Ryan Panchadsaram out as deputy U.S. CTO

As a presidential innovation fellow, Panchadsaram was brought onto Mikey Dickerson’s team, which fixed the botched rollout of Healthcare.gov.
Ryan Panchadsaram, a deputy chief technology officer for the U.S. government and one of the first members of the U.S. Digital Service, is stepping down from his position.
Administration sources tell FedScoop Panchadsaram will head back to San Francisco to spend more time with his family. Panchadsaram came to D.C. three years ago as part of the inaugural Presidential Innovation Fellows class, helping develop Blue Button for patients to view online and download their own personal health records.
From there, Panchadsaram was brought on board Mikey Dickerson’s team, which fixed the botched rollout of Healthcare.gov.
While at the White House, Panchadsaram helped form the U.S. Digital Services, the tech tiger team devoted to improving IT services across the federal government. He also helped implement President Barack Obama’s open data executive order, leading to a redesigned data.gov that unlocked federal data tied to health, energy, education, finance and climate issues.
Prior to public service, Panchadsaram was the head of customer and product at Ginger.io, a spin-off from MIT Media Lab aimed at using big data to transform health care. He also spent time working at Microsoft and Salesforce, working on user experience for Outlook for Mac and AppExchange.
It was not clear as of publishing time if Panchadsaram has another gig lined up in either the public or private sector, but administration sources tell FedScoop he will support the digital service teams’ recruiting efforts while in San Francisco.
FedScoop has also reached out to the White House about Panchadsaram’s successor. No comment as yet, but updates will be provided as they become available.
Senate takes up CISA, at long last
The Senate Tuesday began its long-delayed consideration of controversial legislation designed to encourage companies to share cyberthreat intelligence with each other and the federal government.
The bill’s authors, the chairman and vice chairwoman of the Senate Select Committee on Intelligence, told lawmakers they had worked hard to take into account the concerns of privacy activists, who have criticized the proposed law as a surveillance measure in cyber clothing.
“Nothing in this bill provides even the potential … for additional surveillance authorities,” said Intelligence Chairman Sen. Richard Burr, R-N.C.
Burr said the bill’s authors had met with a range of interested parties, including many of the bill’s fiercest critics. He said he hoped that changes made in committee earlier this year, and in a managers’ amendment, would allay privacy advocates’ concerns about what they say is the bill’s overly broad scope and unnecessarily vague language.
“This bill is the product of years of work and includes input from all sides of this issue,” said Vice Chairwoman Sen. Dianne Feinstein, D-Calif. “It balances security, personal privacy and liability protection.”
The bill, S. 754, the Cybersecurity Information Sharing Act of 2015, offers legal immunity to companies that share cyberthreat information with each other and the federal government. Two companion bills passed the House in April with wide bipartisan support, but the Senate bill has proved more controversial.
“I believe this bill will do little to make Americans safer,” said Sen. Ron Wyden, D-Ore. “But it will potentially reduce the privacy of millions of Americans in a very substantial way.”
Wyden has been the most vocal of a small coterie of senators who have vowed to amend or even block the legislation, saying it lacks safeguards against abuse and broadens the number of uses to which shared data can be put beyond just cybersecurity.
In addition to the managers’ amendment, 21 others have been listed for debate, but — without an agreement on time — it is unclear how many will end up being debated.
The amendments likely to provoke the most controversy include one from Sen. Sheldon Whitehouse, D-R.I., stiffening criminal penalties for hackers; one from Sen. Rand Paul, R-Ky., limiting immunity for breaches of user agreements; and a slew of proposals specifying what kind of information may be shared under the bill, with which agencies and what sorts of personal or other data has to be scrubbed.
Senate Majority Leader Mitch McConnell, R-Ky., said Tuesday he hopes to get a vote on passage by early next week. After that the bill would have to be reconciled with its counterparts in the House before going to the president for signature.
New ‘rules of the road’ for ID management aim to get past the password
The Identity Ecosystem Steering Group, a public-private partnership with the goal of moving past the password as the guarantor of online identity, Tuesday released the first iteration of its flagship plan to create a more secure digital environment.
The roadmap, called the Identity Ecosystem Framework Version 1, seeks to set the nation on a path toward adopting more secure techniques for issuing and maintaining credentials, as outlined in the National Institute of Standards and Technology’s National Strategy for Trusted Identities in Cyberspace. The strategy’s goal is “helping individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity credentials to access online services in a manner that promotes confidence, privacy, choice and innovation,” according to NIST’s website.
“Never before have industry, educational institutions, government agencies, non-profit organizations and consumers come together to create a trusted identity framework to protect their online identity transactions,” states the IDEF V.1. “Working alongside one another in the IDESG, their efforts serve as the foundation for the Identity Ecosystem.”
IDEF V.1 has three components: the functional model, scoping statement and baseline requirements. Each addresses a specific part of the identity management quandary, spanning from issues like third-party authentication and credential uniqueness to recovery and re-issuance. By delving into the issues at the heart of identity management, IDESG hopes to establish a set of best practices across the board for industry and government alike.
“Today is a great day for the Identity Ecosystem,” said Kimberly Little Sutherland, IDESG plenary chairwoman and senior director of identity management strategy, in a release. “We’re in the middle of an identity revolution — organizations and consumers are online conducting transactions and all face risks to their identity, security and privacy. Until now, there have been few clear ways to step forward and make things better. That all changes today.”
Former DIA boss says U.S. must move fast or ‘become irrelevant’
The former director of the Defense Intelligence Agency said Tuesday that if the U.S. government does not catch up to the speed with which technology is evolving, it will “become irrelevant.”
Speaking at the Kaspersky Government Cybersecurity Forum in Washington, retired Lt. Gen. Michael Flynn gave a veritable laundry list of things he finds disappointing with the way the United States conducts itself when it comes to cybersecurity — whether reacting to attacks or crafting new policy.
“Speed is the new big,” Flynn said. “If you can’t move at the speed of today — and our government is terrible at this — if you can’t move at the speed [of] the world of technology, you are going to become irrelevant.”
Flynn expressed frustration at the lack of action from current lawmakers and the paucity of discussion from candidates campaigning to be the next president. Flynn said people should try to reach out to candidates to get answers on cybersecurity questions, given that he believes “the next president of the United States is going to have to deal with a cyber war.”
“All of the campaigns have Twitter accounts, so ask that question,” Flynn said. “They absolutely should be answering. The interesting thing is if they actually take the question, what would their answer be? Honestly, the few components of the debate that I have watched, it’s actually been pretty embarrassing as to what we are asking about. I mean the last one, we were talking about Donald Trump’s hair? Who gives a shit?”
He also chided Congress for stalling on various pieces of legislation, saying that dragging out fights over privacy and security is leaving defenders barred from taking swift action against malicious actors, or figuring out ways the public and private sector can collaborate.
“There are 22 pending pieces of legislation which is absurd,” he said. “Congress can’t seem to get their act straight with any of this kind of stuff.”
Flynn says without action, the Internet will continue to be a “lawless ungoverned battlespace.” He pointed to the latest incident to make headlines: hackers infiltrating the personal email accounts of CIA Director John Brennan and DHS Secretary Jeh Johnson.
“No one is protected and you’re crazy to think you are going to be secure,” he said.
But whether it’s lone hackers or nation-states, Flynn says the U.S. has acted differently than adversaries like Russia and China in cyberspace because the U.S. adheres to the “rules of engagement.”
“We follow international law, international norms, international behaviors,” he said. “We are a society that respects law. I wouldn’t say that Russia doesn’t respect law, but the world of cyber that has allowed them to operate is so anonymous, and largely in the world of transnational organization criminal networks.”
Even with agreements like the one the U.S. signed with China last month to curb the theft of intellectual property, Flynn said it’s imperative for some action to be taken in the event that a nation-state goes past the point of no return. That action may come sooner than anyone thought: A report from cybersecurity firm CrowdStrike released Tuesday said China may have continued to attack private American companies after last month’s agreement was signed.
Flynn said that actions like that should be a red line, and the country should have a policy in place to deal with the associated fallout.
“Eventually, [war] is going to happen. Two nations like we have, all the tension that we have, somebody is going to make a mistake,” he said. “What will take us to the gates? What will cause us to go and defend this country against the kind of things we face? I’d like to think that China will always be a competitor of ours. We have to compete in this space. But it gets really, really hard.”
ISAC directors: Privacy concerns over information sharing are misguided
Officials from private sector information sharing and analysis centers were lukewarm this week about new legislation designed to encourage the sharing of cyberthreat intelligence, saying privacy concerns about the bill were overblown, but so were claims it was a silver bullet for cybersecurity.
The directors of three different ISACs said during a panel discussion at the ISACA CSX conference in Washington, D.C., that they support the Cybersecurity Information Sharing Act, set to hit the Senate floor this week, but added that a great deal of sharing is already being done by the ISACs without the legislation.
The Senate version of CISA, like the various information sharing bills already passed by the House, gives liability protection to businesses that share cybersecurity information with each other or with the U.S. government. Privacy advocates have come out against the bill, saying it grants the government and the private sector too much leeway when it comes to accessing Americans’ private data.
But panel members Monday dismissed the privacy concerns. Denise Anderson, executive director of the National Health ISAC, said the information the centers share with their members is typically devoid of anything that could identify a person or company.
“The types of information that we are sharing is nothing that would affect somebody’s privacy or would affect some collusion on pricing or anything like that,” she said. “I find that whenever that [privacy] discussion comes up, it’s because people don’t understand how we’re sharing that information.”
Scott Algeier, the executive director of the IT ISAC, said the bill “doesn’t need to be controversial.”
“Some companies are saying that it would be helpful to have liability protection for the information that we are sharing,” he said. “It’s important to tilt the ratio away from the risk and more toward the reward.”
Anderson, who has sat on the board of the National Council for ISACs, said she has seen examples of centers shutting down discussions at even the hint of a company or vendor name. But she said not all sectors are the same: The telecom industry, for instance, has to deal with customer data when examining threat indicators.
“They can share if the customer gives them permission,” Anderson said, “but in order to be able to be more robust in their sharing, to be free from the concern of liability and sharing that type of information, that’s where [liability protection] could be helpful.”
The provisions in CISA are just some of the regulations and standards that ISACs, founded in the Clinton era and focused on the 17 sectors of critical infrastructure, have been dealing with this year. In February, President Barack Obama issued an executive order that established information sharing and analysis organizations. ISAOs are similar to ISACs, but are being created for businesses that do not fall into critical infrastructure silos.
Algeier said he’s “frustrated” by the standards going into these ISAOs because it adds another layer of complexity to work that ISACs were already working to accomplish.
“The great source of frustration for me is those that have been out there and doing it well for a decade and half, are now having to spend a lot of resources, a lot of time, a lot of effort on things that are being governed to make my memberships and capabilities better,” he said. “Who knows where these standards will be?”
“Let’s be blunt: ISACs were original ISAOs,” Anderson said. “I definitely see the need for new user groups. Does that mean the president needed to set that order for us? Not necessarily, because many of us have already been moving down that course.”
Steve Lines, director of the defense industrial base ISAC, said whether it’s new bills or presidential decrees, it comes down to the companies understanding how information sharing can be worthwhile for their enterprises.
“One of the problems we constantly wrestle with is between sharing information and collaboration,” he said. “You can share information all day long, but if you’re not collaborating, you’re not going to get anywhere.”
Algeier pointed to an example of how ISACs can only go so far: Sony Pictures was a member of his center when hackers, said by U.S. officials to be North Korean, destroyed the company’s network and brought the studio to its knees.
“Even if you joined an ISAC, that doesn’t make you immune from attacks,” he said. “We’re one way to help manage your risk. There’s large global companies that are complex beasts. You are not going to fix all of your security concerns by joining an ISAC.”
TechCongress fellowship will station tech experts in congressional offices
To enhance the dialogue between the tech sphere and the world of politics, a nonpartisan think tank has launched a fellowship to place technologists in congressional offices.
Announced earlier this month by New America’s Open Technology Institute, the TechCongress fellowship comes among complaints that the government is failing to keep pace with technological innovation, a challenge that is “compounded by a lack of technology expertise to inform policymaking on complex issues like cybersecurity and digital copyright,” according to the mission statement.
Travis Moore, TechCongress founder, worked for six years as the director of operations under former Rep. Henry Waxman (D-Calif.) and found himself continually frustrated by the lack of an objective, tech-savvy in-house counsel.
“I spent a lot of time thinking about Congress and technology, on a whole range of things — not just technical knowledge, but use of tools and infrastructure within the institution,” Moore said in an interview. “When tech issues came up, I had no one to call who could answer questions with technical knowledge and expertise. I spent the last year thinking about how Congress was failing to modernize.”
The Office of Technology Assessment, the federal agency responsible for providing independent technological analysis to Congress, was eliminated in 1995, leaving what some in the tech world have called a knowledge gap that has not been refilled.
Unlike the health care and science industries, which have established fellowship programs through organizations like the American Association for the Advancement of Science and the Robert Wood Johnson Foundation, Congress is conspicuously lacking in experts to field questions about tech issues — at a time when cybersecurity and big data are emerging as national issues.
“There’s a gold standard for fellowships. There are programs for doctors and nurses, which creates an ecosystem of people with expertise,” Moore said. “If you compare that to the tech-centric committees, you don’t have that knowledge. I see the innovation fellows being an important part of filling that gap.”
TechCongress will place three fellows on the Hill by early 2016, for a tenure of nine months, which Moore said he hopes will be extended for future fellows. In selecting candidates, TechCongress will emphasize broad knowledge and the ability to translate technological knowledge over specific areas of expertise.
“We’re looking for folks with tech and subject matter, folks that can be translators — translate the knowledge to an audience that’s often not as technologically sophisticated,” Moore said.
‘Stoner’ hacker dumps personal data of CIA, DHS chiefs
The personal information of CIA Director John Brennan, Department of Homeland Security Secretary Jeh Johnson, and 19 other current and former intelligence officials has been dumped online by a hacker who says he is an American high school student motivated by anger at the killing of Palestinians.
The CIA and DHS declined to comment on the authenticity of the data, which includes personal email and telephone contact information, Social Security numbers and dates of birth, but other people named in the dump confirmed to FedScoop that the data about them was genuine.
The data is in the form of a list that Brennan apparently compiled in 2008 of volunteers for the Obama transition who required access to secure government offices.
The hackers, who call themselves “Crackas With Attitude,” said on Twitter they obtained the list by gaining control of Brennan’s personal email account. That account, with AOL, was deleted Friday, the hackers said.
“Even encrypted email is only as secure as the weakest link,” former DHS Secretary Michael Chertoff told FedScoop. “If someone can get your password,” they can probably get around any reasonable security precautions you might have in place. If the attacker used “social engineering” as they claimed, Chertoff added, “that is an issue for the companies that manage these services … That is a training issue for them.”
One of the hackers told the New York Post in a telephone interview that he was a “stoner” high school student who had successfully tricked employees at Verizon and AOL into handing over control of Brennan’s account.
He told the paper he was motivated by anger at the killings of Palestinians in the Israeli-occupied territories.
“We are not doing this for personal satisfaction, we are doing this because innocent people in Palestine are being killed daily,” the hackers later tweeted.
The hackers also said on Twitter they had hijacked Johnson’s Comcast account, and posted screen shots of themselves exchanging messages with his wife, as well as details of his home address and phone numbers, the IP addresses of his home router and information about the car driven by his son.
“We are aware of the media reports,” a DHS spokesman emailed. “However, as a matter of policy, we do not comment on the Secretary’s personal security.”
The CIA also declined to comment, beyond saying that they were “aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities.”
Would-be visitors to the hackers’ Twitter account Monday afternoon found a notice that the account had been suspended, effectively deleting the dumped data. But the incident underlines the vulnerability of the personal email accounts of senior officials and the possibility that, especially during transition planning, when .gov emails aren’t available, sensitive material might be transmitted over private accounts.
“You don’t have many options at that point,” said a former national security official who worked on the 2008 transition.
“This is a symptom of a broader problem,” added Chertoff. “It’s not just officials: Business executives, lawyers, all kinds of people have to handle sensitive information … We should all be mindful of our personal security.”
He noted that information made public on social media, for instance, “can be used in social engineering.”
“It’s a lesson we all have to learn,” he concluded.
Facebook to tell users if they’ve been targeted by nation-state hackers
Facebook is going to alert its users if the company finds indications their account or their computer has been compromised or even just targeted by hackers working on behalf of a nation-state.
In a Friday blog post, Facebook Chief Security Officer Alex Stamos said the company will send desktop notifications to users if there are indications their account may be targeted. “Having an account compromised in this manner may indicate that your computer or mobile device has been infected with malware,” writes Stamos. “Ideally, people who see this message should take care to rebuild or replace these systems if possible.”

A warning Facebook users will see if the company believes a person has been attacked by a nation-state. (Facebook)
Stamos would not elaborate on how Facebook is able to detect this particular kind of malicious activity, saying only that the company will issue the warnings “where the evidence strongly supports our conclusion.”
Google, which in 2012 began issuing similar warnings to users of its Gmail service, also declines to explain the basis for its attributions.
“We hope that these warnings will assist those people in need of protection, and we will continue to improve our ability to prevent and detect attacks of all kinds against people on Facebook,” Stamos writes.
Analysis: Fed cybersecurity spend quintupled from FY2011 to FY2014
The federal government’s cybersecurity spend increased five-fold over a recent three-year period, with a large portion dedicated to offensive cyber capabilities, according to numbers crunched by a public sector business analytics firm.
Thirty-one billion dollars were spent in fiscal year 2014, according to a new report from Govini, rising from $6 billion in fiscal year 2011. The report breaks down the government’s security spend across unclassified federal networks, differentiating 11 key segments in what the company calls a “cybersecurity taxonomy.”
The largest segment of the taxonomy is categorized as “offensive cyber,” which is further defined as the “proactive and adversarial approach” to protecting federal systems. Spending on offensive capabilities jumped 150 percent year over year, from $6 billion in 2013 to $15 billion in 2014. Each branch of the military spent at least $1.6 billion in fiscal year 2014, while Computer Sciences Corp. and CACI Inc. saw large revenue growth due to their respective work with the Navy’s SPAWAR and with Army Command.
The segment that saw the largest overall growth, “Cyber Training and Awareness,” was also the smallest segment by dollar amount. The total spend in this category is $109 million, a 309 percent increase over the past three years. CSC also dominated this category, capturing $100 million in revenue in training alone.
“The surprising thing for us was there was no common language or definition of cybersecurity across the federal contractor base,” said Govini founder and CEO Eric Gillespie in a release. “Our customers knew there was significant capital being allocated to cyber, but they didn’t know how much or in what segments. We were challenged to create what is quickly becoming the common language of cyber for the industry.”
At the same time, the numbers only provide a segmented look across the government. The figures Govini provides cover unclassified networks, failing to take into account the money apportioned for the “black budget,” which covers resources dedicated to protecting classified networks and supports the intelligence community.
According to a Washington Post story, it is estimated that $4.3 billion of the “black budget” is dedicated to cyber operations.
Read Govini’s full cybersecurity taxonomy, released last week, on the company’s website.
US and EU get deadline for new Safe Harbor agreement
The United States and European Union have until January to hammer out a new agreement that will allow for the legal transmission of citizens’ personal data between the two continents, European data privacy regulators said Friday.
The Article 29 Working Party, which brings together the data protection and privacy regulators of all the 28 EU member states, issued the timeline after last week’s European Court of Justice ruling that tossed out the Safe Harbor agreement, a 15-year-old regulatory workaround letting American companies store Europeans’ personal data outside the EU.
The regulators said if the two sides do not come to an agreement prior to end of January, the group will take “necessary and appropriate actions, which may include coordinated enforcement actions” against U.S. companies that store personal data outside of European jurisdiction.
Safe Harbor was struck down after a case brought by Austrian privacy activist Max Schrems, following his unsuccessful attempt to get European privacy regulators to stop Facebook from moving its users’ data to the United States. Schrems argued the data would be subject to mass surveillance under the National Security Agency’s PRISM program and other online snooping revealed by Edward Snowden in June 2013.
The U.S. and EU have been in talks for the past two years on a new agreement to replace the Safe Harbor, but they failed to reach a deal before the European court handed down its ruling.
The Article 29 group stressed that a new deal is imperative, calling for both the U.S. and EU to find “political, legal and technical solutions” for legal data transfers, and noting that any transfers still taking place have to be considered unlawful due to the European court’s judgment.