Government Executive - Authors - Aliya Sternstein

"Every American Has the Right to Know"

Aliya Sternstein — Tue, 17 Nov 2015 14:56:00 -0500

In April 2006, a young Democratic senator from Illinois and a graying fiscal conservative from
Oklahoma introduced legislation to create a searchable database of federal monetary awards, essentially a Google for government spending. The site would empower citizens to monitor how their tax dollars are spent and uncover waste. President George W. Bush signed the Federal Funding Accountability and Transparency Act five months later and USASpending.gov was born in 2007. While co-sponsor Sen. Tom Coburn, a Republican, pushed for greater financial transparency until retiring in December 2014, many say the other co-sponsor, now President Obama, ran out of steam.

]]>

The Top 10 Women Cyber Guardians You Should Know About

Aliya Sternstein — Wed, 23 Sep 2015 16:01:00 -0400

(This article originally appeared on Nextgov)

The paucity of women in math and science extends to the data security realm. Women make up 14 percent of federal government cyber personnel, according to a May (ISC)2 global information security workforce study. The number was even lower in the private sector as recently as 2013: 11 percent.

But quantity does not equal quality.

And there is top-notch talent gracing the field across government, academia and industry. Here is an unempirical roundup of 10 influential leaders in information security, who happen to be women.

Ann Barron-DiCamillo, director, U.S. Computer Emergency Readiness Team, Homeland Security Department

Oversees a round-the-clock watch center that collects, processes and shares information on cyberthreats with agencies and industry sectors. The disclosure of a theft of Office of Personnel Management files on 21.5 million national security-sensitive personnel and their families thrust her into the national spotlight -- a position she was uncomfortable with as an evangelist of confidentiality. Testifying at a House hearing in June on U.S. CERT's role in the response, she acknowledged, "Like many Americans, I too am a victim of these incidents . . . Although I am appearing today ready to provide information to this committee, I do so with some concern" about losing the trust of victims who open up to U.S. CERT. Her organization relies on voluntary cooperation from agencies and firms who believe they might have been hacked. "I worry that U.S. CERT appearing before this committee will have a chilling effect on their willingness to notify us," she said. "We especially need private companies to continue to work with government and to share information about cyberthreats and incidents so that through greater shared awareness we can all be more secure from those who to seek to do us harm."

Sally Holcomb, deputy chief Information officer, Central Security Service, National Security Agency

Tasked with protecting information systems that hold, perhaps, the world's most secret data. "You may have heard we had some leaking problems," she said in April, referring to ex-NSA contractor Edward Snowden's spilling of classified intelligence. Increasingly, the agency depends on the cloud for tighter security and, paradoxically, easier access. Metadata makes both possible, she said. Each piece of information is tagged with details on content and who can read it. "Having the ability to secure at the object layer is pretty exciting for us," she said at a cybersecurity summit organized by the Armed Forces Communications and Electronics Association. At the same time, NSA must also ensure the intelligence remains discoverable. A search "query has to result in 'Hey, you may or may not have authorization, but there is data here subject to your request' and then give a means for someone to go find it.”

Patricia Larsen, co-director of the National Insider Threat Task Force, Director of National Intelligence

Manages a growing team of leak-pluggers across government. Her mission is to guard government secrets and government staff from those who can't be trusted. "It’s a privilege to work in that program," she said last December at a forum hosted by Nextgov. "And the only reason that you are there is to help protect your colleagues, not to out them. So, we’ve got to professionalize that workforce of people who do this for a living. They have to view themselves as part of a community.” The specialists must undergo training on privacy protections, intelligence oversight and investigative procedures, should their suspicions bear truth. "It is also critical to remember the human element, and the expertise of clinical psychologists is crucial to inform insider threat analysis,” she said.

Catherine Lotrionte, director of the Cyber Project, Georgetown University

Leads a research initiative that explores the role of international and domestic laws in fighting cyber threats. Last fall, she illuminated one way the United States might be able to use the World Trade Organization to punish China for economic espionage. A provision in the 1995 Trade Related Aspects of Intellectual Property Rights Agreement deals with a country's obligation to protect undisclosed information. The clause "obliges each WTO member within its own jurisdiction -- to protect foreign companies' [undisclosed information], as they would protect their own companies' undisclosed information," she said. The snag is that cyberspace spans jurisdictions. But she pointed out a potential workaround. It is very possible the Chinese ultimately will file a cyberspying case against America with the WTO, she said. When that happens, the United States’ best move would be to “argue a defensive legal argument under our rights to counter what they are doing," she said. "That would force the panel at the WTO to bring clarity to what those obligations mean for protecting undisclosed information."

Angela McKay, director of cybersecurity policy and strategy, Microsoft

Coordinates with the private sector, customers and law enforcement to build confidence in each other and in the Web. "One of the things that as an industry we're really trying to grapple with is what should we be doing on behalf of users -- like automatic updates -- and what are the things that we want to inform users [of] to make good risk decisions” on their own, she said at a February cybersecurity symposium organized by New America. "That's something where the pendulum hasn't found a good equilibrium point." The software giant once was reluctant to push out automatic updates, "because there was some concern that Microsoft was being the big top-down antitrust” entity, she said, "but as we realized the security ecosystem was changing we realized we needed to help users in this space."

Katie Moussouris, chief policy officer, HackerOne

Widely recognized for founding Microsoft's "bug bounty" program that awards researchers with cash for reporting security holes they discover in the Seattle firm's software. Now at HackerOne, a San-Francisco-based company that organizes similar prize programs, she criticizes policies that treat bug-finders like criminals. A new presidential order authorizing sanctions against people complicit in exploiting software glitches could discourage analysts from warning about such vulnerabilities, she said. The policy's language should be tightened "to really reflect the intent, as opposed to increasing that fear among the security research community," she said during an interview. Even if not sanctioned, "there are several other pressures that researchers will face where their jobs are contacted, their careers are threatened, and all kinds of other things that are non-criminal prosecution but more like persecution." She rails against a current U.S. proposal to carry out an international arms agreement called the Wassenaar Arrangement that would control the international export of intrusion software. "The same offense techniques that are developed to bypass existing computer security measures are used in research to highlight weaknesses in order to fix the vulnerable software," she wrote in Wired last week. For spies, "no regulation will stop them. It is our job to collectively ensure that no regulation stops defenders."

Melinda Rogers, chief information security officer, Justice Department

Keeps information technology systems safe across the federal justice system. Her advice for organizations interested in surviving after a hack? “At the end of the day -- it’s knowing what is in your environment. It’s very easy to say, 'Oh, well it's an email system,' with email inside . . . but, that’s not the right answer," she said at an AFCEA symposium last December. "One most own [the data, by] knowing what’s in the data and then take proper precautions." Justice is updating acquisition guidance to make sure civil service employees understand that, when they work with vendors, encryption, contractor background investigations and other security controls must be carried out. When the inevitable data breach happens, damage control will hinge on "knowing what you have," she said.

Phyllis Schneck, DHS deputy undersecretary for cybersecurity and communications

Sees to it that Homeland Security serves as a "focal point for the security of cyberspace," per presidential directive. The cyber czar of DHS previously made a name for herself as McAfee's chief technology officer and chairman of the National Board of Directors of the FBI’s public-private InfraGard cybercrime program. Now, she works with critical sectors, like the power industry, to protect machines that increasingly are becoming accessible from the public Internet. Critical infrastructure systems are among the things in the so-called Internet of Things. These are the devices, in addition “to our refrigerators and toasters, that are connected," she said. Her “personnel are engaging cleared asset owners, the folks running and operating the water plants, the electric plants, the transportation to look through a classified briefing campaign and address the impacts of recent BlackEnergy” spyware that targets industrial control systems, she said at a May 6 meeting of the President’s National Security Telecommunications Advisory Committee.

Suzanne Spaulding, DHS undersecretary for the National Protection and Programs Directorate

Runs the DHS division tasked with defending U.S. infrastructure against cyber- and physical threats. Once a regular on Capitol Hill who worked for both Democrats and Republicans for over a quarter of a century, she is more concerned about nonpartisan matters these days. "I really do worry that in the next year or so will be the year of the destructive attacks," Spaulding said April 27, during an event organized by New York's Fordham Law School. "With the Sony incident, all of the attention was on the salacious emails and the theft of movies before they came out and far less attention was paid -- for reasons I'm not clear on -- on the destructive nature of that attack: that there was destructive malware deployed that destroyed computers and data irretrievably." She expects, no, she will put an end to further U.S. network sabotage. "Hope is not a plan. We have other plans," she said.

Up and comer: Shannon Praylow, senior officer, an intelligence community 24-hour watch center

Manages a team at an undisclosed government facility in the Washington area. The 34-year-old contractor for Maverick Cyber Defense has no college degree and had to work her way up, while training and attending boot camp in the Virginia Army National Guard. Now, the departments of Defense, Homeland Security, Justice and State are all on her resume, sometimes concurrently. Yet, the shards of the broken glass ceiling cut deep. "Right now I’m a team lead of 10 males," some of whom are upward of 45 years old, she said. "I deal a lot with name calling, talking behind my back. And I can’t let that bother me." A National Guard recruiter in 2001 first wanted to try her out as a truck driver: "I said, ‘No,’ turned around and walked out. Walked in a few months later, and he said, 'We do have this computer section, would you be interested?’”

(Image via kurhan/Shutterstock.com)

]]>

How the OPM Hackers Killed the Password

Aliya Sternstein — Tue, 08 Sep 2015 10:00:00 -0400

White House directives dating back to 2004 warned against relying on passwords as the only mechanism to lock government systems—but that didn’t stop agencies. U.S. cyber czar Michael Daniel publicly exhorted citizens to “kill the password” multiple times in 2014, but that didn’t stop password proliferation. Nor did a hack of passcode-protected personal devices that exposed nude photos of starlets like Jennifer Lawrence seem to faze federal computer users.

It was not until password-cracking actually hit home that agencies jumped to alternative forms of identification.

Briefly, here is a timeline of the death of the password:

August 27, 2004: In response to the September 2001 terrorist attacks, President George W. Bush issues Homeland Security Presidential Directive 12 demanding the creation of a common identification form for federal employees and contractors. HSPD-12 requires a credential format that is “strongly resistant to identity fraud,” can be “rapidly authenticated electronically” and only issued through an “official accreditation process.”

The directive goes mostly unheeded for a decade.

September 2014: The majority of computer users across civilian agencies still can log on to government networks with simply a password. Only 1 percent of Office of Personnel Management computer users need something more than a password to access the agency’s information. All Pentagon workers, however, are swiping common access cards for system entry.

June 4, 2015: OPM reveals a contractor’s password was exploited to unlock 4.2 million records on current and former employees across the government. The records were housed in an Interior Department data center shared by 150 federal offices.

Almost immediately, the race is on to couple passwords with at least a physical smartcard, or even better, physical proof of identity, like an iris scan.

June 12, 2015: The White House instructs all agencies to accelerate the activation of such two-step identification processes as part of a “30-day cybersecurity sprint.”

Then perceptions of federal data security worsen.

July 9, 2015: OPM discloses that personal data on 21.5 million employees, applicants for clearances to handle classified information and their family members were stolen during a separate, related intrusion.

Within hours, U.S. Chief Information Officer Tony Scott tells reporters: “We’ve dramatically increased the amount of two-factor authentication for privileged,” or high-level access, “users across the federal government.”

July 12, 2015: Ninety-seven percent of OPM computer users and more than 72 percent of users governmentwide cannot get into agency systems without a smartcard.

“That’s an important control that’s needed. We were already working on it,” ahead of the hacks, Interior CIO Sylvia Burns told a House committee this summer. “We were making slow progress. When the incident happened, it just created a different lens on looking at the need, and I think it made it crystal clear to everybody why it was so critical that we achieve two-factor authentication.”

The winner of the latchkey challenge was the General Services Administration, with only 1 percent of personnel still logging in with just a password by the end of the 30-day cybersecurity sprint. But the Energy Department, a frequent target of foreign espionage, made little headway in fortifying defenses. About 88 percent of Energy personnel can still punch in a single password to see sensitive government information. Surprisingly, 72 percent of users at the State Department, which was infiltrated by suspected Russian spies last fall, remain vulnerable to password-breaking.

“One of the most significant steps any organization can take to reduce the risk of adversaries penetrating networks and systems is requiring the use of a hardware-based personal identity verification card or an alternative form of strong authentication,” Scott said in a blog post announcing the results of the White House initiative. “Agencies made significant progress in this area.”

In the private sector, however, the password is alive and kicking—even at the company providing ID protection for victims of the smaller OPM hack. Feds who register for those services are protected only by a password they create with the company, in which case a hacker needs only to break that password to victimize those individuals again.

“When you think of all the data that credit monitoring and identity theft services aggregate, those services themselves become a potential target,” says Jeremy Grant, former head of the Commerce Department’s National Program Office for the National Strategy for Trusted Identities in Cyberspace. He is one of the victims.

Grant was pleasantly surprised to learn that ID protection services for individuals affected by the larger breach related to background checks are expected to be more secure, according to a vendor solicitation.

The contractor “will need to deliver a second factor,” like a one-time PIN sent in a text message, says Grant, now a managing director at the Chertoff Group, a consulting firm. “Protecting access to breach victims’ accounts at the portal with two-factor authentication makes sure that someone can’t access their data with a stolen password.”

In the future, feds might have to go through even more steps to log in at work, said Shonnie Lyon, acting director of the Homeland Security Department’s Office of Biometric Identity Management, days after word broke of the OPM attack.

Government employees might have to enter a smartcard, type a password and press a finger against a touchpad.

“Several organizations are looking at three-factor authentication,” Lyon said at a June 11 industry event. “I think that’s the way things are going to have to go.”

Unfortunately, now even fingerprints can be spoofed. The fingerprint records of 1.1 million victims of the OPM hack were stolen.

]]>

Mapping Threats

Aliya Sternstein — Wed, 06 May 2015 09:00:00 -0400

Around the time the computer game “Where in the World Is Carmen Sandiego?” was teaching Generation Y about geography, grown-up versions of geography software had analysts at spy agencies a little concerned about job security. Back then, Defense Intelligence Agency imagery analyst Robert Cardillo and his colleagues thought visualization technology would replace their tradecraft. Today, as director of the National Geospatial-Intelligence Agency, Cardillo and his roughly 14,500 employees only wish more powerful image recognition software existed.

“Going back to 1983 when I was welcomed into the business, somebody said to me they are going to automate our job,” Cardillo recounts in an interview. There will be “these ones and zeroes” that will pinpoint the changing positions of tanks, missiles, ships. The rumormonger told Cardillo it would be another six months or six years before the technology arrived, so he didn’t have to worry about a pink slip just yet.

“Fast-forward 32 years: We’ve come a long way, but that’s still a very hard thing for computers to do—not impossible, very hard,” he says, speaking from inside NGA’s Springfield, Virginia-based headquarters, which is shaped like a giant eyeball lens.

Right now, technology is up against a problem that didn’t exist in the Atari age: big data. The ever-increasing petabytes of pictures and other information generated by sensors require quick and constant observation.

“If you’re my analyst on sub-Saharan Africa, I don’t want you spending time scanning all that imagery searching for something that wasn’t there last year, last month,” Cardillo says. “I do want you thinking hard about the Boko Haram [terrorist group] challenge or thinking hard about Central African Republic sectarian divide, Muslim-Christian, etc., and building mental models yourself.” So, he’s got computer programs handling “broad-based change detection,” a method for flagging items that didn’t appear in the previous day’s data dump and items that have disappeared
from view.

Such analysis, however, is no substitute for the experience, education and curiosity of the human mind. The computer is “looking for those triggers—whether it’s a text or an email—and then cueing the brain to go engage,” says Cardillo.

On certain problem sets, such as Chinese aggression in the South China Sea, the software is doing a good job at prompting analysts. “That’s a very tough place to monitor,” he says. “Very big, very broad, very noisy. We have had some success with modeling to help us cue when and where something has changed.”

For instance, the Chinese slowly are “dredging up sand and they are building these islands” to mark their territory and “over time, our ability to human-cognitively process all of that coverage is just going to be overwhelmed,”
Cardillo says.

Paul Weise, who spent over three decades analyzing imagery for the Pentagon, says any rumor about software taking over the role of analysts is misplaced.

“I can’t tell you how many times we brought on a new system, a new software set, that showed promise in either doing that job entirely or greatly assisting the analyst or cartographer,” he says. “We ended up turning the tool off because it took more time for the cartographer to fix the mistakes that were falsely interpreted by such algorithms.”

Weise retired three years ago from his role as director of the Office of Geospatial Intelligence Management. Now, as Lockheed Martin’s GEOINT mission officer, he helps the agency expand its signature Map of the World project, among other things. The portal consumes and synthesizes all sorts of intelligence so analysts can submerse
themselves in the situation at hand.

The quest to automate image recognition began in the 1980s and 1990s, when it became apparent technological progress was creating too many pictures to examine. Automation has shifted the tools of the trade from wet plate
photography and hand-drawn maps to geographic information systems. Increases in computer processing power, software agility and Internet connectivity, along with decreases in the cost of storage, now allow geospatial products to be spit out faster than a hand can cut and paste. And advances in sensor technology from small-satellite providers—like DigitalGlobe, Planet Labs and Google’s SkyBox—have expanded the field of view.

In the Zone

Ultimately, however, the new equipment reveals only a basic level of the full picture.

“The reality is the most agile processor in this process remains the human brain,” says Keith Masback, chief executive officer of the U.S. Geospatial Intelligence Foundation, a professional
association. “Human engagement is required to do the quality control and the fact-checking and the ground-
truthing, especially in the world of safety of navigation.” Masback, a former NGA source operations group director, adds: “Because of the very ongoing life and death nature, the navigation products—whether subsurface, surface or air—have got to be right.”

The Arctic, for instance, is one of the more treacherous zones. Almost by definition, the North Pole is not thought of as a global hot spot. But as the polar ice melts, the Arctic is becoming a nexus of geopolitical tensions over subjects as diverse as penguins and Ukraine. New transportation routes and energy reserves are rising to the surface, accompanied by turf wars.

Because all the commotion has economic and not just military ramifications, Cardillo sees the Arctic as a place that could bring his agency out into the open. Again.

Since becoming NGA director last fall, he has garnered attention for pulling the curtain off certain geospatial data, such as maps of the Ebola spread. “I think the Arctic is a wonderful place, where we should be thinking about our next piece of open code,” Cardillo says. “A great deal of what’s known about the Arctic is unclassified. We don’t have a rich history of classified intelligence collection in the Arctic because—guess what?—it wasn’t a priority.

Now it is. President Barack Obama in a May 2013 Arctic National Strategy outlined strategic priorities for the Arctic region that call for, among other things, a greater awareness of activity in the region as well as charts and scientific research to better understand the landscape. That would include NGA’s geospatial intelligence—insights derived from pairing satellite imagery with historical data sets.

“I’m not going to dive into the ‘Why is the Arctic warmer than it used to be?’ But I know it is,” Cardillo says. “And I know there’s less ice up there now, and I know there’s more ship traffic now. I know there’s more potential for natural resource exploitation than there ever has been before. Those facts have driven state actions. Russia, as one of the claimants for the resources and maritime navigation and control, etc., has made decisions based upon those changing facts. Some of those decisions are military based.”

‘It Changes Your Thinking’

Venues for hosting public geospatial intelligence on the Arctic might include Apple’s app store, the code-sharing site GitHub and NGA.mil, where interactive viewing tools are powered by Esri mapping software. The site currently serves up unclassified data sets to aid Ebola relief efforts.

NGA’s first app, Anti-Shipping Activity Messages, or ASAM, details incidents of hijacking on the high seas all over the world. The underlying code for the app, which was released last fall, also is available on GitHub.

“We’re all in on GitHub. We’re very proud of our [GitHub] page,” Cardillo says. “I’m encouraging our team to create conditions and the context so that our policymakers and decision-makers can have a better footing to think about employment of resources, deployment of diplomatic engagement and, potentially, security-related actions—whether it’s just to protect or it’s to project. In some cases we project force throughout the world to ensure safety of navigation, for example,” Cardillo says.

Cardillo likes to show people polar projection maps. “It’s very disconcerting, it destabilizes your mind,” he says. “When you look at the North Pole at the center of a projection, it looks very unfamiliar.”

At first, gazers say, “ ‘Wait a minute, the United States isn’t that tiny. It doesn’t sit on the edge of the Earth like that. We’re at the center of the world.’ You get those reactions,” Cardillo says. But, he adds, they also “clearly see Alaska and Canada and Norway and Russia—what I like about it is the way it changes
your thinking.”

]]>

Wait

Aliya Sternstein — Thu, 12 Mar 2015 08:00:00 -0400

If there’s one thing politicians of all stripes can agree on, it’s this: The immigration system is broken. What’s less obvious is the extent to which that’s physically true. An online system that was supposed to automate the processing of green cards and other immigration benefits has struggled to function properly since at least 2009. When President Obama in November 2014 announced a series of executive actions that would expand the population of immigrants eligible to remain in the United States, he placed a highly vulnerable technology program center stage in a major policy fight.

Privacy Negotiator

Aliya Sternstein — Tue, 11 Nov 2014 00:00:00 -0500

In 2011, Government Executive spotlighted a handful of emerging leaders, including Ari Schwartz, the first-ever National Institute for Standards and Technology Internet policy adviser, who hailed from the privacy activism world. He went on to advise three Commerce Department secretaries on developing voluntary cyber standards in accordance with a landmark executive order. Then during the heat of the anti-surveillance movement, he was named to the White House National Security Council staff to instill civil liberties into cybersecurity and signals intelligence policies. Today, Schwartz, 43, has emerged. He is the White House senior director for cybersecurity. Senior Correspondent Aliya Sternstein recently looped back with Schwartz to discuss balancing the needs of operatives and privacy-
conscious citizens, along with raising kids in the smartphone era.

Do your old colleagues at the Center for Democracy and Technology civil liberties group give you a hard time about working with “the spies?”

They’ve never referred to me as “the spy.”

They don’t see you as having gone to the dark side?

They see me as a person who can answer questions about what is going on. I think they see me as helpful in that way. I would love for you to ask them that. I would like to know the answer too. I think that’s really one of the worst things that happens in Washington—when something gets reported or [comes out] through the rumor mill, and they hear the worst of it first, rather than hearing it from the people who are trying to put it together.

What information are you personally most concerned about keeping private?

I have a family and I have kids, and I think of a lot of things in my personal life—
relating to my children—as being very private and personal. It concerns me if information like that were to get out. I think communications—when taken out of context—often can raise a lot of concerns, so I do worry about what companies and what the government does with communications and making sure that it is used properly and that personal privacy is being protected. I am worried about [my 7-year-old and 10-year-old] getting on Facebook, but that’s a couple of years away. They don’t have phones. They have iPods. But my 10-year-old says everyone has a phone, except for him.

How has the discussion about privacy changed at Commerce and the NSC since the leaks by ex-intelligence contractor Edward Snowden about mass monitoring of U.S. phone records and foreign online communications?

Privacy had always been a major issue, but certainly I think that the disclosures have really heightened those issues. The president was very clear in his Jan. 17 speech about the direction that we’re headed
in [when he announced a directive to hone data collections]. Since then it’s been more about implementing those things the president pointed to—building privacy protections for non-U.S. persons in particular.

Your communications on social media, couldn’t they be swept up in some of these signals intelligence activities?

I’m a citizen just like everyone else. It depends on what type of collection it is. Under [the directive], we have these areas where bulk data still can be collected. They are a very limited set of areas. I think it would exclude many of my communications and other private citizens’ communications, but I don‘t think it completely rules that out. It’s not out of the question at all.

Have you changed your online habits?

It’s almost as much from breaches, more so than government, but I think it’s related. Using two-factor authentication and using security tools are things that I did before and that I continue to stay up on. Especially right now, with breaches in particular, I think using multifactor authentication is just essential for everybody. I think a lot of celebrities found that out the hard way from the Apple breach that happened recently.

Is it hard for you to keep quiet about White House privacy initiatives, like the new executive order requiring two-step identity verification for government charge cards?

It changes so quickly that I find even at times where I’m allowed to tell somebody, and then I tell them, then it changes and I have to call them back. That seesaw makes it so there is a natural tendency to want to hold off until you are certain that something is actually going to happen before you start telling people. That’s something I’ve learned in my four years in government. You don’t want to get people’s hopes up. It’s better to let people know that you are working on something, and give them a broad outline to get feedback from them without saying which direction the policy is going in.

Do you feel like you have made sacrifices to get where you are?

It is a demanding job and I, of course, make sacrifices for my family time because of that. But there is an awareness, if that’s the case. Particularly [National Security Adviser] Susan Rice has been really, really good about making clear that family has to come first. There are a lot of times when there is information that we’re getting on classified systems and we have to come into the office. That’s certainly not the case in nonprofit.

Do your kids grasp the gravity of your job?

They do. They get to come to the events at the White House. So, they get some fun out of it as well. But I think there is an understanding that I’m doing a serious job trying to protect the country and
our liberties.

Have your kids met the president?

They have not. But my oldest son came to Take Your Kid to Work Day and they had a question-and-answer session with the first lady. My younger one was four months too young for that, so hopefully this year he’ll get to go. There are some things they get to do that other kids would dream of doing. The first lady at that session, she said, “You know, I realize that sometimes your parents don’t get to come home for dinner and sometimes they don’t get to make it to all your soccer games,” and she kind of was apologizing to them for the sacrifices that I make, which I appreciated.

What has been the most fulfilling experience for you in the new job?

Everywhere I go, people thank me for the work we did on the cybersecurity framework and how it got better over time. The trust from the private sector to keep it voluntary; from the privacy groups, we hear that they are glad we were able to keep the Fair Information Practice Principles in the document despite the heavy pressure that we got from industry. When you start to see announcements related to and around cyber insurance, that’s pretty fulfilling because that was the original goal, to build it into the marketplace without a regulatory effort. Just like [with the proviso] “Do you have smoke alarms?” for fire insurance, which is built into most regular business policies.

Do you expect to leave anytime soon?

It’s interesting because these undergraduate college students, they say, “Oh, my dream is to work at the NSC,” and it was never my dream to work at the NSC. But now that I am here, I see why it is people’s dreams. If you want to work on formulations, if you want to work on the hot national security issues, there is not a better place to be.

]]>

Around Government

Charles S. Clark, Aliya Sternstein, and Patrick Tucker — Tue, 09 Sep 2014 08:00:00 -0400

Bravery in the Bureaucracy

Making the right decision isn’t the hard part, agency leaders say, it’s having the guts to follow through.

By Charles S. Clark

Newscaster Dan Rather was famous in the 1980s for signing off the evening news with a simple word: courage. He may have been onto something, according to an academic analysis of interviews with 10 well-regarded federal executives.

Conventional wisdom is that the toughest decisions in government are those that are “informationally complex,” note Harvard University management professor Steven Kelman and a consulting trio from Booz Allen Hamilton.

But nine of 10 of these agency leaders said the hardest challenge for them wasn’t deciding the right thing to do, but being willing to do it. “In other words, these were decisions requiring courage in the face of some personal, political or organizational risk,” said the study, delivered in August to the Academy of Management meeting in Philadelphia.

Whether rolling out a new program or dismantling old ones, all the veterans of federal bureaucracy described infighting and doubts from co-workers in the run-up to their decisions. And though
information-gathering is helpful, “a sense of moral identity” is what most said is the secret to having an impact.

“The executive must be able to organize for vigilant decision-making for the run of important decisions, but be prepared to turn this approach off when courage is required,” the authors write. “Advisers should also be able to be ambidextrous, sensing when their leader needs discussion, debate and dissent, and when he or she needs moral support.”

Scanning Smart Cards

A recent cross-agency priority goal report on cybersecurity raises questions about how many federal employees have smart ID cards and who needs them. As of December 2013, more than 5 million personal identity verification cards have been issued, but the latest audit reveals some agencies are still vexed by security and funding gaps.

Malware Magnets

Believe it or not, the government ranks toward the bottom on a list of 29 sectors most likely to experience encounters with malicious software. Between January and July, the media—not agencies—suffered the most from hacking attempts, according to a Cisco security report. The government ranked 25th.

Attackers apparently timed malware drops to high-profile events, such as the 2014 Winter Olympic Games, and big news stories, like the disappearance of Malaysia Airlines Flight 370. Scammers want to hit large swaths of the population, and websites with hot headlines provide just the right user base.

“I would have guessed that government would have been much, much higher,” said Levi Gundert, a leader of Cisco’s threat research, analysis and communications team. On average, agency networks were half as likely to be hacked. Below are the top five malware magnets.

Media | Publishing firm networks were almost four times as likely to attract malware as the average enterprise network.

Pharmaceutical and Chemical | Drug company systems were three times more at risk.

Aviation | Airline networks were more than twice as likely to be infected.

Transportation and Shipping | Transport and mailing systems were at two times the risk.

Manufacturing | Industrial systems were just under double the risk.

- Aliya Sternstein

Thinkstock

Building Brain Hacks

Detailed soldier scans could alter the neuroscience of national security.

Scientists funded by the Defense Department have announced a breakthrough that could allow researchers to create in 220 days an extremely detailed picture of the brain that previously would have taken 80 years of scans to complete.

The military has been looking to build better brain hacks for decades, with results that ranged from the frightening to the comical. This latest development could revolutionize the study of the brain, but also the national security applications of neuroscience.

Scientists at Stanford University who developed the new way to see the brain in greater detail, outlined in the journal Nature Protocols , said that it could mark a new era of rapid brain imaging, allowing researchers to see how parts of the brain interact on a cellular level.

Instead of sensing electrical activity through EEG or observing hemoglobin flow under functional magnetic resonance, called fMRI, the Stanford researchers’ technique uses light to reveal causal relationships in the circuits themselves.

The military’s research into brain science has produced some bizarre results, such as the DARPA “roborat,” a rat that had electrodes implanted into its motor cortex allowing researchers to manipulate direction and movement.

There have also been some big hits.

One program yielded some remarkable insight into the potential for better soldier performance through focused brain states. “It turns out the expert marksman has a brain state,” Amy Kraus, a former DARPA program manager, told a group at the Potomac Institute for Policy Studies.

One of the most significant near-term applications of military-funded neuroscience is observing the effects of combat on service members. “How much risk can we expect them to take over a lifetime?” Jonathan D. Moreno, University of Pennsylvania professor and author of Mind Wars , said at the Potomac Institute. “How much medication? How many devices? How much change in their behavior, through direct manipulation of their brains?”

-Patrick Tucker

Listen, Employees Want More Talk

Employee satisfaction with communication from agency leaders about goals and projects
in their organizations has declined during the past four years, according to a report from
the Partnership for Public Service. The satisfaction score for communication fell to 50.2
(out of 100), according to the group’s new analysis of responses to three questions on the latest Federal Employee Viewpoint Survey. The top-ranked agencies in communications
by leaders were NASA, the intelligence agencies and the Treasury Department. The worst
communicators were the Homeland Security, Interior and Agriculture departments.

54.1 - Leadership communication score in the 2009 Federal Employee Viewpoint Survey

50.2 - Leadership communication score in the 2013 survey

]]>

The Snowden Effect

Aliya Sternstein — Wed, 09 Jul 2014 16:00:00 -0400

Revelations last year that the National Security Agency is collecting Americans’ telephone metadata soured some people’s opinions about the U.S. intelligence community, but they apparently haven’t affected the views of many computer security professionals.

Anecdotal evidence suggests that leaks by Edward Snowden, the former systems administrator and contractor with the National Security Agency, have not hindered efforts to recruit or retain cyber staff at the three-letter agencies. Instead, the disclosures actually might have helped intelligence agencies attract computer aficionados by spotlighting the agencies’ bleeding edge technology.

“We have had no indication that cyber pros have any reticence about working for the government,” says Mark Aiello, president of Massachusetts-based Cyber 360 Solutions, a staffing firm. “It is probably the opposite, and mostly for the opportunity to work with some advanced tools or techniques. The Big Brother aspect is appealing if you are the watcher, not the watched.”

Justice Department Chief Information Security Officer Melinda Rogers says the attention to agencies’ cyber activities may pique the interest of potential recruits. “And that’s our responsibility as hiring managers to make sure that they understand the importance of the mission.”

Multiple East Coast cyber recruiters say none of their prospective hires has mentioned Snowden as a factor in their career considerations. Nor have cyber headhunters, who place departing government pros in industry positions, seen any increase in federal personnel heading for the exits.

“I normally hear regularly from people who want to leave. I haven’t seen an uptick at all,” says Kathy Lavinder, founder of Maryland-based Security and Investigative Placement Consultants. “I think there’s just always a steady stream of people who want to leave after X amount of years. And I think for the NSA, there are people who go there to get the experience to have that on their resume.”

Deborah Page, a Virginia-based executive search consultant with the McCormick Group who specializes in information security job searches, says, “We aren’t seeing any challenges at the moment” with recruiting talent in the wake of Snowden, “or at least I’m not.”

A Blow to Morale

The Snowden leaks might not have hurt recruiting or led to an exodus of talent, but the publicity they generated certainly had an impact, says Christina Ayiotis, a computer science faculty member at the George Washington University. “Morale was severely affected at NSA,” she says. “While there may be disagreement regarding whether actions were legal or not, the vast majority of employees were doing the work they always do, believing it was protecting the country. The negative impact has been in their productivity levels, I’m sure.”

While the intelligence community ranks among the best places to work in government in surveys by the Partnership for Public Service, employee satisfaction and commitment dipped from 71 percent in 2012 to 67 percent in 2013.

Nonetheless, job seekers appear undeterred.

CIA spokesman Christopher White says more than 80,000 people applied for jobs with the agency in 2013, an increase over the previous year although he would not disclose how many people applied in 2012. “What I can tell you is that recent leaks have not impacted our recruiting efforts in any significant way,” he says.

Within the office of the Director of National Intelligence, hiring managers have seen “no notable impact to our recruitment efforts or to the number of individuals submitting applications in response to the Snowden media leaks,” DNI spokeswoman Kasey Butler says.

Officials at the FBI and the Homeland Security Department declined to comment.

At the Pentagon, the opportunity to join a “unique cyberspace mission,” which involves hacking adversaries, protecting military systems and cyber spying, continues to attract candidates, Defense spokeswoman Lt. Col. Valerie Henderson says. “Recent media attention to the work cyber professionals perform provides an opportunity to correct distortions and present the facts on the critical value of this work,” she adds.

As for the elephant in the room, NSA Director Adm. Mike Rogers said recently at a Reuters cybersecurity summit that the agency had seen some impact on recruiting and retention, in certain areas: “In general I would say not to the point where it’s really impacted our ability to recruit the right people,” Rogers said.

Regarding retention, he pays particular attention to younger staff with three to five years training, “who have a skill set that is readily transferable to the outside world,” he said. “I have not seen significant loss that I would attribute to the current environment. Now, does that mean I’m going to sit here and tell you we haven’t seen any loss?

No . . . I think it just goes to the workforce believes in what they’re doing.”

]]>

Cyber Medic

Aliya Sternstein — Fri, 09 May 2014 10:28:07 -0400

After the flubbed debut of the HealthCare.gov website, Kevin Charest, chief information security officer at the Health and Human Services Department, knew he had to roll up his sleeves alongside the people who make the agency’s programs work.

“In many ways my job has been to set policies at the department level that then can be translated and adhered to at the local level,” he says. When lawmakers grilled him and another agency official on security vulnerabilities in the
online health insurance marketplace, it became clear he was not part of the operations side of the project, Charest admits.

“Here are two guys being asked to testify, but they were not involved in the design and implementation and security decisions associated with the thing they are testifying about,” he says.

Now Charest is much more attuned to managers on the front lines. “I think there’s been an awakening that we’re partners,” he says. “I’m not the boogeyman. And, in fact, when and if something does happen, it’s the department that has to bear the brunt of that.”

He acknowledges that the linkage between HealthCare.gov and networks in other federal agencies, local governments, companies and homes nationwide creates a bull’s-eye for identity thieves. But that interconnection also creates a nexus for information sharing, he says.

The upside: HHS improves the security of that entire sector with a single signal of an incoming threat, Charest says.

“The more interconnected we all become, the more we better make sure that we’re all doing our very best to defend this infrastructure,” he says. “We’ve seen a rash of threats hit the retail community over the last few months. We don’t want to see a similar thing happen in health care.”

]]>

Cyber Arms Control

Aliya Sternstein — Fri, 28 Mar 2014 09:40:59 -0400

Federal agencies during the next several months must work together on guidelines for controlling the trade of cyberwar technology. That requirement, made by Congress in late 2013, is sure to raise a host of legal, technical and operational challenges.

In programming, a cyber weapon often refers to malicious code that takes advantage of a software glitch called a “zero day,” to insert itself and manipulate data. For example, Stuxnet, an alleged U.S-Israeli cyber weapon, upended Iran’s nuclear program by exploiting a flaw in the country’s centrifuge systems.

The concern in Congress is that war worms, let loose in the black market, are being sold to the public and overseas aggressors.

The 2014 National Defense Authorization Act that lawmakers cleared in December 2013 requires federal departments, with input from industry, to devise “intelligence, law enforcement and financial sanctions” mechanisms to “suppress the trade in cyber tools and infrastructure that are or can be used for criminal, terrorist or military activities while preserving the ability of governments and the private sector to use such tools for legitimate purposes of self-defense.”

The law also directs the Obama administration to address the problem at the international level, an effort that began late last year. In December, the Financial Times reported that 41 nations, including the United States, Russia and Germany, were close to a deal that would equate sensitive cyber technologies to traditional arms under one of the world’s key agreements on weaponry export control. The revised terms for the Wassenaar Arrangement, as of January 2014, now include controls on “surveillance and law enforcement/intelligence gathering tools and Internet Protocol (IP) network surveillance systems or equipment,” which might damage international and regional security.

In a seemingly complementary maneuver, the U.S. defense authorization package calls on the administration to craft “principles for controlling the proliferation of cyber weapons that can lead to expanded cooperation and engagement with international partners.”

But Congress did not define what a cyber weapon is, making it hard to compare the two initiatives.

By fall, agencies must deliver recommendations for damping the proliferation of cyber weapons, including a draft statement of principles and a review of applicable legal authorities.

Some legal experts call the concept of cyber arms control impractical.

“In the physical world, the production of weaponry is restricted by the need for an industrial base. In cyberspace, weapons are bits and bytes and produced as intellectual property,” Paul Rosenzweig, a Homeland Security Department official during the George W. Bush administration, wrote on the Lawfare blog in July 2013. “With such an ease of manufacture (comparatively) and a global market, there seems to be precious little prospect for an arms-control type approach to eliminating the trade.”

Cyber weapon vendor and federal contractor Endgame Systems reportedly offers customers 25 zero-day exploits a year for $2.5 million.

Rosenzweig calls Congress’ proposal for cyber weapon nonproliferation “notably off target,” adding that “while the objective is certainly noble, I suspect the effort will be relatively unsuccessful.”

]]>

The Whale Whisperer

Aliya Sternstein — Tue, 21 Jan 2014 11:36:00 -0500

David Wiley, a biologist at the National Oceanic and Atmospheric Administration, spearheaded development of an app that pinpoints, on digital nautical charts, places where ships might collide with endangered North Atlantic right whales. Only 500 of the mammals remain. Their biggest threat is boats.

To protect the species, NOAA restricts speed limits and boundaries. Those barriers, however, are invisible in the ocean unless mariners have access to dynamic maps. With NOAA’s Whale Alert app mariners can simply swipe an iPad or iPhone screen to see the no-go zones.

“It’s designed to make it easier for the maritime community to comply with the ship-strike rule,” Wiley says. “Obviously, the more compliance, the more likely we are to have a conservation benefit.”

As of Dec. 6, there had been no fatal collisions in the regions charted by the app since its 2012 launch. And with funding from donations, the tool required only a small government investment.

Wiley went through unofficial channels to make all this happen. NOAA never signed off on the app. The field scientist didn’t know about federal Web management rules. But after the fact, no one is likely to deactivate such a life preserver.

For fostering technology that saves lives, money and time, Nextgov honored Wiley with a 2013 Bold Award.

Next up: A universal Ocean Alert app.

“We’re hoping to evolve Whale Alert into Ocean Alert, because there are similar problems everywhere in the ocean,” Wiley says. “For instance, there are some areas where shippers need to burn different fuels because of air pollution regulations, and they need to know where they are relative to those zones as well.”

]]>

Can You Save the Whales With a Smartphone?

Ross Gianfortune and Aliya Sternstein — Fri, 20 Dec 2013 09:30:00 -0500

Listen to the story:

Download this episode | Subscribe on iTunes

One of the rarest large animals on the planet, the North Atlantic right whale can grow up to 59 feet long. These migratory whales tend to stay close to peninsulas and near continental shelves to feed. Hunted to near-extinction, the whales were one of the first species to come under the protection of the federal government in the 1930s.

With laws against whaling and the industry dying, the the no. 1 mortality factor among the endangered whales has shifted to ship strikes. The National Oceanic and Atmospheric Administration has created a ship strike rule that requires ships slow their rate of speed in particular areas of the ocean so the whale coexist with the ships. But the species remains in trouble.

David Wiley, a NOAA researcher, was integral in making ship crews more aware of the whales and the ship strike rule with the development of Whale Alert. The mobile app provides mariners the most current information available to reduce the risk of collisions between ships and right whales.

"What we're trying to do is display that rule in a way that makes compliance with it easier," Wiley said.

Nextgov honored Wiley with a 2013 Bold Award in November for his work on Whale Alert. At Nextgov Prime 2013, Wiley spoke with senior correspondent Aliya Sternstein about the app and its contribution to conservation of the whales. Wiley said the captains of the ships pose the greatest risk, but it can be mitigated if they can understand how to comply with the rule.

"We think understanding and displaying the rule as simply as possible will lead to the greatest compliance," Wiley said. "And if you have great compliance, you have great conservation."

]]>

Tech Roundup

Aliya Sternstein, Bob Brewin, and Joseph Marks — Fri, 15 Nov 2013 00:00:00 -0500

Game On

Building an educational game for a smartphone or tablet is a pretty tall order for federal agencies. It has to be sufficiently engaging so it doesn’t wilt when compared with apps from private sector leaders such as Zynga. But you can’t ramp up the fun by compromising the app’s educational value or you’ll shortchange young learners and fail to fulfill the agency’s mission.

One app that crosses both these high bars is Solve the Outbreak, an iPad game developed by the Centers for Disease Control and Prevention. The reviewers in Nextgov’s apps rating project gave it 4.5 points out of 5, making it one of the highest scoring apps in the project’s two-year history.

The app presents players with real-world disease outbreaks and teaches them about epidemiology and data analysis as they make decisions about how to respond. Along the way, players earn points until they reach the rank “disease detective.”

Our reviewers thought the app was educational enough to be used in a classroom and fun enough to hold high school students’ interest—a high bar as anyone who’s spent much time with adolescents knows.

“This is the type of learning I love for kids to have,” says Ted Chan, founder of Practicequiz.com and chief technology officer of Cook123.com. “It teaches that a lot of the math, biology, science and statistics concepts they are learning have meaningful applications.”

The reviewers’ only criticism of the app was that it’s only available on the iPad.

For more information, check out Nextgov’s Building Better Apps project at www.nextgov.com.

Joseph Marks

Glass Half Empty

Federal agencies for 15 years have been unable to move cybersecurity off a list of the government’s most imperiled initiatives, with a new audit revealing a declining number of agencies—half—do not annually train employees on security.

Perennial weaknesses in network security endanger national security because of the pervasiveness of the Internet and sophisticated cyber threats, according to a Government Accountability Office report released in September.

In fiscal 2012, 12 of the 24 major federal agencies provided annual security awareness training to at least 90 percent of their network users, compared with 22 agencies the prior year.

These and other “weaknesses show that information security continues to be a major challenge for federal agencies,” the audit states. “Until steps are taken to address these persistent challenges, overall progress in improving the nation’s cybersecurity posture is likely to remain limited.”

Aliya Sternstein

Testing 1,2,3

Contractors that helped develop the Obama administration’s troubled online health insurance marketplace say the Centers for Medicare and Medicaid Services, which oversaw the project, performed only two weeks of testing before going live on Oct. 1.

That’s significantly less testing time than usual for major Web applications, representatives from HealthCare.gov contractors CGI Federal and QSSI say. They declined to say how much time should have been allocated.

CGI played a major role in building Medicare.gov, for which it had several months of testing, says senior vice president Cheryl Campbell.

Joseph Marks

NSA Needs a 12-Step Program

Since Edward Snowden started leaking details on how the National Security Agency gobbles up exabytes of data worldwide, it has become increasingly clear that it has an unhealthy addiction.

NSA chief Keith Alexander has said the agency needs to collect “haystacks” of data in order to detect terrorist needles, an effort The Washington Post says “occasionally threatened to overwhelm storage repositories, forcing the agency to halt its intake with ‘emergency detasking’ orders.”

Those are real signs of addiction. The explanation for this spying—everyone does it—is an excuse used by alcoholics on the 10th beer of the evening while everyone else at the bar slowly sips their second.

I’m not suggesting NSA go cold turkey, but it might try tapering off—a terabyte at a time.

Bob Brewin

]]>

Sensory Overload

Aliya Sternstein — Tue, 01 Oct 2013 00:00:00 -0400

The need for robotic eyes on the border seems like a no-brainer for most lawmakers negotiating immigration reform and border security, but calculating costs and cameras per mile might not prove so easy.

Until directed otherwise by Congress, the Homeland Security Department is moving ahead with a $465 million plan to remotely watch eight areas in Arizona that brush up against Mexico.

The multiyear project aims to dot the state with video surveillance turrets that can spot illegal activity, such as human and drug trafficking. The towers are part of a second attempt at a virtual fence, after an earlier go exhausted
$1 billion. Conceived in 2005, the Secure Border Initiative network was to be a series of one-size-fits-all interconnected
towers flanked with cameras. But the dynamic border environment tripped up the cameras and the project was abandoned in 2011.

This time, DHS officials say they will station towers only where cameras have clear visibility in Nogales, Ariz., and then add more in Sonoita, Douglas, Casa Grande, Ajo and Wellton—for a total of up to 50 towers, funding permitted. A contract is expected to be awarded by the end of the year. Functioning SBInet towers in Tucson and Ajo will remain.

In August, Rep. Mike McCaul, R-Texas, took House colleagues on a tour of the Southwest to show them where surveillance equipment, checkpoints and other border controls are situated. McCaul is chairman of the Homeland Security Committee, which passed border security legislation this year.

The bill McCaul sponsored would leave decisions about where to place border equipment up to experts from all levels of government who know best how much is needed and where, committee aides say.

For years, “resources have dictated the strategy instead of a strategy dictating what resources are provided,” McCaul told Government Executive in an email. His measure would require DHS to create a national strategy for gaining control of the border.

Right now, “we have patched up individual holes—causing illegal immigration to shift to less fortified sectors instead of stopping it altogether,” McCaul says. San Diego uses fences. Arizona uses drones and surveillance cameras on poles. And in Texas, there is a lot of unsecured space.

“The fence in the San Diego sector has pushed illegal immigrants off the California coast through our maritime borders, and advanced technology and increased enforcement in the Tucson sector has caused apprehensions to skyrocket in the Rio Grande Valley,” he says. “Today, even the most fortified sectors are full of gaping holes.”

Everything in the legislation is wrapped around achieving a 90 percent apprehension rate, aides say. By drawing up a plan first, the thinking goes, lawmakers will know which tools are necessary to get there.

“The national strategy must be presented to the Congress—using technology, fencing and manpower, and with input from local communities, ranchers and landowners,” as well as government officials, McCaul says. “If Congress sees capability gaps in the plan, we will demand changes.”

Not all of the new surveillance tools would require new funding. By redeploying unarmed military drones and robots brought back from Iraq and Afghanistan, Homeland Security could acquire additional gear at no additional cost—except for shipping fees.

On the Senate side, lawmakers already have settled on a recipe for gadgets and gizmos to tighten border control. Comprehensive immigration legislation passed in June calls for 50 integrated fixed towers in Arizona, more than 30 in Texas and three in San Diego. Other equipment would include 205 handheld thermal imaging systems or night vision goggles for the Rio Grande Valley and 19 license plate readers in Laredo, Texas. Combined with law enforcement and fencing costs, the border security tab for the Senate plan would be $46 billion.

Some former federal immigration officials have voiced concerns that the technology proposals will duplicate ongoing efforts, like the virtual fence.

Doris Meissner, who was commissioner of the Immigration and Naturalization Service during the Clinton administration, says lawmakers are overlooking DHS’ accomplishments in high-tech surveillance during the past five years—accomplishments taxpayers have already paid for.

“There is such a great deal of investment that has already taken place along the border, with a tremendous amount of support, bipartisan support, through the appropriations process,” says
Meissner, now a senior fellow at the nonpartisan Migration Policy Institute. “SBInet really failed, and it was a very large expenditure of money, most of which didn’t pay off. But they did learn from it, and they have since been employing these technologies that are available on the market.”

Plus, Congress better provide more human eyes in the courthouses to keep up with what the robotic eyes are observing, some immigration attorneys say.

“Sequestration is already harming our courts here. Who is going to be available to defend or prosecute all of the illegal entry cases? What I see is disjointed optical placations,” says
Kathleen Campbell Walker, an El Paso-based lawyer with Cox Smith.

]]>

Tech Roundup

Aliya Sternstein, Bob Brewin, and Joseph Marks — Sun, 01 Sep 2013 01:00:00 -0400

Chasing Ghost Viruses

After detecting malicious software in system components at Commerce Department headquarters, federal officials in 2012 disconnected the Economic Development Administration’s computer infrastructure, annihilated $170,000 worth of equipment and cut off staff email and website access nationwide, according to an inspector general audit released in late June.

The response was overkill. It turns out there was no widespread malware infection—something officials learned more than a year later, after the IG informed them.

The chain of destruction began in late 2011, when the Homeland Security Department notified Commerce about possible worms in the department’s systems. Commerce traced the problem to parts on the headquarters’ network that support the Economic Development Administration. Believing the issue was widespread, EDA in January 2012 asked Commerce to disconnect its systems from the network, which cut access to email for all agency employees and prevented field office personnel from accessing other vital applications as well.

Officials then began demolishing computers, printers, TVs, cameras, computer mice, keyboards and other IT parts. In April 2012, the agency brought the workforce back online using alternative services, but the demolition continued for four more months—until the agency ran out of funds. In total, EDA spent more than $2.7 million—over half of its fiscal 2012 IT budget—on recovery efforts, the IG found.

One cause for the confusion: The Computer Incident Response Team member assigned to the job was unqualified. Rather than hand the agency a list of possibly infected components, the employee mistakenly provided a roster of 146 components within the network, only six of which were actually contaminated.

- Aliya Sternstein

The Eyes Have It

New federal guidelines on iris recognition allow the Homeland Security Department to proceed with a $100 million plan for modernizing employee badges.

Following the Sept. 11, 2001, terrorist attacks, Congress passed legislation requiring that government personnel have smart card credentials to access all government buildings and networks. In May, DHS began searching for a contractor to replace the department’s fingerprint identification system with more cutting-edge technology, such as iris matching capabilities. But there was no consistent way to exchange eye images between cameras and card readers.

That changed in July after the National Institute of Standards and Technology finalized guidelines for incorporating iris scans into employee IDs.

As of July 3, DHS expected to spend up to $102.8 million to provide staff with upgraded biometric smart cards during the next decade, according to contract filings.

- Aliya Sternstein

Lagging IT Reform

Rep. Gerry Connolly, D-Va., lashed out at federal technology leaders for being slow to adopt cost-saving reforms laid out early in the Obama administration—such as consolidating data centers and shifting data to computer clouds—and for inadequately reporting on progress.

“My hope is that as we move forward all of us can try to find ways to encourage and exhort and pressure the federal government to come into the 21st century with management changes and allocation and investment changes that will better serve the country,” he said.

- Joseph Marks

China Loves the Navy’s GPS Landing System

I did a Google search for some background information on the precision GPS landing system the Navy used to help guide its unmanned X-47B to a carrier landing, and one of the first hits to pop up was a paper by three authors from China’s Naval University of Engineering.

The paper, presented in May at a conference in Wuhan, China, goes into great detail about the landing system. I wondered where China obtained so much information about a U.S. Navy program, until I stumbled across a 2010 Naval Air Systems Command presentation, which included many of the details used in the 2013 China report.

The authors even included the same graphic used by the U.S. Navy in 2010 to illustrate how the precision guidance system works.

Too bad NAVAIR can’t copyright its slide decks.

- Bob Brewin

]]>

Beyond the Breach

Aliya Sternstein — Sun, 01 Sep 2013 00:00:00 -0400

When hackers in 2011 penetrated a contractor’s computer containing the Social Security numbers of 123,000 federal employee retirement plan participants, fund administrators were unaware of the intrusion, had neglected a series of security audit recommendations, and had no legal recourse against the vendor.

Today, a year after learning of the incident, the Federal Retirement Thrift Investment Board is willing to pay the price for stronger security. There is also a new contractor taking over early next year.

Unfortunately, the Thrift Savings Plan break-in is not an exceptional case. Government systems nationwide, even those maintained by the Homeland Security Department and security contractors like RSA, are compromised every day. And the same episode could happen again at the TSP or any place else. But next time, TSP staff should be better positioned to detect something is amiss, rather than hear about it after the fact from the FBI.

Information technology audits obtained through the Freedom of Information Act, an examination of contract language, and interviews with TSP officials and congressional aides depict an organization in which security measures, in general, were implemented after the fact. A lengthy period elapsed between the time of the breach and the time Serco, the vendor whose network was attacked, found out what happened. In July 2011, intruders successfully targeted the computer of a Serco employee who helped keep track of participant accounts. It was not until April 2012 that the FBI informed Serco and TSP of the incident.

“The investigation into the data taken from the Thrift Savings Plan required months of intensive forensic analysis by FBI personnel from multiple field offices and headquarters divisions because the methods behind the intrusion were sophisticated,” bureau officials said in a statement. “Then the FBI had to execute a legal process that involved outside entities, information that also took time to develop and receive.” Officials said they were unable to discuss how the intrusion occurred.

Alan Hill, Serco’s senior vice president for corporate communications and government relations, portrays the contractor and TSP as “victims of a sophisticated and targeted cyberattack.” When pressed, he acknowledges they could have taken more security precautions.

Serco maintains a heavy footprint in the government, with more than $450 million in federal contracts last year alone. Federal officials this summer awarded the Reston-based firm a potential $1.2 billion contract to support recordkeeping for the nationwide health insurance exchanges created as part of the 2010 health care overhaul Rep. Darrell Issa, R-Calif., chairman of the House Oversight and Government Reform Committee, has criticized the selection of a company that was unable to prevent the exposure of hundreds of thousands of retirement plan records. Hill says Serco’s responsibilities primarily involve processing paper applications and do not include maintaining IT systems or networks for the exchanges.

Lack of Controls

It’s worth noting there is no evidence the hackers got into TSP’s network. The compromised machine resided on a Serco-owned network dedicated to TSP operations. And as of mid-July, there was no indication the intruders tried to divert funds or commit financial fraud. But their ambitions might be even more serious, several cybersecurity experts say. “It is important to point out that this company is intimately involved in servicing the U.S. government. We have seen many attacks originating from China against data providers trying to get personal information on military personnel—that very well could be what happened here,” George Kurtz, a former McAfee chief technology officer now at cyber forensics firm CrowdStrike, said after the 2012 revelation.

Most security specialists use the word “sophisticated” to refer to hacks that are targeted and intent on extracting specific information. In one such maneuver, intruders stole RSA’s proprietary login technology to gain access to RSA-protected defense company networks, including those at Lockheed Martin Corp.

James Lewis, a cybersecurity analyst who advises the Obama administration and Congress, said following the TSP’s announcement he had the impression that “at least one smart country is building a database on [U.S. government] employees, using things like TSP and social networks.” But, he added, “it’s hard to believe they didn’t go after any money.”

During the past year, data entrusted to contractors at several major departments has been exposed. DHS recently discovered that personal details on employees holding security clearances had been unprotected since 2009 because of a glitch in the software a contractor was using. The General Services Administration did not know about the leak of federal contractors’ personal and proprietary information held in an IBM-managed database until a good Samaritan user, whose own information was at risk, told the agency.

Months before the TSP incident, agency officials recognized they were not dedicating enough effort to system protections. “TSP still has a significant amount of work to do as far as the documentation of safety and security procedures,” agency executive director Gregory T. Long stated, according to April 2011 board meeting minutes. Seven months after the TSP breach, but before it became public, auditors from the Labor Department’s Employee Benefits Security Administration and KPMG described the TSP’s oversight of computer access and security controls as a “significant matter.”

Computer safeguards continued to be a sore spot up until the breach became public. Meeting notes from early 2012 state that Ian Dingwall, chief accountant for the Employee Benefits Security Administration, “expressed concern that not all recommendations related to technology concerns had been addressed by the board.”

Security was still an outstanding issue the month TSP officials learned about the infiltration. Notes from an April 2012 board meeting say that external auditors had “identified 18 policies related to IT controls that were not approved or implemented to date.” Auditors discovered nine inactive accounts on a recordkeeping system, and several former TSP employees did not have system access revoked immediately after leaving the organization.

A Senate Homeland Security and Governmental Affairs Committee aide told Government Executive that congressional staff felt board members knew about security problems before the assault and didn’t do enough to strengthen defenses.

The board “rejects the contention that our system security was weak,” TSP spokeswoman Kim Weaver says. “The open audit recommendations deal primarily with process and documentation—operational and management controls—not with the technical controls required to provide security to modern federal computer systems.” She acknowledges, however, that previously, the board might have underspent on security.

The board’s budget is funded through participant fees. Last year’s board wanted to reduce operating costs, including security expenses, Weaver says. The board “was hampered in its ability to address the open findings more aggressively because of budget constraints,” she says.

The new board has boosted the operating budget, “which enables us to make significant progress toward closing outstanding audit findings, which is a top priority,” Weaver explains. Between 2011 and 2012, the TSP consisted of about 100 full-time employees and a budget that grew by less than $20 million, from $128 million to $143 million. Now, 143 employees are on staff and funding has increased to $171 million.

Security After the Fact

Some of the steps TSP has taken since the incident could serve as a guide for agencies that haven’t yet been hit, cyber researchers and agency officials say.

“Attacks such as the one that happened are always going to happen. There’s no way to prevent them. It’s how are we going to respond, early on,” says Jay Ahuja, the TSP’s chief risk officer. His position and office of seven employees are new. In addition, the agency now has a chief information security officer, with whom Ahuja meets weekly. Other new positions include three information systems security officers.

The major lesson the board drew from the strike is the “need to improve the segregation of our systems” by customizing access rights for each user and heightening the protection of more critically sensitive data, Weaver says.

“It looks like a classic example of an organization that didn’t focus on security and had only rudimentary controls in place,” says Ed Skoudis, who estimates that more than 90 percent of the breaches he has examined as a computer forensics expert witness involved a lack of segmentation. Skoudis is the founder of Counter Hack Challenges, which constructed “CyberCity,” a 3-D model town that agencies and businesses use to practice securing power grids and other critical industry networks.

Describing the audit criticisms “as merely process and documentation shortcomings instead of technical is a lame excuse on their part,” he says. “Without good documented processes, even security that, through luck, is accidentally good over the short term decays rapidly.”

TSP officials disagree that fundamental security was lacking. “We are continuously making improvements to our security posture and architecture,” Weaver says. After the incident, Serco took “corrective actions” to strengthen information protections and limit the likelihood of another intrusion, she adds. Serco will be running the system until Oct. 1 and then help shift the job to a new vendor, Science Applications International Corp., until February 2014.

“If this board had stronger oversight on [Serco] this could have been avoided,” a Homeland Security and Governmental Affairs Committee aide says, referring to the extent of the damage.

Read the Fine Print

The TSP’s original $32 million recordkeeping agreement with Serco did not include contractual remedies in the event of a data breach. “That is a subject area that has been significantly altered in the new contract with SAIC,” Weaver says.

The deal with Serco included just three sentences on security requirements, according to documents reviewed by Government Executive. One provision barred the contractor from disclosing details about system protections. Another stipulated that Serco must create an inspection program to safeguard government data, and allow government officials to see Serco’s technical operations. The third was a breach notification clause that required Serco and the agency, in the event of a threat, to “immediately bring the situation to the attention of the other party”—which Serco did.

It has been standard industry practice for more than five years to spell out security requirements for contractors, Skoudis says, adding that clauses should be reviewed each time a pact is updated. “Contractors increasingly handle and store a lot of sensitive information on behalf of government agencies. They need to have just as stringent security controls as the agencies themselves,” he says.

Hill says Serco continually makes cybersecurity enhancements to deal with ever-evolving threats. “Serco remains confident of the safety and security of its systems. Through continuous monitoring and improvement, Serco is vigilant in safeguarding the information and systems with which it is entrusted, and we take cyberattacks very seriously,” he says.

Weaver says the new agreement with SAIC spells out data breach stipulations at length, including who bears what costs, and includes provisions regarding continuous background screening of personnel and security training. The six-year, $227 million deal was awarded Aug. 9.

But, she adds, “Given the sophisticated nature of the attack, it’s extremely unclear whether the attack would have been prevented even if all open audit recommendations had been fully implemented.”

]]>

Cloud Control

Aliya Sternstein — Thu, 01 Aug 2013 01:00:00 -0400

A program aimed at simplifying the required security documentation for cloud companies is more of an obstacle course than an access way into the government sector, some agency and industry officials say.

The Federal Risk and Authorization Management Program, or FedRAMP, has blessed only five out of about 100 vendors applying for certifications that affirm their Web services are safe for agencies governmentwide. All cloud providers interested in selling technology to agencies must comply with FedRAMP controls, such as data backups, by June 2014.

Federal officials say part of the reason for the low passing rate is the rigor of the criteria. FedRAMP bills itself as a standardized approach to cloud security assessments, authorization and monitoring. The idea is for companies to endure the process once and then not have to undergo separate evaluations by each agency customer, officials say.

“Every cloud provider we’ve worked with has been completely blown away by the level of effort that it takes to do this,” says FedRAMP program manager Matthew Goodrich. “While the first lift is going to be incredibly hard, you don’t have to do that lift again . . . Once it’s done once, there’s not repeated questions, there’s not additional things to ask.”

However, agencies still need to meet other security prerequisites after a company’s service is approved to activate the cloud technology. For instance, a FedRAMP-authorized cloud does not provide certain access restrictions mandated by regulations under the 2002 Federal Information Security Management Act, or FISMA. To meet those requirements, an agency must add more security components, as such as two-factor authentication and the ability to record Web sessions.

Meanwhile, agencies that are uneasy with any answers they see in FedRAMP documentation can ask the vendor to undergo additional scrutiny, or refuse to accept the contractor at all.

Kevin Dulany, chief of risk management oversight for the Pentagon’s office of the chief information officer, cites Amazon as an example. The server giant clinched a FedRAMP authorization in May.

“I’m going to use your security artifacts and that body of evidence for me to make my own risk decision,” he says. “My process is going to be about a two-week process of verification, and I’m going to make my own decision.” And the judgment, he adds, might be that “I can’t accept that risk based upon my own operational mission needs.”

In Dulany’s hypothetical situation, even if he chooses to accept Amazon’s security level, the system still would need more controls, according to Amazon’s business collaborators. So the Web services industry is not convinced that FedRAMP makes security assessments more efficient.

“It certainly runs the risk of being a process that drags everybody down,” says Mike Hettinger, a director at the Software and Information Industry Association. The small number of approvals reflects the difficulty of the method, he says.

Officials at the General Services Administration, the agency running FedRAMP, say documents illustrating how cloud providers meet federal security requirements and any associated risks will differ among providers.

Officials acknowledge that even with FedRAMP, by order of FISMA, agencies still must apply a risk management framework, as well as select, implement and assess appropriate controls.

]]>

NSA's Big Dig

Aliya Sternstein — Thu, 01 Aug 2013 00:00:00 -0400

He works at one of the three-letter intelligence agencies and oversees construction of a $1.2 billion surveillance data center in Utah that is 15 times the size of MetLife Stadium, home to the New York Giants and Jets. Long Island native Harvey Davis, a top National Security Agency official, needs that commanding presence. His role is to supervise infrastructure construction worldwide for NSA, which is part of the Defense Department. That involves tending to logistics, military installations, as well as power, space and cooling for all NSA data centers.

In May, crews broke ground on a $792 million computing center at the agency’s headquarters near Baltimore that will complement the Utah site. Together the Utah center and Maryland’s 28-acre computer farm span 228 acres—more than seven times the size of the Pentagon.

During an interview with Government Executive in June, amid the uproar over leaked details of NSA’s domestic espionage activities, Davis describes the 200-acre Utah facility as very transparent: “Only brick and mortar.” A data center just provides energy and chills machines, he says.

About 6,500 contractors, along with more than 150 Army Corps of Engineers and NSA workers, including some with special needs, are assigned to the project. Davis perks up when he talks about the hundreds of individuals with disabilities he has steered into NSA.

But ask him why the facility is so big and what’s inside, and he is less forthcoming. “I think we’re crossing into content. It’s big because it’s required to be big,” says Davis, a 30-year veteran of the spy agency.

At NSA, secrecy is not exclusive to intelligence analysts. Every civil servant in the Installations and Logistics Directorate Davis leads has a security clearance. He earned his in the early 1980s, entering the agency with a master’s degree in business administration, experience managing inventory for a women’s apparel chain, and a yearning for a higher calling than retail.

For security reasons, some of the contractors erecting the data center don’t even know its purpose, other than the equipment needed—nothing about snooping. The 2010 public work solicitation called for a 65-megawatt center with a chiller plant, fire suppression systems, electrical generators and an uninterruptible power supply backup capacity.

Davis lets out that inside there will be supercomputers, or what NSA labels “high performance computers.” These need “different cooling and different power distributions as opposed to something you bought from Best Buy,” he says. The machines, along with whatever other technology is tucked in the facility, are slated to power on by Oct. 1.

Four years ago, the stated purpose of the megaplex near Salt Lake City was to amass foreign intelligence and warnings about hackers. Officials described it as an extension of President George W. Bush’s 2008 Comprehensive National Cybersecurity Initiative, a largely classified, cross-agency program to protect U.S. computer networks against adversaries. Today, it is evident the data plantation will not be linked to any one program. Instead, the systems inside will warehouse counterterrorism information collected in aggregate, including millions of Americans’ phone logs for five years and certain foreigners’ online messages, NSA officials confirm. Spies at other locations will decipher what’s accumulated to thwart terrorist attacks, cyber assaults, and weapons of mass destruction.

The Utah effort is the largest ongoing Defense construction project in the United States. Still, it is only three-quarters the size of the department’s largest in the world—the Medical Center Replacement Project at Rhine Ordnance Barracks, Germany.

His Posse

Davis is reluctant to discuss the ratio of contractors to civil service employees in Utah—a week after The Guardian and The Washington Post have reported an NSA contractor leaked Top Secret documents. Prosecutors are pursuing former Booz Allen Hamilton employee Edward Snowden for exposing files about PRISM, the agency’s foreign Internet surveillance program, and domestic call data-monitoring while he was administering NSA data systems in Hawaii.

Compared with the 6,500 contract employees, “there is a smaller number of people on my core project management team,” Davis says. An agency official in the room adds: “We can talk in total numbers here . . . We can’t get into how many are ours, how many are theirs.”

A few days after the interview, when asked why NSA’s reliance on contractors is hush-hush, agency officials released some figures. Ten people are on Davis’ core team. About 150 employees from the Army Corps of Engineers, along with an undisclosed number of employees from the 1,000-member Installations and Logistics Directorate, are involved with the Utah project. NSA considers the total sum of agency personnel staffed to certain construction projects operational details and would not provide that statistic. A small workforce of up to 200 government and contract employees—building engineers, systems administrators and maintenance workers—will stay permanently to keep the facility running.

Davis is more eager to discuss the quality than quantity of his employees. Roughly 10 years ago, while working as an NSA human resources director, he encountered an untapped talent pool that he now draws from regularly. “The disabled population is just so thankful to have a job. They would just come in here and you’d have to actually force them to go home,” Davis says. “I have engineers that are hard of hearing, and our workforce all took sign language so they could actually communicate with one another.”

Nobody waters down security clearance exercises to facilitate special needs applicants, he adds. “Somebody who was deaf, we would do polygraph in sign language,” Davis says. “What we look for is qualifications first. We have someone developing software—working on the computers—that is blind. There is really no limitation that we have found as long we can find the skill match.” At least a dozen engineers who have disabilities work in his directorate. Grounds maintenance and snow removal contractors in Utah will be hired through SourceAmerica (formerly NISH), a nonprofit organization that fits agency needs with the skills of job seekers with disabilities.

“He has integrated this into the fabric of the company,” says Joyce A. Bender, past chair of the board of the American Association of People with Disabilities, who met Davis when he decided NSA needed more diversity. “What makes this work at any company is a passionate leader, someone in leadership, whether it’s in the private sector or a federal agency,” says Bender, a Pittsburgh-based consultant who recruits people with disabilities for work in government and industry.

Her firm refers to NSA about 200 individuals annually for positions in finance, linguistics, math and other specialties. Since 2010, about 550 candidates have been hired. “If he says, ‘I’m going to do something,’ you can count on it that he is going to do it,” Bender says of Davis. “He doesn’t sugarcoat anything. He’s very direct and to the point.”

A Leak During Construction

No matter their background or how they came to NSA, civil servants and contract employees alike all serve in silence. “That’s really the culture of this agency, and we’re really not looking for big accolades,” Davis says. “What really makes the people satisfied here is that they did the job and they did it right and they’re doing things within the appropriate manner.” The mentality is that NSA operates in the dark for the safety of Americans. Some citizens, however, argue it should operate in the sunshine a little more for the safety of democracy.

The secrecy dispute is “a distraction and a weakness that has been presented by this guy,” Snowden, who should not have seen such sensitive information in the first place, says one former NSA official. “They’ve got to do some internal homework about how to keep that data separate,” the ex-official says, adding that technical controls are not very difficult to configure. “How the heck did this guy in Hawaii gain access to all that?”

Some human rights advocates are grateful for the exposure of the agency’s surveillance methods. “Communications about millions of innocent Americans are being stored for five years in a government database—whether or not there is any reason to search our call records, and I don’t think our Constitution allows that,” says Alex Abdo, staff attorney for the American Civil Liberties Union’s National Security Project.

Even some former Pentagon officials say citizens should know NSA’s intentions for the Utah data center. “When you have this much centralization of capabilities, which in government terms can translate into real power—that and resources—it’s important that the public be able to look at these things and figure out what they are doing,” says a cyber official who recently left Defense and now works as a private contractor. The official is not involved in the project and was not authorized to speak on behalf of the department.

A 2012 article in Wired reported that NSA needs the megaplex partially because the Pentagon wants to expand the military global communications network to manage yottabytes of data. “A yottabyte is a septillion bytes—so large that no one has yet coined a term for the next higher magnitude,” the article said. “Should the agency ever fill the Utah center with a yottabyte of information, it would be equal to about 500 quintillion (500,000,000,000,000,000,000) pages of text.” NSA officials told Government Executive, however, they do not discuss such operational details.

An Open House

The contents of the NSA computer fortress might be a mystery to the public, but Davis says his project has been open to congressional and industry scrutiny.

“The military construction process by design is a very, very transparent process. We work through the Corps of Engineers,” he says. “It’s a public discourse. When we give out our request for proposal, that’s through FedBizOpps.gov.” But on the website, many of the work descriptions for that project are locked behind a firewall. NSA spokeswoman Vanee Vines says the documents are restricted because “they must be accounted for and are only for cleared defense contractors.”

Davis acknowledges the controversy over his project has taken an emotional toll. “We’ve been pressured to disclose what’s been going in the Utah Data Center for quite a while independent of the current events,” he says. “My workforce and the workforce that I work with here [in Utah] take our jobs and our responsibility very, very seriously, and for somebody to say that we’re doing something untoward is a pretty big hit on the morale here.”

No matter the outcome of the debate, the Utah computers are expected to go online within two months. This is where the MBA comes in. From choosing a site, to convincing Congress to agree with blueprints to surmounting a late-in-the-game budget chop, balancing the books is key. “Utah is a wonderful place with abundant and inexpensive power,” Davis says. “Plenty of sources of water for cooling.” NSA applied a mathematical model to select the location. The surrounding environment simplified construction. “Utah, because of the facility and the utilities, just came out far and ahead of everywhere else,” he says. “Lots of good roads. We could get the steel in. We could get the concrete in. We have lots of sand pits nearby,” he says. “We built our own cement slabs in that area. It’s pretty well offset from the road for the security that we need for the data center.”

The price tag for the project is in line with industry standards, according to NSA. “It’s actually relatively cheap and I came in under cost,” Davis says, referring to $100 million in savings gained partly by refusing to let contractors adjust the plan. Penny-pinching became mandatory when governmentwide spending cuts, known as sequestration, kicked in this year.

“One of the biggest cost drivers on a project this size is something called an engineering change proposal. They really number in the tens to hundreds in a project of this size,” but one could “count on a couple of hands the numbers of change orders that we allowed to happen,” he says. “We spent a lot of time honing the requirements tightly up front, making sure we knew what we were building, building it, and not going back and changing it later.” That’s the New York strong arm talking.

]]>

Tech Roundup

Aliya Sternstein, Bob Brewin, and Joseph Marks — Mon, 01 Jul 2013 00:00:00 -0400

Data Derby

Government agencies must collect and publish new information in open, machine-readable and, whenever possible, nonproprietary formats, according to a White House executive order and open data policy
published May 9.

The idea behind the initiative is that information the government collects for the purposes of management, regulation and security can also be used by entrepreneurs to build products that aid consumers and turn a profit—much like the billion-dollar industry that has been built on government-supplied Global Positioning System information, for example.

What’s more, public access to government data can raise awareness of an issue or lead to smarter consumer choices. The website WeMakeItSafer, for example, aggregates government information about product recalls.

“Starting today, we’re making even more government data available online, which will help launch even more new startups,” President Obama said in a statement. “And we’re making it easier for people to find the data and use it, so that entrepreneurs can build products and services we haven’t even imagined yet.”

Government contractors and the open government community both applauded the executive order.

Hudson Hollister of the Data Transparency Coalition trade association notes that better maintained government data could help contractors save money by allowing them to automate more reporting and compliance processes.

“Spending and programs would become more efficient, because data standards would permit the deployment of big data analytics to find waste and fraud,” he says. “Even our capital markets would benefit, because public regulatory filings converted into open data would be a more accessible source of actionable information
for investors.”

- Joseph Marks

Secure Those Phones

The Office of Management and Budget sent agencies instructions for securing government-owned commercial smartphones and tablets in an effort to bring consistency to what had been an ad hoc patchwork of guidelines. The 104-page compilation of controls was accompanied by a manual for picking the most appropriate mobile device setup.

The instructions are part of a digital government strategy the White House laid out one year ago that called on agencies to “adopt a coordinated approach to ensure privacy and security in a digital age.”

The departments of Homeland Security and Defense, along with the National Institute of Standards and Technology, developed the baseline protocols as first steps only. Later guidance, for example, might focus on continuous monitoring of controls, cryptography, securing the data instead of the device, and ensuring data is only shared with authorized users.

- Aliya Sternstein

Savings Shortfall

An initiative to consolidate federal data centers is well short of its goal of $3 billion in reduced spending by 2015, according to the Government Accountability Office.

Only five of 24 federal agencies have reported estimated savings through 2014 and those total less than $700 million, according to the House Oversight and Government Reform Committee’s panel on government operations.

The proposed savings, which GAO expects the White House will achieve eventually, will come from moving data to computer clouds and using more efficient centers.

- Joseph Marks

The Health Records Mess

Secretary of Defense Chuck Hagel’s decision to modernize the Defense Department’s electronic health record through the purchase of commercial software looks like a setback for development of an integrated electronic health record with the Veterans Affairs Department.

Except for a passing reference, the Hagel memo makes no reference to the iEHR, and seems more of the same go-it-alone approach favored by the Pentagon.

This approach could run into serious congressional roadblocks. On May 14, the House Appropriations Committee backed language in the 2014 Defense spending bill that said no funds could be expended on any EHR project unless it is an open architecture that serves both departments.

In addition, Frank Kendall, undersecretary of Defense for acquisition, says 20 vendors have products that could meet the Pentagon’s needs—and since they all have lawyers, protests are inevitable.

- Bob Brewin

]]>

Access Denied

Aliya Sternstein — Mon, 01 Jul 2013 00:00:00 -0400

Eleven years and a half billion dollars after launching a program to secure access to vulnerable maritime facilities in the wake of the Sept. 11, 2001, terrorist attacks, federal officials have yet to significantly improve port security, auditors say.

The Homeland Security Department is set to roll out the Transportation Worker Identification Credential nationwide at a projected cost of $3 billion, plus $234.2 million for the installation of card scanners. But a federal watchdog report released May 8 advised Congress to revoke a law requiring employees to swipe the cards to enter facilities until the Transportation Security Administration can prove the smartcards and card readers actually work. TSA oversees TWIC security threat assessments.

Acknowledging that the current card reader system is deficient, some lawmakers say they are optimistic that alternative technologies can build on TSA’s legwork and succeed.

“Repealing the requirement to deploy card readers misses the point,” Rep. John Mica, R-Fla., chairman of the Oversight and Government Reform Subcommittee on Government Operations, told Government Executive in an email. “There is no reason that in the 21st century, with the federal government already utilizing this technology, TSA cannot implement a solution that allows secure access to America’s ports.” At a subcommittee hearing the day after the report came out, Government Accountability Office researchers agreed that other types of passes, like the military’s universal credential, prove the initiative has potential.

The TWIC program requires maritime workers to undergo background checks and carry biometric IDs to enter certain harbor areas without an escort. During a recent $23 million trial, Homeland Security confirmed card readers could verify identities and restrict access.

But GAO officials say the department’s findings are unsubstantiated.

At the hearing in May, Rep. Elijah Cummings, D-Md., ranking Democrat on the full oversight committee, expressed his disappointment in the program. “Those TWIC cards are nothing more than very expensive flash passes without sophisticated electronic readers to read them,” he said. “That’s sad.”

In the report, Stephen Lord, GAO director for homeland security and justice issues, said DHS officials lacked data to back the conclusion that the smartcards and scanners provide “a critical layer of port security.” During testing, the ID readers and access control systems were unable to record reasons for errors, DHS and independent evaluators failed to collect comprehensive data on malfunctioning passes, and participants did not document instances of denied access, according to the audit.

“Eleven years after initiation, DHS has not demonstrated how, if at all, TWIC will improve maritime security,” Lord wrote, adding that Congress should consider repealing a law that directs the department to base card reader rules on the trial run and instead require that DHS “complete an assessment that evaluates the effectiveness of using TWIC with readers.”

The new report follows more than a half dozen negative audits since 2003. “If you look at a poster child for programs that sort of run amok and do not get the job done, the TWIC card—as it’s affectionately known—the Transportation Worker Identification Card, is unfortunately the poster child for not producing what, I think, Congress intended,” Mica said during the hearing. “We spent a half billion dollars on this, and we’ve got a card now that is flawed, and not by my definition, but by GAO’s evaluation.”

The day the report was distributed, Rep. Bennie Thompson, D-Miss., the top Democrat on the Homeland Security Committee, said lawmakers should put off wasting additional funds on an effort that already has cost $544 million.

“The program continues to suffer from fundamental problems,” Thompson said in an email. “Port workers and industry stakeholders have invested their time, effort and money into this troubled program, holding up their end of
the bargain.”

Thompson added he supports the auditors’ recommendation that TSA re-examine the merits of the biometric passes and scanners “before the American people are expected to invest additional money in this program. We cannot continue to throw good money after bad.”

Agency officials stand by the virtues of the credential but seem open to trying other security approaches.

“It’s not a silver bullet. It’s part of our layered security,” Steve Sadler, TSA’s assistant administrator for intelligence and analysis, told lawmakers. “And I think it provides value when it’s used properly and installed properly.”

In an April letter responding to a draft GAO report, DHS officials defended the rigor of their assessment and said the department did not have enough funding to perform the type of study GAO expected.

“There were limited fiscal and workforce resources made available at participating sites,” wrote Jim Crumpacker, director of the department’s GAO-inspector general liaison office. Also, he said, the tests needed to cover a wide range of environmental conditions but avoid interfering with daily operations, which affected
data collection.

At the House hearing, Lord and subcommittee members from both parties urged Sadler to consider a different arrangement, like the Pentagon’s common access card, which functions as a standard military ID, or a model in which local ports issue credentials.

Sadler replied, “We’ll look at anything to make this pilot better and to make the result better.”

]]>

Tech Roundup

Aliya Sternstein, Bob Brewin, and Joseph Marks — Tue, 28 May 2013 09:56:18 -0400

Transparency Moves

President Obama’s fiscal 2014 budget proposal transfers control of USAspending.gov, the spending transparency website, from the General Services Administration to the Treasury Department.

The administration plans to give Treasury $5.5 million to manage the site, previously bankrolled by the congressionally mandated e-government fund, which is devoted to using the Internet to improve citizen services and access to public information.

“Treasury will conduct an analysis of the operation and information in USAspending and determine what changes in the medium or long term may be warranted,” a department spokeswoman says. “The collection of governmentwide financial management information is closely aligned with Treasury responsibilities.”

Whether the transfer from GSA to Treasury is good or bad news for transparency advocates is unclear, says Daniel Schuman, policy counsel for the Sunlight Foundation.

Congress envisioned the e-gov fund as a proving ground for technology-driven transparency initiatives, so it’s appropriate that the five-year-old USAspending should move to a permanent home, he says.

On the one hand, Treasury may be seen as a less political home for USAspending than the White House-based Office of Management and Budget; on the other hand, OMB has a better bully pulpit to force agencies to report spending and to make other transparency reforms, he says.

The USAspending transfer may leave more of the e-gov fund for other transparency initiatives such as the federal IT Dashboard, which tracks tech spending.

The president requested $20 million for the e-gov fund this year, but Congress typically appropriates less money than the White House requests.

- Joseph Marks

Budget Shift

The Defense Department has quietly shifted management and oversight of health information technology, including procurements, from the Military Health System and the TRICARE Management Activity, to Frank Kendall, undersecretary of Defense

for acquisition, technology and logistics.

One official said the move reflects frustration among senior Pentagon leaders with MHS’ efforts to procure new health IT systems, both independently and in partnership with the Veterans Affairs Department to develop an integrated electronic heath record. The departments have spent at least $1 billion during the past five years pursuing an integrated system.

The shift is a major blow to MHS and TRICARE.

Defense Secretary Chuck Hagel told lawmakers at a hearing of the House Appropriations Committee’s Defense panel on April 16 that he had taken personal responsibility for the iEHR and said in late March he had deferred a request for proposals for a new Defense electronic health record because “I didn’t think we knew what the hell we were doing.”

- Bob Brewin

CIOs Support IT Reform

Many government chief information officers think a proposed congressional overhaul that would give them broader authority over how their agencies buy information technology is a “step in the right direction,” according to TechAmerica’s CIO Insights survey.

In congressional testimony, CIOs typically avoid saying whether such budget authority would be helpful. Federal CIO Steven VanRoekel has said authority over IT spending is less important than CIOs having “a seat at the table” during agency mission discussions.

The survey found 76 percent of IT spending still goes to the operation and maintenance of existing systems, despite attempts to shift more funding to new initiatives.

- Joseph Marks

About That Job Description

In August 2010, then-Defense Secretary Robert Gates shut down the Office of the Assistant Secretary for Networks and Information Integration as one small piece of a budget cutting exercise, with a new and improved chief information officer shop taking over many of the tasks once performed by the office.

In late April, Deputy Secretary Ashton Carter sent out a memo that finally got around to transferring the responsibilities and functions of the disestablished Networks and Information Integration Office to the Defense CIO.

That memo clarified that the CIO—currently Teri Takai—will provide policy guidance on cybersecurity and gives her what looks like considerable sway over the IT budgets of the four services.

- Bob Brewin

]]>

No Dead Zones

Aliya Sternstein — Tue, 28 May 2013 09:56:09 -0400

A U.S. military officer in Seoul, South Korea, texts another officer across town on his government-issued iPhone—the same model his Boston-based teenager uses. An hour earlier, the father and son spoke on their twin gadgets using a commercial cellular frequency. Now, the officer is about to share geospatial maps of allied troop coordinates using an insulated Secret military mobile network.

Such communications on consumer smartphones could happen within a year under the Army’s commercial smartphone plan.

Across the globe, from the barracks to the battlefield, service members are testing the reliability and safety of non-BlackBerry devices, such as iPhones, iPads and Android-based products. Their efforts coincide with plans outlined earlier this year by Defense Chief Information Officer Teri Takai to support smartphones on classified and unclassified networks.

There are kinks in the wires to smooth out. The Army, for instance, does not yet have a way to combine networks carrying Top Secret information with administrative applications, such as streamed distance learning courses and supply order forms, says Mike McCarthy, head of the Army’s smartphone project.

“Right now my office looks like Best Buy because they haven’t converged yet into a single solution. I can’t do classified on the same device that I do unclassified on. So we’re working on those kinds of solutions,” he said during a Webcast presentation hosted by Government Executive Media Group in March.

McCarthy, who spoke with Government Executive in April, doubts the Army ever will reach the point of accessing Top Secret information on commercial handhelds. “But Secret and below is something that I am confident will be realized within months, not years,” he says.

Another disconnect: Sometimes overseas soldiers literally hang up on each other when commercial Internet service is unavailable or vulnerable. But there will be apps for that. Mobile tools for scrambling texts and calls already are in use at other U.S. military organizations. And the Army might procure air-based cellular stations—even drones mounted with hot spots—as workarounds.

“The answer is not just putting up towers,” McCarthy says.

An Empty Smartphone

The most secure approach would be a phone that shows no traces of its owner when not in use.

“One of the solutions we’re looking at, truly, is keeping everything off the devices—or as much off of it as we can,” he says. All communications would take place in a secure cloud network anchored to a remote data center. That way, “we don’t have anything stored on the device itself. When you need information, you’re able to reach into a cloud environment and pull that data in so that it is accessible while you need it. When you’re done with it, it goes away,” McCarthy explains. If the device is lost or falls into the wrong hands, there’s nothing to hack.

Separately, several military organizations, including Special Operations forces, are using a set of apps that code voice and texts. The software suite was developed in part by former Navy SEALs at security firm Silent Circle. “When it hits the Internet of [whatever country the user is in], it’s already encrypted. So it doesn’t matter if you’re on Iraqna or you’re on AfSat or you’re in China,” says company co-founder Mike Janke, referring to various foreign Internet service providers.

“Forget just war zones. I’m talking first-world countries that monitor their communications. How do you protect that?” he asks. The security, Janke explains, relies on disposable keys that encrypt communications as soon as they leave the device. When an officer dials or texts, the encryption happens instantly on the handset, so there’s nothing a host-nation service provider or interceptor can grab.

And the technique works on any telecom channel officers might use, on devices ranging from older cell phones to those using 4G. The apps’ encryption protocols create a unique key each time the user makes a call or sends a text. “Then, after the call, the keys are deleted. There’s nothing there. There’s no history of calls,” says Janke, a former SEAL sniper.

The group of apps for mobile calls and text messages costs nongovernment civilians $20 a month. Defense personnel receive bulk discounts that vary depending on the size of the user base, company officials say.

A Hybrid Model

Another method of making private calls really private: toggle between two types of phone connections. The local Internet service would be sufficient when commercial infrastructure is available and considered secure. When a host nation’s infrastructure is unsafe, a separate backup line would be used.

Take Afghanistan. The main service providers there are an Afghan government-owned system influenced by opposition forces and a system maintained by a Russian company, McCarthy says. So, the best choice would be to “take us off the commercial frequencies and put us onto frequencies that are controlled by the military,” he explains. These include drone hot spots. Unmanned aerial aircraft are one of many affordable proposals, McCarthy says.

“The solution is not to just lease a phone from Taliban Bell,” he adds.

One more kink: making sure every device and human user complies with these safeguards. How do organizations enforce security policies on devices that, by nature, are not centrally controlled? They work with vendors to develop so-called enterprise mobile management tools.

The Air Force Space Command, for example, has contracted with Good Technology to let employees download smartphone and tablet applications that control personal apps and allow managers to control military data. The company would not disclose the size of the contract. According to federal business databases, the Defense Commissary Agency in 2012 spent $8,009 on 45 Good Technology licenses for a “bring your own device” experiment in which employees used their personal devices.

McCarthy says the Army is considering Good’s products for Android-based phones.

According to a June 2012 Defense mobile device strategy, counter-hack techniques must work on any mobile brand and any operating system. “This is supposed to be a device-agnostic, OS-agnostic program,” McCarthy says. By the end of 2013, between 20,000 and 25,000 gadgets of various makes and models powered by various software programs should be under evaluation servicewide, he expects.

The Insider Threat

Ultimately, military mobile security comes down to personal hygiene. A Pentagon internal investigator recently chastised the Army CIO and service members for disregarding the rules on thousands of devices.

The service’s CIO “was unaware” of more than 14,000 commercial mobile devices that were in use, Alice Carey, a Pentagon assistant inspector general, wrote in a March report.

The audit reviewed a number of smartphone initiatives, including a trial that substituted handhelds for pen and paper to coordinate disaster aid. Participants could snap photos of hurricane-ravaged areas, capture the latitude and longitude, and upload the data to a military server. Security lapses occurred during these activities and others because managers did not realize the devices were connected to Army networks and storing sensitive information, according to Carey.

Meanwhile at West Point, U.S. Military Academy phones were not configured to require passwords for access. Instead, officials left it up to users to add that security layer, so 14 out of 48 mobile devices had no password protection. Also, the Military Academy and U.S. Army Corps of Engineers’ Engineer Research and Development Center failed to devise a way of wiping data drives remotely if lost, stolen or assigned to another employee.

“The Army CIO did not develop clear and comprehensive policy” for commercial devices, Carey wrote. These errors “left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data.”

In a letter responding to the investigation’s findings, Maj. Gen. Stuart Dyer, head of the Army CIO/G-6 cybersecurity directorate, said the organization agreed with the observations and “in many cases, the Army has already begun implementing improvements.”

McCarthy says the auditors did not talk to him or his program team during the inspection. But, now, his team, the Army CIO, the Pentagon’s National Security Agency cryptographers, and Defense Information Systems Agency support staff are working closely to resolve the concerns highlighted.

A key goal of the smartphone project “is to find the kinds of solutions that will provide that safe and secure environment,” as well as managed access, he says. And one day Best Buy might just carry it.

]]>

Taking a Flier on Big Data

Aliya Sternstein — Tue, 28 May 2013 09:53:56 -0400

Airline passengers might soon be subjected to probes more controversial than body scans if the Transportation Security Administration pursues plans to profile passengers based on commercial analytics.

TSA is considering letting private data brokers calculate the threat-level of fliers. Agency officials say they expect to finish exploring this approach by the end of this year. Passengers whose digital footprints check out clean wouldn’t have to strip off shoes, overcoats and belts, or unpack laptops and liquids.

Set aside privacy fears about TSA peering into citizens’ gun shopping receipts, pharmacy purchases or online dating activities. Are commercial data aggregations even accurate? No one knows. Not the Federal Trade Commission, nor the Justice Department. Not the data brokers. And not the people being tracked—who typically can’t even see their own records.

Personal information gathered in commercial forums could prove valuable for public safety, authorities and privacy advocates agree. But they also say judging citizens based on outdated or inaccurate underlying data could do more harm than good for society.

TSA’s thinking is that a company would aggregate biographic and biometric “nongovernmental data elements to generate an assessment of the risk to the aviation transportation system that may be posed by a specific individual,” states a Jan. 8 request for strategy suggestions.

The system would have to provide a “reliable method that effectively identifies known travelers, based on a sound analysis and the application of an algorithm that produces dependable results,” the work requirements state.

Fliers and most TSA officials would be in the dark about the data those algorithms are munching on. “The specific sources and types of information employed for pre-screening purposes under this initiative may not be publicly disclosed,” agency documents state, adding that the data will not be disclosed to TSA except during audits. The quality requirements are vague: The vendor must use “specific sources of current, accurate and complete nongovernmental data.”

Spotty Track Records

Increasingly, big data taps the same kinds of digital evidence for authorities as it does for marketers: social media posts, voter registrations, credit reports and clickstreams—which are Web browsing histories—to name a few.

The FTC in December 2012 ordered nine data brokers to report whether their company “monitors, audits, or evaluates the accuracy of personal data” used to target advertising. Commission officials, however, say they are not inquiring about the accuracy of personal data used to track criminals. “Our focus is on consumer privacy and commercial data practices—rather than the use of commercial data for law enforcement purposes,” says Peder Magee, senior attorney for FTC’s Division of Privacy and Identity Protection.

It’s too late anyway. Justice’s Bureau of Alcohol, Tobacco, Firearms and Explosives already uses big data to predict gun violence. Justice officials would not comment on how they measure the integrity of this information.

The consequences of relying on dubious statistics and computations can vary. Some researchers suggest that a few mistakes won’t affect results because the scope of these analyses is so huge. “We can accept some messiness in return for scale,” Viktor Mayer- Schonberger and Kenneth Cukier write in their book, Big Data (Eamon Dolan/Houghton Mifflin Harcourt, March 2013). “We’re willing to sacrifice a bit of accuracy in return for knowing the general trend. Big data transforms figures into something more probabilistic than precise.”

However, the level of precision that satisfies marketers is very different from the exactitude required by government agencies, says Jennifer Granick, director of civil liberties at Stanford University’s Center for Internet and Society. “You can have 15 percent accuracy for advertising,” which might be better than other forms of behavioral analyses, “but if you are getting 85 percent of it wrong when you are denying people government benefits or sending out police to interview them, that would be completely wasteful and dangerous,” she says.

One major concern among some law enforcement experts is that most data warehouses store obsolete records. “The biggest problem is they don’t update,” says Paul Wormeli of the Integrated Justice Information Systems Institute, a federally funded organization. A citizen’s profile is not automatically adjusted if a credit report or human resources form turns out to have been mistyped.

The Data Police

There’s no easy answer to the potential accuracy problem with big data.

Directing a government agency, or even a bunch of agencies, to regulate data quality would be nearly impossible and futile, information management experts say. Plus, the private sector has a financial incentive to tidy up a person’s entry: the aggregator market competes on the sharpness of its databases. People should have the ability “to correct it and to remove it if the info is sensitive,” says Craig Wills, a computer science professor at Worcester Polytechnic Institute. Still, fixes made to one database don’t always carry over to other systems relying on the same information, Granick notes. “There’s no right to access the profile that whatever advertisers of the world have compiled on me,” she says. “Amazon has a profile on me and what they think I like, and I can refine it, but I can’t get a copy.”

Marketing firms argue new industry guidelines that let Internet users opt out of online tracking address many of these problems. Principles adopted by the Digital Advertising Alliance, whose members include Datalogix, Acxiom and other data wholesalers, prohibit browsing histories from being used to determine eligibility for employment, health care treatments and insurance coverage. “To date it’s proven to work. We have very broad reach and people are following it,” says Stuart Ingis, counsel for the alliance.

Unlike the data mining industry, credit bureaus are required by law to correct commercial data.

Credit information is updated every 30 days, or each payment cycle, according to the Consumer Data Industry Association. Citizens are responsible for communicating name and address changes to lenders, who furnish those modifications to the bureaus. “The furnisher may have more up-to-date address information than the post office,” says Norm Magnuson, the association’s vice president of public affairs.

So for TSA and other agencies, vetting the accuracy of big data will be nothing short of a big challenge.

]]>

Rolling Out The iPhone

Aliya Sternstein — Mon, 01 Apr 2013 00:00:00 -0400

Following a three-month trial, Immigration and Customs Enforcement in January began distributing as many as 17,000 secure iPhones to employees for work and personal use. The devices are equipped with software to protect both government and personal data.

Personnel allotted iPhones are allowed to download apps for private use, as long as the software and data do not violate policies, according to ICE officials.

“These are government devices and ICE has a limited personal use policy that provides for users to add applications and data that does not violate professional conduct standards of the agency,” ICE Press Secretary Barbara Gonzalez says. “The devices are subject to inspection or retrieval—just like any piece of government equipment.”

The agency is distributing the devices in batches to investigators, legal personnel and other staff.

“We’re using a geographical-based deployment plan,” Gonzalez says.

In October 2012, ICE disclosed that it would replace its existing Research in Motion BlackBerry smartphones with Apple iPhones because RIM’s products could no longer meet the agency’s needs.

After evaluating RIM’s rate of innovation, business model sustainability and the attributes of other smartphones, including Android devices, ICE chose the iPhone, according to contracting papers.

The iPhones are set up for selective wiping if a device is misplaced or stolen so ICE can erase government data remotely
but preserve personal apps and files, according to Good Technology, a mobile security firm facilitating the rollout.

Eugene Liderman, director of public sector technology for Good Technology, says the agency has the infrastructure to scale up to 17,000 users. The company is under contract to secure up to 25,000 users, he adds.

For 18 months before the iPhone announcement, Good Technology worked with Homeland Security Department officials, including the inspector general, to ensure its technology could shield data and applications from hackers and unauthorized people using the phones, company officials say.

Beyond tight security, the features ICE was looking for in a new smartphone included reliability and the flexibility to handle “fingerprint and retina scanning for immediate identification of an individual,” as well as facial recognition, according to agency documents.

Agencies are shedding BlackBerrys to buy Apple and Android-based smartphones that offer more features, according to Government Executive Media Group research. BlackBerry use among federal managers dropped 77 percent between August 2009 and September 2011, while iPhone use nearly tripled.

Hoping to bounce back, RIM announced in December that ICE is testing its BlackBerry 10 business line. Like older versions, the new Blackberrys comply with a government encryption specification for sensitive data called Federal Information Processing Standard 140-2. Apple’s phones are not FIPS-certified yet.

Good Technology officials say their software provides the same kind of agencywide control over device settings and data access that comes with BlackBerry services, when layered on top of the iPhone’s operating system.

Last fall, ICE officials gave both Apple and RIM top security scores in documents justifying the agency’s plan. ICE praised the companies for controlling both the hardware and operating systems in their products. Google’s Android, which received a low security score, provides only an operating system and allows other companies to run it on their devices.

“What is a strength for Google is a risk for ICE,” the documents state.

“Analysis conducted by ICE has concluded that for the near term, Apple iPhone services offer the agency the best solution for its mobile technology,” the justification says. “Apple’s strict control of the hardware platform and operating system, independent of telecommunication vendor, provides ICE with the greatest degree of control and management to ensure the most reliable delivery of services to ICE’s mission users.”

]]>

Carhacking

Aliya Sternstein — Fri, 01 Feb 2013 01:00:00 -0500

A U.S. senator drives from Capitol Hill to her home in Virginia, listening to the CD a constituent gave her. Going with the speed of traffic at 60 miles per hour, her brakes suddenly engage. Then an SUV rams the politician’s sedan from behind, killing her on impact. It turns out an extremist assassin had hijacked the car’s controls after infecting the CD with malicious code that penetrated the vehicle’s network.

In another scenario, two intelligence agents driving to CIA headquarters get a call from their branch chief, which the driver answers on a hands-free Bluetooth connection. After hanging up, the agents brainstorm how to pursue the tip they’ve just received while a foreign intelligence operative records their conversation. The adversary had cracked the Bluetooth system to bug the in-car microphone.

Think about cyber threats and probably the last thing that comes to mind is your car. But cars can expose personal information through features like OnStar and Ford SYNC. Hackers can unlock the doors, kill the engine and deactivate the starter. For now, the chances of such exploits happening at this point are slim, given the sophisticated technical skills required. But they will become easier as car systems become more intertwined with commercial communications networks.

Researchers have proved during live road tests that these wireless attacks can work. Aggressive driving could take on new meaning in the absence of cyber rules for the road.

Wireless services like SYNC and OnStar embedded in an in-dash electronics panel can offer attackers access to personal information and critical operational components, like brakes.

Bluetooth and cellular links have “roots in other worlds,” says Stefan Savage, a Univer-sity of California, San Diego computer science professor and principal investigator on the hack experiments. “Bluetooth is not just used in your car. It’s used in your iPod. It’s a very general protocol that’s designed to do a lot of different things and that tends to create problems.”

No Rules

The really scary part: There are no guidelines for automobile cyber safety. Regulators either won’t or can’t do much about the risks.

In response to questions about the status of network security research and mandates, National Highway Traffic Safety Administration officials said in a statement that “NHTSA is aware of the potential for ‘hackers’ and other cybersecurity issues whenever technology is involved; however, the agency is not aware of any real-world cybersecurity issues in vehicles.” When asked by Government Executive whether NHTSA is developing recommendations for manufacturers, officials referred back to the statement.

Security problems are real, however. In 2010, a disgruntled former employee of an auto dealership allegedly remotely deactivated the ignition systems of customers’ vehicles in Austin, Texas. That same year, the researchers showed how intruders can infiltrate computers tied to virtually every aspect of a car’s functionality, including speedometers and entertainment consoles.

Practically speaking, regulating cybersecurity on the road would be a feat for many reasons, say academics and privacy advocates. For one thing, the rule-making process would constantly lag behind quick-morphing threats. Also, NHTSA might not even know what to say, judging by a recent National Academy of Sciences study that found the agency is in the early stages of understanding vehicular network security. Some experts reason that NHTSA is not acting because the agency typically doesn’t until a safety issue is pervasive on the road.

“There’s no clear evidence or no clear strict need for regulation at this point,” says John Maddox, who was NHTSA’s associate administrator for vehicle safety research until August 2012. “What we do need is to conduct the research to study the problem very carefully.”

Most experts agree that regulators, manufacturers and consumers must get a better handle on vehicle cyber defenses.

At least four institutions and two automobile associations are developing recommended best practices. In 2011, the Transportation Department’s John A. Volpe National Transportation Systems Center presented NHTSA with advice on how to go about drafting guidelines. In November 2012, an agency official involved in cyber research planning spoke out about car safety and dependability at a workshop the University of Maryland hosted.

Revving Up Research

NHTSA’s 2013 budget request suggests that the agency may be weighing regulations. The document reveals plans to “conduct rule-making-ready research to establish electronic requirements for vehicle control systems” in everyday cars. The budget proposes establishing a $10 million program to study cyber risks, starting this year.

The National Academy of Sciences’ study, which was released in January 2012—and famously dispelled allegations that Toyota electronics caused unintended acceleration—urged NHTSA to get up to speed in cyber. The report criticized the agency for lacking the technical competency to probe the Toyota issue without outside help. NHTSA’s Office of Vehicle Safety Research does not study cybersecurity, according to the academy.

The proposed 2013 agenda aligns with the academy’s advice and also would involve other cyber-related federal agencies. Already, the Defense Department’s Cyber Crime Center, which is the Pentagon’s computer forensics hub, has examined the SYNC in-car voice- recognition system to flag potential threats, according to contractor Lockheed Martin Corp. Under the budget strategy, NHTSA staff would attempt to pinpoint problems in car electronics before they go into production.

Sen. Jay Rockefeller, D-W.Va., chairman of the Commerce, Science and Transportation Committee, plans to follow the regulator’s progress in charting cyber concerns, committee aides say. “The chairman is aware of the potential issues revolving around in-car computers,” Rockefeller spokesman Kevin McAlister says, noting the committee “will work to ensure that NHTSA performs the necessary actions to protect drivers and passengers.”

In the lab, researchers from UC San Diego and the University of Washington overrode an assortment of car safety systems, unafraid to meddle with the engine. “The kinds of things you worry about is either that your car is leaking information that you wish to be private,” such as your driving habits or what your passengers are saying, “or that an adversary can control features of your car,” Savage says.

During one expedition, the team was able to access a car’s internal network to disengage the brakes, making it difficult for the driver to stop. The investigators also succeeded in forcing the brakes to deploy, lurching the driver forward. Another demonstration showed how seemingly innocuous car tools facilitate these sorts of attacks, such as infected music CDs, FM radios and wireless tire pressure sensors.

Car-Code Attacker

Citing the researchers’ work, the academy pointed to an actual cyber incident that highlights looming dangers. The dealership ex-employee reportedly manipulated in-car systems that lock the engine when clients skip payments—essentially an alternative to repossession. By exploiting the program, he immobilized the starters and Global Positioning Systems on about 100 vehicles, leaving drivers’ parked cars stranded. “Obviously, had such an attack compromised a vehicle’s power train, braking and other operating systems while being driven, the consequences could have been much more severe,” the academy report stated.

Perhaps the creepiest situation, albeit highly theoretical, is one in which thugs send unwitting drivers on suicide missions. “One can easily envision hypothetical cyberwar or terrorist scenarios,” in which attackers commandeer vehicles en masse via an infected audio file “and then, later, trigger them to simultaneously disengage the brakes when driving at high speed,” the research team speculated.

Some former NHTSA officials say that until there is hard proof of real-life threats, mandatory standards would be superfluous and costly for manufacturers and the government. “I’m not ruling out the need for regulation,” but it has not presented itself yet, says Maddox, now director of collaborative program studies at the Texas A&M Transportation Institute.

If the auto industry develops voluntary standards, NHTSA then should consider whether to release its own guidelines, he says. The U.S. Council for Automotive Research, which includes engineers from Chrysler Group, Ford Motor Co. and General Motors, has deputized a task force to work on cybersecurity controls. SAE International, an association of automotive engineers, also is examining the issue.

Ford officials rolled off a list of cybersecurity precautions they take in assembling vehicles, including SYNC-enabled cars. The manufacturer checks key interfaces in “fuzz” tests—a technique that spews random information at automobile software while specialists monitor for signs of failure. Ford spokesman Alan Hall says specialists simulate possible vulnerabilities during production by looking at the people, parts, data flows and other functional elements “to determine where we may have issues with things like data integrity, information disclosure, denial of service, escalation of privilege, tampering or spoofing, etc., and then determine one or more mitigation strategies.”

SYNC has a built-in firewall and an application white-listing function that dictates which programs can be launched in car systems. Also, the vehicle control system network is separate from SYNC’s infotainment features, according to Hall. Software updates must be “code-signed,” or validated as Ford-authored to launch, “thus preventing unauthorized software installation and access to private information,” he says.

Industry Standards

Maddox says a voluntary regime of cybersecurity safeguards, like the manufacturers’ ongoing efforts, might be appropriate for the constantly evolving field of hacking. “The industry would be more knowledgeable and more nimble than government can be in this area,” he says. Some privacy groups agree that automotive companies should take the lead in writing cyber standards. “The car manufacturers have a lot of incentive to not put cars on the road that are inherently vulnerable,” says Joseph Lorenzo Hall, senior staff technologist with the Center for Democracy and Technology, a civil liberties organization.

If drivers start complaining about “someone messing with you on their OnStar,” that’s where NHTSA might have to step in, he says. Such a gaping security hole might force a recall and ex post facto regulations for cyber safety tests. A computer weakness “probably doesn’t reach their radar until there is big potential for something very bad happening on the road,” he adds.

Other activists, however, want hard regulations because they believe rules are both necessary and within the agency’s authority to hand down.

“The potential for drivers in the United States to have their cars tracked or compromised by security flaws in vehicles’ embedded computers is a matter of both driver safety and security,” says Amie Stepanovich, associate litigation counsel for the Electronic Privacy Information Center. “Regulations would provide guidance for vehicle manufacturers and baseline protections for all drivers in the United States.” She adds that existing state data breach laws might offer citizens some protections, but such legislation is inconsistent and nonexistent in some states.

The university researchers are reluctant to press for regulations, acknowledging standards development will be challenging, but they are encouraged by NHTSA’s apparent attention to their studies. “We’ve talked with them many times, we’ve been at workshops with them on the topic . . . From my standpoint there certainly appears to be interest and activity related to better understanding the cybersecurity problem and what to do about it,” Savage says. He says he is not familiar with regulatory politics or NHTSA’s thinking.

“It would be very easy to dictate a set of requirements that would either do little good or would be unworkable in practice,” Savage says. Today’s global marketplace means many hands from many part-makers in many facilities touch U.S. cars. “There are complex supply chain issues here because automotive manufacturers are really integrators. There may be no single person who has access to all the source code that goes into a modern vehicle,” he says, adding that requiring manufacturers to test the whole vehicle may be unfeasible.

Savage adds, “The standards process is going to take a while.”

]]>