How the ‘New IP’ can help federal agencies
As the federal government looks to harness the best of emerging enterprise architecture, its current network presents considerable hurdles. Innovations like cloud, big data and the Internet of Things call for a network that is fast, flexible and able to adapt to rapidly changing needs.
Brocade calls such a network the “New IP.” The company showcased some of the technologies that make the New IP possible Wednesday during its Federal Forum, which was produced by FedScoop. Several Brocade leaders at the event said the New IP could help agencies reduce their network costs and become more agile in a changing technology landscape.
During a keynote at the forum, Phil O’Reilly, Brocade’s federal chief technology officer, said the way the government procures and carries out its IT functions is unsustainable from a cost and technological perspective.
“We have made a mistake in consolidating and concentrating our focus in the various elements of delivering this user experience to the American citizen,” O’Reilly said. The government spends at least 70 percent of its IT budget on legacy systems, he said. “That needs to change. That changes by making the infrastructure more flexible, more able to be adaptive continuously, without having to make a wholesale change to your network.”
According to Brocade, a key part of the New IP is software-defined networking, or SDN, which is already in place in some agencies. The underlying technologies that make SDN possible are the same ones that make Amazon Web Services, virtual machines and hypervisors possible.
“You’ve already embraced this change,” O’Reilly said to federal government officials attending the event.
It’s a change that government IT personnel see as necessary. In a survey released at the forum, less than 15 percent of respondents felt their agency’s current network infrastructure will be able to support their future missions. Additionally, 70 percent of respondents are considering, planning or have already moved to SDN, citing performance and ease of management as major advantages.
O’Reilly said SDN allows agencies to cut costs while delivering citizen experiences the public is growing to expect.

Brocade Federal Chief Technology Officer Phil O’Reilly. (FedScoop)
“This is not a rock and a hard place anymore,” he said. “We are giving you an option to consider technology that can solve problems in a brand-new way, giving you efficiency and cost reduction.”
Aside from citizen services, O’Reilly said this new software is crucial for warfighters, who are consistently in the field with an array of sensors that deal with everything from health monitoring to communication capabilities.
“Think about the ramifications as that data runs upstream on these creaky, rigid, topologically dependent, capacity-planned networks that we have in place,” he said. “If the New York Stock Exchange drops some packets, someone loses some money. When this network drops packets, somebody dies.”
Whether it is innovations related to the warfighter, the ability to bring cloud into a large agency or allowing the government to tap into the Internet of Things, Brocade sees SDN giving feds the opportunity to work in an agile, responsive network.
“The ultimate goal of this is to move workloads anywhere in your environment,” O’Reilly said. “And by workload, I mean application, data and network characteristics. Movement without impunity. That flexibility gives you the kind of scale that will allow you to work in a world where you cannot predict today what’s going to happen tomorrow.”
Additional reporting from the Federal Forum 2015:
Government needs agile networks, federal CIOs say – At Brocade’s Federal Forum, produced by FedScoop, IT leaders emphasized the need for flexible computing networks as the U.S. faces mounting cyber threats.
Federal IT isn’t keeping up with new technology – Brocade CEO – CEO Lloyd Carney argues the federal government must modernize its legacy IT systems to create stronger defenses against countries using newer technologies.
CIOs turn focus to business outcomes and mission – As they update their IT infrastructure, federal CIOs are beginning to focus on how technology can impact business and mission.
Tony Scott’s plan for restoring confidence in federal cybersecurity – The new U.S. chief information officer outlined his strategy for improving the government’s cybersecurity posture — faster, newer, better.
Agencies using hybrid clouds need orchestration tools – As agencies expand their IT into multiple clouds, the need for a single, open source orchestration platform is becoming more crucial, a cloud expert argues.
Federal, industry leaders recognized for ‘Breaking the Status Quo’ – At Brocade’s 2015 Federal Forum, four federal and industry leaders were recognized for their innovative work in government information technology.
Government needs agile networks, federal CIOs say
Agencies must develop more flexible networks as they look to update their legacy systems, IT officials said Wednesday during Brocade’s Federal Forum 2015.
“I think we’re entering a period where there’s going to be a new computing platform,” said Health and Human Services CIO Frank Baitman at the Washington, D.C. event, produced by FedScoop. “The focus on technology, the focus on building things custom ways is going away … We’re going to be enabled to focus more on our mission.”
More than 1,100 attendees heard from speakers from all corners of government — including U.S. CIO Tony Scott, Department of Homeland Security CIO Luke McCormack and Commerce Department CIO Steve Cooper — talk about the potential to update the federal government’s IT systems.
Discussion focused on the “New IP,” a term used by Brocade to refer to how an organization’s network must change to accommodate the proliferation of cloud, mobile and big data — particularly using software-defined IT. Speakers also talked more generally about innovative approaches to acquiring technology and modernizing federal networks.
Richard McKinney, the CIO of the Transportation Department, said networks must be updated so that agencies are ready to face challenges ahead.

(l-r) Steve Charles, co-founder of immixGroup; Soraya Correa, chief procurement officer, DHS; Steve Cooper, CIO, Department of Commerce; Richard McKinney, CIO, Department of Transportation. (FedScoop)
“What I have been trying to do is a re-imaging of how we can do infrastructure differently,” McKinney said. “We need to get out of the IT business so the CIOs can sit down with the business units and begin to imagine what the future looks like.”
He added, “Our IT is so needlessly complex and difficult to manage that we spend all of our cycles becoming firefighters. We fight fires all the time because our legacy construct requires that of us.”
Cooper said any network upgrades that offer faster IT services will be critical.
“It’s all about quality with speed,” Cooper said. “If I could speed up everything that I’m doing in terms of actually delivering solutions, outcomes and value as defined by my customers … then I can better manage risk.”
Recent security breach hangs over talks
Throughout the Federal Forum, the specter of the recent Office of Personnel Management hack, which compromised the data of millions of current and former federal employees, loomed. Several speakers talked about how updating the government’s existing systems could make federal IT more secure.
“If there’s one takeaway from today’s talk, I hope that it is we need to do a lot more and a lot sooner,” Scott said.

U.S. Chief Information Officer Tony Scott. (FedScoop)
During his keynote, the federal CIO emphasized the need to move away from just having cybersecurity exist as a budget line item. “We need end-to-end security in everything that we do,” Scott said. “The overall mission for cyber is to dramatically reduce the number of cyber incidents that affect government information. This is our most important mission today,” he said.
He also said the government needs digital services teams that focus on everything from cybersecurity to networking and that cybersecurity investments will likely increase as a percentage of overall IT spending.
Brocade presenters argued that using an open platform, as prescribed by their New IP philosophy, could make systems more secure.
“Security now means agility. It’s not locking down a device,” Brocade CEO Lloyd Carney said.
Scott agreed. “My measure of success is speed to market,” he said. “In today’s world, speed means everything.”
Carney, and several other speakers, mentioned that the federal government spends only 20 percent of its IT funding on new systems — and the rest goes toward legacy infrastructure. Carney said that foreign governments like China, which was blamed for the recent breach, are allocating a lot of resources to overtake the U.S. in technology. The U.S. must invest in new systems, he said.
“Too much of what we spend today on networking … is spent maintaining these old platforms,” Carney said.
Improving procurement requires communication
Soraya Correa, chief procurement officer at the Department of Homeland Security, told a panel of IT officials that procurement often “is not as complex as we try to make it out to be.” When asked about the secret to a successful procurement, she said, simply, that procurement officers and IT officials need to talk early and often about what they need to achieve.
“It’s all about understanding what it is we’re trying to do, defining what we’re trying to do, and when we don’t know, when we’re not sure, getting out there, talking to industry — who has done this before, who’s done it for other organizations, companies, state and local government — and learning from them.”
Correa said she and CIO McCormack meet regularly to talk about what he needs and how she can help him get it.
“Luke and I probably talk two or three times a week, and he shares with me his vision, where he’s trying to go, what his plans are, what he’s thinking about doing,” Correa said. “Even if he doesn’t really know exactly what he’s trying to do, he starts talking to me early, and I’m starting to think about ways that we can accomplish it.”
As part of the event, Brocade recognized the winners of the Breaking the Status Quo Award, leaders in the public and private sector who have made contributions to federal IT. Homeland Security Department’s Rob Karas, Walter Reed’s William Walders and the Defense Department’s Lt. Col. Ahmed Williamson were selected from 23 federal government nominees. In the industry category, Steve Charles, the co-founder of immixGroup, received the honor.
In all, federal leaders were optimistic about the ways that innovations in IT could better support the work their agencies do.
“I think this is a very exciting time to be in our world,” said Margie Graves, deputy CIO at DHS. “The innovation we bring to [the agency] really ensures the success of each of our missions.”
Corinne Lestch, Billy Mitchell, Greg Otto, Wyatt Kash, Dan Verton, Jake Williams and Grayson Ullman contributed to this story.
Federal IT isn’t keeping up with new technology – Brocade CEO

Brocade CEO Lloyd Carney. (FedScoop)
Brocade CEO Lloyd Carney warned that the government’s legacy IT systems, once the pride of America’s IT leadership, need to be modernized to function more effectively and respond to cyber attacks from foreign countries, many of which are using newer generations of network technology.
Countries like China, which was blamed for the recent hack of Office of Personnel Management data, have co-opted infrastructure developed here and out-maneuvered our own innovations while the U.S. is left behind, he said during Brocade’s Federal Forum Wednesday.
“You can no longer put a firewall around the infrastructure — they’re inside the firewall,” Carney said, referring to the Chinese hackers. “And they’re using modern tools against us, so it’s imperative for us that we modernize our infrastructure.”
Carney emphasized the need for a more open, flexible stack over smooth interoperability.
“Look at the flexibility on the platform you use every day,” he advised. “It’s about having a flexible stack, which is your network layer, and within that, having solutions that are interchangeable and open so it drives down cost and enables you to scale.”
Carney said the government has to spend more on new solutions to catch up with countries abroad. He noted that the IT systems used by federal agencies in many cases were built 20 years ago, before the advent of cloud and mobile computing and the need for integrated security systems were ever envisioned.
The Chinese and others, he said, “aren’t spending 85 percent of every new dollar on old stuff.” Of the more than $80 billion the federal government spends on IT annually, between 80 percent and 85 percent goes to maintaining and operating existing IT systems, according to federal figures.
In simple terms, “stop buying old stuff and start buying modern switches,” he said. “That’s the first step along the journey.”
And if there’s a dominant single vendor that continues to receive the most business, “you have higher cost, no innovation,” he said. “So breaking the status quo means we have to change that paragon.” He argued that using an openly developed, versus proprietary, system “will enable you to develop a defense against an asymmetrical network.”
Later, in a sit-down interview with FedScoop, Carney, who is on the board of Visa, said government and civilians have a lot to learn from the private sector.
Finance companies are deploying machine-learning tools that measure what is normal behavior and then run analysis to detect anything fishy.
“They work hard at verifying users who come into their enterprise, and limiting access to those customers,” he said. “They also make sure they encrypt aggressively.”
An important point, he said, is that banks have extra firewall protections — because they assume the threat is already there.
“They spend time ferreting out the threat already within” and getting rid of the hazard, he said.
Federal, industry leaders recognized for ‘Breaking the Status Quo’
Four leaders from industry and the federal government were recognized Wednesday with a “Breaking the Status Quo” leadership award at Brocade’s 2015 Federal Forum.
The Homeland Security Department’s Rob Karas, Walter Reed National Military Medical Center’s William Walders and the Defense Department’s Lt. Col. Ahmed Williamson were selected from 23 federal government nominees as winners of the federal leadership award.
For industry, out of the four nominees, Steve Charles, the co-founder of immixGroup, received the honor.
“The 2015 Breaking the Status Quo Awards recognize thought leaders who have developed and operationalized innovative strategies, who think outside the box, aren’t afraid to shake things up and who continue to raise the bar higher,” FedScoop CEO Goldy Kamali said during the awards presentation at the Federal Forum, which was produced by FedScoop. “Their significant contributions in their IT innovation efforts set them apart from the status quo.”
The federal winners of the award are:
- Robert Karas — At DHS, Karas leads the National Cybersecurity Assessments and Technical Services team, which develops risk-based assessments of agencies’ cybersecurity. Through those assessments, Karas’ team helps agencies close capability gaps, limit exposure and reduce exploitation on the network. Karas’ team works with more than 150 state, local, tribal, territorial and other critical infrastructure entities.
- William Walders — As the chief information officer for the Walter Reed National Military Medical Center in Bethesda, Maryland, Walders has embarked on an effort to improve the center’s financial transparency through a more defined IT catalog. Walders and his team have also worked to ensure that the IT services in the catalog can be delivered consistently — not only to reduce risk and cost overages, but to help doctors deliver services more quickly to patients.
- Lt. Col. Ahmed Williamson — Inside the confines of the Pentagon, Williamson is the force behind the Joint Chiefs of Staff IT services’ move to a common provider. The change came out of an efficiency review conducted by the department’s deputy secretary and will serve as a pilot for transforming more than 30 organizations within the Pentagon to a common IT service provider.
The industry leadership award winner is:
- Steve Charles — Charles has spent his career helping IT manufacturers sell to the federal government and, in turn, helping the government acquire IT. This year, Charles worked to educate the government on the advantages of infrastructure-as-a-service — and the best ways to procure it. Charles helped build a program for government to acquire a network from operating funds, allowing agencies to get state-of-the-art technology and upgrade at any time.
Lynn to take over as DISA director
Army Maj. Gen. Alan Lynn will succeed Lt. Gen. Ronnie Hawkins as director of the Defense Information Systems Agency, a Defense Department official confirmed Tuesday.
Lynn, who was confirmed for promotion to lieutenant general in April, is currently the DISA vice director. Hawkins announced in January that he plans to retire by the end of the year.
News of Lynn’s succession came as DISA — the Pentagon’s main networking and IT infrastructure services agency — released its latest five year strategic plan. The updated strategy focuses on “assured, scalable, managed access to services and data, in all environments, at the point of need, provided from cost effective infrastructure and computing.”

Army Lt. Gen. Ronnie Hawkins, the director of the Defense Information Systems Agency, plans to retire later this year. (DISA)
DISA and the Defense Department are “at an operational crossroads,” Hawkins wrote in the director’s statement accompanying the strategy. “We continue to operate in a contested battlespace, where the barrier to entry is low and oftentimes unchallenged. We will be aggressive in our pursuit of efficiency and effectiveness, and no longer support the operations of legacy and costly applications without senior leadership’s approval and direction. We recognize our value added within this mission space and will continually fine tune our efforts.”
18F set to launch agile blanket purchase agreement
After months of waiting, the General Services Administration’s digital shop 18F will launch its agile delivery blanket purchase agreement to vendors Wednesday.
Meant as a contracting vehicle within GSA’s IT Schedule 70 that would serve the growing demand for quick-turnaround software development in the federal government, the agile BPA’s request for quotes is going to look similar to traditional federal procurement solicitations, but it’s going to be evaluated in a different way. Instead of providing a lengthy, text-based proposal, vendors will submit work on software prototypes and code to an open GitHub repository, which 18F will pull and evaluate.
“I don’t want to hear a management narrative,” said Dave Zvenyach, director of acquisition management at 18F Consulting and project manager for the agile BPA. “I want to see working software.”
In the hours before the release of the request, Zvenyach, for competitive reasons, wouldn’t budge on exactly what participating vendors — he estimates there will be about 250 of them — would have to build. He did, however, note they would be given “a pretty well documented data set and API, and they’re going to be building something from that.”
This data set will be used in three different pools of competitors: designer-only and developer-only pools, both of which are set aside for small businesses; and a full-stack pool, which is unrestricted. So it’s possible a huge contracting company could compete on the full-stack award, Zvenyach said. “If they’re on Schedule 70 and they want to do agile, they can compete.”
For 18F, while this initial request process is a vehicle to bring on industry support to help scale its service to agency customers, it’s also a learning process. 18F officials call this version the “alpha stage.” In a recent blog post by Zvenyach and his colleagues, they wrote, “There’s a reason we are describing the BPA in an alpha stage: we expect to continue to learn and improve as we proceed.”
Indeed, this is a learning process for 18F, and since an industry day in February after the BPA was first announced, many things have changed. For instance, the idea to give vendors just 24 hours to hack out their prototypes has been expanded to a dayslong sprint, based on feedback from industry.
Also, 18F has fine-tuned some procedural operations. The digital services team has partnered with GSA’s Office of Integrated Technology Services, part of the Federal Acquisition Service, “to really make sure we get something solid” out of the BPA, Zvenyach said. GSA’s ITS is acting as 18F’s contracting office throughout this process. “We’re working lockstep with them,” the project manager said.
And when the alpha is done, 18F hopes to continue on to a beta version of the BPA and scale it up even further, based on what it learned the first go around.
“A lot of what we’re going to be doing in the alpha phase is trying to improve upon our processes, improve upon our tooling, so that when we go to beta — if we go to beta — it’s going to scale appropriately,” Zvenyach said. “So what I expect will happen in the alpha phase is we’ll spend a lot of time … on iteration to test things, experiment on how to do things better, build the tools that we think are necessary to scale up appropriately and eventually scale it up beyond the initial phase.”
18F plans to improve on the BPA as an agile procurement vehicle as well. The team wants to continue adding agile principles, like encouraging collaboration between units, to the process, Zvenyach said.
By the end of summer, perhaps early fall, 18F plans to award roughly two dozen contracts to vendors, who will work in a variety of settings — from 18F-specific projects to 18F-managed ventures at other agencies.
But in the procurement world, it’s risky to guarantee any exact time requirements, Zvenyach said. His team learned that first hand. “We said the RFQ would be out by the end of April, and here we are in June,” he said.
FCC weighs ‘Lifeline’ for low-income kids without Internet
Melissa Baranic is trying to usher her fourth-graders into the modern age with computers.
What’s available at Oak Street Elementary School in Inglewood, California, is not much: Out of 38 laptops at the school, about 10 of them actually work if the network doesn’t fizzle out, but at least the children’s hands touch keyboards and their eyes become accustomed to screens.
“I have fourth-grade students who have never typed an email or a paragraph,” Baranic, 35, said in an interview with FedScoop. “Just to get students familiar with reading on screen, scrolling up and down, enlarging text — it’s an enormous amount of new technology that my students need to practice.”
But while Baranic has introduced the machines at school, she faces another enormous challenge: getting her 33 students to continue practicing and learning at home.
“It would be amazing for me to say, ‘Continue reading this at home, print it out, highlight the page and bring it in tomorrow and be ready for our discussion,'” she said. “But that’s not even an option.”
As the Federal Communications Commission is set to vote Thursday on including in its agenda a sweeping proposal to modernize a 30-year-old program, called Lifeline, teachers like Baranic say expanding access to broadband service would help poor, struggling students connect to the Internet, and be better prepared to enter college and the workforce.
The program currently offers a monthly subsidy of $9.25 to some 14 million households across the country for landlines and wireless phone and communication services — but not for an Internet connection.
Advocates of broadband expansion say the FCC’s proposal would help students as well as low-income families and adults complete basic functions that many take for granted in the 21st century.
“If you don’t have access, you’re also losing out on myriad opportunities to excel in school, do homework, access health care, pay your bills on time, check your credit,” said Scott Simpson, director of media and campaigns for the Leadership Conference on Civil and Human Rights. “So we view an issue like broadband access as something with the potential to change lives.”
Fraught with abuse
The Lifeline program started in 1985 under the Reagan administration, providing a discount on phone service for low-income consumers who are at or below 135 percent of the federal poverty line, or who participate in a federal assistance program like Medicaid or the Supplemental Nutrition Assistance Program, known as SNAP. Lifeline had just about 1,000 subscribers two years after the program launched.
But that number had reached about 7,000 by 2005, when President George W. Bush decided to update the program to subsidize wireless service.
That’s when the trouble started.
Playing on loopholes in the law, multiple subscribers who lived in the same home could qualify for the program, even though the government allots one subsidy per household. Carriers were also collecting money on cell phones from customers even though they were supposed to be free.
“The wireless companies, because they knew they could make a profit, were very successful at drawing attention to the program and getting a lot of people signed up,” said Cheryl Leanza, an independent consultant with expertise in media and communications policy. “The recession hit in 2008, and there were not enough controls in place that we needed to make sure everybody was abiding by the rules.”
The FCC addressed the rampant waste and fraud in 2012, issuing robust reforms to ensure that subscribers had documented proof of eligibility and that they re-certified each year. The agency also established a national database to get rid of duplicate subscriptions, and carriers cracked down on customers who hadn’t used their phones in 60 days.
After the reforms kicked in, the number of Lifeline subscribers reduced dramatically — from about 16 million in 2012 to 13 million as of April 2014, according to agency figures.
Updating a complicated program
In recent months, FCC Chairman Tom Wheeler and Commissioner Jessica Rosenworcel have publicly pushed for the program to include subsidies on broadband service, setting the stage for the upcoming vote.
Rosenworcel has said that roughly 5 million children across the country lack access to the Internet at home.
Wheeler will introduce the new principles around broadband that will be up for discussion on Thursday, and a formal vote to update the program would likely take place later in the year, according to an FCC spokesman.
But there are still lingering questions and gaping holes in the proposal, experts and stakeholders say, mainly because broadband is much more expensive than phone service.
“We don’t know how it’s going to get funded,” said Javier Rosado, senior officer for business development for TracFone Wireless, which is owned by América Móvil.

From l to r: Commissioner Ajit Pai, Commissioner Mignon Clyburn, Chairman Tom Wheeler, Commissioner Jessica Rosenworcel and Commissioner Michael O’Rielly will decide this week whether they will move ahead with modernizing Lifeline to include broadband service. (FCC)
The Mexico-based carrier has 26 million Lifeline customers and submits more claims to the government than Sprint Corp., AT&T Inc. and Verizon Communications Inc., according to FCC statistics. The company currently offers 250 minutes a month, along with unlimited texting, which is covered by the federal subsidy. Customers pay out of pocket for additional services or minutes.
Rosado said TracFone and several other carriers did a broadband test with the FCC about a year ago, and the results showed that low-income customers need financial support not just for monthly payments, but for the actual hardware — laptops and computers — as well.
He added that the FCC needs to define what the minimal broadband service would look like, since just 5 gigabytes of 4G LTE data would run about $50 a month.
“We don’t know how to support that,” Rosado said. “If you have a $40 or $50 monthly payment, and you give them $9.25, the amount of people who would be able to use that is very small.”
Consumers would also likely have to decide what to use their discount for — wired, wireless or broadband service — forcing them to choose how they prefer to communicate.
“The most likely outcome of this process would be that the consumer would choose how to use their Lifeline benefit in the same way that a SNAP recipient decides what food to buy in the supermarket,” Leanza said. “The consumer would take the support and go to whichever provider they choose. The good part is it really leverages competition.”
Raising awareness
Then there is the challenge that people simply don’t know about the program, experts said.
“One of the problems when you deal with any eligibility programs like this is outreach and education,” said Danny Weiss, vice president for national policy at Common Sense Media, a nonprofit that promotes technology access for kids. “If they do know about the program, they may not apply for it. How to reach an eligible market, and then getting the cost right, is probably one of the challenges.”
Baranic, the elementary school teacher, also worries that the parents of her students — mostly Spanish speakers — won’t find out about the program if it is updated.
“If parents aren’t aware of it or don’t know how to do it, or they’re undocumented and afraid of the hurdles, they’re not going to do it,” she said.
For now, Baranic’s students will have to settle for learning on outdated computers about three times a week with shoddy connections. She creates online scavenger hunts using WebQuest to teach kids about different living environments, like aquatic and desert biomes, and they use PowerPoint to make their own presentations.
“When I roll in the computer cart, they’re very excited,” she said. “They ask me every day, ‘Are we going to work on the computer today?’”
Why the OPM hack demands accountability
The massive data breach at the Office of Personnel Management is indicative of a federal government approach to cybersecurity policy that has been an abject failure — full stop.
There’s no other way to describe the history of OPM’s cybersecurity efforts in light of the fact that it has presided over the compromise of personal identity information and highly sensitive background investigation information belonging to as many as 14 million current and former federal employees.
In addition to a series of inspector general reports that skewered the agency in the most public fashion for its cybersecurity shortcomings, OPM’s own annual security reports required by the Federal Information Security Modernization Act (FISMA) provided ample warnings that the agency was a cybersecurity disaster waiting to happen.
Yet nobody in the federal government did anything about it — not the White House, not the Department of Homeland Security, not Congress and certainly not the technology leadership at OPM.
The security gaps identified during OPM’s 2014 annual FISMA audit included having no remote access connections configured for malware scanning or for forcing users to re-authenticate after a session timed out. These glaring security holes not only went unnoticed as hackers were infiltrating the OPM network for more than a year but are also present at more than a dozen other federal agencies. DHS, which receives the detailed reporting through CyberScope, knew about these vulnerabilities, yet nothing was done.
Then there is OPM’s leadership, which remains in a state of denial. During heated exchanges Tuesday with members of the House Oversight Committee, OPM Director Katherine Archuleta defended her agency’s record on cybersecurity, arguing that the cybersecurity shortfalls faced by OPM were not the making of this administration but of years of neglect before she arrived.
We should also be asking serious questions of OPM’s Director of Security Operations Jeff Wagner, who published a white paper in March — just a month before the latest data breach was discovered — that was highly critical of the government’s defense-in-depth approach to cybersecurity and called for a more proactive approach involving searching for unknown malware and compromises.
“Given what they’ve seen with regard to highly sophisticated malware that’s been hidden for years (Energetic Bear, Poodle Bug, APT1, and Heartbleed) and the even more insidious activities of trusted insiders, agencies should approach security as if they’ve already been compromised,” Wagner said. “By beginning here we can take a proactive approach to searching for those intruders rather than a reactive approach that focuses on known incidents – government has to start searching for the unknown.”
Did Wagner know something about the security of OPM data when he wrote this paper? Of course he did. He may not have been aware of an ongoing intrusion targeting the crown jewels of federal employee identity information (even though his own thinking on cybersecurity would indicate he was looking for one), but he certainly understood the vulnerabilities that remained open.
There’s one core leadership trait that Archuleta, Wagner and his boss, OPM Chief Information Officer Donna Seymour, cannot escape. I learned it as a young Marine Corps officer, and it applies to every IT leader in the federal government: You’re responsible for everything your organization or unit does and fails to do.
“You have completely and utterly failed,” Oversight Committee Chairman Rep. Jason Chaffetz, R-Utah, told Archuleta.
Rep. Ted Lieu, D-Calif., called on OPM’s IT leaders to resign. “I’m looking here today for a few good people to step forward, take responsibility and resign for the good of the nation,” Lieu said.
“Well said,” responded Chaffetz.
For once Congress might be on the right track here. But they should not limit their condemnations to OPM’s failed leadership. DHS and the larger federal cybersecurity reporting structure, including the White House, have a lot to answer for.
As one former White House official told me in the immediate aftermath of the OPM hack, “Washington is full of people who are spending hundreds of thousands of dollars traveling to speaking engagements on cybersecurity, but what we need is people who can execute.”
Well said.
OPM short on answers for hack during oversight hearing
Members of the House Committee on Oversight and Government Reform ripped officials from the Office of Personnel Management and the Department of Homeland Security Tuesday in the wake of one of the biggest hacks in American history.
OPM Director Katherine Archuleta spent most of the hearing dodging questions about the amount of information leaked, what that information entails and why the agency ignored multiple inspector general reports that labeled OPM’s IT systems as woefully outdated on security.
Rep. Jason Chaffetz, R-Utah, the committee’s chairman, described OPM as “grossly negligent,” adding that its security position was comparable to “opening all the doors and windows and hoping nobody would walk in.”
“We’re about to hear testimony that you’re doing a good job,” Chaffetz said at the start of the hearing. “You’re not! You’re failing!”
Any time a committee member tried to press Archuleta for answers, she deferred, claiming she would answer the majority of questions in a classified briefing held Tuesday afternoon. Neither Archuleta nor OPM Chief Information Officer Donna Seymour could confirm the number of current and former federal employees who have been affected by the two breaches, but they admitted that most of the information taken, including Social Security numbers, was not encrypted due to the legacy systems on which the information was stored.
Seymour and DHS Assistant Secretary for Cybersecurity and Communications Andy Ozment did highlight how Einstein, DHS’ intrusion detection and prevention system, helped OPM discover the breach, leading to OPM immediately instituting two-factor authentication for remote access and tightening other network user permissions.
Those fixes did little to placate Chaffetz, who was indignant after Michael R. Esser, an assistant investigator general at OPM, rattled off a number of problems he discovered in OPM systems stretching back to 2007.
“The IG has been warning you since 2007, and you made a conscious decision not to do that,” Chaffetz said to Archuleta. “You kept vulnerabilities open, the information was vulnerable and hackers got it.”
Rep. Ted Lieu, D-Calif., called for someone either to resign or be fired.
“When there is a culture problem, we should send a signal to others that it’s unacceptable and leadership has to resign,” Lieu said.
Rep. Will Hurd, R-Texas, chairman of the committee’s IT subcommittee, said it’s time for the federal government to increase the speed at which agencies are putting modern security systems in place.
“We got to stop thinking about this like we have years to solve the problem,” Hurd said. “We don’t. We should be thinking about this in days.”
Officials from OPM and DHS, along with Federal CIO Tony Scott, told committee members there will never be a complete fix to guard against cyber attacks, but they are working to create new programs as fast as possible.
“There’s very sophisticated attackers out there, there is not one silver bullet,” Scott said.
However, when members pressed for answers on how those systems will be put into place at OPM or why those programs weren’t already working, Archuleta said she’d answer the questions during the classified hearing. That did not sit well with Rep. Stephen Lynch, D-Mass.
“You’re doing a great job stonewalling us — hackers, not so much,” Lynch said.
Duqu 2.0 virus poses threat to government, private sector
Cyberspace has a new apex predator.
Duqu 2.0, the elusive malware that experts suggest might be linked to the Israeli government, was discovered last week lurking in the systems of thousands of organizations across Western, Middle Eastern, and Asian countries, according to antivirus company Kaspersky Lab.
The lab predicts that its findings so far are only the beginning.
“These are only preliminary results of its investigation,” said Kurt Baumgartner, principal security researcher at Kaspersky. “There is no doubt that this attack had a much wider geographical reach and many more targets. But judging from what we already know, Duqu 2.0 has been used to attack a complex range of targets at the highest levels.”
Victims include high-profile and seemingly innocuous targets. Notably, the virus was discovered infecting the systems of European hotels that hosted the P5+1 talks, which were held to negotiate the terms of Iran’s nuclear program. It was also found on computers linked to the 70th anniversary celebration of the liberation of Auschwitz concentration camp at the end of World War II.
Duqu 2.0 was first identified in early spring, when a prototype program at Kaspersky detected evidence of sophisticated malware in the bowels of the anti-malware lab’s own network.
An internal investigation was launched, and Kaspersky’s task force of analysts, reverse engineers and researchers confirmed that an “exceptional” attack had indeed been made on its systems and had gone undetected for an indeterminate amount of time.
Researchers concluded that the virus was the product of an advanced hacking group thought to have gone dark in 2012. Kaspersky had dubbed the group “Duqu,” after the “~DQ” files its malware creates.
The new program, a type of advanced malware known as an advanced persistent threat, or APT, was dubbed Duqu 2.0, and further study proved it to be among the most potent offensive software ever created.
“The philosophy and way of thinking of the Duqu 2.0 group is a generation ahead of anything seen in the APT world,” Baumgartner said. “The group behind Duqu is very skilled, powerful and did everything possible to try to stay under the radar.”
According to Kaspersky, the sophistication of Duqu 2.0 surpasses even the programs of the Equation Group, a shadowy hacking organization suspected to be an NSA affiliate and widely recognized as the “crème de la crème” of APT production.
Duqu 2.0 exists only in a system’s memory, which prevents detection by anti-malware scans. It also has no need to directly connect with a command-and-control center, instead acting autonomously to infect network gateways and firewalls. This allows it to proxy internal network traffic directly to hackers’ command centers.
These factors, combined with its array of complex encryption algorithms, make hunting Duqu 2.0 a daunting task.
The composition of such a complex program is no easy feat, and Kaspersky’s investigation has turned into a cyber detective story in its own right.
By collecting logs from the proxies used to channel their data, technicians were able to determine that attackers worked significantly less on Fridays and not at all on Saturdays. Their regular workweek appears to start on Sunday. Additionally, the hackers compiled binaries on Jan. 1, indicating that it was not a holiday for them.
Timestamps in the binary logs suggest that the hackers operate in a GMT+2 or GMT+3 time zone, areas that include parts of Africa and the Middle East. Baumgartner noted that the binary logs contained mostly perfect English, but with a few telltale mistakes, which may mean the Duqu group is composed of nonnative speakers. Among these he cited an example of “Excceeded” as opposed to “Exceeded.”
As the hunt to identify the hackers continues, Kaspersky has recommended simple measures to ameliorate the threat of Duqu:
- Update Windows to the latest version using Microsoft Windows Update. Make sure to install Microsoft’s Patch Tuesday update from June 9.
- Reboot all computers at once – for instance simulating a power failure. It is very important to reboot everything at the same time; otherwise the malware might survive on a machine and re-infect the others.
- Change all passwords.
- Perform regular updates and rebooting of all machines in the network, including domain controllers. Rebooting removes the active malware from memory.
- Make sure all servers run x64 (64-bit) Windows. This forces the attackers to use signed drivers for persistence mechanisms.
- Change passwords regularly (every 1-2 months) and use strong passphrases that are longer than 20 characters. Disable old-style LM hashes.
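The recommendations above can be checked against a host inventory. The sketch below is an added example, not code from Kaspersky or from this article: it tests whether a coordinated reboot actually left a window in which every machine was off, and flags hosts that are not 64-bit or were last updated before June 9. The host names, field names and timestamps are constructed, and treating the last update date as evidence of the June 9 patch is an assumption.

```python
from datetime import datetime

# Constructed inventory: one record per Windows host. Host names, field names
# and times are made up; "down"/"up" bracket the coordinated reboot and
# "patched" is the date of the last installed Windows update (assumption).
HOSTS = [
    {"host": "dc01", "arch": "x64", "down": "2015-06-13T02:00", "up": "2015-06-13T02:20", "patched": "2015-06-10"},
    {"host": "fs01", "arch": "x64", "down": "2015-06-13T02:01", "up": "2015-06-13T02:18", "patched": "2015-06-11"},
    {"host": "app07", "arch": "x86", "down": "2015-06-13T02:19", "up": "2015-06-13T02:40", "patched": "2015-06-12"},
    {"host": "ws112", "arch": "x64", "down": "2015-06-13T02:02", "up": "2015-06-13T02:15", "patched": "2015-05-14"},
]
PATCH_DATE = datetime(2015, 6, 9)  # the June 9 Patch Tuesday named in the list


def _t(value):
    """Parse an ISO date or date-time string from the inventory."""
    return datetime.fromisoformat(value)


def common_downtime(hosts):
    """Return (start, end) of the window when every host was off, else None."""
    start = max(_t(h["down"]) for h in hosts)  # last machine to power off
    end = min(_t(h["up"]) for h in hosts)      # first machine to come back
    return (start, end) if start < end else None


def early_boots(hosts):
    """Hosts that were running again before the last host had shut down.

    While any machine is still up, memory-resident malware on it can
    re-infect hosts that have already rebooted clean.
    """
    last_down = max(_t(h["down"]) for h in hosts)
    return sorted(h["host"] for h in hosts if _t(h["up"]) <= last_down)


def audit(hosts):
    """Map host name -> list of unmet recommendations (empty list = none)."""
    report = {}
    for h in hosts:
        issues = []
        if h["arch"] != "x64":
            issues.append("not 64-bit")
        if _t(h["patched"]) < PATCH_DATE:
            issues.append("June 9 update missing")
        report[h["host"]] = issues
    return report
```

With the sample data there is no common downtime window: `app07` was still running when `fs01` and `ws112` came back up, so the reboot would have to be repeated.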
As far as identifying the perpetrators beyond a reasonable doubt, Baumgartner remains cautiously optimistic. “Attribution of cyber attacks over the Internet is a difficult thing,” he said.
“But the attackers always leave some traces.”