The government quietly shut down a jobs app. A tricky fake took its place.
Back in May 2015, the US Office of Personnel Management — the agency in charge of coordinating the recruitment of federal employees — quietly discontinued a mobile app meant to make it easier to find and apply for government jobs. The app, which was designed as an extension of the official USAJOBS.gov online job search site, had previously been touted as evidence of the Obama administration’s push to adopt a path-breaking digital government strategy.
The app no longer exists. The system was taken offline, a spokesperson for OPM told FedScoop, after a redesign of the regular USA JOBS website incorporated a new, mobile-first design. Today, a page that used to focus on mobile apps like the USA JOBS app redirects to the USAJOBS.gov help center, while a link to the usa.gov site touting the system now displays a “Page Not Found” notice. The OPM spokesperson did not say how many people used the original app before it was shut down.
But a fake with a similar name eventually appeared in its place. A “USA JOBS” app was downloaded more than 50,000 times on the Google Play Store, where it had a 2-star rating. The app, which was most recently updated in June, attracted a slew of reviews complaining about it being “misleading,” as well as its advertisements, broken links, and “fake jobs.” Many users complained that the app isn’t associated with the actual USA Jobs website and that their credentials for the actual USAJOBS.gov platform didn’t work.
Google ultimately took down the app after it was flagged by FedScoop. The system, said company spokesperson Dan Jackson, violated the Play Store’s rules about misleading claims, which specifically ban apps that falsely claim affiliation with a government entity. Still, the existence of this and other fake apps also highlights that government agencies aren’t always tracking down platforms and websites impersonating their services.
“The official government website for Federal job seekers is https://USAJOBS.gov,” the OPM spokesperson told FedScoop. “Job seekers are encouraged to use the USAJOBS site to search for Federal opportunities. They may also create a USAJOBS profile, create or upload a resume, make their resume searchable by Federal recruiters, and apply for positions.”
Researchers at Stairwell, a cybersecurity firm, didn’t find any overt malicious behavior and noted that the app’s primary purpose seemed to be pulling information that’s freely available on the internet and incorporating a “tremendous amount of advertising.” The app didn’t directly claim to be affiliated with the US government, but took intentional advantage of search terms — they called it “scam-ish.”
“They might make thousands of dollars or tens of thousands of dollars just getting people to go off as keywords,” Eric Foster, a vice president at Stairwell, told FedScoop. “Lot of times we find that the government both isn’t great at branding, and then they aren’t great at protecting their brand the same way a lot of the corporations are.”
The researchers said that there’s evidence, based on their analysis of the app, that the developer was in Zambia. FedScoop reached out to the email address listed for the developer, but did not hear back by the time of publication.
Ads like the ones on the USA JOBS app could be a potential vector for malicious activity, the Stairwell researchers noted. The app could also collect personal information, both because it requires that users provide personal information to sign up for an account on the app, and because people may use their actual USAJOBS.gov login credentials when trying to log into the app.
“In reviews, people were saying they uploaded their resumes. So if you’re uploading your resume, that’s going to include contact information and your work history. That’s not something you would want to give away to just anyone,” Chris St. Meyers, Stairwell’s head of threat research, told FedScoop. “They’re not necessarily malicious intentions, but they’re not good. I don’t know what they’re doing with that information they collect.”
Similar, but more obviously malicious, sites are an ongoing challenge for the government. The Securities and Exchange Commission warned people on government employee retirement plans that they might be targeted by fraudsters back in 2017. Earlier this year, the United States Postal Service flagged to employees that cyber criminals were attempting to steal their information by creating fake sites. This issue has been an ongoing challenge for employees, according to unions representing these workers.
‘Hundreds’ of agency internet-connected devices found running in violation of recent CISA directive, cyber firm reports
Federal agencies are running hundreds of so-called networked management devices connected to the open internet — which must be taken offline as required by a new Cybersecurity and Infrastructure Security Agency directive — per a cyber threat-hunting company’s research.
On June 13, CISA issued a binding operational directive ordering civilian agencies to remove from the internet any “networked management devices,” making them accessible only from an internal network, or to deploy zero-trust capabilities into their network architecture so an agency administrator can enforce access controls separate from the interface. Agencies were required to do so within two weeks of notification of such devices being connected to the internet.
Censys — a cybersecurity firm that specializes in threat-hunting across devices connected to the internet — used its platform to analyze more than 50 federal civilian branch agencies’ publicly exposed devices that they use to manage networks from the internet. It found “hundreds of publicly exposed devices within the scope outlined in the [CISA] directive.”
“In the course of our research, we discovered nearly 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols such as SSH and TELNET. Among these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and many popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances,” Censys wrote in a blog post sharing its findings.
In the post, the company explained: “These internet-exposed devices have long been the low-hanging fruit for threat actors to gain unauthorized access to important assets, and it’s encouraging that the federal government is taking this step to proactively improve their overall security posture and those of their adjacent systems.”
Censys also found more than “15 instances of exposed remote access protocols such as FTP, SMB, NetBIOS, and SNMP” — protocols that the firm says “have a history of security vulnerabilities, and exposing them to the internet raises the risk of being targeted by threat actors trying to gain remote unauthorized access to government infrastructure” — and “[m]ultiple out-of-band remote server management devices such as Lantronix SLC console servers,” which CISA said in its directive “should never be directly accessible via the public internet.”
To help civilian agencies meet the requirements of the directive, CISA issued accompanying implementation guidance with additional background and commonly asked questions.
IRS advisory committee calls on agency to assess public awareness of existing free file tools
An Internal Revenue Service advisory committee has said the agency should evaluate the cost of expanding awareness of existing free tax filing programs before developing a new filing tool for taxpayers.
In a report published on Tuesday, the Electronic Tax Administration Advisory Committee (ETAAC) called on the tax authority to assess how much it would cost to improve public understanding of commonly used services run by the Free File Alliance, the Volunteer Income Tax Assistance program and the Tax Counseling for the Elderly.
The intervention comes as the Internal Revenue Service and the U.S. Digital Service work to develop a prototype free filing service, which is expected to be made available to certain taxpayers in January 2024.
ETAAC is an advisory committee that provides a public forum for the discussion of electronic tax administration issues. Last September the committee appointed eight new members including Deputy Chief Financial Officer and Tax Commissioner for the District of Columbia Keith Richardson and Code for America Senior Manager RaeAnn Pilarski.
In the new report, the committee cited previous work by the nonprofit MITRE Corp., which identified low participation rates in existing free filing programs and found a low level of awareness among consumers. In 2018, just 3 million out of nearly 104 million eligible taxpayers used a free file product to submit their federal income tax returns, according to the MITRE study.
The committee said: “ETAAC reiterates MITRE’s conclusion and joins in the recommendation that Congress appropriate funds to increase awareness of existing free filing options and encourages the IRS to make use of free electronic filing resources already at its disposal to promote greater adoption of Free File.”
It added: “ETAAC further recommends that the IRS work with the Free File Alliance and other software industry associations to continue enhancing the Free File program. This could include expanding eligibility (in terms of adjusted gross income) and communication and marketing opportunities for the program.”
Details of the IRS’s new prototype tax filing platform were first reported by the Washington Post as the Treasury in May delivered a report to Congress on the feasibility of building such a service. That study was carried out on behalf of the IRS by the nonprofit New America and was funded with $15 million included in the Inflation Reduction Act.
Other new recommendations from ETAAC include that the IRS make tax information documents digitally available in real time to allow easier use of third-party filing software, and that the agency prioritize and allocate funding for the modernization of IRS.gov and search engine optimization.
Congressional AI proponent Ted Lieu pushes back on ChatGPT restrictions placed by House administrative office
Rep. Ted Lieu, the California Democrat who’s a major proponent of artificial intelligence policymaking in Congress, pushed back against the House Chief Administrative Office’s new guardrails around the use of popular generative AI tool ChatGPT, telling FedScoop this week that congressional staff should be free to use AI tools for any purposes they see fit.
Earlier this week, Chief Administrative Officer Catherine L. Szpindor sent a memo to all House staff saying that offices are only authorized to use the paid version of the AI tool known as ChatGPT Plus, which has a $20-per-month subscription that “incorporates important privacy features that are necessary to protect House data.”
Furthermore, Szpindor highlighted that offices are allowed to use the chatbot for “research and evaluation only” and are “not authorized to incorporate it into regular workflow” or use it for any official purposes.
Lieu — a member of the House Artificial Intelligence Caucus and one of three members of Congress with a computer science degree — pushed back on the CAO’s new rules during an interview with FedScoop, saying he planned to reach out to the CAO with a number of questions on the decision.
“I don’t believe all this is [necessary]. I don’t understand why they’re making any statements about workflow. I think that’s something within the province of each member’s office, and each member can figure out how they want the workflow of their office to function,” Lieu told FedScoop during an interview on the subject of AI in Congress.
“And so if they’ve determined that ChatGPT is not a security threat, which it looks like they’ve determined that, then I think every office should use it as they deem fit,” he said.
FedScoop first reported in April that the House of Representatives’ digital service had obtained 40 licenses of ChatGPT Plus, the first publicized congressional use of the popular AI tool. House offices said they were using ChatGPT for generating constituent response drafts and press documents, summarizing large amounts of text in speeches, and drafting policy papers or, in some cases, bill language.
Earlier this year, Lieu introduced the first measure in Congress that was written entirely by ChatGPT with a nonbinding resolution on how to comprehensively regulate AI in Congress.
Similarly, he said he gives his staff immense freedom to use tech tools without restrictions.
“So I put an enormous amount of trust in my staff, and my staff can basically do whatever they want. So if they feel like looking something up on Google Bard they can do that. If they want to use ChatGPT to draft, do the first draft of a document [or policy], they can do that,” Lieu said.
The California congressman said his staff regularly uses ChatGPT for regular day-to-day purposes but wasn’t sure if they use the CAO-authorized ChatGPT Plus service. Lieu added that his staff would look into getting the paid version of the tool if they weren’t already using it.
The CAO’s ChatGPT guidance comes as lawmakers from both parties and in both chambers are rushing to craft legislation on how to regulate AI, including Senate Majority Leader Chuck Schumer, D-N.Y., and Lieu, who is pushing for a new bipartisan AI regulatory commission.
The House Chief Administrative Office said the memo is not enforceable by law but is intended to provide best practice guidance based on internal research and procedures.
“Our intent in providing this information on ChatGPT was to explain best practice guidance consistent with our approved processes and procedures,” a CAO spokesperson told FedScoop. “Our House Cyber team will study this closely and continue to advise offices on the appropriate use of emerging technology.”
The CAO memo regarding limits and restrictions on ChatGPT use in Congress was first reported by Axios.
Regulations to govern use of AI in health records could come later this year
The Office of the National Coordinator for Health Information Technology is leveraging its regulatory powers to mandate a “nutrition label” for artificial intelligence use in the electronic health record systems it vets.
While this proposed rule has received less attention, the inclusion of algorithms represents an important example of how Biden administration regulators are hoping to rein in AI. ONC wants to get that final rule out as soon as possible, “perhaps as early as later this year,” an ONC spokesman said in an email.
The proposal — the comment period closed earlier this month — would require electronic health record systems using predictive tools like AI and algorithms to provide users with information about how that technology works, including a description of the data it uses. That would add to a certification process already overseen by ONC.
“The idea is that you should have a standardized nutrition label for an algorithm,” Micky Tripathi, who leads the health IT division housed within the U.S. Department of Health and Human Services, said in an interview with FedScoop.
ONC’s certification program for health IT — which includes electronic health record technologies — is voluntary. It’s incentivized, however, by requirements that hospitals and physicians use certified systems when participating in certain Centers for Medicare and Medicaid Services payment programs.
While ONC hopes that more transparency will help avoid unintended consequences of algorithmic bias, the rule has received some pushback from medical professionals, health IT companies, and associations for both not going far enough and being too hard to comply with. The division will next review those comments and work on finalizing the rule.
The AI and algorithm requirements are part of ONC’s proposed rule titled “Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing” (HTI-1), which includes a variety of updates for the division’s Health IT Certification Program.
Specifically, the artificial intelligence portion of the rule would build upon its existing certification requirements for clinical decision support (CDS) systems by defining a new category for predictive tools, which includes AI and algorithms.
Artificial intelligence presents “a whole new dimension in this area of clinical decision support,” Tripathi said. There are things about AI that are “fundamentally different” and require ONC to again weigh in on how these technologies are incorporated into electronic health records systems, he explained.
ONC doesn’t want to be in the position of telling people they can’t use a particular algorithm, Tripathi said, which is why it’s pointing to transparency as a way to help people “navigate” the technology.
For example, Tripathi said, a user in San Juan, Puerto Rico, might learn that an algorithm in an electronic health record system was trained on data from the Mayo Clinic in Minnesota and question whether that would be appropriate for their patient population.
ONC’s emerging approach to AI regulation has won support from a variety of healthcare industry stakeholders, public comments revealed. For example, the College of American Pathologists — a nonprofit with thousands of members — has said that more information about the datasets AI systems are trained on would boost transparency, and also help pathologists with their “AI-related responsibilities.”
Ron Wyatt, the chief scientist and medical officer at the Society to Improve Diagnosis in Medicine, said the rule didn’t go far enough, and argued that the information that’s made available to “end users,” like health systems and patients, should also be shared in the public domain — so that it’s “exposed to the expert academic research and developer communities that now are sensitized” to the problems with using AI in healthcare.
Unsurprisingly, there’s also been pushback. The HIMSS Electronic Record Association, on behalf of 30 companies, has suggested that ONC’s requirements for “decision support interventions” would be hard for electronic health record developers to implement, since — they argue — these tools are often created by third parties.
The American College of Cardiology, a nonprofit association that credentials cardiovascular professionals, said the algorithms proposal was “overly broad,” could potentially cover “thousands of technology solutions utilized in health care,” and may also be confusing for clinicians dealing with software that’s defined differently by other agencies.
It’s not yet clear how ONC will incorporate this feedback. Still, the proposal and the feedback it received show the mounting effort to regulate AI across the Biden administration.
The Office of Science and Technology Policy, for example, has emphasized fighting algorithmic discrimination in the Blueprint for an AI Bill of Rights, which was released in October. The Department of Justice and the Department of Housing and Urban Development have looked at algorithmic bias in systems used to screen tenant applications. Senator Charles Schumer highlighted fighting bias in the SAFE Innovation Framework he introduced earlier this month.
ONC’s own work on artificial intelligence isn’t limited to the proposed rule. Separately, Tripathi said the ONC is working on the department’s broader efforts to develop AI regulatory strategies and is exploring how to make sure a type of application programming interface (API) used for healthcare interoperability — known as Fast Healthcare Interoperability Resources (FHIR) — is able to interact with AI.
“As ONC, and as the HHS, and as the federal government, we want to balance the ability to allow us to continue to have innovation in a really — what we recognize is — a really important space that could offer tremendous benefit at the end of the day,” Tripathi said.
OPM launches federal intern experience program
The Office of Personnel Management has launched a new program to standardize and improve the quality of internships offered by agencies across federal government.
In a missive sent to government chief human capital officers on Tuesday, the agency said it had created the scheme to offer the training, information and support needed to support early career talent.
As part of the program, interns working at federal agencies will have access to mentoring, executive speakers, self-directed training and a new intern hub.
OPM’s launch of the program is intended to support the “strengthening and empowering the federal workforce” priority included in the Biden administration’s President’s Management Agenda.
In a final iteration of the latest President’s Management Agenda, which was published in September, the Biden administration set out three broad questions: How can the federal government strengthen and empower its workforce to best serve the American people? How can the federal government deliver programs and services that build trust? What can federal government do to advance equity and support underserved communities?
Central to the Biden administration’s core priorities of improved service delivery and equity is the need to ensure that each government agency has an appropriately skilled workforce and talent pipeline.
The administration has launched schemes including cybersecurity internships and apprenticeships at differing federal agencies in an attempt to kickstart recruitment.
In November, the Department of Labor and the Department of Veterans Affairs were among the departments to hire cybersecurity apprentices as a result of a 120-day cybersecurity sprint program led by the White House.
On his first day in office in January 2021, President Biden signed an executive order mandating that the federal government pursue a “comprehensive approach” to advancing equity for all, including for people of color and those who have historically been marginalized.
Watchdog says counterterrorism information sharing system needs program manager
An interagency counterterrorism information-sharing system that was established after 9/11 needs to appoint a program manager, according to the Government Accountability Office.
In an audit published Monday, the congressional watchdog said that the information and technology-sharing initiative known as the Information Sharing Environment (ISE) has not had a program manager since 2017.
GAO said: “Without assessments from a program manager or other designated entity, the impact of agencies’ ISE-related efforts on completing the open priority objectives is unknown. Consequently, it remains unclear how much work remains for the ISE implementation plan overall.”
According to the watchdog, following the resignation of the system’s program manager in 2017, functions of the program manager’s office were redistributed to other offices within the Office of the Director of National Intelligence.
The Federal Information Sharing Environment is a platform that was established following recommendations of the 9/11 Commission to improve the sharing of law enforcement information between federal, state and local, and private sector entities through the use of standardized policies and technology systems.
In its report, GAO noted that conflicting statutory provisions have played a role in delaying the appointment of a new program manager.
The system is one of several technology platforms used by the Department of Homeland Security, the Department of Justice and the Office of the Director of National Intelligence to share terrorism-related information with non-federal and private sector partners.
In April last year, DHS announced that it would replace its well-known information-sharing portal, the Homeland Security Information Network. This is the agency’s platform for sharing sensitive but unclassified information with federal, state, local, territorial, tribal, international, and private sector entities.
CISA issues updated cloud security resources for federal agencies
The Cybersecurity and Infrastructure Security Agency has published final cloud cybersecurity guidance for U.S. government agencies as part of its Secure Cloud Business Applications Project.
With the project, the federal cybersecurity agency has issued an extensible visibility reference framework guidebook and a technical reference architecture document, which it says will help public and private entities implement cloud cybersecurity best practices.
The fresh guidance comes after CISA in October issued recommended Microsoft 365 security configuration baselines for use in cloud security pilots by federal agencies and for public comment.
CISA’s Secure Cloud Business Applications project is focused on helping to protect sensitive information by providing agencies with minimum system specifications they must adhere to.
According to the agency, the technical reference architecture document is focused on helping government agencies to adopt technology for cloud deployment, adaptable solutions and zero-trust frameworks.
Commenting on the new documentation, CISA Executive Assistant Director for Cybersecurity Eric Goldstein said: “As evidenced by supply chain compromises and associated cyber threat campaigns, persistent threat actors continue to evolve their capabilities with the intent to compromise federal government networks and critical infrastructure, whether in on-premises or cloud-based environments.”
“The final eVRF and TRA provide all organizations, including federal agencies, with adaptable, flexible, and timely guidance. These resources will help organizations address cybersecurity and visibility gaps that have long hampered our collective ability to adequately understand and manage cyber risk,” he said.
Last month, a report issued by the Government Accountability Office found that four federal agencies were not fully implementing requirements set out in the Federal Risk and Authorization Management Program.
Despite the decade-old mandate that agencies use FedRAMP to ensure services meet federal cloud security standards, the four departments — Treasury, Labor, Homeland Security and Agriculture — inconsistently implemented the program’s requirements, according to the audit.
Years later, the Marshals Service is still looking for help with seized crypto
Amid a surging number of criminal convictions involving cryptocurrency, the U.S. Marshals Service has been tasked with managing and disposing of bitcoin and other digital assets. Like other seized property, the law enforcement agency is in charge of taking custody of crypto through the Department of Justice’s Asset Forfeiture Program — and even periodically auctioning it off.
But, at least from a software perspective, keeping track of crypto is a lot harder than selling a Chagall. For that reason, the law enforcement agency has spent the past few years trying to hire a private tech company to help. But despite settling on contracts with crypto companies, at least two agreements appear to have fallen through. Today, the Marshals Service is still maintaining seized crypto on its own.
“As the seizure and forfeiture of cryptocurrency has become commonplace, the USMS has sought to create a contract with private industry, just as it does with nearly all other asset types,” a spokesperson for the DOJ’s Asset Forfeiture Division told FedScoop. “Currently there is no private company that manages USMS’s cryptocurrency portfolio.”
The search for a contractor started several years ago, when the US Marshals Service requested information from companies about the prospect of managing the agency’s cryptocurrency. In April 2021, a company called BitGo, a crypto security company based in California, won a $4.5 million contract.
But, then, BitGo lost the agreement a few months after the Small Business Administration flagged the company as being too big to meet the contract eligibility. (Back in May, a company called Galaxy Digital had announced it planned to spend $1.2 billion to acquire BitGo, though the deal fell apart afterward.) In July, the Marshals Service hired another company, Anchorage Digital, which is based in San Francisco and also offers cryptocurrency holding services.
Now, though, the Anchorage Digital contract also appears to have collapsed. As with the BitGo contract, the federal procurement data system shows that a Marshals Service contract with Anchor Labs was “terminate[d] for convenience.” Anchorage Digital is a subsidiary of Anchor Labs, according to its website. The company appears to have taken down a Medium post touting the agreement.
“Both awards were subsequently stayed pending the outcome of protests filed with the U.S. Small Business Administration (SBA), challenging the companies’ business size,” the USMS spokesperson told FedScoop. “Ultimately, SBA determined that both companies were other than small business.”
The company did not respond to a request for comment, though it’s worth noting that the Comptroller of the Currency issued a consent order against the company, which has an OCC banking charter, in 2022. The Small Business Administration did not provide a comment by the time of publication.
“Not all cryptocurrency seized for forfeiture by the federal government is transferred to the USMS for custody and liquidation,” added the DOJ spokesperson. “The USMS utilizes the best practices and services of private industry to most effectively and securely manage and liquidate all assets in its custody.”
The USMS has struggled with handling crypto, as a DOJ Office of Inspector General report highlighted last summer. At the time of the report’s publication, the Marshals Service was using multiple spreadsheets to manage its crypto, primarily because digital assets like bitcoin aren’t easily tracked in a DOJ property management program called the Consolidated Asset Tracking System (CATS).
These documents, according to the inspector general, don’t have “inventory management controls” and “documented operating procedures.” Policies for handling, storing, and valuing crypto are also “inadequate or absent, and in some instances provide conflicting guidance.”
“The USMS’s supplemental spreadsheets do not have the capability to track edits made to the cryptocurrency entries in the USMS’s inventory records,” warned the inspector general. “As a result, these inventory records could be edited or deleted without a record of such a change being made and without the knowledge of individuals responsible for maintaining the spreadsheets.”
In some circumstances, the Marshals Service was “not fully complying” with rules for tracking crypto in CATS, the report added.
The inspector general also said that the Marshals Service needs to develop more fleshed-out crypto policies before beginning work with a private company, cautioning that “without properly documented policies and procedures, the USMS lacks an adequate foundation for building performance requirements for a cryptocurrency services contract.”