Subscribe to our daily newsletter.
Subscribe

White House names new class of Presidential Innovation Fellows

The White House named its latest round of Presidential Innovation Fellows this week, bringing 11 new minds into the Obama administration as entrepreneurs-in-residence.

Founded in 2012, the program has since brought in 108 fellows who have worked with federal agencies in to help create products and services that improve citizen services and the way the government operates.

Past fellows have gone on to work at tech giants like Microsoft, Google and Twitter or have created their own startups. Others have stayed in government, helping to establish offices like General Service Administration’s 18F or the U.S. Digital Service.

Fellows have contributed to some of the more high-profile technology efforts of the past few years, including the Data.gov launch, the Police Data Initiative, Blue Button and the RFP-EZ platform.

Last August, President Barack Obama made the program permanent within the General Services Administration.

This year’s class was announced earlier than usual — 2015’s class was announced last August — to give fellows a full 12 months of work before the Obama administration ends.

The newest fellows are:

Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found hereSubscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.

18F: More than 300 applications deployed to cloud.gov

In the span of a few months, the General Services Administration’s 18F digital services team has deployed more than 300 applications from various agencies to its open source platform-as-a-service pilot project cloud.gov, the project’s leader said.

“When we launched in October, we already had several different partners we were starting to try stuff out with,” cloud.gov project lead Diego Lapiduz told FedScoop. “Now we have around 300 applications that are running … they’re all different, from different agencies that are trying different things.”

Lapiduz kept mum on specifics of how many and what agencies have used cloud.gov, but he did reference that most are projects 18F has built with and for other agencies, like the Education Department’s College Scorecard; its own Federalist platform, which helps agencies build quick and reliable websites; and a couple of other White House projects he did not specify. He also explained that the applications aren’t always necessarily grand in scheme or uniqueand sometimes constitute the testing of different environments of the same larger projects across eight departments.

“There’s a diverse population using cloud.gov right now, and we’re still trying to put a lid on how many organizations we bring in, because we’re a very small team and still in alpha mode,” Lapiduz said.

Interest in cloud.gov platform — a fee-based project 18F set out as a tool agencies can use to develop secure and compliant applications in the cloud with limited procedural work and without having to stand up a private cloud infrastructure — has blossomed because of the speed at which it can get teams to security compliance with governing policies like the Federal Information Security Management Act, and the Federal Risk and Authorization Management Program, Lapiduz said.

“There’s been a lot of interest in the project, especially because we’re not only trying to make a good experience for the developers but because we’re trying to find a way to get projects to achieve compliance faster,” he said.  

Lapiduz added that it’s like a cloud security documentation shared service so offices don’t have to start from scratch — “instead of writing a 500-page document, you just use a tool … and with that, the system is going to generate the [system security plan] that you need. And [agency authorization officials] are going to see that you’re using components that have been approved over and over and over again, so they don’t have to check it.”

And in a sense, 18F has keyed in on agencies’ need for that expedited path to compliance, making it a main focus of cloud.gov.

“We started very broad and tried to sense where the interest was going,” Lapiduz said. “We realized that our users are very interested in the compliance side, and that’s where we’re going to be spending a good amount of time in 2016.” 

The digital team is even excited about the potential that agencies may not look to cloud.gov’s total cloud infrastructure offerings but instead to only its compliance-testing capabilities. So, 18F is looking to double down on that aspect in the coming year to automate testing so it’s done on a daily basis. 

Because the program is all open source, the team hopes that industry cloud service providers and contractors developing applications in the cloud will contribute to and pull from the cloud.gov development to make their work with agencies easier. Lapiduz said 18F has already worked with several contractors who’ve used cloud.gov to implement agency projects.  

While some might see 18F’s efforts around cloud.gov as a dog in the fight for a slice of the highly competitive federal cloud market share, Lapiduz claimed this as a fallacy. 

“We want to make sure what [vendors are] offering matches what the government needs,” he said. “What we’re trying to do is show this is possible. And hopefully there’s going to be more alternatives that agencies can use than cloud.gov.” 

Lapiduz and his team will host a workshop Friday for agency personnel and industry representatives hoping to learn more about how they can leverage the cloud.gov platform. 

Rep. Hurd: Congress demands info on Juniper backdoor

will-hurd

Will Hurd, R-Texas

The chairman of the House Oversight and Government Reform IT Subcommittee took the federal government to task Wednesday over its lackadaisical response to the backdoor discovered in Juniper Network’s widely used security software last month.

Freshman Rep. Will Hurd, R-Texas, wrote in an op-ed in the Wall Street Journal that the government dragged its feet in notifying lawmakers on how it’s responded to the vulnerability discovered in Juniper’s ScreenOS software, despite the fact that the information should be easy to obtain.

“Without a complete inventory of compromised systems, lawmakers are unable to determine what adversaries stole or could have stolen,” Hurd wrote.

In December, the company discovered the backdoor that would allow sophisticated hackers to control the firewall of un-patched Juniper products and decrypt network traffic. The company’s products are used by a number of government agencies, including the departments of Defense, Justice and Treasury.

The FBI and Department of Homeland Security have been working to determine if there has been any damage done to government systems and whether they’ve been patched, but Hurd said agencies have been short on details.

The op-ed comes as members of the oversight committee issued a letter (like this one) to 24 agencies last week demanding agencies list their inventory of Juniper products and whether they’ve been patched.

“If they fail to respond they will be called before Congress to explain why they couldn’t produce this basic information — even though the 2002 Federal Information Security Management Act requires government bodies to monitor and protect the data they possess,” Hurd wrote.

The incident shines a light on two areas where the government uses technology, Hurd writes. He called for agencies to move away from legacy software — which ScreenOS can be considered as — and refrain from calls to insert backdoors into encryption for the sake of law enforcement investigations.

Read the full op-ed on the Wall Street Journal (paywall).

The 99.999 percent cybersecurity problem

Near-perfection is a lofty goal, one utilities strive for. “Five nines” has become, it’s said, the “holy grail” of reliability: Under this scenario, customers have service 99.999 percent of the time, with outages averaging only about five minutes per year. Now, that’s service.

A major telephone company set this standard, boasting of its 99.999-percent reliability. Now, some are calling for “five nines” service from Internet providers and websites.

Perhaps we should ask how cybersecurity, too, might achieve this standard. How can our industry protect data with near-perfect reliability, especially as an ever-growing number of “connected” devices join the global data network?

Telephones weren’t always so reliable. In its early years, the industry faced challenges similar to cybersecurity’s. Phone service began as a strictly local phenomenon: The earliest adopters in 1878 had to buy the phones they wanted to use on either end — one for home and one for work, for instance — and hire a telegraph line installer to connect them. Reliability wasn’t difficult to ensure at this small scale, as long as someone heard the caller whistle through the line — the pre-ringer signal that a call was coming in.

JR-Reagan-Deloitte-portrait

JR Reagan writes regularly for FedScoop on technology, innovation and cybersecurity issues.

Likewise, cybersecurity in its earliest years relied almost exclusively on firewalls to filter out “untrusted” Internet traffic. Safeguarding a single desktop computer connected by phone lines to a contained World Wide Web was fairly simple. As happened in the telephone industry, however, the cyber scale is quickly expanding – and so are the challenges.

According to the book “Seeing What’s Next,” by Clayton M. Christensen, telephones first appealed to businesses, which saw value in enabling workers to communicate more efficiently among themselves and with other offices. The trend soon spread to households, and by 1900, the number of phone users reached 1 million. By 1904, more than 6,000 telephone companies independently provided phone service, which, by most accounts, fell far short of the “five nines.”

“Coordination was difficult, network monitoring was next to impossible, operators experienced diseconomies of scale, and service quality suffered,” Christensen writes. Sound quality also suffered, shared “party lines” often forced people to wait to make calls, and long distance calling was extremely difficult, complicated and expensive.

And yet — the industry reached “five nines” availability. How?

Consolidation is one answer: As Christensen’s book details, the Bell Telephone Co. bought its competitors, forming a virtual monopoly throughout the U.S. One positive result was standardization, which enabled the utility to invest heavily in research and development. It also led to new technologies for use across its ever-expanding service area: private phone lines, direct dialing as opposed to placing calls via operators, long-distance calling and 99.999 percent reliability.

As a result, the telephone has become an essential item for all, even given for free to low-income residents under a federal program.

The telephone’s success happened, in part, because innovators moved beyond a piecemeal approach to design on a grand scale, engineering improvements across the entire network. At the same time, they figured out how to give people what they want: around-the-clock reliability, with the phone company — not the customer — held responsible when things go wrong; ease of use – making a call today, even long distance, today is a simple, intuitive task , requiring no special training; and quality experiences, without the frustrations of dropped calls or distorted sound.

What can we in cybersecurity learn from this success story? In many ways, our profession seems still in the early, “piecemeal” phase, with many focusing on protecting their own organizations’ data and that of their customers, or on developing apps to secure a single device or network.

But as the telephone’s history indicates, success may come only when we “think big,” enlarging our scale, moving beyond the local (company-focused or product-focused) to the global (industry- or even Internet-focused). To get there, we might collaborate with one another for a common good — such as data protection — and innovate strategies and solutions to thwart intrusions systemwide.

And, like the phone industry, we ought to always keep the customer front and center in whatever we design, aiming for easy-to-use cybersecurity with nearly perfect reliability.

It’s one thing to manage cybersecurity on a single cell phone, tablet or laptop. It’s more difficult when you’re protecting all the devices in a single business. And it’s exponentially more challenging to design security for systems used by millions and billions of users.

The Internet of Things, with connected devices perhaps numbering in the trillions someday — potentially serving as hackable portals to our networks and data, could explode the cyber scale almost beyond comprehension. Do we wait until that happens to finally figure out how to keep data safe?

For truly effective cybersecurity design, scale is becoming a critical factor. Ironically, as the telephone’s narrative shows, large-scale solutions can be not only the most difficult to devise, but, once achieved, the most effective. Now, as never before, we in the profession need to ask: How do we solve for the really big problems?

JR Reagan is the global chief information security officer of Deloitte. He also serves as professional faculty at Johns Hopkins, Cornell and Columbia universities. Follow him @IdeaXplorer. Read more from JR Reagan.

Lockheed, Leidos merger creates $10B government services giant

Lockheed Martin will merge its IT and government services subsidiary with Leidos Inc., in a complex and tax-advantageous deal, creating the largest government services provider in the U.S. with a $10 billion annual revenue base, the companies’ executives said Tuesday.

Bethesda, Maryland-based Lockheed’s government IT wing, with more than $5 billion in sales and 16,000 employees, is being sold to Reston, Virginia-based engineering giant Leidos for cash and stock. Leidos itself was spun off from Science Applications International Corp in 2013. 

The deal, which is subject to regulatory approval, is expected to close in the third or fourth quarter of 2016.

“By bringing together our IT business with Leidos’ already strong customer base, we will create a competitor with the scale, portfolio and expertise to deliver unparalleled solutions and incredible value in a highly competitive contractor environment,” Lockheed Martin CEO Marillyn Hewson said in a investor call Tuesday.

On the call, other Lockheed and Leidos executives said they expect the company to pull in $10 billion in revenue, nearly double that of its closest contracting competitors, Booz Allen Hamilton and CSRA, Inc.

Sixty percent of Lockheed’s information systems business is based in civilian agency work such as health, energy, aviation and space, and science, while the remaining 40 percent works with defense, intelligence and commercial cybersecurity.

Leidos CEO Roger Krone said his company gains “important mindshare” from the deal, becoming a juggernaut in technology, employees and resources for the federal government.

“By bringing these great organizations together, we will be able to provide a comprehensive and compelling range of solutions to address needs of customers in defense, intelligence, civilian and commercial markets,” Krone said during the call.

Leidos declined any further comment to FedScoop.

With the combination of portfolios, the new service provider works with a suite of government agencies, including all four branches of the military, the intelligence community, the Defense Information Systems Agency the and the Defense Health Agency on the defense side, and the departments of Veterans Affairs, Health and Human Services, and Homeland Security, the General Services Administration, and the Social Security Administration on the civilian side.

The deal was engineered as a Reverse Morris Trust, a process similar to a merger that minimizes the seller’s tax liability. Lockheed will receive a one-time special cash payment of $1.8 billion, while the company’s shareholders will receive 50.5 percent equity in Leidos, worth approximately $3.2 billion. Leidos is expected to pay its shareholders a special dividend of about $1 billion.

Shares of both companies tumbled badly in the wake of the announcement Tuesday morning, although Lockheed’s recovered somewhat during the afternoon, closing at $209.93, down just over a dollar. Leidos closed at $48.83, down $4.83, or 9 percent.

Citizen satisfaction down again for federal government, but trend slowing — report

Citizens’ satisfaction with the federal government was down again last year, but the decline has slowed pace compared to prior years, according to a new report from the American Consumer Satisfaction Index. 

The federal government’s citizen satisfaction score dropped for the third straight year in 2015 to 63.9 out of 100, down 0.8 points from a year prior. Despite the decline, the negative trend is tapering off from more severe dives of 2.3 and 1.7 points in 2013 and 2014, respectively. 

Private sector industries have also seen a multiyear skid in satisfaction, according to ACSI’s 2015 report on citizen satisfaction. Though federal government’s satisfaction rate is in some cases more than 10 points lower than the private sector — transportation scored 74, health care, 75, and retail trade, 77 — that gap is narrowing.

“Deteriorating customer satisfaction was widespread in 2015, and the slump in citizen satisfaction is similar to what we observe in the private sector or among voters in the political arena,” Claes Fornell, ACSI chairman and founder, said in a release

Breaking down the aggregate federalwide score, there were several increased sub-ratings corresponding to key drivers of citizens’ satisfaction across government, which, Fornell said, signal a possible turnaround coming soon.

“Citizens find information received from agencies to be clearer and more accessible compared with a year ago,” the report states. “Likewise, the timeliness and efficiency of processes improves, as well as customer service (measured as courtesy and professionalism of staff). User perceptions of website quality (ease and usefulness) are unchanged year-over-year.”

“If the small gains in the drivers of citizen satisfaction take hold or continue to rise, we might finally see a bit of a turnaround,” said Fornell.

Of course, the federal government is a massive enterprise, and the scores for individual departments varied widely. At the top of the citizen satisfaction index, the Department of the Interior scored a 75, and close behind were the departments of State and Defense, with respective scores of 71 and 70. The Treasury Department earned the lowest score of 55, thanks the IRS’ notoriously low citizen satisfaction rates. The Department of Veterans Affairs also saw a low score of 60, which the report attributed to “the myriad problems experienced by Veterans Affairs in delivering health services to a swelling number of veterans.”

“The disparity between the Department of Defense and Veterans Affairs is notable because it speaks to the vastly different experience of our military personnel,” ACSI Director of Research Forrest Morgeson said. “Services are great when you’re enlisted, but the federal government has many challenges in delivering health services to its massive and growing population of veterans.”

And in some cases, the evolution of digital services increased the ease with which citizens interacted with federal agencies and in turn boosted their satisfaction. For instance, citizens who filed forms electronically rated the IRS at 76, while paper filers gave it a 56 — a 20-point difference in satisfaction.

But a recent survey of federal managers conducted by Deloitte Consulting LLP, found that most agencies lack analytic tools to distinguish customer segments, don’t use customer relationship management software, and haven’t aligned their staff incentives with customer-centric service. 

“Listening to the customer and incorporating feedback would not only help the Federal Government improve its ACSI score, but more importantly, improve mission delivery by getting services to the American people in a more efficient and effective way.” said Greg Pellegrino, Deloitte principal and customer strategy specialist.

DOJ extending global reach to thwart cybercrime

The Justice Department has stationed investigators and prosecutors in five countries on three different continents in the past fiscal year, focused solely on information sharing to thwart cyber criminals.

Leslie Caldwell, the assistant attorney general in the Justice Department’s Criminal Division, spoke Monday at the Internet Education Foundation’s State of the Net conference about these partnerships and the work her team has done, addressing how technology has both “expanded and complicated” the department’s capacity to detect, investigate and prosecute crimes.  

“As law enforcers have become better equipped, so have the law breakers we’re working to disrupt,” Caldwell said. “Digital technology has transformed how police and prosecutors do our jobs, but it has also transformed how wrongdoers commit their crimes.”

In the past fiscal year, the FBI has embedded three permanent legal attaches in the United Kingdom, Canada and Australia, along with prosecutors in Eurojust, the European Union’s equivalent to the FBI, and Southeast Asia. These people have been tasked with facilitating information-sharing agreements, improving cooperation on investigations and building relationships with foreign law enforcement.

These partnerships build upon cyber-focused operations the department has already carried out, including one with the European Cybercrime Centre that brought down the Dark0de hacking forum — an online forum where hackers convened to buy, sell and trade malicious software, botnets, intrusion tools and stolen personal information.

“The Web hosts groups and individuals who seek to harm our core security interests — from state-sponsored hackers conducting economic espionage; to rogue militants and official cyber warfare units targeting our infrastructure; to terrorist groups plotting attacks, radicalizing recruits and spreading hateful ideologies,” Caldwell said. “These emerging threats require nimble, innovative and adaptive responses, and at the Department of Justice, we are committed to doing our part to ensure that law enforcement stays a step ahead of bad actors.”

Caldwell also renewed the department’s call for tech companies to provide law enforcement with a way to access encrypted communications during investigations. She said law enforcement is committed to obtaining the necessary warrants to access people’s electronic information, but investigators are often at a loss even when they follow the letter of the law.

“The Department of Justice is completely committed to seeking and obtaining judicial authorization for electronic evidence collection in all appropriate circumstances,” she said. “But once that authorization is obtained, we need to be able to act on it if we are to keep our communities safe and our country secure.”

You can read Caldwell’s full comments here.

GOP candidate Carson pitches new federal cybersecurity agency

Republican presidential hopeful Ben Carson laid out plans to establish a special agency of the federal government to protect the nation’s cybersecurity in a new policy document posted on his campaign website Monday.

Calling the current cybersecurity policy “disjointed and ineffective,” the plan pitched a new National Cyber Security Administration — an organization that would identify cyber best practices, create incentives for information sharing between industry and law enforcement, encourage students to pursue math and science careers, research viruses and vulnerabilities, and serve as a resource on digital privacy issues.

The so-called NCSA would not be “a new federal bureaucracy,” but instead consolidate “redundant programs” throughout the government, according to the plan, which is signed by Carson.

“The NCSA will create a unity of purpose, not just across federal agencies, but in cooperation with ‘We the People,’” the plan says. “This will be America’s venue to bring together experts and lay persons towards a common goal of securing the country, from the individual user at home to the highest government official.”

In the plan, Carson compares his vision to that of Democratic President John F. Kennedy when he in 1961 announced his aim to put a man on the moon by the end of the decade, calling on the country to embrace the space race.

“We are in a Cyberspace Race, and we need a leader to present a bold vision to drive American innovation,” the plan says. It adds, “A Carson administration will lead a nationwide effort, not only to secure our nation against cyber attacks, but to make America the unquestioned cyber power on the planet.”

The plan comes out days before the Iowa primary caucus on Feb. 1 — where several polls have Carson, once the Republicans’ national frontrunner, coming in at the single digits. Carson isn’t the first Republican running for a spot on the 2016 presidential ticket to release a cybersecurity plan: former Florida Gov. Jeb Bush’s plan, released in September, espoused support for the Cybersecurity Information Sharing Act and better promotion of the National Institute of Standards and Technology’s cybersecurity framework.

The Carson plan says the country’s growing reliance on the Internet underscores the importance of securing its cyber defenses.

“[W]e must be vigilant and proactive in protecting the United States and its citizens from the unique dangers it creates,” Carson’s plan says.

Champlain College, OPM team up again on new cyber skills degree

Champlain College is offering a new online Master of Science in information security operations, the first advanced degree focused on strategic prevention and response to cybersecurity attacks, and other high-tech incidents. Federal workers and their families will have access to this degree at half the price of standard tuition rates, according to officials.

The private college, based in Burlington, Vermont, wants to become the premier stop for professionals who want to learn how to respond to data loss and cybercrime, while also beefing up their technical skills and industry knowledge. It also has campuses in Montreal, Quebec, and Dublin, Ireland.

Mika Nash, academic dean of the Division of Continuing Professional Studies, said the program is designed to help fill the hundreds of thousands of open cybersecurity jobs around the country. According to the U.S. Bureau of Labor Statistics, in about seven years, there will be a nearly 37 percent employment growth for information security professionals who need a bachelor’s or master’s degree.

“Cyberspace and infrastructure vulnerabilities are constantly evolving and addressing those weaknesses is critical to enterprise-wide security,” Nash said in a statement. “Champlain College’s new online M.S. Information Security Operations degree program prepares our students to face problems with sought-after expertise and enables them to effect change at the operational level.

Last April, the college and the OPM announced a new initiative for federal workers and their families to choose from more than 60 courses online to pursue degrees in cutting-edge technology, business and healthcare.

This new program will help students learn how to identify risks, have a deeper understanding of current and future attack vectors, protect critical information in databases, and increase operator and administrator effectiveness. It is made up of two online eight-week terms per semester, three semesters a year. It was created for students who have their bachelor’s degrees in information security, as well as for IT professionals.

“There is an increasingly acute need for security professionals who can bridge big picture enterprise strategy with day-to-day operations,” said Felix Lopez, director of enterprise programs at MetLife. “This program will help fill that void, providing real strategic value to the enterprise while also supporting our company’s commitment to career growth and advancement opportunities for our employees.”

The deadline to apply for the next online M.S. in information security operations is Feb. 8. Champlain College is currently accepting applications, and prospective students can apply online here. The first session starts March 14.

This story was originally posted on EdScoop.com.

Reach the reporter at corinne.lestch@edscoop.com or follow her on Twitter @clestch and @edscoop_news.

U.S., E.U. officials: ‘Time to act’ on Safe Harbor agreement

Both U.S. and European officials said Tuesday that while negotiations over a new Safe Harbor agreement have been productive, time is running short to formally finalize an accord before European data privacy regulators decide to take action against U.S. companies.

A Commerce Department representative and member of the European Union’s delegation spoke Monday as both sides hurry to complete a deal that will allow for the legal transmission of E.U. citizens’ personal data to the U.S. Justin Antonipillai, a counselor for Commerce’s undersecretary for economic affairs said there has been “constructive dialogue,” but now is the “time to act.”

“We are very, very focused on making sure that the Safe Harbor is improved, that we respect both sides institutions and laws, that we provide enough information about how our law enforcement and national security apparatuses operate and all of the limitations in which they do operate,” Antonipillai said at the Internet Education Foundation’s State of the Net Conference in Washington, D.C.

The initial Safe Harbor agreement, which was created in 2000, was invalidated last October when the European Court of Justice ruled that the NSA’s surveillance practices violated the agreement, because the self-certifications from U.S. companies could no longer be trusted due to the legal authority the agency had to enforce their cooperation.

European privacy regulators gave officials a deadline of Jan. 31 to reach a new deal. 

Andrea Glorioso, who has represented the E.U. during the negotiations, said both sides are continuing to work in good faith despite the court ruling, noting that they were working on updating the Safe Harbor agreement long before the October ECJ ruling.

One of the bigger sticking points for the agreement has been the Judicial Redress Act, which is scheduled for markup this week. The act would extend data protections and remedies available to U.S. citizens under privacy law to European Union citizens giving them a framework for legal recourse — known as the Umbrella agreement — if U.S. agencies are found to violate the privacy rights of European citizens.

Glorioso said that despite the calls for the act to be passed in order to speed up Safe Harbor negotiations, he doesn’t feel it’s a necessary piece of the puzzle.  

“Throughout our discussions, we have not asked for legislative changes in the U.S,” he said. “Our objective is to arrive at a situation which is satisfactory on both sides. Call us naive, but we think there is flexibility for us to achieve what we want to achieve within the legal framework within the U.S.”

While both sides seem to be positive that a deal will get done, a trade group representing many companies that would be affected by the failure to reach agreement said they have are growing uneasy as the deadline looms.  

“Uncertainty is the best way to characterize where my companies currently sit,” said Bijan Madhani, a lawyer with the Computer & Communications Industry Association. “Over the past three months, they have been sitting on a knife’s edge because they are operating in good faith under the prior Safe Harbor that was in existence. With a tenuous legal basis as best, the Jan. 31 deadline has loomed ominously.”

Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found hereSubscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.