Archive for the ‘security’ Category
DorobekINSIDER: Robert Carey joins Navy cyber command
Federal News Radio told you that Robert Carey, the widely respected CIO for the Department of the Navy, would be leaving that post.
The DorobekINSIDER has confirmed that Carey will join the Navy’s Fleet Cyber Command/U.S. Tenth Fleet, which is responsible for directing the Navy’s cyberspace operations. Carey has been one of the leaders for government cyber-security efforts and initiatives. And Carey mentioned the Fleet Cyber Command in a recent blog post.
No word on a timetable.
Also no word on Carey’s replacement as the Navy CIO, although I’d put money on it that you’ll see a uniformed person in that post. (The almost unnoticed trend among DOD CIOs is that they are shifting from civilian posts to military posts. The notable exception, of course, is the nomination of Teri Takai to be the Defense Department CIO and Defense Department Assistant Secretary for Networks and Information Integration. That being said, no word on where that nomination stands.)
More on the mission of the Fleet Cyber Command and the U.S. Tenth Fleet:
The mission of Fleet Cyber Command is to direct Navy cyberspace operations globally to deter and defeat aggression and to ensure freedom of action to achieve military objectives in and through cyberspace; to organize and direct Navy cryptologic operations worldwide and support information operations and space planning and operations, as directed; to direct, operate, maintain, secure and defend the Navy’s portion of the Global Information Grid; to deliver integrated cyber, information operations, cryptologic and space capabilities; and to deliver global Navy cyber network common cyber operational requirements.
U.S. TENTH Fleet Mission:
The mission of Tenth Fleet is to serve as the Numbered Fleet for Fleet Cyber Command and exercise operational control of assigned Naval forces; to coordinate with other naval, coalition and Joint Task Forces to execute the full spectrum of cyber, electronic warfare, information operations and signal intelligence capabilities and missions across the cyber, electromagnetic and space domains.
The Fleet Cyber Command is led by Vice Admiral Bernard J. “Barry” McCullough III, and his deputy, Rear Admiral William E. Leigher.
DorobekINSIDER Reader: Federal Internet cookie policies
The Office of Management and Budget has just issued a new policy for dealing with Internet “cookies” — these are text files that a Web site can put on your computer to track how you traverse the site.
Cookies enable Web site personalization — for example, they allow a Web site to remember you and, maybe, the items you put in your online shopping cart. But they have always been watched by some privacy advocates because of the potential implications — for example, they could track a visitor’s travels to other sites. [Read how cookies work here… and how to delete them here.]
The federal government has been all but banned from using persistent Internet cookies because of those privacy concerns. OMB has just issued new policy guidance that would enable agencies to use this tool. Federal News Radio’s Max Cacas reported on the new policies on the Dorobek Insider on Friday. You can find his report here.
This is an issue I’ve followed for a long time (here is the FCW editorial I wrote on the subject back in 2006) — and, to be honest, I’m suspicious of the new policy. That being said, I have just started reading them.
The new OMB policy seeks to re-balance the privacy considerations given that the ban was instituted more than a decade ago. The idea: Times have changed and people are more accepting of these tools.
As I say, I’m reading the policies now, but… It is important to be very clear — agencies were absolutely not banned from using cookies. They had been banned from using PERSISTENT cookies — cookies that can track you long term. I didn’t get a chance to read all the comments that came in — and unfortunately OMB has not kept those comments online. And I still have to read the policies, but… I have yet to hear a convincing argument why agencies must have persistent cookies. Some argue that the private sector does it, but that argument is specious — the government is not the private sector. In the end, it doesn’t matter what the private sector does. (Should government follow the Facebook privacy model?)
Let’s be very clear — this is not the most critical privacy issue facing government. That being said, it doesn’t help. People are already distrustful of government. I have yet to be convinced of the enormous public good that comes from using this tracking tool that one cannot accomplish otherwise. Again, agencies can use cookies — just not persistent cookies. How does it make people feel about their government if they feel like they are being tracked? (The stopwatch is running until the first story comes out of people using cookies to actually track people using government Web sites.)
I’m reading the new policies with an open mind, but… I’m very suspicious.
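To make the session-versus-persistent distinction that the whole policy turns on concrete, here is an added example (not from the original post, and not OMB’s or any agency’s code): a small Python checker that classifies the Set-Cookie headers a site returns the way a browser would under RFC 6265, so a reviewer can list which cookies would outlive the browser session. The sample headers and the fixed “now” date are constructed for the example.

```python
"""Classify Set-Cookie headers as session, persistent, or deletion cookies.

Added example, not the post's or OMB's code. Applies the browser rules from
RFC 6265: Max-Age takes precedence over Expires, an unparseable Max-Age is
ignored, and a zero/negative Max-Age or a past Expires date removes the cookie
rather than persisting it. Sample headers below are constructed, not captured
from any real site.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their values; flag attributes
    such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify_cookie(header, now=None):
    """Return 'session', 'persistent', or 'deletion' for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)

    # Max-Age wins over Expires when both are present (RFC 6265 section 5.3).
    if "max-age" in attrs:
        try:
            max_age = int(attrs["max-age"])
        except ValueError:
            max_age = None  # invalid Max-Age is ignored; fall through to Expires
        if max_age is not None:
            return "persistent" if max_age > 0 else "deletion"

    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # unparseable Expires is ignored by browsers
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return "persistent" if expires > now else "deletion"

    return "session"  # no expiry attribute: discarded when the browser closes


def audit_cookies(headers, now=None):
    """Classify every header; returns {cookie_name: classification}."""
    result = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        result[name] = classify_cookie(header, now)
    return result


def persistent_cookie_names(headers, now=None):
    """Names of cookies that would outlive the browser session, i.e. the ones
    the pre-2010 federal policy required agency-head approval for."""
    return sorted(n for n, c in audit_cookies(headers, now).items() if c == "persistent")


# Constructed sample headers, with a fixed "now" so the result is reproducible.
SAMPLE_NOW = datetime(2010, 6, 30, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",                      # session
    "visitor_id=7f3a9c; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",  # persistent
    "prefs=lang%3Den; Max-Age=31536000; Path=/",                         # persistent (1 year)
    "prefs_old=1; Max-Age=0; Path=/",                                    # deletion
    "tmp=x; Expires=Thu, 01 Jan 1970 00:00:00 GMT",                      # deletion
    "counter=5; Max-Age=notanumber; Path=/",                             # session (bad Max-Age ignored)
]

if __name__ == "__main__":
    for name, kind in audit_cookies(SAMPLE_HEADERS, SAMPLE_NOW).items():
        print(f"{name:12s} {kind}")
    print("persistent:", persistent_cookie_names(SAMPLE_HEADERS, SAMPLE_NOW))
```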
Regardless, I thought it was an opportunity to pull together the DorobekINSIDER Reader on the OMB cookie policy with background information, given that this has been going on for a long time…
The 2010 cookie/federal Web privacy policies:
* OMB policy M-10-22: Guidance for Online Use of Web Measurement and Customization Technologies [PDF] [Scribd]
* OMB policy M-10-23: Guidance for Agency Use of Third-Party Websites and Applications [PDF] [Scribd]
* The OMB “fact sheet” on the two policies
How these came about…
Giving OMB credit, they tried to evolve these policies in a relatively public way. As I seem to say a lot these days, I think they could have developed it in a public way. That being said, it would be nice if the comments were still available.
Here is some of the discussion:
White House blog post from July 24, 2009: Federal Websites: Cookie Policy
By federal CIO Vivek Kundra and Michael Fitzpatrick, associate administrator of OMB’s Office of Information and Regulatory Policy
During the Open Government Initiative outreach, Federal employees and the public have asked us questions about the federal government’s policy on cookies. As part of our effort to create a more open and innovative government, we’re working on a new cookie policy that we’ll want your input on. But before we get into that, let’s provide some context.
In June 2000, the OMB Director issued a memorandum (M-00-13, later updated by M-03-22) that prohibited Federal agencies from using certain web-tracking technologies, primarily persistent cookies, due to privacy concerns, unless the agency head approved of these technologies because of a compelling need. That was more than nine years ago. In the ensuing time, cookies have become a staple of most commercial websites with widespread public acceptance of their use. For example, every time you use a “shopping cart” at an online store, or have a website remember customized settings and preferences, cookies are being used.
Read the full post — and the comments — here.
* The Federal Register item that went along with that comment period.
* WhiteHouse.gov blog post: Enhancing Online Citizen Participation Through Policy [June 16, 2009]
By Kundra and Fitzpatrick
Last week, Vivek Kundra and Katie Stanton talked about the efforts underway to introduce more Web 2.0 technologies to the federal government sites and to open more back-and-forth communication between the American people and the government. Some of this naturally requires the adoption of new approaches and innovative technologies. But another big part of this is updating existing practices and how these tools can be used to break down barriers to communication and information.
We continue to ask for your feedback, but the best feedback is informed feedback. So what follows is background on current policies and some examples of what we’ve heard from you during the Brainstorming phase of our outreach.
Here is the specific section on cookies:
FEDERAL COOKIE POLICY: This has been a challenging issue to navigate. Put in place in 2000 to protect the privacy of Americans, the federal cookie policy limited the use of persistent cookies by federal agencies. A cookie, as many readers here know, is a small piece of software that tracks or authenticates web viewing activities by the user. In the nine years since this was put in place, website cookies have become more mainstream as users want sites to recognize their preferences or keep track of the items in their online shopping carts. We’ve heard a lot of feedback on this area. One person put it all together. “Persistent cookies are very useful as an indirect feedback mechanism for measuring effectiveness of government web sites . . . Cookies allow a greater level of accuracy in measuring unique visitors . . . Being able to look at returning visitors allows us to see what content is important to our citizens. We can use that data to improve the content and navigation of our sites.”
Recognizing the fundamental change in technology in the past nine years, and the feedback that we’ve received so far, the Office of Management and Budget (OMB) is reexamining the cookie policy as part of this Open Government Initiative. There is a tough balance to find between citizen privacy and the benefits of persistent cookies, and we would welcome your thoughts on how best to strike it.
Read the rest of the post here.
* WhiteHouse.gov blog: Cookies Anyone (the http kind)? [July 24, 2009]
By Bev Godwin, who was on assignment to the White House at the time. She is currently GSA’s Director of USA.gov and the Office of Citizen Service’s Web Best Practices Office
Nine years ago – a lifetime in Internet time – the Office of Management and Budget (OMB) issued a policy commonly referred to as “the cookies policy.” This policy prohibited federal agencies from using certain web-tracking technologies, primarily persistent cookies, unless the agency head provided a waiver. This may sound like arcane, boring policy – but it is really important in the online world.
In this post, Godwin points to a site where people could post comments — http://blog.ostp.gov/2009/07/24/cookiepolicy. Unfortunately, that page doesn’t seem to exist. It would be great to see the comments now.
* WhiteHouse.gov blog post: On Cookies [August 11, 2009]
By Kundra and Fitzpatrick
Over the past two weeks, during the public comment period on OMB’s cookie policy, we have received significant feedback and suggested revisions to the current policy. These comments reflect individual opinions on all sides of the issue.
Our main goal in revisiting the ban on using persistent cookies on Federal websites is to bring the federal government into the 21st century. Consistent with this Administration’s commitment to making government more open and participatory, we want federal agencies to be able to provide the same user-friendly, dynamic, and citizen-centric websites that people have grown accustomed to using when they shop or get news online or communicate through social media networks, while also protecting people’s privacy.
It is clear that protecting the privacy of citizens who visit government websites must be one of the top considerations in any new policy. This is why we’ve taken such a cautious approach going forward and why we felt it so important to get feedback and hear from people on this. While we wanted to get people’s ideas for improving our policy, we also needed to hear any concerns so that we could understand better where potential pitfalls might lie.
This privacy issue has recently received some attention in the media. We want to make it clear that the current policy on Federal agencies’ use of cookies has not changed. Moreover, the policy won’t change until we’ve read the public comments that have been submitted to ensure that we’re considering all sides of the issue and are addressing privacy concerns appropriately.
Continue reading the full post here.
Going back a decade… some of the discussion that led to the persistent cookie ban.
* Letter from then-Commerce Department CIO Roger Baker, now the CIO at the Department of Veterans Affairs, to John Spotila on Federal agency use of Web cookies (July 28, 2000)
[The CIO Council] strongly support the requirement that the use of any technology, including persistent cookies, to track the activities of users on web sites be approved personally by the head of the executive department (for the 14 executive departments) or agency.
As we make progress towards electronic government, personalization of web sites, typically done through persistent cookies, may become necessary in order to serve our customer’s requirements. At that time, it would be appropriate for OMB to review the “no delegation” policy in light of the then-current “state-of-the-art” in privacy protections. For example, OMB may decide to relax this policy when customers are given a choice of selecting either a personalized (i.e., with persistent cookie) or non-personalized (no persistent cookie) web experience.
* Letter from Spotila to Baker, clarification of OMB Cookies Policy (September 5, 2000)
We are concerned about persistent cookies even if they do not themselves contain personally identifiable information. Such cookies can often be linked to a person after the fact, even where that was not the original intent of the web site operator. For instance, a person using the computer later may give his or her name or e-mail address to the agency. It may then be technically easy for the agency to learn the complete history of the browsing previously done by users of that computer, raising privacy concerns even when the agency did not originally know the names of the users.
* M-00-13, Privacy Policies and Data Collection on Federal Web Sites (June 22, 2000)
* M-99-18, Privacy Policies on Federal Web Sites (June 2, 1999)
DorobekINSIDER: News Channel 8 discussing cyber-war — is it real?
I will be on NewsChannel 8’s Federal News Tonight at 7:30p tonight — and we’ll be talking about the ongoing debate: Is the threat of cyber-war exaggerated?
As I mentioned earlier, this question was the subject of an Intelligence Squared debate earlier this month.
You can hear the debate here… or see the debate here.
We are looking for your thoughts… how would you answer the question: The threat of a cyber-war is exaggerated?
Arguing that the threat of cyber-war was exaggerated were:
* Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC)
* Bruce Schneier, the cryptographer, computer security specialist, and writer who is the founder and chief technology officer of BT Counterpane, formerly Counterpane Internet Security. He writes the popular Schneier on Security blog.
And in opposition:
* Mike McConnell, former vice admiral in the Navy, the former director of the National Security Agency and the former Director of National Intelligence. He now works for Booz Allen Hamilton.
* Jonathan Zittrain, professor of Internet law at Harvard Law School and a faculty co-director of Harvard’s Berkman Center for Internet & Society. He writes the Future of the Internet blog and is on Twitter.
Some additional resources:
There currently are more than 40 cyber-security bills somewhere in the legislative process on Capitol Hill.
After heading up the President’s 60-day Cyberspace Review last year, Melissa Hathaway has some analysis. She has compiled all that knowledge in a 31-page report that breaks the different bills down by section. Nine bills make the legislation-to-watch list, including updates to FISMA. Hathaway also says there is a great need for more public awareness of cybersecurity issues, both in the U.S. and abroad.
That assessment came before Sens. Joe Lieberman (ID-Conn.), Olympia Snowe (R-Maine) and Tom Carper introduced the Protecting Cyberspace as a National Asset Act, which was discussed at a hearing today. (More information on the hearing here.) Today on Federal News Radio 1500 AM’s Dorobek Insider, we spoke to Bob Gourley, the former chief technology officer at the Defense Intelligence Agency and the editor in chief of CTOVision.com, who said he thinks the bill would be a step forward. (Read his post here.)
Finally, Gen. Dale Meyerrose, former CIO of the Office of the Director of National Intelligence, addressed this issue on Federal News Radio 1500 AM’s In Depth with Francis Rose. More here.
DorobekINSIDER: Is cybersecurity over-hyped?
I had the pleasure last night to attend the Intelligence Squared debate series — the first one held in Washington, DC. (Yes, it was a wonk-fest. After all, there were some other big events in DC last night. Washington Nationals pitching sensation Stephen Strasburg was proving worthy of all the hype over at the Washington Nationals ballpark… and James Taylor and Carole King were in DC for their tour. Moderator John Donvan from ABC News joked that people had to be really wonky to show up given the competing events.)
The packed house at the Newseum was treated to a fascinating debate focused on the “motion”: The cyber war threat has been grossly exaggerated.
Arguing in favor of that contention:
* Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC)
* Bruce Schneier, the cryptographer, computer security specialist, and writer who is the founder and chief technology officer of BT Counterpane, formerly Counterpane Internet Security. He writes the popular Schneier on Security blog.
Arguing in opposition to that contention:
* Mike McConnell, former vice admiral in the Navy, the former director of the National Security Agency and the former Director of National Intelligence. He now works for Booz Allen Hamilton.
* Jonathan Zittrain, professor of Internet law at Harvard Law School and a faculty co-director of Harvard’s Berkman Center for Internet & Society. He writes the Future of the Internet blog and is on Twitter.
The debate started out by polling the audience on the motion: The cyber war threat has been grossly exaggerated.
Initial results:
* Yes: 24 percent
* No: 54 percent
* Undecided: 22 percent
Before we offer more about the debate, how would you vote?
The debate actually focused on the question: Yes, there is a threat, but is it war?
The proponents of the motion essentially made the point: Show me the war. Schneier said that the Internet has proven to be more resilient than anticipated. While both he and Rotenberg acknowledged the threats, they argued that the “war” terminology is exaggerated… and dangerous.
“What you do with a threat of war is you call in the military, and you get military solutions,” Schneier said.
Rotenberg argued the militarization of the Internet is part of a long effort by the military and intelligence organizations to take the reins of the Internet — and he pointed to the infamous “clipper” chip from the 1990s, which would have given the government the keys to strong encryption. The argument: If something becomes a “war,” then other important issues — such as privacy — get shoved aside.
McConnell argued that the threats are very real, and, essentially, the country needs to understand how significant they are. And yes, there hasn’t been a “cyber Pearl Harbor,” but… during the Cold War, there were no nukes fired. The question is how you best prepare and defend these mission critical systems. He argues that society depends on trust and interdependency.
Zittrain said there is little argument that there are, in fact, hostile actors out there who are interested in attacking U.S. interests and livelihood. And he argued that these technologies are more fragile than we might believe.
The two sides even disagreed about the now infamous Russian — or, more accurately, believed to be Russian — cyber-attack on Georgia. Schneier argued that it amounted to a fancy denial of service attack and he scoffed, asking whether it is really a war if you can’t go to the Department of Motor Vehicles. McConnell, however, argued that the Russian attack helped bring Georgia to its knees.
Somewhat surprisingly, there wasn’t much discussion about the motivation of those stoking the cyber-war stories. Let me just say I’m not saying that the threat is exaggerated. From the people I talk to, there are real threats out there. And I have spoken to the people who, for example, are responsible for the network at the Pentagon itself, which sustained a major attack back in 2007. That attack forced DOD officials to spend years even trying to determine what data was stolen. I am also keenly aware of how dependent we are on technology. But I thought there would be some discussion of the Threat Level piece from earlier this month that raised the issue of whether we can trust the people assessing the threats. From Wired.com’s Danger Room blog:
Coincidences sure are funny things. Booz Allen Hamilton — the defense contractor that’s become synonymous with the idea that the U.S. is getting its ass kicked in an ongoing cyberwar — has racked up more than $400 million worth of deals in the past six weeks to help the Defense Department fight that digital conflict. Strange how that worked out, huh?
The panel was asked to make policy recommendations. McConnell stressed that we are a nation of laws, and therefore we need to get the laws correct. Although somewhat unrelated, Rotenberg scoffed at that idea and pointed to NSA’s warrantless wiretapping as a case where he says the laws don’t get implemented.
Rotenberg’s policy proposal: More openness and transparency. And this is one that I think is important. In fact, I’m hearing a lot of cyber-security minded people talk about the importance of sharing some information. Earlier this year, I moderated a panel at the AFCEA homeland security conference. On that panel was Marcus Sachs, Verizon’s executive director for national security and cyber policy. He formerly worked for the Army, was with the Joint Task Force for Computer Network Defense, and served as the National Security Council’s Director for Communication Infrastructure Protection. And he suggested that there needs to be more of a conversation around cyber-security. Hear highlights here. I have been quite concerned that the Web 2.0 advocates have been almost at loggerheads with cyber-security advocates, when I still think there is an opportunity to collaborate around cyber-security problems.
After all the debating was done, the audience was again asked to vote on the question: The cyber war threat has been grossly exaggerated:
* Yes: 23 percent
* No: 71 percent
* Undecided: 6 percent
What do you think?
A special thanks to Chris Parente, managing director at Strategic Communications, who invited me to the debate. Very much appreciated. Parente has posted his take of the event here.
Also read Fierce Government IT’s coverage.
DorobekINSIDER: Most read items from Feb. 29-March 6: DOD Web 2.0 policy, USPS reorg, Causey, and fed tax delinquents
The most read stories from the week of February 28 through March 6, 2010… on the DorobekInsider.com, on the Daily Debrief with Chris Dorobek and Amy Morris, for Mike Causey, and for FederalNewsRadio.com…
…from the DorobekInsider.com…
- DorobekINSIDER: DOD issues its much anticipated Web 2.0 policy
- DorobekINSIDER EXCLUSIVE: GSA cancels one cloud RFQ, plans to launch a new cloud RFQ
- DorobekINSIDER EXCLUSIVE: GSA’s Drabkin to join Northrop
- DorobekINSIDER: GSA’s Johnson names Costa as associate administrator
- DorobekINSIDER: Sen. Brown to be ranking member on contracting oversight subcommittee
- DorobekINSIDER: AFCEA Homeland Security Conference panel on cyber-security — the liner notes
- DorobekINSIDER: CA CIO Teri Takai to be named DOD CIO
- DorobekINSIDER: Most read items from Feb. 21-27: DOD and Web 2.0, cloud, TSP, cloud, and DHS contract
- DorobekINSIDER: Most read items for the month of FEBRUARY… a snowy month
- DorobekINSIDER: Northrop makes it official: Drabkin is the new director of acquisition policy
- DorobekINSIDER: GSA’s Johnson speaks to employees – here is what she said
- DorobekINSIDER: GSA procurement guru Drabkin to retire
- DorobekInsider: OMB hires performance guru Shelley Metzenbaum
- DorobekInsider: Sen. elect Brown: Feds making 2X the private sector
- DorobekINSIDER and the 03.05 Federal News Countdown poll: What was the big story of the week?
- DorobekInsider: USDA gets approval for employee buy outs from OPM as mega-management reorg continues
- DorobekINSIDER: Most read items from Feb. 14-20: Snow, Drabkin, and your TSP
- DorobekINSIDER: Back to work for feds in DC, OPM defends closure decisions
- DorobekINSIDER poll: The Federal News Countdown for Feb. 22 – what’s the big story of th
- DorobekINSIDER: On NewsChannel 8 talking government openness and transparency — the liner note
- DorobekINSIDER poll: Did OPM make the right decision to open DC offices on Friday?
- DorobekInsider EXCLUSIVE: NASA scores Gardner as the new Goddard CIO
… from the Daily Debrief with Chris Dorobek and Amy Morris…
- USPS plan would make dramatic changes
- Friday Afternoon Federal Newscast
- TSP funds see gains in February
- Feds, on average, earn more than their private sector counterparts
- Mike Causey talks about what has happened during past furloughs
- Capitol Hill reaction to the DoT furloughs
- Shame as a motivator at Recovery.gov
- Microsoft moves into federal cloud arena
- Tuesday Afternoon Federal Newscast
- GSA explains decision to withdraw cloud RFQ
- Timeline for TSP’s Roth option discussed
- Wednesday Afternoon Federal Newscast
- Use existing tools to comply with Open Government Directive
- Historic partnership sheds light on Web 2.0 use
- Monday Afternoon Federal Newscast
- Cloud Security Alliance releases new guidance
- DHS launches challenge on cybersecurity awareness
- How the tanker contract affects federal procurement
- VA issues final rule in Federal Register for VETS GWACs
- Furlough update from Capitol Hill
- Study shows lessons learned from military Facebook use
- Lessons learned, best practices on telework examined after blizzard
- TSP participants can now move money from other accounts
- Cybersecurity lessons learned at AFCEA’s 9th annual Homeland Security Conference
- TSP Snapshot: Things are looking up
- Use existing tools to comply with Open Government Directive
- Now a good time to review where your money is in the TSP
- Are Feds in the Danger Zone?
- Earnings down for many TSP accounts in January
- Congress will debate TSP contributions this session
- Update: USPS going through major changes
- GSA withdraws cloud RFQ, will offer new blanket purchase agreement
- Defense Department issues much anticipated Web 2.0 policy
- USAF still enforcing ban on thumbdrives
- Homeland security put to the test
- OPM makes call on snow closings
- This week on ‘Your Turn’
- Getting more feds to telework might be harder than it sounds
- Teleworking is not just about working at home
- Mueller: cyberterrorism threat is real
- Senate looks at DHS budget, contractors
- NIST asks for public input on Smart Grid
- Open Government Tracker created during 2010 blizzard
- U.S. Army offers $30K prize for new apps
- DHS rolls out ‘Facebook for first responders’
- DoD to change business system development
- DHS looks closely at domestic terrorism
- All TSP funds see gains in 2009
- Analysis: Is ‘High Road Contracting Policy’ repetitive?
…for Mike Causey’s Federal Report…
- TSP: Getting Bigger & Better
- Year of The TSP Tiger?
- Not Bad for Government Work!
- NSPS Winners: The Few, The Proud, The Scared…
- Threats: Broadcast or Bury Them?
- Danger Zone: Your Office
- Investing Unused Leave
- NSPS: Dead Duck or Sleeping Giant?
- Going Part Time Without Going Broke
- Retirees $250 Tax Credit
… and from FederalNewsRadio.com …
- Bill calls for feds who owe taxes to be fired
- DoT bureaus offer advice to furloughed feds
- Hill impasse spells more furloughs for DoT workers
- House passage of Senate jobs bill would end DoT furloughs
- Transportation Department furloughs end
- Transportation Department scrambles to fend off furloughs
- Bill calling for firing of tax delinquent feds pulled
- Congress turns up heat on DoD business systems
- OMB taking a deeper look at data centers
- Army putting up $30,000 prizes for apps
- Room for improvement found at DHS S&T
- Concern voiced about virtual fence
- Tax delinquent contractors focus of OFPP effort
- Army to transform through apps
- Small business contracting bill brings changes
- Hill impasse spells more furlough for DoT workers
- IT community prepares for major policy change
- Federal News Radio Reports
- Bunning ends Senate blockade of spending bill, DoT furloughs to end
- Federal govt. open Tuesday under delayed arrival, unscheduled leave
- GSA releases FY 2010 per diem rates
- Terrorist watchlists receiving mini-makeovers
- GAO finds OMB needs better cybersecurity coordination
- Napolitano blames hiring process for DHS contractor glut
- VA axes 12 IT projects
- Number of DHS contractors ‘unacceptable’
- Senate: Con artists are using stimulus scams to fleece citizens
- DoD tells Congress greening doesn’t affect goals
- White House proposes 1.4 percent pay raise
- DCAA and DCMA: who’s the boss?
- OMB’s Werfel lays out new plan to follow agency money
- OPM to host workshops on hiring
- White House IT budget request lower in 2011
- AFGE fires first salvo in bid to organize TSA screeners
- GSA’s Alliant contract attracting early supporters
- OPM’s decision to open gov’t. questioned after horrific commute
- DoD partially lifts ban on USB drives
- DoD gives vendors new rules to protect data
- Small business contracting changes coming
- DoD decides one-size does not fit all with DIHMRS
- OPM to test new employee health services
- Federal government closed on Thursday
- Analysis: Cracking down on contracting cheats
- VA reaping rewards from IT oversight
- Telework centers offer alternative workspace for feds
- Agencies to justify not using cloud computing to OMB
- OMB, HHS create new health IT task force
- Senate bill attempts to improve HUBZone program
- GSA reorganizes to better green the government
- Contractor integrity, performance to face higher level of scrutiny
DorobekINSIDER: AFCEA Homeland Security Conference panel on cyber-security — the liner notes
I am moderating a panel at AFCEA’s 9th Annual Homeland Security Conference — creatively named DHS – The 7-Year Itch – Renewing the Commitment: The Definitive Dialogue on Critical Homeland Security Issues. Specifically, the panel that I’m moderating is titled President’s Comprehensive National Security Initiative. And we have a good panel to discuss these issues, even if the title of the panel doesn’t fully capture it:
Thursday, February 25
9:15 a.m. – 10:30 p.m.
Panel 6: President’s Comprehensive National Security Initiative
Industry insight into streamlining the cyber security effort through all levels of government. Thoughts and recommendations on policy, strategy and guidelines necessary to secure federal systems; integrate existing federal government resources; and anticipate future cyber threats and technologies.
Moderator: Christopher J. Dorobek (confirmed)
Co-anchor, Federal News Radio 1500 AM’s Daily Debrief with Chris Dorobek and Amy Morris
Editor-in-chief, the DorobekINSIDER.com
Panelists:
Mr. Shawn Carroll (bio in PDF)
Executive Director of Engineering & CTO
QWEST Government Services
Mr. John Nagengast (bio in PDF)
Executive Director for Strategic Initiatives
AT&T
Mr. Marcus Sachs (bio in PDF)
Executive Director for National Security & Cyber Policy
Verizon
Credit where credit is due: I’m just the moderator. I did not pull the panel together. So I want to credit specifically Wray Varley, Qwest Government Service’s director of advanced programs, DHS & DoJ, for pulling all the pieces together.
As I mentioned, our title is just a tad bit misleading because it really doesn’t capture the scope of what we hope to talk about. (I’m not sure people know what the President’s Comprehensive National Security Initiative even is. I’ve put some background below, including a March 2009 report from the Congressional Research Service that lays it out.)
In the end, what we hope to talk about is cyber-security broadly — and our discussion will really go beyond that rather governmental sounding initiative.
It is clear that times are changing in the cyber world. Cyber-security is moving from being a check-list item to becoming a real national security priority. People are hearing about cyber-security repeatedly, but I’m not sure they know what they can — and should — be doing.
A few data points:
* The Google hack: This comes from Google’s announcement that the company was considering pulling out of China following a massive hack. Of course, we learned that these attacks were actually against a number of private sector companies and investigators are still searching for where these attacks came from. And on Federal News Radio 1500 AM’s Daily Debrief with Chris Dorobek and Amy Morris, we spoke with George Kurtz, the CTO for cyber-security company McAfee, about those attacks. Hear that conversation here. McAfee and the Center for Strategic and International Studies recently came out with a new report that found people are under attack more than they generally know. You can hear the authors of that report, titled In the Crossfire: Critical Infrastructure in the Age of Cyberwar, here.
* The ZeuS attacks: After Google came word from NetWitness that some 2,400 organizations — including government agencies — had been attacked.
* Could the U.S. lose a cyber-war? That was the stark warning from Mike McConnell, the former director of national intelligence, during testimony before the Senate Commerce, Science and Transportation Committee, according to GovInfoSecurity.com. McConnell told lawmakers earlier this week that if a cyberwar were to break out today, “the United States would lose.” He went on to say that this is not because the U.S. doesn’t have talented people or cutting-edge technology. It is simply because the country is the most dependent and the most vulnerable — and because the country has not made the national commitment to understanding — and securing — cyberspace.
During the discussion, we are going to review this from several perspectives:
* Carrier operations — Nagengast is going to discuss what the telecommunications carriers can/should/are doing to address these important issues.
* Policy issues — Sachs is going to discuss the public and private policy issues that can/should/are helping to address this issue.
* What agencies need to do — Finally, Carroll will review what agencies can/should/are doing to address these issues.
And my guess is that somewhere in there, we will talk about Networx, which was widely hailed as a real opportunity for agencies to upgrade their network security infrastructure. And earlier this month, the Federal Trade Commission was one of the first agencies to use the Networx contract’s provisions for the Trusted Internet Connection initiative. TIC is an OMB initiative that seeks to reduce the number of government connections to the Internet to better enable agencies to secure data that passes through those connections, and OMB has been pushing agencies to move forward with TIC implementation.
Some resources — and I’ll add to these if there are links mentioned during the session:
* Congressional Research Service report: Comprehensive National Cybersecurity Initiative: Legal Authorities, Policy Considerations [March 10, 2009] Report thanks to OpenCRS — and you can download the PDF of the report from their site here.
* Center for Democracy and Technology analysis of the Comprehensive National Cybersecurity Initiative
* The China threat: Here is some appointment listening — and reading. Last week on Federal News Radio 1500 AM’s Daily Debrief with Chris Dorobek and Amy Morris, we spoke to James Fallows of The Atlantic magazine, who wrote a fascinating piece about China generally, but also that country’s role as a cyber-attacker, which he argues is somewhat exaggerated… although he goes on to say that he doesn’t believe we are paying enough attention to cyber-security generally. Hear our conversation here. I think you’ll find the conversation — and his article — illuminating.
The DorobekInsider reader: Howard Schmidt as cybersecurity coordinator
Somehow it feels that the White House is clearing off its desk before the end of the year. What else would explain Tuesday’s announcement that Howard Schmidt would be the Obama administration’s cybersecurity coordinator — just shy of seven months after the creation of the post was originally announced.
The announcement is curious because Schmidt was one of the first names that was tossed around — and in so many ways, he seems to have the skills necessary for this still-being-defined post.
But this strikes me as an important — and complex — job. So, as we often do around these kinds of big events, I like to pull together resources, analysis and opinions around key topics. (Previous DorobekInsider readers: Obama cyber-security policy review, the Defense Department’s National Security Personnel System pay-for-performance reports and Veterans Day.)
Right at the top, I should note that the DorobekInsider reader: Obama cyber-security policy review has links to the administration’s policy review and much more.
From the White House itself:
* WhiteHouse blog: Introducing the New Cybersecurity Coordinator, which includes a short video with Howard Schmidt.
* To see how Schmidt’s thinking has evolved, read the National Strategy to Secure Cyberspace, which he helped craft before he left the Bush administration. Find the report from DHS here.
Federal News Radio 1500 AM and FederalNewsRadio.com coverage
Federal News Radio 1500 AM has team coverage of the announcement.
* On Federal News Radio 1500 AM’s Daily Debrief with Chris Dorobek and Amy Morris… we spoke with Karen Evans, former administrator of e-government and information technology at the Office of Management and Budget, and Randy Sabett, a partner at Sonnenschein Nath & Rosenthal, where he is a member of the Internet, Communications & Data Protection Practice. Sabett served on the Commission on Cybersecurity for the 44th Presidency, which had recommended the creation of the cyber-coordinator post.
Evans:
Now, think about it. He was doing cybersecurity in Microsoft when it wasn’t cool. So, for him to be able to do that — that experience there within a company as big as that company is and the focus that they had, which was at that point pretty consumer-oriented, [but] has now switched to a very comprehensive type of cybersecurity strategy going forward with solutions for consumers, as well as other folks — that’s due to Howard’s insight and education. That experience will really help when he’s talking with private industry people and what their part is in this.
Sabett:
The difference between the two relates to the areas where the frustration has been felt in the past. The so-called cyber czars — many of them, including Howard — have expressed the idea that they had all of the responsibility but they didn’t have the authority. I think the difference here is the emphasis on coordination, which is a recognition that there are many pockets, both within the government and within the private sector, of excellence — of people doing really good things in the cybersecurity area. Those don’t need to be shaken up. At the same time, they do need to be coordinated and . . . having this position be in the Executive Office of the President is, I think, a significant difference from where the so-called cyber czar positions have been in the past.
You can hear and read parts of those interviews here.
* Federal News Radio’s Jason Miller culled reaction from industry, while Federal News Radio’s Max Cacas got the reaction from Capitol Hill — Cacas notes that one of the more interesting comments came from Sen. Susan Collins (R-ME).
Ranking minority member of the Homeland Security Committee, Senator Susan Collins from Maine, was even more blunt, releasing a statement outlining her “disappointment at the Administration’s decision to add yet another czar at the White House.” Collins wants Schmidt’s new job elevated to one that would be subject to Senate confirmation.
Read and hear Cacas’s full story here.
* Federal News Radio’s Jason Miller is hearing Sameer Bhalotra, a staff member from the Senate Select Committee on Intelligence, is a leading candidate to be the deputy cyber coordinator. Miller also spoke to Melissa Hathaway, the former senior director for cyberspace for the National Security Council under President Obama and now president of Hathaway Global Strategies:
“I would advise him to visit those centers and know what they are doing and have a good operational understanding of what’s out there,” she says. “He should know how the partnership is growing between the different departments and agencies.”
Read and hear Miller’s full report here.
Just as an aside, something worth reading: Hathaway’s Five Myths about Cybersecurity. Number 3: Government has the solutions and will protect me. Not necessarily, Hathaway says. Read more here.
* On the Federal Drive with Tom Temin and Jane Norris, soon after the announcement, Alan Paller, director of research at the SANS Institute, praised Schmidt’s appointment.
Paller:
Of all the people they were looking at, only two had on the ground experience, and this is a field you can’t do without on the ground experience. This is a job you can’t do without on the ground experience because you get lied to by people, and if you don’t have the experience of having actually managed security, you just can’t do the job.
Read more and hear the full interview here.
And this morning on the Federal Drive with Tom Temin and Jane Norris, Jim Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies spoke about the appointment. Hear that interview here.
Other coverage…
Needless to say, there was a whole lot of coverage of Schmidt’s appointment, so if you’re looking for everything, Google News can do that. I’m just pulling some of the more interesting stories that have some above-and-beyond insights to highlight here.
* As attacks increase, U.S. struggles to recruit computer security experts [WP, 12.22.2009]
My favorite quote was right at the end from Bob Gourley, the former CTO at the Defense Intelligence Agency.
Cybersecurity lawyers, researchers and policymakers are also in short supply. The Pentagon, for instance, lacks a career path to develop “expert decision-making in the cyber field,” said Robert D. Gourley, a former Defense Intelligence Agency chief technology officer. “The great cyber-generals are few and far between.”
* Workforce Hurdles for New Cyber Czar [NextGov’s WiredWorkplace blog, 12.22.2009]
Along the lines of Gourley’s comments:
Underlying all of these goals is the challenge of improving the recruitment and retention of a top-notch federal cyber workforce. In July, the nonprofit Partnership for Public Service released a report that found that the federal government faces major human resource challenges, such as difficulty in recruiting and retaining high-skilled workers, poor management and a lack of coordination that leaves some agencies competing against one another for talent. Such problems are particularly acute within the federal cybersecurity workforce, the Partnership found.
* Obama cyber czar pick looks to secure smartphones, social nets [ComputerWorld, 12.22.2009]
Calls on social media firms to alert users about various security threats
* Finally, A Cyber Czar [Forbes.com, 12.22.2009]
The new U.S. cybersecurity coordinator, Howard Schmidt, is an impressive leader in government and industry. He’s also Obama’s fourth choice at best
At least three other candidates had been privately offered the position and turned it down, as Forbes reported in July (see: “Obama’s Unwilling Cyber Czars“). Cybersecurity industry watchers told Forbes at the time that was because the position had been stripped of much of its power in an effort to ensure that new cyber regulations didn’t hamper economic recovery.
In a campaign speech at Indiana’s Purdue University in July of 2008, Obama promised to “declare our cyber-infrastructure a strategic asset, and appoint a national cyber advisor who will report directly to me.” In the year that followed, cybersecurity has only grown as a public issue following a steady drumbeat of foreign hacking incidents that have allowed cyberspies to steal military information and breach the power grid.
But Schmidt will hardly report directly to Obama. Instead, according to a report that resulted from a 60-day government cybersecurity review ending in May, the cyber coordinator position will be “dual-hatted,” reporting to both the National Security Council and the National Economic Council under Obama’s economic advisor Larry Summers.
* How Dangerous is the Cyber Crime Threat? [PBS’s NewsHour, 12.22.2009]
Talking to Jim Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies
* National cybersecurity coordinator choice widely applauded [GCN.com, 12.22.2009]
* Obama’s New Cyber Security Chief, Howard A. Schmidt, Speaks in Gibberish, but Not the Highly Technical Kind [Seattle Weekly, 12.22.2009]
DorobekInsider: Wolf warns to protect your PDAs — a good reminder. Read the CIO Council’s 2008 memo
Last week on Federal News Radio 1500 AM’s Daily Debrief with Chris Dorobek and Amy Morris, we spoke to Rep. Frank Wolf (R-VA) about a letter he sent to President Obama essentially saying that the government was not taking proper precautions for their PDAs — BlackBerries and the like.
Rep. Frank Wolf (R-VA) today called on the president to hold a confidential cabinet briefing on the topic of cybersecurity and to make the protection of federal data a top administrative and policy priority.
Wolf, whose office computers were compromised in August 2006, continues to express concern that not enough is being done to protect critical data.
“The continued vulnerability of computer and telecommunications networks remains the ‘Achilles’ heel’ of U.S. national security in the 21st century,” Wolf wrote in a letter dated today to President Obama. “I hope you will lead our executive agencies by demonstrating to your cabinet the seriousness with which you consider this issue.”
Hear Wolf discuss this topic here.
In fact, this issue was addressed by the Federal CIO Council more than a year ago. Here is the memo:
This afternoon on Federal News Radio 1500 AM’s Daily Debrief, we’ll talk to Karen Evans, who signed that memo, about the issue.
I certainly don’t think anybody is suggesting that this issue not get full attention — so we’ll take a look at it and why it is important.
DorobekInsider: One part of the intel collaboration suite gets nixed, sparking protests — and concern
It is a story that has been generating a lot of buzz — I have been trying to nail it down for a few days — and I give a lot of credit to Marc Ambinder, the Atlantic magazine’s associate editor, who broke the story yesterday.
Shutdown Of Intelligence Community E-mail Network Sparks E-Rebellion
The intelligence community’s innovative uGov e-mail domain, one of its earliest efforts at cross-agency collaboration, will be shut down because of security concerns, government officials said.
The decision, announced internally last Friday to the hundreds of analysts who use the system, drew immediate protests from intelligence agency employees and led to anxiety that other experimental collaborative platforms, like the popular Intellipedia website, are also in the target sights of managers.
It follows reports that another popular analytic platform called “Bridge,” which allows analysts with security clearances to collaborate with people outside the government who have relevant expertise but no clearances, is being killed, and indications that funding for another transformational capability, the DoDIIS Trusted Workstation, which allows analysts to look at information at a variety of clearance levels — Secret, Top Secret, Law Enforcement Sensitive — is being curtailed.
uGov, rolled out in 2005, is an open source server designed to allow analysts and intelligence collectors from across the 16 different agencies to collaborate with ease and security. More prosaically, it processes unclassified e-mail for ODNI employees, contains an open-source contact and calendar management system, and allows employees to access less sensitive collaboration platforms from computers outside their offices.
UGov has been especially popular among the large tranche of analysts who joined the community after 9/11. The Office of the Director of National Intelligence (ODNI) runs the network.
Even if you are not in the intel community, this is a very important story — and has implications for change and innovation in government.
I have written about the Intellipedia suite of tools quite a bit — see more here… and here… and here.
I use the term “Intellipedia” to describe the suite of collaboration tools. That suite includes the Intellipedia wiki, which operates on the MediaWiki software platform, the same platform that runs the popular Wikipedia online encyclopedia. And the suite includes many of the tools that you probably use today — photo sharing, e-mail… on and on and on.
As I have said — and I continue to believe — when the history of government 2.0 is written — in fact, when the history of this age of collaboration is written — the intelligence community will get several chapters. And, as I have noted, in just a few weeks, Harvard Business School Prof. Andrew McAfee’s wonderful book Enterprise 2.0: New Collaborative Tools for Your Organization’s Toughest Challenges will finally hit the streets… and in McAfee’s book, Intellipedia ends up being one of his four enterprise 2.0 case studies. Yes, there is a government case study on collaboration and information sharing — right up there with a case from Google.
Beyond that, it is interesting that this comes literally weeks after the Intellipedia team was recognized with the Partnership for Public Service’s Service to America Medal — a SAMMIE.
To be fair, I have not spoken to ODNI officials. They are saying that they will put me in touch with somebody, but… it has not happened yet. Of course, I hope to have somebody on Federal News Radio 1500 AM to talk about this.
What we hear is that uGov is being taken down because of concerns about the security of the system. Again, ODNI officials would not officially confirm.
But the question that is now being debated behind closed doors — and needs to be a more public discussion — is that balance between security and collaboration.
There are, after all, security concerns with all software. Every one. Many security experts point to Zimbra as one of the most secure e-mail systems anywhere — and it has still been patched to make it more secure.
So, to be honest, I’m not buying the security issue.
Security also becomes an easy issue for organizations to hide behind — reasons not to change the way organizations have done business. It is a half-step away from the worst phrase in the English language: ‘That’s not how we do business here.’ It is a way of avoiding justifying decisions and entering a debate.
The real issue is a ‘who moved my cheese.’ The fact is that the Intellipedia collaboration suite does change the way the intelligence community has done business. I am not an intelligence expert by any means, but from my reading of the 9/11 Commission final report — something I would highly recommend — it seems there are all sorts of opportunities to try new ways of doing business.
I would also read the assessment of A-Space, which is one part of the Intellipedia collaboration suite of tools. An independent report found that people were actually sharing information in new and different ways.
Back in February, Government Computer News’s Joab Jackson had a really excellent story that garnered a lot of attention — Intellipedia suffers midlife crisis. At the time, I scoffed at that idea. I argued that these collaboration tools are barely walking yet and that they are far from a midlife crisis. And I was partially correct — I do still think we are in the infancy of what will happen with collaboration tools. But I was too literal. Intellipedia was — and is — going through growing pains. It’s not quite mid-life — perhaps this baby is taking her first steps. But ODNI is making important decisions here that will have significant impact — and ramifications.
My sense is that what is actually happening is a battle over the concepts — and that is the debate that should be going on. Do we really believe that all of us are smarter than each of us individually?
Yes — all of this will mean change. The job people are doing now won’t be the same job they were doing a decade ago — or even a year ago.
We need to learn more — and ODNI needs to talk about this in a public way. But based on the information we have right now, it seems there is a lot going on here.
But let’s have the real debate. Let’s not couch it under a security blanket.
DorobekInsider: Changes within the VA IT shop
EDITOR’S NOTE: This item was updated with a correction on Oct. 7, 2009 at 9:25a ET.
We told you about those scandalous IG reports on the Department of Veterans Affairs CIO organization that showed former high-ranking VA IT officials “gave preferential treatment to certain contractors, engaged in nepotism in hiring and, in one case, took advantage of a relationship with a supervisor for personal gain.”
There has been a lot of buzz around the Beltway — and within the halls of VA. As I mentioned earlier, one of the hottest tickets in town is Thursday’s Input executive breakfast with VA CIO Roger Baker — who, it is important to note, was not at VA when all of the events alleged by the IG were supposed to have happened. I said earlier that I didn’t think that Baker will address the issue of the IG report, but… he may at least acknowledge that there have been some personnel shifts.
Jaren Doherty has been named the acting deputy assistant secretary for cyber-security, VA officials confirmed — and they noted that he is serving in an acting capacity. The emphasis comes from them. He is filling in for Adair Martinez, who is one of the players at the heart of the VA IG report drama. VA insiders say that Martinez was just recently put on administrative leave. VA officials will not discuss any of those particulars.
CORRECTION: VA officials have told me that the report about Nash is not accurate. “Laura Nash has no change to her present position, which is executive assistant in IPRM. Your report yesterday that she was named acting associate director is not correct.” I stand corrected.
VA has also named Laura Nash to be the acting ADAS for cyber-security, filling in for Doherty. Nash’s name does appear in the IG reports.
We are also hearing that Bob Howard, the former VA CIO, who is also at the heart of the VA IG reports, has left Femme Comp Inc. (FCI), where he had landed as a senior vice president working on command and control and information technologies for the Defense Department. A few weeks ago, Howard sent an e-mail to a handful of people, which has been making the rounds, that merely gave a new e-mail contact. I have reached out to him, but I have not heard back.
Meanwhile, people tell me that VA is still conducting an investigation. One person who has dealt with similar kinds of issues told me that the IG report is something akin to a grand jury indictment — and it is VA management’s job to determine if there is enough evidence for administrative action as recommended by the IG. VA management — the VA CIO, the general counsel, HR — have to ensure that they are fair and objective within the law.
And one person who has dealt with these kinds of issues said this process doesn’t necessarily move quickly.
Baker is in a complex situation. First off, he wasn’t at VA when all of this happened, yet it is his mess to clean up. But beyond that, he is likely to be criticized no matter what he does.
It will be interesting to see what Baker has to say on Thursday. My prediction is that he still won’t say all that much, but many people will be there — we hear that Input’s numbers are nearing 600 people.