healthcarereimagined

Envisioning healthcare for the 21st century


Back to the Future: Protecting Against Quantum Computing – Nextgov

Posted by timmreardon on 05/23/2022
Posted in: Uncategorized.

By VINCENT BERK, MAY 23, 2022 09:00 AM ET

Lessons from Germany’s World War II code machine, Enigma, show that even “unbreakable” encryption can be cracked eventually.

The previous two years have proven the importance of proactively working to secure our data, especially as organizations underwent digital transformations and suffered increased cyberattacks as a result. For organizations that have been breached but whose data hasn’t yet been exploited and released into the wild, it may already be too late.

Organizations that have already experienced a data breach may become victims of “harvest today, decrypt tomorrow” or capture-now-decrypt-later attacks. These attacks, also referred to as “harvesting” for short, capitalize on known vulnerabilities to steal data that may not even be readable with today’s decryption technologies; the attacker stores the ciphertext and waits.

These attacks require long-term planning and projections on the advancement of quantum-computing technologies. While these technologies may still be years away from being commercially available and widely used, organizations should look to protect against these threats now to prevent themselves from becoming a future casualty.

Before getting into more detail on the future threat posed by quantum computing, we should look to a historic example to inform our present decision-making. 

Lessons from the Enigma

In 1919 a Dutchman invented an encoding machine that was universally adopted by the German army, called “the Enigma.” Unbeknownst to Germany, the Allied powers managed to break the coding scheme, and were able to decode some messages as early as 1939, when the first German boots set foot in Poland. For years, however, the German army believed the Enigma codes were unbreakable and was communicating in confidence, never realizing their messages were out in the open. 

History may already be repeating itself. I can’t help but think that most organizations today also believe that their encrypted data is safe, but someone else may be close to, or already, reading their “secure” mail without them even knowing. 

Today’s modern cryptography is often deemed unbreakable, but a big, shiny black building in Maryland suggests that governments may be better at this than is widely believed. Although a lot of credit goes to the magical and elusive quantum computer, the reality is different: poor implementations of crypto suites are the primary vector for breaking encryption of captured traffic. So are certificates captured through other means, brute-forced passwords and even brute-forced crypto, because insufficient entropy is used to generate random numbers.  

All these techniques are part of the arsenal of any nation who wants to strategically collect information on the happenings of other international players—whether government or private companies. These techniques also require higher levels of coordination and financial backing to be a successful part of an intelligence strategy. As I continue to see, when the value of the captured information is high enough, the investment is worth it.  Consider then the vast data centers being built by many governments: they are full of spinning disks of memory storage just in case current approaches don’t yield access. Data storage has become an investment in the future of intelligence gathering. 

Looking towards the future

Harvesting attacks do not work only as a strategy for quantum computers. We will likely have more powerful processors for brute-forcing in the future. Additionally, other types of stochastic computation machines, such as spintronics, are showing promise, and even the de-quantification of popular algorithms may one day produce a binary-computer version of Peter Shor’s algorithm. The latter helps explain how quantum computing may make quick work of current encryption techniques: it would allow Diffie-Hellman key exchanges or RSA to be broken on a conventional computer in far smaller time frames.

So how do we shield ourselves? It is hard to imagine armoring oneself against every possible threat to encryption, just as it is difficult to predict exactly which stocks will do well and which ones won’t. There are too many factors and too much chaos. One is left with only the option of diversification: using an out-of-band key-distribution strategy that allows multiple paths for keys and data to flow, and a range of algorithms and keys to be used. By diversifying our cryptographic approaches we are also able to minimize the damage in case a particular strategy fails us. Monocultures are at risk of pandemics; let’s not fall victim to an encryption monoculture as we move into the future.

It is past time to take steps now that will protect organizations from future threats. This includes developing actionable standards. Both federal agencies and the private sector need to embrace quantum-safe encryption. Additionally, they should look to develop next-generation, standards-based systems that will address current encryption method shortcomings and poor key management practices. This will help to ensure not only quantum-safe protection from future threats, but also stronger security from contemporary threats. 

Organizations face a dizzying array of threats and need to constantly remain vigilant to thwart attacks. While looking to protect against current threats is certainly important, organizations should begin projecting future threats, including the threat posed by quantum computing. As technology continues to advance each day, one should remember that past encryption, like the Enigma machine, didn’t remain an enigma for long and was broken in time. The advent of quantum computing may soon make our “unbreakable” codes go the way of the dinosaur. Prepare accordingly.

Article link: https://www.nextgov.com/ideas/2022/05/back-future-protecting-against-quantum-computing/367231/

The hype around DeepMind’s new AI model misses what’s actually cool about it – MIT Tech Review

Posted by timmreardon on 05/23/2022
Posted in: Uncategorized.

Some worry that the chatter around these tools is doing the whole field a disservice.

By Melissa Heikkilä, May 23, 2022

Earlier this month, DeepMind presented a new “generalist” AI model called Gato. The model can play the video game Atari, caption images, chat, and stack blocks with a real robot arm, the Alphabet-owned AI lab announced. All in all, Gato can do 604 different tasks. 

But while Gato is undeniably fascinating, in the week since its release some researchers have gotten a bit carried away.

One of DeepMind’s top researchers and a coauthor of the Gato paper, Nando de Freitas, couldn’t contain his excitement. “The game is over!” he tweeted, suggesting that there is now a clear path from Gato to artificial general intelligence, or ‘AGI’, a vague concept of human or superhuman-level AI. The way to build AGI, he claimed, is mostly a question of scale: making models such as Gato bigger and better. 

Unsurprisingly, de Freitas’s announcement triggered breathless press coverage that Deepmind is “on the verge” of human-level artificial intelligence. This is not the first time hype has outstripped reality. Other exciting new AI models, such as OpenAI’s text generator GPT-3 and image generator DALL-E, have generated a similar amount of grand claims. For many in the field, this kind of feverish discourse overshadows other important research areas in AI. 

That’s a shame because Gato is an interesting step in AI. Some models have started to mix different skills, like DALL-E, which generates images from text descriptions. Others use a single training technique to learn to recognise pictures and sentences. And DeepMind’s AlphaZero learned to play Go, chess and shogi. 

But here’s the crucial difference: AlphaZero could only learn one task at a time. After learning to play Go, it had to forget everything before learning to play chess, and so on. It could not learn to play both games at once. This is what Gato does: learns multiple different tasks at the same time, which means it can switch between them without having to forget one skill before learning another. It’s a small step but a significant one.

But Gato performs tasks worse than models that can only do one thing. Robots still need to learn “common sense knowledge” about how the world works from text, says Jacob Andreas, an assistant professor at MIT who specializes in artificial intelligence and natural language and speech processing.   

This could come in handy in robots that could help people around the house, for example. “When you drop [a robot] into a kitchen and ask them to make a cup of tea for the first time, they know what steps are involved in making a cup of tea and in which cabinet tea bags are likely to be located in,” says Andreas. 

Some external researchers were explicitly dismissive of de Freitas’ claim. “This is far from being ‘intelligent’,” says Gary Marcus, an AI researcher who has been critical of deep learning. The hype around Gato demonstrated that the field of AI is blighted by an unhelpful “triumphalist culture,” he says.

He argues that the deep learning models that often generate the most excitement about the potential to reach human-level intelligence make mistakes that “if a human made these errors, you’d be like, something’s wrong with this person,” Marcus says.

“Nature is trying to tell us something here, which is, this doesn’t really work, but the field is so believing its own press clippings, that it just can’t see that,” he adds. 

Even de Freitas’s DeepMind colleagues, Jackie Kay and Scott Reed, who worked with him on Gato, were more circumspect when I asked them directly about his claims. When asked about whether Gato was heading towards AGI, they wouldn’t be drawn. “I don’t actually think it’s really feasible to make predictions with these kinds of things. I try to avoid that. It’s like predicting the stock market,” said Kay.

Reed said the question was a difficult one. “I think most machine learning people will studiously avoid answering. Very hard to predict, but, you know, hopefully we get there someday.”

In a way, the fact that DeepMind called Gato a “generalist” might have made it a victim of the AI sector’s excessive hype around AGI. The AI systems of today are called “narrow” AI, meaning they can only do a specific, restricted set of tasks such as generate text.

Some technologists, including at DeepMind, think that one day humans will develop “broader” AI systems that will be able to function as well as or even better than humans. Some call this artificial “general” intelligence. Others say it is like “belief in magic.” Many top researchers, such as Meta’s chief AI scientist Yann LeCun, question whether it is even possible at all.

Gato is a “generalist” in the sense that it can do many different things at the same time. But that is a world apart from a “general” AI that can meaningfully adapt to new tasks that are different from what the model was trained on, says MIT’s Andreas. “We’re still quite far from being able to do that.”

Making models bigger will also not address the issue that models don’t have “lifelong learning”, meaning they can be taught things once and they will understand all of the implications and use it to inform all of the other decisions that they are going to make, he says.

The hype around tools like Gato is harmful for the general development of AI, argues Emmanuel Kahembwe, an AI/robotics researcher and part of the Black in AI organization co-founded by Timnit Gebru. “There are many interesting topics that are left to the side, that are underfunded, that deserve more attention, but that’s not what the big tech companies and the bulk of researchers in such tech companies are interested in,” he says.

Tech companies ought to take a step back and take stock of why they are building what they are building, says Vilas Dhar, president of the Patrick J. McGovern Foundation, a charity that funds AI projects “for good.” 

“AGI speaks to something deeply human—the idea that we can become more than we are, by building tools that propel us to greatness,” he says. “And that’s really nice, except it also is a way to distract us from the fact that we have real problems that face us today that we should be trying to address using AI.”

Article link: https://www.technologyreview.com/2022/05/23/1052627/deepmind-gato-ai-model-hype/

GAO: Defense Department Isn’t Doing Enough to Protect Sensitive Information – Nextgov

Posted by timmreardon on 05/23/2022
Posted in: Uncategorized.

By FRANK KONKEL, MAY 20, 2022

Federal cybersecurity has been on the Government Accountability Office’s High Risk list since 1997.

Defense Department IT systems were not fully compliant in any of four major cybersecurity requirement areas for controlled unclassified information systems as of January 2022, according to an audit released May 19 by the Government Accountability Office.

Controlled unclassified information, or CUI, is less sensitive than secret or top-secret classified information, but still contains data—like personally identifiable information or business practices—that could be detrimental if disclosed publicly. DOD mandates full cybersecurity requirement implementation for components, but implementation rates generally ranged from 70% to 90%.  DOD operates approximately 2,900 CUI systems across its enterprise.

“We analyzed DOD’s data and found that while the DOD components have taken actions to implement cybersecurity requirements for CUI systems, none of the components were fully compliant,” the audit states. “DOD requires 100% compliance.”

The audit examined implementation rates across four DOD CUI requirement areas. Implementation ranged from 70-79% for DOD’s Cybersecurity Maturity Model Certification program established in 2020; from 80-89% for categorizing DOD CUI systems accurately; from 80-89% for implementing 266 controls for moderate confidentiality impact systems; and 90% or more for authorizing systems to operate on DOD networks.

Auditors noted the DOD Office of the Chief Information Officer, the official responsible for department-wide cybersecurity of CUI systems, has taken action to address these areas. In October 2021, DOD OCIO issued a memo reiterating requirements CUI systems must meet, and included new requirements on supply chain security controls. The DOD OCIO issued a follow-up memorandum in March 2022 reminding officials to implement those controls.

Article link: https://www.nextgov.com/cybersecurity/2022/05/gao-defense-department-isnt-doing-enough-protect-sensitive-information/367220/

380K Kubernetes API Servers Exposed to Public Internet

Posted by timmreardon on 05/22/2022
Posted in: Uncategorized.

Elizabeth Montalbano

May 20, 2022 7:11 am

More than 380,000 of the 450,000-plus servers hosting the open-source container-orchestration engine for managing cloud deployments allow some form of access.

More than 380,000 Kubernetes API servers allow some kind of access to the public internet, making the popular open-source container-orchestration engine for managing cloud deployments an easy target and broad attack surface for threat actors, researchers have found.

The Shadowserver Foundation discovered the access when it scanned the internet for Kubernetes API servers, of which there are more than 450,000, according to a blog post published this week.


“ShadowServer is conducting daily scans of the IPv4 space on ports 443 and 6443, looking for IP addresses that respond with an ‘HTTP 200 OK status,’ which indicates that the request has succeeded,” according to the post.

Of the more than 450,000 Kubernetes API instances identified by Shadowserver, 381,645 responded with “200 OK,” researchers said. In all, Shadowserver found 454,729 Kubernetes API servers. The “open” API instances thus constitute nearly 84 percent of all instances that Shadowserver scanned.

Moreover, most of the accessible Kubernetes servers, 201,348 or nearly 53 percent, were found in the United States, according to the post.

While this response to the scan does not mean these servers are fully open or vulnerable to attacks, it does create a scenario in which the servers have an “unnecessarily exposed attack surface,” according to the post.

“This level of access was likely not intended,” researchers observed. The exposure also allows for information leakage on version and builds, they added.

Cloud Under Attack

The findings are troubling given that attackers already increasingly have been targeting Kubernetes cloud clusters as well as using them to launch other attacks against cloud services. Indeed, the cloud historically has suffered from rampant misconfiguration that continues to plague deployments, with Kubernetes being no exception.

In fact, Erfan Shadabi, cybersecurity expert with data-security firm comforte AG, said in an email to Threatpost that he was not surprised that the Shadowserver scan turned up so many Kubernetes servers exposed to the public internet.

“While [Kubernetes] provides massive benefits to enterprises for agile app delivery, there are a few characteristics that make it an ideal attack target for exploitation,” he said. “For instance, as a result of having many containers, Kubernetes has a large attack surface that could be exploited if not pre-emptively secured.”

Open-Source Security Exposed

The findings also raise the perennial issue of how to build security into open-source systems that become ubiquitous as part of modern internet and cloud-based infrastructure, making an attack on them an attack on the myriad systems to which they are connected.

This issue was highlighted all-too-unfortunately in the case of the Log4Shell vulnerability in the ubiquitous Java logging library Apache Log4j that was discovered last December.

The flaw, which is easily exploitable and can allow unauthenticated remote code execution (RCE) and complete server takeover, continues to be targeted by attackers. In fact, a recent report found millions of Java applications still vulnerable despite a patch being available for Log4Shell.

An Achilles heel of Kubernetes in particular is that the data-security capabilities built into the platform are only at a “bare minimum,” protecting data at rest and data in motion, Shadabi said. In a cloud environment, this is a dangerous prospect.

“There’s no persistent protection of data itself, for example using industry accepted techniques like field-level tokenization,” he observed. “So if an ecosystem is compromised, it’s only a matter of time before the sensitive data being processed by it succumbs to a more insidious attack.”

Shadabi’s advice to organizations that use containers and Kubernetes in their production environments is to take securing Kubernetes as seriously as they take every other aspect of their IT infrastructure.

For its part, Shadowserver recommended that if administrators find that a Kubernetes instance in their environment is accessible to the internet, they should consider implementing authorization for access or block at the firewall level to reduce the exposed attack surface.
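The scan criterion above (an unauthenticated request on 443 or 6443 answered with HTTP 200) and Shadowserver’s recommended fix can be turned into a self-check for API servers an organization administers. This is an added example, not Shadowserver’s tooling; it assumes the kube-apiserver `/version` endpoint and its JSON keys (`gitVersion`, `platform`), and the sample response body is constructed for an offline run.

```python
"""Self-audit of Kubernetes API-server exposure (added example).

classify_response() applies the 200-OK criterion to one (status, body) pair
and records the build information an anonymous /version call leaks.
probe_host() issues that request against a host you own. exposure_summary()
reproduces the "share of servers that answered 200" figure over a batch.
"""
import json
import ssl
import urllib.error
import urllib.request

# Ports Shadowserver scanned, per the article.
SCANNED_PORTS = (443, 6443)

# Constructed sample of what an API server with anonymous auth enabled
# returns for GET /version (shape of a real kube-apiserver reply).
SAMPLE_OPEN_BODY = (
    '{"major":"1","minor":"24","gitVersion":"v1.24.0",'
    '"platform":"linux/amd64"}'
)


def classify_response(status, body):
    """Return an assessment dict for one unauthenticated HTTP reply."""
    result = {"status": status, "exposed": status == 200,
              "version": None, "platform": None, "advice": None}
    if status == 200:
        # 200 means the request succeeded anonymously; harvest what leaked.
        try:
            info = json.loads(body)
            result["version"] = info.get("gitVersion")
            result["platform"] = info.get("platform")
        except (ValueError, AttributeError):
            pass  # non-JSON 200 still counts as exposed
        result["advice"] = ("anonymous request succeeded: run kube-apiserver "
                            "with --anonymous-auth=false and block the port "
                            "at the firewall unless it must be reachable")
    elif status in (401, 403):
        # Server is reachable but rejects anonymous callers.
        result["advice"] = ("anonymous access rejected; still restrict the "
                            "port at the firewall to shrink attack surface")
    else:
        result["advice"] = "no API server response on this port"
    return result


def probe_host(host, port=6443, timeout=5.0):
    """Send one anonymous GET /version to a host you administer."""
    # API servers usually present self-signed certs; skip verification
    # for the probe only (we are not sending credentials).
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}/version"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as r:
            return classify_response(r.status, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return classify_response(None, "")


def exposure_summary(assessments):
    """Count exposed servers and compute their share, as in the article."""
    total = len(assessments)
    exposed = sum(1 for a in assessments if a["exposed"])
    pct = round(100.0 * exposed / total, 1) if total else 0.0
    return {"total": total, "exposed": exposed, "percent": pct}


if __name__ == "__main__":
    # Offline demonstration on constructed replies.
    batch = [classify_response(200, SAMPLE_OPEN_BODY),
             classify_response(401, "Unauthorized"),
             classify_response(200, SAMPLE_OPEN_BODY),
             classify_response(None, "")]
    for a in batch:
        print(a["status"], a["exposed"], a["version"], "-", a["advice"])
    print(exposure_summary(batch))
```

Run `probe_host("<your-apiserver-host>")` for each port in `SCANNED_PORTS` against your own inventory; a result with `exposed` set is the case the article describes.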

Article link: https://threatpost.com/380k-kubernetes-api-servers-exposed-to-public-internet/179679/

Milley tells West Point cadets technology will transform war – ABC

Posted by timmreardon on 05/22/2022
Posted in: Uncategorized.

The top U.S. military officer is challenging the next generation of Army soldiers to prepare America’s military to fight future wars that may look little like the wars of today

By LOLITA C. BALDOR, Associated Press, May 21, 2022

WASHINGTON — The top U.S. military officer challenged the next generation of Army soldiers on Saturday to prepare America’s military to fight future wars that may look little like the wars of today.

Army Gen. Mark Milley, chairman of the Joint Chiefs of Staff, painted a grim picture of a world that is becoming more unstable, with great powers intent on changing the global order. He told graduating cadets at the U.S. Military Academy at West Point that they will bear the responsibility to make sure America is ready.

“The world you are being commissioned into has the potential for significant international conflict between great powers. And that potential is increasing, not decreasing,” Milley told the cadets. “Whatever overmatch we, the United States, enjoyed militarily for the last 70 years is closing quickly, and the United States will be, in fact, we already are challenged in every domain of warfare, space, cyber, maritime, air, and of course land.”

America, he said, is no longer the unchallenged global power. Instead, it is being tested in Europe by Russian aggression, in Asia by China’s dramatic economic and military growth as well as North Korea’s nuclear and missile threats, and in the Middle East and Africa by instability from terrorists.

Drawing a parallel with what military officials are seeing in Russia’s war on Ukraine, Milley said future warfare will be highly complex, with elusive enemies and urban warfare that requires long-range precision weapons, and new advanced technologies.

The U.S. has already been rushing new, high-tech drones and other weapons to the Ukrainian military — in some cases equipment that was just in the early prototype phases. Weapons such as the shoulder-launched kamikaze Switchblade drones are being used against the Russians, even as they are still evolving.

And as the war in Ukraine has shifted — from Russia’s unsuccessful battle to take Kyiv to a gritty urban battle for towns in the eastern Donbas region — so has the need for different types of weapons. Early weeks focused on long-range precision weapons such as Stinger and Javelin missiles, but now the emphasis is on artillery, and increased shipments of howitzers.

And over the next 25 to 30 years, the fundamental character of war and its weapons will continue to change.

The U.S. military, Milley said, can’t cling to concepts and weapons of old, but must urgently modernize and develop the force and equipment that can deter or, if needed, win in a global conflict. And the graduating officers, he said, will have to change the way U.S. forces think, train and fight.

As the Army’s leaders of tomorrow, Milley said, the newly minted 2nd lieutenants will be fighting with robotic tanks, ships and airplanes, and relying on artificial intelligence, synthetic fuels, 3-D manufacturing and human engineering.

“It will be your generation that will carry the burden and shoulder the responsibility to maintain the peace, to contain and to prevent the outbreak of great power war,” he said.

In stark terms, Milley described what failing to prevent wars between great powers looks like.

“Consider for a moment that 26,000 — 26,000 — soldiers and Marines were killed in only six weeks from October to November of 1918 in the Battle of the Meuse-Argonne in World War I,” Milley said. “Consider also that 26,000 U.S. troops were killed in the eight weeks in the summer of 1944 from the beaches of Normandy to the liberation of Paris.”

Recalling the 58,000 Americans killed in just the summer of 1944 as World War II raged, he added, “That is the human cost of great-power war. The butcher’s bill.”

Thinking back to his own graduation, Milley paraphrased a popular Bob Dylan song from the time: “we can feel the light breeze in the air. And right now as we sit here on the plain at West Point, we can see the storm flags fluttering in the wind. We can hear in the distance the loud clap of thunder. The hard rain is about to fall.”

Article link: https://abcnews-go-com.cdn.ampproject.org/c/s/abcnews.go.com/amp/Politics/wireStory/milley-west-point-cadets-ready-robot-drone-led-84879006

The Pentagon Is Closing in on ‘Ethical’ AI Implementation – DefenseOne

Posted by timmreardon on 05/20/2022
Posted in: Uncategorized.

The Defense Department released guidance for using AI responsibly last year.

LAUREN C. WILLIAMS | MAY 18, 2022

The Defense Department is still finalizing an implementation plan for its artificial intelligence ethical principles, Jane Pinelis, the chief of AI assurance for the Defense Department’s Joint Artificial Intelligence Center, said at an event on Tuesday.

“So we are the first military to adopt the ethical principles for AI. Since then, multiple other nations have done so, and where we stand now with [chief digital and artificial intelligence office] is we’re trying to move into implementation,” Pinelis said during a panel discussion at the Atlantic Council on May 17.  

“So we have the five ethical principles at this point. We have [gotten] direction from the deputy secretary to advance them across six different tenets. But now we’re moving into … implementation.”

The Defense Department released guidance for using AI responsibly in May 2021 after announcing a set of ethical principles the year before.

Pinelis said the implementation plan, which is awaiting the deputy defense secretary’s signature, would be a “formal pathway forward” that tasks “various organizations in the Department of Defense with very specific actions as far as actually putting these principles into practice.”

Many of those tasks, she continued, overlap with testing and evaluation but there are many pieces that require everyone across DOD to take some responsibility.

“Responsible AI is, kind of, everybody’s job in the department,” Pinelis said. “And so there are pieces of it that have to do with international allies. There are pieces of it that have to do with responsibly acquiring these systems and responsibly developing these systems, and kind of again, crafting all of those arguments and evidence that go into responsible AI.”

Michael Horowitz, the Defense Department’s director of emerging capabilities policy, said faster implementation of artificial intelligence and autonomous technology solutions requires budget support and centralized leadership – both of which the Pentagon is working to address with the standing up of its chief digital and artificial intelligence office. 

“If data is the fuel that makes AI go essentially – what is an algorithm without the data that you would use to train it in one way or another – then bringing those together under the [chief digital and artificial intelligence office] construct, I think will be reflected in what a new strategy will likely look like as well,” Horowitz said during a keynote panel at the event. “What’s necessary now is to turn those thoughts into reality and to do it faster.” 

Horowitz, who has been in the brand new role for about a month, said he was “pretty optimistic” about the Pentagon’s direction and emphasis on AI and autonomy thanks to the creation of the emerging capabilities policy office, the CDAO, and innovation steering group that the undersecretary of defense for research and engineering. 

“I think all of those things make me optimistic that, as we enter the sort of FY ’24 budget cycle, that we’re going to start seeing that payoff as the department becomes — it’s not a question of just more, but smarter at thinking about AI and autonomous systems and investments in a way that really pays off for the joint force.”

Article link: https://www.defenseone.com/policy/2022/05/pentagon-closing-ethical-ai-implementation/367120/

To Win the Next War, the Pentagon Needs Nerds – Wired

Posted by timmreardon on 05/19/2022
Posted in: Uncategorized.

In a recent interview with Wired, DEPSECDEF Kathleen Hicks spoke about the relevance and importance of data, technology, and innovation to the current defense mission.

According to the article, DEPSECDEF recognizes that “technology is fundamentally changing the nature of war, and the US needs to adapt in order to maintain its edge.”

As we move to the new CDAO, Advana remains as dedicated as ever to delivering world-class data science solutions and technologies, including advanced analytics, AI, and ML, to further support the Department’s competitive advantage.

Read more about the role of data and technology in the ongoing conflict in Ukraine: https://lnkd.in/gErrZu6b

Data scientists, coders, and other techies could prove decisive in future conflicts—if Uncle Sam can recruit them.

When Russia invaded Ukraine, the US Department of Defense turned to a team of machine learning and artificial intelligence experts to make sense of an avalanche of information about the conflict.

“We have surged data scientists forward,” Deputy Secretary of Defense Kathleen Hicks told WIRED in a recent interview. These tech experts crafted code and machine learning algorithms, creating systems that are “especially valuable for synthesizing the complex logistics picture,” she said.

Due to the sensitive nature of operations in Ukraine, Hicks says she cannot provide details of what the data team has done. But Hicks says this helps prove a point that she and others have been making within the Pentagon for some time—that technology is fundamentally changing the nature of war, and the US needs to adapt in order to maintain its edge.

“I like to say that bits can be as important as bullets,” Hicks says, in reference to the importance of software, data, and machine learning. It isn’t only that technology is advancing more rapidly and in different ways; the US also faces fresh international competition in emerging areas like AI. Russia might be less of a technological threat, but China has emerged as a formidable new near-peer rival. “We know that by the Chinese government’s statements in writing that they’re looking very much to advance on the AI front,” Hicks says.

During the ongoing conflict in Ukraine, AI algorithms have been used to transcribe and interpret Russian radio chatter, and to identify Russian individuals in videos posted on social media, using facial recognition tech. Low-cost drones that use off-the-shelf algorithms to sense and navigate are also proving a potent new weapon against more conventional systems and strategies. An unprecedented hacking campaign against Russia shows how cybersecurity skills have become a potent weapon against a nation-state adversary. New weapons can now be developed at breakneck speed, too, as was shown earlier this month when the US said it had developed a custom drone specifically for use by Ukrainian forces. By contrast, the US Air Force’s latest fighter jet, the F-35, has been in development for over 20 years, at an estimated lifetime cost of $1.6 trillion.

Although the US is helping Ukraine punch above its weight by providing financial aid, conventional weapons, and new technologies, there are those—inside and outside of the Pentagon—who worry that the US is ill-equipped to adapt to the challenges presented by war in the future.

“Every large company has the same problem,” says Preston Dunlap, who resigned last week as chief architect of the Department of the Air Force, a role that involved modernizing technology development and acquisition. Dunlap compares the situation to the way big successful businesses can be disrupted by technological change and more nimble competitors, a phenomenon that the business school professor Clayton Christensen called “the innovator’s dilemma.”

Dunlap penned an open resignation letter in which he recommended steps that the Department of Defense should take to embrace a more rapid, experimental, and technology-focused culture. He says just like a business faced with technological disruption and more nimble competitors, the US military struggles to change direction because it encompasses so many people, systems, and ingrained ways of doing things. He suggests that advocates for change, such as Hicks, can only do so much. “I am concerned about operators having to go into some kind of contingency [conflict] without the available technology,” he says. “That’s just not a place I want us to be.”

A 2019 report commissioned by the Defense Innovation Board, which provides the secretary of defense and deputy secretary of defense with recommendations around technology adoption, warns that software and its development has become a crucial strategic issue for the US military. The board also notes that the DOD cannot typically compete with the salaries tech companies offer software developers.

The DOD has taken numerous steps to boost its technological chops, with a particular focus on AI. In August 2015, the department set up the Defense Innovation Unit, which is tasked with coordinating AI across different areas of the military. The latest move, on April 25, saw the Pentagon announce its first chief digital and artificial intelligence officer, Craig Martell, previously head of machine learning at Lyft. Martell was appointed by Hicks to help advance adoption and use of the technology.

There is some debate around how many software engineers and data scientists the DOD actually needs to hire itself, and how much of the work it can outsource. Job ads highlight the defense world’s shift toward a software-centric outlook. Emsi, a company that tracks job listings, says 33 percent of 370,000 defense industry job advertisements it analyzed mention software development or data science skills, a figure that has grown 91 percent since 2017.

There are many ways AI and other technology could benefit the US military besides aiding with intelligence gathering and analysis or making weapons smarter. Small trials have shown that the technology can help manage logistics, predict when machinery will fail, and improve veteran care.

But the National Security Commission on Artificial Intelligence, a Pentagon initiative to assess the changing technology landscape, has warned that the US needs to invest more in new technologies and work more closely with the private sector to avoid being blindsided by China.

Given the scarcity of in-house talent, the Pentagon has turned to the private sector for help. But attempts to increase technological resources by working closely with Silicon Valley have been fraught. Project Maven, an Air Force initiative to collaborate with tech firms, sparked controversy in 2019 when Google employees protested the company’s decision to develop technology for analyzing aerial imagery. Workers at Microsoft staged protests over that company’s military contracts the same year. The Pentagon continues to work with some Silicon Valley firms, but it is still likely to see pushback from some tech workers over high-profile military projects.

Will Roper oversaw procurement for the Air Force between 2018 and 2021 and led the development of groundbreaking experiments involving the rapid deployment of AI in military aircraft using agile software methods borrowed from the tech world. He says that until the DOD is able to draw on more technical expertise, perhaps by getting technical experts to volunteer their time, “we’re probably not going to see the technology lined up in the military with where it is in the private sector.” “Why are we still dead in the water when it comes to talent?” he says.

Some experts say the DOD has to reinvent existing relationships with the private sector. They argue that awarding multibillion-dollar contracts to companies like Lockheed Martin, Raytheon Technologies, or Northrop Grumman to develop technology over many years is hardly conducive to fast-paced innovation.

Chris Brose is chief strategy officer for Anduril, a company working on a range of defense systems incorporating technologies that have emerged in Silicon Valley, such as virtual reality and AI. Brose says new technologies need to be developed and iterated on more rapidly. Anduril, which was cofounded by the virtual reality pioneer Palmer Luckey, is one of several new defense companies hoping to disrupt the existing order by doing things differently. “When you strip away all of the opacity and the complexity and the jargon, this is a very simple story of disruption,” says Brose.

Article link: https://www-wired-com.cdn.ampproject.org/c/s/www.wired.com/story/to-win-the-next-war-the-pentagon-needs-nerds/amp

LEO Operators and Manufacturers Wrestle with Supply Chain Cybersecurity – Via Satellite

Posted by timmreardon on 05/18/2022
Posted in: Uncategorized. Leave a comment

LOS ANGELES — MITRE, the federal contractor that runs R&D labs for the U.S. government, is developing a space cyber lab where real satellite hardware and software can be tested to ensure security. It’s just one of a host of new measures that space companies are adopting to harden their systems against hackers, panelists at the CyberLEO conference said May 12.

The lab will explore how vulnerabilities discovered in software and hardware components could be exploited by hackers in real space systems, said Jeff Finke, principal engineer and group leader at MITRE’s National Cybersecurity Center of Excellence.

“We have a 3U cubesat in the lab; except for the camera being different and the solar arrays not having solar panels, we could put it on a rocket and launch it into space,” he said. That authenticity is important because satellite software and firmware run on exotic systems unlike those used in conventional IT — which can make it harder for both attackers and defenders to determine the impact of vulnerabilities.

Initiatives like the space cyber lab are also needed, in part, because of the enormous complexity of satellite supply chains, added fellow panelist Phil Robinson, chief security officer for space data relay company SpaceLink. A great deal can be achieved through careful drafting of contracts, Robinson added, but there are limits.

“It comes down to negotiating with our prime suppliers, our subcontractors, our satellite manufacturers. … Do we have our contracts appropriately written in a way that covers risk?” Robinson asked.

Covering risks might mean insuring against them, or it might come in the form of guarantees from the manufacturer or other parties, Robinson continued. “Trust, but verify, right? We’re glad you put it in the contract. But I want to verify that you’re actually doing it as well.”

Relationships with vendors require trust, yet operators need to ask themselves: “What kind of processes are you putting in place to verify and validate that trusted relationship? Are you actually looking at their practice? Are you talking to their coders that are pulling down code libraries from Lord knows where?” Finke added.

The point, Finke said, is that risks don’t fade as they recede from the first-party vendors. “What are you doing, satellite operators, to trust that relationship from your vendors? How far back are you willing to go? It’s one thing to check out your first level of third party partners. Okay, that’s great. But who are they in business with? Are you willing to spend the resources to then go to that next level, and the next level beyond that, all the way into the chip foundry, all the way to whoever wrote that first library?”

Yet for companies working to turn a profit, the cost of peeling back the onion layers of the satellite supply chain can quickly become unsustainable, Finke warned. “How much, as a commercial entity, where I have to increase shareholder equity or make money — which is a good thing — how much am I willing to invest to mitigate some of this? … How much risk am I willing just to accept knowing it’s out there, versus where I’m going to put resources to mitigate?”

The dangers of vulnerable components are rendered worse because comparatively little research has been done on the unique architectures and embedded systems used in satellites, according to Ang Cui, CEO of Red Balloon Security. Embedded devices are specialized pieces of equipment very different from the general purpose computers of conventional IT. They generally have a single purpose and must run reliably for a dozen or more years. Cui compared satellite embedded devices to those used in industrial control systems known as ICS — the specialized computing systems that run factories, oil refineries, and power stations.

“I would say the security posture of the firmware inside those [ICS embedded] devices is about five to eight years behind general purpose computing security. Having looked at quite a bit of aerospace products … I would say a lot of the firmware inside aerospace things are about five to eight years behind ICS.”

Such a mountainous security debt puts satellite companies in an impossible position, he added. “If I went to anyone here and said, ‘Build a company, but you can only do it with an unpatched Windows 90 laptop, and you can’t make any modifications to any of the code because that’s not your property.’ You would say, ‘That’s a bad idea. That’s a crazy thing to do.’ But in a lot of these situations, that is exactly how we’re operating. We’re using these devices that we can’t change the firmware of because it has [outdated] security [requirements]. It has liability insurance, legal obligations. We’re stuck in that situation.”

As is often the case, the security debt hits defenders much harder than attackers.

“From what I’ve seen over the last decade, that offensive capability is so much more advanced than defensive capability, in all things embedded. And that gap is growing,” Cui said.

Classified conversations tend to focus on the extraordinary capabilities of government hackers, but the real danger is that those capabilities are quickly proliferating into the hands of criminal groups, too — becoming more widely available. “Those capabilities will spill over. And it’s not just in the hands of nation states. I think that’s the thing that we’re starting to see,” Cui noted.

Not everyone agreed. In a subsequent panel, retired Air Force Maj. Gen. Brett Williams, a co-founder of IronNet Cybersecurity, dismissed the idea that it is possible to secure components through testing — especially against deliberate insiders bent on mischief.

“The thinking you’re going to inspect everything, whether it’s hardware or software, and validate that it’s safe is a non-starter,” Williams said. Instead, he argued, a better approach is to try to validate the behavior of components — to ensure they do what they are supposed to.

“The real market opportunity is finding ways to understand that this stuff is doing what it’s supposed to do,” Williams said. “Even though you and I are using the same component, we’re using it a little bit differently, it’s connected to different things, it does different things. There’s got to be an understanding, is it doing what I need it to do?”

Unlike governments, commercial enterprises can’t put absolute restrictions on their vendor relationships. “The government can say … we aren’t buying any more Lenovo computers. We aren’t using Kaspersky antivirus. But [in the private sector] you don’t necessarily have that option,” he said.

For instance, one government requirement was that only U.S. nationals could work on coding or making other components, Williams said. “You couldn’t have any foreign nationals touch your software. How many people build software today that doesn’t have a foreign national touch it?”

Government regulations can easily become too burdensome, he noted. “I think the nuclear power industry is a good example of that. Right now, the nuclear power plants are run by commercial companies, but they’re so heavily regulated that the cost is humongous. It’s a really hard problem.”

Article link: https://www.satellitetoday.com/cybersecurity/2022/05/13/leo-operators-and-manufacturers-wrestle-with-supply-chain-cybersecurity/

Open-source Leader Advocates Strong FCC Enforcement of Routing Security – Nextgov

Posted by timmreardon on 05/18/2022
Posted in: Uncategorized. Leave a comment

By MARIAM BAKSH, APRIL 11, 2022

Reply comments are now due in 30 days to the Federal Communications Commission.

The Federal Communications Commission should consider imposing comprehensive tests and fines—after fair warning and guidance—to ensure internet service providers are taking minimal steps to protect the global internet routing system from malicious hackers, according to comments a leader in the open-source security community submitted to the agency.

“Voluntary compliance has failed to ensure compliance with even basic measures; companies have negligently allowed hijacking for decades, even when well-known and practical countermeasures exist,” wrote David Wheeler, director of open source supply-chain security for the Linux Foundation. “The FCC should establish a testing regime to ensure that Internet routing, if depended on by others, strongly resists hijacks using currently practical measures such as [Resource Public Key Infrastructure].”

Comments were due Monday in response to an inquiry the FCC made on the issue in the wake of the Russia-Ukraine conflict. The commission is concerned about hackers’—particularly powerful nation-state actors’—ability to manipulate the Border Gateway Protocol to redirect internet traffic by pretending to offer a more efficient network path. Resource Public Key Infrastructure, or RPKI, refers to a system of certificates and cryptographic attestation for stakeholders to validate the origin and authorize the route internet traffic should take.

In response to the FCC asking about the extent to which network operators have implemented available security measures, Wheeler pointed to a test established by the content distribution network Cloudflare. The test is a simple red-team exercise that advertises a route known to be spurious and checks whether the tester’s provider rejects it. Cloudflare committed to implementing RPKI in the fall of 2018.

“Those US organizations who fail should be notified, provided guidance on how to fix the problem, & given a grace period … to (re)gain compliance,” Wheeler said. “After the grace period there need to be incentives for failing US organizations to change to implement at least minimal efforts … These incentives should include grants if the organization is a not-for-profit, publishing a list of non-compliant entities, and then increasing fines over time … These organizations who negligently continue to leave the Internet so vulnerable, by failing to apply known best practices and existing technologies, are creating a hazard for everyone.”

In its comments to the FCC, USTelecom—the leading trade association for major internet service providers—endorsed RPKI implementation, but said adoption has been increasing without a requirement on the books.

“The majority of routes are still not signed, but the trajectory is good, we are up from less than 10% in 2018 to more than 35% as of this writing,” the group wrote, adding, “Buy-in from broad sets of stakeholders is essential, not just domestically, but also internationally.”

Also in the FCC’s docket on secure internet routing were comments from ETNO, the European Telecommunications Network Operators’ Association. The organization, whose internet-service-provider members have deployed BGP-specific routers in their networks, shared its system for coordination and noted wide support for RPKI implementation.

“The fr.telecom [Local Internet Registry] – serving the needs of Orange France and [Orange Business Services], for example, has close to 100% of its resources associated with an ROA – Route Origin Authorization,” the group said.
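The mechanism the comments above rely on is Route Origin Validation: a ROA binds a prefix (and a maximum more-specific length) to the AS allowed to originate it, and a router compares every BGP announcement against the covering ROAs. The following is an added example, not code from Nextgov, the Linux Foundation, Cloudflare or any operator quoted here; the ROAs, prefixes and AS numbers are constructed from documentation ranges and private ASNs, and the Valid/Invalid/NotFound states follow RFC 6811.

```python
"""Route Origin Validation (ROV) over a constructed RPKI ROA set.

Added example, not code from Nextgov, the Linux Foundation, Cloudflare or
any network operator. Prefixes, ASNs and ROAs are constructed (documentation
ranges, private ASNs) to show how an announcement is classified (RFC 6811).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, Iterable, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: holder of `prefix` authorizes `asn` to
    originate it and any more-specific prefix up to `max_length` bits."""
    prefix: Network
    max_length: int
    asn: int

    def covers(self, announced: Network) -> bool:
        # Covered when the announced prefix lies inside the ROA prefix
        # (address families must match, or subnet_of() raises TypeError).
        return (announced.version == self.prefix.version
                and announced.subnet_of(self.prefix))


def roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting the malformed case maxLength < prefix length."""
    net = ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"bad maxLength {max_length} for {prefix}")
    return ROA(net, max_length, asn)


def validate_origin(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 origin validation for a single (prefix, origin AS) pair."""
    announced = ip_network(prefix)
    covering = [r for r in roas if r.covers(announced)]
    if not covering:
        return "NotFound"          # unsigned space: no ROA says anything
    for r in covering:
        if r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return "Valid"         # at least one ROA authorizes this origin
    return "Invalid"               # covered, but every covering ROA forbids it


# Constructed ROAs, as the holders of these documentation prefixes might publish.
CONSTRUCTED_ROAS: List[ROA] = [
    roa("203.0.113.0/24", 24, 64500),   # only the /24 itself, only AS64500
    roa("198.51.100.0/24", 26, 64501),  # AS64501 may also announce /25, /26
    roa("2001:db8::/32", 48, 64502),    # IPv6 block, more-specifics to /48
]

# Constructed announcements (prefix, origin AS) as seen in a BGP feed.
CONSTRUCTED_ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("203.0.113.0/24", 64500),    # exact match           -> Valid
    ("203.0.113.0/25", 64500),    # exceeds maxLength 24  -> Invalid
    ("203.0.113.0/24", 64666),    # wrong origin AS       -> Invalid
    ("198.51.100.64/26", 64501),  # within maxLength 26   -> Valid
    ("192.0.2.0/24", 64503),      # no covering ROA       -> NotFound
    ("2001:db8:1::/48", 64502),   # IPv6 within maxLength -> Valid
]


def classify_feed(announcements: Iterable[Tuple[str, int]],
                  roas: Iterable[ROA]) -> Dict[Tuple[str, int], str]:
    """Map each (prefix, origin AS) to its ROV state; a router drops Invalid."""
    roas = list(roas)
    return {(p, a): validate_origin(p, a, roas) for p, a in announcements}


def signed_fraction(states: Dict[Tuple[str, int], str]) -> float:
    """Share of announcements covered by some ROA: the 'routes signed' figure."""
    if not states:
        return 0.0
    return sum(s != "NotFound" for s in states.values()) / len(states)


if __name__ == "__main__":
    result = classify_feed(CONSTRUCTED_ANNOUNCEMENTS, CONSTRUCTED_ROAS)
    for (p, a), state in result.items():
        print(f"{p:>20} AS{a:<6} {state}")
    print(f"signed: {signed_fraction(result):.0%}")
```

A real validator would fetch ROAs from the RPKI repositories via a relying-party cache rather than a hard-coded list, but the classification logic is the same.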

Article link: https://www.nextgov.com/cybersecurity/2022/04/open-source-leader-advocates-strong-fcc-enforcement-routing-security/365509/

CBO Releases an Improved Interactive Tool for Analyzing the Military’s Forces and Resources – CBO

Posted by timmreardon on 05/18/2022
Posted in: Uncategorized. Leave a comment

Posted by Phill Swagel on May 17, 2022

Today, CBO released an enhanced version of its interactive tool for analyzing the force structure of the U.S. military and understanding how that structure influences defense spending.

What New Features Does the Tool Provide?

The enhanced tool allows users to alter the overall defense budget (annually or in total for 10 years) to see the possible effects on military forces; or to add or subtract brigades, ships, aircraft squadrons, and other units to see the effects on the defense budget; or to explore any combination of those approaches. It shows estimated effects on the Department of Defense’s (DoD’s) costs and on the size of the military. (Learn more about CBO’s approach to calculating those costs.)

In addition, CBO now provides a tutorial to help users understand how to use the tool’s new functionality to explore different types of policy choices. The tutorial, combined with the ability to alter total defense spending, makes the tool more broadly accessible by reducing the amount of specialized knowledge that users need to have about the military or the defense budget.

How Can People Use the Tool?

The new features will let Congressional staff, defense researchers, members of the media, educators, and others use the interactive tool in a wide variety of ways.

For budgeting, the tool helps people explore alternative policy choices and generate results that include standard 10-year costs. They can do that by examining potential changes to the total size of the defense budget, altering phase-in time lines, and exporting detailed data files that show 10-year costs as well as the deflators needed to convert real dollars to nominal dollars for budgeting purposes.

For force structure analysis, the tool offers a way to analyze the effects of proposed changes to forces, considering cuts or expansions of various sizes and focusing, if desired, on particular types of units. The tool also provides information about the major combat units that currently make up the U.S. military, including their number, size, functions, and average costs.

For teaching, the tool—in conjunction with CBO’s periodic report The U.S. Military’s Force Structure: A Primer—can continue to help instructors at military academies, war colleges, and security studies programs provide an introduction to U.S. forces and engage in “what if” analysis of possible changes to those forces.

To be transparent, the enhanced tool follows CBO’s practice of showing the raw cost factors and quantities used in the agency’s cost model for the U.S. military, allowing other researchers to view, use, or alter that model. In addition, CBO will continue to update the cost factors and quantities in the tool as DoD releases new budget plans. The enhanced tool also includes the ability to export more detailed data files for users who want to conduct more in-depth analysis than the tool itself permits. Those data files include documentation of all the cost factors and default settings of CBO’s cost model, as well as technical factors such as phase-in rates, deflators, and the military’s projected costs over the next decade.

Phillip L. Swagel is CBO’s Director.

Article link: https://www.cbo.gov/publication/57981?
