Amid Schumer’s urging, FBI has created a national swatting database
The Federal Bureau of Investigation has launched a nationwide database to track swatting, according to a recent NBC News report. Incidents of “swatting” — hoax calls to emergency responders that draw an armed police response to a victim’s address — have become increasingly common in the United States. They’re also dangerous, and have cost some people their lives.
Back in May, the FBI created a national database to track incidents of swatting, according to NBC. The idea is that police departments will collaborate with other law enforcement agencies. Before this summer, there was no nationwide government approach to tracking the problem.
“In response to the national call on swatting, the FBI initiated the Virtual Command Center (VCC) known as the National Common Operation Picture (NCOP). The NCOP-VCC is a collaborative effort between the FBI and law enforcement partners to track and create a real-time picture of swatting incidents,” a spokesperson for the FBI told FedScoop. “Established in May 2023, this initiative is open to any law enforcement agencies and fusion centers who wish to participate in tracking and sharing swatting information in respective jurisdictions.”
There’s been mounting pressure on the agency to address the issue. In April, Senate Majority Leader Chuck Schumer called for $10 million of the federal budget to be designated for a “cyberswat” team at the FBI dedicated to fighting swatting calls. At the time, he also called for a better system for tracking these incidents across the country.
“They don’t do it now,” the senator said in April. “When you can track a crime, you can find out what’s happened. How many were from overseas? How many occurred here? How many used this language? How many used that language? Maybe this is one person. Maybe it’s a whole lot of people. We just don’t know yet.”
FedScoop has reached out to Senator Schumer’s office for comment.
Editor’s Note: This piece was updated at 1:43 PM ET to include a comment from the FBI.
Democrats push for IRS free file service, citing bipartisan demand from taxpayers
Dozens of prominent Democrats in Congress earlier this week expressed their strong support for a new free filing service the Internal Revenue Service is planning to launch for use by certain taxpayers in early 2024.
Lawmakers from both chambers, led by Sen. Elizabeth Warren, D-Mass., sent a letter to IRS commissioner Daniel Werfel and the Treasury Department on Monday in which they said a large majority of Americans support the creation of a free direct filing service.
“We write to applaud this announcement and your leadership on this issue, and to share our support for making a strong tool available to as many taxpayers as feasible next filing season and for continuing to build the free and easy filing tool that many Americans want and deserve,” the Democrats wrote in the letter to Werfel and the Treasury Department.
The Internal Revenue Service and the U.S. Digital Service are working to develop a prototype free filing service, which is expected to be made available to certain taxpayers in January 2024.
“We urge you to make this pilot of the direct file tool available to as many taxpayers as is feasible, in order to deliver real value quickly to American taxpayers and demonstrate the value of modernizing the IRS, while also gathering data to make improvements and to better serve American taxpayers,” the Democrats’ letter added.
The missive highlighted a recent IRS report to Congress which indicated that taxpayers trust the IRS to provide a direct free filing service, and think it is the agency’s role to build and operate such a system.
In the Monday letter, lawmakers argued that the agency’s existing Free File Program—a partnership between the IRS and private tax preparation companies—has not been successful despite 70% of taxpayers qualifying for the service.
The missive also criticized companies offering tax preparation services that are advertised to be free but often are not. Last month, TurboTax began paying $141 million in settlement payments to American taxpayers who the company allegedly unfairly steered into paying for tax preparation software that should have been free, the Democrats said.
The Democrats’ letter states 72% of taxpayers across party lines are interested in an IRS direct file tool and 68% of taxpayers who currently self-prepare their returns are likely to switch to a direct free filing IRS tool if given the chance to.
State Department deputy CDO joins National Security Council
Department of State Deputy Chief Data Officer Garrett Berntsen has joined the National Security Council as director for technology and national security.
He takes up the new role at the White House agency after two years at State, during which time he has spearheaded the department’s data modernization strategy with CDO Matt Graviss.
Berntsen will serve on secondment at the National Security Council until at least the end of the year. Previously, he was a senior manager at Deloitte, and before that was a country director for Afghanistan within the Department of Defense.
According to a State Department spokesperson, Amy Ritualo will take up the role of acting deputy chief data officer while Berntsen is on detail.
The National Security Council is the president’s principal forum for national security and foreign policy decision-making. In addition to technology and cybersecurity, it brings together senior leaders in areas crucial for national security including homeland security, global public health, international economics, climate, migration and others.
At the State Department, the Office of the Chief Data Officer has worked to implement Secretary Antony Blinken’s modernization agenda, which includes the department’s first-ever enterprise data strategy.
Writing for FedScoop last September, Berntsen and Graviss said their team was focused on completing six-month sprint data campaigns to drive forward the agency’s digital transformation.
Earlier this year, the State Department appointed Laura Williams as deputy chief information officer for foreign operations. Williams took up the post on March 1 after previously serving as director of analytics at the agency’s Center for Analytics.
Editor’s note, 5/7/23 at 12:40 p.m.: This story was updated to include details of Amy Ritualo’s appointment as acting deputy chief data officer.
US Patent and Trademark Office data leak exposed 61K private addresses
The U.S. Patent and Trademark Office acknowledged Thursday that 61,000 private addresses of trademark applicants were inadvertently exposed in a years-long data leak between February 2020 and March 2023.
The trademark office said the data leak affected about 3% of the trademark applications filed during the three-year period and that the issue was fully fixed on April 1, without any data having been misused.
“Upon discovery, the USPTO reported the data exposure to the Department’s Senior Agency Official for Privacy and its Enterprise Security Operations Center, which in turn reported the exposure to the Department of Homeland Security. As you are aware, the USPTO also notified affected parties of the exposure,” a USPTO spokesperson emailed FedScoop.
“The USPTO has no reason to believe that the data has been misused,” the spokesperson added.
U.S. law requires trademark applicants to include their private domicile address when submitting an application, a measure intended to combat fraudulent trademark filings.
The trademark office said in a notice sent to all those impacted by the data leak that by April 1 the issue had been fully fixed by properly masking all of the private addresses and correcting all system vulnerabilities found.
The trademark office said that in February it discovered that private domicile addresses that should have been hidden from public view appeared in records retrieved through some application programming interfaces (APIs) of the Trademark Status and Document Review system (TSDR). The APIs are used in apps by both agency staff and trademark filers to access the TSDR system for checking the status of pending and registered trademarks.
Some private addresses also appeared on the bulk data portal of the USPTO website.
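The failure mode described above, a field that is hidden in one view but slips out through another retrieval path (a different API endpoint, a bulk export), is the classic outcome of masking being applied per endpoint instead of at one policy point. The following is an added example, not USPTO or TSDR code; the record layout, field names, audience roles and the `legacy_bulk_export` function are assumptions chosen to illustrate the problem and a leak check that would have caught it. All sample records are constructed.

```python
"""Field-level masking of an applicant's domicile address, with a leak check.

Added illustration, not USPTO/TSDR code. Field names, the "examiner" role and
the legacy exporter are assumptions made for this example.
"""
from __future__ import annotations

# Constructed sample records; every value is made up.
SAMPLE_RECORDS = [
    {"serial_number": "90000001", "mark": "EXAMPLE MARK",
     "correspondence_address": "PO Box 1, Anytown, US",
     "domicile_address": "12 Private Lane, Anytown, US", "status": "REGISTERED"},
    {"serial_number": "90000002", "mark": "ANOTHER MARK",
     "correspondence_address": "100 Agent St, Othertown, US",
     "domicile_address": "7 Hidden Ct, Othertown, US", "status": "PENDING"},
]

# Fields that must never reach a public audience, whichever endpoint serves them.
PRIVATE_FIELDS = frozenset({"domicile_address"})
MASK = "[REDACTED]"


def redact(record: dict, audience: str) -> dict:
    """Return a copy of `record` that is safe for `audience`.

    The policy lives in exactly one function that every serializer calls, and
    it is default-deny: anything other than the assumed internal "examiner"
    role gets the masked view, so a new endpoint cannot silently expose the field.
    """
    if audience == "examiner":
        return dict(record)
    return {k: (MASK if k in PRIVATE_FIELDS else v) for k, v in record.items()}


def status_api(records: list, audience: str = "public") -> list:
    """Per-record status lookup (stand-in for a TSDR-style status API)."""
    return [redact(r, audience) for r in records]


def bulk_export(records: list, audience: str = "public") -> list:
    """Bulk dump (stand-in for a bulk data portal). Same policy function."""
    return [redact(r, audience) for r in records]


def legacy_bulk_export(records: list) -> list:
    """Hypothetical pre-fix exporter: it masks the field, but also emits a
    free-text summary built from the unmasked record, so the address leaks
    anyway under a different key. This is the pattern the leak check exists for."""
    rows = []
    for r in records:
        row = redact(r, "public")
        row["applicant_summary"] = f"{r['mark']} / {r['domicile_address']}"
        rows.append(row)
    return rows


def find_leaks(output: list, originals: list) -> list:
    """Report (serial, field) pairs whose private value appears anywhere in the
    public output, regardless of key name. Run it over every public-facing
    output in CI and against samples pulled from the live endpoints."""
    by_serial = {r["serial_number"]: r for r in originals}
    leaks = []
    for out in output:
        orig = by_serial.get(out.get("serial_number"))
        if orig is None:
            continue
        blob = " ".join(str(v) for v in out.values())
        for f in PRIVATE_FIELDS:
            if orig[f] and orig[f] in blob:
                leaks.append((out["serial_number"], f))
    return leaks


if __name__ == "__main__":
    print("status API leaks:", find_leaks(status_api(SAMPLE_RECORDS), SAMPLE_RECORDS))
    print("bulk export leaks:", find_leaks(bulk_export(SAMPLE_RECORDS), SAMPLE_RECORDS))
    print("legacy export leaks:", find_leaks(legacy_bulk_export(SAMPLE_RECORDS), SAMPLE_RECORDS))
```

The point of `find_leaks` is that it does not trust the key names: it searches each public record for the original private value, which is how an address copied into a summary field, a PDF index or a bulk row gets caught even when the dedicated field is correctly masked.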
The trademark office noted that, as a federal government agency, the USPTO is not subject to the same breach-reporting requirements as a private company or a state or local agency would be. It also has a process by which applicants who do not want their domicile address shown publicly can request that it be kept out of public view, or can seek a waiver of the requirement altogether.
Details of the USPTO leak were first reported by TechCrunch.
GAO sustains 93 bid protests filed over CIO-SP4 solicitation
The Government Accountability Office sustained 93 legal challenges to the National Institutes of Health’s embattled solicitation, CIO-SP4, concluding that the agency “unreasonably failed” to advance proposals past the first phase of the evaluation.
In a Thursday statement, managing associate general counsel for procurement law at GAO Kenneth E. Patton said the agency’s decision to not advance those proposals was “flawed”, citing NIH’s inability to show that it both reasonably evaluated phase one proposals and determined which would move on to the next stages of the competition.
“GAO recommended that the agency reevaluate proposals consistent with the decision, and make new determinations of which proposals advance past phase 1 of the competition based on the results of these new evaluations,” Patton said, echoing previous statements from the organization.
Patton also said the GAO found the agency “unreasonably evaluated specific aspects” of a phase one proposal from Sky Solutions LLC. GAO denied remaining arguments the protesters raised, which included challenges to other aspects of the evaluations and untimely challenges, he said.
The decision was issued under a protective order because it “may contain proprietary and source selection sensitive information,” according to Patton. It addressed protests by entities represented by outside counsel who were eligible for a protective order. Protests filed by entities not represented by counsel will be addressed in a separate, forthcoming decision, Patton added.
CIO-SP4 is the fourth iteration of a contract vehicle for acquiring commoditized IT products and specialized services that has been dogged by pre-award protests since the agency first requested proposals in May 2021. The CIO-SP4 vehicle has a $50 billion ceiling.
Entities seeking inclusion in the National Institutes of Health Information Technology Acquisition and Assessment Center (NITAAC)’s 10-year solicitation have mounted multiple challenges through bid protests over the last two years. Those challenges have focused on the process and criteria the awarding agency used to select awardees. They’ve been both dismissed and sustained as the agency pushes forward with the solicitation.
In March, the GAO dismissed a round of bid protests after the agency agreed to voluntary corrective action to make a new phase one determination on the highest-rated offerors. GAO previously dismissed 117 complaints in November 2022 over the use of a points-based scoring system used to analyze the prior performance of the bidding entities. The agency agreed to voluntary corrective action in that case as well.
Both of those decisions came after GAO partially sustained a pre-award protest arguing the procurement unfairly disadvantaged large companies in mentor-protégé arrangements in November 2021.
Commenting on the bid protest decisions, founder of federal procurement consultancy ProcureLinx, Mark Hijar, said: “This is a sign, to me, that they have some very serious retooling to do before they move to the next phase of evaluation. And for this to happen at this late date is not a good sign.”
Hijar, who has worked with contractors who were awardees under past iterations of the vehicle, said he’ll be watching how the agency addresses the recommendation efficiently “without materially changing the evaluation criteria that were originally provided.”
Editor’s note, 6/29/23: This story was updated to add further context about prior CIO-SP4 bid protests and to include comment from ProcureLinx.
Editor’s note, 7/13/23: This story was updated to correct the number of protests sustained.
The government quietly shut down a jobs app. A tricky fake took its place.
Back in May 2015, the US Office of Personnel Management — the agency in charge of coordinating the recruitment of federal employees — quietly discontinued a mobile app meant to make it easier to find and apply for government jobs. The app, which was designed as an extension of the official USAJOBS.gov online job search site, had previously been touted as evidence of the Obama administration’s push to adopt a path-breaking digital government strategy.
The app no longer exists. The system was taken offline, a spokesperson for OPM told FedScoop, after a redesign of the regular USAJOBS website incorporated a new, mobile-first design. Today, a page that used to focus on mobile apps like the USAJOBS app redirects to the USAJOBS.gov help center, while a link to a usa.gov page touting the system now displays a “Page Not Found” notice. The OPM spokesperson did not say how many people used the original app before it was shut down.
But a fake with a similar name eventually appeared in its place. A “USA JOBS” app was downloaded more than 50,000 times on the Google Play Store, where it had a 2-star rating. The app, which was most recently updated in June, attracted a slew of reviews complaining about it being “misleading,” as well as its advertisements, broken links, and “fake jobs.” Many users complained that the app isn’t associated with the actual USA Jobs website and that their credentials for the actual USAJOBS.gov platform didn’t work.
Google ultimately took down the app after it was flagged by FedScoop. The system, said company spokesperson Dan Jackson, violated the Play Store’s rules about misleading claims, which specifically ban apps that falsely claim affiliation with a government entity. Still, the existence of this and other fake apps also highlights that government agencies aren’t always tracking down platforms and websites impersonating their services.
“The official government website for Federal job seekers is https://USAJOBS.gov,” the OPM spokesperson told FedScoop. “Job seekers are encouraged to use the USAJOBS site to search for Federal opportunities. They may also create a USAJOBS profile, create or upload a resume, make their resume searchable by Federal recruiters, and apply for positions.”
Researchers at Stairwell, a cybersecurity firm, didn’t find any overt malicious behavior and noted that the app’s primary purpose seemed to be pulling information that’s freely available on the internet and incorporating a “tremendous amount of advertising.” The app didn’t directly claim to be affiliated with the US government, but took intentional advantage of search terms — they called it “scam-ish.”
“They might make thousands of dollars or tens of thousands of dollars just getting people to go off as keywords,” Eric Foster, a vice president at Stairwell, told FedScoop. “Lot of times we find that the government both isn’t great at branding, and then they aren’t great at protecting their brand the same way a lot of the corporations are.”
The researchers said that there’s evidence, based on their analysis of the app, that the developer was in Zambia. FedScoop reached out to the email address listed for the developer, but did not hear back by the time of publication.
Ads like the ones on the USA JOBS app could be a potential vector for malicious activity, the Stairwell researchers noted. The app could also collect personal information, both because it requires that users provide personal information to sign up for an account on the app, and because people may use their actual USAJOBS.gov login credentials when trying to log into the app.
“In reviews, people were saying they uploaded their resumes. So if you’re uploading your resume, that’s going to include contact information and your work history. That’s not something you would want to give away to just anyone,” Chris St. Meyers, Stairwell’s head of threat research, told FedScoop. “They’re not necessarily malicious intentions, but they’re not good. I don’t know what they’re doing with that information they collect.”
Similar, but more obviously malicious, sites are an ongoing challenge for the government. The Securities and Exchange Commission warned people on government employee retirement plans that they might be targeted by fraudsters back in 2017. Earlier this year, the United States Postal Service flagged to employees that cyber criminals were attempting to steal their information by creating fake sites. This issue has been an ongoing challenge for employees, according to unions representing these workers.
‘Hundreds’ of agency internet-connected devices found running in violation of recent CISA directive, cyber firm reports
Federal agencies are running hundreds of so-called networked management devices exposed to the open internet — exposures that must be removed under a new Cybersecurity and Infrastructure Security Agency directive — according to research from a cyber threat-hunting company.
On June 13, CISA issued a binding operational directive ordering civilian agencies to remove any “networked management interfaces” from the internet, making them accessible only from an internal network, or to deploy zero-trust capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself. Agencies are required to do so within 14 days of CISA notifying them of such an exposed interface, or of the agency discovering one itself.
Censys — a cybersecurity firm that specializes in threat-hunting across devices connected to the internet — used its platform to analyze the publicly exposed network management devices of more than 50 federal civilian executive branch agencies. It found “hundreds of publicly exposed devices within the scope outlined in the [CISA] directive.”
“In the course of our research, we discovered nearly 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols such as SSH and TELNET. Among these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and many popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances,” Censys wrote in a blog post sharing its findings.
In the post, the company explained: “These internet-exposed devices have long been the low-hanging fruit for threat actors to gain unauthorized access to important assets, and it’s encouraging that the federal government is taking this step to proactively improve their overall security posture and those of their adjacent systems.”
Censys also found more than “15 instances of exposed remote access protocols such as FTP, SMB, NetBIOS, and SNMP” — protocols that the firm says “have a history of security vulnerabilities, and exposing them to the internet raises the risk of being targeted by threat actors trying to gain remote unauthorized access to government infrastructure” — and “[m]ultiple out-of-band remote server management devices such as Lantronix SLC console servers,” which CISA said in its directive “should never be directly accessible via the public internet.”
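An agency responding to the directive needs to turn an external scan into a worklist: which observed services are management interfaces on publicly routable addresses, which need a human look, and by when each must be fixed. The following is an added example, not Censys or CISA tooling. The inventory rows are constructed; the protocol list is the one the directive enumerates for networked management interfaces, while the port-to-protocol defaults, the admin-UI banner markers and the “review” verdict for unlabelled web services are this example’s own assumptions.

```python
"""Triage a scanner-style inventory against the directive's scope.

Added example, not Censys/CISA code. Inventory rows are fabricated; port and
banner heuristics are assumptions for illustration.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from datetime import date, timedelta

# Protocols the directive enumerates for "networked management interfaces".
IN_SCOPE_PROTOCOLS = {"http", "https", "ftp", "snmp", "telnet", "tftp", "rdp",
                      "rlogin", "rsh", "ssh", "smb", "vnc", "x11"}

# Assumed port defaults, used only when the scanner supplied no service name.
PORT_TO_PROTOCOL = {21: "ftp", 22: "ssh", 23: "telnet", 69: "tftp", 80: "http",
                    139: "smb", 161: "snmp", 443: "https", 445: "smb", 513: "rlogin",
                    514: "rsh", 3389: "rdp", 5900: "vnc", 6000: "x11", 8443: "https"}

# Assumed banner markers for web UIs that administer a device rather than serve the public.
ADMIN_UI_MARKERS = ("asdm", "admin", "management", "fortigate", "sonicwall",
                    "cradlepoint", "console")

# RFC 1918, loopback and link-local only. ipaddress.is_global is not used because
# it also rejects the documentation range 198.51.100.0/24 used as a stand-in below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed inventory in a scanner-export shape: ip,port,service,banner (all fabricated).
SAMPLE_INVENTORY = """ip,port,service,banner
198.51.100.10,443,https,Cisco ASDM 7.x
198.51.100.10,22,ssh,OpenSSH_8.4
198.51.100.22,23,telnet,Cisco IOS
198.51.100.30,445,smb,Windows SMB 3.1.1
198.51.100.40,443,https,Agency public website
10.0.5.7,22,ssh,OpenSSH_8.9
198.51.100.50,161,snmp,SNMPv2c public
198.51.100.60,8080,http,Jenkins
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ip: str, port: int, service: str, banner: str) -> str | None:
    """Return "in_scope", "review", or None (not an exposure this directive covers)."""
    if is_internal(ip):
        return None
    proto = (service or PORT_TO_PROTOCOL.get(port, "")).lower()
    if proto not in IN_SCOPE_PROTOCOLS:
        return None
    if proto in ("http", "https"):
        # A banner alone cannot separate a public web application (out of scope)
        # from an unlabelled admin UI, so only known device-admin UIs are auto-flagged.
        if any(m in banner.lower() for m in ADMIN_UI_MARKERS):
            return "in_scope"
        return "review"
    return "in_scope"  # ssh, telnet, snmp, smb, ftp, rdp... on a public address


def triage(inventory_csv: str) -> list:
    """Return (ip, port, protocol, verdict) for every row that needs action or review."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        port = int(row["port"])
        proto = (row.get("service") or PORT_TO_PROTOCOL.get(port, "")).lower()
        verdict = classify(row["ip"], port, row.get("service", ""), row.get("banner", ""))
        if verdict:
            findings.append((row["ip"], port, proto, verdict))
    return findings


def remediation_deadline(notified_iso: str) -> str:
    """The directive allows 14 days from notification or discovery."""
    return (date.fromisoformat(notified_iso) + timedelta(days=14)).isoformat()


if __name__ == "__main__":
    for ip, port, proto, verdict in triage(SAMPLE_INVENTORY):
        print(f"{verdict:9} {ip}:{port} ({proto})")
    print("deadline if notified 2023-06-13:", remediation_deadline("2023-06-13"))
```

The “review” bucket is deliberate: an HTTPS listener on a public address is in scope only if it administers a device or the network, and a banner cannot prove that either way, so those rows go to a person rather than being silently dropped or silently counted. Pair the output with the directive’s implementation guidance when deciding between removing the interface from the internet and fronting it with a separate policy enforcement point.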
To help civilian agencies meet the requirements of the directive, CISA issued accompanying implementation guidance with additional background and commonly asked questions.
IRS advisory committee calls on agency to assess public awareness of existing free file tools
An Internal Revenue Service advisory committee has said the agency should evaluate the cost of expanding awareness of existing free tax filing programs before developing a new filing tool for taxpayers.
In a report published on Tuesday, the Electronic Tax Administration Advisory Committee (ETAAC) called on the tax authority to assess how much it would cost to improve public understanding of commonly used services run by the Free File Alliance, the Volunteer Income Tax Assistance program and the Tax Counseling for the Elderly.
The intervention comes as the Internal Revenue Service and the U.S. Digital Service work to develop a prototype free filing service, which is expected to be made available to certain taxpayers in January 2024.
ETAAC is an advisory committee that provides a public forum for the discussion of electronic tax administration issues. Last September the committee appointed eight new members including Deputy Chief Financial Officer and Tax Commissioner for the District of Columbia Keith Richardson and Code for America Senior Manager RaeAnn Pilarski.
In the new report, the committee cited previous work by the nonprofit MITRE Corp., which identified low participation rates in existing free filing programs and found a low level of awareness among consumers. In 2018, just 3 million out of nearly 104 million eligible taxpayers used a free file product to submit their federal income tax returns, according to the MITRE study.
The committee said: “ETAAC reiterates MITRE’s conclusion and joins in the recommendation that Congress appropriate funds to increase awareness of existing free filing options and encourages the IRS to make use of free electronic filing resources already at its disposal to promote greater adoption of Free File.”
It added: “ETAAC further recommends that the IRS work with the Free File Alliance and other software industry associations to continue enhancing the Free File program. This could include expanding eligibility (in terms of adjusted gross income) and communication and marketing opportunities for the program.”
Details of the IRS’s new prototype tax filing platform were first reported by the Washington Post as the Treasury in May delivered a report to Congress on the feasibility of building such a service. That study was carried out on behalf of the IRS by the nonprofit New America and was funded with $15 million included in the Inflation Reduction Act.
Other new recommendations from ETAAC include that IRS make tax information documents digitally available in real-time to allow easier use of third-party filing software and that the agency prioritize and allocate funding for the modernization of IRS.gov and search engine optimization.
Congressional AI proponent Ted Lieu pushes back on ChatGPT restrictions placed by House administrative office
Rep. Ted Lieu, the California Democrat who’s a major proponent of artificial intelligence policymaking in Congress, pushed back against the House Chief Administrative Office’s new guardrails around the use of popular generative AI tool ChatGPT, telling FedScoop this week that congressional staff should be free to use AI tools for any purposes they see fit.
Earlier this week, Chief Administrative Officer Catherine L. Szpindor sent a memo to all House staff saying that offices are only authorized to use the paid version of the AI tool known as ChatGPT Plus, which has a $20-per-month subscription that “incorporates important privacy features that are necessary to protect House data.”
Furthermore, Szpindor highlighted that offices are allowed to use the chatbot for “research and evaluation only” and are “not authorized to incorporate it into regular workflow” or use it for any official purposes.
Lieu — a member of the House Artificial Intelligence Caucus and one of three members of Congress with a computer science degree — pushed back on the CAO’s new rules during an interview with FedScoop, saying he planned to reach out to the CAO with a number of questions on the decision.
“I don’t believe all this is [necessary]. I don’t understand why they’re making any statements about workflow. I think that’s something within the province of each member’s office, and each member can figure out how they want the workflow of their office to function,” Lieu told FedScoop during an interview on the subject of AI in Congress.
“And so if they’ve determined that ChatGPT is not a security threat, which it looks like they’ve determined that, then I think every office should use it as they deem fit,” he said.
FedScoop first reported in April that the House of Representatives’ digital service had obtained 40 licenses of ChatGPT Plus, the first publicized congressional use of the popular AI tool. House offices said they were using ChatGPT for generating constituent response drafts and press documents, summarizing large amounts of text in speeches, and drafting policy papers or, in some cases, bill language.
Earlier this year, Lieu introduced a nonbinding resolution on how Congress should comprehensively regulate AI, the first measure in Congress written entirely by ChatGPT.
Similarly, he said he gives his staff immense freedom to use tech tools without restrictions.
“So I put an enormous amount of trust in my staff, and my staff can basically do whatever they want. So if they feel like looking something up on Google Bard they can do that. If they want to use ChatGPT to draft, do the first draft of a document [or policy], they can do that,” Lieu said.
The California congressman said his staff regularly uses ChatGPT for day-to-day purposes but wasn’t sure whether they use the CAO-authorized ChatGPT Plus service. Lieu added that his staff would look into getting the paid version of the tool if they weren’t already using it.
The CAO’s ChatGPT guidance comes as lawmakers from both parties and in both chambers are rushing to craft legislation on how to regulate AI, including Senate Majority Leader Chuck Schumer, D-N.Y., and Lieu, who is pushing for a new bipartisan AI regulatory commission.
The House Chief Administrative Office said the memo is not enforceable by law but is intended to provide best practice guidance based on internal research and procedures.
“Our intent in providing this information on ChatGPT was to explain best practice guidance consistent with our approved processes and procedures,” a CAO spokesperson told FedScoop. “Our House Cyber team will study this closely and continue to advise offices on the appropriate use of emerging technology.”
The CAO memo regarding limits and restrictions on ChatGPT use in Congress was first reported by Axios.