Thousands of users across the Defense Department’s “fourth estate” will get their first chance to use modern collaboration tools on classified IT networks over the next several weeks as DoD continues its push to deploy Office 365 across the military departments, Defense agencies and field activities.
The Defense Information Systems Agency has been piloting the new service — called DOD365-Secret — since January. But officials are now fully deploying it for users across the 17 components of the Office of the Secretary of Defense (OSD), mainly in the Pentagon itself and in the nearby Mark Center in Alexandria, Virginia.
It’s a major shift, not only in that it’s one of DoD’s first large-scale forays into cloud computing at the secret level, but also because it will have the effect of consolidating an aging patchwork of tools senior leaders and their support staff have been using to discuss classified information for years, said Danielle Metz, OSD’s chief information officer.
“Over the past 10 to 15 years, those who live on our classified environment to do their mission have had to really figure out how to stitch together some collaboration capabilities using really old-school chat services that aren’t very effective and aren’t well used across the board,” she said during an interview for Federal News Network’s On DoD. “Effectively what this does is it brings everybody together — we’re all on Teams and getting the same collaborative experience where we’re able to do chat, we’re able to do video, we’re able to collaborate on documents all at the same time, we’re able to store it in a cloud-based environment. None of that exists right now on the classified side, but we are at the precipice of having all of this at our fingertips.”
The implementation of DoD365-Secret across those 17 components will be one of the first major accomplishments for Metz’s new office, which marks its first anniversary this month. Prior to that, each of the OSD sub-offices — known as “principal staff assistants” — operated somewhat independently when it came to IT governance and planning. Because of that, the networks they use are still fragmented and complex. Cloud helps solve part of that problem.
“A cloud-based approach allows us to look and feel and act as if we’re on the same environment, because we are — we’re in the cloud,” Metz said. “The networks are still going to be what the networks are, and there are some modernization activities associated with bringing those up to a better standardized and consistent digital experience. But I think we’re showcasing the importance of being able to all be on in the same environment to be able to work more jointly together to collaborate. It reduces the need for the workforce to figure out how to do it themselves — that’s what I don’t want them to do. I want them to use their creativity to actually do their job. Our job is to ensure that they have the right capabilities and tools to do their job better.”
Aside from modernizing and simplifying those networks, other near-term goals for Metz’s new office include updating end-user devices and laying the groundwork for other significant moves to the cloud. In the early days, the focus is on treating the collection of OSD offices as a single IT enterprise and building out common IT services.
“One of the things that we were able to do is to build that governance structure, create an identity, so that we can have a community of practice,” she said. “We’ve also identified a number of PSAs that are the pockets of excellence: forging ahead, failing fast, and pushing the envelope. They’ve been able to figure out what their business processes are to get to the technical makeup of moving to cloud adoption.”
Over the long-term, Metz said OSD will rely heavily on DoD’s new Joint Warfighting Cloud Computing (JWCC) contract — but those task orders will likely be organized along functional lines, once the office is ready to lean in to supporting mission-specific IT needs. For now, the objective is to map out OSD’s cloud requirements and build the support services to help them migrate.
“We want to be able to do something similar to what the Army did with their Enterprise Cloud Management Agency: create a corporate playbook for OSD,” she said. “What I don’t want is for each individual PSA to fail on their own and do it in a vacuum. We want to be able to at least standardize what we think the business processes are, to help inform the technical processes to determine which systems and workloads need to be moved to a targeted cloud environment … The other side of the coin that we’ve struggled with for OSD is that we don’t have an authorizing official (AO) for cloud, which makes it extremely difficult to do anything. And so we’re working on testing out and piloting AO as a service. That and some other basic elements need to be in place and available to OSD in order for us to even start moving the needle for cloud adoption.”
Jared Serbu is deputy editor of Federal News Network and reports on the Defense Department’s contracting, legislative, workforce and IT issues.
This CISA-NSA guidance reveals concerning gaps and deficits in the multifactor authentication and Single Sign-On industry and calls for vendors to make investments and take additional steps.
The National Security Agency and the Cybersecurity and Infrastructure Security Agency published on October 4, 2023, a document titled Identity and Access Management: Developer and Vendor Challenges. This new IAM CISA-NSA guidance focuses on the challenges and tech gaps that are limiting the adoption and secure employment of multifactor authentication and Single Sign-On technologies within organizations.
The document was authored by a panel of public-private cross-sector partnerships working under the CISA-NSA-led Enduring Security Framework. The ESF is tasked with investigating risks to critical infrastructure and national security systems. The guidance builds on their previous report, Identity and Access Management Recommended Best Practices Guide for Administrators.
In an email interview with TechRepublic, Jake Williams, faculty member at IANS Research and former NSA offensive hacker, said, “The publication (it’s hard to call it guidance) highlights the challenges with comparing the features provided by vendors. CISA seems to be putting vendors on notice that they want vendors to be clear about what standards they do and don’t support in their products, especially when a vendor only supports portions of a given standard.”
IAM-related challenges and gaps affecting vendors and developers
The CISA-NSA document detailed the technical challenges related to IAM affecting developers and vendors. Looking specifically at the deployment of multifactor authentication and Single Sign-On, the report highlights several gaps.
Definitions and policy
According to CISA and the NSA, the definitions and policies of the different variations of MFAs are unclear and confusing. The report notes there is a need for clarity to drive interoperability and standardization of different types of MFA systems. This is impacting the abilities of companies and developers to make better-informed decisions on which IAM solutions they should integrate into their environments.
Lack of clarity regarding MFA security properties
The CISA-NSA report notes that vendors are not offering clear definitions when it comes to the level of security that different types of MFAs provide, as not all MFAs offer the same security.
For example, SMS MFA is more vulnerable than hardware storage MFA technologies, and some MFA methods, such as those based on public key infrastructure or FIDO, are resistant to phishing, while others are not.
Lack of understanding leading to integration deficits
The CISA and NSA say that the architectures for leveraging open standard-based SSO together with legacy applications are not always widely understood. The report calls for the creation of a shared, open-source repository of open standards-based modules and patterns to solve these integration challenges to aid in adoption.
SSO features and pricing plans
SSO capabilities are often bundled with other high-end enterprise features, making them inaccessible to small and medium organizations. The solution to this challenge would require vendors to include organizational SSOs in pricing plans that include all types of businesses, regardless of size.
MFA governance and workers
Another main gap area identified is MFA governance integrity over time as workers join or leave organizations. The process known as “credential lifecycle management” often lacks available MFA solutions, the CISA-NSA report stated.
The overall confusion regarding MFA and SSO, the lack of specifics and standards, and the gaps in support and available technologies are all affecting the security of companies that have to deploy IAM systems with the information and services that are available to them.
“An often-bewildering list of options is available to be combined in complicated ways to support diverse requirements,” the report noted. “Vendors could offer a set of predefined default configurations, that are pre-validated end to end for defined use cases.”
Key takeaways from the CISA-NSA’s IAM report
Williams told TechRepublic that the biggest takeaway from this new publication is that IAM is extremely complex.
“There’s little for most organizations to do themselves,” Williams said, referring to the new CISA-NSA guidance. “This (document) is targeted at vendors and will certainly be a welcome change for CISOs trying to perform apples-to-apples comparisons of products.”
Deploying hardware security modules
Williams said another key takeaway is the acknowledgment that some applications will require users to implement hardware security modules to achieve acceptable security. HSMs are usually plug-in cards or external devices that connect to computers or other devices. These security devices protect cryptographic keys, perform encryption and decryption and create and verify digital signatures. HSMs are considered a robust authentication technology, typically used by banks, financial institutions, healthcare providers, government agencies and online retailers.
“In many deployment contexts, HSMs can protect the keys from disclosure in a system memory dump,” Williams said. “This is what led to highly sensitive keys being stolen from Microsoft by Chinese threat actors, ultimately leading to the compromise of State Department email.”
“CISA raises this in the context of usability vs. security, but it’s worth noting that nothing short of an HSM will adequately meet many high-security requirements for key management,” Williams warns.
Conclusions and key recommendations for vendors
The CISA-NSA document ends with a detailed section of key recommendations for vendors, which as Williams says, “puts them on notice” as to what issues they need to address. Williams highlighted the need for standardizing the terminology used so it’s clear what a vendor supports.
Chad McDonald, chief information security officer of Radiant Logic, also talked to TechRepublic via email and agreed with Williams. Radiant Logic is a U.S.-based company that focuses on solutions for identity data unification and integration, helping organizations manage, use and govern identity data.
“Modern-day workforce authentication can no longer fit one certain mold,” McDonald said. “Enterprises, especially those with employees coming from various networks and locations, require tools that allow for complex provisioning and do not limit users in their access to needed resources.”
For this to happen, a collaborative approach amongst all solutions is essential, added McDonald. “Several of CISA’s recommendations for vendors and developers not only push for a collaborative approach but are incredibly feasible and actionable.”
McDonald said the industry would welcome standard MFA terminology to allow equitable comparison of products, the prioritization of user-friendly MFA solutions for both mobile and desktop platforms to drive wider adoption and the implementation of broader support for and development of identity standards in the enterprise ecosystem.
Recommendations for vendors
Create standard MFA terminology
Regarding the use of ambiguous MFA terminology, the report recommended creating standard MFA terminology that provides clear, interoperable and standardized definitions and policies allowing organizations to make value comparisons and integrate these solutions into their environment.
Create phishing-resistant authenticators and then standardize their adoption
In response to the lack of clarity on the security properties that certain MFA implementations provide, CISA and NSA recommended additional investment by the vendor community to create phishing-resistant authenticators to provide greater defense against sophisticated attacks.
The report also concludes that simplifying and standardizing the security properties of MFA and phishing-resistant authenticators, including their form factors embedded into operating systems, “would greatly enhance the market.” CISA and NSA called for more investment to support high-assurance MFA implementations for enterprise use. These investments should be designed in a user-friendly flow, on both mobile and desktop platforms, to promote higher MFA adoption.
Develop more secure enrollment tooling
Regarding governance and self-enrollment, the report said it’s necessary to develop more secure enrollment tooling to support the complex provisioning needs of large organizations. These tools should also automatically discover and purge enrollment MFA authenticators that have not been used in a particular period of time or whose usage is not normal.
“Vendors have a real opportunity to lead the industry and build trust with product consumers with additional investments to bring such phishing-resistant authenticators to more use cases, as well as simplifying and further standardizing their adoption, including in form factors embedded into operating systems, would greatly enhance the market,” stated the CISA and the NSA.
We’re in a very strange moment for the internet. We all know it’s broken. That’s not news. But there’s something in the air—a vibe shift, a sense that things are about to change. For the first time in years, it feels as though something truly new and different might be happening with the way we communicate online. The stranglehold that the big social platforms have had on us for the last decade is weakening. The question is: What do we want to come next?
There’s a sort of common wisdom that the internet is irredeemably bad, toxic, a rash of “hellsites” to be avoided. That social platforms, hungry to profit off your data, opened a Pandora’s box that cannot be closed. Indeed, there are truly awful things that happen on the internet, things that make it especially toxic for people from groups disproportionately targeted with online harassment and abuse. Profit motives led platforms to ignore abuse too often, and they also enabled the spread of misinformation, the decline of local news, the rise of hyperpartisanship, and entirely new forms of bullying and bad behavior. All of that is true, and it barely scratches the surface.
But the internet has also provided a haven for marginalized groups and a place for support, advocacy, and community. It offers information at times of crisis. It can connect you with long-lost friends. It can make you laugh. It can send you a pizza. It’s duality, good and bad, and I refuse to toss out the dancing-baby GIF with the tubgirl-dot-png bathwater. The internet is worth fighting for because despite all the misery, there’s still so much good to be found there. And yet, fixing online discourse is the definition of a hard problem. But look. Don’t worry. I have an idea.
What is the internet and why is it following me around?
To cure the patient, first we must identify the disease.
When we talk about fixing the internet, we’re not referring to the physical and digital network infrastructure: the protocols, the exchanges, the cables, and even the satellites themselves are mostly okay. (There are problems with some of that stuff, to be sure. But that’s an entirely other issue—even if both do involve Elon Musk.) “The internet” we’re talking about refers to the popular kinds of communication platforms that host discussions and that you probably engage with in some form on your phone.
Some of these are massive: Facebook, Instagram, YouTube, Twitter, TikTok, X. You almost certainly have an account on at least one of these; maybe you’re an active poster, maybe you just flip through your friends’ vacation photos while on the john.
Although the exact nature of what we see on those platforms can vary widely from person to person, they mediate content delivery in universally similar ways that are aligned with their business objectives. A teenager in Indonesia may not see the same images on Instagram that I do, but the experience is roughly the same: we scroll through some photos from friends or family, maybe see some memes or celebrity posts; the feed turns into Reels; we watch a few videos, maybe reply to a friend’s Story or send some messages. Even though the actual content may be very different, we probably react to it in much the same way, and that’s by design.
The internet also exists outside these big platforms; it’s blogs, message boards, newsletters and other media sites. It’s podcasts and Discord chatrooms and iMessage groups. These will offer more individualized experiences that may be wildly different from person to person. They often exist in a sort of parasitic symbiosis with the big, dominant players, feeding off each other’s content, algorithms, and audience.
The internet is good things. For me, it’s things I love, like Keyboard Cat and Double Rainbow. It’s personal blogs and LiveJournals; it’s AIM away messages and MySpace top 8s. It’s the distracted-girlfriend meme and a subreddit for “What is this bug?” It is a famous thread on a bodybuilding forum where meatheads argue about how many days are in a week. For others, it’s Call of Duty memes and the mindless entertainment of YouTubers like Mr. Beast, or a place to find the highly specific kind of ASMR video they never knew they wanted. It’s an anonymous supportive community for abuse victims, or laughing at Black Twitter’s memes about the Montgomery boat brawl, or trying new makeup techniques you learned on TikTok.
It’s also very bad things: 4chan and the Daily Stormer, revenge porn, fake news sites, racism on Reddit, eating disorder inspiration on Instagram, bullying, adults messaging kids on Roblox, harassment, scams, spam, incels, and increasingly needing to figure out if something is real or AI.
The bad things transcend mere rudeness or trolling. There is an epidemic of sadness, of loneliness, of meanness, that seems to self-reinforce in many online spaces. In some cases, it is truly life and death. The internet is where the next mass shooter is currently getting his ideas from the last mass shooter, who got them from the one before that, who got them from some of the earliest websites online. It’s an exhortation to genocide in a country where Facebook employed too few moderators who spoke the local language because it had prioritized growth over safety.
The existential problem is that both the best and worst parts of the internet exist for the same set of reasons, were developed with many of the same resources, and often grew in conjunction with each other. So where did the sickness come from? How did the internet get so … nasty? To untangle this, we have to go back to the early days of online discourse.
The internet’s original sin was an insistence on freedom: it was made to be free, in many senses of the word. The internet wasn’t initially set up for profit; it grew out of a communications medium intended for the military and academics (some in the military wanted to limit Arpanet to defense use as late as the early 1980s). When it grew in popularity along with desktop computers, Usenet and other popular early internet applications were still largely used on university campuses with network access. Users would grumble that each September their message boards would be flooded with newbies, until eventually the “eternal September”—a constant flow of new users—arrived in the mid-’90s with the explosion of home internet access.
When the internet began to be built out commercially in the 1990s, its culture was, perversely, anticommercial. Many of the leading internet thinkers of the day belonged to a cohort of AdBusters-reading Gen Xers and antiestablishment Boomers. They were passionate about making software open source. Their very mantra was “Information wants to be free”—a phrase attributed to Stewart Brand, the founder of the Whole Earth Catalog and the pioneering internet community the WELL. This ethos also extended to a passion for freedom of speech, and a sense of responsibility to protect it.
It just so happened that those people were quite often affluent white men in California, whose perspective failed to predict the dark side of the free-speech, free-access havens they were creating. (In fairness, who would have imagined that the end result of those early discussions would be Russian disinformation campaigns targeting Black Lives Matter? But I digress.)
The culture of free demanded a business model that could support it. And that was advertising. Through the 1990s and even into the early ’00s, advertising on the internet was an uneasy but tolerable trade-off. Early advertising was often ugly and annoying: spam emails for penis enlargement pills, badly designed banners, and (shudder) pop-up ads. It was crass but allowed the nice parts of the internet—message boards, blogs, and news sites—to be accessible to anyone with a connection.
But advertising and the internet are like that small submersible sent to explore the Titanic: the carbon fiber works very efficiently, until you apply enough pressure. Then the whole thing implodes.
Targeted advertising and the commodification of attention
In 1999, the ad company DoubleClick was planning to combine personal data with tracking cookies to follow people around the web so it could target its ads more effectively. This changed what people thought was possible. It turned the cookie, originally a neutral technology for storing Web data locally on users’ computers, into something used for tracking individuals across the internet for the purpose of monetizing them.
To the netizens of the turn of the century, this was an abomination. And after a complaint was filed with the US Federal Trade Commission, DoubleClick dialed back the specifics of its plans. But the idea of advertising based on personal profiles took hold. It was the beginning of the era of targeted advertising, and with it, the modern internet. Google bought DoubleClick for $3.1 billion in 2008. That year, Google’s revenue from advertising was $21 billion. Last year, Google parent company Alphabet took in $224.4 billion in revenue from advertising.
Our modern internet is built on highly targeted advertising using our personal data. That is what makes it free. The social platforms, most digital publishers, Google—all run on ad revenue. For the social platforms and Google, their business model is to deliver highly sophisticated targeted ads. (And business is good: in addition to Google’s billions, Meta took in $116 billion in revenue for 2022. Nearly half the people living on planet Earth are monthly active users of a Meta-owned product.) Meanwhile, the sheer extent of the personal data we happily hand over to them in exchange for using their services for free would make people from the year 2000 drop their flip phones in shock.
And that targeting process is shockingly good at figuring out who you are and what you are interested in. It’s targeting that makes people think their phones are listening in on their conversations; in reality, it’s more that the data trails we leave behind become road maps to our brains.
When we think of what’s most obviously broken about the internet—harassment and abuse; its role in the rise of political extremism, polarization, and the spread of misinformation; the harmful effects of Instagram on the mental health of teenage girls—the connection to advertising may not seem immediate. And in fact, advertising can sometimes have a mitigating effect: Coca-Cola doesn’t want to run ads next to Nazis, so platforms develop mechanisms to keep them away.
But online advertising demands attention above all else, and it has ultimately enabled and nurtured all the worst of the worst kinds of stuff. Social platforms were incentivized to grow their user base and attract as many eyeballs as possible for as long as possible to serve ever more ads. Or, more accurately, to serve ever more you to advertisers. To accomplish this, the platforms have designed algorithms to keep us scrolling and clicking, the result of which has played into some of humanity’s worst inclinations.
In 2018, Facebook tweaked its algorithms to favor more “meaningful social interactions.” It was a move meant to encourage users to interact more with each other and ultimately keep their eyeballs glued to News Feed, but it resulted in people’s feeds being taken over by divisive content. Publishers began optimizing for outrage, because that was the type of content that generated lots of interactions.
On YouTube, where “watch time” was prioritized over view counts, algorithms recommended and ran videos in an endless stream. And in their quest to sate attention, these algorithms frequently led people down ever more labyrinthine corridors to the conspiratorial realms of flat-earth truthers, QAnon, and their ilk. Algorithms on Instagram’s Discover page are designed to keep us scrolling (and spending) even after we’ve exhausted our friends’ content, often by promoting popular aesthetics whether or not the user had previously been interested. The Wall Street Journal reported in 2021 that Instagram had long understood it was harming the mental health of teenage girls through content about body image and eating disorders, but ignored those reports. Keep ’em scrolling.
There is an argument that the big platforms are merely giving us what we wanted. Anil Dash, a tech entrepreneur and blogging pioneer who worked at SixApart, the company that developed the blog software Movable Type, remembers a backlash when his company started charging for its services in the mid-’00s. “People were like, ‘You’re charging money for something on the internet? That’s disgusting!’” he told MIT Technology Review. “The shift from that to, like, If you’re not paying for the product, you’re the product … I think if we had come up with that phrase sooner, then the whole thing would have been different. The whole social media era would have been different.”
The big platforms’ focus on engagement at all costs made them ripe for exploitation. Twitter became a “honeypot for a**holes” where trolls from places like 4chan found an effective forum for coordinated harassment. Gamergate started in swampier waters like Reddit and 4chan, but it played out on Twitter, where swarms of accounts would lash out at the chosen targets, generally female video-game critics. Trolls also discovered that Twitter could be gamed to get vile phrases to trend: in 2013, 4chan accomplished this with #cuttingforbieber, falsely claiming to represent teenagers engaging in self-harm for the pop singer. Platform dynamics created such a target-rich environment that intelligence services from Russia, China, and Iran—among others—use them to sow political division and disinformation to this day.
“Humans were never meant to exist in a society that contains 2 billion individuals,” says Yoel Roth, a technology policy fellow at UC Berkeley and former head of trust and safety for Twitter. “And if you consider that Instagram is a society in some twisted definition, we have tasked a company with governing a society bigger than any that has ever existed in the course of human history. Of course they’re going to fail.”
How to fix it
Here’s the good news. We’re in a rare moment when a shift just may be possible; the previously intractable and permanent-seeming systems and platforms are showing that they can be changed and moved, and something new could actually grow.
One positive sign is the growing understanding that sometimes … you have to pay for stuff. And indeed, people are paying individual creators and publishers on platforms such as Substack, Patreon, and Twitch. Meanwhile, the freemium model that YouTube Premium, Spotify, and Hulu explored proves (some) people are willing to shell out for ad-free experiences. A world where only the people who can afford to pay $9.99 a month to ransom back their time and attention from crappy ads isn’t ideal, but at least it demonstrates that a different model will work.
Another thing to be optimistic about (although time will tell if it actually catches on) is federation—a more decentralized version of social networking. Federated networks like Mastodon, Bluesky, and Meta’s Threads are all just Twitter clones on their surface—a feed of short text posts—but they’re also all designed to offer various forms of interoperability. Basically, where your current social media account and data exist in a walled garden controlled entirely by one company, you could be on Threads and follow posts from someone you like on Mastodon—or at least Meta says that’s coming. (Many—including internet pioneer Richard Stallman, who has a page on his personal website devoted to “Why you should not be used by Threads”—have expressed skepticism of Meta’s intentions and promises.) Even better, it enables more granular moderation. Again, X (the website formerly known as Twitter) provides a good example of what can go wrong when one person, in this case Elon Musk, has too much power in making moderation decisions—something federated networks and the so-called “fediverse” could solve.
The big idea is that in a future where social media is more decentralized, users will be able to easily switch networks without losing their content and followings. “As an individual, if you see [hate speech], you can just leave, and you’re not leaving your entire community—your entire online life—behind. You can just move to another server and migrate all your contacts, and it should be okay,” says Paige Collings, a senior speech and privacy advocate at the Electronic Frontier Foundation. “And I think that’s probably where we have a lot of opportunity to get it right.”
There’s a lot of upside to this, but Collings is still wary. “I fear that while we have an amazing opportunity,” she says, “unless there’s an intentional effort to make sure that what happened on Web2 does not happen on Web3, I don’t see how it will not just perpetuate the same things.”
Federation and more competition among new apps and platforms provide a chance for different communities to create the kinds of privacy and moderation they want, rather than following top-down content moderation policies created at headquarters in San Francisco that are often explicitly mandated not to mess with engagement. Yoel Roth’s dream scenario would be that in a world of smaller social networks, trust and safety could be handled by third-party companies that specialize in it, so social networks wouldn’t have to create their own policies and moderation tactics from scratch each time.
The tunnel-vision focus on growth created bad incentives in the social media age. It made people realize that if you wanted to make money, you needed a massive audience, and that the way to get a massive audience was often by behaving badly. The new form of the internet needs to find a way to make money without pandering for attention. There are some promising new gestures toward changing those incentives already. Threads doesn’t show the repost count on posts, for example—a simple tweak that makes a big difference because it doesn’t incentivize virality.
We, the internet users, also need to learn to recalibrate our expectations and our behavior online. We need to learn to appreciate areas of the internet that are small, like a new Mastodon server or Discord or blog. We need to trust in the power of “1,000 true fans” over cheaply amassed millions.
Anil Dash has been repeating the same thing over and over for years now: that people should buy their own domains, start their own blogs, own their own stuff. And sure, these fixes require a technical and financial ability that many people do not possess. But with the move to federation (which at least provides control, if not ownership) and smaller spaces, it seems possible that we’re actually going to see some of those shifts away from big-platform-mediated communication start to happen.
“There’s a systemic change that is happening right now that’s bigger,” he says. “You have to have a little bit of perspective of life pre-Facebook to sort of say, Oh, actually, some of these things are just arbitrary. They’re not intrinsic to the internet.”
The fix for the internet isn’t to shut down Facebook or log off or go outside and touch grass. The solution to the internet is more internet: more apps, more spaces to go, more money sloshing around to fund more good things in more variety, more people engaging thoughtfully in places they like. More utility, more voices, more joy.
My toxic trait is I can’t shake that naïve optimism of the early internet. Mistakes were made, a lot of things went sideways, and there has undeniably been a lot of pain and misery and bad things that came from the social era. The mistake now would be not to learn from them.
Katie Notopoulos is a writer who lives in Connecticut. She’s written for BuzzFeed News, Fast Company, GQ, and Columbia Journalism Review.
IBM Research Global Internship Program applications are now open to intern with IBM Quantum the summer of 2024.
At IBM Quantum, we’re bringing useful quantum computing to the world. This technology is widely expected to solve valuable problems that are unsolvable using any known methods on classical supercomputers. And quantum summer internships, as part of the IBM Research Global Internship Program, are perhaps the most valuable in the field. Every intern working in quantum makes meaningful contributions to the IBM Quantum Development Roadmap — pushing the field of quantum computing forward in the process.
We have directly trained more than 400 interns at all levels of higher education since 2020, many of whom have gone on to work at IBM Quantum or elsewhere in the field of quantum after graduation. Interns have the opportunity to work directly with researchers, developers, and business experts working to advance the field of quantum computing. Our interns have researched quantum applications, designed hardware, developed open-source projects with Qiskit, carried out market research, and more.
We are hiring software developer, hardware engineer, and research scientist interns for the summer of 2024. Interns in the US will work at either the Thomas J. Watson Research Center in Yorktown Heights, New York, or at IBM Research — Almaden in San Jose, California from either May 20, 2024 to August 9, 2024, or from June 17, 2024 to September 6, 2024. International internship opportunities will be added to this article soon. See the full list of roles and links below to apply.
The internship experience
Internships with IBM Quantum prepare students with the skills, networks, and career paths needed to launch their careers in the field of quantum. In previous years, the IBM Quantum internship program has included the Qiskit Global Summer School, poster sessions, and a fireside chat with IBM Fellow and Vice President of IBM Quantum, Jay Gambetta, hosted and organized by IBM Quantum interns.
Arian Noori, a University of Wisconsin graduate student and quantum hardware engineering intern who worked on optimizing cryogenic qubit control transmission lines for improved signal delivery to a quantum chip, said about his experience interning at IBM Research:
“Not only did I acquire invaluable practical and technical skills, but my mentors also instilled in me new and intuitive ways of approaching engineering and physics problems. The IBM community is remarkably friendly and open. I was surrounded by some of the most intellectual individuals in the world, and everyone was delighted to share insights into their projects.
“This exposure allowed me to better conceptualize the entire quantum computing ecosystem, enabling a deeper understanding of the most pressing challenges in the field.”
Columbia University undergraduate and quantum software intern Danielle Odigie said about her IBM Research internship experience: “I feel like this summer was the summer where I started feeling like an actual software engineer! It was so fulfilling and so cool to be able to aid in the efforts to create software that connects programmers to such powerful technology.”
And Dhruv Srinivasan, University of Maryland undergraduate and quantum hardware intern, learned about the bring-up of quantum computers, and the “many facets of the quantum stack, where I worked on both the room-temperature electronics cooling, as well as the calibration of the amplification of a chain of qubits.”
For more advice from previous interns, take a look at last year’s blog. Though familiarity with quantum computing is not required, we suggest candidates consider getting acquainted with Qiskit. We have also revamped the IBM Quantum Learning platform, making it easier than ever to hone your quantum computing skills and make yourself a more competitive candidate. Check out the IBM Quantum Learning platform.
2024 internship openings
We look forward to hearing from you. And for those outside the United States, we will share updates on internship opportunities outside of the US in the near future. Follow IBM Quantum on LinkedIn for updates.
Today, CISA, the Federal Bureau of Investigation, the National Security Agency, and the U.S. Department of the Treasury released guidance on improving the security of open source software (OSS) in operational technology (OT) and industrial control systems (ICS). In alignment with CISA’s recently released Open Source Security Roadmap, the guidance provides recommendations to OT/ICS organizations on:
Supporting OSS development and maintenance,
Managing and patching vulnerabilities in OT/ICS environments, and
Using the Cross-Sector Cybersecurity Performance Goals (CPGs) as a common framework for adopting key cybersecurity best practices in relation to OSS.
Alongside the guidance, CISA published the Securing OSS in OT web page, which details the Joint Cyber Defense Collaborative (JCDC) OSS planning initiative, a priority within the JCDC 2023 Planning Agenda. The initiative will support collaboration between the public and private sectors—including the OSS community—to better understand and secure OSS use in OT/ICS, which will strengthen defense against OT/ICS cyber threats.
CISA encourages OT/ICS organizations to review this guidance and implement its recommendations.
Google on Tuesday announced the ability for all users to set up passkeys by default, five months after it rolled out support for the FIDO Alliance-backed passwordless standard for Google Accounts on all platforms.
“This means the next time you sign in to your account, you’ll start seeing prompts to create and use passkeys, simplifying your future sign-ins,” Google’s Sriram Karra and Christiaan Brand said.
“It also means you’ll see the ‘skip password when possible’ option toggled on in your Google Account settings.”
Passkeys are a new form of authentication that entirely eliminates the need for usernames and passwords, or even for providing any additional authentication factor.
In other words, it’s a passwordless login mechanism that leverages public-key cryptography to authenticate users’ access to websites and apps, with the private key saved securely in the device and the public key stored in the server.
Each passkey is unique and bound to a username and a specific service, meaning a user will have at least as many passkeys as they have accounts, although there can be multiple passkeys per account since passkeys function only within the confines of the same platform.
A user can, therefore, have one passkey for a given website on each of Android, iOS, macOS, and Windows.
Thus, when a user signs into a website or app that supports passkeys, a random challenge is created and sent to the client, which, in turn, prompts the individual to verify using their biometric or a PIN in order to sign the challenge using the private key and send it back to the server.
Authentication is considered successful if the signed response can be validated using the associated public key.
An immediate benefit to passkeys is two-fold: they not only obviate the hassle of remembering passwords, but are also phishing-resistant, thereby safeguarding accounts against potential takeover attacks.
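The sign-in exchange described above, and the reason it resists phishing and replay, can be modelled in a few lines. This is an added example, not Google's or the FIDO Alliance's code: it is a simplified model rather than the WebAuthn wire format, and the origins, function names and field names are constructed for illustration.

```javascript
// Simplified model of the passkey challenge-response (constructed names, not WebAuthn's format).
const crypto = require('node:crypto');

// Registration: the device keeps the private key, the server stores the public key.
function createPasskey(rpOrigin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, serverRecord: { rpOrigin, publicKey } };
}

// Server: issue a fresh random challenge and remember it until it is used once.
function issueChallenge(pending) {
  const challenge = crypto.randomBytes(32).toString('base64url');
  pending.add(challenge);
  return challenge;
}

// Client: after local user verification (biometric or PIN, modelled as a boolean),
// sign the challenge together with the origin the browser is actually visiting.
function signAssertion(device, challenge, seenOrigin, userVerified) {
  if (!userVerified) throw new Error('user verification failed');
  const clientData = JSON.stringify({ challenge, origin: seenOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: check challenge freshness, then the origin, then the signature.
function verifyAssertion(serverRecord, pending, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return 'malformed'; }
  if (!pending.delete(data.challenge)) return 'unknown-or-replayed-challenge';
  if (data.origin !== serverRecord.rpOrigin) return 'origin-mismatch';
  const ok = crypto.verify('sha256', Buffer.from(assertion.clientData),
                           serverRecord.publicKey, assertion.signature);
  return ok ? 'ok' : 'bad-signature';
}

function demo() {
  const site = 'https://accounts.example';        // constructed relying-party origin
  const lookalike = 'https://login.lookalike.test'; // constructed phishing origin
  const { device, serverRecord } = createPasskey(site);
  const pending = new Set();
  const results = {};
  // Genuine sign-in, then the same response presented a second time.
  const a = signAssertion(device, issueChallenge(pending), site, true);
  results.genuine = verifyAssertion(serverRecord, pending, a);
  results.replay = verifyAssertion(serverRecord, pending, a);
  // Response produced on a look-alike page: the signed origin gives it away.
  const b = signAssertion(device, issueChallenge(pending), lookalike, true);
  results.lookalike = verifyAssertion(serverRecord, pending, b);
  // Same, but the origin is rewritten after signing: the signature no longer matches.
  const c = signAssertion(device, issueChallenge(pending), lookalike, true);
  c.clientData = c.clientData.replace(lookalike, site);
  results.tampered = verifyAssertion(serverRecord, pending, c);
  return results;
}
```

Because the signature covers both the one-time challenge and the origin, a response captured on another site or reused later fails one of the three server-side checks.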
The development comes weeks after Microsoft officially began supporting passkeys in Windows 11 for improved account security. Other widely-used platforms like eBay and Uber have enabled passkey support in recent months.
Individual atoms on a surface do their first basic calculation.
Physicists have performed the first quantum calculations to be carried out using individual atoms sitting on a surface.
The technique, described on 5 October in Science, controls titanium atoms by beaming microwave signals from the tip of a scanning tunnelling microscope (STM). It is unlikely to compete any time soon with the leading approaches to quantum computing, including those adopted by Google and IBM, as well as by many start-up companies. But the tactic could be used to study quantum properties in a variety of other chemical elements or even molecules, say the researchers who developed it.
At some level, everything in nature is quantum and can, in principle, perform quantum computations. The hard part is to isolate quantum states called qubits — the quantum equivalent of the memory bits in a classical computer — from environmental disturbances, and to control them finely enough for such calculations to be achieved.
Andreas Heinrich at the Institute for Basic Science in Seoul and his collaborators worked with nature’s ‘original’ qubit — the spin of the electron. Electrons act like tiny compass needles, and measuring the direction of their spin can yield only two possible values, ‘up’ or ‘down’, which correspond to the ‘0’ and ‘1’ of a classical bit. But before it is measured, electron spin can exist in a continuum of possible intermediate states, called superpositions. This is the key to performing quantum computations.
Three titanium atoms are arranged inside a scanning tunnelling microscope (STM), close enough to sense each other’s quantum spins. Iron atoms stuck to the tip of the STM (top) ‘talk’ with one of the qubits (blue), using it to read and write information on the other two (red) and to get them to perform a rudimentary quantum computation. Credit: Center for Quantum Nanoscience
The researchers started by scattering titanium atoms on a perfectly flat surface made of magnesium oxide. They then mapped the atoms’ positions using the STM, which has atomic resolution. They used the tip of the STM probe to move the titanium atoms around, arranging three of them into a triangle.
Using microwave signals emitted from the STM tip, the researchers were able to control the spin of a single electron in one of the titanium atoms. By tuning the frequencies of the microwaves appropriately, they could also make its spin interact with the spins in the other two titanium atoms, similarly to how multiple compass needles can influence each other through their magnetic fields. By doing this, the team was able to set up a simple two-qubit quantum operation, and also to read out its results. The operation took just nanoseconds — faster than is possible with most other types of qubit.
Heinrich says that it will be fairly straightforward to extend the technique to perhaps 100 qubits, possibly by manipulating spins in a combination of individual atoms and molecules. It might be difficult to push it much beyond that, however — and the leading qubit technologies are already being scaled up to hundreds of qubits. “We are more on the basic-science side,” Heinrich says, although he adds that multiple STM quantum computers could one day be linked to form a bigger one.
Culture is often described as “how we do things around here” — a passive reflection of legacy norms and behaviors. It’s more helpful to think of culture as the nervous system of an organization. In biology, the central nervous system is the pathway by which thoughts in our brains are translated into actions by our muscles, and how our experience of acting in the world updates our brain’s understanding of the world. In organizations, this means thinking of culture as the transmission mechanism by which a company both communicates its intended strategy to the front lines and receives feedback and intelligence from the field about whether the strategy is achieving the intended outcomes in the market.
This nervous system metaphor illuminates the factors behind two of the most common reasons given for business failure: “We had a great strategy but failed to execute it” (a failure in the communication from the center to the field) or “Our leaders surrounded themselves with people who were afraid to tell them how the business was really performing” (a failure to relay important feedback and intelligence from the field). Both are examples of the failure to create an effective transmission mechanism from thought to action and back again.
A strategic approach to culture involves an active effort to create the environment and infrastructure to promote the necessary information flow between strategy and execution — treating them as complementary components of purposeful doing. These tools can include town halls, customer site visits, postmortems on lost bids, employee engagement surveys and any number of other mechanisms that facilitate the exchange of valuable information about what is (or is not) working. These tools nurture a culture of contextual awareness and adaptability that enables the business to perform better in its current environment and to prepare for future success.
Different change objectives require different choices about culture.
There are certain aspects of culture that are universally desirable and others whose value is more context-dependent. When Donald Sull and Charles Sull analyzed 1.4 million employee reviews on Glassdoor, they identified four key factors that contribute to a positive corporate culture (respect, leadership, compensation/benefits, and job security). But when organizational change is the imperative, this requires deliberately adding context-dependent factors to the culture.
The importance of adaptation has been the defining theme of our earlier articles
The Strategy of Change
To develop effective strategy amid constant change, leaders must hone their ability to determine which changes will boost their organization’s competitiveness. This series examines data from companies worldwide to provide practical insights for business leaders seeking advantage as they navigate complexity and change.
ABOUT THE AUTHORS
Jonathan Knowles is the founder of advisory firm Type 2 Consulting. B. Tom Hunsaker is a clinical professor of strategy and leadership at Arizona State University’s Thunderbird School of Global Management. Melanie Hughes is the former chief HR officer of Moody’s, American Eagle, and Tribune Media.
The Department of Veterans Affairs (VA) said it plans to share a lot more data with non-VA medical providers. The VA today announced a data-sharing pledge with 13 community health care systems to improve the veteran experience whether veterans receive their care at a VA facility or not. Through the “Veteran Interoperability Pledge,” the VA said it will securely exchange information with non-VA medical providers about care provided and requested, as well as help to connect veterans with VA benefits. “This pledge will improve veteran health care by giving us seamless, immediate access to a patient’s medical history, which will help us make timely and accurate treatment decisions,” VA Under Secretary for Health Dr. Shereef Elnahal said. The pledge comes as the VA is in the process of migrating to a new electronic health record (EHR) system through its Electronic Health Records Modernization (EHRM) program.