If sanctions don’t stop China’s hacking, what will?

It’s getting to the point where elected officials and cybersecurity policy experts agree the Obama administration should do something in retaliation for China’s continued cyber espionage against American companies — they just can’t agree on what.

Since China and the U.S. inked a deal in September pledging that neither country would engage in hacking for economic gain, there have been a smattering of reports that China has not lived up to the agreement. Earlier this week, Bill Evanina, the head of the National Counterintelligence and Security Center, said he’s seen “no indication” that China has curbed its state-sponsored hacking capabilities, according to a Reuters report.

Experts discussed what should come next during a forum Wednesday held by the Bipartisan Policy Center, which examined policy options from economic sanctions to indictments to arming companies with the ability to hack back.

Sen. Cory Gardner, R-Colo., who serves as the chairman of the Senate Foreign Relations’ Subcommittee on East Asia, The Pacific and International Cybersecurity Policy, said language needs to be added to the September agreement that better defines punishment if China violates its terms.

“There is no real punitive context read out of this agreement,” he said. “They need to agree to some kind of punitive action. I don’t think we can take anything off the table.”

In a report released Wednesday, the US-China Economic and Security Review Commission, a group created by Congress to measure national security implications of the economic relationship between the U.S. and China, said one of those punitive actions should be allowing companies to hack back, given that China is pushing policy that would limit U.S. companies’ participation in the Chinese market on top of the country’s theft of their intellectual property.

“For these reasons we believe it is important for Congress to assess whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks,” the report reads. “In addition, Congress should study the feasibility of a foreign intelligence cyber court to hear evidence from U.S. victims of cyberattacks and decide whether the U.S. government might undertake counterintrusions on a victim’s behalf.”

Gardner said he would prefer to “tread lightly” on hack-backs, instead focusing any sort of punishment on economic sanctions or indictments, like the one issued in May against five members of China’s People’s Liberation Army.

The indictments are something closer to what former State Department official Randall Schriver thinks should be done if the U.S. is to present China with a level of deterrence that would curtail hacks.

“If what we want to do is stop this, then we have to get serious and we have to target the people that are doing it,” Schriver said. “[Hacking] is national level policy guidance through [China’s] Central Military Commission, to the General Staff Department to the PLA.”

Robert Knake, a former director of cybersecurity policy for the National Security Council, said it would be easier for the government to move past sanction threats if companies would admit they’ve been targeted by China, something he has yet to see occur.

“[Companies] fear what will happen if they stand up and say they were targets,” he said. “From their perspective, [hacking] is the cost of doing business.”

Former National Security Agency counsel Stewart Baker said sanctions might be the best route, with added support from other G-20 countries, such as Germany, France or Britain, that have also come out against state-sponsored corporate espionage. Earlier this week, G-20 countries signed a pact saying no countries should conduct “theft of intellectual property, including trade secrets or other confidential business information.”

“Pick sanctions where U.S. industry isn’t vulnerable to hostage taking by the Chinese and the evidence is such that we can talk about it publicly,” Baker said. “I think the Germans, the French and the British would all get on board with that.”

The U.S. and China plan to hold ministerial-level talks in Washington, D.C., at the beginning of next month related to the September agreement. Gardner hinted that those talks could turn toward sanctions, given that China has shown no signs of curbing its hacking practices.

“I find it hard to believe in the world of digital communication that [the Chinese] haven’t heard that this isn’t appreciated and that we’ve agreed to knock this off,” he said. “We are approaching the end of the grace period.”

U.S.-E.U. safe harbor collapse affects all of us

Last month, the European Court of Justice found that the privacy of European data is not sufficiently protected by the trans-Atlantic agreement known as Safe Harbor. As a result, the court invalidated the agreement.

The E.U. and U.S. governments are now working to establish a new trans-Atlantic data-transfer accord. As an example of these efforts, the House recently passed the Judicial Redress Act (H.R. 1428) — a step in the right direction. The act enables foreign citizens to have the same legal rights as U.S. citizens, if their individual privacy is violated by government. In many ways, the Judicial Redress Act will serve as the foundation for the agreement that replaces Safe Harbor and must be considered a part of the solution, starting with passage of the legislation in the Senate.

Safe Harbor allowed for the flow of data between the E.U. and the U.S. without the need for individual agreements between each jurisdiction and company. Without Safe Harbor, every type of industry that relies on trans-Atlantic data transfers has been required to quickly come up with an alternative legal basis for data transfers — from airline companies to financial services, data storage providers to social media platforms. Given the economic and social costs to industry and individuals, a new data sharing agreement must be developed to address the security and privacy concerns in the U.S. and E.U. A new agreement must also provide a process that allows law enforcement to access and exchange data across borders, while simultaneously respecting individual privacy.

A balancing act: Privacy and national security

In 2000, the U.S. Department of Commerce and the European Commission agreed to a set of data transfer principles for outlining the protection of data no matter where the data is processed and stored — Safe Harbor. Under these principles, a U.S. or E.U. company that declared it would uphold Safe Harbor was then allowed to transfer data between countries.

In response to the terrorist attacks in September 2001, the Patriot Act was enacted, giving the U.S. government the ability to collect information about U.S. citizens and foreigners without consent or a search warrant. While companies agreed to uphold Safe Harbor for trans-Atlantic data transfers, the U.S. government had given itself a surveillance mechanism that was in conflict with the E.U. data directive and the Safe Harbor framework on which it has been based. The dissonance between these two laws was the starting point for disagreement. This was only exacerbated in 2013 by the revelations that the National Security Agency was collecting data without regard to E.U. data protection laws. Europeans felt their rights had been violated.

Given the length of time that the U.S. government has gathered data without consent, it is surprising that the Safe Harbor framework lasted as long as it did. A new Safe Harbor agreement must include a streamlined process for law enforcement to get information and data across borders that also respects individual privacy rights. Passing the Judicial Redress Act in the Senate will be the first step in ensuring these protections and establishing much-needed processes.

What this means for government, companies and consumers

Without the Safe Harbor framework, companies are faced with the almost insurmountable task of establishing data sharing agreements with individual regional jurisdictions. Without these agreements, a global company’s operations are now in question and they must think twice about investing abroad.

Consumers, if not directly affected as employees of companies that curtailed trans-Atlantic operations, would be faced with the loss of the Internet as it’s known today, a means of global commerce, information and communication exchange. Without agreements in place to provide “borderless” transfers of data, there will be no trans-border mechanism for e-commerce, sending and receiving emails, or sharing personal information using social media. In other words, without Safe Harbor, the backbone of modern technology — information exchange — will be significantly hampered.

While the U.S. and E.U. governments have reached an agreement in principle on a new data sharing agreement, leaders of both governments, privacy advocates and technology companies must continue to work together quickly to establish a new data sharing agreement that builds upon Safe Harbor. This new agreement must put privacy first and strengthen the protections afforded in the E.U., U.S. and across the world. We are in desperate need of a streamlined process to send information across international borders that also respects individuals’ privacy rights.

What needs to be done

Much has changed in the U.S. since the 2013 revelations about the NSA’s surveillance activities, and new meaningful limitations are now placed on the U.S. government’s bulk data gathering practices. However, the European Court of Justice’s invalidation of Safe Harbor has serious consequences for both U.S. and European economies unless a solution is found quickly.

Privacy advocates and technology companies alike have suggested that the invalidation of Safe Harbor is an opportunity to improve upon the status quo. Moving forward, the Judicial Redress Act and other similar legislation in the U.S., such as the Law Enforcement Access to Data Stored Abroad Act that works to reform the Electronic Communications Privacy Act, must be enacted with a sense of urgency.

As policymakers in Washington, D.C. continue to discuss Safe Harbor and digital trade after multiple hearings on Capitol Hill and a recent visit from E.U. Justice Commissioner Vera Jourova, they must work with their partners across the Atlantic to put aside their differences and fast track new digital privacy laws that address the fundamental human rights to privacy and national security in a way that protects both U.S. and European citizens.

Experts weigh benefits, problems of open data

While open data experts extoll the benefits of encouraging governments to open their information vaults, some fret about unintended negative consequences that could come with it.

Speaking on a panel on the topic hosted by the Microsoft Innovation & Policy Center in Washington, D.C., Ryan Calo, assistant professor of the University of Washington School of Law, said there was “an opportunity” to strengthen the security of the data governments manage.

“I think that governments of all kinds, local and federal, can improve the overall ecosystem on privacy and security,” he said during the panel.

Calo referenced a paper he co-authored and released earlier this year that evaluated Seattle’s open data practices. The city was ahead of the curve when it came to data, but the vendors it used to gather data — on anything from 911 calls to parking violations — each faced different security requirements, he told FedScoop.

“It wasn’t that we found too many smoking guns exactly,” he said of the report. “It was rather that it was all over the place. Some vendors would make no guarantees about security.” Others had to have cryptology in place and agreed to notify the city in case of a breach.

Among his recommendations was that the city should have an overarching policy governing how vendors use and safeguard the data they gather for the city. And he said the recommendations could carry over to other cities and even the federal government.

Indeed, Joel Gurin, president of the Center for Open Data Enterprise, said data shouldn’t be opened up by accident.

“We’re seeing a couple instances of conflicting public goods,” Gurin said. In some cases, to get the highest value from data requires getting into territory where the risk of exposure is great, he said.

It’s a balancing act that the Consumer Financial Protection Bureau is trying to navigate as it makes available digital data of mortgage transactions under the Home Mortgage Disclosure Act, he said. The act means to avert discrimination in housing practices, and in a recent rulemaking the agency outlined efforts to continuously weigh the need for data with the importance of ensuring privacy.

“It’s a very innovative approach and we must start seeing that there is some kind of trade with some risk of some privacy exposure versus a public good,” Gurin said.

Gurin said open data has a number of economic benefits: For example, it could encourage the development of precision medicine — the idea that physicians could better tailor treatments to their patients’ genetic makeup and environment — and companies like online real estate firm Zillow and The Weather Channel are built on government data.

But there are other uses too. He pointed to the Education Department’s recently released College Scorecard, which allows users to look up information about average debt and average starting salary for colleges across the country.

“Had we known [the information from this scorecard] 10 years ago or five years ago, this would have dramatically changed every conversation with our kids, every conversation with our guidance counselor and would have given us a framework of reality of ‘What is this education really worth,’” said Gurin, who had three children graduate from college.

In all, he said the government’s data belongs to the citizens.

“It’s not just the government needs to put data out there because that is their own accountability,” he said. “It’s also saying government needs to put data out there because we pay for it as taxpayers, and it can actually help us.”

Pentagon’s digital service team gets a leader

Seattle-based serial entrepreneur Chris Lynch has been given the reins of the Pentagon’s digital service team.

Defense Secretary Ash Carter announced Lynch’s hiring Wednesday during a speaking engagement at George Washington University focused around his “Force of the Future” program.

Wednesday was Lynch’s first day as director of the Defense Digital Service, Carter said. The small team is based at the Pentagon.

A long-time tech entrepreneur, Lynch founded and led several startups, like North by Nine, a customer experience management platform that was acquired by ConversIQ. He also served as vice president of product engineering at Daptiv, a business software company, for seven years, and before that in a development role for Microsoft.

The DDS is based on and will resemble the White House’s U.S. Digital Service team, founded in the wake of the Healthcare.gov meltdown of 2013 to focus on getting the federal government’s most pressing digital priorities right. Since then, digital teams — essentially spokes off of the USDS hub — have popped up around government within agencies like the departments of Veterans Affairs, Education and Homeland Security.

The DDS “will bring in talent from America’s technology community to work for a specific time or for a specific project to apply a more innovative and agile approach to solving our most complex problems,” Carter said Wednesday.

Carter first announced the creation of such a team in April, saying then that it was imperative to find ways to attract a new generation of Americans “who grew up entirely in the Internet age, whose memories of 9/11 are either faded or dim or non-existent, and attract them to the mission of national security and national defense.” The team quickly went to work addressing insufficient health record interoperability between DOD and the VA, FedScoop reported previously.

Halfway down the West Coast from Lynch’s Seattle, the Pentagon is also building relationships with Silicon Valley technology talent through its Defense Innovation Unit – experimental team.

While the Pentagon is concerned with attracting America’s best and brightest innovative minds, Carter said Thursday that part of what will make the DOD an attractive employer for millennials will be letting them come and go between DOD and private industry.

Carter said civil service is typically seen as riding a career-long “escalator” to the top, based on merit, but he wants Defense personnel to “be able to get off the ‘escalator’ for a time, and then get back on without hurting their career but instead helping it” through options like the Secretary of Defense Corporate Fellowship program, which DOD is doubling in scope. The program allows highly qualified candidates to work in private industry — at companies like Google and SpaceX — for a year.

“Offering those kinds of opportunities will make us more attractive to future generations, too,” Carter said. “As long as our military continues to harness the best talent America has to offer, we’ll always come out ahead.”

New FBI warning after Brennan doxing

The FBI has revised a warning to senior police officers and other public officials about hacktivism and doxing, following the successful takeover last month of the personal email account of CIA Director John Brennan by teenage hackers.

The new warning, posted Wednesday evening, outlines a method of social engineering against an official’s personal email provider that self-described stoner hacktivists say they used to repeatedly take over Brennan’s AOL account. The hacktivists, in what they said was a protest against U.S. support for the Israeli occupation, later published Brennan’s Social Security number and other personal information — and that of family members and colleagues on the Obama 2008-09 transition team.

The new guidance includes an expanded set of defensive measures that all potential targets are advised to take on social media and online generally, but no new advice for telecom, email and Internet service providers.

“In a recent threat,” reads the new warning, a “threat actor” contacts the target’s ISP posing “as an employee of the company, and requests details regarding the target’s account. Utilizing these details, the caller then contacts the target’s email provider, successfully provides answers to security questions established for the email account, and is granted a password reset for the account.”

This is the process described by “Crackas With Attitude” in a series of encrypted chats, Twitter exchanges and other online communications with reporters after they began posting first boasts about penetrating Brennan’s email account, then data stolen from it.

“Ultimately,” concludes the FBI warning, the hacktivist “gains access to the victim’s email account and begins to harvest personal or other information.”

The FBI press office, in a statement emailed to FedScoop, said merely that “Recent media reports have highlighted hacktivism threats to law enforcement and public officials,” causing them to update a doxing warning posted in April.

The original warning highlighted the way that hacktivists from the Anonymous collective were able to compile information available on the Internet, especially on social media sites, into revealing profiles of police officials and other public figures. It included a list of defensive measures individuals could take, like adjusting the privacy settings on social media accounts.

Wednesday’s warning offers an expanded list of defensive measures, including using invented, incorrect answers to security questions, especially ones like mother’s maiden name, which might be discoverable from public records. The revised warning also offers the following new advice:

Lawmakers don’t want feds to lead on connected car tech

The nation’s highway safety regulator plans to finalize a standardized system for vehicle-to-vehicle communication sometime in early 2016, an official said Wednesday, but some lawmakers are unimpressed, believing private industry could do the job better.

The National Highway Traffic Safety Administration will release a public proposal for its dedicated short-range communications (DSRC) system, which will enable vehicles to communicate instantaneously with one another and with nearby wired infrastructure like crash barriers and traffic lights, early next year, said Nat Beuse, NHTSA associate administrator for vehicle safety research.

“What the department is doing is putting hardware behind that system,” Beuse told lawmakers on the House Oversight and Government Reform Committee’s subcommittees on IT and Transportation and Public Assets. “What’s been done to date has been a lot of hard work with a lot of smart people coming up with the design. But now we feel that we have to actually build this and operate it to see what are the vulnerabilities in it and do some large-scale testing.”

He said NHTSA thinks it is ready to deploy DSRC technology and the associated standards for security and privacy testing. Many believe the technology and standards could address more than 80 percent of crashes caused by humans and drive efficiency in cars.

But Transportation and Public Assets Subcommittee Chairman Rep. John Mica, R-Fla., balked at the idea, saying DOT has already spent $500 million in taxpayer money on this project without seeing much, even sliding “behind the advances in technology.”

“We spend a lot of money, and we don’t see a lot of progress,” said Mica, a persistent critic of federal government programs and an advocate of privatization.

IT Subcommittee Chairman Will Hurd, R-Texas, brought up a similar concern, comparing the complexity of developing V2V communication technologies and standards with the unsuccessful, years-long struggle of the departments of Veterans Affairs and Defense to make their electronic health records systems interoperable.

“DOD and VA spent over half a billion dollars trying to get two electronic health records to work together, and after four years, they said, ‘This is really hard. We’re going to have to go separate,’” Hurd said.

With so much prior investment from the automobile industry, “Why are we even thinking about the federal government getting involved in doing this when a standard hasn’t developed out of the private sector?” he questioned. “The private sector is going to be better equipped to develop this type of technology, and the thing is probably going to work a little bit better.”

Dean Garfield, president and CEO of the Information Technology Industry Council, said “there are complementary technologies being developed … that we can’t tell which is going to prove most effective” including the DSRC.

But Beuse said NHTSA hasn’t seen evidence of any competing developments, particularly in response to its 2014 advance notice of proposed rulemaking for the DSRC.

“If at some point in the future, or even in response to the proposal [next year], data comes in that shows there’s an alternative technology that can meet the safety potential,” NHTSA would consider that, he said.

Hurd objected, saying “the cat’s already out of the bag,” with companies like Tesla and General Motors developing these sorts of V2V communications. And he’d rather put his trust in the private sector to protect American drivers as well as their information stored in their cars, he said, acknowledging his concerns after the Office of Personnel Management was hacked, compromising the information of millions of Americans, and “had the audacity to not even say ‘My bad.’”

Hurd finished, “I’m always concerned when we put too much faith in federal agencies to protect our information.”

DHS head: Agency to ‘strike balance’ between cybersecurity and counterterrorism

The Department of Homeland Security will look to “strike a balance” between cybersecurity and counterterrorism through the remainder of the Obama administration, DHS Secretary Jeh Johnson said Wednesday.

Speaking at a Federal Times event, Johnson said his cybersecurity goal for DHS before President Barack Obama leaves office is for civilian agencies to be covered by a common baseline of cybersecurity and to maximize the number of companies that benefit from information sharing.

“The reality is we live in an interconnected, networked world,” Johnson said. “Cybersecurity must strike a balance between basic security, online information and the ability to communicate with and benefit from that networked world.”

Johnson said that while DHS is primarily tasked with keeping the country safe from terrorist attacks, the department is upping its focus on protecting the country’s digital infrastructure. During his remarks, he addressed four areas in which he sees progress in regards to the nation’s cybersecurity stance.

He commended Congress for work done on two bills, including the Senate passage of the Cybersecurity Information Sharing Act and the House passage of the National Cybersecurity Protection Advancement Act. Johnson said the bills “strengthen the role of the Department of Homeland Security and our nation’s cybersecurity efforts.”

“Congress is actually getting stuff done in a bipartisan fashion,” he said.

He also spoke of a new dialogue with China over Beijing’s online plunder of U.S. firms’ trade secrets and intellectual property. An agreement reached earlier this year between President Barack Obama and his Chinese counterpart Xi Jinping would curb Chinese commercial espionage in cyberspace. Johnson said DHS is preparing for “ministerial level dialogue” during talks with Chinese officials to be held in Washington at the beginning of December. He said he doesn’t believe the talks will “resolve all of our challenges” with China, but they are a step forward to address “one of our sharpest areas of disagreement” in the countries’ relationship.

“Time will tell whether China’s government’s commitments are matched by action,” he said.

With regard to the federal government, Johnson touted the use of DHS’ intrusion prevention system Einstein 3A and the Continuous Diagnostics and Monitoring program. Since being rapidly deployed as part of the White House’s cybersecurity sprint, Einstein, or E3A, has stopped 700,000 possible attempts to steal government data or disrupt government systems. Additionally, CDM phase one has been rolled out to 97 percent of .gov systems, discovering 363 vulnerabilities. Johnson said 99 percent of those vulnerabilities have since been remedied.

Johnson also called for much greater education for IT users about the dangers of spear phishing, the highly targeted email spoofing method malicious actors use to enter networks.

“Whether it be .gov, .mil, .com, .edu, or .org, perhaps the most effective thing we can do for cybersecurity is create awareness among everyone who uses your systems to the damages of spear phishing,” Johnson said.

He detailed how DHS has run training programs within the agency, sending out fake phishing emails offering free Washington Redskins tickets. If employees click through the phony links, they are directed to training programs designed to educate users about the dangers of spear phishing.

Johnson concluded by saying there is “no one silver bullet” for cybersecurity, but the agency is moving to address what he considers a “shared problem” between the government and private industry.

“As the OPM breach painfully demonstrated, our federal cybersecurity efforts are not where they need to be,” he said. “But we are improving and detecting more and more intrusions every day.”

Kaspersky: APTs will ‘cease to exist’ in 2016

High-profile advanced persistent threats, such as the Stuxnet cyber weapon which crippled Iran’s nuclear program and the Duqu 2.0 surveillance platform, will “cease to exist” as we currently know them next year, according to predictions by computer security company Kaspersky Labs.

Instead, in an effort to maximize return on investment, Kaspersky said, nation-state hackers will move away from labor-intensive, customized programs in favor of off-the-shelf malware and opt for a blitzkrieg style flurry of attacks rather than subtle long-term strategies. The “threat,” in other words, will remain just as real, but the concepts of “advanced” and “persistent” will wane.

“2016 will see significant evolution in cyber espionage tradecraft, as sophisticated threat actors minimize investment by repurposing commercially available malware and become more adept at hiding their advanced tools, infrastructure, and identities by ditching persistence altogether,” Juan Andrés Guerrero-Saade, senior security expert of the Global Research and Analysis Team at Kaspersky, said in a statement.

Hacking trends such as ransomware attacks, in which attackers steal the contents of a target’s hard drive and hold them for cash ransom, have made hacking into a lucrative pursuit, and according to Kaspersky’s report, the emphasis now is less on proving advanced skills and more on maximizing profits. This same modus operandi applies to other operators as well, including hacktivists and even nation state actors whose interests lie in information over money.

“As the urge to demonstrate superior cyber skills wears off, return on investment will rule much of the nation-state attacker’s decision-making,” Kaspersky noted in the report. “Nothing beats low initial investment for maximizing ROI.”

Kaspersky predicts targeted attacks on Internet of Things devices, such as smart televisions or even coffee makers. By singling out technology often affiliated with a wealthier demographic, “mercenary” hackers will increase the likelihood of scoring a higher payout. Alternative payment apps like ApplePay and Android Pay will also be increasingly at risk.

With the stakes steadily rising, Guerrero-Saade noted that a large swell in the number of active hackers is also expected.

“The profitability of cyberattacks is indisputable and more people want a share of the spoils,” he said. “As mercenaries enter the game, an elaborate outsourcing industry has risen to meet the demands for new malware and even entire operations. The latter gives rise to a new scheme of Access-as-a-Service, offering up access to already hacked targets to the highest bidder.”

This influx could coincide with an anticipated rise in “DOXing,” public shaming and extortion attacks, similar to this year’s Ashley Madison scandal. Hacktivists are expected to execute more strategic dumping of private pictures, customer lists and personal identity information.

To counter the new wave of threats, Guerrero-Saade counseled cooperation and information sharing.

“We believe that sharing insights and predictions with our colleagues across the industry as well as with government, law enforcement, and private-sector organizations will promote the necessary collaboration to proactively face oncoming challenges head-on.”

NIST lists winners of its first public app-building contest

The National Institute of Standards and Technology’s ambition to make troves of scientific data easily accessible to the public via mobile devices took a step toward fruition Wednesday as it announced the victors of the Reference Data Challenge, its inaugural public app-building competition.

The challenge, announced in July, prompted developers to use six of NIST’s most popular data sets — from speed of light constants to the ionization energies for neutral atoms — to craft a user-friendly app that scientists could rely on to save time in the lab.

“We know that a lot of the data sets cover a range of basic and fundamental information to super-applied, everyday engineering data,” Heather Evans, a NIST policy analyst who oversaw the challenge, told FedScoop in July. “We don’t really have anything that we can give our stakeholders that want to view these websites on a mobile device.”

Over a span of two months, 25 developers submitted apps for consideration. A panel of experts from NIST and industry then evaluated the apps on four criteria: potential impact, creativity and innovation, user engagement, and effective use of NIST’s data.

First place, which carried a $30,000 prize, was awarded to Kris Reyes, founder of Meru Apps in Princeton, N.J., for his Meru Lab Reference. Reyes’ app takes advantage of near-field communication tags — “smart” chips which can exchange information with smart phones and other mobile devices — to allow scientists to access chemical species data with a simple tap, minimally interrupting workflow.

“In my first research job after earning my Ph.D., I became involved in research that combined data analysis and experimental materials science to accelerate scientific discovery,” Reyes said in a NIST announcement. “It’s there that I became really passionate toward developing techniques to use data to help scientists in their day-to-day work in a practical, data-driven manner.”

Second and third place awards, with prizes of $10,000 and $5,000, were awarded to Lab Pal, a quick reference engineering app, and Chembook, a compilation of chemical compounds and elements, respectively.

“I was really impressed with the creativity and hard work the app challenge participants put into generating fresh approaches to using NIST data,” said Evans. “I’m looking forward to building on the success of this challenge with more events in the future.”

VA plans national network to spur medical innovation

The Department of Veterans Affairs and its employees have pioneered some of the most notable innovations in medical history over the past half century — implantable pacemakers, nicotine patches and the first successful liver transplants, to name a few. Now, to continue driving those types of medical breakthroughs, the VA has launched the Innovators Network.

Described as “a community of VA employees who are actively engaged in work that is moving the agency forward,” VA’s Innovators Network is meant to spur collaboration among VA personnel, “no matter the distance,” Secretary Bob McDonald wrote in a little-noticed blog post about the launch Monday.

“VA needs to continue to increase its ability to rapidly respond to Veterans’ needs and to deliver the best possible experience for Veterans. We can accomplish this by developing a culture of innovation,” McDonald said. “The innovation we aim for is a framework — a mode of operating, a toolset — through which we can constantly find, test, and create better ways to deliver services to our customers.”

Currently, the department is piloting the program at eight of its medical facilities across the country, including the Boston, Atlanta and Milwaukee VA medical centers. “Innovation specialists” will head up each pilot location’s development of “a culture of innovation,” according to the program’s website.

A map of the VA’s eight Innovators Network pilots. (VA)

The Innovators Network resembles the IDEA Lab at the Department of Health and Human Services and the Office of Personnel Management’s Innovation Lab — efforts to support federal staff with resources and connections to like-minded colleagues across the country when they have innovative ideas that may fall outside their job description but that they are passionate about and want to implement. VA employees will have the opportunity to apply for small amounts of special funding for their projects through the network’s Spark-Seed-Spread Innovation Funding Program.

Much like the HHS and OPM programs, the Innovators Network also employs human-centered design — a methodology that primarily focuses on users’ needs to shape outcomes — as a guiding principle.

“Simply put, people are better served when their needs are aligned with the application and purpose of the products and services they use,” McDonald wrote. “The Innovators Network leans heavily on this development approach, and innovators will use it to build a strong understanding of VA’s clients, generate ideas for new products and services, test concepts with real people, and ultimately deliver easy-to-use, consistent products and positive customer experiences.”

Additionally, the program is rooted in a variety of other core principles, such as diversity, innovation from the field, agile development and employee empowerment. That latter principle, Secretary McDonald believes, is integral to improving the veteran’s experience.

“We have no hope of improving the Veteran experience unless we improve the employee experience,” he said. “We must enable and empower employees to better care for Veterans. Innovation is how we improve the way we improve Veterans’ lives.”