healthcarereimagined

The latest in a series of efforts, ID advocates ask congressional appropriations committees to end the ban on government support for a national ID standard.

May 16 22

Dozens of healthcare organizations are yet again urging Congress to not impede efforts to create a national unique patient identifier.

In a letter sent to the House and Senate appropriations committees, some 119 organizations ask legislators to not include language in any legislative proposal that would prohibit the Department of Health and Human Services from spending federal money “to promulgate or adopt a national unique patient health identifier standard.”

HIPAA, enacted in 1996, called for creation of a national patient identifier. Since 1999, however, Congress has prevented federal agencies from pursuing an identifier, citing concern about patient privacy risks. But a growing phalanx of healthcare organizations says an ID would lead to far better healthcare coordination, which was lacking in dealing with the COVID-19 pandemic.

---

Dr. John Lee, CMIO, Allegheny Health Network

“If you have dozens of different ways of identifying patients, you don’t have a system.”

---

The lack of a uniform patient ID also results in expensive and unnecessary records duplication that puts patient safety at risk, according to the Patient ID Now Coalition, which includes the College of Healthcare Information Management Executives, and others that signed the letter.

Earlier efforts fall short

Last fall, the latest in a long series of efforts to eliminate roadblocks to federal involvement in the creation of a national patient ID approach fell short. A draft funding bill by the Senate Appropriations Committee sought to remove the ban, but final language was amended to contain the ban. The House Appropriations Committee has removed the ban from its bill the last three fiscal years.

The healthcare organizations’ letter, addressed to heads of both the House and Senate appropriations panels, calls the ban “archaic” and urges that it be removed from FY 2023 budgets for the departments of Health and Human Services, Labor, Education and related agencies.

“We urge the (committees) to continue the bipartisan support of repeal in Congress and ensure that Section 510, the archaic funding ban on a national unique health identifier, is NOT included in the FY2023 Labor, Health and Human Services, Education, and Related Agencies Appropriations bill,” the letter states.

Removing the language in Section 510 will enable HHS to evaluate patient identification solutions and collaborate with the private sector to identify a national strategy for patient identification that both protects privacy and is cost-effective and secure, the organizations contend.

Negative effects

The letter – as well as a May 11 presentation hosted by CHIME and the Patient ID Now Coalition – describe the challenges caused by the lack of a unified system for identifying patients and matching them to all their electronic records from various sources.

The letter contends: “Without the ability of clinicians to correctly connect a patient with their medical record, lives have been lost and medical errors have needlessly occurred. These are situations that could have been avoided had patients been able to be accurately identified and matched with their records.”

The ECRI Institute has listed patient misidentification among its top 10 threats to patient safety, the letter notes.

In addition to the safety concerns, the current hodge-podge approach to patient identification places an unnecessary burden and significant costs on all players in the healthcare industry, the letter states.

“The expense of repeated medical care due to duplicate records costs an average of $1,950 per patient inpatient stay, and over $1,700 per emergency department visit,” the letter-writers contend. “Some 35 percent of all denied claims result from inaccurate patient identification, costing the average hospital $2.5 million and the U.S. healthcare system over $6.7 billion annually.”

Healthcare organizations shoulder the burden of trying to match patients to records and unravel confusion from duplicate records, says Rachel Podczervinski, vice president for professional services at Just Associates, a consultancy. The increase in the number of mergers and acquisitions among providers, as well as increased use of portals, telehealth and patient self-scheduling, has exacerbated patient matching challenges.

Mistakes in merging records “are a major risk to patient safety,” she adds. “If you pull up someone else’s record who has similar (demographic) information and attach them to someone’s records, that person will be treated based on information in that other record. You have the potential to kill a patient because, for example, you have the wrong blood type and you may give them the wrong blood product.”

Patient self-registration has resulted in more record duplication she adds, noting that one system with which she works recorded one patient with 24 different identities linked to separate registrations. Such instances have increased because of the pandemic and the increase in virtual care.

Clinicians and reform face problems

Clinicians are already facing more data from electronic records systems, and confusion about matching patients to all those records is complicating their efforts to effectively use the information that systems contain, says John Lee, MD, chief medical information officer of Allegheny Health Network.

“There are a lot of changes that are occurring in the healthcare system,” Lee explains. “The biggest thing is the volume of data that we’re being exposed to. It’s a fallacy to think that if you just know the patient in front of you, then you can take care of that patient.

“What we’re limited by now is that we have too much information. The only way to parse and organize that information is by having a better patient ID system. That’s where it starts.”

---

Organizations use algorithms to match patients to all the right records, but that’s not always an effective approach.

---

The transition to value-based care also will be impeded by the lack of a national patient ID because identity verification is a necessary component for achieving population health efforts, Lee says. “If we want to get off of fee-for-service, we need to develop a much more accurate patient identification system. Right now, (identification is) wholly inadequate,” he says. Precision medicine requires precise patient identification, he contends.

Some patients are more affected by the lack of a patient identifier than others. For example, pediatric patients, especially those with complex care needs who are seeing a variety of specialists, are particularly at risk of misidentification, Karen Wilding, vice president and chief value officer at Nemours Children’s Health, points out.

Organizations use algorithms to match patients to all the right records, but that’s not always an effective approach. For example, migrant workers often don’t have Social Security numbers or permanent addresses, and certain populations from other countries often don’t know their birthdates and are assigned Jan. 1 as the date, with an estimate for which year they were born, Podczervinski says.

Government needs to be at the table

The healthcare organizations prodding Congress say the government doesn’t necessarily have to be the developer of a unified patient ID system. But because the government is a major healthcare payer and provider, it needs to be at the table and provide the broad strokes that will unify divergent and conflicting patient ID approaches.

“The government has a role in maybe not being the arbiter, but setting a foundation and structure upon which other things can reside,” Lee contends. “This way, it’s not a free-for-all for everyone trying to identify someone – we need standard ‘rules of the road.’ Based on the current interpretation of Section 510, the government cannot even come up with the rules of the road, because that involves money. We need it to say that this is the framework; these are the guardrails.

“If you have dozens of different ways (of identifying patients), you don’t have a system then. The opportunity to fix this is sitting in front of our face.”

Article link: https://healthdatamanagement.com/articles/more-than-100-organizations-urge-congress-to-pave-way-for-a-national-patient-id/

Federal agencies planning to adopt 5G technologies now have a new tool to vet the security of the technology: go.usa.gov/xJrDf

With our partners at the Department of Defense Office of the Undersecretary of Defense for Research & Engineering and the Department of Homeland Security Science and Technology Directorate, we released a five-step “5G Security Evaluation Process” agencies can use to evaluate the security of their 5G technologies. It is a flexible, adaptive and repeatable approach to evaluating the security and resiliency of 5G and next-generation network deployments.

The process allows agencies to conduct the Prepare step of the National Institute of Standards and Technology’s Risk Management Framework for system authorization and to identify gaps in existing security assessment guidance and standards that arise from the new features and services in 5G technologies.

Additionally, it identifies important threat frameworks, 5G system security considerations, industry security specifications, federal security guidance documents and relevant methodologies for cyber assessment of 5G systems.

Read our blog for more information: go.usa.gov/xJrDf

Original release date: May 26, 2022

---

By Eric Goldstein, Executive Assistant Director for Cybersecurity

Federal agencies, along with many other organizations across the public and private sectors, are expected to adopt 5G technology that will provide new features, capabilities and services to transform their mission and business operations. These new benefits will be achieved from the numerous 5G usage scenarios delivered through the technology’s low-, mid- and high-band radio spectrum, network slicing and edge computing. However, a security assessment is required before any agency 5G technology adoptions can be granted authorization to operate. 

Today, CISA – along with its partners from the Department of Homeland Security’s Science and Technology Directorate and the Department of Defense’s (DoD) Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E) – is excited to introduce a proposed five-step 5G Security Evaluation Process that is derived from research and security analyses. This process allows agencies to conduct the Prepare step of the National Institute of Standards and Technology’s Risk Management Framework (RMF) for system authorization.  

Figure 1. Proposed 5G Security Evaluation Process

The jointly proposed process, “5G Security Evaluation Process Investigation,” was developed to address gaps in existing security assessment guidance and standards that arise from the new features and services in 5G technologies. It identifies important threat frameworks, 5G system security considerations, industry security specifications, federal security guidance documents, and relevant methodologies to conduct cybersecurity assessments of 5G systems. 

In addition, the proposed process calls for flexibility in the federal government’s 5G cybersecurity assessment approach to account for the continual introduction of new 5G standards, deployment features and policies, and the constant identification of new threat vectors. 

The intent of this joint security evaluation process is to provide a uniform and flexible approach that federal agencies can use to evaluate, understand, and address security and resilience assessment gaps with their technology assessment standards and policies. As the nation’s cyber defense agency, CISA views a repeatable process agencies can use during the RMF Prepare step as an essential tool for new federal 5G implementations. Such a process will provide assurance that the government enterprise system is protected and cybercriminals cannot gain backdoor entry into agency networks through 5G technology. 

Agencies and organizations are encouraged to review and provide comment on the “5G Security Evaluation Process Investigation.” This feedback will be used to assess need for additional security recommendations and guidance publications for federal agency adoptions of 5G technologies.  

The deadline for providing comment is June 27, 2022, and comments should be submitted to: QSMO@CISA.dhs.gov. We look forward to receiving and reviewing your feedback on this important 5G security effort.

Article link: https://www.cisa.gov/blog/2022/05/26/cisa-dhs-st-dod-introduce-results-assessment-5g-security-evaluation-process

“We want to make sure, of course, that the directive still reflects the views of the department and the way the department should be thinking about [autonomous] weapon systems,” Michael Horowitz told Breaking Defense in an exclusive interview.

By VALERIE INSINNA and AARON MEHTAon May 26, 2022 at 10:08 AM

WASHINGTON: The Defense Department is updating its guidance on autonomous weapons to consider advances in artificial intelligence, with a revised directive slated for release later this year, the head of the Pentagon’s emerging capabilities policy office told Breaking Defense in an exclusive interview.

DoD directive 3000.09 [PDF], signed by then-Deputy Secretary of Defense Ash Carter on Nov. 21, 2012, established policy, responsibilities and review processes for the “design, development, acquisition, testing, fielding, and employment of autonomous and semi-autonomous weapon systems, including guided munitions that can independently select and discriminate targets.”

But in the decade since its release, artificial intelligence and machine learning technologies have made a massive leap forward, and it’s “entirely plausible” there may need to be revisions that reflect the Pentagon’s “responsible AI” initiative and other ethical principles adopted by the department, said Michael Horowitz, DoD director of emerging capabilities policy.

“Autonomy and AI are not the exact same thing,” Horowitz told Breaking Defense on May 24. “But given the growing importance that AI plays, and thinking about the future of war and the way the department has been thinking about AI, I think ensuring that’s reflected in the directive seems to make sense.”

It’s important to note that, based on the definition inscribed in DoD directive 3000.09, the military currently does not operate any weapon systems that qualify as an autonomous weapon — and at least publicly is not currently developing such a weapon. The department characterizes an “autonomous weapon” as an autonomous or semi-autonomous system that can choose its own targets and apply lethal or nonlethal force without a human in the loop.

The directive does not apply to unarmed drones or armed drones like the MQ-9 Reaper, whose flight path and weapons release is controlled by a human pilot sitting at a remote location. It also doesn’t apply to systems like the Switchblade loitering munitions the US has provided to Ukraine, which are programmed by a human operator to hit specific targets and can be called off when needed.

“It was the first national policy published on autonomous weapons systems, and actually remains one of the only publicly available national policies,” Horowitz said. “It set the standard essentially for the global dialogue that followed and demonstrated America’s responsible approach to the potential incorporation of autonomy into weapon systems.”

In a 2012 interview with Defense News, David Ochmanek, then the deputy assistant secretary for policy force development, described the doctrine as “flexible” and stressed the imposition of a “rigorous review process” that would now be in place before any future autonomous weapon could be approved.

But that promise has done little to assuage opponents, who raise comparisons to Terminators and have organized into efforts, such as the eponymous Campaign to Stop Killer Robots, to preemptively ban the technology. Horowitz — a longtime drone expert who once authored a paper titled “The Ethics & Morality of Robotic Warfare: Assessing the Debate over Autonomous Weapons” — is well aware of the debate around such systems, and while avoiding commenting on those concerns directly, he noted that the department’s increased focus on autonomy and AI in recent years has always been with the idea of a human being involved in the process.

“I would say the one of the things about the approach of the United States to the role of AI and autonomous systems has been imagining these systems as a way to enhance the warfighter,” he said. “It’s why, dating back a couple of administrations, the United States has talked about things like human-machine teaming, because it tends to think about AI and autonomous systems as things that work synergistically with the best trained military in the world to improve its capacity.”

Modernized AI

The update is occurring not because a major technological breakthrough is on the horizon, but because of a department standard that requires directives be updated every 10 years. Right now, it’s unclear exactly how much of the original directive will need to be revised, but Horowitz seemed to downplay massive rewrites.

“Our instinct entering this process is that the fundamental approach in the directive remains sound, that the directive laid out a very responsible approach to the incorporation of autonomy and weapons systems,” Horowitz said.

“But we want to make sure, of course, that the directive still reflects the views of the department and the way the department should be thinking about [autonomous] weapon systems,” he continued. “You know, it has been a decade. And it’s entirely plausible that there are some updates and clarifications that would be helpful.”

Horowitz declined to go into details about where he thinks changes may be needed, but did highlight that the document reflects the Pentagon of 2012, which has morphed over the course of the Obama, Trump and Biden administrations. For instance, the review process laid out in the original directive references the Under Secretary of Defense for Acquisition, Technology, and Logistics — a position that no longer exists, whose responsibilities are now split between the Undersecretary of Defense for Acquisition and Sustainment and the Undersecretary of Defense for Research and Engineering.

He also underlined that this directive would be focused on the specific subject of autonomous weapons, and not the broader AI efforts that exist throughout the department.

“When this directive was published in 2012, the notion of the way that algorithms, how algorithms might impact the military seemed pretty futuristic, or seemed further away. And autonomous weapon systems were a specific thing that the department chose to write a directive about,” he continued. “I think it’s important that the department consider the way that should then also influence this directive … given the intersection between AI and autonomous systems, and I say autonomous systems as opposed to autonomous weapon systems deliberately.

“There’s so many AI applications that can or are already influencing the American military and will influence the American military that, you know, that have nothing to do with this.”

While Horowitz’s office — only recently established — will seek out input from the relatively new defense organizations that have been stood up in the past decade, such as the office of the Chief Digital and Artificial Intelligence Officer (CDAO), other organizations that may be relative to the revamp of DoD Directive 3000.09—the Joint Artificial Intelligence Center, Defense Digital Service and Office of Advancing Analytics—are slated to become part of the CDAO office on June 1, Breaking Defense reported earlier this week.

He also expects to get inputs from the services, Joint Staff and other stakeholders — of which, he noted, there are significantly more now than a decade ago.

Article link: https://breakingdefense.com/2022/05/updated-autonomous-weapons-rules-coming-for-the-pentagon-exclusive-details/

Jaspreet Gill in Washington contributed to this report.

by Jane Edwards May 25, 2022

The Defense Business Board performed a 24-week study of the Department of Defense’s civilian workforce and found that talent management within DOD lags behind the commercial sector and that DOD fills short-term vacancies with little attention to future technology requirements and strategy to upskill or reskill them, Federal Times reported Tuesday.

The board has recommended that the Pentagon increase training opportunities for civilian employees and improve collaboration with military talent managers to keep pace with the private sector when it comes to aligning talent with work function.

“The Department doesn’t know its employees’ capabilities and requirements for the future, the systems to manage them, the policies to enable the new generation of skilled employees, or the programs to upskill them,” the DBB report reads.

According to the study, DOD lacks the data approach, organization and cultural foundation to “take its place as a bastion of STEM development.”

The report offers three recommendations for the Pentagon to better manage civilian talent and these are transforming civilian culture to prioritize talent management; prioritizing and elevating talent management within the organization; and modernizing DOD’s workforce planning and data.

Article link: https://executivegov.com/2022/05/defense-business-board-releases-dod-civilian-talent-management-study/?

Industry 4.0 sectors are adopting private networks at a fast pace, but 5G private networks will drive innovation in all businesses.

By MIT Technology Review Insights May 19, 2022

The world is rapidly moving from human-directed manufacturing using computerized assembly lines to largely automated smart factories that manufacture more efficiently using real-time data. Considered by many to be the fourth industrial revolution, or “Industry 4.0,” this transformation requires a bevy of technologies to deliver on its promise of ultra-reliable low-latency communications (URLLC). From smart devices to machine-learning systems to pervasive communications, the need for ultra-high speeds and reliability requires technologies that can connect in a variety of situations while remaining compliant with regional regulations. Technology and telecommunications providers have created a solution—5G private networks—to address the challenge.

The manufacturing industry is exploring 5G technology at an accelerated pace, largely to enable AI-driven use cases such as closed-loop manufacturing, adaptive manufacturing, predictive analytics for maintenance, and extended reality (XR)-based worker training and safety, says Jagadeesh Dantuluri, general manager for private and dedicated networks at Keysight Technologies. “It’s not about a static assembly line performing the same action time and time again, but one that can change based on their needs,” he says. “Private networks essentially enable new business models in manufacturing.”

Yet, the benefits of 5G private networks extend beyond manufacturing. Because the technology offers more reliable connectivity, faster data rates and lower latency, and greater scalability, security, and network control than previous communications technologies, 5G private networks will drive innovations in many industrial and enterprise sectors.

The benefits of 5G private networks

A private cellular network is built on 3rd Generation Partnership Project (3GPP)-defined standards (such as LTE or 5G), but it offers dedicated on-premise coverage. This is important for remote facilities where public networks do not exist, or where indoor coverage is not robust. A private network also makes exclusive use of the available capacity; there is no contention from other network users, as on a public network. Private operators can also deploy their own security policies to authorize users, prioritize traffic, and, most importantly, to ensure that sensitive data does not leave the premises without authorization.

​​The dedicated nature of 5G private networks coupled with a customized service, intrinsic control, and URLLC capabilities provides more reliable industrial wireless communication for a wide variety of use cases, Dantuluri says “Applications include wireless, real-time, closed-loop control and process automation, and AI-based production and AR/VR-based design for onsite and remote workers,” he explains. “In addition, low-cost connectivity allows sensors to become easily deployed in a wider variety of scenarios, allowing businesses to create innovative applications and collect real-time data.”

​The industrial sector is driving toward a massive digital transformation, and the integration of information-technology (IT) systems with operational-technology (OT) systems will speed up this process.  Digital technologies will also enable many new use cases, such as automated manufacturing.  

A 5G private network enables a facility to synchronize and integrate tracking data into its workflow, allowing production lines to be configured in real time, says Dantuluri. “Since the factory’s assembly lines and infrastructure, such as robotic arms, autonomous mobile robots (AMRs), autonomous guided vehicles (AGVs), and sensors, are wirelessly connected, configuring or moving assembly elements on demand is much easier. This use case demands highly reliable, low-latency wireless connectivity and coverage, and potentially high data rates in both the uplink and downlink, and maybe support for Time Sensitive Networks (TSN) in the future. This use case application can only be achieved with 5G private networks.”

Outside the industrial sector, 5G private networks enable mobile augmented-reality (AR) and virtual-reality (VR) applications, allowing, for example, engineers to view superimposed blueprints, soldiers to have heads-up displays, and businesses to have virtual meetings in the field or working remotely. “If a machine has to be repaired, and a technician or a factory worker has AR goggles, they can have technical information superimposed on the real-world device to see what is wrong,” says Dantuluri. “And the data center can send instructions about how to do the repairs, step by step.”

As enterprises realize the benefits of pervasive, low-latency, high-bandwidth, and secure connectivity, the applications of 5G private networks will expand. By the end of 2024, analysts expect investment in 5G private networks will add up to tens of billions of dollars. A separate analysis by the research arm of investment firm JP Morgan predicts that the global enterprise opportunity for 5G will exceed $700 billion by 2030.

Better security

5G private networks have improved upon previous 4G standalone network security and are better able to address several existing security threats. Like most new technology, 5G private networks will likely have security issues that need to be addressed, but security has become a primary consideration in both developing the standards for 5G and in the implementation approaches. In addition, companies can further augment those security features with novel technologies, such as more robust encryption schemes and zero trust architecture, as private networks afford complete control to its owner—a benefit not possible on public networks.

The focus on improving security will drive new and innovative applications, especially in high-security areas such as seaports and airports, says Dantuluri. “Private networks provide the flexibility of movement that seaports require,” he says. “In airports, after a plane lands, engine data can begin downloading before the plane even docks to the gate, which saves a lot of time and helps airlines stay on schedule.”

Wireless flexibility

Most manufacturing robots are tethered to wired networks, but improved connectivity and better security means that connected devices can more easily move around and stay connected to necessary systems and data. In addition, 5G networks are built to allow devices to remain connected when moving between cells, whereas many Wi-Fi networks require devices to reconnect after moving. 

This advantage pays off in scenarios where a large area needs to be covered by a wireless network, Dantuluri says. “Facilities like mines, airports, and seaports require significant geographic coverage in the order of several square kilometers,” he says. “Other wireless technologies have very limited range, making them unsuitable for these use cases.”

In addition, there are benefits for remote applications as well. Today, most offshore oil rigs, for example, rely on separate satellite communications and local networks. Not only are 5G private network connections more secure and interoperable, but they reduce the cost of hybrid communications, combining local area, cellular, and satellite networks.

A revolution in connectivity

Industry has quickly evolved over the past two decades, from steam-powered machines automating manufacturing, to assembly lines simplifying production, to computerized systems creating more precise products. Machine learning and fast, reliable connectivity promise to make the next industrial revolution, Industry 4.0, possible.

Every industry will apply Industry 4.0 advances to help improve their operations. 5G private networks will be crucial to that effort. “Today, automation is significant, but is all done with wires, so systems—industries, robotics, sensors—are difficult to quickly customize,” says Dantuluri. “As 5G private network adoption increases, all systems will be automated and connected with low-latency wireless, which will enable adaptive business models.”

Article link: https://www-technologyreview-com.cdn.ampproject.org/c/s/www.technologyreview.com/2022/05/19/1052138/5g-private-networks-enable-business-everywhere/amp/

This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by MIT Technology Review’s editorial staff.

By Loren Blinde May 25, 2022

On May 24, the U.S. Army posted an invitation to the upcoming Machine Learning Assessment Event, which will be held August 2 to 5. Responses are due by June 28.

The Cyber Fusion Innovation Center (CFIC), in collaboration with U.S. Army Cyber Command (ARCYBER) Technical Warfare Center (TWC), will host a series of events to identify existing and/or potential capabilities and expertise to reduce cognitive workloads and optimize workflows within its four mission areas (defend, operate, influence, and attack) to further increase operational effectiveness.

Background
Machine learning (ML) and artificial intelligence (AI)-enabled systems can effectively reduce Warfighter burden by automating portions of their workflows to increase Warfighter accuracy and throughput.  Warfighters with shorter, more accurate workflows will therefore increase operational effectiveness across many various lines of effort.  Defensive and offensive cyberspace workflows involve finding a capability or technique to generate an effect somewhere in an environment under certain conditions.  Understanding the entire solution space manually is cumbersome, time-consuming, and in most cases infeasible.  An AI-based system could reduce this problem to the subset of capabilities/techniques that have the highest probability of success given past experience.  This would enable faster and more accurate solution finding, ultimately improving operational effectiveness.

Known Capability Needs

1. How to proactively and continuously support asset identification and
   compliance at the network edge via at-scale enterprise network traffic
   analytics, in support of the Cyber mission. May include but not limited to identification and status of all end-points, current status of patching, and recommendations for patching priorities.
2. Automatically identify vulnerable surfaces or likely bad-actor avenues of approach to our network.  May include but not limited to dynamically identifying adversarial Grey and Red space infrastructure.
3. How to enable dynamic automation, augmentation, or reconfiguration of network infrastructure for detection of malicious intent and intervention against adversary actions in support of cyber operations at the network edge. May or may not include human intervention.
4. How to identify malicious (preferred) or anomalous behavior in data
   related to netflow or PCAP.

While the ideal solution is preferred, capabilities that address individual components will be considered. Partnerships among potential solution providers resulting in complete solutions are highly encouraged.

Review the ARCYBER ML assessment event submission instructions.

Article link: https://intelligencecommunitynews.com/arcyber-to-host-ml-assessment-event/

Source: SAM

“Without a common understanding of risk, civilian and military leaders are unable to make informed and consistent decisions about open-source data, leading to strategic missteps and tactical knee-jerk reactions.”

From fitness trackers to aircraft monitoring apps, open-source information is everywhere. The Army needs to account for it as it develops its concept of information advantage.

Maggie Smith and Nick Starck | 05.24.22

Editor’s note: This article is part of the series “Compete and Win: Envisioning a Competitive Strategy for the Twenty-First Century.” The series endeavors to present expert commentary on diverse issues surrounding US competitive strategy and irregular warfare with peer and near-peer competitors in the physical, cyber, and information spaces. The series is part of the Competition in Cyberspace Project (C2P), a joint initiative by the Army Cyber Institute and the Modern War Institute. Read all articles in the series here.

Special thanks to series editors Capt. Maggie Smith, PhD, C2P director, and Dr. Barnett S. Koven.

---

Three months ago, as Russia invaded Ukraine, the world watched as Twitter exploded with real-time data, reporting, and analysis of the unfolding conflict. It quickly became clear that the war presented analysts with an unprecedented amount of rich, open-source data on military movements, troop location, shelling damage, weapon types, and more. Ukraine has been quick to capitalize on Russia’s poor data protection and President Volodymyr Zelenskyy has become Ukraine’s most potent weapon because of his ability to use data and information and Russia’s inability to protect it.

For the US Army, a key takeaway from the Ukrainian conflict so far should be the extent to which our modern-day habits are trackable, traceable, and predictable. Open-source data presents modern militaries, especially wealthy high-tech ones, with a very uncomfortable truth: militaries are exposed because their troops are connected. Currently, the US legal and regulatory systems do not, and cannot, protect the average citizen—and therefore, the average US service member—from risks associated with the ubiquitous open-source data produced by our surveillance economy. From a national security perspective, the accumulation of open-source data on people—their habits, their likes and dislikes, their exercise routines, and more—and its potential to impact the military’s ability to fulfill its man, train, and equip mandate from Congress is deeply concerning. Also alarming is the amount of information our adversaries can glean about US strategic interests from tracking US military activity on any number of apps, like Flightradar24, which includes US military reconnaissance platforms such as the unmanned RQ-4 Global Hawk, the RC-135V Rivet Joint, and others among the aircraft it tracks, and Strava, the fitness tracking app. Ultimately, you can intuit quite a bit about where our forces may be heading, where military planners are focusing their efforts, and where the next conflict is likely to occur if you simply track where Rivet Joints are conducting sorties and service members are working out. And for the Army specifically, the existing and emerging doctrine fails to account for the surveillance economy and its open-source data, leaving a gaping hole in our competitive strategy.

Information Advantage: What Is It?

Presently, the Army is developing its doctrine for its newest term of operational art: information advantage. Information drives friendly, neutral, and adversary actors at all levels and across all domains of warfare. Information advantage is a condition of relative advantage that enables a more complete operational picture and leads to decision dominance—the sensing, understanding, deciding, and acting faster and more effectively than the adversary. Gaining the initiative and maintaining a position of relative advantage over the information environment—regardless of where we find ourselves on the conflict continuum—largely depends on a commander’s ability to achieve an information advantage over a defined target audience or adversarial decision maker in a specific context or timeframe. Complementary to information advantage is the employment of information and other capabilities as weapons, designed to shape friendly, neutral, and adversarial perceptions, attitudes, and behaviors. Ultimately, the ability to shape perception and achieve victory in modern conflict and competition is heavily dependent on trust—trust in data, among team and unit members, in leaders, in doctrine, in equipment, and in capabilities.

To achieve information advantage, the Army conceives of five, interrelated core tasks— what have been described as “information advantage activities.” Commanders must: 1) enable decision making; 2) protect friendly information; 3) inform and educate domestic audiences (a task conducted in accordance with laws and focused on public affairs office activities); 4) inform and influence international audiences; and 5) conduct information warfare. In theory, information advantage activities are synchronized through the operations process, integrated across the Army’s six warfighting functions—command and control, intelligence, protection, movement and maneuver, fires, and sustainment—and employed using all available military capabilities. After distilling the Army’s rhetoric, information advantage requires commanders to prioritize persistent sensing, ongoing analysis, cyclical assessments, and a willingness to continuously update assumptions to ensure they maintain a dynamic situational awareness of the environment—in competition and conflict. Ultimately, the Army anticipates that victory in future warfare, and in the current era of persistent engagement, will come down to who can gain the most by effectively employing information to their advantage.

The National Security Risk

Instead of gunfire or artillery explosions, some of the first signs that Russia was invading Ukraine on February 24, 2022, came from Twitter. For example, Dr. Jeffrey Lewis, an expert in arms control and nonproliferation, compiled open-source data from the traffic layer of Google Maps and shared the Russian troop movements he identified, essentially in real time, on Twitter. According to Google Maps, he Tweeted, “there is a ‘traffic jam’ at 3:15 in the morning on the road from Belgorod, Russia to the Ukrainian border”—exactly the spot where vehicles, equipment. and manpower had massed the previous day. “Someone’s on the move,” Dr. Lewis concluded, and he was right. As the Ukrainian conflict escalated, individual researchers and organizations continued to collectand analyze open-source data—also defined as publicly available information by DoD—from social media platforms, commercial satellites, and public databases. Their analysis and reporting have emerged as a critical resource on the conflict, providing combatants and observers with incredible insight and minute-by-minute assessments of what is happening on the ground.

However, the ability to track ongoing military operations through open-source data is not new—in 2016 Bellingcat released a report that used open source data to document the full scale of the Russian artillery attacks against Ukraine in the summer of 2014. In fact, using open-source data is the new normal. And various US government agencies, including the Department of Defense, rely on open-source data for intelligence and procure data through contracts with data brokers. In response, civil society and privacy watchdogs around the world have voiced concern, highlighting the risks to personal privacy associated with government-led data collection, aggregation, and use. The likely result is new legislation, like the proposed Fourth Amendment is Not For Sale Act and others.

However, the use of open-source data and large scale, legal data collection efforts frequently pose less obvious national security risks. China, for example, aggressively collects data—legally and illegally—to support its domestic and international goals. A major threat to US citizen data is China’s Beijing Genomics Institute(BGI), which has grown into one the world’s largest genomic companies after working on the Human Genome Project. BGI developed a prenatal genetic test, in collaboration with the Chinese military, that is sold and used globally. However, in addition to providing prospective parents with important genetic information, the DNA specimens are also amassed into a vast bank of genomic data that China is using to conduct large-scale studies of population traits. More than eight million women have taken BGI’s prenatal tests globally, and China has their DNA and location data stored locally in mainland China. BGI also developed a COVID-19 test and offered to set up testing laboratories in several US states at the start of the pandemic. Mike Orlando, head of the National Counterintelligence and Security Center, identified the BGI offers as a national security risk, “citing concerns about how China might use personal data collected on Americans.” Even when done legally, DNA collection by Chinese companies should be understood as part of China’s comprehensive effort to collect records and data.

On the other hand, data also creates risk for the governments that aggressively pursue it. Experts are increasingly identifying the ways that open-source data can be used to expose government activity (e.g., military maneuvers, resource allocation, travel, or policy activity) and how the ever-growing pools of open-source data generated by modern societies pose a national security risk. But we lack precision in how we describe the sources, mechanisms, and outcomes of open-source data risks, preventing the development of a coherent mitigation strategy tailored to the national security context. Without a common understanding of risk, civilian and military leaders are unable to make informed and consistent decisions about open-source data, leading to strategic missteps and tactical knee-jerk reactions—like embedding code in the Free Application for Student Aid website that sends user information back to Facebook (the code has since been removed) or banning service members from using geolocation features on devices in deployed areas (e.g., fitness trackers).

What Is Information Advantage Missing?

The piece missing from the Army’s information advantage framework is an awareness of how the persistent aggregation of open-source data in the surveillance economy impacts the Army’s ability to achieve information advantage. Because the American public is subject to the surveillance economy, US service members are, too. George Washington famously emphasized that “when we assumed the Soldier, we did not lay aside the Citizen” as a cautious reminder that soldiers are citizens first. Since service members live alongside and among the general population, service members and veterans are not only susceptible to the same targeted marketing the average citizen experiences, but are actually the target of additional foreign manipulation and surveillance efforts. Soldiers, sailors, airmen, and Marines access social media platforms and online services just as civilians do. They also purchase items online, apply for credit cards online, do their taxes with online tax preparation tools, and surf the web just like their civilian counterparts. But unlike the civilian neighbors they barbeque with, they also fight the nations’ wars. Open-source data is produced continuously by all service members as they go about their digitally connected lives alongside their civilian counterparts, making the surveillance economy an integral part of the information environment that commanders need to consider as they conduct information advantage activities.

The military is beginning to understand the potential risks presented by open-source data, particularly in combat situations, partly because examples of how open-source data can expose military information abound—from troop location tracking on Tinder to tracking stolen AirPods to SIM cards revealing Russian troop locations in Ukraine. Of course, these known cases fit neatly within traditional operational security risks and are scenarios that senior military leaders can relate to—especially when open-source data is directly contributing to deaths on the battlefield or to the identification of war criminals. However, having a tactical appreciation of the open-source data risks during periods of declared conflict is not enough to achieve information advantage—the risks to military operations are present well before any decision to go to war is made, and persist after conventional conflict ends. In fact, the risks are a constant factor in the current competition environment, making any ex post facto restrictions, regulations, or rules placed on deployment behavior inadequate and misguided. Changes need to happen at home, well before the deployment cycle begins. Failing to consider garrison operations and the ways that soldiers interact with the surveillance economy as part of the information environment that commanders need to consider for information advantage is a failure to understand when and where the vulnerabilities and threats to the force begin and a failure to account for our modern, digitally connected, human behavior.

The “So What” of Open-Source Data

For multi-domain operations, the Army frames the operating environment as including human, physical, and informational aspects. To be effective across the competition continuum, the Army proposes positioning formations and capabilities forward, so that information advantage activities are integrated into security cooperation efforts and crisis action planning on behalf of theater commanders. To coordinate information advantage activities in an area of conflict, the Army identifies that preparation must begin in competition, or when forces develop the intelligence to identify specific vulnerabilities and then gain or prepare to request the required authorities, and train to use national-level capabilities. The overall goal is operational convergence with formations postured to degrade, disrupt, or destroy adversary capabilities, while defending those of friendly forces. However, what this framework does not consider is the intersection of the human, physical, and informational aspects, or the risks to day-to-day garrison operations from open-source data.

Ultimately, the risks of open-source data are not an individual’s problem, but an Army problem. For example, fake accounts on Facebook for US Army general officers are numerous, and in some cases, fail to violate Facebook’s terms of service and can therefore, remain active. Even LinkedIn is rife with fake profilesattempting to make connections with users in targeted marketing campaigns. Additionally, fake social media accounts managed by Russia have already mobilized the American public in connection with divisive issues, making fake accounts for authoritative figures, like US Army generals, especially concerning. From a national security perspective, open-source data enables foreign manipulation efforts that target the US military and veteran populations through the use of “misleading and divisive questions about the U.S. government’s military and veteran policies to further amplify and exploit the existing frustrations.” The relative ease with which anyone can purchase open-source data means that soldier data is already being used to target service members for products, media, or other services and presently, there is nothing preventing our adversaries from using open-source data to target them as well.

To achieve information advantage, the Army needs to give commanders the tools necessary to assess the operational risks of open-source data, social media, and related information technologies. The Army has longstanding doctrine for assessing operational risks; however, the traditional risk management framework is intentionally broad, leaving commanders without clear guidance or terminology for identifying, assessing, and making risk decisions in the information environment. As the Army develops its information advantage doctrine, it should simultaneously develop a dedicated data risk management framework to enable modern commanders to achieve information advantage. In its current form, information advantage perpetuates an antiquated notion that operating environments are (or can be) geographically bound—as the conflict in Ukraine has highlighted, kinetic actions may be limited to a geographic area, but informational risks are global. A dedicated data risk management framework would be a guide for commanders to continually and methodically assess the evolving information environment, to identify and address conceptual gaps, and to achieve their informational and operational goals. As the information environment emerges as the main effort in competition and conflict, the Army must adapt and provide its commanders with the right concepts, doctrine, and resources to succeed in a world characterized by the ubiquity of open-source data.

Article link: https://mwi.usma.edu/open-source-data-is-everywhere-except-the-armys-concept-of-information-advantage/

Captain Maggie Smith, PhD, is a US Army cyber officer currently assigned to the Army Cyber Institute at the United States Military Academy where she is a scientific researcher, an assistant professor in the Department of Social Sciences, and an affiliated faculty of the Modern War Institute. She is also the coeditor of this series and director of the Competition in Cyberspace Project.

Captain Nick Starck is a US Army cyber officer currently assigned as a research scientist at the Army Cyber Institute. His research focuses on information warfare and data privacy.

The views expressed are those of the authors and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.

Image credit: Sgt. Dustin D. Biven, US Army

By Colin Demarest Wednesday, May 18

WASHINGTON — Two NATO agencies recently kicked off an artificial intelligence initiative to better understand the technology and its potential warfare applications.

More than 80 AI experts, researchers and academics from the U.S. and other member countries are involved with the venture, known as a strategic “horizon scanning,” put together by the NATO Science and Technology Organization and the NATO Communications and Information Agency.

An inaugural meeting and workshop was held this month in The Hague, Netherlands, where the NCI Agency’s data science and AI facilities are located.

“AI is one of the key emerging and disruptive technologies identified by NATO as vital for the maintenance of its technological edge,” NATO Chief Scientist Bryan Wells said in a statement. “By working together, the STO and the NCI Agency are able to bring together global experts to ensure the very best scientific expertise is available to advise NATO and its allies and partners on the latest scientific trends in this area.”

The NATO guarantee of a collective defense and the advantage of numbers, both on the battlefield and in the lab, has been much discussed amid Russia’s latest invasion of Ukraine and the subsequent membership applications made by Finland and Sweden.

NATO ministers in October adopted the alliance’s first-ever AI strategy, which describes the capability as “changing the global defense and security environment” and offering “an unprecedented opportunity to strengthen our technological edge but will also escalate the speed of the threats we face.”

The strategy emphasizes responsible use of AI for defense across six tenets: lawfulness; responsibility and accountability; explainability and traceability; reliability; governability; and bias mitigation.

AI frameworks and other guidance drafted by the U.S. and its defense community take a similar approach.

NATO allies in 2019 agreed to focus on seven emerging and disruptive technologies, data, computing and AI among them. Making sure there are shared standards, and that systems will work with systems, will be critical to success, officials said.

“One of the big challenges when we go into this new phase of disruptive technologies is how do you keep all allies on the same hymn sheet when it comes down to communicating with each other, using the same technology, being interoperable,” David van Weel, NATO assistant secretary general for emerging security challenges, told Defense News in March 2021. “So that’s a big part [of the strategy] and a big role for NATO to play.”

Article link: https://www.c4isrnet.com/artificial-intelligence/2022/05/18/nato-launches-ai-initiative-to-ensure-tech-advantage/

About Colin Demarest

Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its NNSA — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.

https://www.rand.org/pubs/research_reports/RRA1190-1.html?

Research Questions

1. What responses has the United States considered in the past to cyber compromises of U.S. government systems?
2. Has the United States been able to materially affect adversary behavior through its past responses?
3. How should the United States respond to similar cyber incidents in the future?
4. Should the United States expect those responses to achieve its objectives in the future in light of prior responses?

Cyber-enabled espionage against the United States has been a challenge for more than 20 years and is likely to remain so in the future. In the aftermath of the 2020 SolarWinds cyber incident that affected U.S. government networks, policymakers, lawmakers, and the public asked: “Why does this keep happening, and what can the United States do to prevent it from reoccurring?” It is these questions that motivate this effort. Specifically, this report summarizes three cases of Russian cyber-enabled espionage and two cases of Chinese cyber-enabled espionage dating back to the compromise of multiple government agencies in the late 1990s up to the 2015 compromise of the Office of Personnel Management. The purpose of this inquiry is to address whether U.S. responses have changed over time, whether they led to changes in adversary behavior, and what the United States can learn from these cases to inform future policymaking. The authors show that policymakers typically consider a narrow set of response options, and they often conclude that not much can be done beyond trying to improve network defenses, because the United States “does it too.” The authors suggest that the U.S. government could broaden its policy response options by increasing focus on diplomatic engagement, including working with partners and allies to call out malicious cyber behavior; expanding the use of active defense measures to root out adversaries; and employing more-sophisticated counterintelligence techniques, such as deception, to decrease the benefits that adversaries derive from cyber espionage.

Key Findings

Available response options are not limited to the cyber domain, and no one should expect them to be

• The response options that U.S. policymakers consider for cyber espionage cases do not appear to have changed much over the past two decades — and, in some respects, they may be even more constrained today.

The benefits of cyber-enabled espionage continue to outweigh any perceived repercussions for such countries as Russia and China

• The historical record suggests that the United States has felt constrained in its ability to respond vigorously against Russia or China because of the notion that cyber espionage is a standard and accepted practice by nations.
• The record also suggests that the United States would not want to take steps to constrain its own ability to engage in similar intelligence activities in cyberspace.
• U.S. policymakers have assessed that breaches of confidentiality, although damaging in the long term, did not rise to the same level of acute damage to national security that another, more destructive form of cyber operation might entail.
• The United States has proved especially vulnerable to cyber incidents, and a lack of response appears to have emboldened the Russians and Chinese to continue and expand their cyber espionage activities over the years.
• Improving the U.S. ability to deter by denial — by strengthening the cybersecurity of the U.S. government — remains an elusive but vital priority.

Recommendations

• The United States should pursue expanded diplomatic efforts, including with its partners and allies, to call out indiscriminate cyber espionage and establish guardrails for acceptable cyber espionage.
• The United States should also expand its use of active defense measures on U.S. government networks to hunt for adversary activity and offer similar support to partners and allies.
• The United States should make better use of counterintelligence, particularly deception operations, to reduce the benefits that countries might derive from cyber espionage.
• The role of diplomacy should not be diminished, and more-recent multilateral efforts to call out malicious cyber behavior have the potential to lay a foundation for shaping international norms.

Table of Contents

• Chapter OneIntroduction
• Chapter TwoCyber Espionage, Deterrence, and Response
• Chapter ThreeRussia Case Studies
• Chapter FourChina Case Studies
• Chapter FiveConclusion and Recommendations

Check out this video comparing public vs. private #5G networks. #DOD and National Telecommunications and Information Administration (NTIA) have teamed up to create a video series explaining the telecommunications technologies that impact the #5GChallenge. The United States Department of Defense and NTIA launched the challenge to advance 5G interoperability toward true 5G plug-and-play operation. https://lnkd.in/ggGm_8J8