healthcarereimagined

Envisioning healthcare for the 21st century


GAO: Defense Department Isn’t Doing Enough to Protect Sensitive Information – Nextgov

Posted by timmreardon on 05/23/2022

By FRANK KONKEL | MAY 20, 2022

Federal cybersecurity has been on the Government Accountability Office’s High Risk list since 1997.

Defense Department IT systems were not fully compliant in any of four major cybersecurity requirement areas for controlled unclassified information systems as of January 2022, according to an audit released May 19 by the Government Accountability Office.

Controlled unclassified information, or CUI, is less sensitive than secret or top-secret classified information, but still contains data—like personally identifiable information or business practices—that could be detrimental if disclosed publicly. DOD mandates full cybersecurity requirement implementation for components, but implementation rates generally ranged from 70% to 90%.  DOD operates approximately 2,900 CUI systems across its enterprise.

“We analyzed DOD’s data and found that while the DOD components have taken actions to implement cybersecurity requirements for CUI systems, none of the components were fully compliant,” the audit states. “DOD requires 100% compliance.”

The audit examined implementation rates across four DOD CUI requirement areas. Implementation ranged from 70-79% for DOD’s Cybersecurity Maturity Model Certification program, established in 2020; from 80-89% for categorizing DOD CUI systems accurately; from 80-89% for implementing 266 controls for moderate confidential impact systems; and 90% or more in authorizing systems to operate on DOD networks.

Auditors noted the DOD Office of the Chief Information Officer, the official responsible for department-wide cybersecurity of CUI systems, has taken action to address these areas. In October 2021, DOD OCIO issued a memo reiterating requirements CUI systems must meet, and included new requirements on supply chain security controls. The DOD OCIO issued a follow-up memorandum in March 2022 reminding officials to implement those controls.

Article link: https://www.nextgov.com/cybersecurity/2022/05/gao-defense-department-isnt-doing-enough-protect-sensitive-information/367220/

380K Kubernetes API Servers Exposed to Public Internet

Posted by timmreardon on 05/22/2022

Elizabeth Montalbano

May 20, 2022 7:11 am

More than 380,000 of the 450,000-plus servers hosting the open-source container-orchestration engine for managing cloud deployments allow some form of access.

More than 380,000 Kubernetes API servers allow some kind of access to the public internet, making the popular open-source container-orchestration engine for managing cloud deployments an easy target and broad attack surface for threat actors, researchers have found.

The Shadowserver Foundation discovered the access when it scanned the internet for Kubernetes API servers, of which there are more than 450,000, according to a blog post published this week.


“ShadowServer is conducting daily scans of the IPv4 space on ports 443 and 6443, looking for IP addresses that respond with an ‘HTTP 200 OK status,’ which indicates that the request has succeeded,” according to the post.

Of the more than 450,000 Kubernetes API instances identified by Shadowserver, 381,645 responded with “200 OK,” researchers said. In all, Shadowserver found 454,729 Kubernetes API servers. The “open” API instances thus constitute nearly 84 percent of all instances that Shadowserver scanned.

Moreover, most of the accessible Kubernetes servers (201,348, or nearly 53 percent) were found in the United States, according to the post.

While this response to the scan does not mean these servers are fully open or vulnerable to attacks, it does create a scenario in which the servers have an “unnecessarily exposed attack surface,” according to the post.

“This level of access was likely not intended,” researchers observed. The exposure also allows for information leakage on version and builds, they added.

Cloud Under Attack

The findings are troubling given that attackers already increasingly have been targeting Kubernetes cloud clusters as well as using them to launch other attacks against cloud services. Indeed, the cloud historically has suffered from rampant misconfiguration that continues to plague deployments, with Kubernetes being no exception.

In fact, Erfan Shadabi, cybersecurity expert with data-security firm comforte AG, said in an email to Threatpost that he was not surprised that the Shadowserver scan turned up so many Kubernetes servers exposed to the public internet.

“While [Kubernetes] provides massive benefits to enterprises for agile app delivery, there are a few characteristics that make it an ideal attack target for exploitation,” he said. “For instance, as a result of having many containers, Kubernetes has a large attack surface that could be exploited if not pre-emptively secured.”

Open-Source Security Exposed

The findings also raise the perennial issue of how to build security into open-source systems that become ubiquitous as part of modern internet and cloud-based infrastructure, making an attack on them an attack on the myriad systems to which they are connected.

This issue was highlighted all-too-unfortunately in the case of the Log4Shell vulnerability in the ubiquitous Java logging library Apache Log4j that was discovered last December.

The flaw, which is easily exploitable and can allow unauthenticated remote code execution (RCE) and complete server takeover, continues to be targeted by attackers. In fact, a recent report found millions of Java applications still vulnerable despite a patch being available for Log4Shell.

An Achilles heel in particular of Kubernetes is that the data-security capabilities built into the platform are only at a “bare minimum”–protecting data at rest and data in motion, Shadabi said. In a cloud environment, this is a dangerous prospect.

“There’s no persistent protection of data itself, for example using industry accepted techniques like field-level tokenization,” he observed. “So if an ecosystem is compromised, it’s only a matter of time before the sensitive data being processed by it succumbs to a more insidious attack.”

Shadabi’s advice to organizations that use containers and Kubernetes in their production environments is to take securing Kubernetes as seriously as they do all aspects of their IT infrastructure, he said.

For its part, Shadowserver recommended that if administrators find that a Kubernetes instance in their environment is accessible to the internet, they should consider implementing authorization for access or block at the firewall level to reduce the exposed attack surface.
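For an administrator checking clusters they operate, the following added example (not from the article or from Shadowserver) sends the same kind of unauthenticated request the scan relies on and maps the answer to the two mitigations recommended above. The probed paths `/version` and `/api/v1/namespaces`, the verdict names and the host name in the usage comment are assumptions made for this illustration.

```python
import json
import ssl
import sys
import urllib.error
import urllib.request


def fetch(base_url, path, ca_file=None, timeout=5):
    """Send one GET with no credentials.

    Returns (status, parsed_json_or_None). status is None when nothing
    answered at all (port filtered or closed, TLS verification failed).
    Use functools.partial(fetch, ca_file=...) for a private cluster CA.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # 401/403 are the answers we hope for; they still carry a body.
        status, raw = err.code, err.read()
    except (urllib.error.URLError, OSError):
        return None, None
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, None


def audit(base_url, fetcher=fetch):
    """Classify how one API server endpoint answers an anonymous client."""
    report = {"endpoint": base_url, "verdict": "unreachable",
              "version": None, "actions": []}

    # Step 1: the build-information endpoint. A 200 here is the condition
    # the article describes: reachable, answering, and leaking the version.
    status, body = fetcher(base_url, "/version")
    if status is None:
        return report                      # firewalled or down: nothing exposed
    report["verdict"] = "auth-enforced"
    if status == 200:
        report["verdict"] = "version-exposed"
        if isinstance(body, dict):
            report["version"] = body.get("gitVersion")
        report["actions"].append(
            "restrict the API port at the firewall to admin networks")

    # Step 2: a resource that must never be readable without credentials.
    status, _ = fetcher(base_url, "/api/v1/namespaces")
    if status == 200:
        report["verdict"] = "anonymous-api-access"
        report["actions"].append(
            "remove RBAC bindings that grant access to "
            "system:anonymous / system:unauthenticated")
    return report


if __name__ == "__main__":
    # Usage (hypothetical host): python audit.py https://k8s.example.internal:6443
    for url in sys.argv[1:]:
        print(json.dumps(audit(url), indent=2))
```

A `version-exposed` verdict matches the article's caveat: the server is not necessarily vulnerable, but it answers the internet and discloses its build.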

Article link: https://threatpost.com/380k-kubernetes-api-servers-exposed-to-public-internet/179679/

Milley tells West Point cadets technology will transform war – ABC

Posted by timmreardon on 05/22/2022

The top U.S. military officer is challenging the next generation of Army soldiers to prepare America’s military to fight future wars that may look little like the wars of today

By LOLITA C. BALDOR, Associated Press, May 21, 2022

WASHINGTON — The top U.S. military officer challenged the next generation of Army soldiers on Saturday to prepare America’s military to fight future wars that may look little like the wars of today.

Army Gen. Mark Milley, chairman of the Joint Chiefs of Staff, painted a grim picture of a world that is becoming more unstable, with great powers intent on changing the global order. He told graduating cadets at the U.S. Military Academy at West Point that they will bear the responsibility to make sure America is ready.

“The world you are being commissioned into has the potential for significant international conflict between great powers. And that potential is increasing, not decreasing,” Milley told the cadets. “Whatever overmatch we, the United States, enjoyed militarily for the last 70 years is closing quickly, and the United States will be, in fact, we already are challenged in every domain of warfare, space, cyber, maritime, air, and of course land.”

America, he said, is no longer the unchallenged global power. Instead, it is being tested in Europe by Russian aggression, in Asia by China’s dramatic economic and military growth as well as North Korea’s nuclear and missile threats, and in the Middle East and Africa by instability from terrorists.

Drawing a parallel with what military officials are seeing in Russia’s war on Ukraine, Milley said future warfare will be highly complex, with elusive enemies and urban warfare that requires long-range precision weapons, and new advanced technologies.

The U.S. has already been rushing new, high-tech drones and other weapons to the Ukrainian military — in some cases equipment that was just in the early prototype phases. Weapons such as the shoulder-launched kamikaze Switchblade drones are being used against the Russians, even as they are still evolving.

And as the war in Ukraine has shifted — from Russia’s unsuccessful battle to take Kyiv to a gritty urban battle for towns in the eastern Donbas region — so has the need for different types of weapons. Early weeks focused on long-range precision weapons such as Stinger and Javelin missiles, but now the emphasis is on artillery, and increased shipments of howitzers.

And over the next 25 to 30 years, the fundamental character of war and its weapons will continue to change.

The U.S. military, Milley said, can’t cling to concepts and weapons of old, but must urgently modernize and develop the force and equipment that can deter or, if needed, win in a global conflict. And the graduating officers, he said, will have to change the way U.S. forces think, train and fight.

As the Army’s leaders of tomorrow, Milley said, the newly minted 2nd lieutenants will be fighting with robotic tanks, ships and airplanes, and relying on artificial intelligence, synthetic fuels, 3-D manufacturing and human engineering.

“It will be your generation that will carry the burden and shoulder the responsibility to maintain the peace, to contain and to prevent the outbreak of great power war,” he said.

In stark terms, Milley described what failing to prevent wars between great powers looks like.

“Consider for a moment that 26,000 — 26,000 — soldiers and Marines were killed in only six weeks from October to November of 1918 in the Battle of the Meuse-Argonne in World War I,” Milley said. “Consider also that 26,000 U.S. troops were killed in the eight weeks in the summer of 1944 from the beaches of Normandy to the liberation of Paris.”

Recalling the 58,000 Americans killed in just the summer of 1944 as World War II raged, he added, “That is the human cost of great-power war. The butcher’s bill.”

Thinking back to his own graduation, Milley paraphrased a popular Bob Dylan song from the time: “we can feel the light breeze in the air. And right now as we sit here on the plain at West Point, we can see the storm flags fluttering in the wind. We can hear in the distance the loud clap of thunder. The hard rain is about to fall.”

Article link: https://abcnews-go-com.cdn.ampproject.org/c/s/abcnews.go.com/amp/Politics/wireStory/milley-west-point-cadets-ready-robot-drone-led-84879006

The Pentagon Is Closing in on ‘Ethical’ AI Implementation – DefenseOne

Posted by timmreardon on 05/20/2022

The Defense Department released guidance for using AI responsibly last year.

LAUREN C. WILLIAMS | MAY 18, 2022

The Defense Department is still finalizing an implementation plan for its artificial intelligence ethical principles, Jane Pinelis, the chief of AI assurance for the Defense Department’s Joint Artificial Intelligence Center, said at an event on Tuesday.

“So we are the first military to adopt the ethical principles for AI. Since then, multiple other nations have done so, and where we stand now with [chief digital and artificial intelligence office] is we’re trying to move into implementation,” Pinelis said during a panel discussion at the Atlantic Council on May 17.  

“So we have the five ethical principles at this point. We have [gotten] direction from the deputy secretary to advance them across six different tenets. But now we’re moving into … implementation.”

The Defense Department released guidance for using AI responsibly in May 2021 after announcing a set of ethical principles the year before.

Pinelis said the implementation plan, which is awaiting the deputy defense secretary’s signature, would be a “formal pathway forward” that tasks “various organizations in the Department of Defense with very specific actions as far as actually putting these principles into practice.”

Many of those tasks, she continued, overlap with testing and evaluation but there are many pieces that require everyone across DOD to take some responsibility.

“Responsible AI is, kind of, everybody’s job in the department,” Pinelis said. “And so there are pieces of it that have to do with international allies. There are pieces of it that have to do with responsibly acquiring these systems and responsibly developing these systems, and kind of again, crafting all of those arguments and evidence that go into responsible AI.”

Michael Horowitz, the Defense Department’s director of emerging capabilities policy, said faster implementation of artificial intelligence and autonomous technology solutions requires budget support and centralized leadership – both of which the Pentagon is working to address with the standing up of its chief digital and artificial intelligence office. 

“If data is the fuel that makes AI go essentially – what is an algorithm without the data that you would use to train it in one way or another – then bringing those together under the [chief digital and artificial intelligence office] construct, I think will be reflected in what a new strategy will likely look like as well,” Horowitz said during a keynote panel at the event. “What’s necessary now is to turn those thoughts into reality and to do it faster.” 

Horowitz, who has been in the brand new role for about a month, said he was “pretty optimistic” about the Pentagon’s direction and emphasis on AI and autonomy thanks to the creation of the emerging capabilities policy office, the CDAO, and innovation steering group that the undersecretary of defense for research and engineering. 

“I think all of those things make me optimistic that, as we enter the sort of FY ’24 budget cycle, that we’re going to start seeing that payoff as the department becomes — it’s not a question of just more, but smarter at thinking about AI and autonomous systems and investments in a way that really pays off for the joint force.”

Article link: https://www.defenseone.com/policy/2022/05/pentagon-closing-ethical-ai-implementation/367120/

To Win the Next War, the Pentagon Needs Nerds – Wired

Posted by timmreardon on 05/19/2022

In a recent interview with Wired, DEPSECDEF Kathleen Hicks spoke about the relevance and importance of data, technology, and innovation to the current defense mission.

According to the article, DEPSECDEF recognizes that “technology is fundamentally changing the nature of war, and the US needs to adapt in order to maintain its edge.”

As we move to the new CDAO, Advana remains as dedicated as ever to delivering world-class data science solutions and technologies, including advanced analytics, AI, and ML, to further support the Department’s competitive advantage.

Read more about the role of data and technology in the ongoing conflict in Ukraine: https://lnkd.in/gErrZu6b

Data scientists, coders, and other techies could prove decisive in future conflicts—if Uncle Sam can recruit them.

When Russia invaded Ukraine, the US Department of Defense turned to a team of machine learning and artificial intelligence experts to make sense of an avalanche of information about the conflict.

“We have surged data scientists forward,” Deputy Secretary of Defense Kathleen Hicks told WIRED in a recent interview. These tech experts crafted code and machine learning algorithms, creating systems that are “especially valuable for synthesizing the complex logistics picture,” she said.

Due to the sensitive nature of operations in Ukraine, Hicks says she cannot provide details of what the data team has done. But Hicks says this helps prove a point that she and others have been making within the Pentagon for some time—that technology is fundamentally changing the nature of war, and the US needs to adapt in order to maintain its edge.

“I like to say that bits can be as important as bullets,” Hicks says, in reference to the importance of software, data, and machine learning. It isn’t only that technology is advancing more rapidly and in different ways; the US also faces fresh international competition in emerging areas like AI. Russia might be less of a technological threat, but China has emerged as a formidable new near-peer rival. “We know that by the Chinese government’s statements in writing that they’re looking very much to advance on the AI front,” Hicks says.

During the ongoing conflict in Ukraine, AI algorithms have been used to transcribe and interpret Russian radio chatter, and to identify Russian individuals in videos posted on social media, using facial recognition tech. Low-cost drones that use off-the-shelf algorithms to sense and navigate are also proving a potent new weapon against more conventional systems and strategies. An unprecedented hacking campaign against Russia shows how cybersecurity skills have become a potent weapon against a nation-state adversary. New weapons can now be developed at breakneck speed, too, as was shown earlier this month when the US said it had developed a custom drone specifically for use by Ukrainian forces. By contrast, the US Air Force’s latest fighter jet, the F-35, has been in development for over 20 years, at an estimated lifetime cost of $1.6 trillion.

Although the US is helping Ukraine punch above its weight by providing financial aid, conventional weapons, and new technologies, there are those—inside and outside of the Pentagon—who worry that the US is ill-equipped to adapt to the challenges presented by war in the future.

“Every large company has the same problem,” says Preston Dunlap, who resigned last week as chief architect of the Department of the Air Force, a role that involved modernizing technology development and acquisition. Dunlap compares the situation to the way big successful businesses can be disrupted by technological change and more nimble competitors, a phenomenon that the business school professor Clayton Christensen called “the innovator’s dilemma.”

Dunlap penned an open resignation letter in which he recommended steps that the Department of Defense should take to embrace a more rapid, experimental, and technology-focused culture. He says just like a business faced with technological disruption and more nimble competitors, the US military struggles to change direction because it encompasses so many people, systems, and ingrained ways of doing things. He suggests that advocates for change, such as Hicks, can only do so much. “I am concerned about operators having to go into some kind of contingency [conflict] without the available technology,” he says. “That’s just not a place I want us to be.”

A 2019 report commissioned by the Defense Innovation Board, which provides the secretary of defense and deputy secretary of defense with recommendations around technology adoption, warns that software and its development has become a crucial strategic issue for the US military. The board also notes that the DOD cannot typically compete with the salaries tech companies offer software developers.

The DOD has taken numerous steps to boost its technological chops, with a particular focus on AI. In August 2015, the department set up the Defense Innovation Unit, which is tasked with coordinating AI across different areas of the military. The latest move, on April 25, saw the Pentagon announce its first chief digital and artificial intelligence officer, Craig Martell, previously head of machine learning at Lyft. Martell was appointed by Hicks to help advance adoption and use of the technology.

There is some debate around how many software engineers and data scientists the DOD actually needs to hire itself, and how much of the work it can outsource. Job ads highlight the defense world’s shift toward a software-centric outlook. Emsi, a company that tracks job listings, says 33 percent of 370,000 defense industry job advertisements it analyzed mention software development or data science skills, a figure that has grown 91 percent since 2017.

There are many ways AI and other technology could benefit the US military besides aiding with intelligence gathering and analysis or making weapons smarter. Small trials have shown that the technology can help manage logistics, predict when machinery will fail, and improve veteran care.

But the National Security Commission on Artificial Intelligence, a Pentagon initiative to assess the changing technology landscape, has warned that the US needs to invest more in new technologies and work more closely with the private sector to avoid being blindsided by China.

Given the scarcity of in-house talent, the Pentagon has turned to the private sector for help. But attempts to increase technological resources by working closely with Silicon Valley have been fraught. Project Maven, an Air Force initiative to collaborate with tech firms, sparked controversy in 2019 when Google employees protested the company’s decision to develop technology for analyzing aerial imagery. Workers at Microsoft staged protests over that company’s military contracts the same year. The Pentagon continues to work with some Silicon Valley firms, but it is still likely to see pushback from some tech workers over high-profile military projects.

Will Roper oversaw procurement for the Air Force between 2018 and 2021 and led the development of groundbreaking experiments involving the rapid deployment of AI in military aircraft using agile software methods borrowed from the tech world. He says that until the DOD is able to draw on more technical expertise, perhaps by getting technical experts to volunteer their time, “we’re probably not going to see the technology lined up in the military with where it is in the private sector.” “Why are we still dead in the water when it comes to talent?” he says.

Some experts say the DOD has to reinvent existing relationships with the private sector. They argue that awarding multibillion-dollar contracts to companies like Lockheed Martin, Raytheon Technologies, or Northrop Grumman to develop technology over many years is hardly conducive to fast-paced innovation.

Chris Brose is chief strategy officer for Anduril, a company working on a range of defense systems incorporating technologies that have emerged in Silicon Valley, such as virtual reality and AI. Brose says new technologies need to be developed and iterated on more rapidly. Anduril, which was cofounded by the virtual reality pioneer Palmer Luckey, is one of several new defense companies hoping to disrupt the existing order by doing things differently. “When you strip away all of the opacity and the complexity and the jargon, this is a very simple story of disruption,” says Brose.

Article link: https://www-wired-com.cdn.ampproject.org/c/s/www.wired.com/story/to-win-the-next-war-the-pentagon-needs-nerds/amp

LEO Operators and Manufacturers Wrestle with Supply Chain Cybersecurity – Via Satellite

Posted by timmreardon on 05/18/2022

LOS ANGELES — MITRE, the federal contractor that runs R&D labs for the U.S. government, is developing a space cyber lab where real satellite hardware and software can be tested to ensure security. It’s just one of a host of new measures that space companies are adopting to harden their systems against hackers, panelists at the CyberLEO conference said May 12.

The lab will explore how vulnerabilities discovered in software and hardware components could be exploited by hackers in real space systems, said Jeff Finke, principal engineer and group leader at MITRE’s National Cybersecurity Center of Excellence.

“We have a 3U cubesat in the lab, except for the camera being different and the solar arrays not having solar panels, we could put it on a rocket and launch it into space,” he said. That authenticity is important because satellite software and firmware runs on exotic systems unlike those used in conventional IT — which can make it harder to determine the impact of vulnerabilities for both attackers and defenders.

Initiatives like the space cyber lab are also needed, in part, because of the enormous complexity of satellite supply chains, added fellow panelist Phil Robinson, chief security officer for space data relay company SpaceLink. A great deal can be achieved through careful drafting of contracts, added Robinson, but there are limits.

“It comes down to negotiating with our prime suppliers, our subcontractors, our satellite manufacturers. … Do we have our contracts appropriately written in a way that covers risk?” Robinson asked.

Covering risks might mean insuring against them, or it might come in the form of guarantees from the manufacturer or other parties, Robinson continued. “Trust, but verify, right? We’re glad you put it in the contract. But I want to verify that you’re actually doing it as well.”

Relationships with vendors require trust, yet operators needed to ask themselves: “What kind of processes are you putting in place to verify and validate that trusted relationship? Are you actually looking at their practice? Are you talking to their coders that are pulling down code libraries from Lord knows where?” Finke added.

The point, Finke said, is that risks don’t fade as they recede from the first-party vendors. “What are you doing, satellite operators, to trust that relationship from your vendors? How far back are you willing to go? It’s one thing to check out your first level of third party partners. Okay, that’s great. But who are they in business with? Are you willing to spend the resources to then go to that next level, and the next level beyond that, all the way into the chip foundry, all the way to whoever wrote that first library?”

Yet for companies working to turn a profit, the cost of peeling back the onion layers of the satellite supply chain can quickly become unsustainable, Finke warned. “How much, as a commercial entity, where I have to increase shareholder equity or make money — which is a good thing — how much am I willing to invest to mitigate some of this? … How much risk am I willing just to accept knowing it’s out there, versus where I’m going to put resources to mitigate?”

The dangers of vulnerable components are rendered worse because comparatively little research has been done on the unique architectures and embedded systems used in satellites, according to Ang Cui, CEO of Red Balloon Security. Embedded devices are specialized pieces of equipment very different from the general purpose computers of conventional IT. They generally have a single purpose and must run reliably for a dozen or more years. Cui compared satellite embedded devices to those used in industrial control systems known as ICS — the specialized computing systems that run factories, oil refineries, and power stations.

“I would say the security posture of the firmware inside those [ICS embedded] devices is about five to eight years behind general purpose computing security. Having looked at quite a bit of aerospace products … I would say a lot of the firmware inside aerospace things are about five to eight years behind ICS.”

Such a mountainous security debt put satellite companies in an impossible position, he added.  “If I went to anyone here and said, ‘Build a company, but you can only do it with an unpatched Windows 90 laptop, and you can’t make any modifications to any of the code because that’s not your property.’ You would say, ‘That’s a bad idea. That’s a crazy thing to do.’ But in a lot of these situations, that is exactly how we’re operating. We’re using these devices that we can’t change the firmware of because it has [outdated] security [requirements]. It has liability insurance, legal obligations. We’re stuck in that situation.”

As is often the case, the security debt impacts defenders much worse than attackers.

“From what I’ve seen over the last decade, that offensive capability is so much more advanced than defensive capability, in all things embedded. And that gap is growing,” Cui said.

Classified conversations tend to focus on the extraordinary capabilities of government hackers, but the real danger is that those capabilities are quickly proliferating into the hands of criminal groups, too — becoming more widely available. “Those capabilities will spill over. And it’s not just in the hands of nation states. I think that’s the thing that we’re starting to see,” Cui noted.

Not everyone agreed. In a subsequent panel, retired Air Force Maj. Gen. Brett Williams, a co-founder of IronNet Cybersecurity, dismissed the idea that it is possible to secure components through testing — especially against deliberate insiders bent on mischief.

“The thinking you’re going to inspect everything, whether it’s hardware or software, and validate that it’s safe is a non-starter,” Williams said. Instead, he argued, a better approach is to try and validate the behavior of components — to ensure they do what they are supposed to.

“The real market opportunity is finding ways to understand that this stuff is doing what it’s supposed to do,” Williams said. “Even though you and I are using the same component, we’re using it a little bit differently, it’s connected to different things, it does different things. There’s got to be an understanding, is it doing what I need it to do?”

Unlike governments, commercial enterprises can’t put absolute restrictions on their vendor relationships. “The government can say … we aren’t buying anymore Lenovo computers. We aren’t using Kaspersky antivirus. But [in the private sector] you don’t necessarily have that option,” he said.

For instance, one government requirement was that only U.S. nationals could work on coding or making other components, Williams said. “You couldn’t have any foreign nationals touch your software. How many people build software today that doesn’t have a foreign national touch it?”

Government regulations can easily become too burdensome, he noted. “I think the nuclear power industry is a good example of that. Right now, the nuclear power plants are run by commercial companies, but they’re so heavily regulated that the cost is humongous. It’s a really hard problem.”

Article link: https://www.satellitetoday.com/cybersecurity/2022/05/13/leo-operators-and-manufacturers-wrestle-with-supply-chain-cybersecurity/

Open-source Leader Advocates Strong FCC Enforcement of Routing Security – Nextgov

Posted by timmreardon on 05/18/2022

By MARIAM BAKSH | APRIL 11, 2022

Reply comments are now due in 30 days to the Federal Communications Commission.

The Federal Communications Commission should consider imposing comprehensive tests and fines—after fair warning and guidance—to ensure internet service providers are taking minimal steps to protect the global internet routing system from malicious hackers, according to comments a leader in the open-source security community submitted to the agency.

“Voluntary compliance has failed to ensure compliance with even basic measures; companies have negligently allowed hijacking for decades, even when well-known and practical countermeasures exist,” wrote David Wheeler, director of open source supply-chain security for the Linux Foundation. “The FCC should establish a testing regime to ensure that Internet routing, if depended on by others, strongly resists hijacks using currently practical measures such as [Resource Public Key Infrastructure].”

Comments were due Monday in response to an inquiry the FCC made on the issue in the wake of the Russia-Ukraine conflict. The commission is concerned about hackers’—particularly powerful nation-state actors’—ability to manipulate the Border Gateway Protocol to redirect internet traffic by pretending to offer a more efficient network path. Resource Public Key Infrastructure, or RPKI, refers to a system of certificates and cryptographic attestation for stakeholders to validate the origin and authorize the route internet traffic should take.

In response to the FCC asking about the extent to which network operators have implemented available security measures, Wheeler pointed to a test established by the content distribution network Cloudflare. The test is a simple red-team exercise that advertises a route known to be spurious. Cloudflare committed to implementing RPKI in the fall of 2018.

“Those US organizations who fail should be notified, provided guidance on how to fix the problem, & given a grace period … to (re)gain compliance,” Wheeler said. “After the grace period there need to be incentives for failing US organizations to change to implement at least minimal efforts … These incentives should include grants if the organization is a not-for-profit, publishing a list of non-compliant entities, and then increasing fines over time … These organizations who negligently continue to leave the Internet so vulnerable, by failing to apply known best practices and existing technologies, are creating a hazard for everyone.”

Comments USTelecom—the leading trade association for major internet service providers—made to the FCC noted an endorsement of RPKI implementation. But they said adoption has been increasing without a requirement on the books.

“The majority of routes are still not signed, but the trajectory is good, we are up from less than 10% in 2018 to more than 35% as of this writing,” the group wrote, adding, “Buy-in from broad sets of stakeholders is essential, not just domestically, but also internationally.”

Also in the FCC’s docket on secure internet routing were comments from ETNO, the European Telecommunications Network Operators’ Association. The organization, internet service providing members of which have deployed BGP-specific routers in their networks, shared their system for coordination and noted wide support for RPKI implementation.

The fr.telecom [Local Internet Registry] – serving the needs of Orange France and [Orange Business Services], for example, has “close to 100% of its resources associated with an ROA – Route Origin Authorization,” the group said.
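The origin check that RPKI enables, and that a deliberately invalid test announcement like the one described above exercises, can be sketched as follows. This is an added example, not code from the article, Cloudflare or any commenter; it follows the three-state classification of RFC 6811 (going beyond the article's one-line description), and all prefixes and AS numbers are documentation-reserved values constructed for illustration.

```python
"""Route origin validation (RFC 6811) over a constructed set of ROA payloads."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA payload: the (prefix, maxLength, origin AS) of a signed ROA."""
    prefix: Network
    max_length: int
    asn: int

    @classmethod
    def parse(cls, prefix: str, max_length: int, asn: int) -> "VRP":
        net = ipaddress.ip_network(prefix, strict=True)
        # maxLength may not be shorter than the ROA prefix or exceed the address size.
        if not net.prefixlen <= max_length <= net.max_prefixlen:
            raise ValueError(f"maxLength {max_length} out of range for {net}")
        return cls(net, max_length, asn)


def validate_origin(route_prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Classify one BGP announcement against the VRP set.

    valid     : a covering VRP has the same origin AS and permits the prefix length
    invalid   : at least one VRP covers the prefix, but none matches
    not-found : no VRP covers the prefix (the address holder has signed nothing)
    """
    route = ipaddress.ip_network(route_prefix, strict=True)
    covered = False
    for vrp in vrps:
        if vrp.prefix.version != route.version:
            continue  # subnet_of() raises TypeError across address families
        if not route.subnet_of(vrp.prefix):
            continue
        covered = True
        # AS0 in a ROA means "do not route"; it can never make a route valid.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return VALID
    return INVALID if covered else NOT_FOUND


def classify_table(routes: List[Tuple[str, int]], vrps: List[VRP]) -> Counter:
    """Tally validation states for a list of (prefix, origin AS) announcements."""
    return Counter(validate_origin(prefix, asn, vrps) for prefix, asn in routes)


# Constructed VRPs (documentation prefixes and AS numbers, not real ROAs).
SAMPLE_VRPS = [
    VRP.parse("198.51.100.0/24", 24, 64496),
    VRP.parse("203.0.113.0/24", 25, 64497),
    VRP.parse("2001:db8::/32", 48, 64498),
]

# Constructed announcements, as a router would see them in BGP updates.
SAMPLE_ROUTES = [
    ("198.51.100.0/24", 64496),    # matches its ROA
    ("198.51.100.0/24", 64511),    # covered, but wrong origin AS
    ("198.51.100.128/25", 64496),  # right origin, more specific than maxLength
    ("203.0.113.128/25", 64497),   # /25 allowed by maxLength 25
    ("192.0.2.0/24", 64499),       # no ROA covers this prefix
    ("2001:db8:1::/48", 64498),    # IPv6, within maxLength
    ("2001:db8:1:1::/64", 64498),  # IPv6, longer than maxLength 48
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ROUTES:
        print(f"{prefix:22} AS{asn:<6} {validate_origin(prefix, asn, SAMPLE_VRPS)}")
    print(dict(classify_table(SAMPLE_ROUTES, SAMPLE_VRPS)))
```

A network that enforces origin validation drops the "invalid" announcements; "not-found" routes are unsigned address space, which no ROA-based filter can protect.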

Article link: https://www.nextgov.com/cybersecurity/2022/04/open-source-leader-advocates-strong-fcc-enforcement-routing-security/365509/

CBO Releases an Improved Interactive Tool for Analyzing the Military’s Forces and Resources – CBO

Posted by timmreardon on 05/18/2022
Posted in: Uncategorized.

Posted by Phill Swagel on May 17, 2022

Today, CBO released an enhanced version of its interactive tool for analyzing the force structure of the U.S. military and understanding how that structure influences defense spending.

What New Features Does the Tool Provide?

The enhanced tool allows users to alter the overall defense budget (annually or in total for 10 years) to see the possible effects on military forces; or to add or subtract brigades, ships, aircraft squadrons, and other units to see the effects on the defense budget; or to explore any combination of those approaches. It shows estimated effects on the Department of Defense’s (DoD’s) costs and on the size of the military. (Learn more about CBO’s approach to calculating those costs.)

In addition, CBO now provides a tutorial to help users understand how to use the tool’s new functionality to explore different types of policy choices. The tutorial, combined with the ability to alter total defense spending, makes the tool more broadly accessible by reducing the amount of specialized knowledge that users need to have about the military or the defense budget.

How Can People Use the Tool?

The new features will let Congressional staff, defense researchers, members of the media, educators, and others use the interactive tool in a wide variety of ways.

For budgeting, the tool helps people explore alternative policy choices and generate results that include standard 10-year costs. They can do that by examining potential changes to the total size of the defense budget, altering phase-in time lines, and exporting detailed data files that show 10-year costs as well as the deflators needed to convert real dollars to nominal dollars for budgeting purposes.

For force structure analysis, the tool offers a way to analyze the effects of proposed changes to forces, considering cuts or expansions of various sizes and focusing, if desired, on particular types of units. The tool also provides information about the major combat units that currently make up the U.S. military, including their number, size, functions, and average costs.

For teaching, the tool—in conjunction with CBO’s periodic report The U.S. Military’s Force Structure: A Primer—can continue to help instructors at military academies, war colleges, and security studies programs provide an introduction to U.S. forces and engage in “what if” analysis of possible changes to those forces.

To be transparent, the enhanced tool follows CBO’s practice of showing the raw cost factors and quantities used in the agency’s cost model for the U.S. military, allowing other researchers to view, use, or alter that model. In addition, CBO will continue to update the cost factors and quantities in the tool as DoD releases new budget plans. The enhanced tool also includes the ability to export more detailed data files for users who want to conduct more in-depth analysis than the tool itself permits. Those data files include documentation of all the cost factors and default settings of CBO’s cost model, as well as technical factors such as phase-in rates, deflators, and the military’s projected costs over the next decade.

Phillip L. Swagel is CBO’s Director.

Article link: https://www.cbo.gov/publication/57981?

DIGITAL TRANSFORMATION IS A CULTURAL PROBLEM, NOT A TECHNOLOGICAL ONE – War on the Rocks

Posted by timmreardon on 05/17/2022
Posted in: Uncategorized.

BRANDON LESHCHINSKIY AND ANDREW BOWNE

MAY 17, 2022

“I don’t know what we mean when we say we’re ‘pursuing AI.’ Do you?”

“We don’t change to accommodate new technologies, anyway … We just shove them into our current paradigm.”

“I don’t even understand what we’re supposed to be doing right now!”

Twenty officers are seated around a table, mired in the discomfort of an “adaptive leadership” workshop. This framework, developed by Ronald Heifetz and colleagues at the Harvard Kennedy School, is designed to help organizations make progress on complex, collective challenges, known as “adaptive” challenges. Unlike “technical” problems, which can be solved with existing know-how, adaptive challenges demand learning and change — adaptation — from the stakeholders themselves.

Digital transformation presents an adaptive challenge for the Department of Defense. As long as the Department of Defense relies on painless, “technical” fixes — what Steve Blank calls “innovation theater” — America will become increasingly vulnerable to exploitation by foreign adversaries, costing both dollars and lives. To make progress on the challenge of digital transformation — and to maintain technological superiority — the Department of Defense should reexamine and reshape its deeply held values, habits, beliefs, and norms.

The officers in the workshop are an excellent example of a group wrestling with adaptation. As in many groups, they begin by looking outwards. One says, “It’s the ‘frozen middle’ that prevents us from doing anything digital,” while another adds, “Our higher-ups can’t agree on what they want, anyway. … What are we supposed to do?” The instructor nudges them: “It seems the group is shifting responsibility to anywhere but here. What makes it difficult to look inward?”

Next, the officers drift away from the challenge. They share stories of previous successes, appraise the instructor’s credentials, and joke about the workshop itself. Again, the instructor intervenes: “I notice we’re avoiding uncertainty. Can we stay longer in the nebulous space of ‘digital transformation’? Or will we escape the moment it’s not clear how to proceed?”

Begrudgingly, they return to digital transformation, but after a few minutes, they ask the instructor for help: “Are you going to chime in here, or …?” The instructor responds, “You’re depending on an authority — someone in charge — to solve a problem that can only be addressed collectively — by all of you.”

At this point, the room burns with frustration. But the officers can’t be blamed. Their moves to avoid adaptive work — diverting attention away from the issue and shifting responsibility for it elsewhere — are typical for groups confronting a difficult reality.

More specifically, in what Heifetz terms the “classic failure,” groups attempt to resolve adaptive challenges via “technical fixes”: painless attempts that apply existing know-how, rather than working with stakeholders to change how they operate.

Hiring someone, firing someone, increasing the budget, expanding the timeline, creating a committee, restructuring the org, building a new tool, pushing a new policy: These are all technical fixes, which, while not inherently harmful, are easier than — and can distract from — the internal work of reevaluating values, habits, beliefs, and norms.

Even now, the Department of Defense is attempting to address digital transformation through technical means. The Department of Defense has created the Joint AI Center, partnered with the Massachusetts Institute of Technology (MIT), and established the position of Chief Digital and AI Officer. These steps are not without benefit: The Joint AI Center has developed AI ethics principles and a new acquisitions process; MIT has produced valuable research and educational content; and the Chief Digital and AI Officer provides an opportunity to integrate across various technological functions. But these actions are not enough. In fact, they’re not even the most challenging steps.

The real obstacles to digital transformation are deep-seated norms and conflicting perspectives that exist across the entire organization. “How valuable are technologists, really? Should they be treated differently from others?”; “What about computers: Can we trust them to do our jobs as well as we do? If so, what will be the role of humans afterward?”; and perhaps most importantly, “How do we move beyond simply articulating new standards to actually living them?” These are hard questions that affect the Department of Defense’s objectives, strategies, and tasks at every level — but answers will be earned only through discussion and experimentation across the defense ecosystem itself.

Back in the workshop, at least, the officers have made a breakthrough. Toward the end of the session, the instructor says, “I feel a sense of sadness in the room. Does anyone else feel that?” Predictably, everyone shakes their head — admitting sadness feels like admitting failure — but then a major speaks up: “I’ll bite. Yeah, I do feel sad. This just feels overwhelming. If we can’t depend on our commanders to get this done …” He pauses. “I have no idea how we’re going to do it. Especially when we’re told to just keep our heads down all the time. It feels hopeless.”

The major’s comment is the most honest moment the group has seen, and the shift in the room is palpable: An hour prior, the officers were hardly aware of their own duty to generate adaptive work, and if they were, they did not appreciate its weight. Now, they are coming to terms with this responsibility, and they are doing it publicly — vulnerably — where the whole group can learn from individual experience. This shift is the stuff of real change.

The truth is, no one knows how a digitally transformed Department of Defense will operate. But no one will find out without the collective process of trying, failing, and learning. The Department of Defense should therefore become comfortable learning through experience — gathering data through discussion and experimentation — and publicizing that learning across the organization. And while the Department of Defense has good reasons for maintaining a risk-averse culture, avoiding learning creates its own set of risks. The world is changing, and America’s adversaries are improving their capabilities. We cannot afford to wait for our enemies to make clear that they’ve surpassed us.

Officers can take three actions to make progress on digital transformation now.

First, officers should generate and run low-risk experiments: actions that will produce learning for the future, not actions that will produce success based on today’s metrics — who knows whether those metrics will be relevant post-transformation? For example, at the Department of the Air Force–Massachusetts Institute of Technology Artificial Intelligence Accelerator, we have experimented with multiple forms of educating servicemembers, from live lectures and online courses to interactive exercises and project-based workshops. When an experiment produces failure, so be it: Failure is the primary ingredient of learning.

Second, officers should surface as many perspectives on digital transformation as possible. Who balks at digitization? Who supports it? Why? And what’s the wisdom in each perspective? If everyone is part of the problem, everyone should also be part of the solution — even if it means engaging people across boundaries in a way the Department of Defense has never done before.

Finally, officers should prepare those around them for a prolonged period of ambiguity, where operational reality dictates that those in charge will be unable to answer critical questions. This serves two purposes. First, it helps to manage expectations, so those in positions of authority can resist the pressure of providing answers where none exist. Second, it empowers those without authority to run their own experiments — to try something new and to fail — and report back on what they learned.

Ultimately, transforming a system requires transforming the people within it. If the Department of Defense is seriously committed to digital transformation, everyone should be engaged in the uncomfortable and personal process of change. As the work continues, both the organization and the people within it will find themselves better equipped to handle new and challenging realities.

The workshop, meanwhile, closes on a note that applies across the Department of Defense: “This moment demands courage. Try better. Fail better. Learn better. One day, you’ll look back and see that you’ve transformed.”

Article link: https://warontherocks.com/2022/05/digital-transformation-is-a-cultural-problem-not-a-technological-one/

Brandon Leshchinskiy is an AI innovation fellow at the Department of the Air Force-Massachusetts Institute of Technology Artificial Intelligence Accelerator, where he has taught over 600 servicemembers, including over sixty generals, admirals, and senior executive service members, about AI. He also works with Ronald Heifetz and others at the Harvard Kennedy School, where he has coached over 50 students, ranging from young professionals to senior executives, on complex, collective challenges. 

Andrew Bowne is an Air Force judge advocate and the chief legal counsel of the Department of the Air Force-Massachusetts Institute of Technology Artificial Intelligence Accelerator. He is also a Ph.D. candidate at the University of Adelaide examining the nexus of national security and AI, focused on the role of industry. He has published numerous articles and book chapters, including national security, security cooperation, contract law, rule of law, machine learning, and intellectual property. 

The views expressed are those of the authors and do not reflect the official guidance or position of the U.S. government, the Department of Defense, or the U.S. Air Force. Further, the appearance of external hyperlinks does not constitute endorsement by the Department of Defense of the linked websites, or the information, products, or services contained therein. The Department of Defense does not exercise any editorial, security, or other control over the information you may find at these locations.

Image: U.S. Army

Prices Paid to Hospitals by Private Health Plans 224% of What Medicare Would Pay – RAND

Posted by timmreardon on 05/17/2022
Posted in: Uncategorized.

Employers and private insurers in 2020 paid hospitals 224% of what Medicare would have paid for the same inpatient and outpatient services, at the same medical facilities.

Findings from Round 4 of an Employer-Led Transparency Initiative

by Christopher M. Whaley, Brian Briscombe, Rose Kerber, Brenna O’Neill, Aaron Kofner

Research Questions

  1. What were the levels and variations of hospital prices paid by employers and private insurers across the United States from 2018 to 2020?

Because employer-sponsored spending comes from employee wages and benefits, employers have a fiduciary responsibility to administer benefits in the interest of participants. The lack of transparency of prices in the health care market limits the ability of employers to knowledgeably develop or implement benefit design decisions. This study uses medical claims data from a large population of privately insured individuals, including hospitals and other facilities from across the United States, and allows an easy comparison of hospital prices using a single metric. An important innovation of this study is that our data use agreements allow reporting on prices paid to hospitals and hospital systems (hospitals under joint ownership) identified by name.

Key Findings

  • Some states (Hawaii, Arkansas, and Washington) had relative prices below 175 percent of Medicare prices, while other states (Florida, West Virginia, and South Carolina) had relative prices that were at or above 310 percent of Medicare prices.
  • In 2020, across all hospital inpatient and outpatient services (including both facility and related professional charges), employers and private insurers paid 224 percent of what Medicare would have paid for the same services at the same facilities.
  • The 224 percent total for 2020 is a reduction from the 247 percent figure reported for 2018 in the previous study owing to an increase in the volume of claims from states with prices below the previous mean price.
  • Among the common data contributors in this round and the previous round, 2020 prices averaged 252 percent of Medicare, which is similar to the 247 percent relative price reported in the previous round for 2018.
  • Prices for common outpatient services performed in ambulatory surgery centers (ASCs) averaged 162 percent of Medicare payments, but if paid using Medicare, payment rates for hospital outpatient departments (HOPDs) would have averaged 117 percent of Medicare.
  • Although relative prices are lower for ASC claims priced according to HOPD rules, HOPD prices are higher than ASC prices.
  • Very little variation in prices is explained by each hospital’s share of patients covered by Medicare or Medicaid; a larger portion of price variation is explained by hospital market power.
  • Prices for COVID-19 hospitalization were similar to prices for overall inpatient admissions and averaged 241 percent of Medicare.

Table of Contents

  • Chapter One: Background
  • Chapter Two: Data and Methods
  • Chapter Three: Findings
  • Chapter Four: Conclusion
  • Appendix A: Background on Hospital Markets and Pricing

Article link: https://www.rand.org/pubs/research_reports/RRA1144-1.html?
