SOCOM wants to prioritize stronger communications encryption

U.S. Special Operations Command, the elite group that undertakes some of the military’s most sensitive and high-stakes operations, is prioritizing finding technology to improve the encryption of its communications, its commander said Thursday.

“I personally changed our modernization priorities and restructured our funding to modernize those capabilities,” SOCOM Commander Gen. Richard Clarke told the Senate Armed Services Committee during a hearing about the need for stronger encryption as quantum computing emerges as a threat to traditional security measures.

For the past two decades, SOCOM has mostly focused on fighting non-state actors with limited tech. But as the entire military pivots to great power competition, it’s expected that strategic competitors like China and Russia will bring more-advanced cybersecurity and technology means to any fight.

During Thursday’s Senate hearing Clarke did not mention any particular new electronic warfare or encryption tools, just saying they broadly would be used to hide his operators’ movements from enemies.

“We also have to have encrypted communications and electronic warfare capabilities so that our forces…reduce the probability of them to be targeted,” he told lawmakers.

As quantum computers become more readily available, the concern is that they will be able to guess passwords and break through the layers of security in current communications technology. Other military agencies like the Defense Information Systems Agency also announced research into quantum-proof encryption.

Other new priorities for the command are “data and data management,” Clarke added. SOCOM has been a leader in testing new artificial intelligence capabilities, like predictive maintenance for its helicopters. The command has touted itself as being a sort of beta tester or “pathfinder” for AI tech the DOD can possibly use at scale.

 

Tackling two challenges every agency faces getting to the cloud

Dave Levy leads the U.S. government, nonprofit and healthcare businesses at Amazon Web Services (AWS). Prior to joining AWS in 2017, he led Apple’s U.S. government business. He also serves as Chair of the Space and Procurement council for the U.S. Chamber of Commerce, on the boards for the Professional Services Council and Fairview Medical, and on the Innovation and Research Board for Children’s National Medical Center in Washington, D.C.

Part of successful leadership starts with listening. Just prior to the pandemic, I set out on a 100-day listening tour to hear directly from federal agencies about their aspirations, their challenges and what would make a difference in accomplishing their missions. Two themes repeatedly emerged.

First was the challenge of keeping up with so many transformational technologies, such as machine learning, flexible databases and computing at the edge. Second was the ongoing imperative to train and empower federal workforces — and get them and their agency partners foundationally grounded in cloud and emerging technologies.

The world of cloud computing has grown explosively in the 15 years since Amazon launched its Simple Storage Service and Elastic Compute Cloud. It’s not just the massive amount of cloud infrastructure that’s been built; it’s also the accumulated development of high-performing, rapidly-deployable services now available to enterprises.

However, many organizations, including most federal agencies, lack the know-how, skill and experience to take fuller and faster advantage of the cloud’s evolving capabilities.

To help our customers stay ahead of the technology learning curve,  Amazon Web Services (AWS) is committed to putting our unrivaled experience, expertise and innovation to work to help agencies and their partners better understand the art of the possible with cloud computing. We’re also committed to helping our customers train and expand a new generation of employees who can use those skills to innovate faster and improve the delivery of their missions.

The power of experience

On the first front, it is our hard-earned belief that there is no compression algorithm for experience in cloud computing. AWS was born not only out of the wellspring of clever engineering, but from the more fundamental desire to develop services that make sense for our customers — either by building for them, inventing with them, or inventing on their behalf.

This proven experience is why government agencies trust AWS to handle their most sensitive workloads. We offer federal government customers two AWS GovCloud (US) Regions, designed to allow U.S. government agencies and contractors to move sensitive workloads to the cloud by addressing their specific regulatory and compliance requirements. Many regulated industries, including the defense industrial base, have also put their confidence in AWS GovCloud (US). AWS GovCloud (US) helps federal and state government agencies manage and analyze vast amounts of data securely — from sensitive patient medical information to export trade data to “controlled unclassified information” (a.k.a. Impact Level 5) data at the Department of Defense.

AWS continues to lead the way in developing, or co-developing, new and innovative cloud-based products and services — much of which can be seen in action at our AWS re:Invent and government sector events. Our team is driving advances in everything from the latest in Kubernetes containers; to high-performance flexible databases; to our pioneering work in AI — from the machine learning layer to cognitive applications like Alexa. We’re also bringing greater compute and storage capabilities to the edge, with devices like AWS Snowball, which promises to revolutionize the types of IT services available to our nation’s warfighters and the global government workforce.

Just as important as having the broadest and deepest assortment of on-demand IT and data management services is AWS’s wealth of experience. Our experts continue to bring that experience to federal agencies, to help them experiment, iterate and innovate with cloud solutions and do so quickly and effectively.

The need for training

We’re also committed to expanding the availability of cloud technology training. We want to make sure the barriers are as low as possible for our customers and our partners to access the cloud services they need. That’s why, at re:Invent 2020, we announced that by 2025 AWS will help 29 million people globally grow their technical skills with free cloud computing skills training.

Our commitment to training drove us to develop a large organization dedicated to providing training and certification tailored for the U.S. government. We’re continuing to expand a cafeteria-style curriculum to meet a variety of skill levels and learning goals that support agencies and their workforces.

As cloud computing becomes more ubiquitous, it’s easy to lose sight of the fact that the potential of the cloud is not in the technology or apps themselves; it’s in how the cloud is harnessed and utilized to help organizations fulfill their missions more effectively. AWS stands ready to help federal agencies and their partners by leveraging our unrivaled experience to support workforce development and mission delivery.

Learn how AWS can help your agency capitalize on today’s cloud or contact us at AWS Public Sector.

Read more insights from AWS leaders on how agencies are using the power of the cloud to innovate.

Tech industry requests TMF process updates to fast-track COVID-19 and SolarWinds recovery projects

Tech companies called on the government to revise its process for doling out the Technology Modernization Fund, now that it’s received $1 billion for urgent IT and cybersecurity projects, in a letter Wednesday.

The Alliance for Digital Innovation and nine other tech associations sent the letter to the Office of Management and Budget and the General Services Administration asking that TMF projects be proactively funded and repayment requirements for agencies loosened.

Tens of millions of dollars remained unspent in the TMF when lawmakers appropriated a record $1 billion in the American Rescue Plan Act earlier this month, which has agencies and industry worried the money won’t be spent quickly on critical COVID-19 and SolarWinds recovery projects.

“You can’t have OMB and GSA just sit around and wait for agencies’ projects,” Matthew Cornelius, executive director of ADI, told FedScoop. “You have to be proactive about identifying areas you want to invest in, and then find the best way to do that.”

Tech companies had no trouble identifying five TMF investment opportunities in their letter: federal operations, citizen services, remote work, cybersecurity shared services, and secure cloud adoption.

The pandemic has highlighted government’s struggles with identity management, while the SolarWinds hack that left at least nine agencies compromised emphasized a greater need for vulnerability management and secure remote work capabilities, Cornelius said. Collaboration tools, secure data sharing and data analytics platforms are also in high demand.

GSA should immediately tap its army of tech and acquisition professionals inside the Technology Transformation Services‘ Centers of Excellence and 18F to begin flagging government’s biggest enterprise and shared services challenges because more TMF money requires more manpower, Cornelius said. Project flow, execution and oversight must scale.

U.S. Digital Service staff could also be brought in to handle digital services delivery and Cybersecurity and Infrastructure Security Agency employees to find cyber opportunities, all of whom will improve the vetting of projects and can even assist agencies with implementation, Cornelius said.

“It’s not a knock on the folks that are running the Program Management Office now,” he said. “But that was an office that was designed to handle a million dollars for a few projects, not a billion dollars and scores of projects.”

Tech companies expect to be part of the process, requesting quarterly meetings in the letter with the TMF Board and representatives from interagency councils for information and status updates.

Unfortunately TMF’s current five-year repayment window is “unduly burdensome” for many agencies with “inherently riskier projects,” especially when the projects funded through Congress’ normal appropriations process aren’t subject to the same requirements, Cornelius said.

“The [OMB] director clearly has the authority to suspend, waive or alter the repayment requirements to make the fund more like a grant, rather than a loan,” he said.

Doing so will incentivize more agencies to seek TMF funds for multi-agency projects and commercial shared services that need stable funding over multiple years and take as long to retire legacy systems and yield savings, according to the letter.

The letter also asks that GSA consider waiving service fees the TMF PMO charges for processing funding awards.

DARPA’s AI fighter pilot gets more capabilities in latest tests

The artificial intelligence system the Defense Advanced Research Projects Agency (DARPA) is building to pilot fighter jets has added several new capabilities in recent tests.

The Air Combat Evolution (ACE) program made headlines in August when the AI system successfully defeated a human pilot in virtual dogfights 5-0. And now, in the system’s latest tests in February, DARPA added new weapons systems and multiple aircraft to the virtual battles, DARPA said in a March news release.

The trials put ACE on track for live, in-flight tests later in 2021.

“Adding more weapon options and multiple aircraft introduces a lot of the dynamics that we were unable to push and explore in the AlphaDogfight Trials,” Col. Dan “Animal” Javorsek, program manager at DARPA said about the initial trials in August. “These new engagements represent an important step in building trust in the algorithms since they allow us to assess how the AI agents handle clear avenue of fire restrictions set up to prevent fratricide. This is exceedingly important when operating with offensive weapons in a dynamic and confusing environment that includes a manned fighter and also affords the opportunity to increase the complexity and teaming associated with maneuvering two aircraft in relation to an adversary.”

One of the biggest increases in complexity during the testing came from adding a second aircraft for the AI system to try maneuver against. Whereas the initial tests were one-on-one dogfights, the latest rounds had two virtual F-16s matched against the AI system.

In that initial run, different companies designed different systems using machine learning to virtualize millions of dogfights for the AI to learn from. Heron Systems, a small defense contractor came out victorious.

Some criticized the initial tests as “AI theater,” meaning they bared little technological fruit but made for an interesting show. Dogfights are relatively simple tasks on the scale of what fighter pilots have to do in combat, and the AI system was only tested in a virtual environment.

“I appreciate that the DOD wants to show the world that it is on the cutting edge of AI deployment, but this simply is not it,” Missy Cummings, director of the Humans and Autonomy Laboratory at Duke University and former Navy pilot told FedScoop in August following the initial tests.

But the latest tests add new capabilities DARPA says will contribute to future systems. The agency also used the tests to ensure human trust in machines, an important topic the DOD is lacking in, according to a recent study.

“This enables us to see how much the pilot is checking on the autonomy by looking outside the window, and comparing that to how much time they spend on their battle management task,” Javorsek said.

DHS migrating to ‘cloud-first’ identities en route to zero trust

Migrating from legacy identity solutions to “cloud-first” identities is the next step in the Department of Homeland Security’s implementation of zero-trust security, according to the CISO of one of its component agencies.

Zero-trust security requires a network’s users to provide credentials before granting them access, after which they’re typically subject to continuous validation. That remains a challenge for DHS‘s external partners, Alma Cole, CISO of Customs and Border Protection, said during an ATARC event Tuesday.

Migrating identities to the cloud will make it easier and more secure to link them with those at other agencies or companies DHS contracts with, as well as add device identities.

“We’ve all had to deal with usernames and passwords and things for all these disconnected services at agencies,” Cole said. “So having that cloud-based identity that can actually federate with other entities in a really seamless way is key.”

Once that’s out of the way, DHS can begin using policy enforcement mechanisms to control what those identities have access to on the network.

DHS will use a network access control plane and comply-to-connect (C2C) framework — as well as a software-defined network (SDN) that verifies the posture of devices, user and user authorizations and entitlements — when granting on-premise users access to portions of the network.

As for external users like remote workers, DHS plans to replace its virtual private network with secure access service edge (SASE) cloud services.

“That is probably the first real, meaningful way to start implementing some hard, zero-trust access control policies and really lock down your agency,” Cole said.

By connecting offsite users to the network via a cloud-based tunnel, DHS need only expose the applications they’re authorized to use instead of the entire network, he added.

That’s especially useful if an advanced persistent threat (APT) nation state or state-sponsored group attempts to access the network because hacking one host, desktop or laptop will no longer allow them to see everything in the environment, Cole said.

DHS’s CISO would like to see more zero-trust guidance at the federal level.

While the NSA released a basic roadmap about a month ago, agencies haven’t even begun to scratch the surface of the data provided by programs like the Continuous Diagnostics and Mitigation program, Cole said.

That will require greater zero trust maturity, which comes with implementing more security capabilities and ultimately artificial intelligence.

“It’s so all-encompassing,” Cole said. “And it’s so overwhelming.”

Pentagon’s Joint Common Foundation AI platform is up and running

The Department of Defense launched a new coding platform aimed at helping users across the military build their own artificial intelligence models.

The Joint Artificial Intelligence Center’s Joint Common Foundation (JCF) has reached “initial operating capability” and already has some users in the services, center Director Lt. Gen. Michael Groen said Tuesday, although he did not specify what type of projects or who is involved.

The JCF is meant to be a one-stop-shop for anyone from dabbling data amateurs looking to fill out a slide-deck to full-on machine-learning developers hungry for clean data and an environment to write code. It will play a central role for the developing JAIC, especially as it turns to being an “enabling force” across the DOD rather than working on specific AI projects.

“The JCF is live, we have the tools, we are starting to develop, we are starting to host data, we are starting to host algorithms,” Groen said during the National Defense Industry Association’s inaugural National Security AI Conference and Exhibition. “We hope to grow that into full operating capability.”

The plan is to add a “block upgrade” every month to the platform to expand its data hosting, coding and other capabilities.

“Every month we want to add more services,” Groen said.

Other DevSecOps platforms, somewhat similar to the JCF, exist across the military services, including the Air Force’s Platform One. But Groen said the JAIC’s market for the JCF is made up of those who do not already have access to such a service-designed platform.

User feedback will play a major role in the early development of the platform. The JAIC is using user surveys to solicit initial users and those who would be using the JCF to hear what they will want. Working more closely with the individual services and the many AI offices across the department is a new focus of the JAIC. While initially the center was stood up as an AI fielding office to deliver products in key mission areas, now in its second iteration as the “JAIC 2.0,” it is focused on enabling others to build their own tools.

“We think that is a key tool to broad enablement across the department in the transformation of AI,” Groen said.

The hope is to eventually stitch together a common “data fabric” for enhanced interoperability and usage across the department, Groen added.

The JAIC inked a $106 million deal in August with Deloitte to help build the JCF platform.

Treasury awards its final EIS task order

The Treasury Department awarded the last of its six planned Enterprise Infrastructure Solutions task orders to AT&T, the telecommunications company announced Tuesday.

The 12-year, $231 million task order covers modernization of the Treasury‘s voice and data networks and cybersecurity as the department looks to enable its increasingly mobile workforce of more than 100,000 employees across about 700 locations.

Lawmakers initially expressed concern Treasury wasn’t keeping pace with the $50 billion EIS contract’s final deadline of Sept. 31, 2022, for transitioning off its predecessor Networx, but the department’s transition is now more than three-quarters complete.

“Hats off to the technology leadership and team at Treasury for making a deliberate and comprehensive commitment to network modernization,” said Chris Smith, a vice president with AT&T Public Sector. “We look forward to working with Treasury to help transform its communications capabilities and help ensure it is future-ready for further innovation.”

Work is already underway with Treasury poised to obtain EIS technology and cost savings quickly, according to AT&T‘s announcement.

AT&T’s last big EIS task order award was a 10-year, $311 million contract with the National Oceanic and Atmospheric Administration in November to prepare for 5G and edge computing by consolidating the agency’s networks into one Internet Protocol-based network.

DOD at risk of not meeting its own electromagnetic spectrum goals, experts tell Congress

The Department of Defense might know that it needs to put in more work to better manage its use of the electromagnetic spectrum — but so far that work has been lacking, according to expert testimony Friday.

The DOD still needs to empower high-ranking leaders to push spectrum initiatives, a key goal of the department’s spectrum strategy published in September, according to Joseph Kirschbaum, director for the Government Accountability Office’s Defense Capabilities and Management Team.

The Pentagon developed its spectrum strategy hoping to claim “superiority” in building and defending robust networks after two decades of warfare with low-tech adversaries. That lack of a need to use spectrum atrophied much of DOD’s EMS muscles, senior leaders have said. As the military starts measuring its readiness to fight a large-scale, great power war, it has acknowledged it needs to play catch up.

“The Department uses the electromagnetic spectrum for situational awareness, communicating with friendly forces, identifying enemy capabilities, directing strikes, navigation, and countless other tasks … the military is facing unseen challenges in the electromagnetic spectrum right now,” Rep. Jim Langevin, D-R.I., said during Friday’s hearing. Langevin is chairman of the newly created House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems.

Kirschbaum highlighted previous recommendations of a GAO report from December for the department to create a long-term oversight mechanism to ensure the spectrum strategy gets implemented during his testimony.

“The United States can no longer be assured of superiority in the spectrum,” Kirschbaum said. Previous strategies have not been fully implemented due to “bureaucratic and organizational hindrances,” and the current one could meet the same fate without action, he warned.

Strategic competitors like China and Russia have been hard at work developing weapons to disrupt U.S. networks and communications using spectrum, the hearing’s witnesses told lawmakers. The ability to disrupt DOD’s networks would be damaging in a battle now, and even more devastating in the future as the DOD turns to rely more and more on spectrum to run operations.

“The greatest risk I see today is continuing to apply a legacy strategy to the strategic realities of today,” William Conley, former director for electronic warfare in the Office of the Secretary of Defense, told lawmakers.

Developing new tools in spectrum management crosses into the DOD’s software goals since much of it is based on software-defined radios. Instead of working with antennas and other hardware, the latest research involves coding advanced algorithms and artificial intelligence to instruct the hardware to jump between frequencies, avoid jamming and finding innovative ways of communicating.

“That merging of the software and the hardware world I think will be very exciting,” Bryan Clark, a senior fellow at the Hudson Institute, told lawmakers at the hearing.

Missing E-Tran controls saw SBA issue $692M in duplicate pandemic relief loans

The Small Business Administration issued $692 million in duplicate pandemic relief loans because it failed to add the proper controls to its electronic application system, according to its Office of Inspector General.

E-Tran didn’t always prevent duplicate Paycheck Protection Program (PPP) loans made between April 3 and Aug. 9, when the loans were disbursed. Reasons included the computer script for detection stopped working, lender submissions used employer identification numbers and Social Security Numbers interchangeably, and some buyers applied via multiple lenders, according to SBA OIG‘s report.

The House Select Subcommittee on the Coronavirus Crisis requested the report, in part, because it wants to ensure E-Tran vulnerabilities are addressed before the remaining $150 billion in PPP loans are disbursed.

“Loans given to ineligible borrowers place taxpayer funds at risk of financial loss and delayed the amount of available critical capital needed for eligible businesses to withstand the effects of the pandemic during the first round of PPP funding,” reads the report.

Congress appropriated $659 billion, all told, for PPP loans intended to cover struggling small businesses’ payroll, rent and utilities.

About 4,260 borrowers received multiple PPP loans, despite SBA working with lenders to implement E-Tran controls in May. OIG found SBA temporarily turned off those controls between June 23 and 30 to resolve duplicate loans already identified with lenders, leading to more duplicate loans being made during that time.

OIG recommended SBA review potential duplicate loans and recover improper payments, review E-Tran controls to ensure those loans aren’t forgiven, strengthen controls for future PPP-type programs, and improve guidance for lenders — all of which SBA agreed to do.

“The inspector general’s report is consistent with the select subcommittee’s findings last year that billions of dollars in PPP loans issued by the prior administration may have been diverted to fraud, waste and abuse,” Rep. Jim Clyburn, a Democrat from South Carolina who chairs the subcommittee, said in a statement. “Today’s report is yet more evidence of the Trump Administration’s poor implementation of PPP, which ignored the intent of Congress by failing to get vital assistance to the neediest small businesses.”

SBA argued it was unlikely that borrowers intentionally exploited E-Tran’s initial vulnerabilities because only lenders have access, but OIG was quick to point out fraud still occurred.

The agency’s loan review plan states PPP loans are subject to automated screening. But software company Giant Oak ran the Department of Justice‘s first 57 PPP loan fraud defendants through its GOST screening platform and found 25% of them had committed fraud previously that should have barred them from receiving relief, CEO Gary Shiffman, who’s also a Georgetown professor, told FedScoop.

“That’s a very strong indication that they weren’t doing screening,” Shiffman said. “And in their statements, they were trying to get the money out quickly, so they were relying on the investigation as the deterrent.”

Most fraudsters assume the odds of an investigation into a loan less than $150,000 is low, and investigating fraud after the fact is “incredibly inefficient” compared to deterring it all together with screening, he added.

SBA did not respond to multiple requests for comment.

Fraud occurred 16% of the time when the Federal Emergency Management Agency disbursed relief after hurricanes Katrina and Rita, which in PPP’s case could mean as much as $105.4 billion in jeopardy, Shiffman said.

If SBA is committed to screening now, it will need to abandon static lists of past criminal convictions in favor of machine learning that examines patterns of fraudulent behavior, he said.

Machine-learning models can create prioritized lists of the highest to lowest threats, and if SBA vets the top 1%, then they’ve done a “phenomenal job,” Shiffman said.

New industry partnership promises to strengthen authentication security

Andrew Whelchel is a certified principal sales engineer at Okta, specializing in enterprise security architecture, identity risk, data privacy, cloud, mobile and API security.

The pandemic is speeding up plans of most organizations to embrace the cloud and meet new needs of a remote and hybrid workforce. But for federal agencies, even though the structure of the workplace has changed, federal regulations setting access and identity verification standards have not.

Cloud’s ability to bring greater speed, agility and security to the mission is within reach, as long as agencies can find provide access to cloud-based applications which meet Federal Identity, Credential and Access Management (FICAM) policies.

That’s been a challenge for many agencies. But it’s also the promise of a new partnership between Okta and Amazon Web Services. Okta Identity Cloud is now available through Amazon Marketplace, to give agencies access to a FedRAMP-approved cloud identity platform that supports their modernization goals.

Access tools that minimize cyber risk

The uptick in security threats — like recent ransomware attacks and compromised supply chains — continue to put agencies at risk. Systems are increasingly interconnected. That makes FICAM more than a just a check box to meet federal security regulations. FICAM lays the groundwork for agencies to implement modern identity and access controls and ultimately paves a path forward to architecting a zero-trust environment.

The remote and hybrid workforce increases agencies’ cyber risk as long as employees are not working inside government buildings. It is critical that federal IT infrastructure moves away from traditional credential validation, like PIV and CAC, and traditional remote access security such as VPN, to an access solution that solidifies a zero-trust security posture.

Those organizations which have already fallen victim to a ransomware attack learned that in the event of a breach or attack, IT security teams can benefit from segmentation, to isolate threats quickly. But at the same time, multiple accounts create more access complexity. Organizations with hundreds and thousands of users will exponentially increase the number of accounts per person.

Without a tool like Okta’s Identity Cloud, users have to remember a lot of passwords and credentials. Consequently, IT administrators need to be mindful that with segmentation also comes the need to take a heightened management posture for access and identity verification controls.

Okta’s single sign-on and multifactor authentication solutions comply with a number of FICAM policies — not just for access controls, but for logging, auditing and even providing attestations that someone should continue to have the rights that they have. The universal directory consolidates users, groups and devices into a single directory, giving administrators the ability to manage the lifecycle of users’ access.

Additionally, Okta Identity Cloud operates both on-premises and in cloud environments and supports agencies’ moves to embrace either hybrid or multi-cloud infrastructure. Ultimately, the goal is to create a more resilient infrastructure against cyber threats that doesn’t complicate the user’s experience.

Testing the waters with pilot projects

Using Okta with AWS’ cloud infrastructure offers both speed and agility of access that agencies are looking for their applications today and in the future. By getting users approved for certain capabilities, and then mirroring those attributes inside of AWS, agencies can have certainty that the right people are the right privileges to access federal data. That includes employees, contractors, partners and citizens who interact with the government at different levels.

Those who are hesitant to move forward need only test this concept with a pilot program to get started. Those who’ve already begun testing workloads related to home connectivity, zero-trust connectivity, ticketing management or automation software are seeing the benefits almost immediately. And because these pilot tests are managed in the cloud, there are no setup costs and no provisioning to spin up a Okta’s tool inside AWS.

Once agencies understand how easy it is to move their data and connect their identity to that cloud, it doesn’t take long to begin moving a lot more projects and workloads to the cloud.

Okta is a leader in the identity space, and its broad network of application integrations simplifies the deployment and management of cloud apps, services and infrastructure for those organizations migrating to the cloud.

Also, read more from leaders about how state and local agencies are modernizing identity authentication.

Learn more about the availability of Okta Identity Cloud and its products in AWS Marketplace.