AWS DOD Director Liz Martin on how cloud is transforming defense missions
A technologist by trade, few things spark Liz Martin’s imagination more than using the latest technology to solve complex mission challenges.
So by almost any measure, she landed the ideal assignment four years ago, when Amazon Web Services (AWS) hired her to help the U.S. Department of Defense (DOD) gain a deeper understanding of the art of the possible using cloud technologies.
That opportunity took on new significance in March, when AWS promoted her to lead all of its global business with the Defense Department.
Since her days as a developer, and later as a solutions architect in the telecom sector, “I always understood the need to work backwards from customers’ challenges,” Martin says. In her role with AWS, that means working backwards from defense missions. “The DOD has made significant progress in adopting cloud technologies in the time since I joined AWS. But as the security landscape continues to evolve, it remains critical for defense agencies to stay ahead of the emerging threats with the latest technology developments.”
What struck Martin most about the Defense Department when she first joined AWS was the critical nature of DOD’s mission. “DOD’s most sensitive missions pose different challenges than running a back-office IT system. When our warfighters are in the field or at the tactical edge, those missions leave no room for failure.”
According to Martin, cloud technologies are helping DOD agencies address challenges such as the need for speed, resiliency and reliability, as well as supporting operations on a global scale.
“While our mission is focused on technology delivery, we have a similar commitment to the idea that our warfighters deserve access to the best technology in the world. And I think that resonates with our DOD customers and with the defense community at large.”
Need for speed
“One of the areas that we are helping the DOD is around speed,” she says. Pentagon and military leaders understand it’s critical “to accelerate the speed to adopting innovative technologies — to continue to stay ahead. It’s a very challenging global environment, and technology can provide a significant edge in a way that it hasn’t in the past.”
One of the key components to achieving that edge, she says, revolves around gathering and analyzing data faster and where it’s needed most.
“All of the server power in the world isn’t going to deliver your mission outcomes if you don’t have the data you need available to you when and where you need it,” says Martin. So, AWS is working with DOD teams on ways to integrate sensor data in austere environments and the so-called tactical edge.
“Analytics at the edge is very important because critical missions require an incredible number of sensors, diverse areas for collecting data, and the ability to make sense of that sensor data to make decisions in real time,” says Martin.
“We have a variety of products, like our ruggedized AWS Snowball Edge and AWS Snowcone computing and storage devices — ranging in size from a Kleenex box to a piece of carry-on luggage — that can be deployed in forward positions to create a local cloud,” she explains. “They can process all of that data locally, in real time, and also upload it into one of our larger regional data stores or analytics platforms, when conditions permit.”
Another problem the military faces when it comes to IT solutions is its massive scale.
AWS is helping DOD develop creative solutions to take the cloud to austere environments while also utilizing secure cloud computing regions to handle the large scale of the military’s IT requirements.
Reimagining what’s possible
Martin says AWS continues working with defense and military leaders to better understand the full capabilities available through the cloud, as well as how those capabilities might be put to more effective use.
“There are still a lot of folks who think the cloud is just a server in someone else’s location,” she recalls. “The notion of expandable compute and storage capabilities is certainly part of the story. What’s more compelling are the high-value activities that customers can achieve by leveraging the AWS cloud and the functions it offers, like high performance computing and real-time analytics,” she says.
At the same time, she also sees many pockets of cloud-based innovation through her work with the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and Combatant Commands.
She credits defense officials for tackling significant problems over the past three years, including “some very large workloads moving into the cloud at all classification levels — as well as massive enterprise IT systems where scale is essential.”
DOD agencies can now move classified and mission-critical IL 6 workloads securely into AWS’s exclusive Secret Region cloud facility. Those and other initiatives promise to give defense officials greater speed and flexibility as they continue to scale up digital warfare capabilities and focus on initiatives like the Joint All-Domain Command and Control (JADC2) program.
Martin adds that AWS is committed to helping DOD customers develop their workforces, as well as supporting veterans, reservists and military families at Amazon. There are more than 40,000 veterans and military spouses employed at Amazon across the United States. “We find that many of the qualities that are foundational to military service align well with our Amazon culture,” Martin says.
What’s different today than when Martin first started her role at AWS, she adds, is the extent to which DOD mission owners are realizing the benefits of cloud technology. “By eliminating the undifferentiated heavy lifting of the underlying IT infrastructure, the DOD can focus on delivering its critical missions,” Martin says.
Telework is here to stay in the Navy, at least for now
The Navy is extending its remote work policy even as many across its forces get vaccinated against COVID-19, according to a memo published Monday.
The Navy said sailors and other personnel will need to continue working remotely at least 50 percent of the time in accordance with “health protection level B” for vaccinated sailors and civilians.
“This update continues to build on what we have learned about combatting COVID-19 while still maximizing our operational readiness,” said Vice Adm. Phil Sawyer, the Navy’s operations chief in charge of coordinating the service’s response to COVID-19. “I expect we will continue to improve services available for our Sailors and their families while protecting the force as the number of personnel vaccinated grows. The key is for everyone that is eligible to get vaccinated.”
Health protection level B, the Navy’s highest level for vaccinated employees, is set for 2-15 new cases per 100,000 population in the last seven days.
The Air Force and Army are also both in discussions for how long they will continue teleworking, with the Army expected to update its telework guidance soon. The changes come as the larger Department of Defense works to build out its “enduring” suite of virtual work tools to support continued telework.
The DOD’s technology to support both in-person work and telework is planned to be rolled out by summer. DOD365 is a new high-security version of Microsoft’s Office suite of tools.
The current telework platform, the Commercial Virtual Remote (CVR) environment, is scheduled to sunset in June and was always designed to be temporary, even though the military’s telework policies are extending.
“Our enduring capability is going to be with us for a long time,” acting DOD Chief Information Officer John Sherman told FedScoop in March.
The DOD recently published new guidance for how leaders should evaluate their facilities’ risks to coronavirus spread. The guidance gives different levels for how many employees should work in-person based on the level of community transmission.
The Air Force does not have updated policies for how it plans to address a workforce with a growing number of vaccinated airmen and other personnel.
The federal government gets a central AI website in AI.gov
The National Artificial Intelligence Initiative Office compiled all government activities advancing the effort on a single website launched Wednesday.
AI.gov features recent AI reports and news across agencies; details the initiative’s six strategic pillars; archives related legislation and executive orders; and explains the structure of not only the office but various AI committees, working groups and task forces.
The website is part of the government’s push to increase transparency around every agency’s work with cognitive technologies and develop trustworthy AI, where people believe in the reliability of the algorithms involved. Office Director Lynne Parker announced the site in a post on LinkedIn.
The most recent publication on the site is the National Security Commission on AI’s final report released March 1, which found that the U.S. remains unprepared for the “assertive role” government must play in scaling public resources to ensure the country achieves global dominance in the sector.
Parker maintained her role as deputy federal chief technology officer during the presidential transition to the Biden administration and has been quiet about NAIIO’s work up to this point. She’s currently assisted by four policy advisers in her capacity as the office’s director.
The National AI Initiative Act of 2020 became law on Jan. 1, 2021, creating a governmentwide program to accelerate AI research and development in ways that improve the U.S. economy and national security. NAIIO sits within the White House Office of Science and Technology Policy.
HoloLens 2 headset will be model for Army’s future acquisitions
The Integrated Visual Augmentation System (IVAS) the Army recently procured for $21 billion will be the gold standard for other acquisition programs to follow, the Army’s top general told lawmakers Wednesday.
The IVAS system, designed by Microsoft and based on its HoloLens 2 headset, is a “transformation” from the night vision systems the Army currently uses as it also has augmented and virtual reality capabilities built into the headset, Gen. James McConville told the House Appropriations Defense Subcommittee on Wednesday during a hearing on the Army’s budget.
The program shattered the usual multi-year — even multi-decade — timeline for fielding major Army acquisition programs, taking just 28 months to go from prototype to purchase, largely thanks to a novel structure of embedding soldiers in the design process, McConville said. “IVAS is a good example of where we are trying to go with acquisition as a whole.”
Microsoft President Brad Smith told the Senate in February that the company hedged it would win the award and had started building manufacturing facilities early to help speed up the scaling of production.
The system will allow soldiers to train in environments projected in their headsets, giving them experiences in far-flung environments. The Army also hopes the tech will reduce training injuries.
“That cap I think is going to transform how our soldiers operate,” McConville said.
McConville spoke about wanting to transform the Army from an Industrial Age one into an information age one, as he has repeated often in public remarks. He pointed to having constant “soldiers touch points” on the project as a successful part of the IVAS process that will be repeated in other programs to make the broader transformation he wants to achieve.
“We must transform the Army,” he said.
CISA has a better understanding of critical software post-SolarWinds hack
Following the SolarWinds hack, the Cybersecurity and Infrastructure Security Agency believes it has developed a better understanding of critical software across government.
CISA’s National Risk Management Center has spent the four months since the hack was discovered determining the risks such software poses to national critical functions and developing tools to mitigate the threat, said Assistant Director Bob Kolasky.
The SolarWinds hack compromised at least nine agencies when Russian operatives used its updating system to push malware to Orion software users, and now all agencies should take stock of their IT infrastructure, Kolasky said.
“We call this supply chain security; we call it supply chain risk management — about understanding the hardware and software that you rely on to do business and do critical processes,” he said. “But that actually means differentiating between the hardware and software you rely upon to do critical processes and doing your own survey of what your critical processes are.”
Even SolarWinds customers unaffected by the hack had to reevaluate their IT environments now that supply chain attacks of this magnitude are no longer simply theoretical.
A large, nation-state adversary was nothing SolarWinds was “really, truly prepared for,” said Tim Brown, the company’s chief information security officer and vice president of security.
“This adversary was not simple,” Brown said. “They were quiet, they were stealthy, they lived off the land, they only were there when they needed to be there, they weren’t noisy.”
SolarWinds can do better as a software provider when it comes to development transparency and is looking to help industry after pushing releases the last four months, he added.
CISA is a partner in those efforts.
Government information sharing needs to improve, and the National Risk Management Center wants to ensure agencies aren’t entering into software contracts where, should a breach happen to one, it winds up affecting another’s systems, Kolasky said.
“What is the overall national response capability?” he said. “And how are we going to have depth of remediation, so that we can anticipate things bigger than what just happened?”
That will require working with companies like SolarWinds. Adversaries currently share information better than the public and private sectors do, Brown said.
SolarWinds attackers hit the company at the endpoint, and it didn’t have double checks in place. Now SolarWinds not only builds software but installs, decompiles and checks it back against source code, Brown said.
“I truly gave a little too much flexibility to my developers and my development network,” he added.
Many software companies do when it comes to allowing developers different operating systems and administrative and application rights. But SolarWinds has since imposed tighter policies, procedures and controls on its development team. They’ve “kind of slowed things down,” but the development team has been “very accepting” when they wouldn’t have been even six months prior, Brown said.
Check-ins to source code no longer just require a peer review but also an architect review. And SolarWinds stood up a triple-build environment, where it builds in a disconnected clean room — with both a developer and lab environment — compares results and prevents anyone from having access to all three, Brown said.
Pentagon leaders emphasize role of emerging technologies in battle
The top two leaders in the Pentagon in some of their first major public speeches shared visions for a Department of Defense that heavily relies on emerging technologies and creating new strategies to use them.
Secretary of Defense Lloyd Austin emphasized the need to depart from previous ways of waging war and focus on new, technology-driven tools and strategies during his first major speech, given in Honolulu at the change of command ceremony for Indo-Pacific Command last Friday. The same message was echoed later that same day by Deputy Secretary Kathleen Hicks, who said that the department must “aggressively take steps to be a data-centric organization” and create new ways to use data in the field and in command centers.
These remarks designate a much more specific stance than in past administrations around building a military force of the future that is dependent on tech.
They want “to mark a departure from the approach of DOD under [former Secretary of Defense James] Mattis,” Bryan Clark, a senior fellow at the Hudson Institute, told FedScoop about the leaders’ remarks.
Mattis focused on traditional lethality and readiness during his two years as President Trump’s secretary of defense, rather than the long-term technology-driven competition. And Mark Esper, Trump’s second confirmed defense secretary, often referenced artificial intelligence changing the “character” of warfare, but rarely spoke on its applications or specific uses.
But Austin and Hicks are taking a very different, much more direct approach when it comes to tech. “Our fiscal year [2022] budget will provide early insight into our strategic approach,” Hicks said at the Aspen Security Forum. “It will support defense research, development, test and evaluation funding. This will lead to breakthrough technologies that drive innovation and underpin the development of next-generation defense capabilities.”
While not mentioned directly by either Hicks or Austin, both implicitly pushed the capability that the new digital concept of operations called Joint All Domain Command and Control (JADC2) promises to deliver. The idea is to create a so-called “internet of military things” where weapons can share data to enable distributed, speedier decision-making. It’s a wonky topic that has been getting increasing nods of support from leaders in public.
“In this young century, we need to understand faster, decide faster, and act faster,” Austin said in his speech. “Our new computing power isn’t an academic exercise.”
Austin also foot-stomped the domains where threats are increasingly proliferating: space and cyberspace.
“So what we need is the right mix of technology, operational concepts, and capabilities — all woven together in a networked way that is so credible, flexible, and formidable that it will give any adversary pause,” he said.
Hicks directly identified China as the leading threat driving the department’s accelerated tech-driven push. China has the advantage of combining its economic, military and tech capabilities to challenge U.S. interests, she said.
And while China is the top threat, it isn’t the only one. “We have never had the luxury of being faced with only one threat,” she said.
This landscape will require the DOD to overcome “institutional inertia” and find new processes that can keep pace with rapid changes to capabilities. Hicks stressed the need to change the budgeting process to account for what the DOD needs to buy, including software and tech that changes faster than the current two-year cycle allows for.
“Platforms will always matter, but it’s the software…it’s those pieces that make such a critical difference in our capability,” she said. “That’s a different funding picture.”
Neither Austin nor Hicks detailed exactly how their view of tech-driven warfare will play out. But that was to be expected, Clark said. With the department’s full budget request coming in late May, they wanted to keep their cards close to the chest.
“They started out in a very aligned point,” he said. “That’s different and I think that’s useful for them.”
Air Force brings Hack-a-Sat back for second year
The U.S. Air and Space Forces will once again allow security researchers to penetrate some of their most precious assets: satellites.
During last year’s first Hack-a-Sat bug bounty initiative, the Air Force opened a satellite to more than 6,000 white hat security researchers to see if they could break in, in turn helping the Air Force to learn about its vulnerabilities.
This year’s contest will follow much of the same format as last year’s hosted at DEF CON 2020 and aims to attract even more participants to test the security of satellites. Registration is now open for the qualification round, which includes a new “Jeopardy-style format” with hackers being able to earn points based on speed and accuracy of solving problem sets.
“The security and cyber-resiliency of our on-orbit systems is an absolute necessity as we look to ensure the peaceful development of the global commons of space over the coming decades,” Lt. Gen. John Thompson, commander of the Space Force’s Space and Missile Systems Center, said in a release. “This required a multitude of specialties, so partnerships across the entire professional cybersecurity spectrum are vital to developing the next-generation of secure space systems.”
The initiative extends on the Air Force’s work to build stronger connections across the hacker community, which once was suspicious of working with the military and federal government.
“Working with the Air Force on this was awesome because it’s not every day you get access to this kind of technology to mess around with,” Cyrus Malekpour, a winning team member for last year’s Hack-a-Sat, told FedScoop at the time.
The top three finishing teams that make it through the qualifying rounds are eligible for $50,000, $30,000 and $20,000 for first, second and third place, respectively. Will Roper, the Air Force’s former head of acquisition, technology and logistics, said he wanted hackers to be able to “make a living” off bug bounty programs like this.
Federal CDO Council preparing 10 data science training program use cases
The Federal Chief Data Officers Council plans to release 10 data science training program use cases soon in a sign of the agency collaboration to come, according to Chair Ted Kaouk.
Each use case will feature a different agency like the Department of Health and Human Services’ Data Science CoLab or the Air Force’s data governance certification program.
The use cases were compiled by the council’s Data Skills Development Working Group, which aims to bolster agencies’ data workforce.
“We have an opportunity to accelerate that learning because we can learn about what others are doing — what’s worked for them,” said Kaouk, who primarily serves as CDO of the U.S. Department of Agriculture, during an ACT-IAC event Tuesday. “And I think that crosses the data skills domain; that crosses data sharing.”
The use cases come shortly after the joint hiring announcement for data scientists issued by 10 agencies in January, a project led by the U.S. Digital Service in partnership with the Federal CDO Council.
Meanwhile, the council’s COVID-19 Data Coordination Working Group has developed a number of prototypes addressing data-sharing challenges between agencies.
“That’s really focused on working with HHS to facilitate broader access to key public health data across internal agencies and developing decision support tools that are primed to be shared across agencies,” Kaouk said.
The council is similarly working with the Census Bureau to improve agencies’ access to its American Community Survey data.
And Kaouk anticipates agencies will create their first artificial intelligence inventories later this year, once the council releases the guidance it’s developing with the Federal Chief Information Officers Council. The inventories will detail each agency’s existing and planned AI use cases for everyone’s benefit.
The council is developing a framework for coordinating with the other Foundations for Evidence-Based Policymaking Act councils geared toward evaluation officers, statistical officials and privacy officials. And it’s updating existing guidance to reflect the Biden administration’s priorities.
Those priorities include better data management, skills and infrastructure; racial equity; and analysis of data collection practices and privacy protections for COVID-19 data in particular.
The council has about 80 member agencies currently.
Using the momentum of the pandemic to advance zero trust security
Getting buy-in from agency leaders to prioritize investments into zero-trust security has been challenging. But the pandemic — resulting in work-from-home initiatives and the loss of physical access controls — is forcing agency leaders to throw their security and access planning assumptions out the window.
With the loss of the ability to manage devices, control software updates and establish trust for users accessing government systems, CIOs and CISOs need to build security strategies that future-proof their agency against new threats and cyber risks, according to a new report.

The FedScoop report, “Pandemic Forces Agencies to Accelerate Zero Trust Security Plans,” underwritten by Duo Security, looks at two key pillars of establishing zero trust: centralized authentication and strong digital identity capabilities.
Core tenets of zero trust
“Ideally, agencies want to get to a place where it doesn’t necessarily matter what credential an employee was issued, or whether or not the employee is using a managed device. With strong MFA and identity assurance, the organization can centralize a policy engine in such a way as to determine whether or not access should be granted,” says the report.
That means reprioritizing what security and access controls look like when establishing trust for both users and devices, according to Helen Patton, advisory CISO at Duo Security, now part of Cisco.
At the top of risks to address, says Patton, are compromised privileged accounts which allow for the lateral spread of breaches across the network. This is especially true with shared administrative accounts.
“If agencies are still using accounts with just a password and no multi-factor enacted, they are missing critical controls to authenticate that the user is who they say they are,” Patton warns.
She goes on to explain that in shared admin accounts, “agencies give multiple users access to a primary username and password. These are the kinds of weaknesses threat actors hope to exploit to gain access and move laterally across the network.”
Two of the core tenets of zero trust require that an organization see where authentication is occurring — at the application level — to enact policy engines where they will be most effective; and authenticate digital identity to gain insight into the network, the perimeter and what devices are accessing agency resources.
Zero trust controls in action
Patton illustrates how these modern security controls can work during an active security incident.
In January 2021, when Apple announced the iOS 14 vulnerability, Duo’s parent company, Cisco, implemented a policy change for access authentication.
“In a matter of minutes, Cisco rolled out the policy to all of its protected applications accessed by more than 400,000 endpoints, making it a requirement for devices to install the iOS 14.4 update before they were able to connect to the network,” explains Patton.
At the end of the day, dynamic policies helped Duo and Cisco push policy updates across the network and place responsibility with the user to manage their device and access.
This article was produced by FedScoop and sponsored by Duo Security.
Army planning open-architecture guidelines for contracts
The Army is working with industry to unify the technology it will buy for future platforms and vehicles by creating a modular and open-architecture approach.
Called the Common Modular Open Architecture (CMOA) initiative, the modernization push is in a feedback-seeking phase where the Army still hopes to hear more from industry. A team within the Office of the Chief Systems Engineer (OCSE) is developing the future contracting language and reference guides.
The service recently completed its first industry day event on how best to balance the military’s desires for interoperability and industry’s push to keep intellectual property rights for competitive advantage. Open-architecture technology has grown in popularity recently for the ease of upgrading and swapping out pieces of software in a system, but commercial companies are often reluctant to break away from building proprietary products.
“We want to have the flexibility to allow for modernization,” Jeannette Evans-Morgis, chief systems engineer and head of the CMOA initiative, said on a call with reporters Monday.
Evans-Morgis said her office is looking to make changes on areas considered “low-hanging fruit.” In that basket are data standards for programs like the Optionally Manned Fighting Vehicle (OMFV), the Army’s replacement for the Bradley Fighting Vehicle that has been a staple of Army operations for decades.
Starting with data interoperability and software reference guides will be a jumping-off point for the broad push to make it easier for the Army to “plug and play” new tech, Evans-Morgis said.
One of the outcomes the Army wants to see through this initiative is machine-to-machine data sharing. The OMFV is being designed with data and software as central elements so that it will operate like an iPhone that can constantly upgrade and download new applications through a common architecture, like the Apple App Store. But, using that analogy, many of the Army’s platforms would be the devices that need to be completely replaced to allow for upgrades.
The team behind the CMOA will be producing multiple kinds of documents to guide industry’s future work with the Army, including reference guides, contracting language and standards. Evans-Morgis committed to giving industry plenty of time to adjust its practices and tools to what the Army needs once those new documents are finalized and put into contract solicitations.
“That’s what’s really critical: We have to get it before we start writing those RFPs,” Evans-Morgis said.
The Army is encouraging more feedback on its plans from both industry and offices across the service that run programs like the OMFV.
“Obviously, this is always going to be a work in progress,” Evans-Morgis said.