — akin to the Army, Navy, Marine Corps, Air Force and Space Force — which have intensified over the last year.

Proponents of an independent cyber service argue that cyber operators have no distinct identity — as they are still members of their respective services — there are readiness issues associated with each service resourcing their cyber contributions differently, lexicon and pay scales are different, and the command-and-control structures are confusing. Moreover, they allege only an independent cyber force or service can solve key problems.

Congress had initially proposed an independent study on the matter, but it was cut out of the annual policy bill for fiscal 2024. Proponents have vowed to get it into the fiscal 2025 bill.

Nakasone has, at least publicly, remained neutral to this notion, offering that it’s a policy determination for the secretary of defense.

What could be done for the future force?

According to experts and sources, there could be more formal restructuring of teams — rather than task organizing for each mission — to break them into smaller elements.

The Cyber National Mission Force — a sub-unified command under Cybercom made up of 39 joint teams and thought to have the DOD’s most talented cyber operators that defend the nation from significant cyber threats, which Nakasone, Haugh and Hartman have all commanded — has significantly more flexibility than the combat mission teams that conduct offensive operations on behalf of combatant commands, and cyber protection teams that conduct defensive cyber ops. This is due to the fact it’s a smaller force and organized around six task forces. This allows them to be able to more accurately task organize based upon skill sets and readiness of personnel needed for certain missions.

That could be a possible model going forward. Having greater oversight of readiness of forces and skills through new tools the command is developing will help commanders be able to have better fidelity of what they’ll need at any given time to pluck personnel with skill sets required for operations.

Initially, cyber protection teams were made up of 39-person teams with five squads. That has evolved to smaller elements after what forces learned through operations and not having to deploy 39 people to address every problem. In the future, they could be split up even more to make additional teams.

Experts noted that everything is on the table and the planners involved are not going in with any pre-determined solutions to figure out what the best way forward will be.

“As Gen. Haugh takes over that he’ll take this forward to a briefing with policymakers then, ultimately, the SECDEF and say, ‘Hey, this is how we think the Cyber Command of the future needs to be able rebuild today,’” Nakasone told reporters.

Written by Mark Pomerleau

Mark Pomerleau is a reporter for DefenseScoop, covering information warfare and cyberspace.

Article link: https://defensescoop.com/2024/01/31/cybercom-2-0-review-holistic-examination-underway/?

by 

• Nicholas W. Eyrich,
• Robert E. Quinn,
• David P. Fessell

December 27, 2019

Summary.   

While corporate transformations are almost universally assumed to be top-down processes, in reality, middle managers, and first-line supervisors can make significant change when they have the right mindset. Dr. Tadataka Yamada was one of dozens of executives the authors spoke to over the last several years to learn how one can succeed in making positive change in large organizations. His story shows many of traits the authors observed in interviews. He had a clarity of conscience and was willing to speak up. He took every chance, even small ones, to hone his skills of challenging the status quo for the greater good. He didn’t let tough challenges gradually slip from focus because they were “too big” to tackle in the moment. Finally, he centered his purpose on helping those with less privilege.

In December 2000, when Dr. Tadataka Yamada became the new chairman of research and development at Glaxo SmithKline, he was horrified to learn that his company was a complainant in a lawsuit over access to drug therapies for HIV/AIDS patients. GSK was one of 39 pharmaceutical companies charging Nelson Mandela and the government of South Africa with violating price protections and intellectual property rights in their efforts to access lower priced antiretroviral drugs. Close to 25 percent of black South Africans were living with HIV/AIDS and at the time, antiretroviral therapies cost approximately $1000 per month—more than a third of the average South African’s annual salary, putting treatment out of reach for most patients.

Yamada held discussions with his research staff and quickly learned that he was not alone in his opposition to the lawsuit. The team wanted to be a part of the solution to global health issues, not party to a lawsuit preventing such drugs from reaching those in dire need, but they felt they lacked the power to change the company’s direction. Yamada felt differently. In one-on-one meetings with individual board members of GSK, he stressed the company’s moral responsibility to alleviate human suffering and tied it to the long-term success of the company. He stated that GSK can’t make medicines that save lives and then not allow people access to them. He noted the public relations disaster associated with the lawsuit, and set forth a vision, co-created by his team, for how GSK could also become a leader in the fight against TB and malaria, diseases that also were disproportionately impacting third-world populations. The external pressure did not abate, with protests against many drug companies around the world.

In April, 2001, all 39 companies dropped the lawsuit against Nelson Mandela; GSK and others reduced the prices of antiretroviral drugs by 90% or more. Furthermore, under Yamada’s direction, one of GSK’s major laboratories in Tres Cantos, Spain, was converted into a profit-exempt laboratory that focused only on diseases in the developing world, including malaria and tuberculosis. Using his influence, Dr. Yamada also spurred GSK into allocating resources for affordable access to medications and development of future therapies. Subsequently top executives at GSK became leaders in global health issues. Andrew Witty assumed the CEO position at GlaxoSmithKline in 2008 and became one of the leading spokespersons for global health in the pharmaceutical industry. Chris Viehbacher, corporate executive team member at GSK, subsequently became the CEO of Sanofi, and a champion of global health. Both have since partnered with the Gates Foundation on global health initiatives.

Most people would love to be a part of such an amazing turn of events, yet this kind of transformation doesn’t happen very often. While many helped with these efforts, what made it possible for Dr. Yamada to step forward with a steady voice and a sound vision? In several interviews with Dr. Yamada we identified four key mindsets that helped him catalyze this transformation.

The power of one.

A single person with a clarity of conscience and a willingness to speak up can make a difference. Contributing to the greater good is a deep and fundamental human need. When a leader, even a mid-level or lower level leader, skillfully brings a voice and a vision, others will follow and surprising things can happen—even culture change on a large scale. While Yamada did not set out to change a culture, his actions were catalytic and galvanized the organization. As news of the new “not for profit” focus of Tres Cantos spread, many of GSK’s top scientists volunteered to work there. Yamada’s voice spoke for many others, offering a clear path and a vision for a more positive future for all.

The power of sequential skill building.

Prior to GSK, Yamada had a lot of practice with smaller challenges, from caring for the most complex patients in the intensive care unit, to becoming a department head and national leader in his field. Along the way he also led other efforts to change the status quo by actively helping more African Americans and women to join the gastroenterology faculty at the University of Michigan. The lesson is not to underestimate any chance you have, even if small, to hone your skills of challenging the status quo for the greater good. Train your “courage for challenging convention” muscle consistently, so that it’s ready when needed. At GSK, he first invited the input of his team, ultimately resulting in the plan to convert the Tres Cantos laboratory to a “not for profit” disease focus. He did not wait for someone else to speak out first, or for a committee to be formed to study the issue. He had built the skills to quickly recognize the problem, and also to advocate for a better way—a way GSK could become a leader in the fight against diseases that might not be profitable but would help countless individuals in dire need.

The power of sustained focus and determination.

It’s easy to say, “This will take some doing; I’ll think about it later.” Combined with an unconscious “This could be dangerous for my career,” it can be easy for tough challenges to gradually slip from focus. Over time the unacceptable can become the norm, and the energy for change dissipates. But Yamada didn’t accept the unacceptable; his focus and determination were well honed. He emigrated from Japan as a teenager and entered the demanding field of medicine. Along the way he took up marathon running and edited a seminal 3440-page textbook of Gastroenterology, among many other achievements. Attacking challenges was not just an occasional adventure—it’s been a way of being, as well as a highly successful career path. Assuring success of the Tres Cantos lab was not accomplished with a simple signature on a document. The laboratory was initially funded by GSK with the expectation that the researchers would soon obtain external grants so the output from the lab would not have expectations of making a profit for GSK. Partnerships with many organizations and universities were also initiated and sustained to help support this work.

The power of using privilege to support people with less privilege.

While such a mindset is not required for transformation to occur, most would agree that it’s even better, and more rewarding, when transformation also helps those with less privilege. Dr. Yamada, trained over many years in the “patient first” culture of medicine, had a well-honed awareness of the larger change he could bring because of his voice, and a vision for the positive impact GSK could bring to South Africa—and other countries in dire need of low cost, life-saving drugs to treat HIV, TB, and malaria. His team, and ultimately many others at GSK, shared a desire to help those less fortunate. The work done by the Tres Cantos lab continues to impact countless people in poverty suffering from TB, malaria, and many other diseases.

Speaking of the lawsuit that sparked his transformational leadership, Yamada said: “It was obvious we could reduce the price, but beyond that I felt it was really important for the company to make a commitment to making medicines for people where we might not make profit, but where we could have huge medical impact.”

With the support and efforts of many at GSK, this positive vision and pathway for action reverberated across the organization and helped energize a culture shift. The changes catalyzed by Yamada continued after he left GSK in 2006 to become President of the Global Health Program at the Bill and Melinda Gates Foundation. Today GSK is one of the top pharmaceutical companies for global drug access and global health initiatives. In just the past 3 years Tres Cantos researchers have co-authored over 100 scholarly research publications. The laboratory continues to provide independent researchers access to GSK facilities, expertise and resources to advance the understanding of diseases of the developing world.

Yamada was one of dozens of executives we spoke to over the last several years to learn how one can succeed in making positive change in large organizations. In these interviews, we heard accounts that reflect the mindsets Yamada described. In nearly every case we saw the power of one. In one example, a woman in a Fortune 50 company shared her experience in transforming her unit in Brazil. After being promoted to a senior position at headquarters, she saw the need for change, but the politics were more intense, and her previous experience seemed irrelevant. With unwavering focus, she pressed forward and succeeded. In reflecting on her success, she noted that challenging the status quo is a skill that one can develop, and it applies at every level. In another case, a woman in a Fortune 500 company was promoted to oversee a large but failing business line. The eight people who preceded her were all fired. She spent months examining the organization and formulated a strategic plan. It required serious work at the top. Her boss said no. Using all her acquired skills and courage, she led her boss until he was ready to change. The organization turned around.

These stories remind us that while corporate transformations are almost universally assumed to be top-down processes, in reality, middle managers, and first-line supervisors can make significant change when they have the right mindset.

Nicholas W. Eyrich is a graduate student at the University of Michigan Medical School

Robert E. Quinn is a professor emeritus at the University of Michigan’s Ross School of Business and a cofounder of its Center for Positive Organizations.

David P. Fessell is an executive coach, faculty associate at the University of Michigan’s Ross School of Business, and a retired University of Michigan professor of radiology. He writes and speaks on positive psychology and emotional intelligence and is a graduate of the Second City Improv Conservatory.

Article link: https://hbr.org/2019/12/how-one-person-can-change-the-conscience-of-an-organization?

The world is changing fast – and so are the challenges we face.

The World Economic Forum has produced the Global Risks Report 2024 in partnership with Marsh McLennan and Zurich Insurance Group. Learn more: https://ow.ly/vv9X50QyQ0n

Zurich Insurance Marsh McLennan

https://www.linkedin.com/posts/world-economic-forum_the-world-is-changing-fast-and-so-are-the-activity-7161383269446434816-VClX?

The way AI models structure text may have something to do with it, according to the study authors.

By Rhiannon Williams

June 28, 2023

Disinformation generated by AI may be more convincing than disinformation written by humans, a new study suggests. 

The research found that people were 3% less likely to spot false tweets generated by AI than those written by humans.

That credibility gap, while small, is concerning given that the problem of AI-generated disinformation seems poised to grow significantly, says Giovanni Spitale, the researcher at the University of Zurich who led the study, which appeared in Science Advancestoday. 

“The fact that AI-generated disinformation is not only cheaper and faster, but also more effective, gives me nightmares,” he says. He believes that if the team repeated the study with the latest large language model from OpenAI, GPT-4, the difference would be even bigger, given how much more powerful GPT-4 is. 

To test our susceptibility to different types of text, the researchers chose common disinformation topics, including climate change and covid. Then they asked OpenAI’s large language model GPT-3 to generate 10 true tweets and 10 false ones, and collected a random sample of both true and false tweets from Twitter. 

Next, they recruited 697 people to complete an online quiz judging whether tweets were generated by AI or collected from Twitter, and whether they were accurate or contained disinformation. They found that participants were 3% less likely to believe human-written false tweets than AI-written ones. 

The researchers are unsure why people may be more likely to believe tweets written by AI. But the way in which GPT-3 orders information could have something to do with it, according to Spitale. 

“GPT-3’s text tends to be a bit more structured when compared to organic [human-written] text,” he says. “But it’s also condensed, so it’s easier to process.”

The generative AI boom puts powerful, accessible AI tools in the hands of everyone, including bad actors. Models like GPT-3 can generate incorrect text that appears convincing, which could be used to generate false narratives quickly and cheaply for conspiracy theorists and disinformation campaigns. The weapons to fight the problem—AI text-detection tools—are still in the early stages of development, and many are not entirely accurate. 

OpenAI is aware that its AI tools could be weaponized to produce large-scale disinformation campaigns. Although this violates its policies, it released a report in January warning that it’s “all but impossible to ensure that large language models are never used to generate disinformation.” OpenAI did not immediately respond to a request for comment.

However, the company has also urged caution when it comes to overestimating the impact of disinformation campaigns. Further research is needed to determine the populations at greatest risk from AI-generated inauthentic content, as well as the relationship between AI model size and the overall performance or persuasiveness of its output, the authors of OpenAI’s report say. 

It’s too early to panic, says Jon Roozenbeek, a postdoc researcher who studies misinformation at the department of psychology at the University of Cambridge, who was not involved in the study. 

Although distributing disinformation online may be easier and cheaper with AI than with human-staffed troll farms, moderation on tech platforms and automated detection systems are still obstacles to its spread, he says. 

“Just because AI makes it easier to write a tweet that might be slightly more persuasive than whatever some poor sap in some factory in St. Petersburg came up with, it doesn’t necessarily mean that all of a sudden everyone is ripe to be manipulated,” he adds.

Article link: https://www-technologyreview-com.cdn.ampproject.org/c/s/www.technologyreview.com/2023/06/28/1075683/humans-may-be-more-likely-to-believe-disinformation-generated-by-ai/amp/

By ALEXANDRA KELLEYJANUARY 24, 2024

Nine other federal agencies and several private sector entities have signed on to support the program.

The National Science Foundation launched the National Artificial Intelligence Research Resource pilot on Wednesday, marking the federal government’s first step in working to democratize widespread access to key components of artificial intelligence technologies. 

Announced on Wednesday, the pilot program aims to promote the Biden administration’s goal of establishing the U.S. as a leader in AI innovation by making federal resources — including advanced computing, datasets, training models, software assistants and user support — open and publicly accessible. 

Immediate goals for the NAIRR pilot are to cultivate an AI-ready workforce and bridge socioeconomic gaps to provide quality AI training and education materials to all corners of the U.S.

“The NAIRR pilot is really needed because the resources needed to even begin participating in the ecosystem have become increasingly concentrated and inaccessible to many, many communities that are really essential for developing a healthy and responsible AI ecosystem,” Katie Antypas, director of the NSF’s Office of Advanced Cyberinfrastructure, said during a press call ahead of the launch. “And so the pilot is the first step to bridging this gap and will provide access to the research and education community across our country.”

The NAIRR pilot is intended to provide historical datasets to train AI models and computing resources to test the validity of a larger model. Researchers across the country will be able to access these tools to ensure more disadvantaged populations can still learn how to use AI and machine learning systems.

Four categories define the NAIRR pilot’s focus areas: NAIRR Open, which specializes in general AI resource access; NAIRR Secure, which focuses on AI research for privacy-preserving technologies; NAIRR Software, which helps investigate interoperable uses of AI tools for pilot resources; and NAIRR Classroom, which provides educational initiatives and outreach resources. 

“The pilot is really the first step in unlocking the potential of our research community to advance AI for the public good,” Antypas said. 

Industry partners, including Anthropic, Amazon Web Services, IBM, Meta, Intel, NVIDIA, OpenAI and Microsoft and others, will provide model access, educational resources for experimentation, researcher collaboration, technical training for proprietary software and workshop opportunities.

Antypas confirmed that these companies are not receiving payment for their participation. Some, namely NVIDIA and Microsoft, have pledged $30 million and $20 million respectively to support the pilot program. Stakeholders including government officials, academics and private sector firms collaborated on the pilot’s design.

“I think the variety of entities that have come to the table — nonprofits, the private sector, philanthropy — really speaks to this shared urgency to develop this national platform and accelerate AI innovation for our country,” she said.

The pilot’s format will feature a “diverse variety of architectures” to house these resources. Antypas said that the pilot is meant to grow into a platform united by common software stacks that can support diverse engagement.

“There is not going to be one single entity that is going to be building the NAIRR,” she said. “We’re going to need the best ideas from the community in order to really go through this community design process.”

NAIRR’s Community engagement is also meant to foster greater trustworthiness in both mature and newer AI systems. 

Tess deBlanc-Knowles, special assistant to the director for artificial intelligence at NSF, said that researchers can play a “critical role” in developing NAIRR past the pilot.

“I think also in the context of broader federal efforts, the work that is going to be supported through the NAIRR pilot is going to help inform some of these other efforts, such as those being run through [the National Institute of Standards and Technology] or the AI Safety Institute as they move forward to kind of formalize some of these benchmarks around how do we test, how do we verify that these models are trustworthy,” deBlanc-Knowles said. 

Nine federal agencies will join NSF as partnering entities: the Department of Energy, the Department of Veterans Affairs, NASA, the National Institutes of Health, NIST, the National Oceanic and Atmospheric Administration, the Defense Advanced Research Projects Agency, the U.S. Patent and Trademark Office and the Department of Defense. 

These agencies will work together in close coordination alongside other federal efforts that could benefit or inform NAIRR’s work, deBlanc-Knowles said.

Researchers will be able to apply for access to the NAIRR portal on Wednesday. The pilot program is slated to run for two years. Antypas said that in the pilot’s first launch, officials anticipate supporting 25 to 50 research projects. More projects will come online as additional resources from partnering entities are made available. 

In terms of the application process, researchers will need to first request access to NAIRR tools. They will be vetted based on their responsiveness to the open opportunity call, and a matching process will determine the outcome of each request. 

The NAIRR pilot’s launch is a result of President Joe Biden’s October 2023 executive order on AI. Sethuraman Panchanathan, the NSF director, said that NAIRR is meant to inspire and motivate innovation and talent across the U.S. with quality resources. 

“We need resources to advance AI that is open to all so that every community across our nation may reap the benefits of AI,” Panchanathan said. “Therefore, a National AI Research Resource simply put, has the potential to change the trajectory of our country’s approach to AI. It will lead the way for a healthy, trustworthy U.S. AI ecosystem.”

Article link: https://www.linkedin.com/posts/nextgovfcw_nsf-launches-ai-resource-pilot-to-spur-us-activity-7156285717692760064-xGbP?

Anastasia Obis

January 23, 2024 5:28 pm

A new memo from the Defense Department clarifies who is accountable for ensuring the security of cloud services at the FedRAMP moderate level.

The latest document provides guidance on a clause within the Defense Federal Acquisition Regulation Supplement regarding the application of FedRAMP moderate to cloud services being used by contractors for storing and processing covered defense information.

“One of the things that we learned in the early days of cloud was there was a lot of finger-pointing going on when something bad would happen. Let’s say a vulnerability would be found, or a zero-day event happened, there was this confusion around, ‘Is that the cloud service provider’s responsibility? Is that a contractor’s responsibility? Is that the government’s responsibility or somebody else? Who really is responsible?’” Raj Iyer, ServiceNow’s global head of public sector and a former chief information officer of the Army, told Federal News Network.

“And I think what this memo clarifies is that at the end of the day, the DoD’s contract is with that company A, and they got to make sure that they have an incident response plan, which shows how they’re going to coordinate any kind of remediation, or triaging that needs to happen when there is an incident that happens. That way, DoD holds the contractor accountable and responsible, and it’s their job to coordinate with all of the stakeholders.”

Historically, there has been a lot of debate around what being FedRAMP equivalent means. Since 2016, the DFARS clause said that if contractors use an external cloud service provider to store, process or transmit controlled unclassified information (CUI), the contractor should ensure that the cloud service provider meets security requirements equivalent to the FedRAMP moderate baseline.

The DFARS clause also required the cloud service provider to comply with incident reporting, data retention and access requirements listed in the clause.

With the new memo, to be considered FedRAMP moderate, cloud services must achieve 100% compliance with the latest security control baseline through an assessment conducted by a FedRAMP-recognized third-party organization.

In addition, the cloud service provider needs to present a list of evidence, or a body of evidence, to the contractor, including a system security plan, security assessment plan, security assessment report and a plan of action and milestones should they fall short in any areas. The memo says that requirements for FedRAMP moderate equivalency do not allow for a plan of action and milestones from a third party organization and any action items identified in the plan of actions and milestones must be marked as closed by the third party.

“From an evidence standpoint, the evidence requirements are pretty consistent with things that are going to be in your security package. I don’t think there’s anything in there that’s going to be super hard for organizations to come up with,” Grant Schneider, senior advisor to the Alliance for Digital Innovation and a former federal chief information security officer, told Federal News Network.

“With the 100% compliance and the inability to have a plan of action and milestone, even though they list plan of action milestones as a piece of the evidence that you have to meet every element under FISMA moderate, under 800-53, I think that may be a challenge for organizations to meet.”

Schneider said that if organizations are not 100% compliant with the latest FedRAMP moderate security control baseline for various reasons, it will have to be a business decision whether they want to make that investment to get to 100% to do business with DoD.

The memo says that the contractor approves their organization’s cloud services and ensures that the selected cloud service provider has a response plan. Moving forward, the contractor, not the cloud service provider, will be held responsible for reporting should a compromise happen and make sure their cloud provider follows the incident response plan.

It’s unclear what triggered the memo, but Schneider said he would like to see more context for what might have caused its issuance.

“I would love to see, is there a particular issue that the department ran into, in some way, shape or form that caused them to put this out? Or is there a particular risk that they’re looking to avoid? I don’t know what that is, but I would certainly love to know what the answer is,” Schneider said.

Over the years, DoD has had various cyber policies emerging independently, including the Cybersecurity Maturity Model Certification (CMMC) program, with the zero trust framework eventually becoming an overarching approach to cybersecurity. As for the memo, Iyer said this is most likely one of the policy areas that needed tightening up.

“The DoD is relying more and more on cloud service offerings, putting more and more of our sensitive data in the cloud. And it became clear to [our adversaries], if there’s a single point of failure, it is cloud. Second point, it was very clear that our adversaries knew that the vulnerabilities were in the supply chain,” Iyer said.

“Yes, this does put a burden on industry. But I think for industry, for the defense industrial base, they’ve always known that this was coming. So this should be no news to anybody. We shouldn’t expect to see any pushback. And for the cloud service providers like us, we’ve always taken this seriously. And it’s part of what you have to do to serve the defense customer. And yes, it comes with the cost. But this is going to filter out companies that are serious about working with the DoD and protecting the data. It is absolutely critical that the tightening happens through the policy and process,” he added.

CMMC final rule

David McKeown, DoD’s chief information and security officer, signed the FedRAMP equivalency memo on Dec. 21, but it didn’t become public until January. The long-awaited CMMC proposed rule came out around the same time, laying out requirements “for a comprehensive and scalable assessment mechanism” to ensure defense contractors and subcontractors implement required security protocols when sharing sensitive unclassified information on their networks.

The proposed CMMC rule adds little detail on top of DFARS 7012, and the requirements appear to be more stringent than what is laid out in the proposed rule. DoD will most likely align the requirements from both documents when it releases the final CMMC rule.

“I think the question will be if there’s something that the DoD is intending this memo to change inside of CMMC, I would really hope for their sake that they already had that in the proposed rule. Because typically, once a proposed rule is out for public comment, you can make changes in the final rule. But typically, you can’t make really big substantive changes that weren’t somehow either included or alluded to in the proposed rule. So if this is going to cause a significant shift, I think that could be problematic just from a rulemaking procedure or from a rulemaking standpoint,” Schneider said.

Article link: https://federalnewsnetwork.com/cybersecurity/2024/01/dods-new-memo-puts-stricter-requirements-on-cloud-providers/

By EDWARD GRAHAMJANUARY 10, 2024

The Government Accountability Office found that less than half of surveyed federal agencies had compliant security programs and called for improved performance metrics.

The federal government’s implementation of the Federal Information Security Modernization Act — or FISMA — “continued to be mostly ineffective” in fiscal 2022, with only eight of 23 surveyed civilian agencies found to have effective information security programs in place, according to a Government Accountability Office report released on Tuesday.

FISMA requires covered agencies to develop and implement programs to secure their information systems. The Office of Management and Budget is also tasked with overseeing agencies’ security practices and developing policies to guide implementation of their cyber standards.

GAO reviewed inspectors general reports on the surveyed agencies’ compliance with FISMA for the 2021 and 2022 fiscal years and said that, while “some improvement was reported,” broad adherence to the security standards was still lacking.

“IGs reported various causes for the ineffective programs, including management accountability issues and gaps in standards and quality control,” the watchdog said, adding that “addressing the causes could improve the federal government’s cybersecurity posture.”

Despite finding that just eight surveyed agencies had implemented effective security programs in FY2022 — the departments of Homeland Security, Education and Justice, as well as the Environmental Protection Agency, General Services Administration, National Science Foundation, Nuclear Regulatory Commission and the U.S. Agency for International Development — GAO said its latest report still represented something of a high-water mark in terms of recent levels of compliance with FISMA.

“Out of the 23 civilian [Chief Financial Officers Act] agencies, no more than eight received an effective rating in any given year over the last six years of reporting (fiscal years 2017 through 2022),” the watchdog said.

OMB provides metrics for evaluating the effectiveness of agencies’ security programs and their implementation of FISMA, but GAO said that “agencies and IGs stated that some FISMA metrics are not useful because they do not always accurately evaluate information security programs.”

The watchdog said agencies and IGs reported that FISMA metrics “should be clearly tied to performance goals, account for workforce issues and agency size and incorporate risk,” and further suggested that “crafting metrics that address the key causes of ineffective programs could enhance their effectiveness.” 

GAO made two recommendations to OMB, including calling for the agency to develop metrics “related to causes of ineffective information security programs identified by IGs” and to “improve the [chief information officer] and IG FISMA metrics to clearly link them to performance goals, address workforce challenges, consider agency size and adequately address risk.”

OMB did not agree or disagree with the watchdog’s recommendations but provided technical comments that were incorporated into the report.

Article link: https://www.nextgov.com/cybersecurity/2024/01/agencies-fisma-implementation-still-mostly-ineffective-watchdog-says/393246/?