nextgov

How A Small Group Of Entrepreneurs Transformed Government Services

[Commentary] Presidential administrations since Roosevelt have faced varied and vexing challenges, domestic and abroad, that forced them to recognize the need to venture outside their comfortable circles of party loyalists, campaign volunteers and policy advisers to tap into the expertise of those not already working in government.

President Barack Obama started with his own White House, recruiting Internet-savvy entrepreneurs to serve as chief technology officer (me), chief performance officer (Jeff Zients), chief information officer (Vivek Kundra) and director for social innovation (Sonal Shah), among other senior positions. And he directed his Cabinet to do the same.

More than 50 other entrepreneurs would fill senior roles, reporting directly to department and agency heads, and tasked with applying technology and innovation to advance that agency’s mission. The participants brought a wide range of experience.

The entrepreneurs who joined the government brought more than their respective skill sets. Many also brought a different way of working, one with its roots in Silicon Valley and its fertile field of technology startup companies. Eric Ries, an entrepreneur, adviser and author who had moved to that area in 2001, called that philosophy and methodology “lean startup.”

[Chopra served as chief technology officer of the United States and is now founder of Hunch Analytics]

State Needs Smartphones for The World Cup, The Pan Am Games And The 2016 Olympics

The State Department wants Samsung Galaxy S4 smartphones to use at the 2014 Brazil World Cup, the 2015 Pan American Games in Toronto, and the 2016 Rio de Janeiro Summer Olympics, according to contracting documents.

The phones need to have 3G and 4G mobile capabilities. They also need a good map app (to get around foreign cities, presumably) and videoconferencing (to capture and relay the action back home).

“Extensive research was done to find a phone that is compatible with both applications and can be used in both Brazil and Canada,” the solicitation said.

The Galaxy S4 was chosen partly for its antennae, which are compatible with 3G networks in both nations. But anything that’s exactly the same as the Galaxy S4 will do, according to the solicitation, which requests this model “or equal.”

The Death of the Federal Snow Day?

Mobile work is dramatically changing the federal workplace -- effectively moving some federal offices from a place where employees go to work to a place where they go to share ideas.

That was the theme of Mobile Work Exchange’s spring Town Hall Meeting in April, where the General Services Administration and other agencies talked about a workplace transformation that brings together concepts like telework, human resources, facilities management and information technology to improve employee engagement and collaboration and also reduce agency spending in areas such as real estate.

For GSA, which in early 2014 unveiled its 1800 F headquarters building that features open, collaborative workspace, the total workplace transformation has not only positioned the agency as a more appealing place to work among young employee recruits, it also has led to the death of the federal snow day, said GSA Administrator Dan Tangherlini.

NIST Removes NSA-Tainted Algorithm From Cryptographic Standards

The National Institute of Standards and Technology has finally removed a cryptographic algorithm from its draft guidance on random number generators, more than six months after leaked top-secret documents suggested the algorithm had been deliberately sabotaged by the National Security Agency.

The announcement came as NIST opened to a final round of public comments its revised Special Publication 800-90a, which contains three algorithms now that the Dual Elliptic Curve Deterministic Random Bit Generator has been removed following negative feedback from the public.

According to documents leaked by former contractor Edward Snowden in September, NSA “became the sole editor” of Special Publication 800-90 and allegedly introduced weaknesses to the now-removed algorithm.

NIST responded swiftly to that news, recommending against using the standards and suggesting reopening them to public scrutiny in an effort to rebuild trust with the public.

BYOD Cost The Energy Department More Than Supplying Government Phones

Some Energy Department divisions were too liberal with stipends they paid contract employees under contractor-operated bring-your-own-device plans, an auditor has found.

As a result, the department sometimes compensated those contract employees more for supplying their own smartphones and tablets -- which were often loaded up with unlimited voice and data plans -- than it would have paid to give them government devices, Energy’s inspector general found.

Overall, Energy could save at least $2.3 million over three years by better handling how it buys and manages mobile devices, according to the IG report. In addition to not being strict enough about BYOD [bring your own device] policies, Energy spent $325,000 at eight separate locations on devices that were not used at all during the 2012 fiscal year, the report found.

Numerous other devices were underutilized during that time, according to the report. The department also failed to consolidate contracts with mobile carriers in order to benefit from economies of scale, the report found. The White House’s Office of Management and Budget has urged agencies to consolidate mobile contracts whenever possible as part of a government-wide digital strategy.

Government Employees Cause Nearly 60% Of Public Sector Cyber Incidents

About 58 percent of cyber incidents reported in the public sector were caused by government employees, according to an annual data breach report compiled by Verizon.

The findings -- stripped of identifying information -- do not mention ex-contractor Edward Snowden's mammoth leak of national secrets. Even if Snowden's leaks had been included in the tally of results attributed to insider threats, they wouldn't have made much of a dent.

Most (34 percent) of the insider incidents in the global public sector during the past three years were miscellaneous errors such as emailing documents to the wrong person. Unapproved or malicious use of data by public servants accounted for 24 percent of reported incidents. Surprisingly, cyberspying and intrusions via security holes in websites, known to be big problems in government, represented less than 1 percent of the situations reported.

The off-kilter numbers in government reflect mandatory reporting requirements for mundane incidents, Jay Jacobs, a Verizon senior analyst and co-author of the report, said. Small data leaks that happen every day overshadow frequent, but not daily, hacks.

How the IRS Is Leaving Your Financial Data Unprotected

The tax agency needs to better audit its own accounts, according to the Government Accountability Office.

GAO officials discovered that the Internal Revenue Service was not sufficiently monitoring databases for abnormal activity that could indicate a breach. They also found poor encryption on key agency systems. In addition, this is the seventh consecutive year the IRS has failed to patch security vulnerabilities that could compromise financial data, a review of GAO reports dating back to 2007 reveals.

"Serious weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data," Nancy Kingsbury, GAO managing director for applied research and methods, and Gregory Wilshusen, GAO director for information security issues, wrote in a new report.

The IRS did not apply critical patches in a timely fashion to multiple systems, including programs for procurement and email, the auditors said. In addition, the agency was running unsupported software on workstations and databases that developers are not even issuing security fixes for anymore. GAO officials also noticed that systems handling transfers of financial data were not configured to encrypt login information.

DHS Prepares Overhaul of Internal Security Operations

The Homeland Security Department announced future plans to overhaul an organization that defends DHS’ own internal networks.

A counter-hack mechanism called the intrusion defense chain, or “kill chain” -- developed by researchers at Lockheed Martin -- is expected to drive the revamp, according to DHS officials. A kill chain predicts an intruder’s attack plan and breaks it down into steps that must be taken to achieve the ultimate hack -- for instance, obtaining a map of the most critical US water plants from a DHS network. Operators then devise a countermeasure for each action that, if applied along any point in the chain, will thwart the criminal's plan.

The office of DHS Chief Information Security Officer Jeff Eisensmith is requesting security operation ideas, "including most notably the employment of an Intrusion Defense Chain methodology to 'align enterprise defensive capabilities to the specific processes an adversary undertakes to target that enterprise,'" stated a market research survey. The notice quotes a 2011 Lockheed paper. The potential plans also ask vendors how they would measure the effectiveness of the center, if given the management job. And officials want contractors to list staffing and facilities requirements DHS should consider.

Sometimes the Best Big Data Questions Raise The Biggest Privacy Concerns

One useful definition for the unstructured data that underlies most existing and theoretical big data projects is that it was often collected for some purpose other than what the researchers are using it for.

This definition points to the potential of big data analysis as more and more information is gathered online and elsewhere, but it also points to some challenges as outlined by Duncan Watts, a principal researcher at Microsoft’s research division.

First off, a large portion of the data that might be valuable to social scientists, policymakers, urban planners and others is held by private companies that release only portions of it to researchers. Facebook, Amazon, Google, email providers and ratings companies all know certain things about you and about society, in other words, but there’s no way to aggregate that data to draw global insights.

“Many of the questions that are of interest to social science really require us being able to join these different modes of data and to see who are your friends, what are they thinking and what does that mean about what you end up doing,” Watts said. “You cannot answer these questions in any but the most limited way with the data that’s currently assembled.”

Second, even if social scientists were able to draw on that aggregated data, it would raise significant privacy concerns among the public.

Finally, because much of the data that’s useful to social scientists was gathered for other purposes, there’s often some bias in the data itself, Watts said.

“When you go to Facebook, you’re not seeing some kind of unfiltered representation of what your friends are interested in,” he said. “What you’re seeing is what Facebook’s news ranking algorithm thinks that you'll find interesting. So when you click on something and the social scientist sees you do that and makes some inference about what you’re sharing and why, it’s hopelessly confounded.”

Is It Time To Make Cyber Jobs A National Imperative?

With research showing a vast shortage of skilled talent to fill cybersecurity jobs, it may be time for the United States to make cybersecurity a national imperative in much the same way it did with aerospace technology, nuclear science and biotechnology.

That’s according to Sam Visner, vice president and general manager of CSC Global Security, who said that while attention is being brought to the issue through programs like the National Initiative on Cybersecurity Education, or NICE, as well as the National Institute of Standards and Technology’s recent cybersecurity framework, not enough is being done or coordinated to truly make those efforts effective.

“We have uncoordinated initiatives, but not a national strategy coupled with a national program,” Visner said. “We have in the case of NICE a broad statement of policy but not what I would consider to be the level of programmatic strategy and resources to be a national imperative.”