Las Vegas security conferences were crawling with feds

A team competing in the CTF competition at DEF CON 17 // Creative Commons
What used to be a side game among DEF CON attendees is now as commonplace as the security conference’s electronic badges.
“We used to do ‘spot the fed,’ where we would try to oust feds, and now we have invited feds to our panels to sit there and talk with us in a productive manner,” said Beau Woods, Atlantic Council deputy director, during an event Wednesday at the D.C.-based think tank.
Woods, along with Federal Trade Commission Chief Technologist Lorrie Cranor, Tenable Network Security strategist Cris Thomas and former White House cybersecurity official Jason Healey, spoke to how U.S. government officials descended on Las Vegas last week to strengthen existing and form new relationships with the cybersecurity and hacker communities.
This year’s Sin City-based BSides, DEF CON and Black Hat cybersecurity conferences were well attended by government officials, Thomas said — especially so in comparison to past years.
One of the keystone moments of the week was a fundraiser held by Democratic presidential nominee Hillary Clinton’s campaign, which was hosted by Black Hat founder Jeff Moss. Moss has bridged both the hacker and government communities in recent years, including serving on an advisory council for the Department of Homeland Security.
“From the earlier days of these conferences … it was so apolitical,” said Healey. “I think the [fundraiser] really caught a lot of people as the maturation of the field. Like all of a sudden now we matter. We used to have to go to D.C. to testify and now it is coming to us.”
Cranor spoke at BSides and DEF CON, the latter with FTC commissioner Terrell McSweeny about privacy and digital security. Cranor explained that the FTC attended the conferences to “learn, listen and do outreach.” In the past, the FTC has operated a trade show booth and organized contests for conference attendees.
Among other feds, officials from 18F, the Department of Homeland Security, Commerce Department and National Institute of Standards and Technology, or NIST, attended DEF CON.
Capitol Hill also had a presence in Vegas. Two sitting congressmen, Reps. Will Hurd, R-Texas, and Rep. Eric Swalwell, D-Calif., were interviewed by Facebook Chief Security Officer Alex Stamos during a panel on how information security professionals can approach elected officials with cybersecurity issues.
“I think we’re seeing a change in government attitudes towards ‘hackers,’” said Thomas. “Twenty years ago it was nothing but FBI raids, now you have groups like Commerce and FDA and FTC and [Defense Department] who are reaching out and trying to bridge that gap … they’re trying to say, ‘Hey, come help us out.’”
Healey — a longtime DEF CON attendee and former NSA officer — believes that the White House holds the power to help accelerate and foster broad relations between the government and hacker community by pursuing specific policy remedies, he told FedScoop following the event.
Healey said if Washington supports strong encryption without compromise it would be a big first step. Additionally, Healey said the White House should compel law enforcement to be more candid about how it can access encrypted data stored on electronic devices.
“I, for example, want to know what the White House was doing on the Apple-FBI bug … the FBI was saying ‘We don’t know what this vulnerability is we can’t possibly submit it to the Vulnerabilities Equities Process,’ ” he said, referring to the bureau’s fight to unlock the iPhone owned by one of the San Bernardino shooters. “To me, that’s against the policy, that’s against the president’s clear intent — it was the president who originally approved this policy.”
Healey also said the federal government must be careful about how sitting judges use the Computer Fraud and Abuse Act to prosecute computer researchers.
“The memory of Aaron Swartz goes a long way on this and what can happen under the laws — and not being convinced that those days are over — that really hurts,” he said, referring to the computer programmer who committed suicide in 2013 while in the midst of a contentious legal battle with federal prosecutors.
‘Gray hat’ cyber firm outbidding Apple for iOS zero days
A Texas-based cybersecurity firm announced this week it will offer up to $500,000 for newly discovered security holes in Apple’s mobile operating system, iOS — effectively outbidding the tech giant’s own bug bounty program just days after it was unveiled.
“Want $200k for an iOS hack — head to #Apple. Want real $$? You know where to find us,” tweeted Austin, Texas-based Exodus Intelligence Tuesday.
In a statement announcing their new “Research Sponsorship Program,” the company said it is “focused on acquiring vulnerability research and exploits from the global cybersecurity research community.”
Exodus will also pay big money for new flaws found in Google Chrome ($150,000), Microsoft Edge ($125,000), and Mozilla’s Firefox ($80,000).
Apple’s own bug bounty program, announced last week at the 2016 Black Hat security conference, offers a maximum of $200,000.
In addition to newly discovered zero-days, the company also says it will buy exploits — fully developed malicious software — that use existing, known vulnerabilities.
That puts the company firmly in the so-called “grey-hat” market segment, with products that can be used for cyber offense — although they say they do due diligence on their customers.
“Our clients are largely made up of defensive vendors,” wrote Exodus President Logan Brown in an email to FedScoop. “Once we have a report about the vulnerability and exploit written up, we distribute the report to all of our subscribing clients in order for them to build defenses into their products or for red and blue team exercises.”
Exodus is also offering a novel reward system, where, in addition to the bounty, the researcher will get payments “every quarter the zero-day exploit is still alive.”
The company also offers payment in the form of the anonymous crypto-currency, bitcoin.
FDA issues draft guidance for software updates in medical devices
The Food and Drug Administration released new draft guidance to help clarify when makers of certain types of medical devices may need additional clearance for a software update.
Unveiled this week, the draft applies to medical devices, like MRI machines, that were put through FDA’s 510(k) submission process — a pathway, meant for products that pose a medium-to-low risk to patients, that requires manufacturers to demonstrate their product is “at least as safe and effective” as similar devices already on the market. The draft lays out under what circumstances makers of these devices would need to file another 510(k) submission to account for a change.
While Beau Woods, deputy director of the Atlantic Council’s Cyber Statecraft Initiative, said he didn’t see a lot that was new in the draft guidance, it could help to clear up some misconceptions about FDA’s policies among device-makers.
“It’s a great clarification that answers a lot of questions very explicitly and formally that a lot of manufacturers and health care delivery organizations have,” he said of the document.
Woods also highlighted the decision-making flowchart included in the draft, saying it would be a “powerful” resource for “anyone needing to make these types of decisions.”
Notably, the draft also reiterates that updates made solely to boost the device’s cyber defenses would not require a 510(k). That approach aligns with a separate draft medical device cybersecurity guidance from earlier this year and another final guidance on cybersecurity from 2014, according to Axel Wirth, health care solutions architect at Symantec cybersecurity company.
“I see a constant line here: Regulate where necessary, but don’t stifle for the sake of regulating,” he said. “I applaud the FDA for taking that approach.”
The draft was released at the same time as a separate, more broad draft guidance about what kinds of updates might require a 510(k). Both would update a guidance from 1997 — “a millennia ago,” Wirth joked.
“When finalized, the two guidances will provide improved clarity, regarding minor changes that do not require FDA review, and help ensure that the FDA receives appropriate submissions for modifications that do require premarket review by the agency,” according to an FDA press release.
The public has until Nov. 7 to comment before the agency begins work on the final version.
Report: Global cyber market set to grow 10 percent a year
The global marketplace for cybersecurity goods and services, driven by increasing corporate fear of hackers and spiraling compliance and regulatory demands, will grow more than 10 percent annually over the next five years, according to new research.
That explosive increase will take the total value of the market from its current size of $122.45 billion to $202.36 billion by 2021, predicts the latest report from Dublin-based Research and Markets.
The predicted 10.6 percent compound annual growth is a couple of points off from a similar forecast the firm produced at the beginning of the year. That study estimated global growth would be 12.3 percent compound from 2016 to 2020.
Network security — fueled by fears of enterprise data breaches and by “the need for stringent compliance and regulatory requirements” — is currently the largest market segment, the new report says.
Driven by the exponential growth of the Internet of Things and corporate “bring your own device” policies, application security will be the market segment experiencing the highest growth rate over the next five years.
The banking, financial services and insurance market vertical “is expected to witness the highest [growth] during the forecast period because of the increasing adoption of web and mobile applications, which are prone to advanced cyber-attacks,” the market researchers conclude.
Asia and the Pacific will be among the fastest growing regional markets, because of “emerging economies, such as India and China, which are rapidly deploying cyber security solutions.”
Facebook Messenger: The new way to contact the president
Starting Wednesday, you can message the White House on Facebook and let the president know what is on your mind.
The White House has launched a Facebook Messenger chatbot to walk you through the process to reach the commander-in-chief.
The new bot is just one more way to make it easier for citizens to engage with government and reach citizens where they are, wrote Jason Goldman, White House chief digital officer, in a Medium post.
“The White House’s Messenger bot, a first of its kind for any government the world over, will make it as easy as messaging your closest friends,” Goldman wrote.
The use of chatbots coincides with the administration’s recent efforts to get ahead on potential future uses and risks of artificial intelligence. The White House Office of Science and Technology Policy announced an initiative in May to discuss artificial intelligence and held several workshops on various topics related to AI. OSTP also put out a request for information on artificial intelligence in June.
[Read more: White House seeks public input on artificial intelligence]
And as FedScoop reported in a recent article, Booz Allen Hamilton claims that messaging, through the use of chatbots, will in the next five years become the customer service norm.
[Read more: Techies: In 5 years, chatbots could become a govt customer service norm]
FedScoop took the tool for a test drive. Upon opening a message window to chat with the White House, the bot promptly jumped into conversation.
“Hi! It’s great to hear from you—and we’re excited to learn what’s on your mind,” it said. “(Fun fact: the President reads ten of these messages every night.)”
“Ready to get started?” the bot asks.
The automated chatbot then invites users to write a message to the president, giving them a chance to check it over before sending and taking down their contact information.
To wrap up the conversation, the bot sent FedScoop a video of the president talking about what citizen letters mean to him and a parting smiley face emoji.
You too can message the White House by clicking here.
Happy birthday, USDS — a look back on 5 of the team’s defining moments

The White House’s U.S. Digital Service celebrates its second birthday Thursday.
In that time, the team has grown from a tiny tech SWAT team built around the core groups of former private technologists who helped rebuild Healthcare.gov after its epic launch meltdown in 2013 to a 170-member-strong institution addressing some of the federal government’s biggest headaches involving digital technology. USDS has also launched smaller outposts at agencies across the government, like the Defense Department and the Department of Veterans Affairs, that are particularly flummoxed in delivering modern services and need a dedicated team to help lead a digital reinvention.
While the team has faced recent controversy around how USDS works with agency CIOs and questions about whether it will be as effective after the transition to a new administration, the team has a laundry list of achievements to show for the last two years of work.
So, to celebrate USDS’ foray into its third year, we’ve compiled five of USDS’ biggest engagements and moments in the past two.
The Digital Services Playbook
Released with USDS’ launch two years ago, the playbook serves as a governmentwide guide for agencies considering building or buying a new digital service. The playbook lists 13 plays “drawn from successful practices from the private sector and government that, if followed together, will help government build effective digital services,” it explains.
Since then, the Digital Services Playbook — along with its corresponding TechFAR handbook, which gives agencies a look at alternative types of acquisitions — has served as the gospel for digital teams across government, often cited as a blueprint for how agencies should address their acquisitions and services developments to be more successful.
[Read more: After healthcare.gov, White House creates Digital Service team]

Hack the Pentagon
The only thing more impressive than the team’s ability to persuade DOD to allow a bug bounty called “Hack the Pentagon” is that it was the first of its kind in the federal government. Bug bounties are programs in which an organization, like a software company or in this case the Pentagon, pays independent cybersecurity researchers to find vulnerabilities on their systems.
The Defense Digital Service team successfully operated a bug bounty engagement earlier this summer inviting 1,400 hackers to participate, 250 of whom found at least one vulnerability, though not all were eligible for a bounty because the flaws had already been reported or for other reasons. In total, DOD remediated 138 vulnerabilities discovered by the white-hat hackers. And now DOD Secretary Ash Carter wants to make the model a fixture within the Pentagon.
“We’ve done more with this pilot than make our networks more secure for the short term,” Carter said during a June press conference. “We’ve built relationships of trust for the long term. We’ve provided a roadmap for other government departments and agencies to crowdsource their own security.”
[Read more: Pentagon expanding bug bounties after inaugural success]
Vets.gov
Information and other resources for veterans to apply for their benefits are scattered across thousands of Department of Veterans Affairs websites. USDS partnered with the VA to launch Vets.gov last Veterans Day to consolidate those pages into one central portal. Though the project is still in development, the VA digital service team plans to continue rolling out new functions and features every week driven by customer feedback.
“Our process building Vets.gov will be one of constant refinement and improvement,” VA Secretary Bob McDonald said then. “Your feedback will guide and shape everything we do. That’s as it should be. This site isn’t about us — it’s about you.”

Work on the Immigration Application Process
The Department of Homeland Security U.S. Citizenship and Immigration Services’ digitization of its visa-granting process has been a costly and messy transformation, earning it a mention on the Government Accountability Office’s most recent biennial high-risk list. In particular, the agency’s five-year Electronic Immigration System project has run into all kinds of problems with its projected costs jumping by half-a-billion dollars since its launch.
USDS has since launched a team to join DHS and right the ship. In May 2015, USDS member Vivian Graubard explained how “[t]he scope of the project was too large and the timelines too long” and that “[i]t used a traditional waterfall methodology, which meant that the first product releases happened years after the project began; and the agency was heavily reliant on specific vendors. Years into the process, when the project was finally due to deliver results, it fell short of expectations.”
Another USDS member Eric Hysen has since been appointed to lead a DHS digital service team and continue redeveloping ELIS. That team created MyUSCIS, a portal to streamline U.S. Citizenship and Immigration Services’ offerings. And earlier this year, his team launched an online app, simplifying the process for the more than 700,000 people each year who choose to apply for American citizenship.
“While immigration reform is a deeply political issue, what shouldn’t be political at all is that those … people deserve a system that is effective and efficient,” Hysen said then.
[Read more: DHS launching app for online citizenship]
College Scorecard
This tool, launched last September for the Education Department, allows students and families to look up data about colleges, including median and average debt rates, graduation rates, and salaries after graduating. USDS’ Lisa Gelobter led the tool’s design “with direct input from students, families, and their advisers to provide the clearest, most accessible, and reliable national data on college cost, graduation, debt, and post-college earnings.”
On its first day, the site saw 500,000 visits and 1.2 million page views.
These are just a few of the memories USDS has made over the past two years. Learn more about the team’s projects in an impact report released this week by the White House.
How government is tracking Zika using GIS technology
As pressure mounts to tackle the Zika outbreak, the Department of Health and Human Services’ Office of the Assistant Secretary for Preparedness and Response is using Esri’s GIS software to create maps that monitor the virus as it spreads.
ASPR, as the HHS office is known, has used Esri software to create a publicly available interactive map that tracks the number of Zika cases in each state. The map is automatically updated weekly.
Esri, one of the world’s leading geospatial mapping software companies, has also pulled demographic data from the U.S. Census Bureau and other sources to help organizations like ASPR supplement their own data, Este Geraghty, Esri’s chief medical officer and health solutions director, told FedScoop.
To address the Zika crisis, Esri is using that data to show ASPR and other agencies in HHS where to best target information to educate women of childbearing age and their partners, according to a press release.
With Esri’s demographic data, ASPR “can calculate where they need to focus on populations, maybe provide additional education,” Geraghty said.
Pregnant women can pass the Zika virus to their fetus, which can cause certain birth defects, according to the Centers for Disease Control and Prevention. People typically contract Zika through bites from infected mosquitoes, but they can also spread it through intercourse.
This is not the first time ASPR has teamed up with Esri — the office also responded to the water crisis in Flint, Michigan, in part with mapping information, and it used mapping capabilities to help prepare this year for both the Republican and Democratic national conventions, Geraghty said.
“Everything happens somewhere, and that somewhere actually turns out to be really important. In health, place can determine a lot of different things,” Geraghty said. “When you think about Zika, it can determine your risk for getting the disease. It can determine if you have access to health care. And in a lot of places it might determine what your likelihood is of a good outcome, even if you have health care.”
Esri often identifies tools for organizations that could best solve their specific problems, Geraghty said.
For example, Esri introduced the World Health Organization and the CDC to its predictive analysis tools, showing them how they could be applied to predicting where Zika might be, she said.
“Predictive analysis tools can be very helpful among other types of analysis to really understanding where you have risk and how you might plan your response strategy,” Geraghty said.
With the predictive tools, organizations can map out which areas have suitable habitats for Aedes mosquitoes, which can carry the Zika virus. The tools pull in data on factors like temperature, land cover, elevation and precipitation to see where there are environments conducive to mosquitoes.
The predictive model also considers whether those factors are seasonal in certain regions, Geraghty said.
Doing this kind of work could help health organizations target their resources more effectively based on the places that are most at risk of cases of the virus, she said.
The model of Aedes-mosquito-friendly habitats can also be layered with the demographic data identifying vulnerable populations to further narrow down where organizations should focus treatment or education efforts, she noted.
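To make the two steps described above concrete (scoring habitat suitability from environmental factors, with seasonality, and then overlaying a population layer to rank where to focus), here is a small added example. It is not Esri’s code or ASPR’s model: the grid cells, monthly readings, population counts, factor weights and response curves are all constructed for illustration, and a real model would be calibrated against observed mosquito and case data.

```python
"""Added illustration of a habitat-suitability model layered with population data.
All cells, readings, weights and response curves below are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed land-cover suitability for Aedes breeding (container habitats near people).
LAND_COVER_SCORE = {"urban": 1.0, "cropland": 0.6, "forest": 0.4, "water": 0.2}
# Assumed relative importance of each factor; the four weights sum to 1.
WEIGHTS = {"temperature": 0.40, "precipitation": 0.25, "elevation": 0.20, "land_cover": 0.15}
ELEVATION_LIMIT_M = 2000.0  # assumed ceiling above which the habitat score reaches zero


@dataclass
class Cell:
    cell_id: str
    monthly_temp_c: List[float]     # 12 mean temperatures, Jan..Dec (captures seasonality)
    monthly_precip_mm: List[float]  # 12 monthly rainfall totals, Jan..Dec
    elevation_m: float
    land_cover: str
    women_childbearing_age: int     # demographic layer used for the overlay


def temperature_score(temp_c: float) -> float:
    """Triangular response: zero at or below 15 C and at or above 40 C, peak 1.0 at 28 C."""
    if temp_c <= 15 or temp_c >= 40:
        return 0.0
    if temp_c <= 28:
        return (temp_c - 15) / 13
    return (40 - temp_c) / 12


def precipitation_score(mm: float) -> float:
    """Saturating response: more rain means more standing water, flat above 150 mm."""
    return min(mm, 150.0) / 150.0


def elevation_score(m: float) -> float:
    """Linear decline to zero at the assumed elevation limit."""
    return max(0.0, 1.0 - m / ELEVATION_LIMIT_M)


def habitat_suitability(cell: Cell, month: int) -> float:
    """Weighted mean of the factor scores for one cell in one month (0 = Jan .. 11 = Dec)."""
    scores = {
        "temperature": temperature_score(cell.monthly_temp_c[month]),
        "precipitation": precipitation_score(cell.monthly_precip_mm[month]),
        "elevation": elevation_score(cell.elevation_m),
        "land_cover": LAND_COVER_SCORE[cell.land_cover],
    }
    return round(sum(WEIGHTS[k] * v for k, v in scores.items()), 4)


def peak_month(cell: Cell) -> int:
    """Month index in which the cell's habitat suitability is highest."""
    return max(range(12), key=lambda m: habitat_suitability(cell, m))


def prioritise(cells: List[Cell], month: int, min_suitability: float = 0.5) -> List[Tuple[str, float, int]]:
    """Overlay step: keep cells above the suitability threshold and rank them by the
    number of women of childbearing age weighted by suitability (an exposure proxy)."""
    ranked = []
    for c in cells:
        s = habitat_suitability(c, month)
        if s >= min_suitability:
            ranked.append((c.cell_id, s, round(s * c.women_childbearing_age)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


# Constructed sample grid: three cells with different climate, terrain and population.
CELLS = [
    Cell("coastal_city", [24, 25, 26, 28, 30, 31, 32, 32, 31, 29, 27, 25],
         [60, 50, 80, 120, 180, 200, 220, 210, 190, 130, 90, 70], 10, "urban", 40000),
    Cell("highland_town", [12, 13, 15, 17, 18, 19, 19, 19, 18, 17, 15, 13],
         [40, 40, 60, 90, 110, 120, 130, 130, 110, 80, 50, 40], 2400, "cropland", 8000),
    Cell("forest_lowland", [25, 26, 27, 29, 30, 30, 31, 31, 30, 28, 27, 26],
         [150, 140, 160, 200, 250, 280, 300, 290, 260, 200, 160, 150], 120, "forest", 1500),
]

if __name__ == "__main__":
    for cell in CELLS:
        print(cell.cell_id, "peak month index:", peak_month(cell))
    print("July priorities:", prioritise(CELLS, 6))
```

The highland cell drops out in July despite moderate rainfall because its elevation score is zero, while the small forest population ranks far below the city even though the forest cell is also suitable; that is the effect of layering the demographic data over the habitat model rather than mapping habitat alone.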
“Our mission is to help people think spatially so that they understand some of the questions they can ask of location to make better decisions,” Geraghty said. “And to allocate their resources more smartly and efficiently.”
She added: “Despite the large funding for Zika, it’s come out slowly, and so people need to manage their resources very well and hopefully there will be more funding to come. But we try to make sure there’s an inexpensive way to get the job done.”
FDIC joins DHS’ Einstein, hires Booz Allen to raise cyber bar
The Federal Deposit Insurance Corp., seeking to reassure the public and congressional overseers about its online security, says it will sign up for the Department of Homeland Security’s Einstein intrusion detection service and has hired Booz Allen Hamilton to independently assess its IT security and privacy procedures.
The agency — which has come under fire this year from independent watchdogs and congressional investigators for its cybersecurity following a series of “insider” breaches last fall and revelations about a 2010 penetration by suspected Chinese hackers — last week quietly launched a new page on its website touting measures it is taking to improve its cyber posture.
“The FDIC is committed to protecting sensitive information and is seeking to ensure the public is aware of the steps we are taking on cybersecurity,” spokeswoman Barbara Hagenbaugh told FedScoop via email.
[Read More: Congress — Bank agency CIO ‘misled lawmakers and hid breaches’]
The webpage says the agency has signed a “memorandum of understanding” with DHS to implement Einstein 3A — the department’s signature-based intrusion detection and prevention system.
FDIC “has begun an active engagement with [DHS] to implement Einstein,” said Hagenbaugh.
The webpage also states that the agency has “engaged an independent, third-party firm to conduct an end-to-end assessment of the FDIC IT security and privacy programs.”
Hagenbaugh confirmed that the firm was Booz Allen Hamilton, a fact first reported by Federal News Radio, but she declined to give any further details.
Officials said the assessment would look at process, technology and staffing, and would provide a measurable plan for improvement.
China accused of launching ‘cyber war’ over contested islands
China, in pursuit of its territorial claims in the resource-rich South China Sea, is resorting to low-level cyber warfare against the Philippines and Vietnam — the two nations which recently won an international legal case against the Communist government.
Reports in local media and by regional cybersecurity companies have attributed a rash of cyber vandalism attacks in the past two weeks to a Chinese hacktivist group calling itself 1937cn — an apparent reference to the Japanese invasion of China that year.
In the highest profile attack at the end of July, hackers took over the website of Vietnam’s national airline and the display screens in the country’s two largest airports and displayed pro-Chinese, anti-Vietnam and anti-Philippine messages.
Websites in the Philippines were also attacked, with local security companies saying the hacks were part of a long-running campaign aimed at the computer networks of government agencies and critical infrastructure owners and operators.
Vietnamese sources have blamed China and linked the attacks to last month’s ruling by the Permanent Court of Arbitration in The Hague, which denied Beijing’s extensive territorial claims in the South China Seas. About $5 trillion worth of shipping trade passes each year through the seas’ waters — which abut China, Malaysia, the Philippines, Taiwan and Vietnam, and are believed to house huge fish stocks as well as vast deposits of undersea oil and gas.
The self-described leader of 1937cn told Chinese state media the group is a patriotic non-government organization, but didn’t entirely deny responsibility.
Security experts and former officials in the region say the plausible deniability of using patriotic hacktivists as a cut-out for government-inspired or -directed online attacks is straight out of China’s cyber playbook.
“China’s strategic cyber doctrine is the basis of the current [cyber] operations against Vietnam and the Philippines,” wrote S. D. Pradhan, the former chairman of Delhi’s Joint Intelligence Committee, in a Times of India op-ed.
In Russian doctrine, security analysts have identified cyberwarfare as part of a “hybrid warfare” strategy, in which information operations and deniable military forces (the “little green men” of Ukraine fame) are fused to leverage Russian strategic might and advance national goals.
But in China’s military thinking, Pradhan states, cyber-operations are aimed at deterrence and are also seen as potentially part of “no contact warfare” — “winning war without casualties,” and projecting power over great distances “to achieve a quick decisive victory by disrupting, denying and destroying the enemy’s war waging potential and its command and control systems through remote delivery of destructive kinetic energy and effective cyber operations.”
In China’s concept of “‘integrated strategic deterrence,’ cyber operations have the central role,” he noted, adding, “Deterrence is achieved by projecting its capabilities for infiltration of critical infrastructure of adversaries,” such as the computer networks at a major airport.
By successfully attacking the national airline’s website and airport announcement systems, Pradhan added, “China has conveyed her capabilities to infiltrate into [an] adversary’s … most critical and secured infrastructure.”
Underlining the seriousness of the threat represented by the airports hack, Vietnamese banks also briefly suspended online banking and payment services in its wake, as a precautionary measure until the extent of the attack was clear, one bank executive told TalkVietnam.
“This is an appropriate move as we haven’t fully assessed the effects of the cyber attacks,” said the executive.
Later, local security firm Bvak told the official Vietnam News Agency that the malware used in the attack was a keylogger and remote access trojan, which disguised itself as an anti-virus program.
An executive from the firm, Ngo Tuan Anh, said the malware had been active on the networks of government agencies, business groups, banks, and universities since 2012, underlining the importance of battle-space preparation in the cyber world.
Nuclear Regulatory Commission gets new CIO
Centers for Medicare and Medicaid Services CIO David Nelson is moving to head up the Nuclear Regulatory Commission’s IT department.
“David’s lengthy experience with the government’s use of information technology will help the NRC keep pace with today’s interconnected world,” Victor McCree, executive director for operations, said in a statement. “We’re glad to have him on board.”
Nelson’s start date as NRC CIO has not yet been finalized.
Nelson has been with CMS since 2004, during which time he served in a variety of roles, including leading efforts to fix the long-troubled HealthCare.gov.
“Nelson managed the Centers’ $2.6 billion portfolio of applications, trusted data exchanges and other information technology,” the statement says.
Before his work at CMS, Nelson worked in the private sector, where he co-founded two broadband development companies. He also served in the U.S. Air Force.
Nelson will replace acting NRC CIO Frederick Brown, who has been in that role since Darren Ash moved earlier this year to serve as the CIO of the Farm Service Agency at the U.S. Department of Agriculture.
[Read more: Nuclear Regulatory Commission CIO heads to Agriculture agency]