healthcarereimagined

Envisioning healthcare for the 21st century


DHS seeks automated SBOM tools for enhanced supply chain visibility – Fedscoop

Posted by timmreardon on 07/12/2022
Posted in: Uncategorized.

Written by Dave Nyczepir
Jul 11, 2022 | FEDSCOOP

The Department of Homeland Security Science & Technology Directorate wants to encourage tech companies to develop automated software bill of materials tools offering more visibility into supply chains.

DHS S&T‘s Silicon Valley Innovation Program issued a five-year other transaction solicitation call for foundational open-source software libraries and other tools increasing the availability of trustworthy software bills of materials (SBOMs), machine-readable inventories of components and how they relate.

Many federal contractors hope SBOMs become the standard for proving government-mandated compliance with the Secure Software Development Framework. But multiple data formats exist, prompting the Cybersecurity and Infrastructure Security Agency to seek translation tools and automated SBOM generators that plug into build systems.

“Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms,” said Allan Friedman, senior advisor and strategist at CISA, in a statement. “By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster and more efficiently.”

SVIP issued the call on behalf of CISA for tools that will help secure essential communications, finance, transportation and energy services.

Other capabilities CISA is interested in are those that:

  • visualize SBOM data on provenance and risk;
  • plug into integrated development environment tools to highlight software dependencies, warn of vulnerabilities and provide mitigations; and
  • use software identifiers to help system administrators using security incident and event management tools pinpoint and prioritize threats to the operational environment.
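The article describes three capabilities the call is after: machine-readable component inventories, translation between the competing SBOM data formats, and the use of software identifiers to prioritize threats against an operational environment. The following is an added illustration of all three, not code from the FedScoop article, CISA or any SVIP applicant. It normalizes a minimal CycloneDX-style and a minimal SPDX-style document (both constructed, with far fewer fields than the real specifications) into one inventory keyed by package URL (purl), then matches that inventory against a constructed advisory list and orders the hits by severity. The package names, versions and advisory identifiers are invented sample data.

```javascript
// Added example (not from the article or any CISA/SVIP tool): normalise two SBOM
// formats into one component inventory and check it against an advisory list.
// All documents and advisories below are constructed sample data.

// Minimal CycloneDX-style document (constructed); components carry the purl directly.
const CYCLONEDX_SAMPLE = {
  bomFormat: "CycloneDX",
  specVersion: "1.4",
  components: [
    { type: "library", name: "libexample-http", version: "2.3.1", purl: "pkg:generic/libexample-http@2.3.1" },
    { type: "library", name: "example-json", version: "1.0.9", purl: "pkg:npm/example-json@1.0.9" },
  ],
};

// Minimal SPDX-style document (constructed); SPDX carries the purl as an external reference.
const SPDX_SAMPLE = {
  spdxVersion: "SPDX-2.2",
  packages: [
    { name: "example-json", versionInfo: "1.0.9",
      externalRefs: [{ referenceType: "purl", referenceLocator: "pkg:npm/example-json@1.0.9" }] },
    { name: "example-tls", versionInfo: "0.8.0",
      externalRefs: [{ referenceType: "purl", referenceLocator: "pkg:generic/example-tls@0.8.0" }] },
  ],
};

// Constructed advisory feed: a purl prefix (type/name) plus the first fixed version.
const ADVISORIES = [
  { id: "EXAMPLE-ADV-0001", purlPrefix: "pkg:npm/example-json", fixedIn: "1.1.0", severity: "high" },
  { id: "EXAMPLE-ADV-0002", purlPrefix: "pkg:generic/example-tls", fixedIn: "0.8.0", severity: "critical" },
];

// pkg:type/namespace/name@version?qualifiers#subpath -> { prefix, version }
function splitPurl(purl) {
  const core = purl.split("?")[0].split("#")[0];
  const at = core.lastIndexOf("@"); // lastIndexOf keeps scoped names such as pkg:npm/@scope/name intact
  if (at < 0) return { prefix: core, version: null };
  return { prefix: core.slice(0, at), version: core.slice(at + 1) };
}

// Translate either format into the same flat { name, version, purl } records.
function normalizeSbom(doc) {
  if (doc.bomFormat === "CycloneDX") {
    return (doc.components || []).map((c) => ({ name: c.name, version: c.version, purl: c.purl || null }));
  }
  if (typeof doc.spdxVersion === "string") {
    return (doc.packages || []).map((p) => {
      const ref = (p.externalRefs || []).find((r) => r.referenceType === "purl");
      return { name: p.name, version: p.versionInfo, purl: ref ? ref.referenceLocator : null };
    });
  }
  throw new Error("unrecognised SBOM format");
}

// Merge inventories from several SBOMs, de-duplicating on the identifier.
function mergeInventories(inventories) {
  const seen = new Map();
  for (const inv of inventories) {
    for (const c of inv) {
      const key = c.purl || `${c.name}@${c.version}`;
      if (!seen.has(key)) seen.set(key, c);
    }
  }
  return [...seen.values()];
}

// Dotted numeric version compare: -1, 0 or 1. Enough for the sample data; real ecosystems differ.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };

// Match inventory identifiers against advisories; a component is affected when its
// version is below the fixed version. Results are ordered most severe first.
function findAffected(inventory, advisories) {
  const hits = [];
  for (const c of inventory) {
    if (!c.purl) continue; // no identifier means no automatic match; flag for manual review instead
    const { prefix, version } = splitPurl(c.purl);
    for (const adv of advisories) {
      if (adv.purlPrefix === prefix && version && compareVersions(version, adv.fixedIn) < 0) {
        hits.push({ purl: c.purl, advisoryId: adv.id, severity: adv.severity, fixedIn: adv.fixedIn });
      }
    }
  }
  return hits.sort((x, y) => SEVERITY_RANK[x.severity] - SEVERITY_RANK[y.severity]);
}

const inventory = mergeInventories([normalizeSbom(CYCLONEDX_SAMPLE), normalizeSbom(SPDX_SAMPLE)]);
console.log(JSON.stringify(findAffected(inventory, ADVISORIES), null, 2));
```

On the sample data the merged inventory has three distinct components, and only `example-json@1.0.9` is reported, because `example-tls@0.8.0` already sits at the fixed version. Components without a purl are skipped rather than guessed at, which is the realistic failure mode when an SBOM generator omits identifiers.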

SVIP runs four phases with an optional fifth for further testing around new operational environments and use cases. Applicants will be submitting Phase 1 applications for $50,000 to $200,000 in funding to produce a minimum viable product (MVP) within three to nine months.

MVPs may be chosen to move to Phase 2: prototype development.

The deadline for Phase 1 applications is 3 p.m. ET, Oct. 3.

A virtual industry day will be held starting at 12:30 p.m. ET, July 14 for developers and vendors to ask questions about the solicitation and operational needs.

“DHS is committed to working with industry to develop tools and technologies that provide visibility into the software supply chain,” said Melissa Oh, managing director of SVIP, in a statement. “This topic call highlights core capabilities that will help bring transparency into the digital building blocks used by organizations in both their business operations and in their cyber defenses.”

DHS’ request for automated tools to help manage supply chain risk comes after the Department of Justice’s Office of Inspector General last week published details of a study in which it found that just two sub-agencies adhered to supply chain risk guidelines over the last six years.

Supply chain risk within federal agencies’ IT procurement processes has received enhanced scrutiny since the SolarWinds attack in 2020 during which software supply chains were used to breach cybersecurity defenses and steal information across government and the private sector.

Article link: https://www.fedscoop.com/dhs-seeks-sbom-tools/


11 top cloud security threats – CSO Online

Posted by timmreardon on 07/07/2022
Posted in: Uncategorized.

More data and applications are moving to the cloud, which creates unique infosecurity challenges. Here are the “Pandemic 11,” the top security threats organizations face when using cloud services.

By John P. Mello Jr.

Contributor, CSO Online

JUL 4, 2022 2:00 AM PT

Identity and access issues topped the list of concerns of IT pros in the Cloud Security Alliance’s annual Top Threats to Cloud Computing: The Pandemic 11 report released earlier this month. “Data breaches and data loss were the top concerns last year,” says CSA Global Vice President of Research John Yeoh. “This year, they weren’t even in the top 11.”

“What that tells me is the cloud customer is getting a lot smarter,” Yeoh continues. “They’re getting away from worrying about end results—a data breach or loss is an end result—and looking at the causes of those results (data access, misconfigurations, insecure applications) and taking control of them.”

That trend is indicative of cloud service providers (CSPs) doing a better job of upholding their end of the shared responsibility model, where the CSP is responsible for protecting its infrastructure while the cloud user is on the hook for protecting the data, applications, and access in their cloud environments, says Corey O’Connor, director of products at DoControl, a provider of automated SaaS security. “This puts more pressure on the organization consuming the service, as attackers naturally place a much bigger focus on them,” he says. “This finding supports the narrative of organizations consuming cloud services needing to do everything they can to mitigate the risk of security events and data breaches. They need to do more to uphold their end of the model.”

CSA’s top cloud security threats

Here are the Pandemic 11 in order of importance.

1. Insufficient identity, credential, access and key management

Concerns about identity and access are foremost in the minds of cybersecurity pros, according to the CSA report. “Access is at the top of the list this year because protecting your data starts and ends with access,” says Yeoh.

Forrester Vice President and Principal Analyst Andras Cser agreed. “Identity and access in a CSP’s platforms are everything,” he says. “If you have the keys to the kingdom, you can’t just enter it but reconfigure it—a major threat to operational stability and security of any organization.”

“Attackers no longer try to brute-force their way into enterprise infrastructure,” adds Hank Schless, a senior manager for security solutions at Lookout, a provider of mobile phishing solutions. “With so many ways to compromise and steal corporate credentials, the preferred tactic is to pose as a legitimate user in order to avoid detection.”

As more organizations migrate their applications to the cloud, identity management continues to be a hot button issue, asserts Tushar Tambay, vice president of product development for data protection solutions at Entrust, a digital security and credential issuance company. “With many companies still working remotely as well, IT teams have to verify the identities of employees working from anywhere at any time on any device,” he says. “Additionally, businesses are engaging with customers and partners in the cloud.”

Tambay adds that key management needs to be prioritized, too. “Strong key management can keep data secure and help ensure that trusted parties only have access to data that is absolutely necessary,” he says. “Unfortunately, securing data through encryption can often cause a bit of a key management headache due to the growing number of keys.”

Identity management is almost entirely on the user to manage properly, says Daniel Kennedy, research director for information security and networking at 451 Research. “The cloud providers provide help, but the flexibility of cloud platforms come with a requirement to effectively manage user and system access and privileges,” he says. “It’s one of the primary responsibilities of the enterprise leveraging cloud in a shared responsibility model, and thus figures prominently in their assessment of risk.”

Key takeaways about access and identity management identified in the report include:

  • Hardened defenses at the core of enterprise architectures have shifted hacking to endpoint user identity as low-hanging fruit.
  • Discrete user and application-based isolation is required to achieve a robust zero trust-layer beyond simple authentication.
  • Advanced tools are only part of the story, such as cloud infrastructure entitlement management (CIEM). Operational policies and structured risk models are also vital.
  • Trust is more than giving keys and codes. It’s earned. User objects must be given risk scores that dynamically adjust as the business requires.

2. Insecure interfaces and APIs

APIs and similar interfaces potentially include vulnerabilities due to misconfiguration, coding vulnerabilities, or a lack of authentication and authorization among other things, the report stated. These oversights can potentially leave them vulnerable to malicious activity.

It added that organizations face a challenging task in managing and securing APIs. For example, the velocity of cloud development is greatly accelerated. Processes that took days or weeks using traditional methods can be completed in seconds or minutes in the cloud. Using multiple cloud providers also adds complexity, it continues, as each provider has unique capabilities that are enhanced and expanded almost daily. This dynamic environment requires an agile and proactive approach to change control and remediation that many companies have not mastered.

Key takeaways about APIs include:

  • The attack surface provided by APIs should be tracked, configured, and secured.
  • Traditional controls and change management policies and approaches need to be updated to keep pace with cloud-based API growth and change.
  • Companies should embrace automation and employ technologies that monitor continuously for anomalous API traffic and remediate problems in near real time.

3. Misconfiguration and inadequate change control

Misconfigurations are the incorrect or sub-optimal setup of computing assets that may leave them vulnerable to unintended damage or external and internal malicious activity, the report explained. Lack of system knowledge or understanding of security settings and nefarious intentions can result in misconfigurations.

A serious problem with misconfiguration errors is they can be magnified by the cloud. “One of the biggest advantages of the cloud is its scalability and the way it enables us to create interconnected services for smoother workflows,” Schless says. “However, this also means that one misconfiguration can have magnified ramifications across multiple systems.”

Due to an automated continuous integration/continuous delivery (CI/CD) pipeline, misconfigurations and vulnerabilities not identified during build time are automatically deployed to production, says Ratan Tipirneni, president and CEO of Tigera, a provider of security and observability for containers, Kubernetes and the cloud. “Misconfigurations and vulnerabilities in images are passed on to all containers created from those images.”

Key takeaways about misconfiguration and inadequate change control include:

  1. Companies need to embrace available technologies that scan continuously for misconfigured resources to allow remediation of vulnerabilities in real-time.
  2. Change management approaches must reflect the unceasing and dynamic nature of continuous business transformations and security challenges to ensure approved changes are made properly using real-time automated verification.

4. Lack of cloud security architecture and strategy

The fast pace of change and the prevalent, decentralized, self-service approach to cloud infrastructure administration hinder the ability to account for technical and business considerations and conscious design, the report notes. However, it added, security considerations and risks must not be ignored if cloud endeavors are to be successful and safe.

Those problems can be compounded when multiple cloud providers are involved. “Leveraging cloud providers is certainly no longer novel, but the security product space continues to emerge and evolve around the cloud,” Kennedy says. “As examples, early on we saw cloud workload security emerge as an approach to provide common third-party security functions.”

“Most security folks looking after cloud security must consider what mix of default controls from the cloud provider, premium controls from the same, and what third-party security product offerings address their specific risk profile, and sometimes that profile is different at the application level. It introduces a lot of complexity in the face of emerging threats,” Kennedy adds.

Key takeaways about the lack of cloud security architecture and strategy include:

  • Companies should consider business objectives, risk, security threats, and legal compliance in cloud services and infrastructure design and decisions.
  • Given the rapid pace of change and limited centralized control in cloud deployments, it’s more important, not less, to develop and adhere to an infrastructure strategy and design principles.
  • Adopters are advised to consider due diligence and vendor security assessment foundational practices. They should be complemented with secure design and integration to avoid the kinds of systemic failures that occurred in the SolarWinds, Kaseya and Bonobos breaches.

5. Insecure software development

While the cloud can be a powerful environment for developers, organizations need to make sure developers understand how the shared responsibility model affects the security of their software. For example, a vulnerability in Kubernetes could be the responsibility of a CSP, while an error in a web application using cloud-native technologies could be the responsibility of the developer to fix.

Key takeaways to keep in mind about insecure software development include:

  • Using cloud technologies prevents reinventing existing solutions, allowing developers to focus on issues unique to the business.
  • By leveraging shared responsibility, items like patching can be owned by a CSP rather than the business.
  • CSPs place an importance on security and will provide guidance on how to implement services in a secure fashion.

6. Unsecure third-party resources

According to the CSA report, third-party risks exist in every product and service we consume. It noted that because a product or service is a sum of all the other products and services it’s using, an exploit can start at any point in the supply chain for the product and proliferate from there. Threat actors know they only need to compromise the weakest link in a supply chain to spread their malicious software, oftentimes using the same vehicles developers use to scale their software.

Key takeaways about unsecure third-party resources include:

  • You can’t prevent vulnerabilities in code or products you didn’t create, but you can make a good decision about which product to use. Look for the products that are officially supported. Also, consider those with compliance certifications, that openly speak about their security efforts, that have a bug bounty program, and that treat their users responsibly by reporting security issues and delivering fixes quickly.
  • Identify and track the third parties you are using. You don’t want to find out you’ve been using a vulnerable product only when the list of victims is published. This includes open source, SaaS products, cloud providers, and managed services, and other integrations you may have added to your application.
  • Perform a periodic review of the third-party resources. If you find products you don’t need, remove them and revoke any access or permissions you may have granted them into your code repository, infrastructure or application.
  • Don’t be the weakest link. Penetration-test your application, teach your developers about secure coding, and use static application security testing (SAST) and dynamic application security testing (DAST) solutions.

7. System vulnerabilities

These are flaws in a CSP that can be used to compromise confidentiality, integrity and availability of data, and disrupt service operations. Typical vulnerabilities include zero days, missing patches, vulnerable misconfiguration or default settings, and weak or default credentials that attackers can easily obtain or crack.

Key takeaways about system vulnerabilities include:

  • System vulnerabilities are flaws within system components often introduced through human error, making it easier for hackers to attack your company’s cloud services.
  • Post-incident response is a costly proposition. Losing company data can negatively impact your business’s bottom line in revenue and reputation.
  • Security risks due to system vulnerabilities can be greatly minimized through routine vulnerability detection and patch deployment combined with rigorous IAM practices.

8. Accidental cloud data disclosure

Data exposure remains a widespread problem among cloud users, the report noted, with 55% of companies having at least one database that’s exposed to the public internet. Many of those databases have weak passwords or don’t require any authentication at all, making them easy targets for threat actors.

Key takeaways about accidental cloud data disclosure include:

  • Which databases are in the clouds? Review your platform-as-a-service (PaaS) databases, storage and compute workloads hosting databases, including virtual machines (VMs), containers, and the database software installed on them.
  • What is effectively exposed from the cloud environment? Choose exposure engines that have full visibility of your cloud environment to identify any routing or network services that allow traffic to be exposed externally. This includes load balancers, application load balancers, content delivery networks (CDNs), network peering, and cloud firewalls.
  • Assess external exposure from a Kubernetes cluster. The exposure engine must factor in many Kubernetes networking components, including cluster IPs, Kubernetes services, and ingress rules.
  • Reduce access exposure by ensuring that the database is configured to the least-privileged IAM policy, and that assignments of this policy are controlled and monitored.

9. Misconfiguration and exploitation of serverless and container workloads

Managing and scaling the infrastructure to run applications can still be challenging to developers, the report pointed out. They must take on more responsibility for network and security controls for their applications.

While some of that responsibility can be offloaded to a CSP through the use of serverless and containerized workloads, for most organizations, lack of control of cloud infrastructure limits mitigation options for application security issues and the visibility of traditional security tooling. That’s why the report recommended building strong organizational practices around cloud hygiene, application security, observability, access control, and secrets management to reduce the blast radius of an attack.

Key takeaways about misconfiguration and exploitation of serverless and container workloads include:

  • Companies should implement cloud security posture management (CSPM), CIEM, and cloud workload protection platforms to increase security visibility, enforce compliance, and achieve the least privilege in serverless and containerized workloads.
  • Investments should be made into cloud security training, governance processes, and reusable secure cloud architecture patterns to reduce the risk and frequency of insecure cloud configurations.
  • Development teams should put extra rigor around strong application security and engineering best practices before migrating to serverless technologies that remove traditional security controls.

10. Organized crime, hackers and APT groups

Advanced persistent threat (APT) groups typically focus their thieving ways at data acquisition. Those groups are closely studied by threat intelligence outfits, who publish detailed reports on the groups’ methods and tactics. The CSA report recommended organizations use those reports to stage “red team” exercises to better protect themselves from APT attacks, as well as perform threat-hunting exercises to identify the presence of any APTs on their networks.

Key takeaways from the report in the APT area include:

  • Conduct a business impact analysis on your organization to understand your information assets.
  • Participate in cybersecurity information sharing groups.
  • Understand any relevant APT groups and their tactics, techniques and procedures (TTPs).
  • Conduct offensive security exercises to simulate the TTPs of these APT groups.
  • Ensure security monitoring tools are tuned to detect TTPs of any relevant APT groups.

11. Cloud Storage Data Exfiltration

Cloud storage data exfiltration occurs when sensitive, protected or confidential information is released, viewed, stolen or used by an individual outside of the organization’s operating environment. The report noted that many times data exfiltration may occur without the knowledge of the data’s owner. In some cases, the owner may be unaware of the data’s theft until notified by the thief or until it appears for sale on the internet.

While the cloud can be a convenient place to store data, the report continued, it also offers multiple ways to exfiltrate it. To protect against exfiltration, organizations have begun turning to a zero-trust model where identity-based security controls are used to provide least privileged access to data.

Key takeaways about cloud storage exfiltration in the report include:

  • Cloud storage requires a well-configured environment (SaaS security posture management [SSPM], CSPM), remediation of vulnerabilities in infrastructure as a service (IaaS), which is still a major threat vector, and strong identity and access control of both people and non-human personas.
  • To detect and prevent attacks and data exfiltration, apply the CSP’s best practices guides, monitoring and detection capabilities.
  • Employee awareness training on cloud storage usage is required, as data is scattered in various locations and controlled by various personas.
  • Evaluate a cloud providers’ security resilience and, at minimum, security standards adherence, legal agreement, and service level agreement (SLA).
  • If not limited by business, client-side encryption can provide protection from external attackers or CSP malicious insiders. Overall, encryption is not always feasible, due to implementation considerations.
  • Classifying data can help in setting different controls, and if exfiltration happens, assessing the impact and recovery actions required.

Shifting focus of cloud security

The CSA report noted that its 2022 edition continued a nascent trend found in its previous version: a shift away from the traditional focus on information security, such as vulnerabilities and malware. Regardless, these security issues are a call to action for developing and enhancing cloud security awareness and configuration, and identity management. The cloud itself is less of a concern, so now the focus is more on the implementation of the cloud technology.

Article link: https://www-csoonline-com.cdn.ampproject.org/c/s/www.csoonline.com/article/3043030/top-cloud-security-threats.amp.html

Editor’s note: This article, originally published on March 11, 2016, has been updated to reflect the latest research.

Army Medical Modernization Strategy – AFC

Posted by timmreardon on 07/07/2022
Posted in: Uncategorized.

The Army Medical Modernization Strategy (AMMS), which seeks to improve the integration and modernization of mission-critical medical capabilities, will ensure the Army Health System is well-equipped to provide highly adaptive and effective care to the Future Force.

AMMS initiatives will extend across the US Army to strengthen how we support, what we support with and who we are, ultimately delivering a Multi-Domain Medical Force that is an integral part of an adaptive, responsive and resilient Joint Medical Force.

Learn more here: https://lnkd.in/gr7y3GJn

Article link: https://www.linkedin.com/posts/armyfutures_teamafc-forgethefuture-army-activity-6950804021024624640-t4iF?

What You’re Really Worried About When You’re Worried About Money – Atlantic

Posted by timmreardon on 07/05/2022
Posted in: Uncategorized.

Once you’ve met your most basic needs, an obsession with your bank account might be hiding deeper anxieties.

By Arthur C. Brooks

“How to Build a Life” is a weekly column by Arthur Brooks, tackling questions of meaning and happiness. He also hosts a new podcast series on all things happiness, How to Build a Happy Life.

Money is one of the things Americans worry about most in the world. Even in 2018, when the economy was expanding, a survey by the life-insurance company Northwestern Mutual found that more than half of Americans felt anxious or insecure about money sometimes, often, or all the time. And during the pandemic, another survey found that workers were almost five times more likely to worry about money than their health.

That’s not to say that so many of us need to worry about money: A far smaller portion of Americans—11.4 percent, according to 2020 data from the U.S. Census Bureau—live in poverty. And yet, according to a 2015 survey fielded by the financial-management firm UBS, more than half of Millennials with a net worth greater than $1 million feared losing their wealth “a great deal” or “somewhat,” as did more than a third of similarly wealthy Baby Boomers.

For millions of people, then, worrying about money is not a reflection of whether their basic needs are being met. In fact, this anxiety reflects deeper concerns that money can’t solve.

Worry has a nearly infinite ability to make our lives worse. In his 1948 book, How to Stop Worrying and Start Living, Dale Carnegie wrote, “Those who do not know how to fight worry die young.” The data support his claim: Researchers have found that psychological distress from sources including worry is associated with early mortality. Daily worrying can also lead to clinical anxiety, depression, and physical ailments such as lower-back pain, breathing difficulties, and stomach pains.

By contrast, money has only a limited power to make our lives better. Consider the hierarchy of needs proposed in 1943 by the psychologist Abraham Maslow. Maslow believed that people tend to focus on meeting their needs in a particular order of urgency. We start with survival needs such as food, shelter, and safety. Once these have been met, we turn our attention to social and emotional needs, such as love and belonging. Finally, we focus on higher-order needs such as self-actualization and transcendence—in other words, looking for life’s meaning.

Of these three levels, money is only truly helpful for the first. This is why economists often find that well-being doesn’t improve much once a person reaches the relatively modest financial means that meet those needs. The “middle needs” of love and belonging—family, friends, romance—can’t be met with money, and pursuing money with too much gusto can even cause people to neglect their relationships. Focusing too much on money is also actively opposed to Maslow’s highest-level needs, because doing so can lead people into a trap that researchers call “financial contingency of self-worth,” which happens when a person’s self-esteem is conditional on her financial success.

Not surprisingly, basing your self-image on your bank account can lead to unhappiness. In a 2020 study, my colleague Ashley Whillans and four co-authors asked a sample of 345 adults to react to statements such as “My self-esteem is influenced by how much money I make,” and “I feel bad about myself when I feel like I don’t make enough money.” Those who agreed were more likely to be lonely and socially disconnected. They also, not surprisingly, spent more time working alone than average.

Perhaps financially contingent self-worth is one reason stress is high both when money is tight and after people reach a higher income threshold. A 2018 survey conducted by LinkedIn found that stress at work falls when people earn more than $50,000, but then starts to rise significantly when people earn above $200,000. One 2016 study in China showed that unhappiness follows a gradual U-shaped curve, declining with moderate income and then increasing again as income rises to higher levels.

At low income levels, worrying about money can be perfectly rational. As I have written in the past in this column, insufficient income to meet one’s material needs is a major source of unhappiness. Sometimes, spending less time on family, friends, and faith is necessary in order to support yourself. In such situations, money still can’t buy happiness—but it can remove sources of unhappiness.

But what if, after assessing your life circumstances honestly, you find that you have passed through the zone of low-income worry and are still worried about money? Perhaps you have some extenuating circumstances, such as a lot of other people who depend on you for support, or a high level of debt. But if these cases don’t apply, your focus on money might be disguising other anxieties.

Perhaps your parents always put a lot of pressure on you to succeed financially, or you tend to be insecure about your self-worth and rely a lot on social comparison. One way or another, you might be measuring yourself in money, and implicitly hoping that at some point you will be “expensive” enough to earn others’ love and respect. Your instincts might be telling you to earn more, more, more in order to find peace and satisfaction. Your instincts are lying, and you could get much happier by reassessing your priorities.

One practice that can help in this project is to give more of your money away, instead of accumulating it or spending it on conspicuous goods. This time of year, you can find no end of good causes competing for your generosity. The voluntary act of giving is a way of demonstrating to yourself that you are not your money, that money is merely a means by which you can create value in your life and others’. Giving is an act of rebellion against your grasping, attached self.

You could also try working less while redirecting your time toward non-remunerative activities that give you benefits that are further up on Maslow’s hierarchy. Many hardworking people work constantly, including on their nights and days off. If that describes you on Saturday or Sunday, for example, start dedicating one of those days to self-actualization instead by reading works of wisdom, walking in nature, or engaging in meditation or prayer. Find a good cause and volunteer your time. Attend worship services. At first you might feel like you don’t have time for this. Soon you will find that you can’t afford not to do these things.

Backing off on your financial ambitions may feel like closing the door on prosperity, which might be a lifelong dream. But actually, it doesn’t mean that at all. “He who knows he has enough is rich,” Lao Tzu said in the Tao Te Ching. In other words, you’ll be happiest if you’re rich in what really matters. Maybe that means you wind up with a lot of money, and maybe it doesn’t. The key is to remember that money can never be what makes you truly prosperous.

Arthur C. Brooks is a contributing writer at The Atlantic, the William Henry Bloomberg Professor of the Practice of Public Leadership at the Harvard Kennedy School, and a professor of management practice at the Harvard Business School. He’s the host of the podcast series How to Build a Happy Life and the author of From Strength to Strength: Finding Success, Happiness, and Deep Purpose in the Second Half of Life.

Article link: https://www.theatlantic.com/family/archive/2021/12/worry-money-maslow-hierarchy-needs/620950/?

Apple Just Killed the Password—for Real This Time – Wired

Posted by timmreardon on 07/05/2022
Posted in: Uncategorized. Leave a comment

Apple’s iOS 16 and macOS Ventura will introduce passwordless login for apps and websites. It’s only the beginning.

Your passwords are terrible. Year after year, the most popular passwords leaked in data breaches are 123456, 123456789, and 12345—‘qwerty’ and ‘password’ come close behind—and using these weak passwords leaves you vulnerable to all sorts of hacking. Weak and repeated passwords are one of the most significant risks to your online life.

For years, we’ve been promised a more secure, password-free future, but it seems like 2022 will actually be the year that millions of people start to move away from passwords. At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using “Passkeys” with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.

So how does it work? Passkeys replace your tired old passwords by creating new digital keys using Touch ID or Face ID, Apple’s vice president of internet technologies, Darin Adler, explained at WWDC. When you are creating an online account with a website, you can use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” Adler said.

When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a passphrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (The use of iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (WebAuthn) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.

A passwordless system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful phishing attacks. And passwords can’t be stolen in data breaches if they don’t exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)

Apple’s Passkeys aren’t entirely new—the company first detailed them at 2021’s WWDC and started testing them shortly after—and Apple isn’t the only one that wants to eliminate passwords. The FIDO Alliance, a tech industry group, has been working on the underlying standards needed to ditch passwords for almost a decade, and Apple’s Passkeys are the company’s implementation of these standards.

In recent months, FIDO has taken a series of important steps to bring the password’s demise closer to reality. In March, FIDO announced it has figured out a way to store the cryptographic keys that sync between people’s devices, calling them “multi-device FIDO credentials” or “passkeys.”

This was followed in May by Apple, Microsoft, and Google declaring their support for the FIDO standards. Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, said adoption of the standards would keep more people safe online. At the time, the three tech giants said they would start rolling out the technology “over the course of the coming year.” Microsoft account owners have been able to ditch their passwords since September of last year, and Google has been working on its passwordless technology since 2008.

When all the tech companies have rolled out their version of passkeys, it should be possible for the system to work across different devices—in theory, you could use your iPhone to log in to a Windows laptop, or an Android tablet to log in to a website in Microsoft’s Edge Browser. “All of FIDO’s specs have been developed collaboratively, with inputs from hundreds of companies,” says Andrew Shikiar, the executive director of the FIDO Alliance. Shikiar confirms that Apple is the first company to start rolling out passkey-style technology and says this shows “how tangible this approach will soon be for consumers worldwide.”

Any success for a passwordless future depends on how it works in reality. At the moment, there are unanswered questions about what happens to your Passkeys if you want to ditch Apple’s ecosystem for Android or another platform. (Apple hasn’t yet responded to our request for comment.) And developers still need to implement changes to their apps and websites to work with Passkey. Plus, to gain trust in any system, people need to be educated about how it works. “Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” Alex Simons, the head of Microsoft’s identity management efforts, said in May. In short: If cross-device systems are clunky or a pain to use, people may shun them in favor of weak but convenient passwords.

While Apple’s Passkey and Google and Microsoft’s equivalents are still some months away (at the very least), that doesn’t mean you should idly keep using your weak or repeated passwords. Every password you use—whether it’s for a one-time account used to buy DIY supplies or your Facebook account—should be strong and unique. Don’t use common phrases, names of friends or pets, or personal information linked to you in your passwords.

Instead, your passwords should be long and strong. The best way to achieve this is by using a password manager, which can help you create and store better passwords. You can find our pick of the best password managers here. And while you’re thinking about your security, turn on multi-factor authentication for as many accounts as possible.

Article link: https://www-wired-com.cdn.ampproject.org/c/s/www.wired.com/story/apple-passkeys-password-ios16-ventura/amp

NIST Announces First Four Quantum-Resistant Cryptographic Algorithms

Posted by timmreardon on 07/05/2022
Posted in: Uncategorized. Leave a comment
Federal agency reveals the first group of winners from its six-year competition.

July 05, 2022

GAITHERSBURG, Md. — The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has chosen the first group of encryption tools that are designed to withstand the assault of a future quantum computer, which could potentially crack the security used to protect privacy in the digital systems we rely on every day — such as online banking and email software. The four selected encryption algorithms will become part of NIST’s post-quantum cryptographic standard, expected to be finalized in about two years.

“Today’s announcement is an important milestone in securing our sensitive data against the possibility of future cyberattacks from quantum computers,” said Secretary of Commerce Gina M. Raimondo. “Thanks to NIST’s expertise and commitment to cutting-edge technology, we are able to take the necessary steps to secure electronic information so U.S. businesses can continue innovating while maintaining the trust and confidence of their customers.”

The announcement follows a six-year effort managed by NIST, which in 2016 called upon the world’s cryptographers to devise and then vet encryption methods that could resist an attack from a future quantum computer that is more powerful than the comparatively limited machines available today. The selection constitutes the beginning of the finale of the agency’s post-quantum cryptography standardization project.

“NIST constantly looks to the future to anticipate the needs of U.S. industry and society as a whole, and when they are built, quantum computers powerful enough to break present-day encryption will pose a serious threat to our information systems,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “Our post-quantum cryptography program has leveraged the top minds in cryptography — worldwide — to produce this first group of quantum-resistant algorithms that will lead to a standard and significantly increase the security of our digital information.”

Four additional algorithms are under consideration for inclusion in the standard, and NIST plans to announce the finalists from that round at a future date. NIST is announcing its choices in two stages because of the need for a robust variety of defense tools. As cryptographers have recognized from the beginning of NIST’s effort, there are different systems and tasks that use encryption, and a useful standard would offer solutions designed for different situations, use varied approaches for encryption, and offer more than one algorithm for each use case in the event one proves vulnerable.

Encryption uses math to protect sensitive electronic information, including the secure websites we surf and the emails we send. Widely used public-key encryption systems, which rely on math problems that even the fastest conventional computers find intractable, ensure these websites and messages are inaccessible to unwelcome third parties.

However, a sufficiently capable quantum computer, which would be based on different technology than the conventional computers we have today, could solve these math problems quickly, defeating encryption systems. To counter this threat, the four quantum-resistant algorithms rely on math problems that both conventional and quantum computers should have difficulty solving, thereby defending privacy both now and down the road.

The algorithms are designed for two main tasks for which encryption is typically used: general encryption, used to protect information exchanged across a public network; and digital signatures, used for identity authentication. All four of the algorithms were created by experts collaborating from multiple countries and institutions. 

For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. (Strictly, Kyber is a key-encapsulation mechanism: it is used to establish a shared symmetric key, and the bulk data is then protected with a conventional symmetric cipher such as AES.)

For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-Dilithium, FALCON and SPHINCS+ (read as “Sphincs plus”). Reviewers noted the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with FALCON for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason: It is based on a different math approach than all three of NIST’s other selections.

Three of the selected algorithms are based on a family of math problems called structured lattices, while SPHINCS+ uses hash functions. The additional four algorithms still under consideration are designed for general encryption and do not use structured lattices or hash functions in their approaches. 

While the standard is in development, NIST encourages security experts to explore the new algorithms and consider how their applications will use them, but not to bake them into their systems yet, as the algorithms could change slightly before the standard is finalized.

To prepare, users can inventory their systems for applications that use public-key cryptography, which will need to be replaced before cryptographically relevant quantum computers appear. They can also alert their IT departments and vendors about the upcoming change. To get involved in developing guidance for migrating to post-quantum cryptography, see NIST’s National Cybersecurity Center of Excellence project page.  

All of the algorithms are available on the NIST website.

Article link: https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms

How much health insurers pay for almost everything is about to go public – NPR & KHN

Posted by timmreardon on 07/01/2022
Posted in: Uncategorized. Leave a comment

July 1, 2022, 5:00 AM ET

JULIE APPLEBY

The new rules will help people get upfront cost estimates for about 500 so-called “shoppable” services, meaning medical care they can schedule ahead of time. (Photo: DNY59/Getty Images)

Consumers, employers and just about everyone else interested in health care prices will soon get an unprecedented look at what insurers pay for care, perhaps helping answer a question that has long dogged those who buy insurance: Are we getting the best deal we can?

Starting July 1, health insurers and self-insured employers must post on websites just about every price they’ve negotiated with providers for health care services, item by item. About the only exclusion is the prices paid for prescription drugs, except those administered in hospitals or doctors’ offices.

This story was produced in partnership with Kaiser Health News.

The federally required data release could affect future prices or even how employers contract for health care. Many will see for the first time how well their insurers are doing compared with others.

The new rules are far broader than those that went into effect last year requiring hospitals to post their negotiated rates for the public to see. Now insurers must post the amounts paid for “every physician in network, every hospital, every surgery center, every nursing facility,” said Jeffrey Leibach, a partner at the consulting firm Guidehouse.

“When you start doing the math, you’re talking trillions of records,” he said. The fines the federal government could impose for noncompliance are also heftier than the penalties that hospitals face.

Federal officials learned from the hospital experience and gave insurers more direction on what was expected, said Leibach. Insurers or self-insured employers could be fined as much as $100 a day for each violation and each affected enrollee if they fail to provide the data.

“Get your calculator out: All of a sudden you are in the millions pretty fast,” Leibach said.

Determined consumers, especially those with high-deductible health plans, may try to dig in right away and use the data to try comparing what they will have to pay at different hospitals, clinics, or doctor offices for specific services.

But each database’s enormous size may mean that most people “will find it very hard to use the data in a nuanced way,” said Katherine Baicker, dean of the University of Chicago Harris School of Public Policy.

At least at first.

Entrepreneurs are expected to quickly translate the information into more user-friendly formats so it can be incorporated into new or existing services that estimate costs for patients. And starting Jan. 1, the rules require insurers to provide online tools that will help people get upfront cost estimates for about 500 so-called “shoppable” services, meaning medical care they can schedule ahead of time.

Once those things happen, “you’ll at least have the options in front of you,” said Chris Severn, CEO of Turquoise Health, an online company that has posted price information made available under the rules for hospitals, although many hospitals have yet to comply.

With the addition of the insurers’ data, sites like his will be able to drill down further into cost variation from one place to another or among insurers.

“If you’re going to get an X-ray, you will be able to see that you can do it for $250 at this hospital, $75 at the imaging center down the road, or your specialist can do it in office for $25,” he said.

Everyone will know everyone else’s business: for example, how much insurers Aetna and Humana pay the same surgery center for a knee replacement.

The requirements stem from the Affordable Care Act and a 2019 executive order by then-President Donald Trump.

“These plans are supposed to be acting on behalf of employers in negotiating good rates, and the little insight we have on that shows it has not happened,” said Elizabeth Mitchell, president and CEO of the Purchaser Business Group on Health, an affiliation of employers who offer job-based health benefits to workers. “I do believe the dynamics are going to change.”

Other observers are more circumspect.

“Maybe at best this will reduce the wide variance of prices out there,” said Zack Cooper, director of health policy at the Yale University Institution for Social and Policy Studies. “But it won’t be unleashing a consumer revolution.”

Still, the biggest value of the July data release may well be to shed light on how successful insurers have been at negotiating prices. It comes on the heels of research that has shown tremendous variation in what is paid for health care. A recent study by the Rand Corp., for example, shows that employers that offer job-based insurance plans paid, on average, 224% more than Medicare for the same services.

Tens of thousands of employers who buy insurance coverage for their workers will get this more-complete pricing picture — and may not like what they see.

“What we’re learning from the hospital data is that insurers are really bad at negotiating,” said Gerard Anderson, a professor in the department of health policy at the Johns Hopkins Bloomberg School of Public Health, citing research that found that negotiated rates for hospital care can be higher than what the facilities accept from patients who are not using insurance and are paying cash.

That could add to the frustration that Mitchell and others say employers have with the current health insurance system. More might try to contract with providers directly, only using insurance companies for claims processing.

Other employers may bring their insurers back to the bargaining table.

“For the first time, an employer will be able to go to an insurance company and say, ‘You have not negotiated a good-enough deal, and we know that because we can see the same provider has negotiated a better deal with another company,'” said James Gelfand, president of the ERISA Industry Committee, a trade group of self-insured employers.

If that happens, he added, “patients will be able to save money.”

That’s not necessarily a given, however.

Because this kind of public release of pricing data hasn’t been tried widely in health care before, how it will affect future spending remains uncertain. If insurers are pushed back to the bargaining table or providers see where they stand relative to their peers, prices could drop. However, some providers could raise their prices if they see they are charging less than their peers.

“Downward pressure may not be a given,” said Kelley Schultz, vice president of commercial policy for AHIP, the industry’s trade lobby.

Baicker, of the University of Chicago, said that even after the data is out, rates will continue to be heavily influenced by local conditions, such as the size of an insurer or employer — providers often give bigger discounts, for example, to the insurers or self-insured employers that can send them the most patients. The number of hospitals in a region also matters — if an area has only one, for instance, that usually means the facility can demand higher rates.

Another unknown: Will insurers meet the deadline and provide usable data?

Schultz, at AHIP, said the industry is well on the way, partly because the original deadline was extended by six months. She expects insurers to do better than the hospital industry. “We saw a lot of hospitals that just decided not to post files or make them difficult to find,” she said.

So far, more than 300 noncompliant hospitals have received warning letters from the government. But they could face $300-a-day fines for failing to comply, which is less than what insurers potentially face, although the federal government has recently upped the ante to up to $5,500 a day for the largest facilities.

Even after the pricing data is public, “I don’t think things will change overnight,” said Leibach. “Patients are still going to make care decisions based on their doctors and referrals, a lot of reasons other than price.”

KHN (Kaiser Health News) is a national newsroom that produces in-depth journalism about health issues. It is an editorially independent operating program of KFF (Kaiser Family Foundation).

The Strategic Relevance of Cybersecurity Skills – Lawfare

Posted by timmreardon on 06/29/2022
Posted in: Uncategorized. Leave a comment

By Tommaso De Zan Monday, June 27, 2022, 8:01 AM

Evidence suggests there is a global cybersecurity skills shortage affecting businesses and governments alike, which means that organizations are struggling to fill their cybersecurity vacancies. For example, the United Kingdom would need to attract approximately 17,500 new people every year into its cybersecurity sector to meet demand, and similar workforce difficulties have been reported in Australia, Italy, Japan, and the United States. Cybersecurity firm Fortinet depicted a stark picture of this gap in its 2022 report: 80 percent of polled organizations suffered one or more breaches due to a lack of cybersecurity skills and/or awareness, and 67 percent agreed that this shortage creates additional risks for their organizations. 

Further compounding this growing skills shortage has been increasing reliance on information systems, data, and networks to facilitate daily life. Modern information and communication technologies (ICT) are the main drivers of the “information society” of which cyberspace is a constitutive element and very much intertwined with the other physical, social, economic, and political layers. Hence, the absence of professionals who could defend the technological backbones of modern societies could have dire consequences for economic development and national security. For example, when cybersecurity skills are not available in the private sector, companies may incur heavier financial losses, experience disrupted operations, or compromise customers’ privacy and safety. And if this shortage were to happen on a large scale, firms will suffer because of cyber-related incidents in addition to market-related ones.

Meanwhile, the absence of cybersecurity experts protecting national critical infrastructures constitutes a national security threat, a loophole that may be exploited by malicious actors. The importance of securing systems that are generally unclassified or nonmilitary was highlighted even during the ongoing military confrontation in Ukraine by the former head of the U.K. National Cyber Security Centre, who pointed out that “[t]he strategic vulnerability to disruption and sabotage lies not so much in the military space but in the hospital booking system (Ireland), the logistics schedule (Maersk), the political party … and thousands of other mainstream, civilian, mostly privately owned networks.” Because societies are dependent on these information technology (IT) systems, which today are subject more than ever to “elevated cyber threats,” stakeholders should have a twofold approach: start treating the cyber skills shortage as a strategic policy challenge and devise a comprehensive strategy to deal with it.

The Cybersecurity Workforce as a Strategic Asset

Luckily, some national authorities have already framed the lack of cybersecurity experts as a relevant issue and have recognized the need for action. For instance, the U.K. Parliament was “struck” by the government’s apparent lack of urgency in addressing the shortage, which is of “vital importance to both national security and the economy.” The U.S. government expanded on this sentiment even further, stating that:

America’s cybersecurity workforce is a strategic asset that protects the American people, the homeland, and the American way of life. The National Cyber Strategy, the President’s 2018 Management Agenda, and Executive Order 13800 …, each emphasize that a superior cybersecurity workforce will promote American prosperity and preserve peace.

If the cybersecurity workforce is a strategic asset that can promote prosperity and preserve peace, then it follows that the lack of cybersecurity workers is a strategic issue with potential geopolitical implications. And if a country could significantly accrue its cybersecurity expertise by creating a proficient national cyber workforce, it would gain a comparative advantage: By nurturing the people with the right skills to fend off online attacks, that country could continue enjoying the benefits of digital advancements, as opposed to other countries that may struggle to defend themselves if they lack a security-savvy workforce. 

Some governments seem aware of what cybersecurity expert Greg Austin has suggested could become a “cyber workforce arms race.” The White House in its 2018 National Cyber Strategy stated that “[o]ur peer competitors are implementing workforce development programs that have the potential to harm long-term United States cybersecurity competitiveness.” This sentiment is also shared among other superpowers, most notably China, where President Xi Jinping reportedly argued that “talent is the first resource; competition in cyber space is ultimately talent competition.” 

Treating the skills shortage as a strategic issue does not imply that cybersecurity education and skills should be “securitized.” Instead, this realization should help stakeholders allocate the right resources when they plan to enhance the cyber resilience of their countries and organizations. Unfortunately, so far, the skills shortage has belied the high ranking of cybersecurity on corporate and national risk registers: Clearly, the identification of the problem has not translated into adequate investments in skills in the short or long term. For instance, it costs only 37,000 euros to organize programs such as national cybersecurity skills competitions, whose goals are to help students increase their technical competencies and encourage them to choose cybersecurity as a career path, yet such competitions involve almost 18,000 talented youth in Europe every year. Not surprisingly, however, and despite the little investment needed to implement these programs, only 25 percent of national organizers think they have enough financial resources to achieve their objectives.

A Comprehensive Cybersecurity Skills Strategy

A new inclusive strategy is imperative as multiple factors continue to worsen the shortage. On the one hand, there probably are not enough students enrolling in degrees that are conducive to a career in the cybersecurity sector. For example, in the U.K., almost 80,000 students are enrolled in computer science degrees, but only about 6,000 study cybersecurity. Moreover, both hiring managers and academics complain that students’ cybersecurity skills are often too theoretical and that students lack practical experience. Conversely, employers are not making the situation any better when they publish job vacancies with unrealistic requirements, provide no entry-level opportunities, offer salaries below market value, or do not offer adequate cybersecurity training. For example, 89 percent of cybersecurity-related job postings in the U.S. require a bachelor’s degree, 75 percent require three to five years of professional experience, and 59 percent require professional certification. Thus, because this shortage has several roots, a holistic strategy needs a strong public-private partnership (PPP), where all relevant parties convene to bring their resources and expertise to solve this problem together.

From government reforms to changes in the way businesses recruit, much can be done. While private- and public-sector entities can take some measures immediately to ease their internal shortages, the reality is that this issue requires a national-level effort. Governments should ensure that more young people become interested in cybersecurity. In Israel, cybersecurity education is taught from an early age through the famous Magshimim program. Another option is to organize effective national cybersecurity competitions such as the Italian CyberChallenge.IT, which has noted an increased interest in general cybersecurity among its participants thanks to a mix of training, career seminars, and local and national capture-the-flag events. Governments can also design cybersecurity degrees that are academically and industry relevant, as they did in France and the U.S., where national cybersecurity authorities sat with faculty and professionals to establish new standards for cybersecurity curricula. Depending on the most in-demand jobs nationally, administrations could design market-level interventions to retrain junior IT staff and help them obtain an entry-level cybersecurity role, as the U.K. has already partially done with the Cyber Skills Immediate Impact Fund. Finally, employers must also have an active role in this process and increase junior placements, reconsider entry requirements, and upskill their current workforce. As a threat research expert put it eloquently, “Once it becomes clear that off-the-shelf experts aren’t realistic at scale, cultivating entry-level talent emerges as the only long-term solution—not just for a hiring organization but for the field as a whole.” 

Compared to five years ago when I started analyzing solutions to the skills shortage, we now know more about the problem and what tools may be used to remedy it. However, more could be achieved if stakeholders started treating the shortage as a strategic issue requiring appropriate resources. The lack of cybersecurity professionals might harm information society’s progress and beget geopolitical confrontation, and stakeholders need to converge on strong PPPs to find common solutions before it is too late.

Tommaso De Zan

Tommaso De Zan is a Senior Consultant within the Digital Policy Team at ICF (UK), where he conducts research studies and impact assessments for the European Commission and other public sector organisations. Previously, he was a CEI Expert for ENISA, an Associate Fellow with the EUISS and a Researcher at the International Affairs Institute in Rome. He has a PhD in cybersecurity and education from the University of Oxford and a master’s degree in international security from the University of Bologna (Forlì).

Article link: https://www.lawfareblog.com/strategic-relevance-cybersecurity-skills?

Federal Government Gets Serious About Post-Quantum Encryption Protection – Nextgov

Posted by timmreardon on 06/29/2022
Posted in: Uncategorized. Leave a comment

By John Breeden II, June 29, 2022, 08:00 AM ET

A Phase III PQE contractor talks about getting federal quantum protection deployed quickly.

There is a Chinese proverb that states that the best time to plant a tree was 20 years ago, while the second best time to plant one is right now. Given the quantum arms race going on between the United States and its potential rivals, the same can probably be said about post-quantum computing cybersecurity. And the government is now doing everything it can to get a program in place as quickly as possible.

There have already been mandates, proposals and studies. Earlier this year the White House mandated post-quantum cybersecurity—or PQC—via the National Security Memorandum “Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems.” And in Congress, the Quantum Computing Cybersecurity Preparedness Act would direct the National Institute of Standards and Technology and the Office of Management and Budget to develop mitigation measures for post-quantum cryptography. Meanwhile, the Department of Homeland Security worked with NIST to develop a roadmap toward better agency protection.

Planning for a safer future is good, but action is better. That is why the federal government awarded a rare Small Business Innovation Research (SBIR) Phase III contract to post-quantum cybersecurity company QuSecure. The sole-source contract, the first and only one issued for PQC, calls for the company to develop an end-to-end solution for post-quantum cybersecurity that can be deployed to federal agencies as quickly as possible.

Nextgov talked with QuSecure Co-Founder and COO Skip Sanzeri about the need for federal cybersecurity protections that can survive in a world where powerful quantum computers can shred today’s most advanced encryption.

Nextgov: Can you first explain what the awarding of a Phase III contract means for post-quantum protections?

Sanzeri: The Phase III award is a mechanism to allow a small technology company to move to the top of the heap and become a prime contractor, in order to supply vital technologies that can be used by the government without the typical bureaucracy or red tape. QuSecure sees this Phase III as an instance where the government recognizes the gravity of the coming situation where quantum computers will crack current encryption.

Nextgov: I am glad you brought up those dangers. One that has been talked about a lot here at Nextgov is the fact that foreign governments are attempting to steal government data right now in hopes that they can store it and crack it later when better quantum computers are available. How important is it that we apply quantum resistant protections to government data right now?

Sanzeri: These “store now, decrypt later” attacks are the biggest reason to start upgrading networks and communications to post-quantum cybersecurity. Foreign nation states are stealing data every second of the day. That data is harvested and stored on computers waiting to be decrypted. And quantum computers will [one day] be able to crack that encryption.

For example, if a quantum computer with enough power to crack encryption is developed in five years, data stolen today would still be very valuable if it has 10, 20 or more years of shelf life. And national security secrets, bank account information, and electronic health records may have data security requirements of up to 75 years. Making matters worse, many experts estimate that changing our current encryption across an enterprise or government agency could take as long as 10 years. Adding this to the shelf life of data means that there are 10 more years of exposed data which attackers can weaponize or use against us. 

In many cases, we are already behind.

Nextgov: Putting aside the “steal and store” attacks for a moment, how long do you think we have before quantum computers can crack AES-256 or other strong encryption?

Sanzeri: At this point, quantum computers are not strong enough to crack our current encryption. Via an algorithm written by Peter Shor, it was mathematically proven that in order to crack current RSA 2048 encryption, you would need about 4,100 qubits. We are in the 100-qubit era now, but advancing rapidly. Many believe that we will have a powerful enough quantum computer in the next three to five years to crack encryption. Some say it will take longer, but nonetheless most data needs to be protected for 25 years or more. IBM, Google, PsiQuantum, Rigetti, and IonQ all have 1,000 qubit computing roadmaps by 2025.

Nextgov: How does your technology work to protect data from quantum-based and encryption-breaking attacks?

Sanzeri: To protect against quantum computers, we need to change encryption and use quantum keys to ensure that data and communications are secure from quantum attacks. QuSecure has an end-to-end post-quantum cybersecurity orchestration platform called QuProtect, which enables organizations for the first time to leverage quantum resilient technology to help prevent today’s cyberattacks, while future-proofing networks and preparing for post-quantum cyberthreats. 

It provides quantum-resilient cryptography, anytime, anywhere and on any device. QuProtect uses an end-to-end, quantum-security-as-a-service (QSaaS) architecture that addresses the digital ecosystem’s most vulnerable aspects, uniquely combining zero-trust, next-generation post-quantum-cryptography, quantum-strength keys, high availability, easy deployment, and active defense into a comprehensive and interoperable cybersecurity suite. The end-to-end approach is designed around the entire data lifecycle as data is stored, communicated and used.

Nextgov: So government will be able to protect its data both in transit and at rest from quantum attacks?

Sanzeri: Yes. Our QuProtect software-only security architecture overlays current infrastructure and protects data in motion, in use, and at rest—on any system, anywhere—from existing and emerging cyber-threats. We utilize NIST algorithms, quantum random number generation and proprietary software applied to communications and data, in order to protect it against quantum attacks. We also have backwards compatibility with our own proxy which translates between TLS layers and post-quantum encrypted communications. This combination of tools enables us to protect communications, data in transit, and data at rest.

Nextgov: Not to be a skeptic, but given that quantum computers rely on various different kinds of technologies—some are mechanical, some are electrical—and the fact that their capabilities are constantly expanding, how can you test your protections against that future threat and guarantee federal data protection?

Sanzeri: Very good question. At this point in time, no one has a quantum computer powerful enough to test encryption, and if we wait until we have that quantum computer, it will be too late. The best we can do at this point is to show how current classical cyberattacks can make data and communications vulnerable, then we can show the same classical attacks will not work against quantum resilient communications and data. 

Additionally, we must rely on organizations such as NIST, which spent over six years studying algorithms to find algorithm candidates that would withstand quantum computing attacks. Fundamentally, those algorithms have changed to be very complex, such as lattice-based infrastructures that mathematically can withstand quantum attacks. But that’s the best that anybody can do at this time.

Nextgov: Okay, so how long will it be before anti-quantum protection is widely available for deployment across the federal government?

Sanzeri: QuSecure will have this first production version of quantum resilience available for government purchase in less than six months. And we intend on adding many features to the initial system in future months that will make the system more robust and scalable. 

However, even with this rapid availability, it will still take years to deploy post-quantum cybersecurity across vast government networks—so that is the entire reason to start early. QuSecure’s solution is mostly software-based and can scale out to IoT and other end devices very quickly to create secure quantum communications. So once decisions are made, scalability and adoption will happen very quickly. 

We’re hoping that the federal government continues its rapid ascent towards a post-quantum world so that our nation’s most important data is protected. Our national security depends on it.

Article link: https://www.nextgov.com/cybersecurity/2022/06/federal-government-gets-serious-about-post-quantum-encryption-protection/368728/

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

An Opinion Series on Innovation: How the Intelligence Community Kills Ideas – The Cipher Brief

Posted by timmreardon on 06/29/2022
Posted in: Uncategorized.


JUNE 28TH, 2022 BY MIKE MEARS

Mike Mears retired as the CIA’s Chief of Human Capital where he founded and headed the CIA Leadership Academy. He is a trainer and leadership consultant to government and private sector organizations. Prior to CIA, Mike was senior vice president at GE investments where he managed private equity funds, was a turnaround specialist, and a Six Sigma Black Belt. Before that, he launched eleven small business start-ups, and was president of a fast-food company. Mike served as commander of a nuclear missile site, a general’s aide, and was decorated for valor as a U.S. Army combat platoon leader in Vietnam.


OPINION — I recently saw a creative idea killed. Like a professional hit, the kill was silent and non-attributable. Managers essentially neutralized the employee—let’s call him Matt. I’m confident Matt will never make another suggestion, much less offer another game-changing idea, again.

Idea rejection in bureaucracies is often a clueless crime scene. There are no fingerprints because no one says, “No.” Managers and co-workers use passive-aggressive put-downs, grimaces, or admonishments like:

  • We tried it before.
  • Don’t rock the boat; be a team player.
  • It won’t work here; we’re different.
  • The boss will never buy it.
  • We have mission to do—no time for this.

In this case, like hyenas circling a fresh kill, several managers ganged up to ravage Matt’s idea—probably because it was a bit provocative and none of the managers had time to implement it. Here is the gauntlet they forced him to run:

  • Appear before a panel of those same managers to brief the idea. (None of the managers offered positive responses or encouragement during or after the brief.)
  • The panel reassigned Matt to a new location to work on the idea.
  • They required him to report to another manager who was not known for innovative receptiveness.
  • They advised Matt to stop talking to outsiders (IC colleagues) about the idea.
  • They required that he write a detailed execution plan.
  • Then, he had to work up a detailed budget.
  • He had to coordinate with legal.
  • Finally, Matt had to go on a roadshow to formally brief everyone who might be affected.

Of course, big ideas that impact multiple units need to be vetted, but in this case, the employee had to do it all himself, with no top cover or buy-in. In effect, the managers forced the idea through the organizational meat grinder to polish, pulverize, and contort it until it became a minor adjustment to the status quo—the perfect way to anonymously choke innovation.

It worked. The exhausted employee abandoned his treasured idea, and news of the gauntlet sent a clear signal to other employees not to come up with any pesky new ideas or potentially game-changing problem solutions.

What stops innovation?

A CIA Director once asked me, “Mike, why aren’t Agency employees being more creative?”

Then, he added, “I’ve told them I wanted more innovation.”

Like most organizational leaders, he tried to logically sell a cultural and motivational message to be more innovative. In most cases, that doesn’t stick because our minds don’t work that way.  Principles, values, and fears outweigh logic. For example, how often has your logic won a political argument?

If I could replay the conversation and answer him today, I would mention three powerful idea-killing forces that hinder innovation and will stop a CIA Director from unleashing change:

  • Survival instinct (Human nature)
  • Cultural rigidity (Organizational nature)
  • Leadership

Survival instinct

Human change resistance is a survival mechanism buried in all of our minds. It protects us from foolhardy or potentially dangerous ideas.

Rejecting ideas, especially terrible ones, got humans safely through the past 100,000 years or so. You’ll understand how potent change resistance is if you’ve ever tried to lose weight, quit smoking, or start an exercise program. Change resistance acts as a hidden brake inside our unconscious minds to slow us—even when we are trying to execute beneficial ideas.

Ideas are not created equal. Some are better than others. However, ideas—good or bad—are a gift to be treated with respect by management. A manager who gives a quick no, issues a put-down, or injects a little humiliation ensures employees won’t offer another idea because it is a part of the human survival instinct to avoid pain. If you’ve ever been rejected you understand the pain Matt felt.

Culture

At times, various reviews and blue-ribbon reports on intelligence community activities call for the need for “transformation” or “culture change.” The monographs leave IC managers in the dark about what culture is, much less how to change it.

Simple definition: Culture is the way we do things around here. Another way to think about it is that culture is shared habits, or the cumulative effect of individuals’ behaviors.

Examples of culture include whether we call executives by their first name, how new employees are treated when onboarding, how freely employees and managers share ideas, dress codes, and even the amount of stress placed on internal correspondence that is error free. All of these are shared, habitual workplace behaviors.

Breaking individual habits, such as diet, smoking, and exercise, is problematic. Breaking shared habits in culture is trickier, and this is where I rephrase management guru Peter Drucker’s expression, “Culture eats strategy for breakfast,” to, “Culture eats executives for snacks.”

When I asked several hundred IC employees to describe their culture, they listed Mission first. That’s good. However, other descriptors crept into the top 10, including Caution and Control. Needless to say, if one aspires to be a “learning organization” or an “agile organization,” caution and control are severe inhibitors.

A prudent level of caution and control makes sense because of the nature of intel work. On the other hand, the overwhelming majority of the IC’s work does not involve life-and-death matters, and that’s where innovation becomes crucial. Yet, there is little personal upside to innovation for many employees in the IC, just lots of downside. As one person told me:

When someone proposes a new idea that fails, they are punished. If it succeeds, they aren’t rewarded; or everyone else takes credit.

Leadership

The leadership chain, including supervisors, managers, and executives, decides what ideas to accept or block. Let’s look at three innovation inhibitors:

  1. The absence of defined Senior Intelligence Service (SIS) roles
  2. Management turnover
  3. Leadership quality

The absence of defined SIS roles

We’ve all heard IC executives say, “I do mission.” But if the mission is choked by red tape, overwhelmed by technological change, and facing ever-changing adversaries, is “doing the mission” enough?

Some call an SIS promotion a “crown.” It is certainly a capstone to a career, but it should carry responsibility in addition to recognition of a successful career. For instance, are SIS officers shapers and keepers of the culture? Do they know how to change culture? Do they have a duty to reduce bureaucracy and inefficient processes? Do they have a role in removing barriers from employees? Should they act as “champions” to listen, coach, and provide top cover for innovation?

Too often, new SIS officers spend energy addressing problems in their unit, but do not act in concert with other executives in solving the broader organizational issues, no matter how pressing they may be. In effect, each SIS officer operates in their own bubble and is not linked to the others.

I had discussions with change guru John Kotter about transforming the IC. He was aware of the turnover issue, and over the years, we had a running joke. When we bumped into one another, I’d ask, “What’s the first step to transform a large East Coast intelligence organization?” His reply was always, “You need a unified, committed leadership team at the top.” High turnover ensures that can’t happen.

As part of their promotion process, potential SIS officers should think through their responsibility to improve the overall organization and submit a detailed write-up of how they intend to do it.

Without a well-defined role, new SIS officers find themselves in the position of a teenager writing an English paper without a thesis statement.

Management turnover

Even if SIS roles were understood and reinforced, we face calamitous management turnover rates from the director level down to the supervisors. Each time a manager changes position, reporting lines are ruptured, vision and direction changes, and relationship bonds are fractured. None of the other elite organizations I consult with match the damaging 22-month turnover I found in one IC organization.

As a result of frequent job switching, enlightened managers don’t stay in place long enough to provide innovation cover—their tours are often curtailed early to solve a pressing problem elsewhere. Innovation lacks time to sprout, much less blossom, before the next manager arrives with a new agenda. Rapid turnover can be justified in specific overseas postings, but not in headquarters.

Short management tours make management accountability more difficult—bad leaders can move on before seniors can assess the damage they’ve done. In addition, rapid turnover hampers long-term thinking—executives focus on getting results over the next 18 months rather than launching the needed long-range programs and executing long-term improvement efforts.

Leadership quality

Years ago, I collected employee ratings on the 8,000 IC bosses they served over their careers. I was delighted at the percentage of both “Good” and “Outstanding” leaders, but the percentage of leaders they rated as “Poor” or “Awful” was disturbing because even a small percentage of bad leaders can have an outsized impact on organizational performance.

Bad leaders engender lower employee performance, create organizational distrust, and force some of the best employees to resign. However, they also generate cultural problems. In the short run, culture affects all the managers, but in the long run, the managers collectively affect culture. In this case, an autocratic boss develops his own microculture, one that is marked by higher psychological fear and far less innovation. Because culture is “sticky,” a bad boss can negatively affect an organization for up to five years after transferring out.

In organizations with two-year management turnover, a poor leader can ricochet around and serve in and “infect” three separate units within five years. The residual effect of lowered employee performance shows how a small percentage of bad leaders can have an outsized organizational impact.

In closing

Hundreds of long-gone, private-sector firms ignored the need for radical innovation, including Swiss watchmakers, Compaq, and Blockbuster. Hopefully, the IC can innovate fast enough that HUMINT and other vital IC functions are not added to the list.

Widely used change and transformation models often don’t deliver what they promise. They may pay lip service to the importance of employees’ and managers’ change resistance, the power of culture, and the difficulty of sustaining management commitment, yet these models too often underestimate the tenacity of these barriers.

What works when implementing change or spurring creativity? Take human nature into account when launching a transformation initiative. Despite the fact that humans are innately risk-averse, we see innovation all around. But how does this happen?

Step 1 is to define what makes people tick. We can do that by reviewing the current findings in psychology and neuroscience—for example, brain imaging is fine-tuned enough to give us an understanding of why humans are risk-averse and what managers can do to overcome it. I’ll dive into this more in part two of this series.

Step 2 is to apply leadership techniques that conform with the findings from Step 1—guiding employees around their innate change resistance. Best of all, this new way of leading and managing is less painful and easier to apply than current practices. I’ll focus more on that in part three of this series.

In Part II, I’ll visit a neuroscience lab and peer inside the brain to learn what went on in Matt’s head as his idea was killed. We’ll see how the tragedy goes deeper than just one fewer idea in the IC. The managers drowned his initiative—we’ll look into an fMRI to see why they may as well have fitted Matt’s motivation with tiny concrete shoes, wrapped it in chains, and tossed it over the side of a boat. And then we’ll ask whether the IC can afford this.

Article link: An Opinion Series on Innovation: How the Intelligence Community Kills Ideas
