healthcarereimagined

Envisioning healthcare for the 21st century

CISA Solicits Feedback on Finer Points of Coming Software Transparency Requirement – Nextgov

Posted by timmreardon on 06/13/2022

By MARIAM BAKSH JUNE 1, 2022

The agency has identified four topics—including considerations for cloud and online applications—it wants to hear more about from stakeholders.

Over five days in July, the Cybersecurity and Infrastructure Security Agency will hold a series of listening sessions to increase visibility across the federal enterprise—a core tenet of an executive order to improve the nation’s cybersecurity—through the use of a Software Bill of Materials, or SBOM. 

“E.O. 14028 defines SBOM as, ‘a formal record containing the details and supply chain relationships of various components used in building software,’” CISA explained in a notice published in the Federal Register Wednesday. “The E.O. further notes that ‘[s]oftware developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product.’”

As noted by a backgrounder produced by the House Science Committee in advance of a recent hearing on the issue, “Modern software products depend on a vast number of components from different developers, code repositories, and other sources. Suppliers of software components also use different naming schemes for the same components. As a result, identifying which vulnerabilities compromise which products can be a challenging technical feat. SBOMs may be able to address this challenge by creating a machine-readable inventory that will enable software developers and users to track software components and dependencies and make responding to vulnerabilities in the event of an incident more straightforward.”

“However,” the committee wrote, “as the Investigations and Oversight Subcommittee heard during its hearing on Supply Chain Security in May 2021, questions remain about the effectiveness of SBOMs as well as the ability of organizations to adopt them.”

Under Executive Order 14028, prospective vendors must provide agencies with the minimum elements of an SBOM, the use of which is one part of a larger collection of practices—including the use of multifactor authentication and similar security measures in development environments—the administration wants agencies to consider when purchasing software.

The notice said the agency “will not request specific outputs from meeting participants, nor is it currently CISA’s intent to use information shared during listening sessions to directly address or inform any federal policy decision.” 

Federal Chief Information Security Officer Chris DeRusha recently told Nextgov the Office of Management and Budget, the National Institute of Standards and Technology and CISA have already submitted their recommendations to the Federal Acquisition Regulatory Council on procurement laws for software, per the executive order.  

CISA said it is holding the sessions, “recognizing the importance of SBOMs in transparency and security, and that SBOM evolution and refinement should come from the community to maximize efficacy.” They “are intended to advance the software and security communities’ understanding of SBOM creation, use and implementation across the broader technology ecosystem.”

The agency welcomes additional ideas but is specifically interested in hearing about four topics: cloud and online applications; sharing and exchanging SBOMs; tools and implementation; and onramps and adoption.

On the first of those, CISA said, “much existing discussion around SBOM, particularly around SBOM use cases, has focused on on-premise software. Cloud and Software-as-a-Service (SaaS)-based software comprises a large and growing segment of the software ecosystem. Potential sub-topics may include: How should the community think about SBOM in the context of online applications and modern infrastructure? How can the community integrate SBOM work into emerging cloud-native opportunities?”

The other topics will solicit discussion to guide the most effective standardization of SBOMs in federal procurement. The listening sessions will be held virtually, with connection and dial-in information available on CISA’s SBOM page.

Article link: https://www.nextgov.com/cybersecurity/2022/06/cisa-solicits-feedback-finer-points-coming-software-transparency-requirement/367631/

DOD Official Discusses Artificial Intelligence – DVIDS

Posted by timmreardon on 06/10/2022

John B. Sherman, the Defense Department’s chief information officer, talks to Craig Martell, incoming chief of digital and artificial intelligence, about DOD’s path toward accelerating data and artificial intelligence.

https://www.dvidshub.net/video/846404/dod-official-discusses-artificial-intelligence#

DOD CDAO Top Goals Include Improving User Experience, JADC2 – GovCIO

Posted by timmreardon on 06/10/2022

CIO John Sherman and new CDAO Craig Martell reveal priorities for the department’s approach to AI.

Kate Macri Wed, 06/08/2022 – 14:46

The Defense Department’s new Chief Digital and AI Officer Craig Martell has been on the job for three days. In fact, he doesn’t have his DOD Common Access Card (CAC) yet. But he already has a roadmap for his priorities: improving user experience and aligning new AI products and services with combatant commanders’ mission needs by balancing tactical and strategic initiatives.

“One of the things we talk about is user experience, and that’s something we’re going to be working on,” said DOD CIO John Sherman during a fireside chat with Martell at the DOD Digital & AI Symposium Wednesday. “The ADA (AI and Data Accelerator) initiative, which will be one of your (Martell’s) flagship activities, with [Deputy Secretary of Defense] Kathleen Hicks’ full backing, you’ll be working with combatant commanders to really see what the problems are to unlock their data and help them get ahead of their particular problem sets, which will admittedly vary.”

Sherman said Martell will have a “key” role in implementing the department’s Joint All-Domain Command-and-Control (JADC2) initiative as well and expects Martell’s AI efforts to help the department “get better at zero trust.”

“We need to make sure CDAO has the very best technology to get after those mission sets,” Sherman said.

Improving user experience also drives Martell’s vision for AI across the defense enterprise.

“When we deploy [technologies and capabilities], when we do something like ADA or within Ukraine, how do we make sure the foundation of today will serve us tomorrow?” he said during the fireside chat Wednesday. “The bureaucracy is real. We need to find the right gaps and places where we can leverage value that will drive a cycle of change. A lot of folks believe DOD should be more like industry, some of that is true, but we shouldn’t force a square peg in a round hole. We need to keep the DOD, but make it more efficient.”

Martell’s new office will have a direct impact on JADC2, according to Marine Lt. Gen. Dennis Crall, who serves as director for Command, Control, Communications, and Computers / Cyber and CIO for the Joint Chiefs of Staff (J6).

“The speed of warfighting, the decision-makers are inundated with the amount of data,” he said at the symposium Wednesday. “We’re talking about hypersonics, the window of decision-making has shrunk considerably. That’s the gamechanger. There is a thought that JADC2 is only sensor to shooter, when really it’s about decision-making and data.”

The biggest challenge facing JADC2 implementation right now is being able to test operations at the tactical edge.

“If we did these in a garrisoned environment where power is stable, you have a lot of options — clean data centers, big data centers, reliable connections,” Crall said. “In the warfighting environment, it’s different. We’re operating in areas that are very austere where typical data distribution services may not be available at all and then you have an active adversary looking to disrupt the electromagnetic spectrum to further limit that ability. We have to do processing at the edge, what are those critical decisions and calculations and can we do this in a disconnected environment?”

AI capabilities and the new CDAO office’s focus on improving the warfighter’s user experience will help address these questions and concerns to help make JADC2 a reality.

“If this is about decision-making at speed, we ought to divide up our problem at speed,” Crall said about how AI applications can harness data for decision-making much faster than a human. “If you have to make decisions in milliseconds, where is the data? We’ve always had the right data for the right solutions, we just don’t know how to harness it. We should have due diligence to make sure IT solutions have warfighter input. We need to make sure IT storage solutions make sense at the tactical edge and make sure policies don’t get in the way.”

Article link: https://governmentciomedia.com/dod-cdao-top-goals-include-improving-user-experience-jadc2

GSA – Digital Momentum and Money – FCW

Posted by timmreardon on 06/10/2022

Robin Carnahan, administrator of the General Services Administration, wants to “make the damn websites work.”

That slogan from her Senate confirmation hearing is really shorthand for, “we’ve got to deliver better for our customers when it comes to digital services,” Carnahan said in an interview with FCW.

Carnahan, a veteran of GSA’s digital shop 18F and Georgetown University’s Beeck Center, has been leading GSA for about a year. Earlier in her career, she was the secretary of state in Missouri, where she started to understand that “government services in the 21st century have got to be digital.”

Now, “the exciting thing is we have momentum and money at the same time,” she said. “We want to take advantage of it.”

Since many parts of the online experience with government are the same, like logging into a website, shared services are a tool to implement the White House’s priorities on customer experience, said Carnahan.

The idea that the government should tap into the savings and efficiency of shared services isn’t new, but Carnahan said that the technology has evolved, as has the way that it’s developed.

“We need to be close to our customers. We need to make sure we get feedback from them before we develop programs and implement things to make sure it’s actually serving their needs and in that tight feedback loop where we’re actually improving,” said Carnahan.

Changing the culture will require educating contracting officers and building cross-functional teams with procurement, design and technology employees “holding vendors accountable to get this done,” she said. “This is something that you build into future contracts and that you train folks to know how to both ask for and make sure is being delivered.”

GSA itself is also going to continue to build its platform of shared services products, said Carnahan. The agency is currently working on a shared services roadmap, directed by a 2021 customer experience (CX) executive order and due this month.

A major focus will be USA.gov, the GSA website that is being reimagined as an online “front door” to government services, said Carnahan. That falls in line with a White House initiative to provide government services along the lines of “life experiences” and the executive order on improving CX for users of government services.

When the award was first announced in 2021, GSA said that it would initially disburse $27 million and give more funding after benchmarks were reached.

Login.gov currently doesn’t meet the standard for identity proofing, called an “identity assurance level,” set by the National Institute of Standards and Technology, something that previously prevented the IRS in particular from adopting the service. The IRS and GSA are working to add Login.gov as an option after the 2022 filing season, but the head of the IRS has said that Login.gov will need to clear identity assurance level 2 and get to a higher transaction rate.

When asked if she was confident that Login.gov could get to the standards needed by the IRS for the service, Carnahan said that “there are lots of conversations that are continuing with the IRS and throughout the administration about this” as well as how to balance security, privacy and accessibility in identity proofing.

Carnahan also noted that it’s important that Congress “understands the value” of TMF investments like Login.gov, a project where it’ll be “easier to prove value” as more agencies adopt the service.

“We need to have sustained funding in places like the TMF because it’s really the only place in government that has a governmentwide view of what the technology needs are being assessed by technologists,” she said. Current budget cycles mean that agencies can’t move quickly when they identify a digital services need. 

The administration is asking for a $300 million appropriation for TMF for fiscal year 2023. Carnahan sees that funding as an investment that will create savings for agencies down the road.

“When people have problems signing in or accessing a website because of some identity problem, what do they do? They call,” Carnahan said, noting the high costs of staffing and operating call centers.

“My view is that better CX saves a lot of money,” she continued. “If you have a good design on a website or you have easy to read instructions, you don’t get calls in the first place. And so investing in good CX is not only good for delivery, it also ultimately is going to save you money because you don’t have to deal with things on the back end.”

Article link: https://fcw.com/digital-government/2022/06/momentum-and-money/367927/

Why It’s So Hard to Find Cyber Talent for the Public Sector – Acceleration Economy Network

Posted by timmreardon on 06/10/2022

By Chris Hughes June 9, 2022

Federal Approach to the Cyber Workforce

The federal space has been aware of issues with its approach to the cyber workforce for some time. Going back to 2015, the Office of Personnel and Management (OPM) helped with what was called the Federal Cybersecurity Workforce Assessment Act. It called upon the federal government to conduct cyber workforce planning. This included aligning roles with the National Initiative for Cybersecurity Education (NICE) framework and also identifying and reporting on critical roles through 2022. 

Building on this, other organizations have also studied and highlighted just how important cybersecurity is for the public sector workforce. In its whitepaper on the topic, the Cyberspace Solarium Commission (CSC) shared its findings that one in three public-sector jobs sit open.

4 Challenges of Public Sector Hiring & Retention 

Some of the common problems plaguing the public sector when it comes to hiring and retention of cyber talent include:

  • Lower compensation than peers in the private sector
  • Location restrictive policies that don’t facilitate widespread remote work
  • Antiquated technologies and processes
  • Painfully lengthy hiring timelines

It isn’t uncommon to hear from candidates who apply via traditional methods that they don’t get a response until months and, in some cases, years after applying for a role. Even in the best of cases, timelines are projected in terms of several months, whereas commercial hiring timelines are substantially shorter. Some of this of course could be due to clearance and investigation requirements, but is also undoubtedly attributable to legacy processes and policies. 

There is also the issue of legacy and slow-moving technology and systems that the workforce has to use. Earlier this year, the Director of Operations for the Air Force’s MIT AI Accelerator program penned a viral open letter dubbed “fix our computers.”

How Can These Challenges Be Improved?

There are several efforts underway to try and improve the situation. In addition to the aforementioned CSC recommendations and a federal cyber workforce strategy, cybersecurity talent management systems have been launched by organizations such as the Department of Homeland Security (DHS). That said, despite being launched in 2014, and costing tens of millions of dollars, the system only just celebrated its first official hire with plans to ramp up beyond that to several hundred by the end of the fiscal year.

What’s the Big Deal?

Some may be asking what’s the big deal with the federal challenges of hiring and retaining cyber talent. While the private sector is absolutely critical to the economy and even national security, the criticality of the mission sets is much different. The Department of Defense (DoD) and federal civilian agencies are responsible for everything from nuclear weapons systems and military logistics to key medical and social services such as Social Security, Medicare, and Medicaid.

Failing to secure these systems will have severe ramifications for national security and social stability. Couple that with the reality that modern warfare will and does occur in the digital domain and it doesn’t look like a bright future. 

We, as a nation, must figure out how to bring some of the best and brightest to the federal cybersecurity workforce. This will take a myriad of changes, such as workforce and hiring practices, compensation adjustments, geographic flexibility, partnerships with academia, and more. That said, the security of some of our most sensitive and significant systems as a nation depends on these changes occurring.

Article link: https://accelerationeconomy.com/cybersecurity/why-its-so-hard-to-find-public-sector-cybersecurity-talent/

Chinese hackers exploited years-old software flaws to break into telecom giants – MIT Tech Review

Posted by timmreardon on 06/09/2022

A multi-year hacking campaign shows how dangerous old flaws can linger for years.

By Patrick Howell O’Neill June 8, 2022

Hackers employed by the Chinese government have broken into numerous major telecommunications firms around the world in a cyber-espionage campaign that has lasted at least two years, according to a new advisory from American security agencies. 

The hackers allegedly breached their targets by exploiting old and well-known critical vulnerabilities in popular networking hardware. Once they had a foothold inside their targets, the hackers used the compromised devices to gain full access to the network traffic of numerous private companies and government agencies, US officials said.

The advisory did not include the names of those affected by the campaign, nor did it detail the impact it has had. But US officials did point out the specific networking devices, such as routers and switches, that hackers in China are thought to have targeted repeatedly, exploiting severe and well-known vulnerabilities that effectively gave the attackers free rein over their targets.

“These devices are often overlooked by cyber defenders,” the American advisory warned. They “struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.”

The new advisory is the latest example of a radical shift among US intelligence agencies away from a culture of silence and secrecy. The organizations now routinely speak publicly to issue cybersecurity guidance. The new document is designed to help victims detect and eject hackers who have been infiltrating their networks for years. 

And it’s something bigger, too: a warning about the need for better basic cybersecurity for some of the most important networks in the world.

High risk of attack

Telecommunication firms are extremely high-value targets for intelligence agencies. These companies build and run on most of the infrastructure of the internet as well as many private networks around the world. Successfully hacking them can mean opening doors to an even bigger world of prized spying opportunities. 

The United States has its own documented history of such attacks. The National Security Agency, for example, once infiltrated the Chinese telecom and internet giant Huawei, reportedly both to spy on the company itself and to exploit the networking and telecommunications products Huawei sells worldwide. Ironically, that operation was prompted in part by continuing American fears that Beijing could use Huawei’s hardware to spy on American interests.

In the newly reported cyber campaign, the Chinese hackers allegedly exploited networking devices from major vendors like Cisco, Citrix, and Netgear. All of the vulnerabilities were publicly known, including a five-year-old critical flaw in Netgear routers that allows attackers to bypass authentication checks and execute any code they choose—an opening that allows for a full takeover of the device and an unfettered window into the victim’s network.

The campaign’s success is a dramatic illustration of the danger software flaws pose even years after they’re discovered and made public. Zero-day attacks—hacks exploiting previously unknown weaknesses—pack a punch and demand attention. But known flaws remain potent because networks and devices can be difficult to update and secure with limited resources, personnel, and money.

Rob Joyce, a senior National Security Agency official, explained that the advisory was meant to give step-by-step instructions on finding and expelling the hackers. “To kick [the Chinese hackers] out, we must understand the tradecraft and detect them beyond just initial access,” he tweeted.

Joyce echoed the advisory, which directed telecom firms to enact basic cybersecurity practices like keeping key systems up to date, enabling multifactor authentication, and reducing the exposure of internal networks to the internet.

According to the advisory, the Chinese espionage typically began with the hackers using open-source scanning tools like RouterSploit and RouterScan to survey the target networks and learn the makes, models, versions, and known vulnerabilities of the routers and networking devices. 

With that knowledge, the hackers were able to use old but unfixed vulnerabilities to access the network and, from there, break into the servers providing authentication and identification for targeted organizations. They stole usernames and passwords, reconfigured routers, and successfully exfiltrated the targeted network’s traffic and copied it to their own machines. With these tactics, they were able to spy on virtually everything going on inside the organizations.

The hackers then turned around and deleted log files on every machine they touched in an attempt to destroy evidence of the attack. US officials didn’t explain how they ultimately found out about the hacks despite the attackers’ attempts to cover their tracks.

The Americans also omitted details on exactly which hacking groups they are accusing, as well as the evidence they have that indicates the Chinese government is responsible.

The advisory is yet another alarm the United States has raised about China. FBI deputy director Paul Abbate said in a recent speech that China “conducts more cyber intrusions than all other nations in the world combined.” The Chinese government routinely denies that it engages in any hacking campaigns against other countries. The Chinese embassy in Washington, DC, did not respond to a request for comment.

Article link: https://www.technologyreview.com/2022/06/08/1053375/chinese-hackers-exploited-years-old-software-flaws-to-break-into-telecom-giants/

VA Electronic Health Record (EHR) Plans

Posted by timmreardon on 06/08/2022

VA Shows Limited Cyber Progress, Calls for Higher Pay to Retain Cyber Employees – MeriTalk

Posted by timmreardon on 06/08/2022

BY: GRACE DILLE JUN 7, 2022

The Department of Veterans Affairs (VA) Office of Inspector General (OIG) is calling on the agency to address its slow progress in improving its cybersecurity posture, but the VA said a lack of funding causes the agency to lose high-quality IT personnel.

At a House Committee on Veterans’ Affairs Subcommittee on Technology Modernization hearing on June 7, Michael Bowman, director of the IT and security audits division at the VA OIG’s Office of Audits and Evaluations, explained that the VA’s fiscal year (FY) 2021 Federal Information Security Modernization Act (FISMA) audit showed “limited progress.”

The FY2021 audit included 26 of the same recommendations from the FY2020 audit, and 23 of those have been included in every FISMA report dating back to 2018, according to Bowman.

“Our annual FISMA audit and other IG reports demonstrate VA has considerable work in order to achieve better IT security outcomes,” Bowman said during the hearing. “The number of persistent problems, such as weak access controls and deficient configuration management controls, underscores VA’s incremental progress towards improving its security program.”

However, Bowman did note that VA’s remaining FISMA recommendations are “more institutional findings and recommendations,” which he said, “are more difficult to resolve in a year’s time or maybe even five years’ time.” VA has remediated the newer findings quickly, Bowman said, and the institutional ones will “probably remain on the books for several years to come.”

VA’s Cyber Approach, Ongoing Challenges

VA’s new Chief Information Officer Kurt DelBene acknowledged VA can improve in certain areas such as manual processes, as opposed to only focusing on a longer-term approach.

“What I’ve found since I’ve joined the VA is we need to do a better job in terms of the manual processes we do to remediate vulnerabilities,” DelBene said.

“I think we’ve had this view of the long term where there’s automation across everything we do in order to secure the VA – and it turns out because of the complexity we have, that’s absolutely critical – but in the near term, especially with the issues that FISMA, that the OIG has identified, we can use old fashioned shoe leather to really just get involved in the particular systems,” he said.

Lynette Sherrill, VA’s acting chief information security officer, echoed DelBene’s shoe leather vision, and said the agency is currently doing a “deep dive” into each of the 26 recommendations to “move these remediations forward on the most critical systems.”

However, at the same time, DelBene noted the VA faces ongoing challenges to improve its cybersecurity posture, such as a lack of funding to recruit and retain high-quality cybersecurity personnel.

“As you know, cybersecurity is an incredibly hot area in industry, and we compete every day with people that can earn higher salaries outside of the Federal government,” DelBene said.

“Just this past couple of weeks, we lost two people that we made offers to at the SES [Senior Executive Service] level, because they went to industry and got higher pay,” he added. “And it’s not small increases in pay – it’s actually substantial differences between what we’re able to pay and what industry will pay people right now.”

One possible solution, DelBene said, is to implement special salary rates for IT specialists. Another, he said, is reimplementing “on-call pay,” when an IT specialist is asked to sacrifice their personal time to be on-call for work.

A strong IT workforce is critical to building a strong cybersecurity posture. While the VA has a mission that energizes many employees, DelBene also said the agency needs Congress’ help to “augment that with pay that’s much more commensurate with where it is in the market.”

Article link: https://www.meritalk.com/articles/va-shows-limited-cyber-progress-calls-for-higher-pay-to-retain-cyber-employees/

Bipartisan Bill Establishes All-Encompassing Federal Data Privacy Standards – Nextgov

Posted by timmreardon on 06/08/2022

By ALEXANDRA KELLEY JUNE 6, 2022

The American Data Privacy and Protection Act stands to improve American users’ data privacy and offers federal regulatory power.

A team of bipartisan lawmakers unveiled new data privacy legislation that stands to finally implement a federal set of regulations to protect Americans’ online information.

Led by Reps. Frank Pallone, D-N.J., and Cathy McMorris Rodgers, R-Wash., as well as Sen. Roger Wicker, R-Miss., the bill, titled the American Data Privacy and Protection Act, has an exhaustive list of definitions that work to give online users power over how their data is accessed and shared by host platforms and third party data brokers. 

“This bipartisan and bicameral effort to produce a comprehensive data privacy framework has been years in the making, and the release of this discussion draft represents a critical milestone,” the lawmakers said in prepared remarks. “In the coming weeks, we will be working with our colleagues on both sides of the aisle to build support and finalize this standard to give Americans more control over their personal data. This landmark agreement represents the sum of years of good faith efforts by us, other Members, and numerous stakeholders as we work together to provide American consumers with comprehensive data privacy protections.”

Should the bill become law, it would mandate corporate governing bodies of online platforms that harbor user data, in order to limit such bodies collecting that data and require them to specifically ask permission to access data in digestible language.

It also stipulates targeted advertising should be optional for online users and consumers and expands protections particularly for children and minors.

The Federal Trade Commission would be tasked with enforcing these new privacy requirements. 

“This bill strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress, including the development of a uniform, national data privacy framework, the creation of a robust set of consumers’ data privacy rights, and appropriate enforcement mechanisms,” the lawmakers continued. “We believe strongly that this standard represents the best opportunity to pass a federal data privacy law in decades, and we look forward to continuing to work together to get this bill finalized and signed into law soon.”

Taking a page out of the European Union’s playbook, the American Data Privacy and Protection Act would also request the FTC conduct deeper studies on how younger technology start-ups can thrive in the current digital ecosystem.

Despite data privacy and security being a new frontier for domestic and national security, the U.S. lacks a federal data privacy and protection law. Other lawmakers have previously introduced a bevy of bills aimed at expanding protections for U.S. online consumers to better understand how algorithms track and collect user data to curate content.

Article link: https://www.nextgov.com/analytics-data/2022/06/bipartisan-bill-establishes-all-encompassing-federal-data-privacy-standards/367805/

Cybersecurity and Risk Management at VA: Addressing Ongoing Challenges and Moving Forward – House Committee on Veterans Affairs

Posted by timmreardon on 06/07/2022

https://youtu.be/Qk-oc0_WRHQ
