How Feds Are Trying to Bring Order to Blockchain Mania

Blockchain hype is at a fever pitch. The distributed ledger technology is hailed as a cure for everything from identity management to electronic health records and securing the Internet of Things. What a blockchain actually provides is a shared, append-only, tamper-evident record of transactions between parties that do not need to trust one another. There are industry trade groups, a Congressional Blockchain Caucus and frequent panel discussions to raise awareness.

Federal agencies are plunging ahead, both on their own and in concert with the General Services Administration’s Emerging Citizen Technology Office (GSA ECTO). The office groups blockchain with artificial intelligence and robotic automation, social and collaborative technologies, and virtual and augmented reality as its four most critical technologies. Its goal: Develop use cases and roadmaps to hasten government adoption and success with these new technologies.

“There’s a number of people who assume that fed agencies aren’t looking at things like blockchain,” Justin Herman, emerging technology lead and evangelist at GSA ECTO, told a gathering at the State of the Net Conference held Jan. 29 in Washington, D.C. “We got involved in blockchain because there were so many federal agencies coming to the table demanding government wide programs to explore the technology. People had already done analysis on what specific use cases they thought they had and wanted to be able to invest in it.”

Now his office is working with more than 320 federal, state and local agencies interested in one or more of its four emerging tech categories. “A lot of that is blockchain,” Herman said. “Some have already done successful pilots. We hear identity management, supply chain management…. We should be exploring those things together, not in little silos, not in walled gardens, but in public.”

Among those interested:

  • The Joint Staff’s J4 Logistics Directorate and the Deputy Assistant Secretary of Defense for Maintenance, Policy and Programs are collaborating on a project to create a digital supply chain, enabled by additive manufacturing (also known as 3-D printing). Blockchain’s role would be to secure the integrity of 3-D printing files, seen as “especially vulnerable to cyber threats and intrusions.” The Navy is looking at the same concept. “The ability to secure and securely share data throughout the manufacturing process (from design, prototyping, testing, production and ultimately disposal) is critical to Additive Manufacturing and will form the foundation for future advanced manufacturing initiatives,” writes Lt. Cmdr. Jon McCarter, a member of the Fiscal 2017 Secretary of the Navy Naval Innovation Advisory Council (NIAC).
  • The Office of the Undersecretary of Defense for Acquisition, Technology and Logistics (OUSD (AT&L)) Rapid Reaction Technology Office (RRTO) has similar designs on blockchain, seeing it as a potential solution for ensuring data provenance, according to a solicitation published Jan. 29.
  • The Centers for Disease Control’s Center for Surveillance, Epidemiology and Laboratory Services is interested in using blockchain for public health tracking, such as maintaining a large, reliable, current and shared database of opioid abuse or managing health data during crises. Because every participant holds the same replicated, append-only ledger, an update accepted onto the chain is seen by all of them, solving a major shortfall today, when researchers are often working with different versions of the same or similar data sets rather than one unified data set.
  • The U.S. Food and Drug Administration has similar interests in sharing health data for large-scale clinical trials.
  • The Office of Personnel Management last fall sought ideas for how to create a new consolidated Employee Digital Record that would track an employee’s skills, performance and experience over the course of an entire career, using blockchain as a means to ensure records are up to date and to speed the process of transfers from one agency to another.

Herman sees his mission as bringing agencies together so they can combine expertise and resources and more quickly make progress. “There are multiple government agencies right now exploring electronic health records with blockchain,” he said. “But we can already see the hurdles with this because they are separate efforts, so we’re adding barriers. We’ve got to design new and better ways to move across agencies, across bureaucracies and silos, to test, evaluate and adopt this technology. It should be eight agencies working together on one pilot, not eight separate pilots on one particular thing.”

The Global Blockchain Business Council (GBBC) is an industry group advocating for blockchain technology and trying to take a similar approach in the commercial sector to what GSA is doing in the federal government. “We try to break down these traditionally siloed communities,” said Mercina Tilleman-Dick, chief operating officer for the GBBC.

These days, that means trying to get people together to talk about standards and regulation and connecting those who are having success with others just beginning to think about such issues. “Blockchain is not going to solve every problem,” Tilleman-Dick said. It could prove effective in a range of use cases where secure, up-to-date, public records are essential.

Take property records, for example. The Republic of Georgia moved all its land titles onto a blockchain-based system in 2017, Sweden is exploring the idea and the city of South Burlington, Vt., is working on a blockchain pilot for local real estate transactions. Patrick Byrne, founder of Overstock.com and its subsidiary Medici Ventures, announced in December he’s funding a startup expressly to develop a global property registry system using blockchain technology.

“I think over the next decade it will fundamentally alter many of the systems that power everyday life,” GBBC’s Tilleman-Dick said.

“Blockchain has the potential to revolutionize all of our supply chains. From machine parts to food safety,” said Adi Gadwale, chief enterprise architect for systems integrator General Dynamics Information Technology. “We will be able to look up the provenance and history of an item, ensuring it is genuine and tracing the life of its creation along the supply chain.

“Secure entries, immutable and created throughout the life of an object, allow for secure sourcing, eliminate fraud, forgeries and ensure food safety,” Gadwale said. “Wal-Mart has already begun trials of blockchain with food safety in mind.”
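As an added illustration of the property McCarter (integrity of design files across the manufacturing life cycle) and Gadwale (immutable provenance entries for a supply-chain item) describe, here is a minimal hash-chained provenance ledger in Python. It is example code written for this article, not any agency’s or vendor’s system; the artifact ID, stage names, actor names and the toy design-file bytes are constructed. Each entry commits to the hash of the previous entry, so editing history breaks the chain from that point on, and a file handed to a printer can be checked against the hash recorded for that stage.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    index: int
    artifact_id: str     # hypothetical part identifier
    stage: str           # design, prototype, test, production, disposal
    actor: str           # who recorded the entry
    content_hash: str    # SHA-256 of the file/record at this stage
    prev_hash: str       # entry_hash of the previous entry (the chain link)
    entry_hash: str = ""

    def canonical(self) -> bytes:
        # Deterministic encoding of everything the entry commits to;
        # entry_hash itself is excluded because it is derived from this.
        return json.dumps({
            "index": self.index, "artifact_id": self.artifact_id,
            "stage": self.stage, "actor": self.actor,
            "content_hash": self.content_hash, "prev_hash": self.prev_hash,
        }, sort_keys=True, separators=(",", ":")).encode()


class ProvenanceLedger:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, artifact_id: str, stage: str, actor: str, content: bytes) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = Entry(len(self.entries), artifact_id, stage, actor, sha256_hex(content), prev)
        entry.entry_hash = sha256_hex(entry.canonical())
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first broken entry)."""
        prev = GENESIS_HASH
        for e in self.entries:
            if e.prev_hash != prev or e.entry_hash != sha256_hex(e.canonical()):
                return False, e.index
            prev = e.entry_hash
        return True, None

    def matches(self, artifact_id: str, stage: str, content: bytes) -> bool:
        """Does this file match the hash recorded for the artifact at that stage?"""
        h = sha256_hex(content)
        return any(e.artifact_id == artifact_id and e.stage == stage and e.content_hash == h
                   for e in self.entries)


def demo() -> Tuple[bool, bool, bool, Tuple[bool, Optional[int]]]:
    # Constructed sample: a toy STL-like design file, not a real part.
    design = b"solid bracket\n facet normal 0 0 1\n endfacet\nendsolid bracket\n"
    ledger = ProvenanceLedger()
    ledger.append("BRKT-001", "design", "engineering", design)
    ledger.append("BRKT-001", "test", "qa-lab", design + b"# test report: pass\n")
    ledger.append("BRKT-001", "production", "depot-printer-7", design)

    chain_ok = ledger.verify()[0]                                # True
    genuine = ledger.matches("BRKT-001", "production", design)   # True
    # A swapped file sent to the printer fails the check.
    swapped = ledger.matches("BRKT-001", "production",
                             design.replace(b"0 0 1", b"0 0 2"))  # False
    # An insider edits a historical entry; every hash from there on stops matching.
    ledger.entries[1].actor = "someone-else"
    after_edit = ledger.verify()                                 # (False, 1)
    return chain_ok, genuine, swapped, after_edit


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would add: a hash chain alone gives tamper-evidence, not tamper-resistance. Whoever holds the only copy can simply rebuild the whole chain after an edit. What turns this into a blockchain, and what the agencies above are really after, is replicating the chain across independent parties under a consensus rule so that no single participant can rewrite it unnoticed. Even then, the ledger proves only that a file matches a recorded hash; it says nothing about whether the recorded design was correct or whether the physical part was actually printed from it.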

Hilary Swab Gawrilow, legislative director and counsel in the office of Rep. Jared Polis (D-Colo.), who is among the Congressional Blockchain Caucus leaders, said the government needs to do more to facilitate understanding of the technology. The rapid rise in the value of bitcoin and the wild fluctuations and speculation in digital cryptocurrencies have done much to raise awareness. Yet that does not necessarily instill confidence in the concepts behind blockchain and distributed ledger technology.

“There are potential government applications or programs that deserve notice and study,” Swab Gawrilow said.

Identity management is a major challenge for agencies today. In citizen engagement, citizens may have accounts with multiple agencies. Finding a way to verify status without having to build complicated links between disparate systems to enable benefits or confirm program eligibility would be valuable. The same is true for program accountability. “Being able to verify transactions would be another great way to use blockchain technology,” she said.

That’s where the caucus is coming from: A lot of this is around education. Lawmakers have all heard of bitcoin, whether in a positive or negative way. “They understand what it is,” Gawrilow said. “But they don’t necessarily understand the underlying technology.” The caucus’ mission is to help inform the community.

Like GSA’s Herman, Gawrilow favors agency collaboration on new technology projects and pilots. “HHS did a hackathon on blockchain. The Postal Service put out a paper, and State is doing something. DHS is doing something. It’s every agency almost,” she said. “We’ve kicked around the idea of asking the administration to start a commission around blockchain.”

That, in turn, might surface issues requiring legislative action – “tweaks to the law” that underlie programs, such as specifications on information access, or a prescribed means of sharing or verifying data. That’s where lawmakers could be most helpful.

Herman, for his part, sees GSA as trying to fill that role, and to fill it in such a way that his agency can tie together blockchain and other emerging and maturing technologies. “It’s not the technology, it’s the culture,” he said. “So much in federal tech is approached as some zero-sum game, that if an agency is dedicating time to focus and investigate a technology like blockchain, people freak out because they’re not paying attention to cloud or something else.”

Agencies need to pool resources and intelligence, think in terms of shared services and shared approaches, break down walls and look holistically at their challenges to find common ground.

That’s where the payoff will come. Otherwise, Herman asks, “What does it matter if the knowledge developed isn’t shared?”

Relocatable Video Surveillance Systems Give CBP Flexibility on Border

Illegal border crossings fell to their lowest level in at least five years in 2017, but after plunging through April, the numbers have risen each of the past eight months, according to U.S. Customs and Border Protection (CBP).

Meanwhile, the debate continues: Build a physical wall spanning from the Gulf of Mexico to the Pacific Ocean, add more Border Patrol agents or combine better physical barriers with technology to stop drug trafficking, smuggling and illegal immigration?

Increasingly, however, it’s clear no one solution is right for everyplace. Ron Vitiello, acting deputy commissioner at CBP, said the agency intends to expand on the existing 652 miles of walls and fencing now in place – but not necessarily extend the wall the entire length of the border.

“We’re going to add to fill some of the gaps we didn’t get in the [previous] laydown, and then we’re going to prioritize some new wall [construction] across the border in places where we need it the most,” he said in a Jan. 12 TV interview.

Walls and barriers are a priority, Vitiello said in December at a CBP press conference. “In this society and all over our lives, we use walls and fences to protect things,” he said. “It shouldn’t be any different on the border.…  But we’re still challenged with access, we’re still challenged with situational awareness and we’re still challenged with security on that border. We’re still arresting nearly 1,000 people a day.

“So we want to have more capability: We want more agents, we want more technology and we want that barrier to have a safer and more secure environment.”

Among the needs: Relocatable Remote Video Surveillance Systems (R-RVSS) that can be picked up and moved to where they’re needed most as border activity ebbs and flows in response to CBP’s border actions.

CBP mapped its fencing against its 2017 apprehension record in December (see map), finding that areas with physical fencing, such as near the metropolitan centers of San Diego/Tijuana, Tucson/Nogales and El Paso/Juarez are just as likely to see illegal migration activity as unfenced areas in the Laredo/Nueva Laredo area.

[Map: CBP fencing overlaid on 2017 apprehensions, showing fenced areas with migration activity comparable to unfenced areas. Source: U.S. Customs and Border Protection]

Rep. Will Hurd (R-Tex.), vice chairman of the House Homeland Security subcommittee on Border and Maritime Security, is an advocate for technology as both a complement to and an alternative to physical walls and fences. “A wall from sea to shining sea is the least effective and most expensive solution for border security,” he argued Jan. 16. “This is especially true in areas like Big Bend National Park, where rough terrain, natural barriers and the remoteness of a location render a wall or other structure impractical and ineffective.”

CBP has successfully tested and deployed video surveillance systems to enhance situational awareness on the border and help Border Patrol agents track and respond to incursions. These RVSS systems use multiple day and night sensors mounted on poles to create an advance warning and tracking system identifying potential border-crossing activity. Officers can monitor those sensor feeds remotely and dispatch agents as needed.

Savvy smugglers are quick to adjust when CBP installs new technologies, shifting their routes to less-monitored areas. The new, relocatable RVSS systems (R-RVSS) make it easy for CBP to respond in kind, forcing smugglers and traffickers to constantly adapt.

Robert Gilbert, a former Border Patrol sector chief at CBP and now a senior program director for RVSS at systems integrator General Dynamics Information Technology (GDIT), says relocatable systems will empower CBP with new tools and tactics. “Over the past 20 or 30 years, DOJ then CBP has always deployed technology into the busiest areas along the border, the places with the most traffic. In reality, because of the long procurement process, we usually deployed too late as the traffic had shifted to other locations on the border. The big difference with this capability is you can pick it up and move it to meet the evolving threat. The technology can be relocated within days.”

GDIT fielded a three-tower system in CBP’s Laredo (Texas) West area last summer and a similar setup in McAllen, Texas, in December. The towers – set two to five miles apart – were so effective, CBP is now preparing to buy up to 50 more units to deploy in the Rio Grande sector, where the border follows the river through rugged terrain. There, a physical wall may not be viable, while a technology-based virtual wall could prove highly effective.

Each tower includes an 80-foot-tall collapsible pole that can support a sensor and communications payload weighing up to 2,000 pounds. While far in excess of current needs, it provides a growth path to hanging additional sensors or communications gear if requirements change later on.

When CBP wants to move the units, poles are collapsed, sensors can be packed away and a standard 3/4- or 1-ton pickup truck can haul it to its next location.

Roughly two-thirds of the U.S.-Mexico border runs through land not currently owned by the federal government, a major hurdle when it comes to building permanent infrastructure like walls or even fixed-site towers. Land acquisition would add billions to the cost even if owners agree to the sale. Where owners decline, the government might still be able to seize the land under the legal procedure known as eminent domain, but such cases can take years to resolve.

By contrast, R-RVSS requires only a temporary easement from the land owner. Site work is bare bones: no concrete pad, just a cleared area measuring roughly 40 feet by 40 feet. It need not be level – the R-RVSS system is designed to accommodate slopes up to 10 degrees. Where grid power is unavailable – likely in remote areas – a generator or even a hydrogen fuel cell can produce needed power.

What’s coming next
CBP seeks concepts for a Modular Mobile Surveillance System (M2S2) similar to RVSS, which would provide the Border Patrol with an even more rapidly deployable system for detecting, identifying, classifying and tracking “vehicles, people and animals suspected of unlawful border crossing activities.”

More ambitiously, CBP also wants such systems to incorporate data science and artificial intelligence to add a predictive capability. The system would “detect, identify, classify, and track equipment, vehicles, people, and animals used in or suspected of unlawful border crossing activities,” and employ AI to help agents anticipate their direction so they can quickly respond, and resolve each situation.

At the same time, CBP is investigating RVSS-like systems for coastal areas. Deploying pole-mounted systems would train their sensors to monitor coastal waters, where smugglers in small boats seek to exploit the shallows by operating close to shore, rather than the deeper waters patrolled by Coast Guard and Navy ships.

In a market research request CBP floated last June, the agency described a Remote Surveillance System Maritime (RSS-M) as “a subsystem in an overall California Coastal Surveillance demonstration.” The intent: to detect, track, identify, and classify surface targets of interest, so the Border Patrol and partner law enforcement agencies can interdict such threats.

Legislating Tech
Rep. Hurd, Rep. Peter Aguilar (D-Calif.) and a bipartisan group of 49 other members of Congress support the “Uniting and Securing America Act of 2017,” or “USA Act.” The measure includes a plan to evaluate every mile of the U.S.-Mexico border to determine the best security solution for each. After weeks of Senate wrangling over immigration matters, Sens. John McCain (R-Ariz.) and Chris Coons (D-Del.) offered a companion bill in the Senate on Feb. 5.

With 820 miles of border in his district, Hurd says, few in Congress understand the border issue better than he – or feel it more keenly.

“I’m on the border almost every weekend,” he said when unveiling the proposal Jan. 16. The aim: “Full operational control of our border by the year 2020,” Hurd told reporters. “We should be able to know who’s going back and forth across our border. The only way we’re going to do that is by border technologies.” And in an NPR interview that day, he added: “We should be focused on outcomes. How do we get operational control of that border?”

The USA Act would require the Department of Homeland Security to “deploy the most practical and effective technology available along the United States border for achieving situational awareness and operational control of the border” by Inauguration Day 2021, including radar surveillance systems; Vehicle and Dismount Exploitation Radars (VADER); three-dimensional, seismic acoustic detection and ranging border tunneling detection technology; sensors, unmanned cameras, drone aircraft and anything else that proves more effective or advanced. The technology is seen as complementing and supporting hard infrastructure.

Unpleasant Design Could Encourage Better Cyber Hygiene

Recent revelations that service members and intelligence professionals are inadvertently giving up their locations and fitness patterns via mobile apps caught federal agencies by surprise.

The surprise wasn’t that Fitbits, smartphones or workout apps try to collect information, nor that some users ignore policies reminding them to watch their privacy and location settings. The real surprise is that many IT policies aren’t doing more to help stop such inadvertent fitness data leaks.

If even fitness-conscious military and intelligence personnel are unknowingly trading security and privacy for convenience, how can IT security managers increase security awareness and compliance?

One answer: Unpleasant design.

Unpleasant design is a proven technique for using design to discourage unwanted behavior. Ever get stuck in an airport and long for a place to lie down — only to find every bench or row of seats is fitted with armrests? That’s no accident. Airports and train terminals don’t want people sleeping across benches. Or consider the decorative metalwork sometimes placed on urban windowsills or planter walls — designed expressly to keep loiterers from sitting down. It’s the same with harsh lights in suburban parking lots, which discourage people from hanging out and make it harder for criminals to lurk in the shadows.

As federal IT security leaders and their counterparts in other agencies investigate these inadvertent disclosures, can they employ those same concepts to encourage better cyber behavior?

Here’s how unpleasant design might apply to federally furnished Wi-Fi networks: Rather than grant access with only a password, users might be required to have their personal and Internet of Things (IoT) devices pass a posture check that enforces certain security settings. That check could include ensuring location services are disabled while such devices are connected to government-provided networks.

Employees would then have to choose between the convenience of free Wi-Fi for personal devices and the risks of inadequate operations security (OPSEC) via insecure device settings.

This of course, only works where users have access to such networks. At facilities where personal devices must be deposited in lockers or left in cars, it won’t make a difference. But for users working (and living) on installations where personnel routinely access Wi-Fi networks, this could be highly effective.

Screening – and even blocking – certain apps or domains could be managed through a cloud access security broker (CASB), a policy enforcement point that sits between users and cloud services and can enforce locally set rules governing apps that actively use location data or pose other security risks. Network managers could allowlist acceptable apps and settings, while blocking those deemed unacceptable. If agencies already do that for their wired networks, why not for wireless?
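As an added example of the screening described above, this Python sketch evaluates a device’s self-reported posture against a Wi-Fi admission policy and returns allow, quarantine (a restricted network that serves only a remediation page telling the user what to fix) or deny, and shows the kind of domain suffix match a proxy or CASB layer would use to block upload or telemetry endpoints. It is illustrative code written for this article, not any agency’s NAC or CASB product; the report format, the allowed and blocked app names, the minimum OS versions and the .example domains are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical admission policy, constructed for this example.
ALLOWED_APPS = {"mail", "calendar", "maps"}
BLOCKED_APPS = {"fitness-tracker"}            # the app class the article discusses
MIN_OS: Dict[str, Tuple[int, ...]] = {"ios": (16, 0), "android": (13, 0)}  # assumed minimums
BLOCKED_DOMAIN_SUFFIXES = ("telemetry.example", "fitness-upload.example")  # .example is reserved


@dataclass
class DeviceReport:
    device_id: str
    os_version: str            # "<platform>-<major>.<minor>", e.g. "ios-16.2" (assumed format)
    location_services: bool    # system-wide location services switch
    apps: Dict[str, dict]      # app -> {"location_access": "always"|"when_in_use"|"never"}


@dataclass
class Decision:
    action: str                # "allow", "quarantine" or "deny"
    reasons: List[str] = field(default_factory=list)


def parse_os(s: str) -> Tuple[str, Tuple[int, ...]]:
    name, _, ver = s.partition("-")
    try:
        return name, tuple(int(x) for x in ver.split("."))
    except ValueError:
        return name, ()        # an unparseable version sorts below any minimum


def evaluate(report: DeviceReport) -> Decision:
    reasons: List[str] = []
    if report.location_services:
        reasons.append("location services enabled")
    name, ver = parse_os(report.os_version)
    if name not in MIN_OS or ver < MIN_OS[name]:
        reasons.append(f"unsupported or outdated OS {report.os_version}")
    for app, attrs in report.apps.items():
        if app in BLOCKED_APPS:
            reasons.append(f"blocked app {app}")
        elif app not in ALLOWED_APPS:
            reasons.append(f"unapproved app {app}")
        elif attrs.get("location_access", "never") == "always":
            reasons.append(f"{app} has background location access")
    if not reasons:
        return Decision("allow")
    # A platform we cannot vouch for is denied outright; anything the user can fix in
    # settings lands in a quarantine VLAN that serves only a remediation page.
    if any(r.startswith("unsupported") for r in reasons):
        return Decision("deny", reasons)
    return Decision("quarantine", reasons)


def domain_blocked(host: str) -> bool:
    """Suffix match the proxy/CASB layer applies to drop upload or telemetry domains."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in BLOCKED_DOMAIN_SUFFIXES)


if __name__ == "__main__":
    r = DeviceReport("phone-1", "ios-16.2", True,
                     {"fitness-tracker": {"location_access": "always"}})
    print(evaluate(r))
```

The design choice worth noting is that a self-reported posture can be falsified by a rooted or modified device, so on its own this is friction, not enforcement. That is exactly what the article proposes: making the insecure default inconvenient. Where real assurance is needed, the same policy should be fed by a managed-device (MDM) agent or by 802.1X certificate enrolment rather than by the device’s own claims.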

Inconvenient? Absolutely. That’s the point.

IT security staffs are constantly navigating the optimal balance between security and convenience. Perfect security is achievable only when nothing is connected to anything else. Each new connection and additional convenience introduces another dent in the network’s armor.

Employing cloud-access security as a condition of Wi-Fi network access will impinge on some conveniences. In most cases, truly determined users can work around those rules by using cellular data instead. But in many parts of the world, and especially in the places where the need for OPSEC is greatest, that access comes with a direct cash cost. When users pay for data by the megabyte, they’re much more likely to give up some convenience, check security and privacy settings, and limit their data consumption.

This too, is unpleasant design at work. Cellular network owners must balance network capacity with use. Lower-capacity networks control demand by raising prices, knowing that higher priced data discourages unbridled consumption.

Training and awareness will always be the most important factors in securing privacy and location data, because few users are willing to wade through pages-long user agreements to discover what’s hidden in the fine print and legalese they contain. More plain language and simpler settings for opting in or out of certain kinds of data sharing are needed – and app makers must recognize that failing to heed such requirements only increases the risk that government steps in with new regulations.

But training and awareness only go so far. People still click on bad links, which is why some federal agencies automatically disable them. It makes users take a closer, harder look and think twice before clicking. That too, is unpleasant design.

So is requiring users to wear a badge that doubles as a computer access card (as is the case with the Pentagon’s Common Access Card and most Personal Identity Verification cards). Yet, knowing that some will inevitably leave the cards in their computers, such systems automatically log off after only a few minutes of inactivity. It’s inconvenient, but more secure.

We know this much: Human nature is such that people will take the path of least resistance. If that means accepting security settings that aren’t safe, that’s what’s going to happen. Interrupting that convenience and turning it on its head by means of Wi-Fi security won’t stop everyone. But it might have prevented Australian undergraduate Nathan Ruser – and who knows who else – from identifying the regular jogging routes of military members (among other examples) from Strava’s own heat map, built from the 13 trillion GPS points the company collected from its users.

“If soldiers use the app like normal people do,” Ruser tweeted Jan. 27, “it could be especially dangerous … I shouldn’t be able to establish any pattern of life info from this far away.”

Exactly.

Strategy, Tools and Training: Three Keys to Cyber Defense

A piecemeal approach to cybersecurity overly focused on tools, automation and training without an underlying strategy cannot hope to succeed against the constant threats and attacks federal systems face today, information technology leaders say.

Yet most agencies do not have comprehensive cyber strategies in place, according to a Brookings Institution study of federal agency strategic plans. “[T]he focus on cybersecurity is abysmal,” Brookings found. “Half of the federal agency strategic plans make no mention of cybersecurity, and less than one quarter of IT objectives make any mention of efforts to secure IT systems.”

At the Department of Energy, however, a comprehensive cyber strategy has been in place for a year and a half, providing for “a transparent, inclusive, and collaborative governance process” across the agency, said Michael Johnson, the agency’s chief information officer. Speaking at MeriTalk’s Cybersecurity Brainstorm Sept. 13 in Washington, D.C., Johnson said the strategy guides investment decisions and organizational requirements, for “both information sharing – which is enabling the mission – and information safeguarding – which is protection and guarding the mission.”

Energy’s plan covers everything “from the very mundane, standard things like multifactor authentication, all the way through cyber research and development,” he said. The framework includes specific operational details and a big-picture vision, and is used to prioritize and distribute funding where it’s needed most.

“If we get one more dollar, we already know where we need to invest that and where we need to go with that,” said Johnson, whose networks support 120,000 people and 17 national labs. Driven by this strategy, “we can focus broadly as an enterprise on making sure we are advancing where we need to go.”

The Department of Homeland Security has taken a similar approach, developing what Chief Information Security Officer Jeff Eisensmith calls the Cybersecurity Capability Maturity Model as a means of assessing cybersecurity capabilities and prioritizing actions and investments across its networks and the 300,000 accounts they support.

The model helps analyze existing capabilities versus likely threats, enabling the agency to plan spending accordingly, he said. “We can look at what are the gaps we have, what are the capabilities we have, what are the threats coming at us,” he explained. “Then I can look at the very next dollar and where do I need to spend it to cover my exposure.”

The agency is also using the model to demonstrate the effectiveness of investment in order to show return on investment to funding committees in Congress. “That’s a big piece of what we’re pushing this year,” he said.

The Kill Chain Approach
At the Defense Information Systems Agency, cyber strategists have organized their planning efforts by looking at the cyber kill chain, defenses along that kill chain and actual threats, and then highlighting which capabilities proved effective against those known threats.

This model, the cyber kill chain popularized by Lockheed Martin, breaks an intrusion into seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The sooner in the kill chain the attack can be disrupted, the less damage an adversary can inflict. The key is to focus on solutions that stop threats as far “to the left,” or earlier in the kill chain, as possible, said DISA Infrastructure Development Executive Jack Wilmer.

Applying this principle to events has yielded practical improvements across both DISA and the Department of Defense, Wilmer said. “As we looked at that cyber kill chain, as we looked at some of the known threats, we were able to come up with, let’s say, five threats that right now we didn’t really have good defenses against,” Wilmer said.

The approach has also helped the agency identify duplication of effort. “You may have originally bought two tools to counter two different threats,” he said. But over time, those products evolve. “Generally both of those tools are adding in other features all the time, and a lot of times you will end up with two tools that really do similar things,” Wilmer said.

“There is never quite enough money to cover everything we would love to do, so that is why we do focus on anywhere we find duplication, to be able to shut some of those capabilities down and reinvest in some of those more important gaps,” he said.
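An added example, not DISA’s or DHS’s tooling, of the analysis Wilmer describes: map each tool’s detections onto kill-chain stages, find the left-most stage at which each known threat is stopped, list threats with no coverage at all (the “five threats we didn’t really have good defenses against”), and flag tools whose coverage is wholly contained in another tool’s so they are candidates for retirement. The tool names, technique labels and threat chains are constructed for illustration and do not describe any real product.

```python
from typing import Dict, List, Optional, Set, Tuple

# Lockheed Martin kill chain, left to right.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
STAGE_INDEX = {s: i for i, s in enumerate(KILL_CHAIN)}

Step = Tuple[str, str]  # (technique, stage)

# Constructed tool inventory: what each tool can detect or block. Names are hypothetical.
TOOLS: Dict[str, Set[Step]] = {
    "mail-gateway": {("phishing_attachment", "delivery"), ("phishing_link", "delivery")},
    "web-proxy":    {("phishing_link", "delivery"), ("http_beacon", "command_and_control")},
    "edr":          {("macro_exec", "exploitation"), ("persistence_service", "installation"),
                     ("http_beacon", "command_and_control"),
                     ("credential_dump", "actions_on_objectives")},
    "legacy-av":    {("macro_exec", "exploitation"), ("persistence_service", "installation")},
    "netflow":      {("http_beacon", "command_and_control"),
                     ("dns_tunnel", "command_and_control")},
}

# Constructed known threats, each an ordered chain of steps.
THREATS: Dict[str, List[Step]] = {
    "phish-macro-beacon": [("phishing_attachment", "delivery"), ("macro_exec", "exploitation"),
                           ("persistence_service", "installation"),
                           ("http_beacon", "command_and_control"),
                           ("credential_dump", "actions_on_objectives")],
    "usb-drop-dns":       [("usb_autorun", "delivery"), ("lnk_exec", "exploitation"),
                           ("dns_tunnel", "command_and_control")],
    "waterhole-0day":     [("drive_by", "delivery"), ("browser_0day", "exploitation"),
                           ("tls_beacon", "command_and_control")],
}


def coverage(tools: Dict[str, Set[Step]]) -> Set[Step]:
    """Union of everything the current tool set can catch."""
    return set().union(*tools.values()) if tools else set()


def first_stop(steps: List[Step], cov: Set[Step]) -> Optional[str]:
    """Left-most stage at which some control catches the threat, or None if nothing does."""
    for step in sorted(steps, key=lambda s: STAGE_INDEX[s[1]]):
        if step in cov:
            return step[1]
    return None


def gap_report(threats=THREATS, tools=TOOLS) -> Dict[str, Optional[str]]:
    cov = coverage(tools)
    return {name: first_stop(steps, cov) for name, steps in threats.items()}


def uncovered(threats=THREATS, tools=TOOLS) -> List[str]:
    """Threats that reach actions-on-objectives with no control in the way."""
    return [n for n, stage in gap_report(threats, tools).items() if stage is None]


def redundant_tools(tools=TOOLS) -> List[Tuple[str, str]]:
    """(a, b) pairs where everything tool a does, tool b also does."""
    pairs = []
    for a, ca in tools.items():
        for b, cb in tools.items():
            if a != b and ca <= cb and (ca < cb or a < b):
                pairs.append((a, b))
    return pairs


def simulate_removal(tool: str, threats=THREATS, tools=TOOLS) -> Dict[str, Optional[str]]:
    """Gap report if `tool` were retired, to confirm nothing is lost before reinvesting."""
    return gap_report(threats, {k: v for k, v in tools.items() if k != tool})


if __name__ == "__main__":
    print(gap_report())
    print("uncovered:", uncovered())
    print("redundant:", redundant_tools())
    print("without legacy-av:", simulate_removal("legacy-av"))
```

Read against the constructed data, the report says the phishing chain is stopped at delivery (good, far left), the USB chain is not caught until command and control (late, but caught), and the watering-hole chain is never caught, which is the gap to fund; and legacy-av adds nothing the EDR does not already cover, so retiring it frees money without changing the report.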

At DHS, Eisensmith calls the kill chain analysis “really one of the best metrics you have,” citing its ability to describe an attack in fine detail.

“What is the sophistication of the adversary and how well are they doing as they come at you?” he said. Using kill chain analysis, “you can begin to get metrics that say ‘I have a vulnerability that is systemic in the following links,’ and then you chase that down to what is the cause. That’s when you can say either the product I have is not doing a good job, or I need training, or some other investment has to occur.”

Both DHS and the Defense Department use score cards to measure security and effectiveness, focusing on metrics to demonstrate performance. “If you don’t do well on that scorecard, it’s a guaranteed trip before Congress where you’re going to have to explain why you’re not doing so well,” Eisensmith said.

The new tools
Among government information security managers, investment in training is seen as a top priority, noted Stan Tyliszczak, chief engineer with General Dynamics Information Technology. Citing a new MeriTalk study, Tyliszczak noted that “across the board, pretty much everybody believes one of the biggest bangs for the buck in cyber investment is training.”

Indeed, the study found that respondents believed 43 percent of security breaches could have been prevented with better training. And 57 percent cited training as the most important investment their agency could make in protecting information networks.

Wilmer outlined DISA training initiatives supporting the entire Defense Department. Among the newest initiatives, he said, is a daily cyber security question posed to users when they log in. The system keeps score and, if users answer too many questions incorrectly, they are directed to mandatory training. The agency also sends its own simulated phishing emails, forcing anyone who clicks on the fake links to submit to mandatory training before they can log on to their own computers at work.

At Energy, Johnson said, cyber operators are given intense two- to three-day training and then take part in exercises “in a game like environment,” to test those skills. “We require people to basically solve puzzles and compete against each other,” he said.

Just as important – or possibly more so – is a new executive and management level cyber training program Energy began rolling out this year. “One of the major limitations we found is that you can train your workforce and you can train your operators on common toolstack, but what often gets lost is your business owners understanding what cyber is, why it impacts their mission, why they should be investing in cyber,” Johnson said of what he calls “the Cyber 201 level” of training. “What’s a SQL injection attack? Why should you care? That’s been highly effective, as well.”

Asked by Tyliszczak to describe the weak point in cyber training, Eisensmith said it was people. “The most dangerous part of any environment is the wet ware,” he said. “We all know what firmware and hardware is, right? The wet ware is the human beings sitting in front of a terminal.” Increasingly sophisticated spear-phishing training is one response, as is the use of sandbox technologies that protect against inadvertent launches of malware by employees. Combining education with those technologies helps increase awareness among employees, he said.

“It’s no longer a good bet to think that our users will not be fooled by a really well crafted spear-phishing attack,” Eisensmith said. Planners must assume users will be fooled and build in protections that will guard against mistakes. “We have to put some underlying technical solutions in the environment,” he said. IT needs to take a closer look at sandboxing, hypervisors and similar technologies that can defend systems automatically. When users make poor choices, “you have to have a mechanism down there to catch it.”

Automated tools should, in turn, generate insights that help improve systems over time, so that systems can defend and heal themselves. “We have to change the paradigm,” he said.

Darlene Renee Tarun, deputy director of the National Security Agency’s Cyber Task Force, speaking in a separate panel, agreed. IT leaders here are responding to the growing realization that humans will always be the weak link in the security chain. No matter how well trained, “the known, trusted inside users sometimes do things accidentally that essentially open us up to vulnerability,” Tarun said. “That is going to be a big area of research: How we solve that human frailty problem.”

As automation and tools evolve, procurement delays can get in the way of rapid adoption. Bad actors devise new attacks and schemes faster than the government can acquire tools to stop them.

Wilmer said this remains “one of the most challenging things” planners face. “It is very easy to bring something into a lab, test it out, kick the tires,” he said. “But then we start on a potential multi-year procurement process for something that is a need right now.”

Eisensmith sees the government’s Continuous Diagnostics and Mitigation (CDM) Program as part of the solution. Cyber tools approved under CDM are readily available to agencies and can be acquired under a Blanket Purchase Agreement (BPA). There’s no need to go through a lengthy procurement process. Updates to those tools and systems can also be easily acquired. “So my security workforce is actually doing security,” Eisensmith said. “And not doing procurement.”

To Do Agile Development, Contractors Should Be Agile, Too

Do it faster, make it better, be more efficient.

Every organization wants to improve. But knee deep in the day-to-day business of getting work done, few have the capacity to step back, survey the landscape and take time for more than incremental improvement.

Today however, more and more government agencies are turning to private sector models to achieve better results.

They’re employing agile development techniques to roll out new systems more quickly; setting up innovation centers to encourage and facilitate new ways of thinking; and seeking ways to change the procurement process to lower barriers to innovation. Each approach has proven its merit in practice.

Going Agile
Agile software development emphasizes quick iterative development cycles, in which developers roll out and then improve one version after another, learning as they go, rather than striving for perfection at the end of a single, long development cycle. Agile has been a mainstay in commercial industry for years, but it’s still a relatively new concept in government. To be successful, agile demands changes on all sides of the government acquisition process.

The American Council for Technology & Industry Advisory Council (ACT-IAC) hosted an annual Igniting Innovation competition last spring, in which 140 public-private entries vied for recognition. Among the eight finalists: InCadence Strategic Solutions, which employed agile methodologies to develop a mobile fingerprint ID system for the FBI, allowing field agents to capture fingerprints on Android smartphones and tablets and then “receive near-real time identity information on a suspect, wherever they have cellular service or WiFi access to the Internet, worldwide.”

“Agile brings us closer to the end user,” says Anthony Iasso, InCadence president. “That’s really the key: It’s about users. Oftentimes, we find there’s too many people between developers and end users. Adhering to agile allows us to quickly get to the functionality that the end user needs. It reduces the risk that a long-running program misses the mark.”

Adding engineers to the mix is also important, Iasso notes. “You have to pair agile with V1 engineers. They can go to an empty compiler and make version 1 of an application. If you let them learn as they code, then you get great capabilities,” he said.

Now the system is being marketed to state and local law enforcement, along with the military.

When the EPA decided it was finally time to replace paper forms with a digital system for evaluating firms seeking approval to remediate lead-based paint from aging buildings, developers at contractor CGI shaved months off the project by employing agile development. The whole thing was done in six months, a 20 to 30 percent reduction versus a conventional waterfall approach.

That meant EPA needed to be actively involved, observes Linda F. Odorisio, a vice president at CGI. “If you want to do it and you want to do it right, you have to be right in there at the same table with your sleeves rolled up.”

Center for Agile Innovation
The state of North Carolina’s Innovation Center is essentially a laboratory for agile development. “Before we had the center, practically all projects appeared to be waterfall in nature,” says Eric Ellis, head of the Innovation Center. “We maybe had one or two trying to do agile methodology.”

But one goal for the new center was to conduct proof-of-concept studies to test out new systems as they were being developed.

For example, a new application and renewal system for commercial fishing licenses was developed with agile techniques, saving the state $5 million in development costs.

“We would have gotten there [without agile], but it would have taken us longer and cost us more money,” says state Chief Information Officer Keith Werner. “I had reservations that they wouldn’t have gotten the functionality they were looking for.”

Innovation centers are not without risk. Separate from the rest of an organization, they can be seen as disconnected or elitist, creative experts focused on innovating but disconnected from the real business of government.

“If you create an innovation group then they’re seen as the innovation group,” says Ellis. “The rest of the people, who aren’t in the innovation group, don’t feel compelled to innovate.”

To guard against that, the North Carolina Innovation Center, located on the first floor of the state’s Department of Environment and Natural Resources HQ, has no full-time resources of its own. The idea is to create an open environment that can change as needs change. Even its office space is flexible, easily reconfigured to encourage open-space interactions, so ideas can be demonstrated with little fuss.

Agile Contracting
Changing the software development process alone is not enough, says Michael Howell, senior director of the Institute for Innovation and Special Projects at ACT-IAC. The contracting piece also has to change.

“You can’t say I want to be agile, so here’s what I’m going to do: ‘I’m going to put a request in my 2018 budget and wait and see if I get any money,’” Howell says. “It doesn’t work. They have to have flexibility to come up with the money. Then they have to have flexibility … to actually spend the money.”

Bob Gleason, director of the Division of Purchases and Supplies in the Virginia Department of General Services, says conventional procurement practices focus on known solutions and avoid unknowns, which add risk and uncertainty to programs.

Traditional requests for proposals define in specific detail exactly what is wanted, and suppliers respond in kind. “It gives you what it is you’re looking for,” Gleason says. “But there’s no incentive for any added value.”

It’s better, he said, to focus on the desired outcome, rather than on the detailed requirements intended to produce that same result, and to invite industry to offer innovative solutions the government customer may not have imagined on its own.

Contracts also must be flexible so vendors can improve their products or services over time, as they learn. Otherwise, vendors can be contractually locked into inefficient systems and approaches.

“You need to have a contract that’s not structured in fixed points in time, but is structured in a way that enables change over the life of the agreement,” Gleason says.

Managing Risk
“Part of the challenge we have as integrators is not just coming up with that new capability,” but also making sure that contracting officers’ technical advisors are well informed so they have the ability to compare very different proposals, says David Gagliano, chief technology officer for global solutions at General Dynamics Information Technology. Innovation inevitably involves risk, and contracting officials are trained to be risk-averse. Selection based on price is clear and straightforward in a way that value comparisons are not. So acquisition officers need skills to evaluate the benefits of different technical proposals and the confidence to take on reasonable amounts of risk.

“Two years ago, the government published the ‘TechFAR Handbook for Procuring Digital Services Using Agile Processes,’” Gagliano says. “It’s a pretty good starting point for contracting officers and their technical representatives who want to learn more about Best Practices in Agile procurement.”

“People don’t want government to fail at all,” says Darrell West, director of the Center for Technology Innovation at the Brookings Institution. “When government fails, it often ends up on the front page. The private sector model of failing nine times to have that initial success has been difficult to incorporate in the public sector.”

So to accept failure, the threshold must be low enough that risk can be tolerated. Pilot programs and related short-term, proof-of-concept contracts can lower risk by reducing the amount of money at stake. West contends they can “encourage innovation while protecting against large-scale failures.”

The Defense Department’s DIUX initiative, which brings together venture capital firms, small technology businesses and Pentagon technologists to accelerate the injection of new technologies into the department, exemplifies the approach. New concepts can be conceived and proven in a low-risk, small contract environment, independent of conventional contracting rules and schedules. Then, once the technology has matured to the point of a wider roll-out, bigger firms can compete for the right to manage that implementation.

In this case, government gets the best of both worlds: rapid-fire innovation from small firms unfettered by cumbersome acquisition rules followed by a managed implementation by experienced contractors steeped in the intricacies of doing business with large-scale government organizations.
