Many agencies don’t see ‘clear value’ in digital government — survey

A new report shows a majority of government agencies have adopted or are interested in adopting digital services, but not all see the clear value of such programs.

A 69-percent majority of government respondents are in some way supportive of adopting digital government programs, while the rest remain skeptical of digital government’s benefits, according to the survey, sponsored by the Unisys Corporation.

“Government agencies must meet citizens’ expectations of customer service based on what they see in commercial companies, and they should not hesitate to reap the benefits digital government can offer in terms of cost savings, enhanced security and a more efficient workforce,” said Mark Forman, global head of public sector at Unisys.

The results, however, showed that agencies are more divided in seeing a clear value in digital government. Fifty-five percent said their agency wants to offer more innovative digital government services. The other 45 percent were either neutral or disagreed.

The survey, which addresses organizations at the federal, state and local levels, defines digital government as the process by which agencies harness various digital technologies, like cloud, virtualization, advanced data analytics and mobile.

The leading reason for skepticism about the digital government movement, the survey found, is security. Fifty-seven percent of respondents said that their agencies were “very concerned” with potential security risks. Another 35 percent were “somewhat concerned.” Many were also concerned with their agency’s lack of staff with the necessary expertise.

Respondents believe the most important benefits of digital government are improving internal business processes and service delivery, with 66 and 65 percent, respectively, reporting these benefits as “very important.”

Despite the criticisms some respondents laid out, Unisys found that government agencies that are further along the path to adopting digital government are more likely to have superior capabilities in areas such as security, cloud, mobility and IT service management, compared to agencies that expressed skepticism.

“Beyond the direct benefits offered by digital government, there are multiple indirect benefits to government agencies in terms of more mature capabilities and forward-looking workplace cultures,” said Casey Coleman, group vice president for civilian agencies at Unisys Federal. “For these reasons, we believe more agencies will take the appropriate security measures and embrace digital government in the future.”

The report found 42 percent of agencies in the public sector to be digitally mature.

Volkswagen turns to Israeli cyber experts to launch new business

Volkswagen, an automobile manufacturer that is no stranger to the threats posed by hackers, is founding a specialized division to protect its next-generation vehicles from cyberattacks.

By partnering with a foreign security research team laden with former Israeli defense officials, Volkswagen announced Wednesday it is launching a new, highly specialized venture called Cymotive Technologies. Former head of the Israeli Security Services Yuval Diskin, 27-year Israel Ministry of Defense veteran Tsafrir Kats and Claremont University professor Tamir Bechor will lead the group. 

“The car and the Internet are becoming increasingly integrated. To enable us to tackle the enormous challenges of the next decade, we need to expand our know-how in cybersecurity in order to systematically advance vehicle cybersecurity for our customers,” said Volkmar Tanneberger, head of electrical and electronic development for Volkswagen, in a statement. 

A recent report from BI Intelligence predicts that there will be more than 380 million connected cars on the road by 2021. 

News of the recently established company follows roughly one month after independent researchers from the University of Birmingham in tandem with German engineering firm Kasper & Oswald publicly disclosed a concerning software vulnerability evident in millions of Volkswagen vehicles. 

A majority of Volkswagen’s automobiles developed since 1995 are reportedly susceptible to a complex exploit that involves intercepting key fob signals and cloning them in order to unlock a door remotely, according to evidence presented by researchers at the Usenix cybersecurity conference in early August. 

Beyond industry, the federal government is also taking steps to signal it understands the threat of hackers targeting commercial-grade vehicles. 

Last week, the Department of Justice’s John Carlin, assistant attorney general for national security, announced that the DOJ had recently stood up an Internet of Things cybersecurity working group to investigate the risks associated with internet-connected cars, among other things.

Audit: Federal CISOs need more authority, guidance

Most chief information security officers in federal agencies and departments lack clear authorities — and the White House needs to issue guidance to ensure they have the powers they need to do their jobs.

That’s the conclusion of an audit by the Government Accountability Office, published this week, which looked at the CISO role in the 24 federal departments and agencies covered by the Chief Financial Officers Act.

The 2002 Federal Information Security Management Act and its successor, the 2014 Federal Information Security Modernization Act, collectively known as FISMA, require agency CIOs to designate a CISO and give those CISOs clear responsibilities. But just over half of the agencies surveyed, 13 of them, “had not fully defined the role of their CISO in accordance with these [FISMA] requirements,” write the auditors in their report.

“This lack of clarity … hinders CISOs’ ability to address challenges to their authority” from other elements of the agency, leading to friction and conflict, auditors found. A GAO survey of the 24 CISOs conducted as part of the audit revealed that all but two of them faced some level of problems balancing operational and security imperatives. Also, many had difficulty “ensuring that senior managers are aware of information security risks facing the agency.”

Other difficulties identified by a majority of the CISOs included coordinating with other agency offices or components, the availability of contractor information, the oversight of contractors and indirect reports — often in other parts of the agency — and the CISO’s placement in organizational hierarchy.

“Although [the White House Office of Management and Budget, or OMB] has responsibility under FISMA for providing guidance to federal agencies, it has not issued guidance clarifying how agencies should implement recent provisions in federal law aimed at strengthening their oversight of information security activities or the role of agency CISOs in carrying them out,” write the auditors.

“The Director of OMB should issue guidance for agencies’ implementation of the FISMA 2014 requirements,” the auditors conclude, to provide more clarity on the authorities and responsibilities of the CISO to enforce those new requirements.

In emailed comments about a draft copy of the report — comments that are not reproduced in the public report — OMB officials pushed back on that recommendation, saying existing guidance “provides sufficient and clear details on the expectations for agencies, to include procedures for overseeing and managing their information security programs.” OMB also contended that overly prescriptive guidance might tie the hands of agencies.

“We disagree that existing guidance and oversight mechanisms provide sufficient clarity for agencies on how to implement the new FISMA 2014 provisions,” write the auditors.

The CISOs surveyed also identified other challenges, including staffing shortages — “insufficient personnel to oversee security activities effectively” — problems recruiting, training and retaining skilled staff, and a lack of resources.

Anne Rung leaving OFPP for Amazon


U.S. Chief Acquisition Officer Anne Rung is leaving government after seven years, an Office of Management and Budget official confirmed to FedScoop.

Rung spent the past two years as the administrator of OMB’s Office of Federal Procurement Policy, and before that she served as the General Services Administration’s associate administrator for the Office of Governmentwide Policy and the Commerce Department’s senior director of administration.

She will move to Seattle to join the Amazon Business team in a government-facing role as global leader of its public sector division, the company told FedScoop. Her first day will be Nov. 1.

Of late, Rung’s biggest achievements center on promoting the governmentwide acquisition push toward category management and smarter spending on IT through centralized contracts.

“Anne has been a driving force in implementing the President’s vision for a modern, more efficient, and more effective Government,” OMB Director Shaun Donovan wrote to staff announcing Rung’s departure.

Donovan goes on to credit her with helping save “taxpayers more than $2.1 billion by reducing duplication and fragmentation in Government purchasing and by leveraging our posture as the world’s largest buyer,” strengthening the workforce by “launching the first-ever Digital IT Acquisition Professional Training program to teach contracting officers how to buy IT better” and bringing “greater innovation and efficiency to Federal contracting through the creation of such tools as the TechFAR and the establishment of the Acquisition Innovation Advocates Council to institutionalize new and innovative practices.”

“Anne has consistently advanced innovative and effective policies that are making the Federal supply chain more effective, efficient, climate-smart, and socially responsible,” he wrote.

Now at Amazon, “her strong leadership and deep knowledge of public sector procurement will help her build upon the progress Amazon Business has made in better serving public sector customers,” said Prentis Wilson, vice president of Amazon Business, the tech giant’s relatively new marketplace line tailored to businesses’ needs.

Rung is a two-time honoree on “D.C.’s Top 50 Women in Tech” list, produced annually by FedScoop.

Federal News Radio first reported Rung’s departure.

Bill would let feds use Uber, Lyft during WMATA SafeTrack maintenance

House lawmakers want to let federal employees commute using ridesharing apps like Uber and Lyft as alternatives to metro trains during the pandemonium of the transit system’s SafeTrack maintenance surges.

The House Oversight and Government Reform Committee unanimously approved Thursday the Transit Benefits Modernization Act, a bill that would let government personnel use transportation network companies — any entity “that uses a digital network to connect riders to drivers affiliated with the entity in order for a driver to provide transportation services to a rider” — under their agency’s transportation “fringe” benefits while the Washington Area Metro Transit Authority conducts “safety surge” track work.

Other hired services, like taxis and liveries, would also be covered under the bill.

Reps. Gerry Connolly, D-Va., and Mark Meadows, R-N.C., introduced the bill July 6.

Federal employees constitute about 40 percent of WMATA’s peak-hour ridership, according to the legislation. While WMATA has recommended its riders consider alternative means of commuting, government workers are incentivized to continue taking the metro because it falls under their agency benefit plans.

“The Federal Government, which is negatively affected when employees cannot easily commute to and from work, has an interest in assisting employees with alternate commuting options,” the bill reads.

The bill, if enacted, would extend through the end of calendar year 2018 within the Washington, D.C., metro area. WMATA’s SafeTrack surge is scheduled to conclude in March 2017, though “service disruptions will continue to occur following SafeTrack as routine maintenance is needed,” the bill explains.

Federal employee use of ridesharing apps is a growing concern on Capitol Hill. There are similar bills in each house — both named the Modernizing Government Travel Act — that would allow personnel to use the apps for transportation when on official government business. The House Oversight and Government Reform Committee approved its version of the bill Thursday, the same day a group of lawmakers introduced the Senate version.

“Ridesharing and bikesharing platforms provide safe transportation options for consumers, create jobs and reduce traffic,” Gary Shapiro, president and CEO of the Consumer Technology Association, said in a statement. “Federal employees deserve reassurance that they can be reimbursed when they use services such as Uber or Lyft for official business… We encourage both the House and Senate to swiftly pass these bills in order to save taxpayers money and give federal employees the transportation choices they deserve — choices already enjoyed by millions of American workers.”

NSA: no zero days were used in any high profile breaches over last 24 months

Over the last 24 months, the National Security Agency has been involved in incident response and mitigation efforts for “all the high profile incidents you’ve read about in the Washington Post and New York Times,” said Curtis Dukes, deputy national manager of security systems within the NSA. 

The one common characteristic shared by these incidents, said Dukes, was that hackers were using relatively simple techniques — like spear phishing, watering-hole attacks and USB drive delivery — rather than zero-day exploits to launch successful attacks.

“In the last 24 months, not one zero day has been used in these high profile intrusions,” Dukes said Thursday during the Federal Cybersecurity Summit presented by Hewlett Packard Enterprise and produced by FedScoop. 

“The fundamental problem we faced in every one of those incidents was poor cyber hygiene,” Dukes explained, “when you walk in the door to do incident response and the first thing you ask for is ‘Can you give me a diagram of your network?’ And they can’t produce that. Well, we’ve got a problem.” 

In each of the mentioned cases, the adversaries were able to take advantage of poorly patched and managed systems, Dukes said. 

Though it remains unclear exactly which incidents Dukes spoke to, some of the largest breaches in 2015 and 2016 have included medical insurers Anthem and CareFirst. 

Publicly disclosed for the first time in February 2015, the cyberattack on Anthem, one of the U.S.’s largest healthcare insurers, caused 80 million patient records to be compromised. Those digital records contained sensitive information like Social Security numbers, birthdays, addresses, email and other employment information belonging to Anthem customers and employees. 

At the time, private sector security researchers believed that the hackers were able to infiltrate Anthem’s networks by using a “sophisticated malicious software program that gave them access to the login credential of an Anthem employee,” the New York Times reported.

So, you’ve assumed compromise. Now what?

NATIONAL HARBOR, Md. – The once-radical notion that cyber defenders should assume hackers are already in their network is now conventional wisdom. But the implications of it are still taking hold, experts and officials said Thursday.

“The guarantee [that perimeter defenses used to provide] is absolutely no longer there,” said Sue Barsamian, the senior vice president and general manager of security products for Hewlett Packard Enterprise. 

“Does anyone here not assume compromise? Raise your hand,” Barsamian urged a standing-room only crowd of federal officials and business executives gathered for the Federal Cybersecurity Summit sponsored by HPE and produced by FedScoop. Not a single hand went up.

“They’re either in, or they’re going to get in. So then, speed matters … being faster than the attacker matters,” she said, highlighting the role of the security operations center, or SOC, which has to detect intruders.

The need to detect intruders quickly was also highlighted by comments during a discussion between National Institute of Standards and Technology senior cybersecurity adviser Ron Ross and Bill Horne, director of security research at Hewlett Packard Laboratories.

“Cyber is like cancer,” said Ross, “you might feel fine at first, but out of sight, very bad things are happening.”

Ross sounded a pessimistic note on cybersecurity overall. “We’ll get better at this, over time,” he said, “But we’ll never outpace our attack surface growth.”

Tom Powledge, vice president and general manager of ArcSight, observed that “the most mature and innovative SOCs, across the world” were being proactive in hunting down threats, standing up separate teams to look at threat intelligence with an eye to “driving strategy … proactively hunting” for intruders.

“They’re setting up these data lakes so that they can go in and proactively look through for these anomalies,” Powledge added. He spoke at a panel discussion later in the day.

Barsamian highlighted the importance of using that data correctly. SOCs did not need that “101st alert,” she said. “Using analytics to identify threats … is to really miss the big picture.”

“You shouldn’t stop at using analytics to throw up alerts or you’ll end up, not with a SOC that’s faster than the attacker, but with a SOC that’s handling more alerts,” she warned.

A second consequence of assuming compromise, Barsamian said, was “shifting to a data-centric security posture.”

“If you can’t … keep them out, you need to control access to the data they want.”

Encryption is obviously the answer, she said, but the problem is that for the last decade encryption has meant encrypting data at rest and in transit — not while it is actually being used.

“Encrypting the container and the pipe,” was not enough, she said.

“You have to build the protection into the data, so that the protection travels with it,” she said.

The third way that defenders were coming to grips with assuming compromise was by focusing on software security.

“The application is the new perimeter,” Barsamian said. 

The Department of Defense, recognizing this, has sought to provide engineering support “throughout the lifecycle of acquisition programs,” said Kristen Baldwin, the acting deputy assistant secretary of defense for systems engineering. “We have experts in our engineering labs and centers that care very deeply about this,” she said at an earlier session.

She touted the department’s new Joint Federated Assurance Center, where those experts hunted for vulnerabilities in new military technologies.

New tools make it possible for developers to check their code as they go, said Rob Roy, HPE Security’s public sector CTO.

“It’s almost like a spellchecker,” he told FedScoop.

White House calls for updated senior agency privacy positions

The Office of Management and Budget released guidance Thursday updating the roles and responsibilities of senior agency officials for privacy.

The new guidance requires each agency to assess its privacy program and either designate or re-designate someone to be the SAOP. Those designated would be “leaders who have agency-wide responsibility and accountability for the agency’s privacy program,” according to a blog post by OMB Senior Adviser for Privacy Marc Groman.

FedScoop reported in February that only a handful of departments had a legislatively mandated privacy officer.


The guidance was updated “in light of recent innovations in technology and advancements in information analytics so that agencies are better positioned to address the new and complex challenges of the information age,” Groman wrote.

The blog post also notes that the designated officials should be given the authority to lead and carry out agencies’ privacy programs.

It also notes the new guidance “Requires the SAOP to take a central role at the agency in policy development and evaluation, privacy compliance and privacy risk management.”

Groman wrote that improvements in technology have allowed the government to provide better service.

“At the same time, we’re working to ensure that the Government’s privacy practices evolve to appropriately reflect the Government’s use of these ever-changing technologies,” he said, “while also maintaining America’s position as a leader in innovation.”

HHS awards $87M for health center IT enhancements

The Department of Health and Human Services awarded $87 million to health care centers across the country Thursday to enhance their IT systems.

“Health centers across the country are instrumental in providing high-quality, comprehensive primary health care to millions of people,” Secretary Sylvia Burwell said in a statement. “This investment will help unlock health care data and put it to work, improving health outcomes and building a better health care system for the American people.”

The awards will help 1,310 health centers in every U.S. state, the District of Columbia, Puerto Rico, the Virgin Islands and the Pacific Basin update their systems to support the transition to value-based models of care, improve their efforts to share and use data to drive decisions, and increase engagement, an HHS release says.

Awardees are required to use the funds to purchase or upgrade to electronic health record systems that use technology certified by the Office of the National Coordinator for Health IT.

This is the first major award granted by HHS for health center IT improvements since 2009, HHS says. The money comes from the Affordable Care Act’s Community Health Center Fund, extended by the Medicare Access and CHIP Reauthorization Act of 2015.

“These awards will allow health centers to deliver higher quality of care to patients and spend health care dollars in a smarter way,” said Jim Macrae, acting administrator of HHS’ Health Resources and Services Administration.


Bill to help agencies modernize IT quickly passes committee

The House Oversight and Government Reform Committee approved a bill Thursday designed to help government modernize its aging technology.

The bill, which combines elements of Maryland Democratic House Minority Whip Steny Hoyer’s IT Modernization Act and Texas Republican Rep. Will Hurd’s MOVE IT Act, will next move to the House floor for a vote.

The Modernizing Government Technology Act would create individual IT working capital funds for each of the 24 CFO Act agencies and a centralized IT modernization fund housed in the Treasury Department that executive branch agencies could apply to draw from.


“Last year, the federal government spent $80 billion on IT systems, 80 percent of which was spent maintaining outdated, legacy systems,” Hurd noted in a statement. “We don’t have to be stuck in the Stone Age.”

Hurd is a co-sponsor on the new hybrid bill with Rep. Gerry Connolly, D-Va., who notably helped pen the Federal IT Acquisition Reform Act passed in 2014.

“It will build on the success of FITARA by investing savings in retiring dated, legacy systems and accelerating our transition to the cloud,” Connolly said in a statement.

Hurd collaborated with Hoyer and other co-sponsors on both sides of the aisle to develop the new bill, including House Majority Leader Kevin McCarthy, R-Calif.; committee Chairman Jason Chaffetz, R-Utah; and Rep. Elijah Cummings, D-Md., who expressed his support for the bill during the markup.

“This bipartisan legislation would provide a mechanism for agencies to speed up the process in moving from legacy IT systems to cutting edge cyber technologies,” Cummings said during the markup. “Congress cannot realistically mandate that agencies stop legacy computer systems without offering alternative options.”

During the markup, Cummings in particular cited concerns that federal computer systems are so old that they cannot ward off cyber attacks.

“Every day our nation’s cyber networks come under increasingly sophisticated attacks,” the committee’s Democratic ranking member said. “Those assaults often succeed because federal computer systems are so outdated that they cannot implement network defenses as basic as encryption.”


In his statement, Hurd also noted that “a move to growing technologies like the cloud can help keep our information secure, while saving billions of dollars.”

“It’s time to stop wasting tax dollars and move government into the 21st Century,” he said.