National AI Initiative Office launched by White House

The White House on Tuesday fulfilled its requirement to establish an office responsible for coordinating artificial intelligence research and policymaking across government, industry and academia.

Dubbed the National AI Initiative Office, it will implement a national AI strategy under the leadership of Founding Director Lynne Parker, who also serves as U.S. deputy chief technology officer.

The White House Office of Science and Technology Policy established the office in accordance with the National AI Initiative Act of 2020, which codified a number of policies and initiatives aimed at ensuring U.S. leadership in the technology globally.

“The National Artificial Intelligence Initiative Office will be integral to the federal government’s AI efforts for many years to come, serving as a central hub for national AI research and policy for the entire U.S. innovation ecosystem,” said Michael Kratsios, U.S. CTO, in a statement.

Some have noted the new office’s logo, which features a bald eagle clutching a neural network — the technology central to machine learning and AI.

The National AI Initiative Act of 2020 was passed as part of the National Defense Authorization Act of 2021 earlier this month.

Additionally the law codified the American AI Initiative to increase research investment, improve access to computing and data resources, set technical standards, build a workforce, and engage with allies.

The White House-based Select Committee on AI was expanded and made permanent to oversee the initiative, and the national AI research institutes and National AI Research and Development Strategic Plan were codified.

A National AI Research Resource for existing compute power and datasets is now required, as is an annual AI budget rollup of all federal investments.

The Industries of the Future Act was also included in the NDAA and requires a plan to double AI R&D investment, as suggested in the Trump administration’s final budget proposal.

DOD expanding 5G testing, partnerships with new software competition

The Department of Defense has been fast at work testing different types of 5G technology on its bases and now wants help to design competitions for building out software and endpoints that will use the fifth-generation wireless telecommunications capabilities.

The forthcoming competition tasks participants to build open “5G protocol stack software,” a core component for using the physical network hardware already being tested by the DOD. It will be run in partnership with the Department of Commerce’s National Telecommunications and Information Administration (NTIA), taking into account recent comments from industry on how best to run the competition.

While yet to launch, the competition is a step in expanding the DOD’s work testing 5G with private sector companies.

The DOD also recently unveiled its 5G implementation plan, a document that outlines how it will turn its strategy for the emerging technology into reality. The plan relies on the open software the department is calling for in its competition. DOD said it will also soon put out a request for the second tranche of 5G “testbed” sites, where commercial companies partner with military services on their bases to test their networks.

“With these testbeds, the Department of Defense is at the forefront of cutting-edge 5G research that will strengthen America’s warfighting capabilities and accelerate advancements in commercial 5G technologies,” Michael Kratsios, DOD acting head of research and engineering, said in a release.

Through these partnerships, the DOD benefits by experimenting with the emerging technology and jointly developing stronger networks to modernize base operations and military operations.

Much of the nation’s strategy to advance U.S.-made 5G tech is implicitly to counter China’s leapfrogging innovations in the telecommunications industry. The U.S. has labeled Chinese-backed companies like Huawei a national security risk.

Intelligence community grows with addition of Space Force

The U.S. intelligence community (IC) grew on Friday with the addition of the Space Force as the 18th member of the community and the ninth component from the Department of Defense.

“This accession reaffirms our commitment to securing outer space as a safe and free domain for America’s interests,” Director of National Intelligence John Ratcliffe said during a Friday ceremony. “American power in space is stronger and more unified than ever before. Today we welcome Space Force to the Intelligence Community and look forward to the power and ingenuity of a space security team unrivaled by any nation.”

The IC is a group of separate government agencies and organizations that conduct intelligence activities and work in the interest of the country’s national security. Space Force is the first new entity to join since 2006, when the Drug Enforcement Administration’s Office of National Security Intelligence became a member.

The addition highlights how space intelligence can be a key element in national security. By making the Space Force a co-equal member of the IC, the military branch can better coordinate intelligence activities and share space-related intelligence with other agencies.

“This move not only underscores the importance of space as a priority intelligence and military operational domain for national security, but ensures interoperability, future capability development and operations, and true global awareness for strategic warning,” Ratcliffe said.

The other IC members from the DoD include the Defense Intelligence Agency, the National Security Agency, the National Geospatial-Intelligence Agency, the National Reconnaissance Office, and intelligence elements of the Army, Navy, Marine Corps, and Air Force.

“Today’s change aligns our newest service with the other members of the Defense Intelligence Enterprise and will help ensure our efforts are coordinated and synchronized across all domains of warfare,” Ezra Cohen, acting Under Secretary of Defense for Intelligence and Security, said in a statement.

State Department site accidentally reports premature end to President Trump’s term

The State Department’s biographical webpages for President Trump and Vice President Pence on Monday displayed premature ends to their terms in office, sending some corners of the internet into a frenzy. Some say it was a disgruntled employee while others are calling it a recurring glitch.

The timestamps kept being pushed back, with the one for Trump reading Jan. 11 at 7:49 p.m. before a message appeared on both pages stating the State Department site was “currently experiencing technical difficulties.”

The internet caught wind of the mishap quickly, with some Twitter users speculating a possible Trump resignation.

Secretary of State Mike Pompeo ordered an internal investigation into which disgruntled employee used the department’s closed content management system to make the changes, BuzzFeed News first reported citing two current diplomats.  However, other reports have called it a glitch, citing that it’s occurred before.

The State Department did not respond to a request for comment by the time of publication.

The prank comes days after violent insurrectionists stormed the U.S. Capitol fueled by Trump’s calls to overturn the presidential election. With the House expected to vote to impeach Trump a second time on Wednesday for inciting the violence that left five people dead, some close to the president have said he’s considered preemptively pardoning himself.

Meanwhile, federal law enforcement agencies are left to hold those who stormed the Capitol accountable. Technology, particularly facial recognition, is playing a key role in identifying and arresting suspects from the mob who entered and defaced the Capitol building.

GSA introduces supply chain security process under Polaris contract

The General Service Administration is working on a tool to better gauge risks to the supply chain, and it could require on-site assessments for vendors.

The so-called Vendor Risk Assessment Program (VRAP) is described briefly in a draft request for proposals for the Polaris Governmentwide Acquisition Contract, the agency’s new information technology vehicle geared towards small businesses.

The program would use both classified and unclassified information to “identify, assess and monitor supply chain risks of critical vendors,” according to the draft. The government could then audit the supply chain for risky processes or events.

The program’s goal would be to monitor the risk of foreign influence, cyber risk and other factors that could impact a company’s vulnerability.

“In the event supply chain risks are identified and corrective action becomes necessary, mutually agreeable corrective actions will be sought based upon specific identified risks,” the draft adds. “Failure to resolve any identified risk in a timely manner may result in Government action up to and including contract termination.”

The idea of VRAP first appeared in a 2017 blog post about reducing cybersecurity risks in supply chain risk management, suggesting the creation of “a well-defined process and robust capability to evaluate known or potential risks related to suppliers of products and services using open source information.”

The creation of such a program could have increased urgency now, in the wake of the SolarWinds hack that left many federal agencies vulnerable to cyber espionage. In December, the Government Accountability Office found that many agencies do not have accurate supply chain risk management practices in place.

GSA is allowing feedback on the program and the draft solicitation as a whole until Jan. 29.

HHS officially named shared service provider for grants management systems

The Department of Health and Human Services finally received its formal designation as a shared service provider for grants management systems Monday.

As an official quality services management office (QSMO), HHS can now stand up a marketplace and its customer agencies choose from a catalog of cloud-based systems and services offered by federal shared service providers.

While HHS presented its implementation plan to the Shared Services Governance Board last July, it had the longest road to becoming the fourth QSMO because it lacked a preexisting shared services model like the others.

“The grants QSMO is unique in that its marketplace will have a direct impact on the public at large,” Federal CIO Basil Parker said in the announcement. “Modernizing and leveraging shared grant solutions across the government should improve the user experience and service quality for the grants community and the federal government.”

Systems HHS’s marketplace will cover include grant management of pre-awards, awards, post-awards and closeouts, as well as recipient oversight.

The QSMO has its roots in the HHS ReInvent Grants Management Initiative proposed in 2017 as part of ReImagine HHS, the goal of which was to reduce administrative burden while improving transparency and efficiency.

Sharing quality services is Cross-Agency Priority Goal 5 in the current President’s Management Agenda, and the Office of Management and Budget is charged with designating QSMOs for standardizing agencies’ IT.

The other initial, official QSMOs include the Cybersecurity and Infrastructure Security Agency for cybersecurity services, Treasury Department for financial management services and General Services Administration for human resources services.

Just because HHS lacked a formal QSMO designation doesn’t mean its work toward a marketplace stopped.

“While we’re awaiting formal designation, we’ve been making significant progress in understanding the existing grants management ecosystem, engaging stakeholders including federal service providers, and supporting business offices bringing quality shared services to the market to accelerate the impact once we are designated,” said Alice Bettencourt, QSMO executive lead for HHS, in September.

The Army has built the largest facial recognition database of thermal images

The Army has built the largest public dataset in the world of thermal images of faces — a major step in expanding the technology’s ability to identify people in the cover of darkness using artificial intelligence.

The service announced the creation of the Army Research Laboratory Visible-Thermal Face Dataset in a recent research paper. The dataset has more than half-a-million images of 395 subjects.

“This dataset is, to the best of our knowledge, the largest thermal face dataset publicly available for scientific research to date,” stated a paper from the Army Research Lab, which partners with West Virginia University, Booz Allen Hamilton, Johns Hopkins and the University of Nebraska-Lincoln in the project.

Such a dataset is important to the Army and other organizations that run 24/7 operations and don’t always have the benefit of sunlight when identifying a subject. The Army’s work could make facial recognition technology even more ubiquitous down the line for federal agencies, giving them the ability to work in the dark and the light.

Facial recognition is in the news of late for its use in identifying pro-Trump rioters who stormed the Capitol last week. There is still a “large gap” between the type of facial recognition technology used for that type of identification and the thermal image identification the Army hopes to improve upon, as thermal images have lower definition and quality. But, there have been recent advances in technology in the thermal cameras themselves, which can now render higher quality images with more defining features.

With the dataset of images, now comes the heavy lifting of artificial intelligence where models need to be trained on the data and adjusted for accuracy. The use of such facial recognition is a controversial topic due to its trained bias and lack of accuracy — especially on people of color and women — and privacy concerns.

The dataset is not perfect nor will it immediately lead to the night-and-day ability for facial recognition to identify people. The paper indicates that initial algorithms used with the dataset failed when subjects wore glasses or their face was “off-pose” from images in the training data. It’s also relatively small in scale. Other successful databases used to recognize faces in normal images tend to be much larger, such as Clearview AI’s. which claims to have billions of scraped photos in its dataset.

Industry urges agencies to accelerate zero trust adoption after SolarWinds hack

The SolarWinds hack could prove the spark that gets agency holdouts to adopt zero-trust security and hastens additional guidance from government, cybersecurity experts say.

Pandemic considerations delayed the National Institute of Standards and Technology‘s work on zero-trust reference architectures that will help agencies know what security tools to deploy.

Cyber experts hope that work will accelerate in the wake of one of the most serious incidents of digital espionage in U.S. history and that agencies will consult the special publication on zero trust that NIST finalized in August for the time being.

“We can’t see federal agencies kick this thing down the road anymore,” Stephen Kovac, vice president of global government and compliance at Zscaler, told FedScoop.

Zero trust could not have stopped the SolarWinds hack, which occurred when Russian hacking group APT29, or Cozy Bear, added source code into the tech company’s Orion software build process in a supply-chain attack. SolarWinds’ updating system was then used to push out malware compromising at least eight agencies.

But zero trust could, and did, mitigate that malware’s ability to spread across networks, cyber experts say.

“If SolarWinds would have happened a year ago or two years ago, I think agencies would have had a lot more consternation about it,” said Sean Frazier, federal chief security officer at Okta, in an interview.

Many agencies have started work improving their identity and access management, a component of zero trust, Frazier said.

But zero trust is a collection of solutions including cloud workload protection, micro-segmentation and secure access service edge (SASE) capabilities that provide agencies with full visibility and allow them to enforce consistent security policies across their networks.

Agencies with a zero-trust capability like SASE could’ve prevented malware from sending information out via the internet, but many agencies stop at one or two such capabilities. About 18,000 organizations were infected, though not all of them have seen malicious activity since.

“They’re kind of operating on the fly,” Kovac said. “They’re buying one solution and thinking they’ve got zero trust now.”

Agencies that haven’t already done so need to inventory the things on their network they care about, establish privileged accounts and multi-factor authentication for those things, and move identity and access management technologies to the cloud, Frazier said.

“I always think of the Star Wars movie, when they’re in the channel getting ready to blow up the Death Star, and they’re saying, ‘Stay on target. Stay on target,'” Frazier said. “That’s exactly what the situation is for zero trust: Don’t distract yourself; work on the basics.”

Other steps compromised agencies could have taken that would have mitigated the SolarWinds hack include preventing third-party vendor tools from having unnecessary privileges. SolarWinds “unfortunately” needs visibility across all the servers its software monitors, but compromised agencies could have restricted its access to the internet and limited it to only talking to its update infrastructure, said Deepen Desai, chief information security officer at Zscaler.

Agencies still would have been compromised by the SolarWinds update in that scenario, but their command-and-control infrastructure would’ve been protected.

Cloud workload protection, another zero-trust capability, could have identified anomalous activity faster when a SolarWinds server in a data center began connecting to unknown destinations, Desai said.

The concern now for agencies whose zero-trust architectures remain in their infancy is that the SolarWinds hack could have a ripple effect if another software vendor serving thousands of its own customers, including agencies, was compromised.

“If the nation-state actor has established persistence in their environment — and they’re able to do a similar supply chain attack using their supply chain infrastructure — then the possibilities are endless,” Desai said. “You will discover more and more similar types of scenarios in the coming months, as things get investigated in this Orion case.”

How the DOD is leading the charge on zero trust

The Department of Defense has been ahead of the curve in security practices on many fronts, a trend that is no different in the push for zero-trust architectures for government networks.

For many in the DOD cybersecurity workforce, zero trust is a buzzphrase that bundles practices they have helped pioneer. Defense-in-depth, compartmentalization and working in secure spaces all are practices incorporated in the central concept of zero trust, where no user or data on a network is trusted or given broad access. The difference is now zero trust is being embraced as a whole-of-network concept that DOD is ready to fully implement as more than just a security practice for sensitive material.

“In many ways, folks in DOD were practicing zero trust all along,” secure messaging platform Wickr co-founder Chris Howell said in an interview last fall. Howell added that DOD appears to be combining many of its past practices.

“It is like bundling up those things into one formal methodology,” Howell said of recent announcements from the Defense Information Systems Agency (DISA) regarding moves to zero trust for enterprise networks.

At the end of 2020, DISA announced it would be publishing a reference architecture guide for agencies across the DOD to move to a zero-trust operating model. The hope from DISA is to have an “evolving” model that can meet new security needs as threats evolve, Director Vice Adm. Nancy Norton said in January during an AFCEA conference.

That methodology is coming into greater importance with the fallout from the SolarWinds hack, where suspected Russian cybercriminals were able to access government networks through compromised technology that the DOD used. While DOD said it has yet to detect breaches, in a zero-trust world the hacker’s lateral movement across any compromised network would be truncated.

“You can shut off SolarWinds today … but how do you assess the integrity and clearness of the environment after that?” Ben Johnson, a former NSA cyber operator and co-founder of cloud security firm Obsidian, told FedScoop after the hack became public.

In a recently revised strategic planning document that DISA published for the next two years, developing the zero-trust reference guide and building out from there was one of the first milestones for the agency. DISA noted it is working with the National Security Agency, U.S. Cyber Command and DOD Office of the Chief Information Officer on zero trust adoption.

Industry following DOD

For all the hand-wringing on the sluggish pace for much of the department‘s adoption of enterprise technologies, zero trust might be one of the few that DOD has led the charge on,  Howell said.

“I’m pretty sure RSA next year will have a large majority of booths have that phrase on it,” Howell said, referring to one of the largest cybersecurity conferences.

But what puts DOD ahead of the curve on zero trust are the practices behind the buzzword. The DOD has long heavily segmented user access to information and its disparate systems have by nature created separate networks. The way to bring these practices into a true zero trust means of operating is by being more intentional and centralizing them under one operating methodology.

Being ahead of the curve also naturally means DOD is likely to hit speed bumps before others on the road to zero trust.

The first bump is the complexity of centralizing network traffic monitoring so that zero-trust principles can be applied to users. Networks need to be structured to fully incorporate zero-trust principles, Johnson said.

“You don’t have to do it all at once, but you are trying to get to a place where it’s the default method,” he said.

Monitoring data is a process that takes resources, and more resources often mean fighting for more budget space for the less-sexy back-office IT than for a new weapons program.

The second major challenge Johnson predicts is even bigger: retraining the humans on the networks to adjust to reduced network privileges.

“When you have humans in the loop it just changes the number of time requests and credentials can take,” Johnson said.

‘It’s not going to be very hard to ID them’: Feds have tools to easily track down Capitol rioters

As a riotous mob of Trump supporters filled the U.S. Capitol building Wednesday, many left plum digital footprints federal law enforcement agencies can easily use to track them down and charge them.

The FBI has some of the most powerful facial recognition systems in the country, according to outside experts. And because few arrests were made during the deadly unrest, law enforcement officials will now have to depend on that technology to speed up the process of tracking apparent criminals through the many videos, images and other digital “fingerprints” they left behind.

Paired with the reams of open source information, the FBI has the technology to easily identify possible criminals, rather than having to manually connect the dots, a former FBI official told FedScoop.

“For most people [that were] there, it is not going to be very hard to ID them,” the official said.

Some of the suspects are making it easier than others, like the man who put his feet up on House Speaker Nancy Pelosi’s desk and took a letter from her office. He volunteered his name and hometown to the media, and Friday, he was arrested by the FBI.

“This arrest demonstrates to all individuals involved in January 6 incursion into the U.S. Capitol that the FBI will find you and hold you accountable for your crimes, no matter your location,” the FBI said in a statement.

The FBI has set up a portal for the public to send videos and images that can be used to track down and investigate those who appeared to violently trespass in the Capitol. It’s unclear how other agencies — like the Capitol Police that bore the brunt of Wednesday’s insurrection and is charged with protecting the campus — are working together on the technical front.

The bureau has two facial recognition programs in its Criminal Justice Information Services (CJIS) Division: the Next Generation Identification (NGI) System and the Facial Analysis, Comparison, and Evaluation (FACE) Services Unit, according to congressional testimony in 2019.

The technology, in general, has advanced to a place where even long livestreamed videos from the event could theoretically be extracted and used to generate high-confidence identification of people in footage, Shaun Moore, CEO of facial recognition company TrueFace, told FedScoop. He added that with multiple angles and tattoo-recognition, accuracy increases.

The same is true for social media photos, according to Clearview AI founder Hoan Ton-That.

“If there is a photo that is as small as 110×110 pixels, of reasonable quality, Clearview AI’s customers are able to accurately search and help identify that person,” he told FedScoop. The company, which has faced controversy over its data-scraping practices, has over 2,400 law enforcement customers in the United States, including the Department of Homeland Security and the FBI.

But law enforcement might not even need something that powerful. Many high-quality photos exist of maskless rioters, many posted by the very people who broke the law by storming the Capitol. And the odds aren’t in their favor: Many of the people in photos and videos taken during the insurrection appear to be white males — a group that facial recognition tends to more accurately identify, according to a study on the technology’s bias by the National Institute of Standards and Technology.

There are few if any legal boundaries on how facial recognition can be used in an investigation, Jake Laperruque, senior counsel at the Project for Government Oversight, told FedScoop. The FBI’s internal policy is to use the technology only for open investigations and internal assessments, Laperruque added. Besides that, the agency can start running images through its facial recognition systems to identify rioters.

“The FBI probably has the most powerful facial recognition [technology] in the country,” Laperruque said.

Otherwise, most regulations on the technology’s use are at the state and local level, like a wide-reaching and comprehensive law in Washington state that put guardrails on the government’s use of the technology. Sen. Ed Markey, D-Mass., introduced a bill last June after the Black Lives Matter protests to curb the use of biometric technology and facial recognition, but it failed to make it past committee.

For the complex jurisdiction of Washington, D.C., evidence from a 2020 court case involving Black Lives Matter demonstrators who were cleared from Lafayette Square on June 1 revealed the existence of a facial recognition system built by the Metropolitan Washington Council of Governments. The National Capital Region Facial Recognition Investigative Leads System (NCRFRILS) has been used more than 12,000 times since 2019 and has a database with 1.4 million people, according to reporting from the Washington Post. The program, which never exited a pilot phase, was funded until December and it’s unclear whether law enforcement could use the tool to identify Capitol rioters.