FedScoop (http://fedscoop.com): Federal technology news and events. Feed generated Wed, 22 Oct 2014 03:35:22 +0000.

Point-of-sale crisis: Anatomy of a cyberattack
http://fedscoop.com/point-sale-crisis-anatomy-hack/
Tue, 21 Oct 2014 23:00:48 +0000

What's behind the alarming increase in cyberattacks on point-of-sale systems? The Secret Service and the FBI say it's pretty simple: POS systems are easy to hack and they hold all the money.

The post Point-of-sale crisis: Anatomy of a cyberattack appeared first on FedScoop.

Federal law enforcement agencies are stepping up their outreach efforts to educate businesses about how to detect cyberattacks targeting point-of-sale systems, as office supply giant Staples Inc. confirmed Monday it is investigating an incident that may add the company to a growing list of retail chains that have suffered massive data breaches.

A group of special agents from the Secret Service and the FBI briefed industry representatives Monday during a special awareness event hosted by the Financial Services Roundtable in Washington, D.C. Agents presented a detailed explanation of the steps cybercriminals go through when they target a POS system and try to make off with thousands or even millions of credit card numbers.

The briefing came only hours before Staples confirmed for the first time publicly that it was investigating a potential data breach and had contacted law enforcement for help. If confirmed, the breach would add to an alarming escalation in the number of credit and debit cards that have been stolen from U.S.-based retailers during the past year.

But officials are emphasizing that the high-profile incidents involving some of the nation’s largest retail chains are not the only such crimes taking place. In fact, Ari Baranoff, the assistant special agent-in-charge of the Secret Service’s Criminal Investigative Division, said the Secret Service has responded to 350 network intrusions so far this year, and the majority of the incidents involved small and medium-sized businesses.

“We view those small and medium-size businesses as ground zero for a lot of the malware that is introduced into the wild,” Baranoff said. “Many of the actors that we look at on a daily and weekly basis have capabilities that far exceed the capabilities of most nation-states.”

The Syracuse connection

In July, several banking institutions notified the Secret Service that they had detected credit and debit card fraud trends that pointed to a small store in Syracuse, New York, as a so-called “common point of purchase” for stolen credit card data.

Two agents were dispatched to analyze the server that managed the store’s point-of-sale terminal, and they soon discovered malware on the system. The agents removed the malware from the store’s network and brought a sample back to Secret Service headquarters, where forensics experts were able to reverse engineer the code.

Analysis of the malware revealed the code was what is known as an “initial finding,” meaning, Baranoff said, “that this malware had not been seen yet by traditional anti-virus companies.” The Secret Service then issued an advisory to industry, leading network security specialists at United Parcel Service Inc. to discover the malware on UPS’ network. It had gone undetected for six months.

“They were able to contain the issue to just 1 percent of their stores, just under 50 stores out of 5,000 in 25 states,” Baranoff said.

Anatomy of a hack

The most sophisticated cybercriminals are difficult to detect, Secret Service Special Agent Katherine Pierce said. “They do their homework. Their goal is financial gain. This is their job, this is their livelihood,” she said.

But there is a process that most attackers generally follow and understanding that process can help businesses know what to look for on their networks. According to Pierce, the six steps in the attack process are reconnaissance, initial compromise, establishing a foothold, escalating privileges, exfiltrating data and maintaining presence.

Once an attacker has conducted a thorough reconnaissance and gained initial entry into your network, one of the first things a cybercriminal will attempt to do is escalate their privileges on the network, according to FBI Supervisory Special Agent Jason Truppi.

“This is where the rubber meets the road. Any hacker can get in your front door … but to really escalate privileges and start moving laterally takes a different level of skill,” Truppi said. And this is also an opportunity for the defender to catch the attacker in the act, he said. Not only can this process take a long time, but “depending on the skill set, it may be very loud, it may be very noisy,” he said.

“You’re going to see internal scanning, internal access to authentication servers, password dumping utilities are going to be sitting on internally compromised hosts [and] brute force attacks on servers,” he said. Victims may also see typical recon tools, such as nmap and ping requests, as well as Mimikatz — a tool that dumps plain text passwords out of memory.

To help defend against attacks at this stage, Truppi suggests companies deploy host-based intrusion detection systems, use strong domain passwords and limit the use of service accounts that have administrative privileges.

“Limit local admin access,” he said. “It’s the basic hygiene of any network. This is the No. 1 killer.”

The heist

There are generally two phases to the actual exfiltration of credit card data from a victim’s network and both are more or less impossible to defend against, according to Truppi. This is the stage of the attack you don’t want to find yourself defending against, he said.

The first phase involves staging the data for removal. Since cybercriminals are there to steal as many card numbers as possible in as few steps as possible, they will need to compress the data to get it off the network.

The second stage involves placing the compressed data file on a server where it can be masked. “They need to move it to a higher volume server to mask the data so you don’t see it,” he said, referring to the process of hiding the compressed file in a data stream where it won’t look out of place.

“Look for things like FTP, believe it or not,” Truppi said. Other tools used include Secure FTP, SSH, the Plink command-line utility for Windows and Web-based drop boxes, since most companies aren’t defending against the use of drop boxes.

The POS connection

Almost every POS system compromise comes to the attention of the Secret Service because one or more banks notice an uptick in fraudulent activity on cards that were all used at the same retail location. That’s exactly how Secret Service Special Agent Matt O’Neill busted a Romanian cybercrime ring that compromised the POS systems used by 150 Subway restaurants and 50 other retailers around the country between 2008 and 2011.

“The bad actors were simply port scanning for folks who had remote desktop applications on their point-of-sale terminals,” O’Neill said. Then they would use known generic passwords or passwords that they knew POS manufacturers used as default passwords. From there, they would crack the administrator password and install a keystroke logger on the merchant POS system.

O’Neill managed to find where the hackers stored all of their cracking tools, and for five months he was able to identify new breaches as they occurred and notify the victims in near real time, allowing them to remove the malware.

The two main suspects were logging into a compromised system owned by a trucking company in Pennsylvania, where they would engage in chat sessions and email malware.

“One of the suspects liked gambling and the ladies,” O’Neill said. So the Secret Service created an online persona of a young woman working at a hotel casino and worked with the hotel chain to actually list the undercover agent on the hotel employee directory.

“Over the period of about six months, I developed what I’ll call a quasi-romantic relationship with him,” O’Neill said. The operation succeeded in luring the suspect to Boston, where he made a full confession upon arrest. The ringleader of the group was also identified and was extradited to the U.S., where he was sentenced to 15 years in prison.

“These guys were gaining access into approximately 100 to 200 victim locations every single day,” O’Neill said. “The bad guys that I’ve spoken to have all said ‘we could have tried to obtain the payment card data from a variety of locations, but quite frankly the easiest is through the merchant.’”

DHS sees wearables as the future for first responders
http://fedscoop.com/dhs-wearables-first-responders/
Tue, 21 Oct 2014 22:13:14 +0000

The Department of Homeland Security outlined a new vision Tuesday that focuses on how to leverage emerging technology for the nation's first responders.

The post DHS sees wearables as the future for first responders appeared first on FedScoop.

The Science & Technology Directorate at the Department of Homeland Security wants wearables that can operate in these conditions. (Credit: iStockphoto.com)

Robert Griffin, the new deputy undersecretary for the Department of Homeland Security’s Science and Technology Directorate, knows data is the last thing people are thinking about in a life-threatening situation. He also knows that first responders aren’t like most people.

“Sane people don’t run into burning buildings,” Griffin said Tuesday. “But I need data to let me run into those buildings.”

Griffin’s remarks came during a presentation at a wearable technology conference in Arlington, Virginia, outlining a new research and development vision for the S&T office that will focus on how DHS can leverage emerging technology for the nation’s first responders.

After spending a portion of this year reaching out to state and local governments as well as private industry, S&T has established a soon-to-be-released five-point vision that will make first responders and their technology more intuitive, instinctive and interoperable.

“Because we saw there was such an interest in having a participatory conversation, we’re looking to expand that on a series of specific dialogues about different areas, and the first one is going to be about wearables,” Griffin told FedScoop.

The part about wearables Griffin is referring to is a multimillion-dollar project that will help create public-safety-grade wearables from existing technology over the next three to five years.

“What we’re looking for is not government-off-the-shelf products, but commercial-off-the-shelf products,” Griffin said. “What wearable technology can we adapt that already exists to realize the dream we laid out.”

A picture that shows the various technological advances the Department of Homeland Security wants for first responders. (Courtesy of DHS)

This project coincides with the relaunch of S&T’s website on Nov. 17, which DHS expects to help further a national conversation about the next generation of first responders. The new website will feature meetups, hackathons, webinars and challenges all geared toward new S&T directives. The site will also have a big crowdsource component run on the Ideascale platform.

“We’re going to try and take multiple approaches because one size doesn’t fit all,” Griffin said. “[Ideascale] is a better way to crowdsource some of these ideas, particularly where some of these areas can get pretty down into the weeds. This is part of what we are trying to do to be more transparent but also to begin a process of engaging industry and users and begin to think about the operators.”

The wearables project is one part of what DHS sees as a larger vision that could span decades into the future.

“The long-term vision is that fully aware, fully connected, fully integrated responder,” Griffin said. “We recognize that it could take us 20 to 30 years, maybe longer to get there. It’s not just a technology issue, it’s usage, it’s operating procedures, it’s governance, training. It’s part of the whole continuum we need to think about.”

Part of that continuum includes FirstNet, the nationwide public safety broadband network for first responders that will be built in the coming years. Griffin said, while DHS fully supports the network, he wants to take the technology discussion beyond FirstNet.

“It’s no good to come to depend on a technology that you can only use during pristine, perfect conditions,” Griffin said. “We need to think about how first responders are able to use this technology in situations when there is even degraded or no communications.”

As for the wearables project, Griffin drove home what he saw as “huge market potential” when he painted a scene for the crowd on how a first responder differs from how the rest of the public uses wearables.

“When I’m in a 1700-degree fire, I can’t roll up my sleeve to look at a wearable,” Griffin told the crowd. “We need to start to think about how to integrate and connect, because you can help me do my job in ways I can’t imagine.”

While Griffin may not be able to currently imagine the products future first responders will use, he does know that DHS’s new vision will ultimately lead to lives being saved.

“The beauty of wearables is that we haven’t even begun to scratch the surface of what it could potentially mean to a safer community,” Griffin told FedScoop. “Once we can get this into the hands of first responders and into the hands of the community, it’s going to do amazing things.”

House science committee to examine NSF grant to study Twitter activity
http://fedscoop.com/house-science-committee-examine-nsf-grant-study-twitter-activity/
Tue, 21 Oct 2014 22:07:08 +0000

The House Science, Space and Technology Committee will investigate a nearly $1 million grant the National Science Foundation awarded to a project that looks to decipher how online interactions affect popular sentiment, specifically on Twitter.

The post House science committee to examine NSF grant to study Twitter activity appeared first on FedScoop.

Rep. Lamar Smith, the chairman of the House Science, Space and Technology Committee. (Source: House Science, Space and Technology Committee.)

The House Science, Space and Technology Committee plans to investigate a nearly $1 million grant the National Science Foundation awarded to a project that looks to decipher how online interactions affect popular sentiment, specifically on Twitter.

In a release from the majority side of the committee, Chairman Rep. Lamar Smith, R-Texas, said that by funding the project, the government was funding the limitation of free speech.

“While the Science Committee has recently looked into a number of other questionable NSF grants, this one appears to be worse than a simple misuse of public funds,” Smith said in the release. “The NSF is out of touch and out of control. The Science Committee is investigating how this grant came to be awarded taxpayer dollars.”

The Truthy project, based out of Indiana University’s Center for Complex Networks and Systems Research and its School of Informatics and Computing, first received funding in 2011. Since then, NSF has funneled a total of $919,917 into the project.

Not much has changed since the original award in 2011. In fact, according to the NSF information for the grant, the last amendment to the contract came in 2012.

The Truthy project’s depiction of online engagement for the hashtag #gop from 2010-2011. (Credit: The Truthy project)

Smith’s statement comes two years later, “after media reports highlighted a one million dollar research project funded by the National Science Foundation in 2011 to analyze political messages and discussion on Twitter,” according to a release from the committee.

The media reports referenced in the release came from a story first reported on Aug. 25 by the Washington Free Beacon, the online publication of the conservative advocacy group the Center for American Freedom. Three days later, Fox News Insider ran a story about the project comparing it to George Orwell’s “1984.”

Last week, nearly two months after the Washington Free Beacon and Fox News stories, Federal Communications Commission Commissioner Ajit Pai authored an op-ed in the Washington Post criticizing the funding decision.

“If you take to Twitter to express your views on a hot-button issue, does the government have an interest in deciding whether you are spreading ‘misinformation?’” Pai wrote. “My guess is that most Americans would answer those questions with a resounding no. But the federal government seems to disagree.”

Pai went on to suggest the Truthy project’s mission of preserving open debate and mitigating the diffusion of false and misleading ideas was a government overreach and a violation of free speech.

FCC Commissioner Ajit Pai (Credit: FCC)

“Truthy’s entire premise is false,” Pai wrote. “In the United States, the government has no business entering the marketplace of ideas to establish an arbiter of what is false, misleading or a political smear.”

President Barack Obama appointed Pai to the FCC in 2012. Pai was confirmed unanimously by the Senate. His term ends in 2016.

The release from the committee also said the goal of the project “is to analyze and detect ‘subversive propaganda’ in order to mitigate ‘misleading ideas’ on social media.”

The filing at the NSF for the grant said the project “is aimed at modeling the diffusion of information online and empirically discriminating among models of mechanisms driving the spread of memes.”

The “about” page of the Truthy project’s website said the team behind the project intends to use it “to detect political smears, astroturfing, misinformation and other social pollution.”

Among the projects featured on Truthy’s site are a tool to determine whether or not a Twitter account is a bot and a study of several hashtags and accounts that examines the “memes” surrounding them from 2010 to 2011.

In a comment to FedScoop, a Democratic House Science, Space and Technology Committee spokesperson called Smith’s attempts to investigate the funding of the project “the latest in the Chairman’s Congress-long questioning of NSF grants.”

In a letter to the chairman dated Sept. 30, the committee’s ranking member, Rep. Eddie Bernice Johnson, D-Texas, expressed “deep concern over the direction” Smith has taken the committee in terms of how it dealt with NSF.

“You have been engaged in a puzzling – and troubling – investigation of the merit-review process with respect to 20 NSF grants and have sought all of the confidential, pre-decisional peer-review materials associated with those grants,” Johnson wrote.

Johnson also wrote that there were no credible allegations of waste, fraud or abuse from the 20 awards under investigation.

“The only issue with them appears to be that you, personally, think that the grants sound wasteful based on your understanding of their titles and purpose,” Johnson wrote. “The path you are going down risks becoming a textbook example of political judgment trumping expert judgment.”

Neither the professors behind the Truthy project nor the NSF could be reached for comment by publication time.

FedScoop’s Keely Quinlan contributed to this story.

Ga. technical college receives USDA grant for IT program
http://fedscoop.com/technical-college-receives-usda-grant-program/
Tue, 21 Oct 2014 21:34:06 +0000

A public technical college in Georgia will receive a nearly $100,000 Agriculture Department grant to upgrade the wireless network equipment for its information technology training program, according to an agency release.

The post Ga. technical college receives USDA grant for IT program appeared first on FedScoop.

Coastal Pines Technical College student Deidre Durance works on wireless network equipment in 2012. A USDA grant will help the school upgrade its technology. (Credit: Coastal Pines Technical College)

The IT training program at a Georgia technical college will receive a nearly $94,000 infusion from the Agriculture Department to upgrade its wireless network equipment, according to an agency release Tuesday.

Eddie Murray, a computer information systems instructor for Coastal Pines Technical College who helped prepare the grant proposal, said there’s a particular demand for workers with IT skills in southeast Georgia, the region the public school serves.

“We’re slowly getting to the technology level that our larger cities in our state – Atlanta, Macon – are starting to go towards,” he said. “And so, there’s a giant need now for people who are technically savvy.”

Sponsored by Cisco Systems Inc., the program is offered as a specialization track for an associate’s degree, a diploma or a technical certificate. It prepares students to work as network technicians, network troubleshooters and systems administrators — though most of the students who enroll in the program have no IT experience coming in.

“They expect the students to come in green as a gourd,” said Murray, who also graduated from the program.

According to the state’s Department of Labor, the southern Georgia regional unemployment rate stood at just over 9 percent in August.

The grant comes through the Agriculture Department’s Rural Business Enterprise Grant program, which aims to cultivate opportunities for small and emerging businesses and support adult education in rural areas.

Other grantees include an eastern Missouri group trying to buy a greenhouse, an Iowa program providing mentoring and training to farm businesses, and an organization in Montana that offers technical assistance to small businesses in rural Native American communities.

GSA: Information secure despite physical HQ security vulnerabilities
http://fedscoop.com/gsa-information-secure-despite-physical-hq-security-vulnerabilities/
Tue, 21 Oct 2014 20:05:22 +0000

A report from GSA's Office of Inspector General released last week revealed several physical security concerns related to the agency's open office space and management of devices and documents, which included stolen items. GSA, however, said the vulnerabilities aren't putting critical data and other sensitive information at risk as the report might suggest.

The post GSA: Information secure despite physical HQ security vulnerabilities appeared first on FedScoop.

GSA employees working at hotel desks at the agency’s headquarters. (Credit: GSA via YouTube)

A report from the General Services Administration’s Office of Inspector General released last week revealed several physical information security concerns related to the agency’s open office space and management of devices and documents. GSA, however, said the vulnerabilities aren’t putting critical data and other sensitive information at as high a risk as the report might suggest.

One night in late July, GSA’s OIG Office of Forensic Auditing, Evaluation and Analysis performed a random inspection of the agency’s open-office headquarters in Washington, D.C. During the inspection, essentially playing the role of an intruder, the officers found physical weaknesses in GSA’s securing of sensitive information controlled under the Privacy and Trade Secret acts. Additionally, the inspectors easily accessed what the report called “highly pilferable government-furnished personal property.”

An active HSPD-12 PIV card was found in an unsecured drawer during the inspection. (Credit: GSA OIG)

“The inspection found an unsecured HSPD-12 PIV card, sensitive contract files, architectural drawings marked ‘SENSITIVE BUT UNCLASSIFIED,’ unlocked file cabinets containing sensitive information, a combination code for a bay of personal lockers that was left directly on top of those lockers, and a door cipher lock combination taped to the back of the door,” the report states. “The inspection also found valuable property that was unsecured, including laptops and other electronics.”

GSA recently renovated its central offices and changed to an open office design with hoteled workspace, leaving many workers sharing desks rather than using a permanent space. Because of this, the agency instituted a locker system for employees to secure valuable items and documents when they leave the office to prevent thefts. According to the report, GSA has also held several workshops on crime prevention and security in the new environment.

Despite the prevention methods put in place, when the auditors entered the office, they easily found several items of interest. In cases where the items were not securable, they took them, leaving a note that said, “We identified unsecured sensitive information. Due to the sensitive nature of this information, we have taken possession of it to secure its privacy,” with contact information to retrieve them.

Items like an active HSPD-12 PIV card or a laptop could act as gateways to further information theft. The active PIV card “permits unrestricted physical access to the GSA Central Office building, and potentially any federal building,” the report says. And if a laptop’s security is breached, whoever holds it could access the computer’s contents directly or reach GSA networks.

GSA spokeswoman Jackeline Stewart said while there have been actual issues of possible theft within the agency — five laptops have gone missing so far in 2014 — the agency is confident in its efforts to digitally secure the devices.

This folder, labeled “CONFIDENTIAL – OPEN BY ADDRESSEE ONLY,” was found in plain sight and contained sensitive employee performance reviews and assessments. (Credit: GSA OIG)

“While any loss or theft is unacceptable, this suggests that the problem is a manageable one,” Stewart said in a statement, referring to the five computers. “Additionally, the agency’s tech is equipped with security measures that minimize data security risk associated with leaving laptops unsecured. Laptops require two-layer authentication and hard-drives have 128-bit encryption. If lost or stolen, the network and hard-drive cannot be accessed. Mobile devices are loaded with software that enables GSA IT to wipe the devices within seconds of being reported lost or stolen. In essence, any information on stolen or lost laptops is virtually inaccessible.”

Stewart also said it is highly unlikely that any non-GSA person could access the open office space, because “[c]redentialed employees are the only individuals authorized to enter the building independently. All visitors will be required to be escorted by a GSA employee and will be given a temporary ID that will expire within one day of issuance.”

Nevertheless, GSA said it isn’t taking the inspection lightly. The agency will work with the IG to address the issues in the report, Stewart said, and has already begun developing a personal property course to reinforce the security protocol.

A federal robotics agency? Law professor makes the case
http://fedscoop.com/law-professor-calls-new-federal-robotics-agency/
Tue, 21 Oct 2014 19:33:45 +0000

Law professor Ryan Calo calls for the formation of a federal robotics agency. We interview him about the unique nature of robots and the need for oversight.

The post A federal robotics agency? Law professor makes the case appeared first on FedScoop.

Very few things capture the imagination like robots. The ability to create a being with lifelike properties and some degree of autonomy is probably about as close as humans will get to being a god.

In The Case For A Federal Robotics Commission, Ryan Calo argues for federal oversight of robotics technology. (Credit: Brookings Institution)

Robots certainly have the power to be transformative. Just look at the space program, which has more or less been taken over by robots, at least for deep space and planetary exploration. No human has ever been to Mars, yet our robots are making tire tracks all over the red planet. And we are getting closer to more terrestrial uses of robotics, from self-driving cars to military drones with increasing intelligence to cutting-edge technology like cognitive radios that can choose the frequency and power of signal to use.

Robots are also unique in that, unlike most other forms of technology, they can actually affect the physical world. That makes them much more useful — but also potentially more dangerous than something like an application or notebook.

Those two factors — their ability to be transformative and their ability to affect the world — contribute to the need for federal oversight of robotics programs. That is the argument made by Ryan Calo, an assistant professor at the University of Washington School of Law, in a recent paper published by the Brookings Institution. Calo goes a step beyond regulation, calling for a new, independent federal agency centered on robots and robotics technology.

I tracked down Calo and asked him to explain his views on the subject and how he envisions the “Federal Robotics Commission” would operate within the federal government.

John Breeden II: How did you get into the study of robotics, and how long have you been doing that?

Ryan Calo and his first robotic friend. (Courtesy of Calo)

Ryan Calo: I have been studying robotics law for about six years, since I was a fellow at Stanford Law School. I began to see that the technology has different essential qualities than the Internet and therefore raises distinct questions of law and policy. I have been interested in robotics since I was a kid, as this photo shows.

JB: Robots are often defined in different ways. For example, there used to be a TV show featuring fighting robots, but they were really just remote-controlled vehicles. I assume that you would not consider them a true robot? So how would you define a robot today, and can you give some examples?

RC: As I discuss in my article “Robotics and the Lessons of Cyberlaw,” which is forthcoming in 2015 from California Law Review, I think of robots as having three elements: They sense the world around them, they process what they sense and they act upon the world. This definition is mostly meant to distinguish robots from previous or constituent technologies, as your question suggests. Each of the elements also exists on a spectrum. Thus, a remote-control car, or drone, with a camera is not a robot because it does not process information. Whereas the Mars rover, though it mostly executes commands, is a robot because it has an autonomous mode and knows to disregard or alter commands in some instances as operational realities demand.

JB: One of the points you make in the Brookings paper is that robots are special in that they have the ability to transform our society. You make comparisons to things like how train travel transformed the U.S. Can you explain how you believe robots will have this type of transformative effect?

RC: I think that robotics, taken as a whole, will constitute a transformative technology on par with computers or trains, yes. They permit action at a distance, for instance, and can solve problems in ways no human would or would expect. The evidence has to do with the pattern of interest in robotics. First, the military, artists and hobbyists. Then, large-scale investment by private industry. The final step is the mainstream consumer adoption, which I believe to be around the corner.

JB: In terms of this new federal robotics agency, do you envision that it should be its own entity, or would it fall under the banner of something else, such as Transportation or Homeland Security?

Ryan Calo is calling for a new federal agency to regulate robots.

RC: I hope for a standalone agency, largely because I believe each branch of government — executive, legislative, and judicial — plus the states would benefit from greater expertise in robotics.

JB: What should the responsibilities of the robotic agency be, and what powers or authority would it possess?

RC: The agency, as I envision it, would not regulate or enforce the way, say, the Securities and Exchange Commission does. Indeed, it may have very little power or authority in the classic sense. Rather, its main charge would be to accrue and share expertise in much the same way as the Congressional Research Service or the Office of Science and Technology Policy.

JB: Can you give some examples where having a federal agency dedicated to robots would help improve a situation or provide a benefit that we wouldn’t experience without it?

RC: In the white paper, I give a few examples of what I think of as unwise or stalled policy that might have been avoided. Perhaps a Federal Robotics Commission could help the Federal Communications Commission or Federal Aviation Administration green light technologies like cognitive radio and drones about which they remain uncomfortable. Conversely, the commission could have sounded a cautionary note about robotic surgery before the Food and Drug Administration let it through.

JB: What can people do to learn more about robotics technology and the laws and oversight you feel are needed in order to properly govern them in the future?

RC: I would welcome readers who want to learn more to read my articles, and to register for the fourth annual robotics law and policy conference at werobot2015.org.

The post A federal robotics agency? Law professor makes the case appeared first on FedScoop.
Recovery Board names Hemanth Setty next CIO http://fedscoop.com/recovery-board-names-hemanth-setty-next-cio/ Tue, 21 Oct 2014 02:50:41 +0000

The post Recovery Board names Hemanth Setty next CIO appeared first on FedScoop.
Hemanth Setty (Credit: FedScoop)

The Recovery Accountability and Transparency Board took little time finding a replacement for Shawn Kingsberry, the board’s former chief information officer who retired Friday from federal government.

Hemanth Setty has been named the board’s next CIO, Kingsberry confirmed in a tweet Monday. Setty has been with the Recovery Board since 2010, when he started as a solutions architect before being promoted to chief technology officer in 2012.

Soon after taking over the board’s CTO reins, FedScoop spoke with Setty, recognizing him as a FedMentor. Setty described working with “cutting edge technologies” as RATB CTO and explained how he’s passionate about being a public servant. Prior to joining RATB, Setty worked in the private sector for 14 years.

Setty will have big shoes to fill in replacing Kingsberry, a noted cloud pioneer who led the board’s swift effort to host Recovery.gov on Amazon Web Services’ cloud in just 22 days. Kingsberry, who spent 22 years in government and the last five with RATB since it launched, confirmed in an email to FedScoop last week that he will join Arlington, Virginia-based TASC Inc. as the director of cloud services. He will officially begin Nov. 3.

The Recovery Board, which began in 2009 to provide transparency on the spending of the $787 billion allotted to stimulus efforts in the American Recovery and Reinvestment Act of 2009, is scheduled to sunset Sept. 20, 2015. According to Recovery.gov, the board’s license will not be renewed.
GSA introduces FedRAMP Ready to speed up cloud procurement http://fedscoop.com/gsa-introduces-fedramp-ready-speed-cloud-procurement/ Tue, 21 Oct 2014 02:44:30 +0000

The post GSA introduces FedRAMP Ready to speed up cloud procurement appeared first on FedScoop.
The General Services Administration has introduced a new category for its Federal Risk and Authorization Management Program to highlight cloud systems proven FedRAMP ready.

Dubbed “FedRAMP Ready,” the new category will “allow potential agency customers and authorizing officials a starting point to initiate an authorization,” according to the FedRAMP cloud.cio.gov website. These cloud service providers (CSPs), to be featured on the FedRAMP website, differ from others in that they have been reviewed by the FedRAMP project management office (PMO), Matt Goodrich, acting FedRAMP director for GSA, said in a statement.

“As more and more cloud services enter the FedRAMP assessment process, FedRAMP is providing more information to help agencies and CSPs achieve a FedRAMP authorization faster,” Goodrich said. “FedRAMP Ready systems have documentation that has been reviewed by the FedRAMP PMO and at a minimum have gone through the FedRAMP PMO readiness review process.”

At publication, just four cloud systems were listed on the FedRAMP website with varying degrees of demonstrated readiness. The elements of readiness featured with them will give agencies a jumping off point for their cloud procurement process, Goodrich said. “Agencies can use this documentation to initiate an assessment and authorize these systems in a faster time than starting from scratch.”

Likewise, the more complete a provider is in conducting third-party assessments or providing FedRAMP documentation, the quicker agencies can navigate the assessment and authorization process, the website says.

The new FedRAMP category comes as agencies struggle to achieve FedRAMP compliance. A recent report from the Council of the Inspectors General on Integrity and Efficiency surveying federal cloud efforts found that 59 of the 77 systems observed did not meet the June 5 deadline for FedRAMP compliance.

Citing a similar study, Susan Palermo, senior vice president of emerging programs and services for Creative Computing Solutions Inc. (CCSi), said FedRAMP isn’t getting the agency focus it should.

“Although the federal government has established cloud computing as a priority through initiatives like cloud first, adoption has been relatively slow,” Palermo said. “A recent report from the Government Accountability Office found that agencies have only dedicated two percent or $529 million of their IT budgets to cloud spending. Security and acquisition processes were identified as the most significant barriers to cloud adoption identified in the report.”

But with FedRAMP Ready, Palermo said, agencies and vendors alike could get an easier start navigating FedRAMP and the federal cloud procurement process, especially if a provider is accredited by a third-party assessment organization (3PAO) like CCSi.

“Vendors that are 3PAO accredited will have a more robust profile on FedRAMP Ready, which will allow agencies to initiate an assessment and procure services more quickly,” she said. Vendors that have only a PMO readiness review and no 3PAO assessment, she notes, are on their way to being FedRAMP compliant but are not fully there yet.

FedRAMP Ready will also accommodate open source code that agencies can deploy for their cloud solutions. So far, there are no open source builds listed on the FedRAMP website.
FDA issues recs on when a medical device update requires a recall http://fedscoop.com/fda-issues-recs-medical-device-update-requires-recall/ Mon, 20 Oct 2014 21:48:38 +0000

The post FDA issues recs on when a medical device update requires a recall appeared first on FedScoop.
The FDA issued new guidance that aims to clarify whether a change in a medical device may require a recall – or is simply an “enhancement.”

According to a notice published last week in the Federal Register, companies may have trouble determining whether an update to their product meets the criteria for a recall. The guidance formally defines an enhancement and presents a Q-and-A as well as sample scenarios to illustrate its recommendations.

“It will make the process of determining whether a modification is an enhancement that much clearer, and companies can proceed with more confidence that they’re doing the right thing,” said Jeffrey Secunda, vice president of technology and regulatory at Advanced Medical Technology Association (AdvaMed), a medical device trade group.

According to FDA, an “enhancement” is a change that improves the quality of the device — something that makes the device better meet the consumer’s needs — but it is not something that remedies a violation of the Federal Food, Drug and Cosmetic Act.

Joe Penkala, who runs Compass Strategies LLC, a consulting firm that represents several medical device manufacturers, said the guidance was needed.

“Up until this point, the FDA had never really defined the term ‘enhancement’ and so manufacturers risked the possibility that their routine upgrades and enhancements aimed at improving performance might be incorrectly viewed as a recall by the FDA,” he said via email.

It is particularly an issue in software-driven medical devices, like pacemakers or infusion pumps, that are designed to receive software upgrades, Penkala said. Much like phone apps, these devices receive updates that improve how their software performs.

Secunda said that his group was pleased with the guidance. In an earlier draft, the FDA had recommended establishing a reporting requirement for product enhancements that had a safety component, even if it did not require a recall. For example, a company that was increasing the volume on an alarm as a result of customer feedback, and not as a result of a violation, might have to make a report, he said. The new guidance does not make this requirement.

The guidance, though technically nonbinding, shows FDA’s current thinking, Secunda said. “One can expect that the guidance will be used by both premarket reviewers as well as the client looking at devices on the market.”

Secunda added, “This is big stuff. Companies put a lot of effort into getting it right when they think of an enhancement.”
Audit: IRS won’t hit HSPD-12 ID card benchmark until 2018 http://fedscoop.com/tigta-irs-hspd-12-audit/ Mon, 20 Oct 2014 21:26:00 +0000

The post Audit: IRS won’t hit HSPD-12 ID card benchmark until 2018 appeared first on FedScoop.
The IRS may not be 100 percent compliant with HSPD-12 until 2018. (Credit: Wikimedia)

New Treasury Department Chief Information Officer Sonny Bhagowalia has only been on the job for a few hours, but he already has a major department headache to deal with.

The Treasury Inspector General for Tax Administration released the results of an audit Monday stating the IRS will not meet the Treasury Department’s goal of becoming fully compliant with Homeland Security Presidential Directive 12 (HSPD-12) by fiscal year 2015; some authentication requirements will not be met until fiscal 2018, and then only if funding is made available.

HSPD-12 requires agencies to issue personal identity verification (PIV) cards that meet a governmentwide standard (FIPS 201) for secure and reliable forms of identification. Created in 2004 under then-President George W. Bush, the directive was meant to reduce variations in the identification used to access secure facilities where there is potential for terrorist attacks. The Obama administration has made it a goal to achieve HSPD-12 compliance at 75 percent of federal agencies by the end of fiscal 2014, and the Treasury Department planned to have all of its components meet the requirements by fiscal 2015.

The report states that while 85 percent of the IRS workforce has been issued PIV cards, only 130 of 625 IRS locations (21 percent) have been upgraded to use the cards for physical access authentication, and PIV-based logical access authentication (using the card to log in to IRS computer systems) has been enabled for only 5 percent of the workforce that requires it. The gap between issuance and use is the security-relevant figure: a card that has been issued but is not required for physical or logical access provides none of the authentication benefit the directive is meant to deliver.

TIGTA identified several factors for the IRS’ lag in meeting the Treasury Department’s goals. The report states that IRS is having trouble distributing PIV cards due to the need to manually verify contractor data before issuing them, the distance between remote IRS offices and credentialing stations, and a high turnover rate among IRS employees. The Treasury Department has said it plans on implementing a solution, PIV Data Synchronization, that will allow for PIV cards to be issued to new employees on their first day of work.

On the access-authentication shortfall, the IRS said it has faced a number of barriers, including a lack of funding, last year’s government shutdown and several software systems that are not HSPD-12 compliant.

TIGTA issued a number of recommendations to the IRS’ chief technology officer and chief of agencywide shared services, including that officials ensure that all IRS facilities are equipped to meet HSPD-12 compliance and that all HSPD-12 requirements are integrated into the IRS’ existing computer systems.

IRS CIO Terry Millholland agreed with all of TIGTA’s recommendations and has planned corrective actions but noted the service’s financials present a challenge.

“The IRS is continuously improving its security posture, but we are limited by a shortage of financial resources,” Millholland wrote in his response. According to the audit, the IRS said it would need $123 million and six new, full-time employees to make 361 IRS offices HSPD-12 compliant. The IRS has already spent more than $110 million to implement HSPD-12 and has budgeted an additional $19 million for fiscal year 2014.