healthcarereimagined

BRANDON LESHCHINSKIY AND ANDREW BOWNE

MAY 17, 2022

“I don’t know what we mean when we say we’re ‘pursuing AI.’ Do you?”

“We don’t change to accommodate new technologies, anyway … We just shove them into our current paradigm.”

“I don’t even understand what we’re supposed to be doing right now!”

Twenty officers are seated around a table, mired in the discomfort of an “adaptive leadership” workshop. This framework, developed by Ronald Heifetz and colleagues at the Harvard Kennedy School, is designed to help organizations make progress on complex, collective challenges, known as “adaptive” challenges. Unlike “technical” problems, which can be solved with existing know-how, adaptive challenges demand learning and change — adaptation — from the stakeholders themselves.

Digital transformation presents an adaptive challenge for the Department of Defense. As long as the Department of Defense relies on painless, “technical” fixes — what Steve Blank calls “innovation theater” — America will become increasingly vulnerable to exploitation by foreign adversaries, costing both dollars and lives. To make progress on the challenge of digital transformation — and to maintain technological superiority — the Department of Defense should reexamine and reshape its deeply held values, habits, beliefs, and norms.

The officers in the workshop are an excellent example of a group wrestling with adaptation. As in many groups, they begin by looking outwards. One says, “It’s the ‘frozen middle’ that prevents us from doing anything digital,” while another adds, “Our higher-ups can’t agree on what they want, anyway. … What are we supposed to do?” The instructor nudges them: “It seems the group is shifting responsibility to anywhere but here. What makes it difficult to look inward?”

Next, the officers drift away from the challenge. They share stories of previous successes, appraise the instructor’s credentials, and joke about the workshop itself. Again, the instructor intervenes: “I notice we’re avoiding uncertainty. Can we stay longer in the nebulous space of ‘digital transformation’? Or will we escape the moment it’s not clear how to proceed?”

Begrudgingly, they return to digital transformation, but after a few minutes, they ask the instructor for help: “Are you going to chime in here, or …?” The instructor responds, “You’re depending on an authority — someone in charge — to solve a problem that can only be addressed collectively — by all of you.”

At this point, the room burns with frustration. But the officers can’t be blamed. Their moves to avoid adaptive work — diverting attention away from the issue and shifting responsibility for it elsewhere — are typical for groups confronting a difficult reality.

More specifically, in what Heifetz terms the “classic failure,” groups attempt to resolve adaptive challenges via “technical fixes”: painless attempts that apply existing know-how, rather than working with stakeholders to change how they operate.

Hiring someone, firing someone, increasing the budget, expanding the timeline, creating a committee, restructuring the org, building a new tool, pushing a new policy: These are all technical fixes, which, while not inherently harmful, are easier than — and can distract from — the internal work of reevaluating values, habits, beliefs, and norms.

Even now, the Department of Defense is attempting to address digital transformation through technical means. The Department of Defense has created the Joint AI Center, partnered with the Massachusetts Institute of Technology (MIT), and established the position of Chief Digital and AI Officer. These steps are not without benefit: The Joint AI Center has developed AI ethics principlesand a new acquisitions process; MIT has produced valuable research and educational content; and the Chief Digital and AI Officer provides an opportunity to integrate across various technological functions. But these actions are not enough. In fact, they’re not even the most challenging steps.

The real obstacles to digital transformation are deep-seated norms and conflicting perspectives that exist across the entire organization. “How valuable are technologists, really? Should they be treated differently from others?”; “What about computers: Can we trust them to do our jobs as well as we do? If so, what will be the role of humans afterward?”; and perhaps most importantly, “How do we move beyond simply articulating new standards to actually living them?” These are hard questions that affect the Department of Defense’s objectives, strategies, and tasks at every level — but answers will be earned only through discussion and experimentation across the defense ecosystem itself.

Back in the workshop, at least, the officers have made a breakthrough. Toward the end of the session, the instructor says, “I feel a sense of sadness in the room. Does anyone else feel that?” Predictably, everyone shakes their head — admitting sadness feels like admitting failure — but then a major speaks up: “I’ll bite. Yeah, I do feel sad. This just feels overwhelming. If we can’t depend on our commanders to get this done …” He pauses. “I have no idea how we’re going to do it. Especially when we’re told to just keep our heads down all the time. It feels hopeless.”

The major’s comment is the most honest moment the group has seen, and the shift in the room is palpable: An hour prior, the officers were hardly aware of their own duty to generate adaptive work, and if they were, they did not appreciate its weight. Now, they are coming to terms with this responsibility, and they are doing it publicly — vulnerably — where the whole group can learn from individual experience. This shift is the stuff of real change.

The truth is, no one knows how a digitally transformed Department of Defense will operate. But no one will find out without the collective process of trying, failing, and learning. The Department of Defense should therefore become comfortable learning through experience — gathering data through discussion and experimentation — and publicizing that learning across the organization. And while the Department of Defense has good reasons for maintaining a risk-averse culture, avoiding learning creates its own set of risks. The world is changing, and America’s adversaries are improving their capabilities. We cannot afford to wait for our enemies to make clear that they’ve surpassed us.

Officers can take three actions to make progress on digital transformation now.

First, officers should generate and run low-risk experiments: actions that will produce learning for the future, not actions that will produce success based on today’s metrics — who knows whether those metrics will be relevant post-transformation? For example, at the Department of the Air Force– Massachusetts Institute of Technology Artificial Intelligence Accelerator, we have experimented with multiple forms of educating servicemembers, from live lectures and online courses to interactive exercises and project-based workshops. When an experiment produces failure, so be it: Failure is the primary ingredient of learning.

Second, officers should surface as many perspectives on digital transformation as possible. Who balks at digitization? Who supports it? Why? And what’s the wisdom in each perspective? If everyone is part of the problem, everyone should also be part of the solution — even if it means engaging people across boundaries in a way the Department of Defense has never done before.

Finally, officers should prepare those around them for a prolonged period of ambiguity, where operational reality dictates that those in charge will be unable to answer critical questions. This serves two purposes. First, it helps to manage expectations, so those in positions of authority can resist the pressure of providing answers where none exist. Second, it empowers those without authority to run their own experiments — to try something new and to fail — and report back on what they learned.

Ultimately, transforming a system requires transforming the people within it. If the Department of Defense is seriously committed to digital transformation, everyone should be engaged in the uncomfortable and personal process of change. As the work continues, both the organization and the people within it will find themselves better equipped to handle new and challenging realities.

The workshop, meanwhile, closes on a note that applies across the Department of Defense: “This moment demands courage. Try better. Fail better. Learn better. One day, you’ll look back and see that you’ve transformed.”

Article link: https://warontherocks.com/2022/05/digital-transformation-is-a-cultural-problem-not-a-technological-one/

Brandon Leshchinskiy is an AI innovation fellow at the Department of the Air Force-Massachusetts Institute of Technology Artificial Intelligence Accelerator, where he has taught over 600 servicemembers, including over sixty generals, admirals, and senior executive service members, about AI. He also works with Ronald Heifetz and others at the Harvard Kennedy School, where he has coached over 50 students, ranging from young professionals to senior executives, on complex, collective challenges. 

Andrew Bowne is an Air Force judge advocate and the chief legal counsel of the Department of the Air Force-Massachusetts Institute of Technology Artificial Intelligence Accelerator. He is also a Ph.D. candidate at the University of Adelaide examining the nexus of national security and AI, focused on the role of industry. He has published numerous articles and book chapters, including national security, security cooperation, contract law, rule of law, machine learning, and intellectual property. 

The views expressed are those of the authors and do not reflect the official guidance or position of the U.S. government, the Department of Defense, or the U.S. Air Force. Further, the appearance of external hyperlinks does not constitute endorsement by the Department of Defense of the linked websites, or the information, products, or services contained therein. The Department of Defense does not exercise any editorial, security, or other control over the information you may find at these locations.

Image: U.S. Army

Employers and private insurers in 2020 paid hospitals 224% of what Medicare would have paid for the same inpatient and outpatient services, at the same medical facilities.

Findings from Round 4 of an Employer-Led Transparency Initiative

by Christopher M. Whaley, Brian Briscombe, Rose Kerber, Brenna O’Neill, Aaron Kofner

• Related Topics:
• Employer Sponsored Health Insurance,
• Health Care Costs,
• Health Insurance Markets,
• Medicare

• Citation
• Synopsis(print-friendly)
• Embed
• View related products

• Share on Facebook
• Share on Twitter
• Share on LinkedIn

DOWNLOAD EBOOK FOR FREE

PDF file 3.1 MB

Technical Details »

DOWNLOAD SUPPORT FILES

Supplemental Materials

zip file 3.3 MB

Technical Details »

Research Questions

1. What were the levels and variations of hospital prices paid by employers and private insurers across the United States from 2018 to 2020?

Because employer-sponsored spending comes from employee wages and benefits, employers have a fiduciary responsibility to administer benefits in the interest of participants. The lack of transparency of prices in the health care market limits the ability of employers to knowledgeably develop or implement benefit design decisions. This study uses medical claims data from a large population of privately insured individuals, including hospitals and other facilities from across the United States, and allows an easy comparison of hospital prices using a single metric. An important innovation of this study is that our data use agreements allow reporting on prices paid to hospitals and hospital systems(hospitals under joint ownership) identified by name.

Key Findings

• Some states (Hawaii, Arkansas, and Washington) had relative prices below 175 percent of Medicare prices, while other states (Florida, West Virginia, and South Carolina) had relative prices that were at or above 310 percent of Medicare prices.
• In 2020, across all hospital inpatient and outpatient services (including both facility and related professional charges), employers and private insurers paid 224 percent of what Medicare would have paid for the same services at the same facilities.
• The 224 percent total for 2020 is a reduction from the 247 percent figure reported for 2018 in the previous study owing to an increase in the volume of claims from states with prices below the previous mean price.
• Among the common data contributors in this round and the previous round, 2020 prices averaged 252 percent of Medicare, which is similar to the 247 percent relative price reported in the previous round for 2018.
• Prices for common outpatient services performed in ambulatory surgery centers (ASCs) averaged 162 percent of Medicare payments, but if paid using Medicare, payment rates for hospital outpatient departments (HOPDs) would have averaged 117 percent of Medicare.
• Although relative prices are lower for ASC claims priced according to HOPD rules, HOPD prices are higher than ASC prices.
• Very little variation in prices is explained by each hospital’s share of patients covered by Medicare or Medicaid; a larger portion of price variation is explained by hospital market power.
• Prices for COVID-19 hospitalization were similar to prices for overall inpatient admissions and averaged 241 percent of Medicare.

• NEWS RELEASEPrivate Health Plans During 2020 Paid Hospitals 224 Percent of What Medicare Would Pay May 17,2022
• PROJECTHealth Care Price Transparency in the United States May 9, 2019

Table of Contents

• Chapter OneBackground
• Chapter TwoData and Methods
• Chapter ThreeFindings
• Chapter FourConclusion
• Appendix ABackground on Hospital Markets and Pricing

Article link: https://www.rand.org/pubs/research_reports/RRA1144-1.html?

MAY 13, 2022 , DOD NEWS

As America’s strategic competitors advance their technological advantage, the U.S. must take action to avoid losing its edge, said the undersecretary of defense for research and engineering.

On Capitol Hill Thursday, Heidi Shyu told lawmakers at the House Armed Services Committee what the Defense Department must do to maintain its technological advantage. The first step, she said, is building a strong foundation for research and development within the department. The second, she said, is changing how DOD does business.

Spotlight: Engineering in the DOD

“Every strong structure needs to stand on a solid foundation to ensure this country retains our edge and fuels the future technologies and capabilities,” Shyu told lawmakers. “We must make a commitment to science and technology, particularly in basic research.”

Shyu said the department must, among other things, increase efforts to attract the best talent, must build more robust and necessary infrastructure for R&D, must perform joint experimentation and must do better at collaborating across the technology ecosystem. 

“If we expect the department to attract the world’s best and brightest, to produce state-of-the-art technologies, we must modernize our laboratories and test ranges,” she said. “The future of the department depends on talented people, and we’re committed to developing this talent.” 

As part of that commitment, she said, the department has invested in a variety of workforce, educational and research programs ranging from K-12 robotic systems to STEM scholarships and social science research.

The Defense Department has historically been a leader in R&D and still is. But now, in the U.S., the private sector’s capacity for R&D — without the DOD’s involvement — has exploded, Shyu said. 

Spotlight: Support for Ukraine

“As seen in Ukraine, novel commercial technology, paired with conventional weapons, can change the nature of conflict,” she said. “The department’s processes, ranging from programming, to experimentation, to collaboration, should be updated to reflect the dynamic landscape of today and anticipate the needs of tomorrow.”

The U.S. private sector, Shyu said, is America’s competitive advantage. 

“We must focus on improving how the government and private sector work together,” she said. “I am committed to working with you to ensure the department can move as quickly as possible as it engages with the private sector, and the whole innovation ecosystem, to rapidly transition technology to future capabilities.”

Article link: https://www.defense.gov/News/News-Stories/Article/Article/3031868/dod-must-take-action-to-keep-tech-edge/

By FRANK KONKELAPRIL 26, 2022

The future of warfare could be determined by the Defense Department’s ability—or lack thereof—to quickly adopt emerging technologies.

Decades ago, the federal government and U.S. military drove nationwide technology advancements, funding countless cutting-edge initiatives that resulted in technologies like GPS and the internet.

Today, technology research and development funding is led by private sector companies, with federal agencies and the Defense Department serving as customers for—and not necessarily leaders in—cutting-edge technologies.

However, accessing, acquiring and employing new technologies spearheaded by startups and innovative technology firms has become increasingly problematic for a host of reasons for the Defense Department and government broadly, resulting in what’s been termed the “valley of death.”

To begin Season 13 of Critical Update, Nextgov spoke with Pete Modigliani, Software Acquisition Lead for the Office of the Undersecretary of Defense for Acquisition and Sustainment at MITRE, about how the Defense Department can bridge the valley of death and ensure warfighters today won’t miss out on technologies of the future.

You can listen to the full episode below or download and subscribe to Critical Update in Apple Podcasts or Google Play

Article link: https://www.nextgov.com/podcasts/2022/04/critical-update-bridging-defense-departments-valley-death/366061/

• NIST agency running competition for new encryption standards
• Quantum computing comes with risks for modern data protection

By Katrina Manson

May 13, 2022, 8:34 AM EDTUpdated onMay 13, 2022, 9:52 AM EDT

The US is readying new encryption standards that will be so ironclad that even the nation’s top code-cracking agency says it won’t be able to bypass them.

The National Security Agency has been involved in parts of the process but insists it has no way of bypassing the new standards.

“There are no backdoors,” said Rob Joyce, the NSA’s director of cybersecurity at the National Security Agency, in an interview. A backdoor enables someone to exploit a deliberate, hidden flaw to break encryption. An encryption algorithm developed by the NSA was dropped as a federal standard in 2014 amid concerns that it contained a backdoor.

The new standards are intended to withstand quantum computing, a developing technology that is expected to be able to solve math problems that today’s computers can’t. But it’s also one that the White House fears could allow the encrypted data that girds the U.S. economy – and national security secrets – to be hacked. 

Scientists estimate viable quantum computing could arrive anywhere from five to 50 years from now, if ever.

The contest by the National Institute of Standards and Technology, or NIST, is intended to update the algorithms that underpin widespread public-key cryptography that secures emails, online banking, medical records, access to control systems, some national security work and more. That system, developed in the 1970s, allows for the private exchange of information by relying on publicly accessible algorithms. Announcement of the winners is imminent, officials said.

The Biden administration last week unveiled a plan to switch the entire US economy to quantum-resistant cryptography, which will rely on new NIST algorithms, as much “as is feasible by 2035.” 

Joyce, of the NSA, said it was a question of “when, not if.” He is among those who worry U.S. adversaries are stealing and stockpiling encrypted data intended to remain secret for decades or more in anticipation of being able to unlock it when viable quantum computing arrives. China, for one, is pouring billions of dollars of investment into developing quantum computing, according to US researchers.

NIST, which started the post-quantum contest in 2016, has taken pains to stress independence in overseeing the public competition, which is now down to seven finalists from 69 initial viable submissions “from all over the world.” While the NSA has helped design and edit NIST standards in the past, this time the institute has made all decisions about the new algorithms internally, relying on the expertise of its post-quantum cryptography team, a NIST spokesperson told Bloomberg.

The NSA already has classified quantum-resistant algorithms of its own that it developed over many years, said Joyce. But it didn’t enter any of its own in the contest. The agency’s mathematicians, however, worked with NIST to support the process, trying to crack the algorithms in order to test their merit.

“Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance,” Joyce said. “We’ve worked against all of them to make sure they are solid.”

The purpose of the open, public international scrutiny of the separate NIST algorithms is “to build trust and confidence,” he said.

Leaked documents from former NSA contractor Edward Snowden in 2013 revealed some of the NSA’s techniques for penetrating encryption and lent credence to allegations that the algorithm it created included a backdoor. Afterward, NIST revoked its support for the algorithm.

Choosing the algorithm is only a first step. NIST will then oversee an effort to turn the winning algorithms into public standards. The plan is to make them available in 2024 so that government and industry can adopt them.

The NIST spokesperson said the final standard will also be open to scrutiny for any weakness or flaws.

“The reason they take so long to standardize is our confidence in them is a function of how many hours really smart people are taking to try to break them,” said Charles Tahan, director of the national quantum coordination office at the White House, in an interview.

Article link: https://www.bloomberg.com/news/articles/2022-05-13/nsa-says-no-backdoor-in-new-encryption-scheme-for-us-tech

By NATALIE ALMS May 11, 2022

Immigration and Customs Enforcement has used facial recognition to search through the driver’s license photos of one in three adults in the U.S., according to a new report by Georgetown Law’s Center on Privacy and Technology.

Immigration and Customs Enforcement, or ICE, “now operates as a domestic surveillance agency,” according to a new report by Georgetown Law’s Center on Privacy and Technology based on a two-year investigation.

The report details how, since the agency was established in post-9/11 legislation, ICE has moved beyond cooperating primarily with other law enforcement agencies to assemble an infrastructure that enables it to pull detailed information on Americans, immigrants and non-immigrants alike, with data from private data brokers and state and local governments.

ICE’s “surveillance dragnet” also uses facial recognition, especially the scanning of driver’s license photos for immigration enforcement, according to the report, which involved hundreds of Freedom of Information Act Requests and reviews of the agency’s contracting and procurement records.

Between 2008 and 2021, ICE spent about $96 million on biometrics, a category that also includes fingerprinting and DNA testing, according to the report.

Currently, “there are few regulations limiting law enforcement’s use of face recognition generally and almost no regulations addressing ICE’s use of the technology,” the report states.

ICE did not reply to a request for comment on the report from FCW.

The use of facial recognition dates to a 2008 contract between the agency and biometrics company L-1 Identity Solutions, which gave ICE access to the face recognition database of the Rhode Island motor vehicle department, according to the report, which details ICE’s use of facial recognition searches of DMV databases.

ICE has used facial recognition tech to scan the drivers license photos of one in three adults in the U.S., and since 2015, the agency has requested face recognition scans of DMV databases in at least 14 states, according to the report.

“The use of face recognition on DMV data is particularly egregious because people don’t expect to have their images and personal data be shared with other agencies. This is a betrayal of the trust that people put in their state agencies and needs to stop,” said Allison McDonald, research fellow at the center and one of the report’s authors, in a statement to FCW.

“This doesn’t mean that other, less covert uses of face recognition are unproblematic. There is ample evidence that face recognition is unreliable and biased, and is not a technology that should be used by police or immigration authorities,” she continued.

The report urges ICE to stop the use of facial recognition for immigration enforcement, pointing to concerns with race and gender bias in algorithms, the potential for misidentification and wrongful arrests and concerns about privacy and due process. 

Since May 2020, ICE policy has prohibited the use of facial recognition tech in its Enforcement and Removal Operations, the report states, but not its Homeland Security Investigations.

ICE isn’t the only agency to tap into facial recognition technology.

A 2021 report from the Government Accountability Office surveyed 24 agencies to find that most were using the technology for either domestic law enforcement, cybersecurity or physical security. The General Services Administration, for example, is currently considering the use of facial recognition for Login.gov.

The agency’s surveillance work has occurred largely without judicial, legislative or public oversight, the report states. Most congressional leaders didn’t know about ICE’ use of facial recognition scans of DMV photos until media reports in 2019 – over a decade after the first known contract in 2008, the report states. 

Another major source of information for the agency detailed by this investigation is data and algorithmic tools.

ICE has tapped into databases from private data brokers and state and local governments – often data given in order to get essential services, the report states, pointing to records from the Department of Motor Vehicles, as well as utility information, employment records and housing records.

In 16 states and the District of Columbia, for example, undocumented people can get drivers licenses. In six of those states, ICE has used facial recognition to scan driver’s license photos;  in five, it can look for driver’s license information to use for civil immigration enforcement without a warrant.

The report also estimates that ICE can likely obtain address information for 74% of adults in the U.S. using utility records created when they tap into gas, electricity, phone or internet in a new home – information that can help trace people for deportation, the report states.

The sharing of data handed over to get essential services has already created evidence of  a “chilling effect,” or the deterrence of immigrants from interacting with government systems and enrolling in critical services, the report states.

The report does include recommendations, urging Congress to reform immigration laws, enact new data protections, update laws that limit the disclosure of information given by Americans to the DMV and conduct more oversight of ICE, including the agency’s use of biometrics. 

It also includes recommendations for state lawmakers on the use of water, gas, electricity, phone and internet records for immigraiton enforcement and ICE access to DMV data.

Article link: https://www.nextgov.com/cxo-briefing/2022/05/ice-has-assembled-surveillance-dragnet-facial-recognition-and-data-report-says/366826/

By Melissa Heikkiläarchive page May 13, 2022

The European Union is planning new legislation aimed at curbing the worst harms associated with artificial intelligence.

It’s a Wild West out there for artificial intelligence. AI applications are increasingly used to make important decisions about humans’ lives with little to no oversight or accountability. This can have devastating consequences: wrongful arrests, incorrect grades for students, and even financial ruin. Women, marginalized groups, and people of color often bear the brunt of AI’s propensity for error and overreach. 

The European Union thinks it has a solution: the mother of all AI laws, called the AI Act. It is the first law that aims to curb these harms by regulating the whole sector. If the EU succeeds, it could set a new global standard for AI oversight around the world.

But the world of EU legislation can be complicated and opaque. Here’s a quick guide to everything you need to know about the EU’s AI Act. The bill is currently being amended by members of the European Parliament and EU countries. 

What’s the big deal?

The AI Act is hugely ambitious. It would require extra checks for “high risk” uses of AI that have the most potential to harm people. This could include systems used for grading exams, recruiting employees, or helping judges make decisions about law and justice. The first draft of the bill also includes bans on uses of AI deemed “unacceptable,” such as scoring people on the basis of their perceived trustworthiness. 

The bill would also restrict law enforcement agencies’ use of facial recognition in public places. There is a loud group of power players, including members of the European Parliament and countries such as Germany, that want a full ban or moratorium on its use in public by both law enforcement and private companies, arguing that the technology enables mass surveillance. 

If the EU manages to pull this off, it would be one of the strongest curbs yet on the technology. Some US states and cities, such as San Francisco and Virginia, have introduced restrictions on facial recognition, but the EU’s ban would apply to 27 countries and a population of over 447 million people.

How will it affect citizens? 

In theory, it should protect humans from the worst side effects of AI by ensuring that applications face at least some level of scrutiny and accountability. 

People can trust that they will be protected from the most harmful forms of AI, says Brando Benifei, an Italian member of the European Parliament, who is a key member of the team amending the bill. 

Related Story

Deepfake porn is ruining women’s lives. Now the law may finally ban it.

After years of activists fighting to protect victims of image-based sexual violence, deepfakes are finally forcing lawmakers to pay attention.

The bill requires people to be notified when they encounter deepfakes, biometric recognition systems, or AI applications that claim to be able to read their emotions. Lawmakers are also debating whether the law should set up a mechanism for people to complain and seek redress when they have been harmed by an AI system. 

The European Parliament, one of the EU institutions working on amending the bill, is also pushing for a ban on predictive policing systems. Such systems use AI to analyze large data sets in the interest of preemptively deploying police to crime-prone areas or to trying to predict a person’s potential criminality. These systems are highly controversial, and critics saythey are often racist and lack transparency.

What about outside the EU?

The GDPR, the EU’s data protection regulation, is the bloc’s most famous tech export, and it has been copied everywhere from California to India. 

The approach to AI the EU has taken, which targets the riskiest AI, is one that most developed countries agree on. If Europeans can create a coherent way to regulate the technology, it could work as a template for other countries hoping to do so too. 

“US companies, in their compliance with the EU AI Act, will also end up raising their standards for American consumers with regard to transparency and accountability,” says Marc Rotenberg, who heads the Center for AI and Digital Policy, a nonprofit that tracks AI policy.

The bill is also being watched closely by the Biden administration. The US is home to some of the world’s biggest AI labs, such as those at Google AI, Meta, and OpenAI, and leads multiple different global rankings in AI research, so the White House wants to know how any regulation might apply to these companies. For now, influential US government figures such as National Security Advisor Jake Sullivan, Secretary of Commerce Gina Raimondo, and Lynne Parker, who is leading the White House’s AI effort, have welcomed Europe’s effort to regulate AI.

“This is a sharp contrast to how the US viewed the development of GDPR, which at the time people in the US said would end the internet, eclipse the sun, and end life on the planet as we know it,” says Rotenberg.

Despite some inevitable caution, the US has good reasons to welcome the legislation. It’s extremely anxious about China’s growing influence in tech. For America, the official stance is that retaining Western dominance of tech is a matter of whether “democratic values” prevail. It wants to keep the EU, a “like-minded ally,” close. 

What are the biggest challenges? 

Some of the bill’s requirements are technically impossible to comply with at present. The first draft of the bill requires that data sets be free of errors and that humans be able to “fully understand” how AI systems work. The data sets that are used to train AI systems are vast, and having a human check that they are completely error free would require thousands of hours of work, if verifying such a thing were even possible. And today’s neural networks are so complex even their creators don’t fully understand how they arrive at their conclusions. 

Tech companies are also deeply uncomfortable about requirements to give external auditors or regulators access to their source code and algorithms in order to enforce the law.

“The current drafting is creating a lot of discomfort because people feel that they actually can’t comply with the regulations as currently drafted,” says Miriam Vogel, who is the president and CEO of EqualAI, a nonprofit working on reducing unconscious bias in AI systems. She also chairs the newly founded National AI Advisory Committee, which advises the White House on AI policy. 

There’s also a giant fight brewing over whether the AI Act should ban the use of facial recognition outright. It’s contentious because EU countries hate it when Brussels tries to dictate how they should handle matters of national security or law enforcement. Several countries, such as France, want to make exceptions for using facial recognition to protect national security. In contrast, the new government of Germany, another big European country and an influential voice in EU decision making, has said it supports a full ban on the use of facial recognition in public places. 

Another big fight will be over what kinds of AI get classified as “high risk.” The AI Act has a list that ranges from lie detection tests to systems used to allocate welfare payments. There are two opposing political camps—one fearing that the vast scope of the regulation will slow down innovation, and the other arguing that the bill as written will not do enough to protect people from serious harm. 

Won’t this stifle innovation? 

A common criticism from Silicon Valley lobbyists is that the regulation will create extra red tape for AI companies. Europe disagrees. The EU counters that the AI Act will only apply to the riskiest set of AI uses, which the European Commission, the EU’s executive arm, estimates would apply to just 5 to 15% of all AI applications.

Tech companies “should be reassured that we want to give them a stable, clear, legally sound set of rules so that they can develop most of AI with very limited regulation,” says Benifei. 

Organizations that don’t comply face fines of up to €30 million ($31 million) or, for companies, up to 6% of total worldwide annual revenue. And experience shows that Europe is not afraid to dish out fines to tech companies. Amazon was fined €746 million ($775 million) in 2021 for breaching the GDPR, and Google was fined €4.3 billion ($4.5 billion) in 2018 for breaching the bloc’s antitrust laws. 

When will it come into effect? 

It will be at least another year before a final text is set in stone, and a couple more years before businesses will have to comply. There is a chance that hammering out the details of such a comprehensive bill with so many contentious elements could drag on for much longer. The GDPR took more than four years to negotiate, and it was six years before it entered into force. In the world of EU lawmaking, anything is possible.

Article link: https://www.technologyreview.com/2022/05/13/1052223/guide-ai-act-europe/

By LAUREN C. WILLIAMSMAY 11, 2022 06:03 PM ET

While there’s no such thing as completely secure software, open source can make it stronger through the “power of the crowd,” said Lauren Knausenberger, the Air Force’s chief information officer.

The future of warfare could depend on the Defense Department’s ability to update weapons or communications systems with a software patch, and embracing open source software could help make that a reality. 

That was a key point Lauren Knausenberger, the Air Force’s chief information officer, stressed Wednesday when testifying about the benefits of open source software. 

“It is entirely possible that a future conflict to preserve our way of life is decided by features, fixes, and updates to software intensive systems that must take place in minutes or hours. And this means that we must learn quickly as a department and leverage the knowledge and best practices of the entire development community,” Knausenberger told the House Committee on Science, Space, and Technology Subcommittees on Investigations and Oversight And Subcommittee on Research and Technology on May 11.

While there’s no such thing as completely secure software, open source makes it stronger through the “power of the crowd,” Knausenberger said.

“The same concerns are there whether it’s commercial software or open source. But if it’s open source software, you have the power of the crowd looking at it and then you can also run your own tests internally because it is open code…you can redo the work yourself if you so choose,” she said. 

Knausenberger prefaced her testimony on May 11, saying she was “bullish” on open source technology and noted that fewer eyes on commercial software’s source code could mean significant cybersecurity breaches go undetected for longer periods of time. 

“With commercial software, you can’t see the source code. You do have situations where like with SolarWinds, you could have a sophisticated adversary come in, inject malware, and have it be months before anyone knows that there’s a problem,” the tech chief said. 

“Whereas in the open source community we’ve seen with a number of examples that we just catch it faster, we can push it faster, we have more people trying to fix it faster and spread the word. Whereas the commercial side, you have some really smart companies working on it, but we might not know about it as soon.”

Brian Behlendorf, the general manager for the Open Source Security Foundation, a Linux Foundation project, testified that the open source community previously had a “buyer beware” reputation when it came to software security. And while things have changed culturally, resources will be needed to ensure proper oversight. 

“Culturally speaking, there’s a greater emphasis on security in the open source software community. There used to be very much a perspective of caveat emptor: I’m just throwing this out there anyone who wants it is welcome to it, but buyer beware and let us know if you find any bugs,” Behlendorf said. 

Now, he said, open source foundations formalize structured security or incident response teams  for projects, sometimes using paid part-time or full-time security researchers dedicated to improving the underlying code, or utilize third-party audits before a product release. 

“So it gives me a lot of hope. But there also is a very long tail that is getting longer and longer of very, very small components that … aggregated together create interesting things, but [are] where there’s perhaps less oversight.”

Behlendorf said there often aren’t enough “eyeballs” on open source projects, even the ones that are highly relied on, “so one thing we’re really trying to do is just make sure that we find the pieces that are critical, find the ones that are under-resourced then where we can direct resources of whatever form are required to increase the level of trust that we might have in that component.” 

While it’s been discussed (if not urged) for many years, the Defense Department has been more vocal recently about embracing open source software. In January, DOD chief information officer John Sherman issued guidance on how to use open source software and the department’s security concerns, including the potential to create “a path for adversaries to introduce malicious code into DoD systems” alongside the “imprudent sharing of code developed for DOD systems.”

During her testimony, Knasuenberger said vulnerabilities are a fact of life in software design.

“If there are no bugs found in a particular piece of software, it’s because no one’s looking,” she said. “It’s not because it’s perfect.”

Article link: https://fcw.com/security/2022/05/why-usafs-it-chief-bullish-open-source/366836/

By MARIAM BAKSHMAY 12, 2022 02:04 PM ET

The new protocol is officially being added to the Budapest Convention—an arrangement between 66 member-states—after four years of negotiations.

The United States has signed onto a new protocol under the first international treaty on the prevention of cybercrime that would, among other things, allow law enforcement to seek information directly from service providers with access to electronic evidence that can be used to catch criminals. 

The new protocol is “specifically designed to help law enforcement authorities obtain access to such electronic evidence, with new tools including direct cooperation with service providers and registrars, expedited means to obtain subscriber information and traffic data associated with criminal activity, and expedited cooperation in obtaining stored computer data in emergencies,” reads a press release from the Justice Department Thursday. “All these tools are subject to a system of human rights and rule of law safeguards.”

Representatives are signing onto the “second additional protocol” to the convention Thursday at the Council of Europe, amid an international conference on enhanced cooperation and disclosure of electronic evidence in Strasbourg, France. According to the press release, officials from the U.S. departments of Justice and State spent almost four years negotiating the addition to the convention, which was adopted back in November, 2021.

“The Budapest Convention is a truly remarkable international instrument. Its technology-neutral approach to cybercrime has created an enduring framework for cooperation that ensures law enforcement has the tools they need to respond to new criminal methods,” said Deputy Assistant Attorney General Richard Downing, who signed the agreement on behalf of the U.S. government. “It is our collective vision that every country that is serious about fighting cybercrime and that provides for the protection of human rights should become party to the Budapest Convention. The Convention strikes the right balance between imposing obligations on nations to have robust laws and capabilities and providing the flexibility necessary for nations with different legal systems to join.”

China and Russia, are notably not signed on to the Budapest Convention. The Justice Department release noted that the State Department’s Bureau of International Narcotics and Law Enforcement Affairs majorly funds the Council of Europe Cybercrime Program to increase the ranks of the treaty’s member countries.

The Budapest Convention was established in 2001. The first additional protocol added to the treaty concerned “the criminalisation of acts of a racist and xenophobic nature committed through computer systems.” 

“As cybercrime proliferates, electronic evidence is increasingly stored in different jurisdictions,” Justice said. “The United States remains committed to the Budapest Convention as the premier international legal instrument for fighting cybercrime.”

Article link: https://www.nextgov.com/cybersecurity/2022/05/us-signs-new-electronic-evidence-protocol-international-cybercrime-agreement/366874/

6 May 2022 10:39am, by Steven J. Vaughan-Nichols

With the release of Kubernetes 1.24 on May 4, for the first time, over five million Kubernetes developers can verify that the distributions they’re using are what they claim to be. That’s because with this release Kubernetes is adopting Sigstore for signing artifacts and verifying signatures. This is a major move forward for Kubernetes security.

As we all know, container supply chain security has become a critical issue. All too often software components are poisoned, and every program built on them wither and die with them. Introduced last year, Sigstore is a free software signing service. It improves software supply chain security by making it easy to cryptographically sign release files, container images, and binaries. Once signed, the signing record is kept in a tamper-proof public log. The sigstore will be free to use by all developers and software providers. This gives software artifacts a safer chain of custody that can be secured and traced back to their source.

A Huge Step

One reason this is such a big deal, Tracy Miranda, developer security company Chainguard‘s head of open source, explained is that it’s “a huge step in protecting the integrity of the Kubernetes ecosystem and demonstrates that code signing at an enormous scale is possible and frankly necessary due to the increase in supply chain attacks.”

It’s the ease of use that’s important here. We’ve long known that it was good security to cryptographically sign and verify programming elements, but most earlier cryptographic signature tools have either been too cumbersome or too confusing to use. Without easy-to-use tools to digitally sign their code, few developers are going to bother. That’s where Sigstore came in.

As Bob Callaway, a Google Staff Software Engineer and Sigstore project founder, said “We built Sigstore to be easy, free, and seamless so that it would be massively adopted and protect us all from supply chain attacks. Kubernetes’ choice to use Sigstore is a testament to that work.”

SLSA Compliance

The Kubernetes release team saw the importance of this effort. In early 2021, the crew began exploring Supply chain Levels for Software Artifacts, (SLSA, pronounced salsa) compliance to improve Kubernetes software supply chain security. SLSA is a security framework that includes a checklist of standards and controls to prevent tampering, improve the integrity, and secure the packages and infrastructure of your projects. Sigstore was a key project in achieving SLSA level 2 status and getting a head start towards achieving SLSA level 3 compliance, which the Kubernetes community expects to reach this August.

Sigstore Benefits

Sigstore also delivers a variety of benefits to the Kubernetes community, including:

• Sigstore’s keyless signing gives a great developer experience and removes the need for painful key management.
• Sigstore’s public transparency log (Rekor) and APIs mean Kubernetes consumers may easily verify signed artifacts.
• Sigstore’s use of standards, such as support for any Open Container Initiative (OCI) artifact (including containers, Helm Charts, configuration files, and policy bundles) and OpenID Connect (OIDC), meant it could integrate seamlessly with other tools and services.
• The active, open source, vendor-neutral Sigstore community gives confidence that the project will be rapidly adopted and become a de-facto industry standard.

“Security is a never-ending journey, but each step delivered to decrease attackers’ ability to undermine the integrity of our supply chains is an important one,” said Tim Pepper, VMware’s Head of Open Source Technology Center and Kubernetes Steering Committee. Sigstore’s adoption by Kubernetes in its next release is a big step forward.

Article link: https://thenewstack.io/kubernetes-adopts-sigstore-for-supply-chain-security/

Featured image by Steve Buissinne from Pixabay