UK government homepage knocked offline by Fastly glitch

The homepage of the U.K. government was among websites affected early Tuesday by an outage at content delivery network Fastly.

Gov.uk was unavailable to some users for more than an hour, along with the websites of major news organizations including the New York Times, Bloomberg, and the Financial Times.

Content delivery networks are a key part of the global internet infrastructure and provide servers that improve the performance and availability of web services to users in different locations. Media content is often cached at a CDN server so that it doesn’t have to be fetched from the origin server every time a user loads a web page.

Fastly’s services had fully recovered as of 7am eastern time on June 6. In a blog post, Fastly Senior Vice President of engineering and infrastructure Nick Rockwell said the global outage had been caused by an undiscovered software bug that surfaced when it was triggered by a valid customer configuration change.

“This outage was broad and severe, and we’re truly sorry for the impact to our customers and everyone who relies on them,” said Rockwell.

Commenting on the outage, Matt McDermott, a senior officer at technology policy consultancy Access Partnership, said the incident served as a reminder that government agencies should have a rapid response plan in place for dealing with such outages.

“Organizations and government bodies need to look at implementing the steps that look to assess, stabilize, improve and monitor to ensure this issue does not pose further problems in the future,” he said. “Assessment is needed to determine the server’s bottleneck, then stabilizing the issue with implementation of quick fixes will mitigate impact to broader stakeholders and users.”

Speaking with FedScoop, McDermott said that depending on the nature of the issue, automated early warning systems can allow serious cyber incidents to be averted.

“Even just a few minutes’ additional warning of a coming outage can help to preserve critical services. In these situations, it becomes very difficult to keep up everything, but emergency capacity can be used to protect key assets,” he said.

A spokesperson for the U.K. government’s digital service said: “We are aware of the issues with gov.uk which means that users cannot currently access the site. This is a wider issue affecting a number of other websites. We are investigating this as a matter of urgency.”

Veterans Affairs awards $725M EIS contract to AT&T

The Department of Veterans Affairs has awarded a $725 million task order to AT&T to modernize the agency’s data communications platform.

AT&T has already begun work improving the security, scalability, availability and resiliency of VA’s Internet Protocol-based data network with cloud infrastructure.

VA made the maximum 12-year task order as part of the $50 billion Enterprise Infrastructure Solutions contract for federal government enterprise telecommunications and networking solutions.

“VA is continuing to explore and innovate with advancing technologies to help us provide exceptional customer service to our nation’s veterans,” said Daniel Mesimer, a director within the agency’s Office of Information and Technology.

AT&T is providing wide area networks (WANs), virtual private networks (VPNs) and managed network services as part of the deal. The VA says that the WANs will allow care providers to access veterans’ health-care records in near real time on connected devices, eliminating paper and saving time.

VA needs a high-speed urban and rural data network to provide care and benefits to about 18 million veterans and their families out of 1,255 facilities comprising the largest integrated health-care system.

“We’re thrilled to complement our broad array of AT&T programs that benefit veterans with an advanced data communications platform and capabilities that will power VA’s mission for years to come,” said Chris Smith, vice president of civilian and shared services at AT&T Public Sector and FirstNet.

CISA launches platform to allow hackers to report flaws in federal tech

The Cybersecurity and Infrastructure Security Agency (CISA) has launched a vulnerability disclosure platform (VDP) that will allow federal agencies to identify cybersecurity flaws with the help of ethical hackers.

The platform will be available to all civilian agencies overseen by CISA, and is intended to allow government departments to take advantage of the skills of civilian cybersecurity experts, often known as white-hat hackers.

In the private sector, white-hat hackers use their skills to identify and report weaknesses in companies’ cyber defenses.

The launch of the platform is designed to help agencies comply with a directive, published by CISA in September last year, requiring agencies to develop a procedure for reporting cybersecurity flaws and to clarify what types of security testing are allowed.

Under the directive, agencies must also provide a system for the anonymous reporting of weaknesses and commit to not pursuing legal action against security research conducted in good faith.

CISA did not comment on which agencies would join the VDP first, or the timeline for onboarding.

The platform is being administered by private contractors Bugcrowd and EnDyna, through CISA’s Quality Service Management Office (QSMO).

Speaking to FedScoop, Bugcrowd CEO Ashish Gupta said the platform would allow government departments to speed up the sharing of information about a high number of vulnerabilities.

According to Gupta, in a similar program working with a large financial institution, Bugcrowd was able to identify a vulnerability that affected more than 250 domains and over 5,000 URLs.

CISA’s executive assistant director for cybersecurity, Eric Goldstein, said: “A key component of any organization’s cybersecurity program should be a transparent and clear way for security researchers to report vulnerabilities, which is why CISA issued a directive last year to require federal civilian executive branch agencies to implement a vulnerability disclosure policy.

“As we work to raise the baseline of cybersecurity across the executive branch, CISA will continue to work with federal agencies to ensure they have the support they need to strengthen their cybersecurity operations, including by quickly identifying and mitigating vulnerabilities,” added Goldstein.

CISA initially awarded Bugcrowd and EnDyna the platform contract in September; however, a series of protests delayed the first of the three initial shared services offered by its QSMO until now.

The use of VDPs could even become widespread for federal contractors should California Democratic Rep. Ted Lieu’s Improving Contractor Cybersecurity Act, introduced on June 1, become law.

The SolarWinds hack, discovered in December to have compromised at least nine federal agencies, prompted President Biden’s cybersecurity executive order pushing new investments in zero-trust security architectures.

More recently the Supreme Court narrowed the scope of the Computer Fraud and Abuse Act, in part, to protect well-intentioned, white-hat hackers from being unfairly prosecuted for investigating vulnerabilities.

Army clarifies that it does not have a policy banning smart devices

The Army has overturned its May 20 policy, which had instructed soldiers and civilians either to switch off or remove all Internet of Things (IoT) devices from their home telework offices.

A service spokesperson told FedScoop that the policy had been removed for additional “staffing and review,” and that it would need to be further assessed before being officially implemented.

At the time of the initial edict last month, all Army personnel including contractors working for the service were required to follow the guidance.

“Current teleworking policy does not specifically address IoT, but employees are provided [with] tools to allow secure network access and guidance to use best practices to prevent vulnerabilities and maintain readiness in a maximum telework environment,” the spokesperson added.

IoT stands for internet of things, meaning devices like TVs, refrigerators and other “things” that are now connected to the internet and therefore hackable. Many of them have functions that constantly listen to users’ voices, waiting for keywords like “Hey, Google” to prompt an action.

Federal Claims Court judge sides with AWS on JEDI lawsuit timing

A federal claims court judge has granted Amazon Web Services’ requested timeline for hearings in ongoing Joint Enterprise Defense Infrastructure (JEDI) cloud contract litigation.

According to court documents, Amazon is seeking the disclosure of additional internal communications from the Department of Defense — including emails and Slack messages — which lawyers representing the government say cannot be disclosed because of national security concerns.

Both the U.S. government and contract winner Microsoft were seeking to expedite the case schedule. Lawyers for the government said its implications for national security also merit that the case be fast-tracked, while lawyers for Microsoft say it should be sped up because of the large financial losses the technology giant stands to accrue. The company declined to comment further.

Under the schedule put forward by AWS, the cloud services company will file a renewed motion to complete the administrative record by June 18. The U.S. government and Microsoft will then have until July 9 to respond, and Amazon will have until July 16 to file another reply.

It represents the latest stage in the legal challenge, which was launched by Amazon after the Joint Enterprise Defense Infrastructure contract was awarded to Microsoft in 2019.

Pentagon officials have previously indicated that they may be willing to drop the cloud computing project, which has been slowed by the litigation.

In March this year, a federal judge refused a request by the DOD to dismiss much of Amazon’s case, and Deputy Defense Secretary Kathleen Hicks said the department would review the project.

In a statement to FedScoop, a DOD spokesperson said: “We are aware of the Court’s decision relating to the protest; however, it does not affect the DoD’s commitment to establish an enterprise-wide cloud capability.”

AWS did not immediately respond to a request for comment.

USCIS seeks information on contract cybersecurity personnel

U.S. Citizenship and Immigration Services (USCIS) has issued a request for information (RFI) about the ability of contractors to provide cybersecurity services to protect IT infrastructure, other systems, and the data they contain.

The agency last week said it would potentially appoint cybersecurity experts across a range of areas including network design, configuration and operation. Currently, it is gathering information, and has asked contractors to suggest “appropriate” contract types and structures.

The publication of the RFI comes after President Biden, in a cybersecurity executive order last month, urged agencies to adopt zero-trust architectures, and amid an increase in remote work during the COVID-19 pandemic.

“The contractor shall be able to re-organize team make-up and seamlessly shift the workload between teams or team members,” said the draft statement of work.

“The contractor shall be able to work smoothly with other USCIS contractors and federal employees as part of cross-functional, cross-organizational agile DevSecOps teams,” it added.

In the RFI, USCIS also asked whether small businesses can meet its requirements, and asked large businesses about their plans for using small businesses as contractors.

Contractors have until 4 p.m. ET on June 18 to respond to the RFI.

U.S. Navy inks $2.5B contract with Dell for enterprise software licenses

The Department of Defense has awarded Dell a $2.5B blanket purchasing agreement to provide the U.S. Navy with enterprise software licenses.

Under terms of the five-year deal, the technology company will provide user-based subscription licenses for products including Microsoft 365 and Microsoft Azure.

The contract award comes as the DOD transitions to DOD365, which is a higher-security version of Office365 that was purchased through the $4.4 billion Defense Enterprise Office Solutions (DEOS) contract.

The enterprise software licenses will be used by the Department of Defense and U.S. Coast Guard, and the ordering period began on June 1.

Funds will be paid through delivery orders using operations and maintenance DOD funds, although the agreement will not obligate the immediate payment of funds. Two proposals were received for the contract award.

Purchasing software has been a perennial challenge for DOD, as its contracting methods were designed for the procurement of major weapons systems rather than code-based systems that require continual updates.

DISA identity management service to reach entire DOD by next year

The Defense Information Systems Agency’s new identity, credentialing and access management (ICAM) tool will be available to the entire department “within the next year,” an official said Thursday.

The enterprisewide “global directory,” as it’s called, will give the Department of Defense a centralized directory for identifying users by fiscal 2022, according to DISA. Such an ICAM solution is a central element of the DOD’s top-priority adoption of a zero-trust architecture.

The capability will also allow DOD to use new multi-factor identification tools like biometric sign-in and other new approaches.

“We are definitely going beyond two-factor authentication,” Lt. Col. Pete Godbey, a user engagement officer at DISA’s Cloud Computing Program Office, said during Okta’s Age of Identity Summit produced by CyberScoop. He added, “that’s really what our centralized authentication platform can do.”

DISA has been experimenting with a range of access management tools, such as artificial intelligence-based biometrics that measure everything from a user’s stride to the way they tap their phone in order to validate their identity.

Godbey said the global directory already has more than 100,000 users and is on the “glide path” to being fully rolled out across the department by the end of fiscal 2022.

“As we start finding where these new technical capabilities can be implemented, instead of trying to implement across dozens or more of the systems out there, really what we can do is implement it on a smaller scale and then provide a massive DOD-wide impact in near-immediate term,” Godbey said, adding that a centralized ICAM tool implementing new ways to check identities is easier than having to update a range of ICAM applications.

While DISA didn’t confirm a specific date for completion, other leaders in the DOD have highlighted the technology’s importance.

“That will be the exemplar that we adopt across the board, throughout the department,” Dave McKeown, DOD’s chief information security officer, told Congress about the tool.

Ransomware Task Force co-chair says a ban on ransom payments would need to be phased

Any federal ban on the payment of ransom demands by hackers in cyberspace would likely need to be phased, according to a co-chair of the Ransomware Task Force.

In an interview with FedScoop, Chris Painter said that any such move would be introduced incrementally, and would be accompanied by new measures to support entities hit by online attacks, such as a victim recovery fund.

While federal agencies don’t pay hacker ransoms, legislation would be needed to create a fund so ransomware victims could avoid paying or to elevate cybersecurity resiliency over a period of several years, he added.

“You can phase [a ban] in over time. You can come up with various backstops to help fund or protect them to get them up to a particular level of standards over a period of a couple of years,” Painter told FedScoop.

“Obviously some of the things we suggested require legislation like having a pool of funds and helping victims so they don’t have to pay the ransom or do better in terms of resiliency for these victims,” said Painter, a former federal cybersecurity official. “There’s a lot we can do to disrupt the business model of these ransomware groups and do more to protect victims.”

Painter is the co-chair of the White House-backed Ransomware Task Force (RTF), which was set up in December to foster public-private collaboration in response to the epidemic of ransomware attacks.

He was previously the U.S. government’s most senior cyber diplomat and was a senior member of the team that carried out President Obama’s Cyberspace Policy Review in 2009. He has also held senior roles at the Department of Justice, FBI, the National Security Council and the State Department.

The question of whether companies that fall victim to cyberattacks should pay digital ransom demands has proved central to discussions of how the federal government and the private sector should respond to ransomware attacks.

According to the RTF’s “Combating Ransomware” report, which was published at the end of April, public and private sector representatives were unable to reach an agreement over whether to implement a unilateral ban on such payments. In the report, RTF recommended that government establish cyber response and recovery funds to support ransomware response and other cybersecurity activities.

Advocates of banning the payments say they fuel a market for cyber criminality by guaranteeing hackers that their demands will be met. Opponents say that the cost of paying ransom demands is often a fraction of the damage caused to companies and their shareholders by refusing to pay.

The Department of Justice elevated ransomware investigations to a similar priority as terrorism for that reason and ordered information sharing with RTF, Reuters reported Thursday.

Speaking to FedScoop, Painter said that without a ban, victims who pay risk violating federal law if the ransom winds up going to a group on the Treasury Department’s prohibited enemies list, which currently is hard to determine.

“To enable more companies to bear the financial cost of remediation, national governments should create ‘Cyber Response and Recovery Funds’ (CRRFs),” the report said.

It proposed the creation of a CRRF to help cover the cost of restoring IT functionality for local governments, critical national functions, or other entities as they recover from a ransomware attack.

The late April report recommends the creation of a cyber backstop scheme that could function like the Terrorism Risk Insurance Program (TRIPA), which was created after 9/11 and creates a federal requirement for the government to act as reinsurer of last resort.

TRIPA permits the private sector to provide terrorism insurance by guaranteeing that the government would pay a portion of claims in the event of a major terror attack.

Painter added that the Biden administration’s cybersecurity executive order and its recent budget proposal to allot $9.8 billion to cybersecurity were a “good start” in moving forward the country’s response to the ransomware epidemic.

The cyber expert also noted that the recent ransomware attacks on Colonial Pipeline and food processing giant JBS differed from traditional espionage because of the direct impact they had on the day-to-day lives of U.S. citizens.

“It does make a difference when people can’t get gas or can’t get a hamburger; it brings it home for people,” he said.

Secretary of Defense Austin approves JADC2 strategy

U.S. Secretary of Defense Lloyd Austin has signed off on one of the biggest changes to how the military will fight future wars, approving the Joint All Domain Command and Control (JADC2) strategy that aims to fast-track the use of artificial intelligence and data sharing on the battlefield.

The strategy defines how the military services will approach connecting sensors in the air, on land, at sea, in space and in cyberspace, and use a networked approach to operations. Austin’s signing of the JADC2 strategy marks the beginning of implementing much of the nascent work the military has started, from testing new technologies to developing new concepts of operations to use them.

“We have been given the clear signal to begin,” Lt. Gen. Dennis Crall, chief information officer for the Joint Staff and director of the J-6, which oversees all of the military’s command and control networks, said. “It’s outcome delivery time.”

JADC2 is intended to give the U.S. a greater military advantage by allowing for data sharing through a global, resilient network. Advocates of the new concept say that if a fighter jet can automatically share data with a soldier on the ground, the two units can coordinate more easily.

Within the JADC2 framework, each military service has its own project. The Army has Project Convergence and the Air Force has the Advanced Battle Management System (ABMS). Both are focused on implementing the JADC2 framework, but each with its own emphasis, such as increasing the precision of ground munitions for Project Convergence and in-flight data sharing for ABMS. The Navy also has Project Overmatch, focused on building seafaring networks.

One of the critical points of the new strategy is coordinating the disparate efforts across the military into one interoperable framework of technology and operations. The strategy relies on a cross-functional team (CTF) with members from across the department that can coordinate between services that often do not like working with each other.

“The CTF, that is the widest table setting you can imagine to get after these problems,” Crall told reporters Friday. He added, “we have had pieces of this in the past, we have never had this comprehensively put together.”

Crall added that the DOD needs an enterprise cloud solution for work on JADC2 to continue past experimentation, whether that is the Joint Enterprise Defense Infrastructure (JEDI) or some other contract. JEDI continues to be stuck in legal limbo, with continued protests from Amazon Web Services over the two-time award to Microsoft Azure.

“Where I am at today…I am able to take advantage of that multi-cloud provision,” he said, referring to the DOD’s current cloud offerings. “I think the real question is…how long can you do that?”

Security for any joined-up data sharing system remains a principal concern, and Crall highlighted the need for the DOD to improve identity, credentialing and access management (ICAM) on JADC2 networks.

“If we don’t have a real ICAM solution it will be impossible,” he said.