Page 833 | FedScoop

FWS plans to digitize its employee performance tracking system

The Fish and Wildlife Service’s method of tracking the performance of its employees may soon get an upgrade.

Human resources software company Acendre is developing a pilot with the Interior Department agency to replace its paper-based performance management system with a new automated platform. The agency aims to deploy a pilot of the system in early 2017 — and, if all goes well, potentially launch the system to the agency’s 9,000 workers.

The pilot is part of a larger project within the agency to streamline its business processes, Pamela Sirotzky, chief of FWS’ Office of Business Innovation and Transformation, told FedScoop.

When the Office of Personnel Management in 2008 issued its End-to-End Hiring Roadmap, aiming to reduce the time it takes to hire a federal worker to 80 days, FWS conducted an analysis of its own processes and found it missed the mark, she said.

“We wanted to come up with ways to improve what we felt were the bottlenecks in the hiring process as well as in employee management processes,” Sirotzky said.

So FWS started replacing paper-based HR processes with automated systems, first constructing a digital library of job descriptions and then building on it with new applications to create a suite of interconnected web tools, called the Human Capital Management System.

Acendre’s cloud-based software will use APIs to draw from that system information about job titles and reporting structures to help provide a dashboard for managers.

The program presents managers with a picture of who reports to them and allows them to electronically enter goals for each of their employees, Mike Giuffrida, co-founder and CEO of Acendre, told FedScoop.

Employees, over the course of each performance appraisal period, can use the system to take note of their achievements in an electronic journal. During the performance review, the employees and managers can then access that information.

The system can also automatically generate a development plan for employees who are falling short in an area. In the long term, the platform will be able to gather data on how engaged workers are over time based on how they self-report their job satisfaction.

“There’s big challenges in the federal government [workforce] at the moment with aging baby boomers and having to do more with less, so performance engagement are fundamental,” Giuffrida said.

Acendre started in Australia but came to the U.S. in 2010. While FWS is the first U.S. federal agency to use the company’s performance management system, the Agriculture Department uses Acendre’s recruiting tool, Giuffrida said.

After FWS launches a performance management application, Sirotzky said she’s not sure what her team will tackle next. She noted, though, that a benefit to streamlining the HR process is it helps standardize how the decentralized agency — which manages the country’s 150 million-acre National Wildlife Refuge System and has offices across the country — operates, Sirotzky said.

“At the end of the day … these tools are not created to make HR’s lives better, they’re created to make managers’ lives better,” she said. She added, “A manager’s time is better spent doing mission-critical work.”

Contact the reporter on this story via email Whitney.Wyckoff@fedscoop.com, or follow her on Twitter @whitneywyckoff. Sign up for all the federal IT news you need in your inbox every morning at 6:00 here: fdscp.com/sign-me-on.

Library of Congress hit with a denial-of-service attack

Update, 7/20/16 4:10PM: a blog post written by Library of Congress Chief Information Officer Bernard Barton reads: “Our team of Library IT professionals and contract partners have returned our networked services to normal functionality … This was a massive and sophisticated DNS assault, employing multiple forms of attack, adapting and changing on the fly. We’ve turned over key evidence to the appropriate authorities who will investigate.”

Some of the U.S. Library of Congress’s websites are currently inaccessible as the result of a denial-of-service attack, the Library of Congress announced Monday.

The cyberattack was originally detected on July 17, a spokesperson told FedScoop. The attack has also caused other websites hosted by the LOC, including the U.S. Copyright Office, to go down. Library of Congress employees were reportedly unable to access their work email accounts or visit internal websites.

“The Library is working to maintain access to its online services while ensuring security,” the spokesperson said.

As of mid-morning Tuesday, outages continued to affect some online properties managed by the Library. Another Library of Congress spokesperson told FedScoop that some email accounts are now functioning.

In June 2015, the Government Accountability Office published a limited-distribution report — undisclosed publicly though it was sourced in a 2015 GAO testimony to the Committee on House Administration — highlighting digital security deficiencies apparent at the Library of Congress, including poor software patch management and firewall protections.

A DoS-style attack typically interrupts or temporarily suspends the services of a host who is connected to the internet by flooding their online address with fake internet traffic. Cybersecurity experts tell FedScoop that DoS — also known as a domain name system-based attack — are commonly employed by hackers to disrupt online assets. These cyberattacks, however, remain difficult to guard against.

“DoS attacks that leverage DNS as a transport is a common mechanism for flooding target sites with unwanted traffic for two reasons,” Tod Beardsley, a senior research manager for Boston-based cybersecurity firm Rapid7, wrote to FedScoop in an email.

Beardsley explained, “DNS traffic is often passed through firewalls without traffic inspection, since timely responses to DNS are critical for many networked environments. [And] second, DNS nearly always uses User Datagram Protocol, or UDP, rather than Transmission Control Protocol, or TCP, and UDP-based protocols like DNS are connectionless. As a result of this design, it’s easier for attackers to forge data packets with many fake source addresses, making it difficult to filter good data over bad.”

LookingGlass Chief Scientist Jason Lewis said that DoS attacks are popular because they are “easy to perform.”

“Filtering DNS requests to ensure they meet DNS protocol standards are a good way to move the attack load onto a network filtering device … there is hardware that can filter requests and reduce the attack impact, [but maybe] the Library of Congress isn’t using a service provider that specializes in the DoS and DDoS,” Lewis said.

The attack was first reported by FCW.

Want more stories like this? Sign up for the CyberScoop newsletter and allow us to make sense of it all. To contact the reporter on this story: send an email via chris.bing@fedscoop.com or follow him on Twitter at @Bing_Chris.

Report: ransomware crooks rely on customer service to cash in

Cyber criminals infecting computers with ransomware — a type of malware that holds data hostage until a victim pays a ransom — are dependent on the customer service and reputation of their operations to make money, a new study conducted by Finland-based cybersecurity firm F-Secure shows.

F-Secure’s team of security researchers were able to learn how ransomware hackers conduct business by creating a fake Hotmail account owned by a fictional character they dubbed Christine Walters — a 40-year-old married mother with no security knowledge — who subsequently became the target of numerous ransomware attacks.

“[These] ransomware criminals walk a certain line — on one hand, they’re the nasty criminal, but on the other hand, they have to establish a degree of trust with the victim and be ready to offer a certain level of service in order to realize the payment in the end,” a new report by F-Secure published Monday explains.

In the study, F-Secure focused on understanding the customer experience involved in making a ransomware payment — which is typically required on the part of a victim to unlock stolen files.

This payment process, according to the report, can be better understood as what comparable, legitimate small businesses would traditionally call the “customer journey.” A salesperson in both instances effectively relies on a step-by-step sales procedure to reliable secure a purchase by the customer or, in this case, victim.

“The paradox of ransomware is that the perpetrators are criminals with a customer mindset. They’re disreputable, yet reputation is everything: Without establishing a reputation for providing reliable decryption, their victims won’t trust them enough to pay them,” the report describes.

F-Secure’s pseudonym spoke with representatives from five different ransomware brands: Cerber, Jigsaw, CryptoMix, Shade and Torrent Locker. All five boast online platforms, customer service representatives and only accept Bitcoin as payment.

Some of the ransomware operations showcased websites that support several languages and oddly provide basic FAQ pages. Customer support forums were also a common theme, available so that a victim can quickly ask questions and receive a response.

The fake F-Secure account spoke with ransomware “agents” on four out of the five platform’s respective support forums.

While the ransomware operators set different deadlines, used different platforms and requested unique, fluctuating prices to decrypt victims’ data, their unnamed customer service representatives each showed a willingness to lower prices over time and to educate victims who were unaware of their situation.

In one exchange, F-Secure’s Walters asked a ransomware agent why her files were unaccessible. The anonymous agent responded: “File encryption is a virus. Not a service. You clicked on a link or downloaded a program and your files were encrypted so you have to pay if you want them back … The ransom for your files doubles after 24 hours to $225. We have contacted you several times before so we should be charging you the $225. Since you don’t understand what a ransom virus is we will keep it at $125 for today.”

Last year, Kaspersky Labs, a prominent, international security software company, detected ransomware on 179,209 computers. In April, the Departments of Justice and Homeland Security said in a statement that ransomware victims in the U.S. paid over $24 million, according to data obtained by the Internet Crime Complaint Center, or IC3.

“Out of the five [ransomware operations], we were able to make contact with four of them. In those exchanges, we were able to negotiate an average of a 29 percent discount from the original ransom. We were also able to obtain more time for payment,” F-Secure’s security researchers wrote.

The report concludes that ransomware operations are idiosyncratic cyber crimes — it cannot be thought about generically, like any other strain of malware. To avoid such data breaches, F-Secure recommends for organizations to regularly backups of files, keep software up to date and be cautious of phishing emails and other online scams.

German researchers find dam control systems exposed on web

More than 100 pieces of vital infrastructure, including four hydroelectric dams, had their computer control systems connected to the public internet where anyone could access them and potentially carry out acts of sabotage, according to German security researchers.

Researchers at InternetWache.org in Berlin began looking for routers used by industrial control systems last year. Lead researcher Tim Philipp Schafers was surprised to find unprotected management interfaces for industrial control systems, or ICS, showing up in searches.

Using a simple Python script and some free search tools, he eventually catalogued more than 100 of them, according to a post by Kaspersky Labs on their Threatpost blog.

ICS are special computerized systems that control industrial processes or other machinery, including dam sluice gates. They are typically built with a user dashboard or control panel attached through which they can be remotely controlled. Generally experts recommend against deploying these kinds of applications on the internet, and if they are on the web, they need to be protected by encryption, firewalls and strong passwords.

None of the systems that Schafers found was protected like that.

“It’s possible to access the web applications that control processes in these plants; you don’t need to know a special configuration,” Schafers told Threatpost. “We found more than 100 systems, and about half required authentication, while some were without any and were administrator accessible [to anyone].”

Cyber crime is outpacing all other crime in the UK

There were more cybercrimes or cyber-enabled crimes last year in Britain than offline offenses, according to statistics in a new report from the UK’s equivalent of the FBI.

The National Crime Agency says in its Cyber Crime Assessment 2016 that 2015 was the first year that data on cybercrimes was collected as part of the annual crime survey for England and Wales. The survey, which is carried out every year by the UK’s Office of National Statistics, does not rely on crime reports to police, but instead questions Britons directly about their experience as victims over the past 12 months.

“The ONS estimated that there were 2.46 million cyber incidents and 2.11 million victims of cybercrime in the UK in 2015,” states the assessment. That amounts to 53 percent of all the crimes in the country, unevenly divided between “cyber-enabled fraud” at 36 percent and “computer misuse” at 17 percent.

Create pie charts

The figures suggest that there is massive under-reporting of such crimes, since only 16,349 cybercrimes and roughly 700,000 cyber-enabled crimes were reported to authorities in the same period. NCA states that although the most serious crimes are the work of highly organized international groups, “the majority of cyber criminals have relatively low technical capability.”

These low-level crooks rely on “the growing online criminal marketplace, which provides easy access to sophisticated and bespoke tools and expertise, allowing these less skilled cyber criminals to exploit a wide range of vulnerabilities.”

The authorities cannot keep up, the assessment says, and are unlikely to be able to any time soon.

“The accelerating pace of technology and criminal cyber capability development currently outpaces the UK’s collective response to cyber crime. This ‘cyber arms race’ is likely to be an enduring challenge,” the authors state.

The assessment was published July 7 and the figures were first reported by security blogger Brian Krebs.

What’s next in shared services? – U.K. trends the U.S. should follow

With milestones such as the General Services Administration’s new Unified Shared Services Management and the successful transition of the U.S. Department of Housing and Urban Development’s finance, travel and acquisition services to the Treasury’s Administrative Resource Center (ARC), shared services have been taking off.

But that just poses the question, where can we go from here?

One answer is for the federal government to tap into the spirit of innovation and gain insights from our peers in the U.K.

Recently, Hampshire County Council, a local government in the south of England made customer service and digital innovation a focus in their new shared services program led by Carolyn Williamson, the county’s director of Corporate Services. In this effort, Hampshire County Council, another county council, and police and fire departments all joined this shared service partnership – breaking down boundaries between public sector organizations.

The scale of the organizations involved in this partnership is significant with about 90,000 employees. More than 1.8 million people live in the picturesque southern coastal county of Hampshire, which is England’s third largest county and the historic home of “Pride and Prejudice” author Jane Austen.

It includes two critical ports, which handle a large share of container freight and a Royal Navy base. Given the county’s large footprint, one goal was to incorporate customer service as a way to support an increasingly mobile workforce while enhancing mission delivery.

At a recent event with the Shared Services Leadership Coalition, Williamson shared with us their focus on customer service as well as three things to consider when moving to a shared services model.

1. Know your Audience.

In any large-scale change, it can be convenient to focus on the system and not the resulting end user experience. The Hampshire country council created this integrated business center with the goal to create an exceptional customer experience.

One critical component to this is a new mobile application through which employees can manage personal data and undertake transactions such as leave requests and expense reports. Now that transactions are handled through the application, it is easier for managers to track and forecast impacts on their business operations. For employees, the customer in this case, it is a central hub to track their benefits and comply with policies in a real-time way without being tethered to a desk.

2. Share, Simplify, Innovate.

Not only does the mobile application provided improved customer service, it also enables the county to utilize integrated analytics. Information is presented to allow the county leaders to make more informed and insightful decisions, and there is a toolkit that allows data manipulation without the need for downloading to spreadsheets.

The county is already looking at the next version of the application – one that could automate manual hand-offs between systems, provide performance analytics through dashboards, and allow broader supplier and customer self-service capabilities within the application.

3. We Can Work it Out.

The nearly 90,000 government employees — from first responders to office employees — all had to change the way they interacted with their employer. It was important that they were invested in this new approach that would be shared across the county and at the end of the day, would mean better service for themselves and an improved ability to serve the community.

There will likely be uncertainty and challenges in preparing employees for this transition so it is crucial to stay true to the project goals and end-goal result in order to ensure that benefits are delivered in the end. The key to the success of the program lies with both the players and the leaders.

Just like any other major modernization effort, Hampshire County Council faced challenges and acknowledged that there are certain areas that agencies may overlook which makes these projects even more complex than they need to be. Hampshire County Council learned that in a large-scale migration there will always be periods of uncertainty; therefore, agencies should consider a six-to-nine-month stabilization period to support the transition.

Despite the challenges, this shared service partnership shows different ways governments — in the U.K., U.S. and around the world — can affect change by focusing on the user experience.

Adapting lessons from Hampton County Council, the U.S. government and the GSA’s Unified Shared Services Management can continue to ride the wave of innovation rolling in from the U.K. and help lead a cultural change that will transform the business of the U.S. federal government.

Audit: Immigration agency not using agile development properly

Although the Department of Homeland Security agency that processes new immigrants says it has adopted agile software development techniques for its huge, $3.1 billion technology transformation from paper to digital, it has only partially implemented the fashionable new management method, a congressional audit has found.

The Government Accountability Office examined U.S. Citizenship and Immigration Services’ efforts to move its immigration services online and digitize the processing of applications — known as its Transformation Program. The failure to properly implement agile practices; challenges USCIS has faced with contract management; and the difficulties the agency has encountered in testing and deploying software are putting the huge program at risk, say the auditors.

“These management weaknesses — which at times mirror those previously reported — increase the risk that the system will continue to exceed cost and schedule goals and that it may not meet performance expectations,” they write in the report, released late last week.

The Transformation Program was launched a decade ago amid growing concern that the paper-based processes that USCIS was using made it hard to share information with the FBI and other agencies trying to stop terrorists or their supporters from gaining immigration benefits. At that time, in 2006, the effort was slated to cost $2.1 billion and finish by June 2014.

In May last year, auditors found that USCIS expected the program to cost up to $1 billion more, and take until March 2019. Auditors say they find this cost estimate, “well-documented and substantially comprehensive, accurate, and credible. “

In April this year, the agency announced it was scrapping the original version of a major component of the program, the Electronic Immigration System or ELIS — despite having spent more than $475 million developing it.

According to DHS, on an average day, USCIS completes 23,000 applications for various immigration benefits; welcomes 3,200 new citizens; answers 44,000 phone calls to its toll-free customer service line; serves 9,500 customers at 84 local offices; fingerprints and photographs 15,000 applicants at 136 application support centers; conducts 148,000 national security background checks; and processes 2,040 petitions filed by employers to bring foreign national workers to the U.S.

USCIS said that, when it was abandoned, ELIS 1.0 was only able to process about 31 percent of the agency’s workload.

Regarding the use of agile techniques, the auditors say that “software development and systems integration and testing … have not consistently been managed in line with the program’s policies and guidance or with leading practices.”

Of the eight key practices that make up agile management, the Transformation Program has fully implemented one key practice “prioritizing user stories,” failed to implement another “setting outcomes,” and “partially implemented” the other six, according to the report.

New NASA, USAID hub to solve climate-related problems

NASA and U.S. Agency for International Development are partnering to fund a facility in West Africa that will use NASA satellite data to tackle issues like food security and water availability.

SERVIR-West Africa, based in Niamey, Niger, officially opened last week, becoming the fourth NASA-USAID-sponsored center. The hub will be managed by a local group — a subsidiary of the Permanent Inter-State Committee for Drought Control in the Sahel called the Agriculture, Hydrology and Meteorology Regional Center. But NASA could support the group and expand its capacity to use satellite information by explaining available technological resources, or training the group in new technologies.

Tetra Tech, an engineering and consulting company, also announced Monday that they received a $13 million contract to support the group’s efforts.

Dan Irwin, SERVIR global program manager for NASA, told FedScoop that the partnerships are distinctive because they allow local researchers to guide development in their own communities.

“It’s not like NASA’s just going and developing the products,” he said. “But because we have this unique partnership, we’re working hand in hand with the scientists here in the region to develop the products and services to meet these needs.”

Now that the center has been opened, the next step will be for the local organization to meet with different government ministries to determine what the needs are — and how those problems could be addressed using satellite data or forecast models, Irwin said. Some of the big issues in the region are food security and agriculture, water and land degradation.

Irwin said the space agency has an array of satellites that can measure rainfall, soil moisture and changes in land cover from space. Hubs like the one in Niger can opt to use any of NASA’s public data and draw from other sources as well.

“There’s so much data out there … But how do you bring all this data together? And convert data into actionable information that really meets a need?” he said. “And that’s really, I’d say, the hardest part.”

SERVIR serves more than 40 countries, according to a press release.

“What’s really exciting about the model is it’s not just NASA or our U.S. government partners sharing and working with the hubs, but it’s the community of these different hubs now working with each other,” Irwin said. “And I think that’s the huge thing behind the whole model of SERVIR is that it’s really a network.”

He added: “So each of these hubs are developing capabilities for their region and they’re sharing these things with each other and sharing experiences.”

The eventual goal, said Alex Deprez, director of USAID’s West Africa regional office, in a press release, is “African solutions to African problems.”

Halvorsen makes Silicon Valley trip with NATO, allied CIOs

Pentagon CIO Terry Halvorsen is on the West Coast this week talking to the big names in tech — and he will be joined by his counterparts from NATO and the militaries of several U.S. allies.

The group, which includes CIOs or deputy CIOs from the militaries of Australia, Canada, Germany, Japan, New Zealand and the United Kingdom, will meet with established tech companies and new startups to look at innovations including those that solve issues related to identity and access management, data sharing between allies and cloud computing.

The weeklong trip to Silicon Valley and Seattle is not just about the company visits, Halvorsen told reporters Friday, but about using the time to reflect on shared problems.

“All of those,” he said of the participants, “are of a scale that they have the exact same problems we do. So it makes sense for us.”

Since the end of the Vietnam war, major U.S. military operations outside the Western hemisphere have been almost exclusively coalition efforts

“Part of the problem that we all share is how do we share and do coalition communications and allied communications. So I think it’s important that we spend some time together to work that issue,” Halvorsen said.

This is not his first trip west — he even made visits to Silicon Valley as the Navy CIO. But since he has visited as DOD CIO, he has tried to expand the partners. Over time, the group traveling to the West Coast has widened to include other agencies within the DOD.

Some of the slated visits are with companies that already do business with the DOD.

The main question Halvorsen wants answered in those meetings, he said, is: “What are they doing to keep us relevant? How are they staying up on top of their game?”

The whole group is interested in cloud computing, Halvorsen said, so at Microsoft, Amazon and Google he anticipates discussing cloud.

He added that the DOD would probably make a big announcement on cloud later this summer.

Another issue the group plans to discuss is identity management. Halvorsen has said he wants DOD to eliminate the common access card in two years.

Halvorsen said last year’s trip, technology changes, and where DOD allies are with identity management all contributed to his determination to get rid of the CAC card.

“One of the other reasons is none of the other allies use it,” Halvorsen said. “So if we’re going to go in partnership, how do you move forward, keeping the same or better — and I actually think in this case the technology is going to push us to a much better level of security without the CAC card.”

Halvorsen said he expects identity management is something the group will tackle together.

The CAC card system is expensive to maintain, and “not where we want to be in a couple of years with security,” Halvorsen said.

On Wednesday, the group plans to visit two venture capitalist firms to hear presentations from 15 to 20 companies. Some of these, Halvorsen said, will likely be conversations about identity management.

To replace the CAC card, Halvorsen said he thinks it would be a combination of personal data, biometrics and behavior.

“No there is not one system that does this. Is there a combination of systems that could be available today? My answer is going to be no, because I haven’t seen anything yet that really answers all of the requirements that I have in my head,” Halvorsen said Friday.

He added: “But could there be very quickly? I think the answer to that is yes.”

The DOD’s Defense Innovation Unit Experimental, or DIUx director will also be joining the group on part of the trip, and will be there for the presentations on Wednesday.

“We’re also going to spend some time with DIUx getting to talk to this whole group, including allies so that they can understand even better what are some of the edge requirements that we would like to see DIUx focus on,” Halvorsen said.

Another common goal the countries share is standardizing their basic operating systems. Halvorsen said most of them use Microsoft, so they are also looking to move to Windows 10.

“If all of us get there, that’s a big security gain for us that we’re all using the same operating system,” Halvorsen said. “It’s not that it’s Microsoft, it’s just that it’s the same and we just happen to be using Microsoft.”

The DOD has a tight timeline to migrate to Windows 10, with a January 2017 goal. The department is meeting its overall goals, Halvorsen said, but the project will likely not be 100 percent finished by that time.

“What I’m trying to figure out right now is just what percentage of the stuff might not, might take another year to 15 months to get done,” Halvorsen said.

Tactical and embedded systems will be the most complicated to move to Windows 10, he said.

Hoyer: MOVE IT Act ‘falls short’ of what’s needed for federal IT

The top House Democrat who introduced White House-backed legislation to create a revolving fund for modernizing federal IT says a similar bill introduced this week with bipartisan support does not go far enough.

Rep. Steny Hoyer, D-Md., said the MOVE IT Act is not realistic given the amount of agency systems that need to be upgraded.

“The MOVE IT Act is unfunded and would only be a meager step toward modernizing our government technology, which is far short of what is urgently needed,” Hoyer said in a statement emailed to FedScoop. “My IT Modernization Act is the only proposal on the table that has a realistic chance of upgrading many of our most vulnerable and costly legacy systems in a short time frame. We must do that to prevent the next major OPM-like data hack, to lower our IT maintenance costs, and to lay the foundation for a 21st century digital government.”

Introduced Thursday by Rep. Will Hurd, R-Texas, the MOVE IT Act would give agencies the authority to create a working capital fund that could be spent to modernize outdated technology they currently use. The bill is co-sponsored by Reps. Gerry Connolly, D-Va., and Ted Lieu, D-Calif.

H oyer’s bill would set up a revolving $3.1 billion fund across the federal government that would be continually replenished by agencies as they realized savings from modernization.

Earlier this week, a number of companies and trade associations voiced their support for the IT Modernization Act, saying it will allow agencies to keep pace with private sector.

“We applaud Rep. Hoyer’s efforts and welcome and endorse the IT Modernization Act as an essential step in advancing modern, digital government for the 21st Century,” said ServiceNow Vice President of Federal Steve Alfieris. “The IT Modernization Fund provides critical resources to federal agencies in migrating from inefficient and poorly performing IT platforms to newer, more secure systems that reflect ‘cyber by design.’ ”

“This legislation, consistent with the Administration’s proposal released earlier this year, will help the Federal government take advantage of innovation to build a more secure and efficient IT infrastructure,” read a statement from BSA The Software Alliance. “We look forward to working with Congressman Hoyer and the other supporters of this bill as it moves through Congress.”

Despite the support, industry sources told FedScoop earlier this week that the IT modernization fund is “all but dead.”

Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.