Aspen Institute study finds women make up just 24% of cybersecurity workforce
Women make up just 24% of the cybersecurity workforce, according to new research into the demographics of the technology industry by the Aspen Institute.
The study also identified low representation of minority groups within the sector. Hispanic, African American, Asian and American Indian/Native Alaskan workers made up 4%, 9%, 8% and 1% of the workforce respectively.
The publication of Aspen’s research comes amid a push from senior technology leaders at federal agencies to expand the government’s technology talent base and to create a more diverse pipeline of new recruits.
Late last month, General Services Administration leader Robin Carnahan in a speech called on women working in tech to consider a career in public service, and described the current gender balance of technologists working in government as “not good enough.”
Women currently make up less than one-quarter of all technologists working in the federal government.
In June, the Biden administration issued an executive order intended to boost diversity within the federal government.
As part of this, agencies are required to work with education institutions that specialize in cybersecurity to advance opportunities for groups that previously have faced employment discrimination, including people of color, women, and individuals with disabilities.
The order mandates that all agencies assess the current state of diversity, equity, inclusion and accessibility within their workforces and that they develop plans to eliminate any barriers to success faced by underserved employees. It directs agencies to seek opportunities to establish or elevate chief diversity officers within their organizations.
Army’s first phase of unified network ‘18-24’ months away
The Army anticipates that it will take 18-24 months to launch its new Unified Network Plan, a framework for combining network support for everything from waging war to streamlining back-office business operations.
The timeline was spelled out in broad terms by Lt. Gen. John Morrison, the deputy chief of staff, G-6. He added that one milestone within that timeline is finishing an implementation plan within the next two months, which will provide more detail on anticipated progress. The strategy relies on building out common services, like a common data fabric and a global transport layer, that will unify the Army’s disparate networks.
“Unified Network is not ‘a thing,’ it’s not a new program of record … it’s a new operations framework,” Morrison said during a panel at the Association of the U.S. Army Annual Meeting and Exposition.
The concept is “completely nested” within the broader DOD framework of building Joint All Domain Command and Control (JADC2), a strategy to allow the military to use data from any point on the battlefield in operations.
Phase one of implementing the unified network approach includes building a security architecture based on zero-trust principles, expanding the Secret Internet Protocol Router Network (SIPRnet) and using software-defined 5G networks to increase bandwidth.
As the Army builds out those systems, Morrison said it will take a testing-heavy approach that will aim to get new tech into the hands of operators to get their feedback.
“The mindset is we are going to build from the edge back,” he said.
One of the first points of contact the Army will push the new tech to is its Multi Domain Task Force (MDTF) at Joint Base Lewis-McChord, in Washington. The task force is building a new multi-domain operations center that is being designed to use a unified network as a means to ingest as much data as possible.
“Best way to build out this enterprise is get it into an operational environment,” Morrison said.
CISA issues third TIC use case covering remote users
A finalized Trusted Internet Connections 3.0 use case, defining how network and multi-boundary security should be applied when agencies permit remote users, was released by the Cybersecurity and Infrastructure Security Agency on Thursday.
The document provides guidance on how agencies can configure data flows and apply TIC capabilities across three network security patterns: secure remote user access to a campus, agency-sanctioned cloud service providers, or the internet.
Originally released in April 2020 as Interim Telework Guidance, in response to vendor requests for help supporting agencies during the pandemic, the finalized use case aims to protect against cyberthreats that arise when users access resources from outside network boundaries.
“The Remote User Use Case helps agencies preserve security while they gain application performance (e.g., latency, throughput, jitter, etc.); reduce costs through reduction of private links; and improve user experience by facilitating remote user connections to agency-sanctioned cloud services and internal agency services as well as supporting additional options for agency deployment,” reads the document. “This use case is also intended to support policy enforcement parity for devices and connectivity options.”
More than 70 agencies, companies and trade organizations weighed in on the document.
Agencies may implement a subset of the three network security patterns or additional ones from a different use case. The other two available are the Traditional TIC and Branch Office use cases.
The document is intended to be used alongside the updated Security Capabilities Catalog and TIC overlays applicable to service providers. The Pilot Process Handbook was also finalized.
Zero trust and partner research and development use cases might also come in 2021, with infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), platform-as-a-service (PaaS) and email use cases already planned.
CISA is also working to finalize IPv6 Considerations for TIC 3.0 guidance, given the expanded cyberthreat landscape it presents. The draft version remains open for public comment through Friday.
Government tech contractors that conceal cyber breaches could be forced to pay triple damages
Technology contractors that fail to disclose cybersecurity breaches could face hefty fines of up to three times the amount their failure costs the government, under a prosecution push by the Department of Justice (DOJ).
The DOJ last week announced a new Cyber-Civil Fraud Initiative, under which it intends to use the False Claims Act (FCA) to pursue contractors working with federal government agencies — as well as recipients of federal grants — that fail to report incidents in which their systems are compromised.
The FCA was first enacted in 1863 in response to defense contractor fraud during the American Civil War. It was amended in 1986 to increase incentives for whistleblowers to come forward with allegations of fraud.
Under the FCA, any person who submits false records to the government can be forced to pay triple the damages caused to the government by the fraudulent contract submissions. The offending entity can also be hit with a civil penalty of up to $10,000 per violation.
Technology companies working with certain government departments are already subject to strict disclosure requirements around cybersecurity breaches. For example, Section 204.7302 of the Defense Federal Acquisition Regulation Supplement (DFARS) requires companies to “rapidly report cyber incidents directly to the Department of Defense (DOD).” The DOD defines “rapidly report” as within 72 hours of discovery.
In a press release announcing the new initiative last week, the DOJ said it would seek to hold “contractors and grantees to their commitments to protect government information and infrastructure.” The initiative comes as lawmakers consider new measures to ramp up pressure on private sector companies and government agencies to ensure timely disclosure of cyber breaches.
Legal sources speaking to FedScoop said it remains unclear just how aggressive the DOJ’s new enforcement campaign will be and precisely how penalties for a company’s failure to notify would be assessed.
The False Claims Act imposes a separate penalty for each violation of the statute, which can add up to tens of thousands – or in some cases millions – of dollars.
In March this year a federal appeals court affirmed a $111 million award to the government and a whistleblower in a case brought against BlueWave Healthcare Consultants. The complaint alleged that the defendants paid kickbacks to induce physicians to order medically unnecessary tests, which were ultimately paid for by Medicare and Tricare.
The Cyber-Civil Fraud Initiative is being led by the Civil Division’s Commercial Litigation Branch, Fraud Section, at the DOJ. It is a direct result of the department’s ongoing comprehensive cyber review, which was ordered by Deputy Attorney General Lisa Monaco in May.
Congress is currently considering the Cyber Incident Reporting Act and the Federal Information Security Modernization Act of 2021.
OMB provides agencies with guidance on accelerating endpoint detection and response
Agencies have 90 days to provide Cybersecurity and Infrastructure Security Agency personnel and contractors access to existing endpoint detection and response (EDR) deployments or identify future state options, according to a Friday memo.
The Office of Management and Budget issued the memo to accelerate governmentwide adoption of EDR solutions, which combine real-time continuous monitoring with data collection from endpoints like workstations, cellphones and servers for rules-based automated response to and analysis of increasingly sophisticated cyberthreats.
EDR is an essential component of zero-trust architecture, which the Biden administration required agencies to begin implementing in its cybersecurity executive order issued in May.
Polymorphic malware, advanced persistent threats and phishing necessitate a centralized EDR initiative led by CISA, according to the memo. Granting CISA access to existing EDR solutions allows for proactive threat hunting.
CISA has 90 days to develop a continuous performance monitoring process and coordinate with the Chief Information Officer Council on both recommendations for accelerating EDR adoption and publishing a technical reference architecture and maturity model. CISA and the council have 180 days to release a playbook on best practices for EDR solution deployments.
Meanwhile agencies have 120 days to conduct an analysis with CISA of their EDR capabilities and any gaps, before coordinating on deployments in accordance with the technical reference architecture. The memo requires they work with their chief financial officers and the OMB Resource Management Office to ensure proper resources and staffing for EDR tools, licenses and updates.
Agencies must also ensure endpoint data is consolidated, retained and archived for analysis in accordance with the technical reference architecture and that their solutions comply with privacy and statistical laws.
Army delays update to its largest HR system
The Army is delaying the launch of its largest digital human resources IT system after tests showed issues with its data transfer, among other things, the Army said in a release.
The Integrated Personnel Pay System-Army (IPPS-A) will have its third release moved from December 2021 to September 2022, according to the Army. The latest release would have expanded the userbase to all active and reserve components of the Army and added new capabilities to the system.
“The stress tests revealed some interface and data-integration challenges, and we determined additional time will be needed to correct data-transfer issues and resolve software defects. The testing phase is working as designed by identifying issues that need to be addressed before going forward. IPPS-A is a giant leap forward and we are going to get it right,” said Col. Rebecca Eggers, IPPS-A functional management division chief.
Army leaders have stressed the need for a modern talent management system, saying the Army struggles to retain soldiers because of its antiquated system. Other systems the Department of Defense has created to try to improve HR include an Army program for guaranteed career paths and an Uber-like app that matches reservists called up for assignments with the specialized skills they might have.
The Army also released an app on the Apple App Store that aims to allow users to log into the system to view their records, but that will not be possible until the third release of the IPPS-A system is tested and finished.
The IPPS-A system is the Army’s “No. 1 human resources modernization effort” and is being built to replace the current paper-based system that the Army says contributes to errors in pay and personnel records management. The tech is expected to give soldiers access to their personnel records and even integrate self-service functions into the system.
“We must make sure that IPPS-A is a thoroughly tested and high-quality product when delivered to Soldiers, HR professionals and leaders,” Lt. Gen. Gary Brito, deputy chief of staff, G-1, said in a release. “We are fully committed to delivering IPPS-A across all three components, meeting the needs of our Soldiers and the Army of the future with a 21st-century talent management system.”
IPPS-A is built on Oracle PeopleSoft, according to the system’s website. It first launched for just the Army National Guard in January 2019.
“Our focus remains on training, testing the system, and preparing our Soldiers,” said Eggers. “Units need to use this time to refine the required steps for full go-live preparation and maximum support of our Soldiers.”
OMB looks to hire federal chief statistician again
The Office of Management and Budget reposted a job announcement for the federal chief statistician — a position that’s been vacant almost two years — to USAJobs.gov on Thursday.
As leader of the Federal Statistical System, the chief statistician chairs a number of committees, facilitates discussions on governmentwide data standards, serves as the U.S. statistical representative in international forums like the U.N., and drives implementation of the Foundations for Evidence-Based Policymaking Act.
OMB tried and failed to fill the opening left by Nancy Potok in January 2020, even conducting interviews before removing the initial job posting, and the agency has missed deadlines for two Evidence Act regulatory actions as a result.
“All of those regulatory actions are behind schedule,” Nick Hart, president of the Data Foundation, told FedScoop. “The chief statistician role is one of the most important roles for the federal data infrastructure.”
OMB did not respond to multiple requests for comment.
Even if a chief statistician is eventually hired, the process will take months, Hart said.
In the absence of a chief statistician, other people have stepped in to chair the Advisory Committee on Data for Evidence Building and the Equitable Data Working Group in an acting capacity. But “major gaps” have emerged in the federal data infrastructure and discussions around race and ethnicity data standards have suffered, Hart said.
OMB missed the Evidence Act deadline to promulgate the Presumption of Accessibility regulation by Jan. 14, 2020, though it’s on the regulatory agenda for October. Under the rule, OMB is to require the timely provision of data assets, identify legal exemptions, establish standards compliant with the Privacy Act and establish a transparent request process.
The agency also missed the Jan. 14, 2020, deadline to promulgate the Responsibilities of Statistical Agencies regulation, which covers the timely dissemination of information, the accuracy and objectivity of statistical activities, and preserving public trust through the confidential and exclusively statistical use of responses. While the Biden administration added the rule to the regulatory agenda for July, it has yet to be handled.
A chief statistician would normally be driving such efforts.
“For all of the really important things that the chief statistician does for the United States, it’s not a sufficiently senior role within the White House organizational structure today,” Hart said.
The role is at the level of branch chief, when it should probably be elevated one level up to a deputy associate director, he added.
OMB Director Shalanda Young could make that change, which would likely encourage more qualified candidates to apply for the job.
“It definitely needs a strong leader with some experience, both in government but also working with data issues,” Hart said. “There are probably a lot of people who are eminently qualified for that role.”
JAIC chief wants AI progress to be ‘slow and incremental’
The Department of Defense’s Joint Artificial Intelligence Center is looking to field AI across the military slowly, so products can be broadly usable across combatant commands, the center’s director said Friday.
That mindset appears to be different from some innovative upstart organizations within the government that have emphasized the private-sector mentality of speed and agility in finding solutions to pressing challenges. Growth for the center’s AI tools will come from solutions to common challenges that senior leaders across the military face, JAIC Director Lt. Gen. Michael Groen said during the Billington Cybersecurity Summit.
Groen said the JAIC is “fielding through slow, incremental progress” with the hope that trusted applications can be useful across combatant commands.
“If we build an application for one combatant command, well, then we have the ability to do that horizontally,” Groen added. “Their problems are very similar.” By that, he means the JAIC will find solid solutions that can be applied across different combatant commands that face similar problems.
The goal of working slowly is to build both quality products and trust among leaders that will form the core of the JAIC’s customer base.
Eventually, the JAIC hopes to create its own app store of sorts, with catalogs of algorithms trained and ready to be applied to new data.
“We will actually start to build a library, an App Store if you will,” Groen said.
The technology behind that library is the Joint Common Foundation, a tech development stack the JAIC is building with contractors as the central repository for code, data and products.
The JAIC has been through two major strategy evolutions. It first stood up as a product-focused office, building AI tools tailor-made for specific problem sets. Then, when Groen took over the JAIC in October 2020, he soon declared a “JAIC 2.0” strategy that turned the center into an AI “enabling” force, working throughout the DOD to find ways to field AI by coordinating with other tech-focused offices.
The latest program to help the DOD field AI tools came with the deputy secretary of defense’s launch of the AI and Data Initiative (ADA), which is sending AI and data experts to combatant commands to identify technical gaps and areas where AI can help.
Groen added that as the JAIC builds its AI tools, its work is rooted in a foundation of ethical principles.
“We have our feet really firmly grounded in a responsible AI ecosystem,” he said.
His comments come after the JAIC’s head of responsible AI recently departed. The office is looking for a replacement, according to a job posting.
CDM program evolving to help agencies make sense of their data
The Continuous Diagnostics and Mitigation (CDM) program began emphasizing vulnerability detection and response because agencies altered their network architectures to accommodate increased remote work during the pandemic, according to the head of the program.
Employees connecting to federal networks remotely, often via unsanctioned internet connections, altered the cyberattack surface for agencies — forcing the CDM program to evolve.
CDM helps agencies understand what’s happening on their networks in near-real-time by implementing tools that feed data to dashboards for proactive risk management. But lately, those dashboards have flagged more vulnerabilities than understaffed agencies can readily fix.
“We have to figure out a way to almost direct our stakeholders on what they need to do, instead of just letting them drown in the data because there’s just too much out there,” said Richard Grabowski, CDM acting program manager within the Cybersecurity and Infrastructure Security Agency, during the Billington CyberSecurity Summit on Thursday.
Adversaries have learned to flood agencies with data so they miss threats, which means better CDM tools are needed to cut through the noise. And threat intelligence needs to go beyond Internet Protocol addresses and pings to identifying threat actors, what they’re attempting to accomplish and the information they’re sharing, said Gilman Louie, CEO of LookingGlass.
Recent CDM discussions around threat hunting aren’t enough.
“The authorities are also going to need to expand if we’re going to have an effective program,” Louie said. “The authorities in which CDM operates are good authorities, but they’re not broad enough to actually execute the mission going forward.”
CDM has started correlating information from its vulnerability management capability with threat reports to reveal what’s actually being exploited and sharing the results in a report to agencies. That allows them to perform triage based on real-world factors.
Figuring out threats and vulnerabilities should be a shared responsibility for agencies and CISA, Grabowski said.
“That’s a model for how we can try to make this more poignant for agencies,” he said.
An exploit prediction scoring system complements information on the severity of vulnerabilities with the likelihood that a given one will be exploited by a threat actor, but such a system depends on information sharing.
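The correlation the CDM program describes (scanner severity combined with exploitation intelligence so that what is actually being exploited floats to the top of the triage queue) is easy to show in code. The following is an added example and is not CISA or CDM code; the scanner findings, the EPSS-style exploitation probabilities, the known-exploited set, the host names and the placeholder CVE identifiers are all constructed for illustration, and the weighting used in `risk_score` is an assumption rather than any published standard.

```python
"""Risk-based vulnerability triage.

Correlates scanner findings with two kinds of threat intelligence:
  1. a probability that each CVE will be exploited soon (EPSS-style), and
  2. a set of CVEs reported as exploited in the wild,
then ranks findings by combined risk instead of CVSS severity alone.

Added example, not CISA/CDM code. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float      # base severity 0-10, as reported by the scanner
    exposed: bool    # True if the affected service is internet-reachable


# Constructed scanner output. The CVE identifiers are placeholders.
SCAN_FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 9.8, True),
    Finding("web-01", "CVE-0000-0002", 7.5, True),
    Finding("db-03",  "CVE-0000-0003", 9.1, False),
    Finding("hr-12",  "CVE-0000-0004", 5.3, False),
    Finding("hr-12",  "CVE-0000-0005", 6.1, False),
]

# Constructed intelligence: probability of exploitation in the near term
# (an EPSS-style score in [0, 1]) and CVEs confirmed exploited in the wild.
EXPLOIT_PROBABILITY = {
    "CVE-0000-0001": 0.02,
    "CVE-0000-0002": 0.91,
    "CVE-0000-0003": 0.10,
    "CVE-0000-0004": 0.88,
    "CVE-0000-0005": 0.01,
}
KNOWN_EXPLOITED = {"CVE-0000-0002", "CVE-0000-0004"}


def risk_score(f: Finding) -> float:
    """Severity x likelihood x exposure.

    A CVE with confirmed in-the-wild exploitation is treated as certain to
    be exploited (likelihood 1.0), overriding the predicted probability.
    Internet-exposed services get a 1.5x multiplier because the attacker
    needs no prior foothold. Both weights are illustrative assumptions.
    """
    likelihood = 1.0 if f.cve in KNOWN_EXPLOITED else EXPLOIT_PROBABILITY.get(f.cve, 0.0)
    exposure = 1.5 if f.exposed else 1.0
    return round(f.cvss * likelihood * exposure, 2)


def triage(findings):
    """Findings ordered by descending combined risk."""
    return sorted(findings, key=risk_score, reverse=True)


def top_n(findings, n=3):
    """(host, cve, risk) for the n highest-risk findings."""
    return [(f.host, f.cve, risk_score(f)) for f in triage(findings)[:n]]


def severity_only(findings, n=3):
    """The ordering a CVSS-only dashboard would show, for contrast."""
    ranked = sorted(findings, key=lambda f: f.cvss, reverse=True)
    return [(f.host, f.cve) for f in ranked[:n]]


if __name__ == "__main__":
    print("CVSS-only order :", severity_only(SCAN_FINDINGS))
    print("Risk-based order:", top_n(SCAN_FINDINGS))
```

On this constructed data the CVSS-only view puts the 9.8 and 9.1 findings first, while the correlated view puts the two known-exploited CVEs first even though one of them is only a 5.3; that reordering is the point of feeding threat reports back into the vulnerability dashboard, and it only works if the exploitation feeds are actually shared with the people doing the triage.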
Such capabilities need to be deployed much faster than they are, said Michael Daniel, president and CEO of the Cyber Threat Alliance.
For that, cybersecurity must become an enterprise service. Small agencies and commissions don’t have the resources and shouldn’t be expected to do their own cyber, Daniel said.
“We don’t have every agency run its own payroll; we have seven payroll providers across the federal government, and the agencies have to pick which payroll provider they want to use,” he said. “Much more of the cybersecurity needs to be centrally provisioned across the federal government from a few of the larger, more sophisticated agencies.”
Army CDO pushes tech companies to be more interoperable with one another
The Army wants contractors to offer tech that is interoperable with other parts of industry in order for it to meet data and cybersecurity goals.
This message comes from Army Chief Data Officer David Markowitz, who said that to achieve its new requirements like zero-trust security, industry needs to follow new guidelines that allow technology from different companies to work together.
That’s a departure from the competitive business practices that often lead to “vendor lock-in,” where a contractor’s technology works only with other systems it owns or approves of, limiting the government’s ability to consider new solutions on the market.
“It would be very helpful for industry to be interoperable with itself,” Markowitz said during the Billington Cybersecurity Summit.
To support its interoperability, the Army is working on an enterprise Application Programming Interface (API) that allows different systems to communicate with each other.
Having industry interoperability and an enterprise API would bring the service closer to implementing the recent cybersecurity executive order mandating agencies move toward zero-trust network architecture. With its current patchwork of systems and data management tools, the Army is “still struggling” to implement new cybersecurity mandates, Markowitz said.
“We are looking to industry … and we would really like a good price,” he said.
Markowitz added that if industry builds interoperability into its systems, the Army can also rethink how it can license tech from industry. If systems work together across companies, the Army would not need to buy entire suites of systems but instead license specific tools that could work across systems.
“We could mix and match with what we think is best,” he said.