HHS Innovation Day tries to ‘hack red tape’
An office in the Health and Human Services Department told a team of the department’s innovators that its current model for website design is “launch, leave and hope.”
Usability testing is difficult, the HHS team learned, because collecting information from the public has to be approved to comply with the Paperwork Reduction Act if 10 or more people are asked standardized questions.
This is just one of many problems employees tried to tackle Thursday at the department’s HHS Innovation Day, an event packed with discussions on cutting through bureaucracy to solve tech, science and workforce-related problems. The day also included team presentations from HHS’ startup-style program, called Ignite Accelerator.
“Innovation is a force for good in this department and all across the federal government,” said Susannah Fox, HHS chief technology officer, in a speech to kick off the morning.
After her opening remarks and a Q&A, another panelist held an information session for audience members on design thinking. Post-it notes were placed around the room for participants to jot down ideas on how to promote design thinking within their workplaces.
Then, Ignite Accelerator teams competed for a chance to present as a finalist in the afternoon. The group assessing consumer usability was one of nine finalists.
Their project would aim to get around the Paperwork Reduction Act approval rule by providing a toolkit on how to use only nine people to improve web design, called “Talk to 9.”
“We are missing the mark because we are not talking to our audience before we create resources that are aimed for them,” said presenter Margeaux Akazawa, a presidential management fellow in the Office of the National Coordinator for Health IT at HHS.
Another project touched on a much-discussed issue this summer: improving Freedom of Information Act processes.
[Read more: Better tech, stronger disclosure policies could improve FOIA — experts]
The Centers for Medicare & Medicaid Services receives the most information requests per year of any entity in HHS — often on Healthcare.gov operations, the Affordable Care Act and the Medicare and Medicaid programs. But the process for submitting and tracking requests is fraught with inefficiencies, team presenters said.
CMS’ preferred method for requests is still paper, and citizens submitting information or correspondence requests have to sort through at least eight entry points to find the right one, the team wrote in their executive summary.
But the Ignite Accelerator team is trying to change that — by moving to FOIA Online.
In June, the Obama administration announced the government would launch in 2017 “a consolidated FOIA request portal,” which would be inspired by the service FOIA Online provides.
“What our goal is, is to bring a fresh new approach moving towards the 21st century,” said Janis Nero of the Office of Strategic Operations and Regulatory Affairs at CMS in her presentation. “We really want to modernize our process, which will increase customer service and customer satisfaction, and of course decrease wait time and decrease litigations, we hope, in the future.”
Survey: Health industry cyber pros moving beyond compliance
Information security professionals in the healthcare industry say their top priority is finding ways to deal with novel threats, rather than simply meeting standards set out in law or regulation, according to a new survey.
“The primary operational priority [of respondents] is the need to be able to deal with new threats, rather than compliance,” said Barbara Filkins, an analyst with the SANS Institute, a cybersecurity training and certification provider, who conducted the survey.
“Respondents are looking at their whole [IT] infrastructure, rather than just the database with the patients [electronic health records or] EHR in it,” she said.
“They’re taking a more holistic approach, not just ticking the box on their compliance … That’s the good news.”
Filkins said she believes the shift is due to the increasing tendency towards virtualization and outsourcing of data centers, along with the growth of mobile devices.
“Smartphones, tablets and laptops have become the stock in trade” of health professionals, she said. “Layer on that the increasing use by patients of mobile devices [to access their EHR] and the fitness industry wearables [that are also] hooked into them.”
“These endpoints are not something the security professionals have control over,” especially when they’re patient-owned, she added.
All this has “brought its own set of dark alleys to the healthcare industry,” she concluded.
The respondents, the largest number of whom (about 40 percent) work in hospitals, are overwhelmingly (80 percent) analysts or IT security managers, Filkins told CyberScoop. The remaining 20 percent are compliance specialists or privacy officers. The non-hospital based respondents work for other kinds of healthcare service providers, like urgent care centers, or for health insurers, she said.
The full results of the survey will be published next week in association with a webinar the institute is staging.
The survey reveals a notable disconnect or lag between threat perceptions and threat realities. For example, 38 percent of respondents consider medical devices on their network to be a high risk. Yet when asked about actual breaches, only 6 percent have experienced any that can be attributed to such devices.
Filkins speculated this might be because awareness of new threats runs ahead of their actual exploitation by hackers and cyber criminals. “There is a [time] lag” between the research that’s identified medical devices as a vulnerability on healthcare networks and the implementation of actual attacks, she said.
Real breaches continue to come mainly from traditional attacks, according to the survey, with the leading cause being phishing and spearphishing (56 percent) followed by insiders (39 percent).
“There’s a natural human curiosity that goes with access to medical information,” Filkins noted, adding there will always be the temptation to look up the records of celebrities or neighbors.
In general, “the industry has fairly rigorous controls and strong sanctions against privacy violations,” she said, giving as an example a geolocation function which will flag any queries where an employee is looking up records of someone who lives near them. “Usually there will be some type of alert and a follow up audit or request for justification,” she said.
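The proximity check Filkins describes can be sketched in a few dozen lines. The following is an added example written for this page, not code from SANS, Filkins or any vendor; the employee home coordinates, the EHR access log entries and the one-kilometre radius are all constructed assumptions. It goes one step beyond the description above by suppressing the alert when the employee has a documented care relationship with the patient, which is the obvious way to cut false positives before a record is sent for audit or a request for justification.

```python
import math

# Constructed sample data. In a real deployment the home coordinates would come from HR
# and the patient coordinates from the EHR's demographics table (both are assumptions here).
EMPLOYEE_HOME = {
    "nurse01": (38.8977, -77.0365),
    "clerk07": (38.9072, -77.0369),
}

# (employee, patient_id, patient_lat, patient_lon, on_care_team)
ACCESS_LOG = [
    ("nurse01", "P-1001", 38.8980, -77.0370, True),   # neighbour, but on the care team
    ("nurse01", "P-1002", 38.9010, -77.0350, False),  # neighbour, no care relationship
    ("clerk07", "P-1003", 39.2904, -76.6122, False),  # roughly 60 km away
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS-84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def flag_neighbour_lookups(log, homes, radius_km=1.0):
    """Return record lookups where the patient lives within radius_km of the employee's
    home and the employee has no care relationship that would justify the access."""
    flagged = []
    for emp, pid, plat, plon, on_care_team in log:
        if emp not in homes:
            continue  # no home address on file; cannot evaluate this heuristic
        dist = haversine_km(*homes[emp], plat, plon)
        if dist <= radius_km and not on_care_team:
            flagged.append({"employee": emp, "patient": pid, "distance_km": round(dist, 3)})
    return flagged


if __name__ == "__main__":
    for hit in flag_neighbour_lookups(ACCESS_LOG, EMPLOYEE_HOME):
        print(f"ALERT {hit['employee']} looked up {hit['patient']} ({hit['distance_km']} km from home)")
```

Only the second entry should fire: the first is within the radius but justified by the care relationship, and the third is far outside it.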
“The healthcare industry gets beat up a lot for not being as secure as they should be,” Filkins said, adding she might be seen as biased because she works in the sector. “But from another angle, this is the most complex IT and business environment there is … Providing security is really hard … The problem is the complexity is so great and getting greater every time something new gets thrown at us.
“The industry can’t keep up and I don’t see that changing.”
NSA wants to hire people that plan to leave for Silicon Valley
The NSA will explore the potential for cybersecurity-focused hiring programs that more easily allow for people to transition between the agency and private sector during the course of their careers, according to NSA and U.S. Cyber Command chief Michael Rogers.
“This is the one mission set that I have been involved with as a military professional for 35 years that we’re not even waiting for a team to be fully constructed,” said Rogers during a speech at the National Press Club Thursday. “As soon as we get a cadre together, we are putting teams on targets.”
That model is similar to the strategy released by the White House on Tuesday, which aims to recruit up to 6,500 new cybersecurity professionals into government. However, Rogers has been dealing with a new series of challenges while his organization’s budget is not expected to grow.
A stagnant budget in the face of growing costs is one of the reasons that the NSA has launched NSA21, according to Rogers, a campaign to reorganize the agency to focus on “people, integration and innovation.”
“It’s almost visceral, I feel like everyday we’re in a race to generate capacity and capability before the adversary,” said Rogers. “Think about what that means: We do not tell a fighter squadron: well, you’ve got five of your 24 aircraft ready, we’re sending you to Afghanistan.”
Acquiring the technological capabilities and people necessary to keep up remains a significant challenge, Rogers said, given the NSA’s intelligence gathering expectations are greater than ever before.
“You can’t do the same thing the same way over and over again and always expect to get the same result,” he said. “The world around us is changing and we have to change with it,” he explained.
In recent months, Rogers says he’s spent time in Silicon Valley, gathering advice from tech executives who have not only successfully hired top cybersecurity professionals, but also retained their talents.
“One of the challenges I found in the two and a half years I have been in these jobs is I am watching two cultures [that of Silicon Valley and the U.S. intelligence community] at times talk past each other,” said Rogers. “That’s why one of the things I am focused on is can we create a more permeable membrane where people can come back and forth.”
“The model in the military and the NSA has traditionally been once we get you in the door you tend to stay with us for a long time,” he continued. “I am not sure that that’s a model optimized for the future. I am interested in a model, for instance, where you can start with us but then go work in the private sector for a while and come back.”
The NSA’s reorganization project has brought together the offensive and defensive cyber operations — NSA’s Signals Intelligence and Information Assurance Directorate, respectively — to form what is known as the Directorate of Operations.
Additionally, another five directorates have been created at the NSA which individually perform functions like research, engagement and policy, workforce and support activities and a “new mission mode,” according to a diagram published on the NSA’s website.
To contact the reporter on this story: send an email via chris.bing@fedscoop.com or follow him on Twitter at @Bing_Chris. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.
Lawmakers introduce alternative to White House’s modernization fund
A group of computer-savvy lawmakers Thursday introduced an alternative to the IT modernization bill that has been languishing on Capitol Hill since April, offering a different path for how agencies could upgrade their legacy systems.
Rep. Will Hurd, R-Texas, introduced the “Modernizing Outdated and Vulnerable Equipment and Information Technology Act of 2016,” or MOVE IT Act, which would give agencies the ability to create a working capital fund that could be used to modernize the swath of outdated technology currently in use.
“Last year, the federal government spent $80 billion on IT,” Hurd said in a release. “What’s outrageous is that 80 percent of that is spent simply to maintain and operate outdated, legacy systems, some of which are not even supported any more by their manufacturers. Using these old systems makes data housed by federal agencies more vulnerable to digital attacks, and it’s a gigantic waste of tax-payers’ money! There is a better way to do this. This legislation is an outside the box, innovative solution and is another step forward in modernizing our digital infrastructure.”
The bill is a spin-off of the IT Modernization Act, which looked to set up a revolving $3.1 billion fund across the federal government that would be continually replenished by agencies as they realized savings from modernization. With the MOVE IT Act, agencies would be required to use their own funds but could keep the money saved from upgrades.
The bill would also call on the White House’s Office of Management and Budget and the National Institute of Standards and Technology to form performance metrics for the Federal Risk and Authorization Management Program, including the creation of a report to Congress of the program’s efficacy.
The bill, which was co-sponsored by Reps. Gerry Connolly, D-Va., and Ted Lieu, D-Calif., comes as the House leaves D.C. for its summer recess. A Senate companion, introduced by Sens. Jerry Moran, R-Kan., and Tom Udall, D-N.M., will also languish as the Senate does not plan to return to Washington until September.
While the MOVE IT Act awaits the return of the House, sources have told FedScoop the introduction of this bill means the IT Modernization Fund, which was introduced by House Whip Rep. Steny Hoyer, D-Md., is all but dead.
The House version is also sponsored by Reps. Robin Kelly, D-Ill., Barbara Comstock, R-Va., Jaime Herrera-Beutler, R-Wash., Derek Kilmer, D-Wash., Kevin Yoder, R-Kan., and John Culberson, R-Texas. The Senate version is also sponsored by Sens. Steve Daines, R-Mont., and Mark Warner, D-Va.
Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.
Chinese web browser found beaconing back to Beijing
A Chinese-made internet browser, used by millions worldwide, is collecting sensitive data from its users and sending it back in an encrypted zip file disguised as an image, security researchers announced Thursday.
“Essentially, the information that is being transmitted back contains almost everything you would want in conducting a reconnaissance operation to know exactly where to attack,” wrote Fidelis Cybersecurity CSO Justin Harvey in a blog post.
The exfiltration was discovered, using Fidelis tools, by one of the company’s partners: Polish security firm Exatel. The browser is made by Chinese cloud firm Maxthon. The firm has between three-quarters of one percent and one percent of the global browser market, mostly in China, but with millions of users around the world.
Maxthon’s PR contractors did not immediately respond to an email requesting comment.
The discovery highlights the opacity of installed code. For the ordinary user downloading software from the Internet, there is almost no way to tell what data it may be collecting or where it might be sent.
“Often we’re installing software onto our endpoints at home and at work, but we’re not verifying that the code is doing what it is purported to do. Visibility into both the network and endpoints has become critical for organizations,” writes Harvey.
“There is still relatively low awareness of these practices,” he added, urging users to “trust but verify” software.
The Maxthon browser sends back information including the operating system being used by the user’s computer, the type/speed and installed memory of the CPU, the web address of each and every page the user visited, including Google searches and a list of all installed applications including their version numbers.
“Knowing the exact operating system and installed applications, and browsing habits it would be trivial to send a perfectly crafted spearphish to the victim or perhaps setup a watering hole attack on one of their most frequented websites,” writes Harvey.
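The detail that makes this exfiltration interesting for defenders is the disguise: an encrypted zip archive leaving the network under an image name. The cheapest network-side check for that is to compare what the transfer claims to be (file extension or Content-Type) against the file's magic bytes, and, when the bytes say ZIP, to read the general-purpose flag in the first local file header, whose low bit marks an encrypted entry. The block below is an added example written for this page, not Fidelis, Exatel or Maxthon code, and it says nothing about the exact format Maxthon used; the signature table, the sample PNG header and the in-memory archive are constructed for the demonstration, and because the standard library cannot write password-protected zips the encryption bit is set by hand to model one.

```python
import io
import struct
import zipfile

# Constructed magic-byte table: only the formats this check needs to tell apart.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"PK\x03\x04": "application/zip",
}

# A minimal PNG prefix (constructed sample, not a valid full image).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def sniff_type(data: bytes) -> str:
    """Return the MIME type implied by the leading bytes, regardless of the declared name."""
    for magic, mime in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag (offset 6 of the local file header) marks an
    encrypted entry, so a disguised archive can be spotted without unpacking it."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def classify_transfer(declared_mime: str, body: bytes) -> dict:
    """Compare declared type with sniffed type and report the two signals a
    sensor would alert on: a type mismatch and an encrypted archive."""
    actual = sniff_type(body)
    return {
        "declared": declared_mime,
        "actual": actual,
        "mismatch": declared_mime != actual,
        "encrypted_zip": actual == "application/zip" and zip_is_encrypted(body),
    }


def build_zip(encrypted_flag: bool) -> bytes:
    """Build a one-entry archive in memory; optionally set the encryption bit to
    model a password-protected archive (the stdlib cannot write one itself)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("telemetry.json", '{"os": "Windows 7", "apps": ["..."]}')  # constructed payload
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        flags = struct.unpack_from("<H", data, 6)[0] | 0x0001
        struct.pack_into("<H", data, 6, flags)
    return bytes(data)


if __name__ == "__main__":
    print(classify_transfer("image/png", SAMPLE_PNG))
    print(classify_transfer("image/png", build_zip(encrypted_flag=True)))
```

A real sensor would apply this to the first few hundred bytes of each outbound POST body rather than whole files, and would treat "declared image, actually encrypted zip" as a higher-severity signal than a bare type mismatch, which also fires on ordinary misconfigured uploads.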
Criminal probe opened into FDIC data breaches
The inspector general at the Federal Deposit Insurance Corp. has opened criminal investigations into “several” data breaches at the agency involving the transfer to removable media by staff of highly sensitive banking data and massive files of personal information, lawmakers were told Thursday.
“We also have open criminal investigations relating to several of the incidents, which have not reached a stage where further public discussion would be appropriate,” acting Inspector General Fred Gibson Jr. told a hearing of the House Science, Space and Technology Committee. He declined to give further details.
The revelation came at a hearing where Republicans cross-examined FDIC Chairman Martin Gruenberg about a series of breaches at the agency last year that were not reported to Congress — as required by a new Office of Management and Budget policy rolled out Oct. 30.
Democrats defended the agency, alleging the charges from their Republican colleagues were premature and based on a selective reading of the evidence.
[Read more: Congress — Federal bank agency CIO ‘misled lawmakers and hid breaches’]
An interim report from GOP committee staff released Wednesday accused officials at the agency — and in particular FDIC CIO Larry Gross — of trying to cover up breaches, deliberately misleading congressional investigators, and retaliating against whistleblowers and anyone else who disagreed with him. The report was based primarily on interviews with a handful of current and former staffers.
The investigation began earlier this year after the FDIC acknowledged that eight breaches had not been reported as they should have been under the new OMB policy. Gross gave evidence at a May 12 subcommittee hearing at which he sought to tamp down members’ concerns about the breaches.
Following the May 12 hearing, agency personnel sent the committee “redacted summaries of responsive documents and a limited set of email communications,” Chairman Lamar Smith, R-Texas, complained. “Whistleblowers and the IG’s staff immediately informed the committee that we were not getting the whole story.
“This has been the over-reaching theme of the committee’s dealings with the FDIC: We’re not getting the whole story. Based on interviews and documents, there is a culture of concealment at the FDIC.”
As an example, Smith cited instructions from the Office of the General Counsel in the agency to staff “not to put certain opinions or analysis in email or other written form, presumably to avoid discovery through the congressional oversight process.”
But Gruenberg said that, rather than any effort to cover up, the inconsistencies and failures of the agency’s responses, first to the breach and then to the committee, were a result of changing policies and a new CIO.
He described a rapid “confluence of developments” that included the identification of the first breach, the issuance of the new OMB guidance and the appointment of the new CIO all of which took place within 10 days.
“Our CIO assumed his new position [Nov. 2] and was sort of presented, if I may say, for a guy just starting the job, with a pretty difficult situation to sort through,” Gruenberg said.
He said the agency decided that, “even though the breach occurred before the guidance was issued, it should be assessed in line with the guidance.” The CIO initially decided that the breach did not count as “major” — requiring an immediate report to Congress — but then reversed course after the inspector general weighed in.
“In retrospect, and in light of the [inspector general’s] report findings, we should not have considered what we believed to be mitigating factors when applying the OMB guidelines,” he said.
“What I want to suggest,” concluded Gruenberg, “is that while we might have gotten it wrong, while the CIO might have gotten it wrong, there was an honest effort … The judgment may have been wrong but I don’t think there was malintent here.”
And Democrats on the committee said their colleagues were jumping the gun — and jumping to conclusions, saying the agency had made mistakes, but was now fixing its data security problems and cooperating with investigators.
Ranking Democrat and fellow Texan Rep. Eddie Bernice Johnson told the chairman, “I think it’s fair to say that our May hearing yielded bipartisan agreement that the FDIC’s [implementation] of the OMB guidelines was flawed.”
She said there was also agreement that the agency “did not initially provide all documents responsive to the committee’s request. However I do not agree with my majority colleagues as to what constitutes evidence of intent. The majority is likely to allege that the CIO intentionally misled the committee and that the agency attempted to obstruct the committee’s investigation into these events.
“I do not believe that the committee has uncovered convincing evidence to support these allegations,” she said.
“I’m not dismissing the testimony [of whistleblowers and others] but it is our responsibility to make sure we have all the evidence and have heard from all the parties, before we begin to wave around serious allegations of criminal intent.”
Her Democratic colleague from Virginia, Rep. Don Beyer agreed.
“Some of the responses were incomplete … however I don’t agree we can or should infer from the facts gathered so far by the committee, as the majority has clearly done, that individual FDIC employees intentionally lied to this committee or have engaged in deliberate obstruction of this committee’s investigation,” he said.
He accused Republicans of “selectively pull[ing] some information that helps them paint that narrative.”
As an example, he noted that the advice from the general counsel’s office not to create records was issued “four months before the committee became aware of the data breach, so to paint it as part of an attempt to obstruct our investigation makes no sense.”
Gruenberg pointed out that the agency had taken a series of corrective actions, including having “discontinued individuals’ ability to copy information to removable media such as external hard drives, flash drives, and CDs or DVDs to prevent these types of incidents from occurring in the future.”
Gibson, the agency’s inspector general, agreed that if the corrective actions were implemented properly, they would be “effective” in mitigating the risks the FDIC faced.
He also noted that his office was investigating the role and position of the agency’s chief information security officer — a job currently vacant.
“We believe that the CISO as a matter of principle, should be in a position to speak up and to inform those in the corporation who need to know what the status is of [security] incidents,” Gibson said, adding that, “We obviously haven’t reached any conclusions yet, but the goal is to reach a reasoned assessment as to whether the CISO, in the present structure where the CISO reports to the CIO, is able to provide that independent security-minded voice … or whether it’s a position that should organizationally and from a governance standpoint be separated so there is a degree of independence and a degree of ability to speak up.”
https://www.youtube.com/watch?v=gJqagI_3F4w
McCain threatens to subpoena Apple CEO Tim Cook to talk encryption with feds
Top security and law enforcement officials are pushing Congress to continue fighting for some sort of encryption legislation that would grant access to secured systems in the event of a criminal investigation.
“We now find ourselves at what is a complete impasse [in the encryption debate], and it is time I urge for Congress to step in and break that impasse,” Former Assistant Attorney General for National Security Kenneth Wainstein told a Senate Armed Services Committee, or SASC, hearing Thursday.
“While I fully appreciate the validity of concerns by the tech companies, I do not believe that that is the end of the discussion,” he added.
Wainstein, along with former NSA Deputy Director Chris Inglis and Manhattan District Attorney Cyrus Vance, Jr., spoke before lawmakers in an effort to restart negotiations concerning so-called “backdoors” and other workarounds to encryption. This Senate committee-launched effort — largely led by veteran Sen. John McCain, R-Ariz., and comprised of members from both sides of the aisle — aims to formalize definitive encryption policy in the future.
The panel members’ opinions were noticeably one-sided, in favor of regulating encryption in order to give law enforcement access as they need it.
During the hearing, McCain repeatedly criticized his colleagues from the Senate for not mandating that data from encrypted communication services be accessible to law enforcement during an investigation.
McCain said continued inaction effectively protects child pornographers and human traffickers. He vowed to subpoena tech company executives — specifically naming Apple CEO Tim Cook — if they continue to refuse attendance in follow-up hearings.
According to Vance, the number of inaccessible electronic devices captured by law enforcement grows by the day. He said that in his New York office alone, there are encrypted smartphones carrying evidence related to a range of crimes from murder to child abuse.
“It seems to me that there are some in the technology community who have come to the conclusion that the inability to find a path to victims — in the cases I describe — is simply collateral damage,” Vance testified.
Inglis and Vance both said technology exists that wouldn’t “weaken” protection and yet could help law enforcement close cases.
“I think there are systems that we can develop which provide appropriate security … and at the same time deliver appropriate access to the government where it needs that,” Inglis said.
Inglis left the door open to the development of security absent encryption, but his statements also directly contradict what many security experts and privacy advocates fundamentally believe an encrypted product is designed to do.
“There are no technical systems that can be developed that guarantee ‘appropriate security’ for the user, while also guaranteeing regulated access to law enforcement only,” Gustaf Bjorksten, Chief Technologist at Access Now, said in response to the hearing through an email to FedScoop.
“Weakening the encryption of applications with backdoors allows for the possibility of criminals and foreign powers utilizing the same mechanism to access the sensitive user communications. In this digital age, any mandating of backdoors in encryption applications will harm the privacy of users, erode confidence in online transactions, and fail to achieve the results touted by law enforcement,” Bjorksten wrote.
Whether a U.S. company’s cybersecurity apparatus is strong enough to fend off attacks without broad encryption technologies is, at least until today, an internal decision — but the panel, in step with McCain, is advocating for a working partnership between the private and public sector on such choices.
Notably, the McCain-led SASC hearing comes more than seven months after Senate Select Committee on Intelligence leaders Sen. Dianne Feinstein, D-Calif., and Sen. Richard Burr, R-N.C., attempted to introduce legislation that would have compelled private tech companies to grant access to encrypted data if a court order is presented.
The Feinstein-Burr bill came shortly after a terrorist attack on American soil that left 14 people dead in San Bernardino, Calif.
Silicon Valley subsequently denounced the proposal, calling the move an attack on consumer privacy. At the moment, the Intelligence Committee bill is frozen, never having been brought to a vote.
A Feinstein spokesperson told McClatchy DC that no decision has been made concerning whether the Senator will move forward with the proposal — “staff continue to consult” on the matter.
Ex-NSA chief: Responding to cyberattacks is a government responsibility
In warfare, rules of engagement are a fundamental necessity to curtail violence against non-military targets. But with millions of Americans already victims of cyber attacks perpetrated by nation state actors, lawmakers question whether a response with conventional weapons is appropriate to stop future online attacks.
The U.S. government must design “an effective strategy not only to limit the impact of cyberattacks, but to meaningfully deter cyber attackers,” Rep. Will Hurd, R-Texas, told a House Oversight Subcommittee hearing Wednesday.
Hurd and other lawmakers asked a star-studded panel of cybersecurity officials and experts what they believe constitutes a “cyber act of war.” The hearing, Hurd explained, is the first step in launching a more comprehensive debate about who should define a “red line” in cyberspace, and how.
The panel — comprising former NSA Director Keith Alexander, State Department Coordinator for Cyber Issues Chris Painter, Department of Defense Deputy Assistant Secretary of Defense for Cyber Policy Aaron Hughes and New America Senior Fellow Peter Singer — made several recommendations on what should be considered when evaluating a cyber attack against the U.S.
Until now, the Obama administration’s general policy has been to handle the response of significant attacks on a “case-by-case basis” with a “whole of government approach” — one that includes consultation with leaders from the U.S. defense and intelligence agencies.
“If you think about Sony being attacked, Sony has no capability to fire back. In fact, if we think about Sony firing back, we quickly get to the realization that if Sony fires back that could get us into a war on the Korean peninsula. We don’t want that to happen. That is an inherently government responsibility,” testified Alexander.
Attacks that cause major loss of life, destruction or incapacitation of significant portions of key infrastructure, or even attacks that cause “massive economic damage” fall within the parameters of what the U.S. should be prepared to call acts of war, Alexander wrote in prepared testimony.
Even so, a military strike may not be the best way to counter a cyber attack attributed to a specific actor, the panel said.
“Incidents described as cyber attacks or computer network attacks are not necessarily considered armed attacks for the purpose of triggering a nation’s right of self-defense,” said Aaron Hughes.
The U.S. boasts a “large toolbox” to choose solutions from in responding to cyber attacks, explained Painter. They include, he said, but are not limited to: diplomatic outreach, economic sanctions, law enforcement oversight, offensive cyber operations and a military strike. Additionally, there may be a strategic advantage to consider when choosing whether or not to publicly disclose the attribution of an attack — as was the case following the now historic Sony hack, orchestrated by North Korea.
However, one of the biggest challenges in deciding a response remains the issue of accurate attribution, the panel unanimously agreed.
According to Sean Kanuck, formerly a national intelligence officer in the Office of the Director of National Intelligence, attribution is a difficult challenge. And timely attribution — vital to a quick response, whether political or military — is even more difficult.
“In response to particular incidents, they are usually ad-hoc [cyber forensics] investigations dealing with a particular set of circumstances,” Kanuck told the committee, “It is very difficult to define the intentions of would be adversaries or actors in specific instances. Often you might derive that information from other sources of information — intelligence collection, other areas — in order to know what an actor’s objectives might have been.”
He added, “in the realtime context of an ongoing incident … that would be a very high challenge … It is not a certainty that you will always know who did it and why.”
Nonetheless, both formal and informal boundaries already exist in cyberspace between nations, said Painter, who leads a division within the State Department that implements the President’s International Strategy for Cyberspace. At the center of this effort, Painter explained, is “international norm building,” focused on cyber — the promotion of rules and standards to guide nations’ conduct.
“The norms we’ve been promoting are, for instance, don’t attack the critical infrastructure of another country — absent wartime — that provide services to the public; don’t attack CERTs, don’t attack the computer emergency response teams, use them for good not for bad; and an expectation that if you get a request from another state and there is malicious code coming from that state, you’re going to mitigate it by technical or law enforcement means. And finally, don’t steal the intellectual property using cyber means of another country for your commercial benefit,” said Painter.
When Hughes was pressed by Rep. Jody Hice, R-Ga., to directly describe when the DOD believes a cyberattack warrants military action, Hughes explained: “not to be cliche, but it really needs to be decided on a case-by-case basis” — which, in this context, is also a fair summary of the panel’s overall recommendation.
To contact the reporter on this story: send an email via chris.bing@fedscoop.com or follow him on Twitter at @Bing_Chris.
Certified VA-DOD interoperability still lacking, lawmakers say
The Department of Veterans Affairs claims it’s made it easier than ever to swap electronic health records with the Pentagon, but lawmakers say the underlying platform still lacks key capabilities, such as the ability to share medical images or to run analytics on the data.
With the new “read only” Joint Legacy Viewer EHR exchange platform, the VA and the Defense Department already reached the level of interoperability required by the 2014 National Defense Authorization Act, VA CIO LaVerne Council testified before the Senate Appropriations Committee’s Subcommittee on Military Construction, Veterans Affairs, and Related Agencies Wednesday. As of July 7, she said in prepared testimony, “JLV had more than 198,000 authorized users in VA and DOD together, including 158,159 authorized VA users.”
Even so, senators on the committee argued the two departments hadn’t yet met true interoperability because those exchanges still lack a number of capabilities veterans would expect to see after leaving active duty.
“It does not provide the X-ray data of patient,” Chairman Sen. Mark Kirk, R-Ill., said of JLV, which he referred to as a “Band-Aid” solution. “So we would say now, ‘Welcome to the VA, we have no X-ray data on you from all the X-rays the Navy, the Army, the Air Force did for you.’”
CT scans are also not included in the exchange of EHRs between the two departments, he said.
“I think most members of this committee would say that is not interoperable,” Kirk said.
JLV is only part of the VA’s larger move to a more modern health IT environment and away from its decades-old Veterans Health Information Systems and Technology Architecture, known as VistA. More recently, Council announced, VA will look to depart from the VistA platform in coming years in favor of a more modern, centralized and open source-based Digital Health Platform project.
[Read more: VA teases plans for new ‘state-of-the-art’ digital health platform]
For now, the VA and DOD share only the narrative reports that accompany the imagery missing from JLV; VA officials said those reports can be just as important as the images themselves in interpreting them.
“The data we are exchanging now is all of the health record data, which includes 25 domains of standardized data where standards exist,” said David Waltman, VistA Evolution program executive and senior adviser to the undersecretary for health at the Veterans Health Administration. “So that includes progress notes, lab reports … it includes the reports from all of those imaging studies. And as we know, the size of the data for the studies themselves is exponentially larger.”
VA is in the process of delivering the image-viewing component for JLV, which it plans to release in September, Council said.
Even then, Kirk argued, JLV won’t have the advanced capabilities like analytics needed to ensure the care of veterans that is found in many commercial health IT solutions. He frequently mentioned Cerner, the health care company helping to lead DOD’s development of its Defense Healthcare Management System Modernization project, as an example of a provider that currently uses data to calculate, for example, suicide risk.
“JLV is 100 percent incapable of those analytics,” Waltman agreed.
“We need an integrated capability of all of the clinical data, the process management for managing clinical workflows, integrated with analytics that can use algorithms … that can predict, based on the information in the record and pathways and courses of action available, what interventions should be taken and what the processes and care pathways should be,” he said.
Agreeing to that as a more accurate definition of complete interoperability, the subcommittee pushed Waltman for a timeline when that might happen.
“The middle of calendar year 2018,” he responded.
Given that, it may be necessary to revise the definition of interoperability between VA and DOD because, Kirk said, the current one doesn’t cut it.
“When we got to the heart of this hearing, you certified that you were interoperable based on the JLV’s existence, and we now know that the JLV does not have X-rays or CT scans — and that is interoperable from your viewpoint,” he said in closing. “I would say to expect some further definition from this committee on that point. We need to move forward on this point to make sure that there is no net burden on the soldier or sailor when they come out of the service, that we 100 percent transfer their data to VA.”
You say you want a revolution: DARPA’s Cyber Grand Challenge

In a much larger setting than this, hackers will try their hands at launching a fully autonomous security system at DEFCON next month. (DEF CON/Wikipedia/CC 2.0)
In a few weeks, a town better known for events like the World Series of Poker will host the World Series of Hacking.
The finals of the Cyber Grand Challenge, which will be held by the Defense Advanced Research Projects Agency at the DEFCON security conference in Las Vegas next month, aim to see if a high-performance computer system can discover and patch security vulnerabilities automatically, without human intervention.
Seven teams will compete in the finals in front of 5,000 spectators packed into the Paris Las Vegas auditorium, waiting to see if a computer will be able to put the best human penetration testers and security researchers to shame.
While the event has the aura of a sporting finale, DARPA program manager Mike Walker says the efforts undertaken by the finalists are important for eliminating a glaring problem in cybersecurity: vulnerabilities often go hundreds of days without being discovered and in some instances take more than a year to patch.
“The reaction to unknown flaws in software is entirely manual,” Walker told reporters on Wednesday. “We want to build autonomous systems that can arrive at their own insights, do their own analysis, make their own risk equity decisions of when to patch and how to manage that process.”
The entries, all built on custom high-performance computers, will be responsible for monitoring a network running software with previously unexamined code. The finalists’ systems will need to comprehend the software’s language or author their own logic; explore the almost infinite possible inputs into that software; and arrive at the diagnosis of new vulnerabilities entirely on their own.
Walker says the systems must “then form the solution, whether it’s network defense or patching defense, and manage the solution. If the solution breaks, it’s the machine’s responsibility to fix it.”
[Read more: FedScoop’s coverage of last year’s Cyber Grand Challenge]
If the winners want to test their luck, DEFCON organizers have invited the winning automated system to compete against the world’s best human hackers in their Capture the Flag competition the following day, marking the first-ever inclusion of a mechanical contestant in the event.
DARPA is comparing the Capture the Flag competition to earlier man-versus-machine contests, such as the famed Jeopardy! match in which IBM’s Watson cognitive computer defeated two human competitors. Walker said the competition is designed for such systems, known as reasoning systems, because it tests how close researchers are to achieving full autonomy.
“We wanted to follow in the tradition of reasoning machines like Deep Blue and Watson and AlphaGo,” Walker said. “This is an adversarial domain. In adversarial domains, the way you build a metric — like the Elo rating in chess — is, you measure [your] efficacy by the opponent you can defeat.”
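Walker’s point about adversarial metrics is that a rating says nothing on its own; it only moves when you beat (or lose to) an opponent whose rating is known, and beating a stronger opponent moves it more. The following is an added example, not code from DARPA or the Cyber Grand Challenge, that implements the standard Elo update he cites and applies it to a constructed set of CTF-style match results. The `K` factor of 32 and the starting rating of 1500 are conventional defaults, assumed here for illustration.

```python
"""Elo rating as a measure of efficacy in an adversarial domain.

Added worked example (not from the article or from DARPA). The update rule is
the standard Elo formula used in chess; K=32 and the 1500 starting rating are
assumed conventional defaults, not values stated on the page.
"""

from typing import Dict, Iterable, Tuple

K_FACTOR = 32.0      # assumed: how far one result can move a rating
START_RATING = 1500  # assumed: rating given to a player with no history


def elo_expected(rating_a: float, rating_b: float) -> float:
    """Probability that A beats B under the Elo model (0.5 when equal)."""
    return 1.0 / (1.0 + 10 ** ((rating_b - rating_a) / 400.0))


def elo_update(rating_a: float, rating_b: float, score_a: float,
               k: float = K_FACTOR) -> Tuple[float, float]:
    """Return (new_a, new_b) after one game.

    score_a is 1.0 for an A win, 0.5 for a draw, 0.0 for a loss.
    The gain is proportional to (actual - expected), so an upset over a
    much stronger opponent earns far more than a routine win.
    """
    expected_a = elo_expected(rating_a, rating_b)
    delta = k * (score_a - expected_a)
    return rating_a + delta, rating_b - delta


def rate_matches(matches: Iterable[Tuple[str, str, float]],
                 start: float = START_RATING) -> Dict[str, float]:
    """Fold a sequence of (winner_or_a, b, score_a) results into ratings.

    Players are created on first sight with the start rating, so the
    ordering of upsets matters: the same wins against a higher-rated
    opponent are worth more once that opponent's rating has risen.
    """
    ratings: Dict[str, float] = {}
    for a, b, score_a in matches:
        ra = ratings.setdefault(a, start)
        rb = ratings.setdefault(b, start)
        ratings[a], ratings[b] = elo_update(ra, rb, score_a)
    return ratings


# Constructed sample: a machine entrant against two human teams.
# Team "human_strong" wins repeatedly first, so its rating climbs; the
# machine's later win over it is then worth much more than its earlier
# win over "human_weak".
SAMPLE_MATCHES = [
    ("human_strong", "human_weak", 1.0),
    ("human_strong", "human_weak", 1.0),
    ("human_strong", "human_weak", 1.0),
    ("machine", "human_weak", 1.0),
    ("machine", "human_strong", 1.0),
]


def rating_gains() -> Tuple[float, float]:
    """Rating points the machine earned from each of its two wins."""
    before = rate_matches(SAMPLE_MATCHES[:3])           # humans only
    mid = rate_matches(SAMPLE_MATCHES[:4])              # + win over weak
    after = rate_matches(SAMPLE_MATCHES)                # + win over strong
    gain_vs_weak = mid["machine"] - START_RATING
    gain_vs_strong = after["machine"] - mid["machine"]
    # `before` is only consulted to show the opponents' ratings diverged.
    assert before["human_strong"] > before["human_weak"]
    return gain_vs_weak, gain_vs_strong


if __name__ == "__main__":
    weak, strong = rating_gains()
    print(f"gain for beating the weaker team:   {weak:6.2f}")
    print(f"gain for beating the stronger team: {strong:6.2f}")
    print("final ratings:", {k: round(v, 1) for k, v in rate_matches(SAMPLE_MATCHES).items()})
```

Because the update is zero-sum and scaled by the surprise of the result, a single impressive upset is worth more than a string of wins over weak opposition, which is exactly the property Walker wants from a metric for autonomous systems: it encodes who you beat, not just how often.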
Beyond the competition, Walker wants the challenge to kick off a “revolution” in security automation, eventually getting to the point that it’s as commonplace as nutrition labels on food packaging.
“When you buy [software] and you look on the back, what you don’t have today is a sticker that tells you what machine investigated [its] security and what machine will guard its security in the future,” he said. “That’s something we could see as an open technology revolution in security automation.”
Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto.