EPA releases limited summary of cybersecurity report
Auditors found that the Environmental Protection Agency had 30 systems containing sensitive personally identifiable information — but didn’t reveal much else — in a summary of a cybersecurity report released Wednesday.
“There could be a little bit more transparency in here,” said John Pescatore, director of emerging security trends at the SANS Institute, a cybersecurity research company.
EPA’s Office of Inspector General said in the overview that of the 30 relevant systems identified, auditors sampled two for its report. It also noted that EPA does not own any systems that hold national security information. The EPA IG on Thursday also released a separate summary of a similar audit for the Chemical Safety Board, which it also oversees, reporting the board has one system that stores sensitive PII.
“Because the report contains sensitive information, we only made available to the public the ‘At a Glance’ page of the report,” Jennifer Kaplan, EPA’s deputy assistant inspector general for congressional and public affairs, said in an email.
The reports were put together to comply with the Cybersecurity Act of 2015, passed last year as part of a larger bill in the wake of the data breach at the Office of Personnel Management and intended to evaluate how agencies fare in some of the most important security indicators, Pescatore said.
Speaking about the EPA report summary, Pescatore noted that he thought evaluating two systems of 30 “seems a little low,” even if the figure accounts for nearly 10 percent of the systems. Also, he said some of the items said to be included in the report — like “reasons why monitoring and detecting capabilities are not used if applicable” — could potentially be released to the public.
“I think there is some information that could be released publicly that’s not going to give away information to attackers,” he noted. The report, he said, could be redacted or sensitive sections could be eliminated.
He added, “This thing they released is pretty much nothing but saying, ‘OK, we did what we had to do.’”
At the same time, Kaplan defended the size of the sample reported in the summary, saying, “It is typical for an audit to review a sample of the total number of systems in place.”
And Braden Perry, a cybersecurity attorney at the Kansas City, Kansas-based firm Kennyhertz Perry LLC and a former senior attorney at the Commodity Futures Trading Commission, noted that if the agency’s systems are set up similarly from a security standpoint, their processes, practices, policies and procedures would be similar as well.
“Two out of 30 is a small percentage but could be indicative of the systematic nature of their cyber environment,” he noted in an email.
He added that he wasn’t surprised the findings weren’t made public.
“[T]he EPA agreed with the findings, so likely there are no extraordinarily controversial findings,” he said.
DeSalvo stepping away from national coordinator for health IT role
Karen DeSalvo is leaving her position as national coordinator for health IT to pursue her second role as the acting assistant secretary for health at the Department of Health and Human Services full time.
HHS Secretary Sylvia Burwell named Vindell Washington, currently the principal deputy national coordinator in the department’s Office of the National Coordinator for Health IT, to replace DeSalvo.
“Karen has served tirelessly as the National Coordinator since joining the Department in January 2014,” Burwell wrote in a staff announcement. “Under her leadership, ONC has advanced interoperability across the health system – which underpins progress on a wide range of department and administration priorities. She has also made significant advances to the Health Information Technology Certification Program to promote and expand the safe and secure flow of electronic health information when and where it matters most for individuals and clinicians.”
DeSalvo has been serving in both positions since Burwell appointed her as her acting assistant in October 2014 to help in the fight against Ebola. She joined ONC in January 2014 replacing Farzad Mostashari, who left the previous October.
During her time at ONC, DeSalvo has led updates to the Federal Health IT Strategic Plan and the development of the Nationwide Interoperability Roadmap.
As her replacement, Washington will “continue to lead the administration’s efforts to leverage health information technology to reform how we pay for and deliver care; transform health research and innovation to empower clinicians, individuals and communities to manage their health; and oversee implementation of the Federal Health IT Strategic Plan and the Nationwide Interoperability Roadmap to unlock digital health data and ensure it is widely accessible, usable, and transferable throughout the public and private sectors,” Burwell wrote.
White House: Competitions and challenges growing in use, sophistication
In the coming years, more agencies will likely create increasingly ambitious and sophisticated prize competitions and challenges that leverage partnerships, a White House report published Wednesday predicts.
The White House Office of Science and Technology Policy’s report analyzed public-sector prize competitions and challenges, and found that in fiscal year 2015, the public sector was using prize competitions and challenges more often, and using partnerships to make them more ambitious.
More competitions and challenges in 2015 were also focused on technology development, the report found. Of the 116 prize competitions agencies conducted in fiscal 2015, half of those listed “develop technology” as one of their goals, a 23 percent increase from the year before.
The report — which OSTP is providing to the House Committee on Science, Space, and Technology and the Senate Committee on Commerce, Science, and Transportation — comes after the Senate committee approved legislation this summer that would work to spur science and technology research and development, and would reaffirm agencies’ authority to conduct prize challenges.
In fiscal 2015, partnerships enabled more ambitious prize designs, the report notes, but it added that the government could still work to expand overall level of ambition in competitions. The report provided several examples of “ambitious projects,” including competitions held by the National Institute of Standards and Technology, and NASA.
“Partnerships with other Federal agencies, not for-profit and for-profit entities allow agencies to be more ambitious in designing and executing challenges because partners are able to provide additional resources and perspectives,” the report says.
The NIST Head Health Challenge III, one of the examples listed, is a challenge to develop materials with good energy absorption and energy dissipation. NIST partnered with the National Football League, Under Armour and General Electric, offering up to $2 million in prizes. Five teams have been selected as first round awardees, and early next year, the judges will select a winner for the grand prize.
The challenge “is quite ambitious in that it relies on multiple partnerships, provides testing for a technology development challenge and involves NIST in a complex judging process,” the report says.
NASA’s Cube Quest Challenge, another example, has a total of $5.5 million in prize money. The overall goal is to “develop and test subsystems necessary to perform deep-space exploration using small spacecraft,” according to the report. Selected teams will launch as a secondary payload on the Space Launch System rocket.
“This incentive is the first time NASA has offered a ride on a rocket through a prize, which shows a more serious use of prizes for in-space technology demonstration,” the report notes of the challenge, in which NASA’s Ames Research Center is partnering with San Jose State University.
Registration for the challenge began in 2014, and the challenge is expected to run for four years.
The report also noted that some competitions used new ways to engage the public, including:
- Soliciting comment on draft rules;
- Running pilot challenges to get feedback;
- Publishing winning resources as open source;
- Using crowdfunding to support participants; and
- Asking winners to create webinars on their solutions.
Overall, challenges and prize competitions have unique benefits, the report notes.
“As Federal employees extend the use of leading innovation techniques such as prizes and challenges, our public sector workforce will be better equipped [to] tackle intractable problems like climate change and infectious diseases, while making meaningful advancements in scientific research, technological development, educational attainment, and economic prosperity,” the report summary says.
Marines must train for when network’s not there — corps commandant
Modern Marines depend heavily on information dominance, electronic and cyber warfare, and network-based communication for their battlefield advantage. Despite that, it’s imperative they also train with the mindset that those technologies won’t always be there when they need them, a Marine Corps general said this week.
“There’s a balance. We have to leverage the technology we have — it gives us an operational advantage — but at the same time, which makes training even harder, you have to work through or be prepared for when it’s not there,” Commandant Gen. Robert Neller said during a discussion with the Center for Strategic and International Studies.
With more than 40 years as a Marine, Neller recalls his own combat experience “when we were underneath the poncho at night with a flashlight stuck in our mouth trying to read the map and figure out where the hell we were, hoping some sergeant could tell us” and “where you’re operating on single-channel radio and if it worked 50 percent of the time, you were ecstatically happy.”
Marines today have grown up and been trained in an environment that’s much different, he said.
“[T]hey walk into the operations center and they’ve got big screen TVs with common operational picture, they know exactly where all their people are cause they have ‘blue force tracker,’ they can see the airplanes, they’ve got perfect comms, they’ve got multiple means digitally to chat or to text, let alone voice…,” Neller said.
“The fight that we used to think about in air, land and sea, and under the sea, has now expanded to space, to cyber and to the information domain,” he said.
As much as Marines have come to expect those technologies will be at their disposal on the battlefield, Neller isn’t so sure that will always be the case. Some oppositional forces may have the capability to jam communications and contest Marine networks, especially when the fight is on their own turf.
“We have developed a system of warfighting that is very dependent on the Internet, the network and space,” he said. “So looking at our potential adversaries, do we think that that’s going to be there if we were to engage with these folks? I would say I don’t know. I don’t think you can assume that.”
Neller added: “In fact I would think our friendly center of gravity from a tactical sense is we have to protect our network. If we lose that, then now we’re back to paper maps and [high frequency] radio…”
So they’re training more for that very scenario. In force-on-force training at Twentynine Palms training center in San Bernardino, California, the corps is purposely throwing a wrench into the plans of Marine trainees.
“It’s simple stuff like that, jamming the radio or saying, ‘Hey the GPS doesn’t work,’ or ‘The whole network server just crashed,’” Neller said. They even give the oppositional training teams new technologies like small unmanned aerial vehicles that many trainees haven’t encountered.
Despite these Marines’ dependency on modern technologies, Neller believes they will be able to adapt with the right training.
“I have no doubt in my mind that our force will figure it out — that they’re much smarter, more capable, more adaptive than we ever were, cause they’ve grown up in this, and they’ll adjust,” he said. “But we’ve got to put them in situations to where they deal with it. Because you train based on what you think is going to happen to you in the environment.”
Las Vegas security conferences were crawling with feds
A team competing in the CTF competition at DEF CON 17 // Creative Commons
What used to be a side game among DEF CON attendees is now as commonplace as the security conference’s electronic badges.
“We used to do ‘spot the fed,’ where we would try to oust feds, and now we have invited feds to our panels to sit there and talk with us in a productive manner,” said Beau Woods, Atlantic Council deputy director, during an event Wednesday at the D.C.-based think tank.
Woods, along with Federal Trade Commission Chief Technologist Lorrie Cranor, Tenable Network Security strategist Cris Thomas and former White House cybersecurity official Jason Healey, spoke to how U.S. government officials descended on Las Vegas last week to strengthen existing and form new relationships with the cybersecurity and hacker communities.
This year’s Sin City-based BSides, DEF CON and Black Hat cybersecurity conferences were well attended by government officials, Thomas said — especially so in comparison to past years.
One of the keystone moments of the week was a fundraiser held by Democratic presidential nominee Hillary Clinton’s campaign, which was hosted by Black Hat founder Jeff Moss. Moss has bridged both the hacker and government communities in recent years, including serving on an advisory council for the Department of Homeland Security.
“From the earlier days of these conferences … it was so apolitical,” said Healey. “I think the [fundraiser] really caught a lot of people as the maturation of the field. Like all of a sudden now we matter. We used to have to go to D.C. to testify and now it is coming to us.”
Cranor spoke at BSides and DEF CON, the latter with FTC commissioner Terrell McSweeny about privacy and digital security. Cranor explained that the FTC attended the conferences to “learn, listen and do outreach.” In the past, the FTC has operated a trade show booth and organized contests for conference attendees.
Among other feds, officials from 18F, the Department of Homeland Security, Commerce Department and National Institute of Standards and Technology, or NIST, attended DEF CON.
Capitol Hill also had a presence in Vegas. Two sitting congressmen, Reps. Will Hurd, R-Texas, and Eric Swalwell, D-Calif., were interviewed by Facebook Chief Security Officer Alex Stamos during a panel on how information security professionals can approach elected officials with cybersecurity issues.
“I think we’re seeing a change in government attitudes towards ‘hackers,’” said Thomas. “Twenty years ago it was nothing but FBI raids, now you have groups like Commerce and FDA and FTC and [Defense Department] who are reaching out and trying to bridge that gap … they’re trying to say, ‘Hey, come help us out.’”
Healey — a longtime DEF CON attendee and former NSA officer — believes that the White House holds the power to help accelerate and foster broad relations between the government and hacker community by pursuing specific policy remedies, he told FedScoop following the event.
Healey said if Washington supports strong encryption without compromise it would be a big first step. Additionally, Healey said the White House should compel law enforcement to be more candid about how it can access encrypted data stored on electronic devices.
“I, for example, want to know what the White House was doing on the Apple-FBI bug … the FBI was saying ‘We don’t know what this vulnerability is we can’t possibly submit it to the Vulnerabilities Equities Process,’ ” he said, referring to the bureau’s fight to unlock the iPhone owned by one of the San Bernardino shooters. “To me, that’s against the policy, that’s against the president’s clear intent — it was the president who originally approved this policy.”
Healey also said the federal government must be careful about how sitting judges use the Computer Fraud and Abuse Act to prosecute computer researchers.
“The memory of Aaron Swartz goes a long way on this and what can happen under the laws — and not being convinced that those days are over — that really hurts,” he said, referring to the computer programmer who committed suicide in 2013 while in the midst of a contentious legal battle with federal prosecutors.
‘Gray hat’ cyber firm outbidding Apple for iOS zero days
A Texas-based cybersecurity firm announced this week it will offer up to $500,000 for newly discovered security holes in Apple’s mobile operating system, iOS — effectively outbidding the tech giant’s own bug bounty program just days after it was unveiled.
“Want $200k for an iOS hack — head to #Apple. Want real $$? You know where to find us,” tweeted Austin, Texas-based Exodus Intelligence Tuesday.
In a statement announcing their new “Research Sponsorship Program,” the company said it is “focused on acquiring vulnerability research and exploits from the global cybersecurity research community.”
Exodus will also pay big money for new flaws found in Google Chrome ($150,000), Microsoft Edge ($125,000), and Mozilla’s Firefox ($80,000).
Apple’s own bug bounty program, announced last week at the 2016 Black Hat security conference, offers a maximum of $200,000.
In addition to newly discovered zero-days, the company also says it will buy exploits — fully developed malicious software — that use existing, known vulnerabilities.
That puts the company firmly in the so-called “gray hat” market segment, with products that can be used for cyber offense — although the company says it does due diligence on its customers.
“Our clients are largely made up of defensive vendors,” wrote Exodus President Logan Brown in an email to FedScoop. “Once we have a report about the vulnerability and exploit written up, we distribute the report to all of our subscribing clients in order for them to build defenses into their products or for red and blue team exercises.”
Exodus is also offering a novel reward system, where, in addition to the bounty, the researcher will get payments “every quarter the zero-day exploit is still alive.”
The company also offers payment in the form of the anonymous crypto-currency, bitcoin.
FDA issues draft guidance for software updates in medical devices
The Food and Drug Administration released new draft guidance to help clarify when makers of certain types of medical devices may need additional clearance for a software update.
Unveiled this week, the draft applies to medical devices, like MRI machines, that were put through FDA’s 510(k) submission process — a pathway, meant for products that pose a medium-to-low risk to patients, that requires manufacturers to demonstrate their product is “at least as safe and effective” as similar devices already on the market. The draft lays out under what circumstances makers of these devices would need to file another 510(k) submission to account for a change.
While Beau Woods, deputy director of the Atlantic Council’s Cyber Statecraft Initiative, said he didn’t see a lot that was new in the draft guidance, it could help to clear up some misconceptions about FDA’s policies among device-makers.
“It’s a great clarification that answers a lot of questions very explicitly and formally that a lot of manufacturers and health care delivery organizations have,” he said of the document.
Woods also highlighted the decision-making flowchart included in the draft, saying it would be a “powerful” resource for “anyone needing to make these types of decisions.”
Notably, the draft also reiterates that updates made solely to boost the device’s cyber defenses would not require a 510(k). That approach aligns with a separate draft medical device cybersecurity guidance from earlier this year and another final guidance on cybersecurity from 2014, according to Axel Wirth, health care solutions architect at Symantec cybersecurity company.
“I see a constant line here: Regulate where necessary, but don’t stifle for the sake of regulating,” he said. “I applaud the FDA for taking that approach.”
The draft was released at the same time as a separate, broader draft guidance about what kinds of updates might require a 510(k). Both would update a guidance from 1997 — “a millennia ago,” Wirth joked.
“When finalized, the two guidances will provide improved clarity, regarding minor changes that do not require FDA review, and help ensure that the FDA receives appropriate submissions for modifications that do require premarket review by the agency,” according to an FDA press release.
The public has until Nov. 7 to comment before the agency begins work on the final version.
Report: Global cyber market set to grow 10 percent a year
The global marketplace for cybersecurity goods and services, driven by increasing corporate fear of hackers and spiraling compliance and regulatory demands, will grow more than 10 percent annually over the next five years, according to new research.
That explosive increase will take the total value of the market from its current size of $122.45 billion to $202.36 billion by 2021, predicts the latest report from Dublin-based Research and Markets.
The predicted 10.6 percent compound annual growth is a couple of points off from a similar forecast the firm produced at the beginning of the year. That study estimated global growth would be 12.3 percent compound from 2016 to 2020.
Network security — fueled by fears of enterprise data breaches and by “the need for stringent compliance and regulatory requirements” — is currently the largest market segment, the new report says.
Driven by the exponential growth of the Internet of Things and corporate “bring your own device” policies, application security will be the market segment experiencing the highest growth rate over the next five years.
The banking, financial services and insurance market vertical “is expected to witness the highest [growth] during the forecast period because of the increasing adoption of web and mobile applications, which are prone to advanced cyber-attacks,” the market researchers conclude.
Asia and the Pacific will be among the fastest growing regional markets, because of “emerging economies, such as India and China, which are rapidly deploying cyber security solutions.”
Facebook Messenger: The new way to contact the president
Starting Wednesday, you can message the White House on Facebook and let the president know what is on your mind.
The White House has launched a Facebook Messenger chatbot to walk you through the process to reach the commander-in-chief.
The new bot is just one more way to make it easier for citizens to engage with government and reach citizens where they are, wrote Jason Goldman, White House chief digital officer, in a Medium post.
“The White House’s Messenger bot, a first of its kind for any government the world over, will make it as easy as messaging your closest friends,” Goldman wrote.
The use of chatbots coincides with the administration’s recent efforts to get ahead on potential future uses and risks of artificial intelligence. The White House Office of Science and Technology Policy announced an initiative in May to discuss artificial intelligence and held several workshops on various topics related to AI. OSTP also put out a request for information on artificial intelligence in June.
And as FedScoop reported in a recent article, Booz Allen Hamilton claims that messaging, through the use of chatbots, will in the next five years become the customer service norm.
FedScoop took the tool for a test drive. Upon opening a message window to chat with the White House, the bot promptly jumped into conversation.
“Hi! It’s great to hear from you—and we’re excited to learn what’s on your mind,” it said. “(Fun fact: the President reads ten of these messages every night.)”
“Ready to get started?” the bot asks.
The automated chatbot then invites users to write a message to the president, giving them a chance to check it over before sending and taking down their contact information.
To wrap up the conversation, the bot sent FedScoop a video of the president talking about what citizen letters mean to him and a parting smiley face emoji.
Happy birthday, USDS — a look back on 5 of the team’s defining moments
The White House’s U.S. Digital Service celebrates its second birthday Thursday.
In that time, the team has grown from a tiny tech SWAT team, built around the core group of former private-sector technologists who helped rebuild Healthcare.gov after its epic launch meltdown in 2013, into a 170-member-strong institution addressing some of the federal government’s biggest headaches involving digital technology. USDS has also launched smaller outposts at agencies across the government, like the Defense Department and the Department of Veterans Affairs, that are particularly flummoxed in delivering modern services and need a dedicated team to help lead a digital reinvention.
While the team has faced recent controversy around how USDS works with agency CIOs, and questions about whether it will be as effective after the transition to a new administration, the team has a laundry list of achievements to show for the last two years of work.
So, to celebrate USDS’ foray into its third year, we’ve compiled five of USDS’ biggest engagements and moments in the past two.
The Digital Services Playbook
Released with USDS’ launch two years ago, the playbook serves as a governmentwide guide for agencies considering building or buying a new digital service. The playbook lists 13 plays “drawn from successful practices from the private sector and government that, if followed together, will help government build effective digital services,” it explains.
Since then, the Digital Services Playbook — along with its corresponding TechFAR handbook, which gives agencies a look at alternative types of acquisitions — has served as the gospel for digital teams across government, often cited as a blueprint for how agencies should approach their acquisitions and service development to be more successful.
Hack the Pentagon
The only thing more impressive than the team’s ability to persuade DOD to allow a bug bounty called “Hack the Pentagon” is that it was the first of its kind in the federal government. Bug bounties are programs in which an organization, like a software company or in this case the Pentagon, pays independent cybersecurity researchers to find vulnerabilities on their systems.
The Defense Digital Service team successfully operated a bug bounty engagement earlier this summer, inviting 1,400 hackers to participate, 250 of whom found at least one vulnerability, though not all were eligible for a bounty because the flaws had already been reported or for other reasons. In total, DOD remediated 138 vulnerabilities discovered by the white-hat hackers. And now DOD Secretary Ash Carter wants to make the model a fixture within the Pentagon.
“We’ve done more with this pilot than make our networks more secure for the short term,” Carter said during a June press conference. “We’ve built relationships of trust for the long term. We’ve provided a roadmap for other government departments and agencies to crowdsource their own security.”
Vets.gov
Information and other resources for veterans to apply for their benefits are scattered across thousands of Department of Veterans Affairs websites. USDS partnered with the VA to launch Vets.gov last Veterans Day to consolidate those pages into one central portal. Though the project is still in development, the VA digital service team plans to continue rolling out new functions and features every week driven by customer feedback.
“Our process building Vets.gov will be one of constant refinement and improvement,” VA Secretary Bob McDonald said then. “Your feedback will guide and shape everything we do. That’s as it should be. This site isn’t about us — it’s about you.”
Work on the Immigration Application Process
The Department of Homeland Security U.S. Citizenship and Immigration Services’ digitization of its visa-granting process has been a costly and messy transformation, earning it a mention on the Government Accountability Office’s most recent biennial high-risk list. In particular, the agency’s five-year Electronic Immigration System project has run into all kinds of problems with its projected costs jumping by half-a-billion dollars since its launch.
USDS has since launched a team to join DHS and right the ship. In May 2015, USDS member Vivian Graubard explained how “[t]he scope of the project was too large and the timelines too long” and that “[i]t used a traditional waterfall methodology, which meant that the first product releases happened years after the project began; and the agency was heavily reliant on specific vendors. Years into the process, when the project was finally due to deliver results, it fell short of expectations.”
Another USDS member, Eric Hysen, has since been appointed to lead a DHS digital service team and continue redeveloping ELIS. That team created MyUSCIS, a portal to streamline U.S. Citizenship and Immigration Services’ offerings. And earlier this year, his team launched an online app, simplifying the process for the more than 700,000 people each year who choose to apply for American citizenship.
“While immigration reform is a deeply political issue, what shouldn’t be political at all is that those … people deserve a system that is effective and efficient,” Hysen said then.
College Scorecard
This tool, launched last September for the Education Department, allows students and families to look up data about colleges, including median and average debt rates, graduation rates, and salaries after graduating. USDS’ Lisa Gelobter led the tool’s design “with direct input from students, families, and their advisers to provide the clearest, most accessible, and reliable national data on college cost, graduation, debt, and post-college earnings.”
On its first day, the site saw 500,000 visits and 1.2 million page views.
These are just a few of the memories USDS has made over the past two years. Learn more about the team’s projects in an impact report released this week by the White House.