
White House adds ‘agile and responsive’ security practices to trusted internet connections updates

The White House
(Official White House Photo by Tia Dufour)

The White House announced updates to the federal government Trusted Internet Connections initiative with the intent to empower agencies with security practices that aim to remove barriers to modern technology adoption.

An Office of Management and Budget memo provides agencies with pilot program guidance and an implementation timeline.

From OMB:

The purpose of the Trusted Internet Connections (TIC) initiative is to enhance network security across the Federal Government. Initially, this was done through the consolidation of external connections and the deployment of common tools at these access points. While this prior work has been invaluable in securing Federal networks and information, the program must adapt to modern architectures and frameworks for government IT resource utilization. Accordingly, this memorandum provides an enhanced approach for implementing the TIC initiative that provides agencies with increased flexibility to use modern security capabilities. This memorandum also establishes a process for ensuring the TIC initiative is agile and responsive to advancements in technology and rapidly evolving threats.

A related federal effort is Pulse.cio.gov, the U.S. government’s dashboard that tracks whether federal (.gov) domains serve and enforce HTTPS.
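To make the kind of check such a monitor performs concrete, here is an added example (not code from Pulse.cio.gov or the TIC program) that grades a domain from captured HTTP responses: does HTTPS work, does plain HTTP redirect to it, is a Strict-Transport-Security header set, and does that header meet the browser preload-list requirements. The four tiers, the one-year threshold, and the captured responses for the example.gov hosts are this example's assumptions, constructed inline so it runs offline.

```python
from dataclasses import dataclass, field

ONE_YEAR = 31_536_000  # seconds; the HSTS preload list requires at least this max-age


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # header names stored lowercase


# Constructed capture of what a crawler would record, keyed by URL.
# Hosts and responses are invented for this example.
CAPTURE = {
    "http://good.example.gov/": Response(301, {"location": "https://good.example.gov/"}),
    "https://good.example.gov/": Response(200, {
        "strict-transport-security": "max-age=31536000; includeSubDomains; preload"}),
    "http://weak.example.gov/": Response(200, {}),            # plain HTTP served, no redirect
    "https://weak.example.gov/": Response(200, {"strict-transport-security": "max-age=300"}),
    "http://loop.example.gov/": Response(302, {"location": "http://loop.example.gov/"}),
    "https://loop.example.gov/": Response(200, {}),
    "http://legacy.example.gov/": Response(200, {}),          # no https entry: TLS not offered
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains, preload), or None when the header is
    absent or its max-age directive is missing or malformed (RFC 6797 says a
    UA must ignore such a header, so we treat it as not set).
    """
    if value is None:
        return None
    max_age, subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, subdomains, preload


def final_url(capture, url, max_hops=5):
    """Follow recorded redirects from url; None if the chain is broken or loops."""
    for _ in range(max_hops + 1):
        r = capture.get(url)
        if r is None:
            return None
        if r.status in (301, 302, 303, 307, 308) and "location" in r.headers:
            url = r.headers["location"]
            continue
        return url
    return None  # exceeded max_hops: redirect loop or excessively long chain


def classify(domain, capture):
    """Grade a domain's HTTPS posture from the captured responses."""
    result = {"uses_https": False, "enforces_https": False,
              "hsts": False, "preload_ready": False}
    https_resp = capture.get(f"https://{domain}/")
    if https_resp is None or https_resp.status >= 400:
        return result  # without a working HTTPS endpoint nothing else can hold
    result["uses_https"] = True

    # Enforcement: a plain-HTTP request must end up on an https:// URL.
    landing = final_url(capture, f"http://{domain}/")
    result["enforces_https"] = landing is not None and landing.startswith("https://")

    # HSTS is only honoured when received over TLS, so read it from the HTTPS response.
    hsts = parse_hsts(https_resp.headers.get("strict-transport-security"))
    if hsts is not None:
        max_age, subdomains, preload = hsts
        result["hsts"] = max_age > 0
        result["preload_ready"] = (result["enforces_https"] and max_age >= ONE_YEAR
                                   and subdomains and preload)
    return result


if __name__ == "__main__":
    for d in ("good", "weak", "loop", "legacy"):
        print(f"{d}.example.gov", classify(f"{d}.example.gov", CAPTURE))
```

Two details matter in practice: the header is read from the HTTPS response only, because browsers ignore Strict-Transport-Security delivered over plain HTTP, and the redirect walker gives up after a fixed number of hops so a misconfigured loop is reported as "not enforcing" rather than hanging the scan.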

From Matt “Mr. FedRAMP” Goodrich:

Memo: Update to the Trusted Internet Connections (TIC) Initiative

New center wants to help Congress grok deep space, deep fakes

U.S. Capitol

The U.S. Government Accountability Office launched a new Center for Strategic Foresight to help Congress better understand emerging issues, such as deep space and deep fakes, that affect a well-functioning democracy.

From the announcement:

“The Center for Strategic Foresight helps to keep us agile by encouraging creative and critical thinking on the latest trends facing government and society. Our goal is to stay focused on Congress’ top policy priorities and to help prepare policymakers for future challenges.”

GAO created the Center to enhance its ability to identify, monitor, and analyze emerging issues. Located in GAO’s Office of Strategic Planning and External Liaison, the Center is a unique entity in the federal government, one that reflects the non-partisan independent watchdog agency’s broad mandate to provide Congress with reliable, fact-based information for overseeing federal agencies and programs. 

Details: Deep Space & Deep Fakes: New “Center for Strategic Foresight” Launched

Intelligence community names privacy, civil liberties leaders

Wat is Privacy graffiti (Photo: Cory Doctorow)

The Office of the Director of National Intelligence and the U.S. Central Intelligence Agency named new leaders of their respective privacy and civil liberties units.

ODNI named Benjamin Huebner the chief of the Office of Civil Liberties, Privacy, and Transparency. Huebner previously worked as the privacy and civil liberties officer at the CIA. The CIA named Kristi Scott to replace Huebner.

From ODNI:

CLPT leads the integration of civil liberties and privacy protections into the policies, procedures, programs, and activities of the IC. Its overarching goal is to ensure that the IC operates within the full scope of its authorities in a manner that protects civil liberties and privacy, provides appropriate transparency, and earns and retains the trust of the American people.

And CIA:

The PCLO serves as an independent, primary advisor to the CIA Director and other senior Agency officials to ensure that privacy and civil liberties are integrated into the day-to-day conduct of the Agency’s mission. Ms. Scott serves as CIA’s primary liaison with the Privacy and Civil Liberties Oversight Board (PCLOB) and as the lead Agency officer for implementing the Principles of Intelligence Transparency for the Intelligence Community. In addition, Ms. Scott will serve as the designated CIA Senior Agency Official for Privacy.

Democracy and ‘The Great Hack’

The Great Hack

The new Netflix documentary, The Great Hack, is an eye-opening account of how voter and social media profile data, particularly from Facebook, combined with a sophisticated, incendiary digital media campaign, can undermine democracy, as we saw happen with Brexit and the 2016 presidential campaign.

As Vice writes, the fundamental issue is the surveillance capitalism business model, where the users — and their personal data — are the product. It is also the general public’s willingness to forgo privacy to engage with others online, and its ignorance of how political opinions can be swayed or inflamed. It is becoming harder to escape unfavorable terms and conditions, but the willingness of social media users to hand over their data — via polls, likes, shares — is alarming, and it leaves them ripe for political opportunists to target during elections or active social movements.

The Great Hack is a must-watch for anyone who is active on social media or who cares about how democracy can be influenced by foreign interference, especially those who expect to vote in the next elections.

As The Great Hack gets at, data rights are the new human rights.


Pineapple or pepperoni? Homeland Security’s pizza analogy hopes to educate the public on foreign interference of elections

Sailors prepare pizzas.
Photo: U.S. Navy

Because “responding to foreign interference requires a whole of society approach,” the U.S. Department of Homeland Security has published resources that help educate the public on the ways foreign actors can interfere with U.S. elections.

These include primers on how foreign interference works (using the relatable example, “American Opinion is Split: Does Pineapple Belong on Pizza?”), associated terms, and the intricate nuances of social media bots.

DHS defines foreign interference as:

Malign actions taken by foreign governments or foreign actors designed to sow discord, manipulate public discourse, discredit the electoral system, bias the development of policy, or disrupt markets for the purpose of undermining the interests of the United States and its allies.

The initiative is part of Homeland Security’s #Protect2020 campaign to “enhance the security and resilience of election infrastructure, and to ensure the confidentiality, integrity, and availability of the free and fair elections foundational to the American way of life.”

Coast Guard alert shows that commercial vessel security comes down to the same basics as government security

U.S. Customs & Border Protection Air & Marine Boat patrols past shipping containers.
Photo: U.S. Customs and Border Protection

Based on recent cyber incidents aboard commercial vessels, the U.S. Coast Guard issued a security alert to vessel and facility owners and operators that amounts to a list of basic security practices, the same ones that could spare governments from the ransomware attacks we now see happening more frequently.

The alert makes the point that basic security gaps are universal, and the real-world scenario the Coast Guard documents is eye-opening and relatable to everyone:

In February 2019, a deep draft vessel on an international voyage bound for the Port of New York and New Jersey reported that they were experiencing a significant cyber incident impacting their shipboard network. An interagency team of cyber experts, led by the Coast Guard, responded and conducted an analysis of the vessel’s network and essential control systems. The team concluded that although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted. Nevertheless, the interagency response found that the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities. Prior to the incident, the security risk presented by the shipboard network was well known among the crew. Although most crew members didn’t use onboard computers to check personal email, make online purchases or check their bank accounts, the same shipboard network was used for official business – to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard. It is unknown whether this vessel is representative of the current state of cybersecurity aboard deep draft vessels. However, with engines that are controlled by mouse clicks, and growing reliance on electronic charting and navigation systems, protecting these systems with proper cybersecurity measures is as essential as controlling physical access to the ship or performing routine maintenance on traditional machinery. It is imperative that the maritime community adapt to changing technologies and the changing threat landscape by recognizing the need for and implementing basic cyber hygiene measures.

The Coast Guard security recommendations include:

Implement network segmentation.

Create network profiles for each employee, require unique login credentials, and limit privileges to only those necessary.

Be wary of external media.

Install anti-virus software.

Keep software updated.

Read the alert.
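The five recommendations above are easy to agree with and hard to verify across a fleet, so here is an added example (not code from the Coast Guard or the alert) that audits a host inventory against each of them: control systems sharing a VLAN with business or crew hosts, shared logins, hosts where every account is an administrator, USB mass storage left enabled, missing anti-virus, and stale patching. The inventory, host names, roles, VLAN names, dates and the 90-day patch window are this example's assumptions, constructed inline so it runs offline.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory of shipboard hosts; names, roles, VLANs and dates are
# this example's assumptions, not data from the Coast Guard alert.
INVENTORY = [
    {"host": "ecdis-1", "role": "control", "vlan": "ship-lan",
     "accounts": [{"name": "bridge", "shared": True, "admin": True}],
     "usb_storage_blocked": False, "antivirus": False,
     "patch_date": date(2018, 6, 1)},
    {"host": "cargo-pc", "role": "business", "vlan": "ship-lan",
     "accounts": [{"name": "mate1", "shared": False, "admin": True},
                  {"name": "mate2", "shared": False, "admin": False}],
     "usb_storage_blocked": False, "antivirus": True,
     "patch_date": date(2019, 1, 15)},
    {"host": "crew-wifi-gw", "role": "crew", "vlan": "crew-wifi",
     "accounts": [{"name": "admin", "shared": False, "admin": True},
                  {"name": "monitor", "shared": False, "admin": False}],
     "usb_storage_blocked": True, "antivirus": True,
     "patch_date": date(2019, 2, 1)},
]

AUDIT_DATE = date(2019, 2, 20)  # constructed: the month of the incident in the alert


def audit(inventory, today, max_patch_age_days=90):
    """Return (host, rule, detail) findings, one per violated recommendation."""
    findings = []

    # Segmentation: map each VLAN to the roles on it. A control system that
    # shares a VLAN with business or crew hosts is reachable from them.
    roles_on_vlan = defaultdict(set)
    for h in inventory:
        roles_on_vlan[h["vlan"]].add(h["role"])

    for h in inventory:
        name = h["host"]
        if h["role"] == "control" and len(roles_on_vlan[h["vlan"]]) > 1:
            others = sorted(roles_on_vlan[h["vlan"]] - {"control"})
            findings.append((name, "segmentation",
                             f"control host shares VLAN {h['vlan']} with {', '.join(others)} hosts"))

        # Unique credentials: a login used by several people cannot be attributed
        # to anyone and cannot be revoked for one person without locking out the rest.
        for a in h["accounts"]:
            if a["shared"]:
                findings.append((name, "unique-credentials", f"shared account '{a['name']}'"))

        # Least privilege: if every account is an administrator, routine work
        # (charts, cargo data, mail to agents) runs with full rights.
        if h["accounts"] and all(a["admin"] for a in h["accounts"]):
            findings.append((name, "least-privilege",
                             f"all {len(h['accounts'])} account(s) are administrators"))

        # External media: USB mass storage is a common malware entry point at sea.
        if not h["usb_storage_blocked"]:
            findings.append((name, "external-media", "USB mass storage not blocked"))

        # Anti-virus installed at all.
        if not h["antivirus"]:
            findings.append((name, "antivirus", "no anti-virus installed"))

        # Patching: flag hosts whose last patch is older than the allowed window.
        age = (today - h["patch_date"]).days
        if age > max_patch_age_days:
            findings.append((name, "patching", f"last patched {age} days ago"))

    return findings


def summarize(findings):
    """Count findings per rule: which basics are missing across the whole inventory."""
    counts = defaultdict(int)
    for _, rule, _ in findings:
        counts[rule] += 1
    return dict(counts)


def run_audit():
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    results = run_audit()
    for host, rule, detail in results:
        print(f"{host:14} {rule:18} {detail}")
    print(summarize(results))
```

Against this inventory the chart plotter is the problem host: it sits on the same VLAN as the cargo PC, its one login is shared and administrative, USB is open, there is no anti-virus, and it has not been patched in over eight months. Real inventories come from a CMDB or endpoint agent rather than a literal, but the rules stay the same.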

The security book everyone in government must read in 2019

If we’re ever going to get security right, technologists must embrace the need for policy and government leaders must do the same with technology, which is why Bruce Schneier’s Click Here to Kill Everybody: Security and Survival in a Hyper-connected World is the 2019 must-read book for every government leader, elected and administrative.

Specific security prescriptions range from standards and principles to the creation of a new federal agency, a National Cyber Office, that would advise and hold other agencies accountable, but also manage government-wide security efforts, such as the NIST Cybersecurity Framework.

Click Here to Kill Everybody is accessible to anyone who wants to learn about the problems and potential solutions of our increasingly Internet connected world, without feeling overwhelmed by the nuances and technological details that leave most people paralyzed with confusion.

Key excerpts:

“The admittedly clickbait title of this book refers to the still-science-fictional scenarios of a world so interconnected, with computers and networks so deeply embedded in our most important technical infrastructures, that someone could potentially destroy civilization with a few mouse clicks. We’re nowhere near that future, and I’m not convinced we’ll ever get there. But the risks are becoming increasingly catastrophic.”

“It’s easy to discount the more extreme scenarios in the chapter as movie-plot threats. Individually, some of them probably are. But collectively, these are classes of threat that have precursors in the past and will become more common in the future. Some of them are happening now, to a varying degree of frequency. And while I certainly have the details wrong, the broad outlines are correct. As with fighting terrorism, our goal isn’t to play whack-a-mole and stop a few particularly salient threats, but to design systems from the start that are less likely to be successfully attacked.”

“All the blame shouldn’t fall on the technology. Engineers already know how to secure some of the problems I’ve mentioned. Hundreds of companies, and even more academic researchers, are working on new and better security technologies against the emerging threats … And while nothing is a panacea, there really isn’t any limit to engineers’ creativity in coming up with novel solutions to hard problems. … My pessimism stems primarily from the policy challenges. The current state of Internet security is a direct result of business decisions made by corporations and military/espionage decisions made by governments … What we’ve learned from the past few decades is that computer security is more a human problem than a technical problem. What’s important is the law and economics, and the psychology and sociology — and what’s critical is the politics and governance.”

“I’m not optimistic in the near term. As a society, we haven’t even agreed about any of the big ideas. We understand the symptoms of insecurity better than the actual problems, which makes it hard to discuss solutions. We can’t figure out what the policies should be because we don’t know where we want to go. Even worse, we’re not having any of these big conversations. Aside from forcing tech companies to break encryption to satisfy law enforcement, Internet+ security isn’t an issue that most policy makers are concerned about — apart from the occasional strong words. It’s not debated in the media. It’s not a campaign issue in any country I can think of. We don’t even have a commonly agreed-upon vocabulary for talking about these issues.”

Washington gives national security innovation a boost

Photo: U.S. Department of Defense

Two good things just happened in Washington – these days that should be enough of a headline.

First, someone ideal was just appointed to be Deputy Assistant Secretary of Defense.

Second, funding to teach our Hacking for Defense class across the country just was added to the National Defense Authorization Act.

Interestingly enough, both events are about how the best and brightest can serve their country – and are testament to the work of two dedicated men.

Soldier, Scholar, Entrepreneur

Joe Felter was just appointed Deputy Assistant Secretary of Defense for South and Southeast Asia. As a result, our country just became a bit safer and smarter. That’s because Joe brings a wealth of real-world experience and leadership to the role.

I got lucky to know and teach with Joe at Stanford. When we met, my first impression was that of a very smart and pragmatic academic. And I also noticed that there was always a cloud of talented grad students who wanted to follow him. (I learned later I was watching one of the qualities of a great leader.) Joe had appointments at Stanford’s Center for International Security and Cooperation (CISAC), where he was the co-director of the Empirical Studies of Conflict Project, and at the Hoover Institution, where he was a research fellow. I learned he’d gone to Harvard to get his MPA at the Kennedy School of Government in conflict resolution. But the thing that really caught my attention: his Stanford Ph.D. thesis in Political Science had the world’s best title: “Taking Guns to a Knife Fight: A Case for Empirical Study of Counterinsurgency.” I wondered how this academic knew anything about counterinsurgency.

This was another reminder that when you reach a certain age, people you encounter may have lived multiple lives, had multiple careers, and had multiple acts. It took me a while to realize that Joe had one heck of a first act before coming to Stanford in 2011.

As I later discovered, Joe’s first act was 24 years in the Army Special Operations Forces (SOF), retiring as a Colonel.
His Special Forces time was with the 1st Special Forces Group as a team leader and later as a company commander. He did a tour with the 75th Ranger Regiment as a platoon leader. In 2005, he returned to West Point (where he earned his undergrad degree) and ran the Combating Terrorism Center. Putting theory into practice, he went to Iraq in 2008 as part of the 75th Ranger Regiment, in support of a Joint Special Operations Task Force. In 2010 Joe was in Afghanistan as the Commander of the Counterinsurgency Advisory and Assistance Team. At various points his Special Forces career took him to countries in Southeast Asia where counterinsurgency was not just academics.

As it happens, I was first introduced to Joe not at Stanford but through one of his other lives – that of an entrepreneur and businessman – at the company he founded, BMNT Partners. It was there that Joe and I, along with another retired Army Colonel, Pete Newell, came up with the idea of creating the Hacking for Defense class. We combined the Lean Startup methodology – used by the National Science Foundation to commercialize science – with the rapid problem sourcing and solution methodology Pete developed on the battlefields in Afghanistan and Iraq when he ran the US Army’s Rapid Equipping Force.

My interest was to get Stanford students engaged in national service and exposed to parts of the U.S. government where their traditional academic path and business career would never take them. (I have a strong belief that we’ve run a 44-year experiment with what happens when you disconnect the majority of Americans from any form of national service. And the result hasn’t been good for our country. Today if college students want to give back to their country, they think of Teach for America, the Peace Corps, or Americorps or perhaps the U.S. Digital Service or the GSA’s 18F. Few consider opportunities to make the world safer with the Department of Defense, State Department, Intelligence Community or other government agencies.)

Joe, Pete and I would end up building a curriculum that would turn into a series of classes — first, Hacking for Defense, then Hacking for Diplomacy (with the State Department and Professor Jeremy Weinstein), Hacking for Energy, Hacking for Impact, etc.

Hacking For Defense

Our first Hacking for Defense class in 2016 blew past our expectations – and we had set a pretty high bar. (See the final class presentations here and here).

Our primary goal was to teach students entrepreneurship while they engaged in national public service.

Our second goal was to introduce our sponsors – the innovators inside the Department of Defense and Intelligence Community –  to a methodology that can help them understand and better respond to rapidly evolving asymmetric threats. We believed if we could get teams to rapidly discover the real problems in the field using Lean methods, and only then articulate the requirements to solve them, then defense acquisition programs could operate at speed and urgency and deliver timely and needed solutions.

Finally, we also wanted to show our sponsors in the Department of Defense that students can make meaningful contributions to understanding problems and rapid prototyping of solutions to real-world national security problems.

The Innovation Insurgency Spreads

Fast forward a year. Hacking for Defense is now offered at eight universities in addition to Stanford – Georgetown, University of Pittsburgh, Boise State, UC San Diego, James Madison University, University of Southern Mississippi, and later this year University of Southern California and Columbia University. We established Hacking for Defense.org, a non-profit to train educators and provide a single point of contact for connecting the DOD/IC sponsor problems to these universities.

By the middle of this year Hacking For Defense started to feel like it had the same momentum as when my Lean LaunchPad class at Stanford got adopted by the National Science Foundation and became the Innovation Corps (I-Corps). I-Corps uses Lean Startup methods to teach scientists how to turn their discoveries into entrepreneurial, job-producing businesses. Over 1,000 teams of our nation’s best scientists have been through the program. It has changed how federally funded research is commercialized.

Recognizing that it’s a model for a government program that’s gotten the balance between public/private partnerships just right, last fall Congress passed the American Innovation and Competitiveness Act, making the National Science Foundation Innovation Corps a permanent part of the nation’s science ecosystem.

It dawned on Pete, Joe and me that perhaps we could get Congress to fund the national expansion of Hacking for Defense the same way. But serendipitously, the best person we were going to ask for help had already been thinking about this.

The Congressman From Science and Innovation

Before everyone else thought that teaching scientists how to build companies using Lean Methods might be good for the country, there was one congressman who got it first.

In 2012, Rep. Dan Lipinski (D-IL), ranking member on the House Research and Technology Subcommittee, got on an airplane and flew to Stanford to see first-hand the class that would become I-Corps. For the first few years Lipinski was a lonely voice in Congress saying that we’ve found a better way to train our scientists to create companies and jobs. But over time, his colleagues became convinced that it was a non-partisan good idea. Rep. Lipinski was responsible for helping I-Corps proliferate through the federal government.

While Joe Felter and Pete Newell were thinking about approaching Congressman Lipinski about funding for Hacking for Defense Lipinski had already been planning to do so. As he recalled, “I was listening to your podcast as I was working in my backyard cutting, digging, chopping, etc. (yes, I do really work in my backyard,) when it dawned on me that funding Hacking for Defense as a national program – just like I did for the Innovation Corps – would be great for our nation’s defense when we are facing new unique threats. I tasked my staff to draft an amendment to the National Defense Authorization Act and I sponsored the amendment.”

(The successful outcome of I-Corps has given the Congressman credibility on entrepreneurship education among his peers. And it doesn’t hurt that he has a Ph.D and was a university professor before he ended up in Congress.)

Joe Felter and Pete Newell mobilized a network of Hacking for Defense supporters. Joe and Pete’s reputations preceded them on Capitol Hill, and, in a testament to the strength of Hacking for Defense, there is now a large network of people who have experienced and believe in the program and were willing to help by writing letters of support, reaching out to other members of Congress to ask for support, and providing Congressman Lipinski’s office with information and background.

Congressman Lipinski led the amendment. He brought on co-sponsors from both sides of the aisle: Representatives Steve Knight (R-CA 25), Ro Khanna (D-CA 17), Anna Eshoo (D-CA 18), Seth Moulton (D-MA 6) and Carol Shea-Porter (D-NH 1).

On the floor of the House, Lipinski said, “Rapid, low-cost technological innovation is what makes Silicon Valley revolutionary, but the DOD hasn’t historically had the mechanisms in place to harness this American advantage. Hacking for Defense creates ways for talented scientists and engineers to work alongside veterans, military leaders, and business mentors to innovate solutions that make America safer.”

Last Friday the House unanimously approved an amendment to the National Defense Authorization Act authorizing the Hacking for Defense (H4D) program and enabling the Secretary of Defense to expend up to $15 million to support development of curriculum, best practices, and recruitment materials for the program.

This week the H4D amendment moves on to the Senate and Joe Felter moves on to the Pentagon. Both of those events have the potential to make our world a much safer place – today and tomorrow.

DISA kicks off overhaul of federal background checks

Photo: U.S. Navy

The Defense Information Systems Agency has released a series of videos and a request for information for the National Background Investigation System, created in the wake of security incidents that led to data breaches affecting millions of federal government employees and contractors.

According to the RFI, NBIS “is a new entity that changes how the Federal Government performs background investigations for military, civilian, and government contractors.” DISA will “design, develop, secure, and operate” NBIS, which supports the National Background Investigations Bureau, formerly Federal Investigative Services, managed by the Office of Personnel Management.

The overview and video references read straight out of agile and open source playbooks, so it will be interesting to see how far this goes on those fronts:

NBIS PMO must establish an enterprise IT enclave that enables business process reengineering, including modular system development to accommodate changes in data requirements, advanced security protections to safeguard data, enables broad shared services to maximize investments, and not only meets the needs of the end users, but also connects those users to the process.


Cloud.gov is FedRAMP Ready, moves feds closer to internally deploying tech projects faster

In a Hacker News post, the cloud.gov team shares that the platform has attained FedRAMP Ready status, moving it closer to operating as a full-service cloud provider for federal technology projects.

The team responsible for the project is hosting an open “Ask Me Anything” style question and answer session, and the post has already unearthed a number of conversations around hiring and the nuances of federal government operations related to cloud deployment.

From cloud.gov product lead Bret Mogilefsky:

I’m the product lead on cloud.gov… Thanks for noticing us! There are other Cloud Foundry deployments, but what makes cloud.gov special is the focus on ensuring federal agencies are actually able to use it. Federal compliance for a cloud service provider is a tough bar to clear, and without it most agencies are simply unable to take advantage of capabilities the rest of the world now takes for granted. That in turn impedes improvements in the many services the government has to offer. We’ve just reached the “FedRAMP Ready” status, which is a signifier of confidence that cloud.gov will make it through the exhaustive auditing process to come. Best of all, everything we’re doing is open source, including all the compliance work, so others will be able to follow in our footsteps. AMA!

Once cloud.gov achieves full FedRAMP authorization, combined with the open source, agile/DevOps development environment the team has built, 18F will be well positioned to help agencies deploy projects quickly and completely.

“18F is going to be a model Cloud Service Provider (CSP) in the federal space,” Mogilefsky said in a May interview with Cloud Foundry. “Cloud.gov is only part of the equation.”

Have questions or comments for the cloud.gov team? Ask them anything.