Feds At The Edge by FedInsider
Want to know what the most brilliant minds in government and the technology industry are working on behind the scenes? The federal government is pouring thousands of man-hours and billions of dollars into cutting edge projects for the military, civilian agencies and the intelligence community. Get a front row seat to all of that innovation and more with our Feds at the Edge (FATE) podcast. Each episode of FATE features public and private officials who are changing the world with cutting edge technology. No topic is off limits or too technical for our guests to handle. Learn the inner workings of federal projects involving intelligence gathering, emergency management, modernization, artificial intelligence, cybersecurity, communications, encryption, cloud computing, robotics and much more. Don’t let FATE pass you by. Discover this exciting new podcast today!
info_outline
Ep. 146 The cyber wild west is still wild
04/25/2024
Ep. 146 The cyber wild west is still wild
When the United States expanded westward, there was a surprise around every corner; in a similar vein, we see unlimited storage, fast speeds, and artificial intelligence creating a technical “wild west” environment for the federal government. Instead of a posse of Texas Rangers, we have a group of federal experts who have demonstrated their ability to corral malicious code and prevent robbers from stealing you blind. Marisol Cruz Cain from the GAO highlights some of the unpublicized aspects of AI. She mentions that its ability to rewrite code can make attribution difficult. In other words, AI can allow malicious code to mutate frequently, preventing any signature identification. Although the federal government has many cyber compliance requirements, the idea of using an independent group to attack a system was discussed. In the parlance of the cyber community, this is called a “red” team. They attack systems to see what weaknesses they can find. This effort can help address unanticipated weaknesses. One anticipated weakness that is sitting in the front of many is legacy systems. Paul Blahusch Dept of Labor recommends taking a prudent view of your system to see which ones are legacy and which have unique vulnerabilities. He suggests funds can be appropriated based on vulnerabilities. We are at a level where leaders may be confronted with cyber tools heaped upon cyber tools. JD Jack from Google suggests a practical approach called “security validation.” This gives leaders a report on what could happen in an attack. With this method, you look at the tools you have and find a way to evaluate them.
/episode/index/show/fedinsider/id/30980983
info_outline
Ep. 145 Breaking the System into Tiny Little Pieces: a DoD approach to Zero Trust and micro segmentation.
04/17/2024
Ep. 145 Breaking the System into Tiny Little Pieces: a DoD approach to Zero Trust and micro segmentation.
Tools | What to segment | floating data centers Four years ago, we needed to have panels define Zero Trust Architecture (ZTA). Today, the federal community recognizes the benefits of ZTA. That was the first hurdle; today, we have a panel that gives the “hows” of implementation, with a focus on micro-segmentation. When Angela Phaneuf worked at the US Army Factory called Kessel Run, they made themselves famous with innovation. Angela gives some practical tips on how to deploy ZTA. She explains that tools can assist in the move to micro-segmentation, however there are many. One approach that has worked for her is to assemble a catalog of tools that can help in a variety of environments. Dr. Cyril “Mark” Taylor shares with the audience his view of the priorities to accomplish change. He mentions policy first, culture, and finally, the technology itself. His experience with the military indicates that once a team has a well-defined goal, the transition can be made. For most of its recent history, the US Coast Guard has had to rely on slow satellite service. Captain Patrick Thompson informs the audience that today’s Coast Guard is looking at satellite service that can run as high as one hundred megabits per second (Mbps). Increased speed gives crews the ability to use more compute and storage at the edge – he calls today’s ships floating data centers. Sometimes, more data can lead to trouble. A system architect should know where micro-segmentation is a benefit. Dave Zukowski from Akamai suggests one looks at the risk profile of a system – just because they can does not mean they should be integrated.
/episode/index/show/fedinsider/id/30862018
info_outline
Ep. 144 Unlocking Modernization with AI Management: Meeting the Mission Imperative
04/10/2024
Ep. 144 Unlocking Modernization with AI Management: Meeting the Mission Imperative
Today we hear perspectives on how AI can assist federal agencies. Kevin Walsh from the GSA provides observations at several federal agencies; Pritha Mehra from the U.S. Post Office gives practical examples of deployment. The overriding consensus is that AI is not the panacea to solve all federal technology problems. However, it has promise but must be approached cautiously to use its power to meet your agency’s mission. Kevin Walsh from the GAO has seen his share of federal agency AI implementation. He has concluded that effectiveness varies from agency to agency. He cautions that one cannot paint with a broad stroke and update every legacy system using AI. There may be some systems that are not a suitable candidate for any kind of upgrade. Further, some systems need to be turned off. He suggests you consider evaluating the risks associated with AI, which include oversight, false information, and acknowledging how AI makes decisions. Pritha Mehra from the Post Office gives outstanding examples of how the Post Office is already using AI to improve service. They are looking at processing, the network, and supply chain issues. They are at a maturity level where they are looking at optimizing delivery time for packages through AI analyzing data. It sure looks like other agencies can look at guidelines from the GSA as well as success stories from the Post Office to glean ways to apply AI to improve their respective agency.
/episode/index/show/fedinsider/id/30764533
info_outline
Ep. 143 Generative AI in Government
04/04/2024
Ep. 143 Generative AI in Government
Every headline one reads sings the praises of Generative Artificial Intelligence; today’s interview showcases some successes and also, some aspects that federal users should be aware of. The discussion includes concepts like hallucinations, test beds, and establishing trust. When Chat GPT was released, there was an explosion of people lauding its benefits. Finally, one can vacuum up previous knowledge and present it in many formats. What has not been highlighted is that there can be serious glitches in this approach and produce narratives where Napoleon was part of the American Civil War. Sukhvinder Singh uses a common term in the field to define this. He calls it a “hallucination.” To prevent psychedelic experiences, Sukhvinder goes on to suggest one way to prevent these entertaining, but frustrating, results is to set up a test bed. That will allow federal leaders to experiment with data, try out governance processes, and gain a better understanding of cost. By now, it is well known in Generative AI that if you vary the prompt, you can vary the results of a query. These variations do nothing to assist a public-facing website like the TSA has. They seek Generative AI to provide repeatable operational responses. Generative AI is maturing fast. Listen to this discussion to see which use cases can make this innovative technology sustainable and trustworthy.
/episode/index/show/fedinsider/id/30679573
info_outline
Ep. 142 Facing the Challenges AI Poses
03/26/2024
Ep. 142 Facing the Challenges AI Poses
ChatGPT certainly has a great public relations department. It is portrayed as the answer to every conceivable problem for the beleaguered federal technology professional. Today, we sit down with a group of experts in what may be termed “Applied Artificial Intelligence.” We look at several aspects, including preparing your data for AI, the best applications for AI, and putting up guardrails to use AI safely. Mangala Kuppa from the Department of Labor indicates that every use case is unique. If one data set can yield valid results does not mean the results will be the same with another data set. In her experience, every use case will require you to do a bit more to ensure satisfactory results. Kurt Steege from Thundercat Technology catches the attention of the listener when he lists malicious code that has been enabled by AI. He refers to Dark Bard, Poison GPT, and Deep Fakes as examples of how malicious actors are using AI to attack. It is no wonder that the best tool to counter AI attacks is . . . AI itself. For example, an AI attack enables such speed that a human may not be able to stop it. Julian Zottl indicates that we may not have a choice to whether or not to use AI in defense. When the interview winds up, the participants agree that AI should be framed within a broader context of the technology system itself. Reliable & trusted results from AI are not just technical solutions. They include governance, alignment with agency goals, and accountability.
/episode/index/show/fedinsider/id/30546188
info_outline
Ep 141 Tapping into the Strategic Power of Data
03/20/2024
Ep 141 Tapping into the Strategic Power of Data
Years ago, federal leaders would dream of getting the terabytes of data. The mechanics of collecting and processing have been solved; few thought that we would have more computing power than trusted information. Today’s discussion focuses on some of the risks in storing, sharing, and analyzing data. One of the reasons for this concern is the data generated by machines. Questions are being asked about how that data is collected and the method of collection. Let us assume the data is clean, the next step is to protect and share it. Some will suggest there has been too much focus on protecting the network, the applications, and even the API instead of the data itself. Collaboration may not mean sharing everything in a data set. It is possible that in a record with one hundred fields, an analyst may only need two fields to accomplish the task. When it comes to analysis, Casey Johnson observes that it is difficult to detach from bias and let the data tell us what to do. Jeff Shilling from the National Cancer Institute suggests that we need people with an excellent statistical background combined with human deliberation to get valid results. Technology may have gotten ahead of our ability to use data strategically.
/episode/index/show/fedinsider/id/30465278
info_outline
Ep. 140 Letting in the Good Ones, keeping the Bad Ones out: Managing Access for Zero Trust
03/14/2024
Ep. 140 Letting in the Good Ones, keeping the Bad Ones out: Managing Access for Zero Trust
Multifactor Authentication | Active Directory | Access Brokers If one takes a cursory look at cybersecurity, one may conclude that Multifactor Authentication (MFA) may be the answer to cyber woes. That might have been true a couple of years ago, but malicious actors are adapting to every blockade put in their path. Today, we sat down with several identity management experts to get updated on current threats and best practices for reducing the attack surface for federal technology. MFA has a proven weak point. Researchers have discovered that when an individual leaves an MFA session the session can remain open, leaving opportunities for attackers. Even if MFA is performing flawlessly, we live in a dynamic world. People are changing constantly; systems must be designed to adapt to today’s rapid changes. MFA just isn’t robust enough to counter today’s threats. Deeper authentication must be considered. Active Directory is all pervasive in the commercial world as well as in government. Some estimates give it a 90% market share. Jay Bonci from the Air Force observes that systems architects must design systems to eliminate weaknesses of Active Directory. Andre Murphy from CrowdStrike describes a new concept called, “access brokers.” One can purchase identities much like shoes. This leads to attackers walking in the front door with no need to break any locks. In other words, there is no need for malicious code when you have the keys to the front door.
/episode/index/show/fedinsider/id/30378543
info_outline
Ep. 139 Data and AI are Driving HR Modernization
03/07/2024
Ep. 139 Data and AI are Driving HR Modernization
Mountains of data and Artificial intelligence are impacting every aspect of all federal agencies. Today, we examine the impact of technology innovation on modernization of human resources. Jason Nelson opens the discussion with some sobering facts. Who knew the TSA gets 200,000 job applications a year? If we assume two hundred workdays in a year, this means they manage 1,000 a day! Whoa. During the discussion, we saw three methods to use data & AI to help all federal agencies: improved evaluation, automation, and bots. Evaluation. Some agencies are taking the data they have been collecting to get away from the typical “check box” method of potential employee evaluation. They are using previous success rates of team members and deriving methods to apply that to new applications. Automation Shweta Agnihotri from ICF suggests that agencies can apply artificial intelligence to existing professionals to evaluate their skill sets to help underrepresented groups. This means that analysis can be done on core related functions, rather than traditional test-based evaluations. Bots It is unfortunate the releasing bots too early has made most people not see their value. Donald Bauer from the State Department gives examples where a bot can automate pre stage data for applicants. For example, artificial intelligence can review forms and see areas that are missing better than a human can. The conclusion is simple, when deployed within guidelines, artificial intelligence can offer improved accuracy in forms, better analysis of skills, and can free up time for higher level activities.
/episode/index/show/fedinsider/id/30272568
info_outline
Ep. 138 Barbarians at the Gate: Zero Trust, Active Directory, and what you need to know
03/01/2024
Ep. 138 Barbarians at the Gate: Zero Trust, Active Directory, and what you need to know
Ep. 138 Barbarians at the Gate: Zero Trust, Active Directory, and what you need to know Our panel today will focus on Microsoft’s Active Directory and identity management. Here is an executive summary of this week’s interview: barbarians at the gates and zombies in the basement. BARBARIANS. Everyone knows about the barbarians. Chris Roberts from Quest Public Sector indicates that there are ninety-four million attacks on Microsoft’s Active Directory every day. Active Directory is popular in both the commercial and the federal market as well. Members of the panel state that a strong identity management program will stop attackers in their tracks. When it comes to implementing Zero Trust, multi-factor authentication may not be sufficient. Some of today’s weaknesses include weak passwords, inactive accounts, overuse of admin accounts, and not de-provision of what you do not need. ZOMBIES One approach to making your agency resilient is to do backups, we know all that. What you do not know is that some backup systems omit Active Directory. This means that a malicious actor Can plant code in the Active Directory. Studies show that 92% of those backups are attacked. After an attack, the data is recovered—but the code can still be lurking in the Active Directory. According to Shawn Kingsbury from SAIC, third-party AD recovery apps are better than Microsoft’s. Further, please review those apps to make sure they have backups for AD included.
/episode/index/show/fedinsider/id/30186963
info_outline
Ep. 137 Who are you – and can you prove it? Identity and Access Management
02/22/2024
Ep. 137 Who are you – and can you prove it? Identity and Access Management
The federal government poses unique challenges in identity management. They are constrained by heavy security, a surfeit of data, and, most importantly, a limited budget. Today’s interview takes all three aspects into account and offers listeners creative solutions to solve the vexing crisis in federal identity management. One of the first concerns is mobility. This does not just apply to military operations which, by definition, will be all over the world. Today’s civilian agencies like FEMA have emergency remote users as well as many employees and contractors working remotely. The initial secure environment includes PKI processes that work well on a desktop system; now so much on a mobile. During the interview, it was suggested that a centralized model of identity verification may be the solution that can manage circumstances that do not include desktop computers. In a nod to the human condition, it was observed that if the identity solution is not convenient or will be subverted. SailPoint’s Frank Brugulio points out that once a stable initial process is designed, then one must worry about continuous monitoring. The federal government includes legacy systems that may not work with new identity management systems, and a person’s attributes may change, What the first federal systems designers never imagined is a fact brought out by James Imanian from CyberArk. He states that today, we must deal with forty-five machine identities for each human. When you throw all these factors together, you must understand that we are dealing with a limited budget and staff. Well deployed artificial intelligence can do menial tasks like recognizing unauthorized devices, advanced logging analytics, some sticky compliance issues.
/episode/index/show/fedinsider/id/30063843
info_outline
Ep. 136 Building a Better Case Management System
02/15/2024
Ep. 136 Building a Better Case Management System
Eliminate silos, simplify maintenance, and add agility. “Rube Goldberg” is a term that is used to describe a ridiculously complicated mechanism. One may apply that phraseology after a quick look at some federal systems. It only makes sense. Over the years systems have been customized to respond to a specific kind of workflow inherent in an individual case. Humans being humans, all think they are unique and radically different from any other system. After a couple of decades of this, you get case management systems that are siloed with unique methods of doing the same activity. In today’s interview, we will look at a new way to streamline the entire case management process to reduce cost, simplify maintenance, and be more responsive to changing needs. Jason Adolf from Appian unpacks the concept of modularity in case management systems. That way, users do not get bombarded with change and can adapt incrementally. A system that is low code no code makes it easier to adopt leading edge methods into the application when you are ready. Prem Abuvasamy has had to manage patches with disparate systems. His experience shows that a multi-vendor approach can result in multiple timetables for system patches. It is possible that the system administrator wants to patch but is limited by the vendor. Tedious reports can take advantage of a system that allows for code to be reused and applied to a variety of case management systems. This means that reports can be generated automatically, allowing federal technology leaders to concentrate on larger agency objectives. This is a valuable discussion on change management, even if you are not responsible for case management.
/episode/index/show/fedinsider/id/29969743
info_outline
Ep. 135 Identity – One Critical Element of CISA’s Zero Trust Maturity Models
02/08/2024
Ep. 135 Identity – One Critical Element of CISA’s Zero Trust Maturity Models
Transitioning to Zero Trust for any large enterprise, be it a federal agency or a car manufacturer, can be a herculean effort. Today’s interview is with three thought leaders who specialize in the critical component of Zero Trust: Identity. Each person has been involved in many large digital transformations and offers suggestions to help the journey be less painful. The focus is on automation, risk management, and changing while still accomplishing the agency's mission. Here is a quote from Josh Brodbent that sums up his position: “The ultimate goal here is to have security while enabling the mission “ Frank Briguglio from SailPoint asserts that to reach a mature level of Zero Trust, one must automate. It seems obvious, that automation can control visibility and tie all things together. However, his caveat is one needs to not go too far. If the automation is just machine-readable, the human element is out of the loop. Starting any project, if you are rebuilding a car engine or moving to Zero trust, you need to know where to start. Bill Proffer from Leidos suggests that a federal technology leader should start by understanding the risk appetite they have. When you know where sensitive data resides, you can start with easy controls, and then move on to the grey areas. Continuous maintenance is associated with software development these days. However, a prudent approach would be to include a lifecycle aspect to access controls as well. This would include individuals and physical or logical objects. When you keep these fundamentals in place, you can make a smooth adaptation to controlling access through identification.
/episode/index/show/fedinsider/id/29855203
info_outline
Ep. 134 The Urgency of API Security
01/30/2024
Ep. 134 The Urgency of API Security
Understanding APIs: thousands of them | hard to discover | Vampire APIs The discussion starts with Patrick Sullivan from Akamai stating that 80% of the attacks they are seeing involve the API. What is an API? Originally, it was a quick way to integrate systems. When servers were down the hall, they had minimal use. The popularity of the cloud has drastically increased the number of APIs on a system. Some federal networks can have thousands of APIs. Why worry? An API is small but powerful. It can be a single line of code. Not only that, APIs are an embedded part of so many systems that it is hard to even discover where the APIs reside. How to protect federal data? Shane Barney from USCIS suggests that API protection should be “baked in” when software developers write code. If you combine that with a continuous runtime model, you will at least know where they are located. During the interview, Patrick Sullivan coins the phrase, “Vampire API.” This can be an API that was written and then replaced. However, malicious actors can access the code and modify it to serve their purposes. Another unforeseen circumstance is the logic within the API. It can be sloppily written to allow the validated code itself to be taken advantage of. Listen to the episode to learn about federal leadership in protecting APIs. These include NIST checklists and understanding the origin of code.
/episode/index/show/fedinsider/id/29723098
info_outline
Ep. 133 How to Increase Government IT Agility
01/23/2024
Ep. 133 How to Increase Government IT Agility
Large organizations, whether public or private, all have challenges in making a digital transformation. Today, we sit down with public sector leaders who have had success in managing to make large, state-based systems adapt to today’s world of rapid change. When we say some state systems are large, that is no exaggeration. Ajay Gupta tells listeners that in California they manage three million calls a day and seventy million website visits a year. Whew. How to manage this volume in a world where software development talent is almost impossible to find? Ajay talks about looking at offerings that can be customized by users, this is commonly called “low code, no code.” He explains the key to making this change is to be sensitive to legacy systems to achieve optimized performance. Nobody has all the answers, some state leaders are offering vendor days. This is where public sector leaders engage with vendors with problems they want to solve. When this leads to innovation, Ajay suggests you start in a small area, iterate, and then expand. Nadia Hansen from Salesforce looks at some financial issues. Re-inventing the wheel for every business process in a state would be ridiculous. She suggests developing a framework that can accommodate 70% of the needs of a specific task. From there, a low code no code approach can be taken to customize the process. That way, overall cost is reduced, feedback is generated from users, and funds can be managed efficiently. The bottom line: automate what you can. With that approach, you will be able to use expensive talent to solve more complex issues and the tedious processes can be accomplished through automation.
/episode/index/show/fedinsider/id/29617218
info_outline
Ep. 132 Bringing Agility to the Modern Security Operations Center
01/12/2024
Ep. 132 Bringing Agility to the Modern Security Operations Center
Secure Operations Centers (SOC’s) were designed in the early 1970 with an attempt to thwart minor malicious codes. Well, things have changed slightly in the past 50 years! Today’s SOC provides 24 hour a day, year-round protection for key government organizations. Somehow, this initial design has not kept up with the profusion of threat vectors and many need to be upgraded to manage today’s threats. This is an interview with several leaders who have decades of experience in optimizing the performance of a SOC. We have experts from the Cybersecurity and Infrastructure Agency (CISA), a couple of major research laboratories, and a subject matter expert from Palo Alto Networks. During the interview they discussed topics like tool management, the importance of standards in automation, and some help that is offered by CISA. Humans tend to be attracted to bright, shiny things. Companies like to dangle innovation in front of commercial and federal leaders, and they tend to jump on them. Some studies show that many only use 20% of a tool’s capability. Robert Roser suggests reviewing the capabilities of existing tools before adding tolls to mange threats. Several participants indicated that every incident may not be a threat; one should prioritize where to go next. That concept is nice in theory, but in practicality, it needs standards that lead to automation to allow the threats to be prioritized. A SOC can get hit with thousands of alerts a day, causing operators to misidentify threats due to alert fatigue. Michael Duffy from CISA understands and lists ways that CISA can assist. He refers to the Binding Operational Directive CISA 22-01 that is designed to cut down on alert fatigue. The threat to federal SOCs is real and the response can help everyone involved make federal systems more secure.
/episode/index/show/fedinsider/id/29462908
info_outline
Ep. 131 An Update on Improvements to CISA's Zero Trust Model
12/21/2023
Ep. 131 An Update on Improvements to CISA's Zero Trust Model
Ep. 131 Identity – One Critical Element of CISA’s Zero Trust Maturity Model When you walk down the grocery store aisle you are bombarded with “New and Improved.” The Cybersecurity and Infrastructure Security Agency sure is not selling soap, but they are in the business of improving their original model as much as Proctor and Gamble. Today, we hear comments on the new CISA Zero ‘trust Maturity Model Version 2.0. The observations will help federal leaders learn lessons from the initial recommendations. The latest version boils down to more prominence on identity, new maturity levels, and increased emphasis on visibility. Each subject matter expert agreed that funding must be applied carefully. For example, Bill Proffer from Leidos notes that added visibility allows people to prioritize data and develop a more effective risk profile. When Frank Briguglio cited the statistic that 84% of recent cybersecurity events were identity-related, each of the participants agreed. CISA recommends more robust identity management as the initial step in the Zero Trust journey. In CISA's first guidelines on Zero Trust, they had three levels of maturity: Traditional, Advanced, and Optimal. Feedback from users showed that most assessments fell between traditional and advanced. To assist in planning, a new category, called “Initial” was included. D This is the stage where automation was brought into Zero Trust, a good reflection of the sophistication of Zero Trust's progress. When you listen, you will learn of all the ways the federal government is providing learning tools for this important transition. Frank Briguglio recommends the NCOEE implementation project which looks at horizons for deploying Zero Trust.
/episode/index/show/fedinsider/id/29191653
info_outline
Ep. 130 Budgeting Priorities for Federal Deployment of Zero Trust
12/19/2023
Ep. 130 Budgeting Priorities for Federal Deployment of Zero Trust
Identification, Micro-segmentation, and Continuous Monitoring. Zero Trust is maturing. We have gone from “What is Zero Trust” to “Now that I understand it, how can I afford Zero Trust for my agency? Today’s interview is with Brian Dennis from Akamai, a well-known expert on the deployment of Zero Trust. He will give the listener an overview of the most economical way to deploy Zero Trust. Conceptually, Zero Trust is not a sole product; it is a group of products that work together. This is the main reason careful budgeting must be applied to several specific expenditures in this area. Brian’s advice to get the most “bang for your buck” you need to get Identity Access Management under control, apply micro-segmentation, and include continuous monitoring in your grouping of products. All federal initiatives directed at Zero Trust begin with identity management. This is the linchpin, and the solution must provide correct identification before anything else happens. Divide and conquer is a military concept that can be applied to computer networks. The concept of micro-segmentation was known years ago, but systems have gotten too large to segment manually. Today, we have automated systems that allow permissions to be assigned to each limited area. Ransomware is up; we see new variations of attacks every day. This means that any reasonable budget must include continuous inspection. Focusing on these three areas will enable your systems to use a Zero Trust approach. Of course, there are exceptions, like MRI machines. However, these examples of systems that cannot be upgraded can be isolated with proper security system techniques.
/episode/index/show/fedinsider/id/29144648
info_outline
Ep. 129 Going all out on securing public data
12/07/2023
Ep. 129 Going all out on securing public data
The past five years have shown us an incredible increase in the amount of data being generated. We have seen the Internet of Things combine with fast communications and cheap storage. The result is a deluge of data that has to be protected; with new challenges come new solutions. Today we sat down with a veteran in data protection, Aaron Lewis. He shares with listeners lessons learned from decades of his involvement in data protection. He focuses on three ideas that involve data: classification, mapping, and recovery. He starts with you understanding the data itself. The adage, “If you protect everything you protect nothing” applies here. A system administrator must be able to separate sensitive, classified, and top-secret information. Effort should be placed on the most valuable data. Data mapping sounds like a simple task. Well, at one time it was. Today a system may be attacked when data is residing in many locations. Aaron reminds us that in a modern enterprise, you may see data on the wrong network. It could be in a chat tool, like Slack. If you just protect data that sits in your network, you will be vulnerable. Mike Tyson famously said that everyone has a plan until they are hit in the face. However, Aaron points out that many federal leaders may not even have a plan. If they do, it is sitting on a shelf. Some have called this “shelfware.” To be able to effectively defend data, one should have a current plan that is living. Aarons says that a plan is not a plan unless it has been tested. He recommends a disaster recovery plan that responsible parties rehearse.
/episode/index/show/fedinsider/id/28971248
info_outline
Ep. 128 AI Revolution in Government: How it's Changing the Landscape
11/22/2023
Ep. 128 AI Revolution in Government: How it's Changing the Landscape
The federal government employs millions of people doing, it seems, millions of activities. With such a wide range of activities taking place, it is difficult to take a technology like AI and see how it can live up to its billing by making the federal workforce more efficient. Each federal agency will, undoubtedly, apply AI in a differing manner. One way to see how AI may fit your organization is to listen to this interview. We have a wide range of individuals representing a wide range of agencies and commercial agencies who know about federal operations. During the interview, they share ways they are using AI, including: · Department of State: Using AI to classify diplomatic cables. · Government Accounting Office: acquisition · Defense Innovation Unit: Aerospace maintenance Taka Ariga takes a view of “applied” AI from a large-scale. What he sees is AI applied to specific segments, with limited knowledge. For example, in aerospace maintenance, a system can be devised to know when aircraft wires may need to be replaced. Similar silos are represented in identity proofing, and data analytics. Taka’s observation is that AI is a team sport. Each federal project must include compliance issues, ethical issues, and transparency. He feels that projects must include team members who can understand subtle concepts like biased databases. With all the ink that has been given to AI, Jamie Fitzgibbon from the Defense Innovation Unit makes a startling statement when she says the “only 1% of DoD appropriation is dedicated to AI.” She articulated many of the use cases when AI makes the DoD more efficient but notes that military leaders have more caution than others. All participants note that one weakness in AI is in the selection of data sets. The selection process of that data can bias results. What about data sets that are sitting in storage? Can they bring valuable findings for a valid conclusion?
/episode/index/show/fedinsider/id/28761073
info_outline
Ep. 127 Learning from Log4j: How to Keep Government Applications Secure
11/15/2023
Ep. 127 Learning from Log4j: How to Keep Government Applications Secure
Prioritization Patching Pre-Authentication Logging has always been a thankless and tedious task for systems administrators. Over twenty years ago, this problem was solved with a free logging program called Log4j. It was effective, free, and easy to use. The logging framework became so popular that it was truly pervasive, being part of nearly all systems. As William Shakespeare would say, “Aye, that’s the rub.” Because it was everywhere, it made a tantalizing target for malicious actors. They knew that if they could compromise its code, it would open doors to areas that were extremely hard to find. Two years ago, Log4j was compromised by a malicious actor enabling them to get control of systems. During the interview, you will hear how leaders structured a response through prioritizing, patching, and preauthorization efforts. Prioritizing: Every federal agency has sensitive data assets. With system visibility, one could discover which assets were vulnerable as well as the location of outward-facing applications. This way, assets could be prioritized. This tiering system was important because some libraries were not being used and shouldn’t be worried about. Patching: Large systems take time to patch. The risk, of course, is that the malicious code would propagate during this time. Solomon Adote discussed his targeted response. He recommends leaders limit access to systems to buy time for the rest of the patching activities. Pre-Authentication efforts: Members of the leadership group agreed that one of the best preventative practices occurs before anyone enters the system. West Colie recommends a way to make sure software libraries are examined before they are loaded onto sensitive federal applications. He mentions a Software Bill of Materials that can assure developers that threats like Log4j are not included. In the area of prevention, it was recommended that the person asking for access to a system be authenticated “upstream.” Before even submitting a username and password, a potential visitor should be vetted at a completely different site. The world of cybersecurity is a never-ending battle. Learn lessons from the remediation efforts for Log4j so you can apply them to the next cyber threat to your federal agency.
/episode/index/show/fedinsider/id/28661368
info_outline
Ep. 126 Federal Support for Cybersecurity
11/08/2023
Ep. 126 Federal Support for Cybersecurity
“Word clouds” were popular a few years ago. If we attempted to re-popularize the visual representation of an image with terms associated with federal technology, you would see phrases like “hybrid cloud,” “Zero Trust,” and “unfunded mandate.” We may have to adjust the “word cloud” because of the Infrastructure Act of 2022, we are looking at $1.9 billion in funds appropriated for cybersecurity. Today’s discussion provides guidance on optimizing the use of these funds, so state and local governments can solve today’s threat and prepare their staff for years down the road. Tim Roemer from Thrive DX suggests that some local organizations may not have a mature position when it comes to cybersecurity posture. Because of this, a typical local area may consider spending money on advanced technology, what he calls the “Ferrari.” He suggests they should optimize funds for basics like cybersecurity awareness training. One way to optimize the funding is to take advantage of the free services that CISA provides. They offer free assessments as well as penetration tests. These activities can bring local areas up to a more mature model of cybersecurity where they can make informed decisions about funding measures. During the interview, it became obvious that, even with the increased funding nobody has 100% certainty, and nobody has 100% of all the answers. Continuous training must be part of any plan to optimize these funds.
/episode/index/show/fedinsider/id/28559033
info_outline
Ep. 125 Combatting Cyber Crime in State & Local Government
11/02/2023
Ep. 125 Combatting Cyber Crime in State & Local Government
More end points staffing challenges automation Today, we sat down with three state experts and three subject matter experts and heard them give ideas on the most effective way to combat cyber threats. The discussion can be boiled down into three main areas: risk in increased workload, staff challenges, and automation. Covid increased the number of people logging in remotely and, at the same time, there was an increase in data collected by sensors. That increased workload presented opportunities for malicious actors. Tony Lauro mentions that this data collection can involve Application Program Interfaces (APIs). They must be protected because they act as a gateway and an attack point for outsiders. This increase in data collection also includes the obligation to act in a way that protects personal information. If not done correctly, sensitive data can be collected and stored in an unsafe manner, leaving it exposed to attack. Everyone knows about the lack of staff for cybersecurity professionals. Jeremy Wilson from Texas details how Texas has an “Infosec Academy” that trains staff in principles of combatting cyber-attacks. His experience shows that a person doesn’t necessarily need a degree in computer science to be effective at preventing and remediating attacks. Automation is a double edges sword. On one hand, it can assist in updating systems and validating identity; on the other hand, attackers can use automation to accelerate attacks as well. David Morgan from Texas suggests that in a post pandemic world Identity, Credential, and Access Management must be a priority. Automation can allow platforms to talk to each other, but a systems administrator must know where the gaps are and provide end point protection.
/episode/index/show/fedinsider/id/28496240
info_outline
Ep. 124 Zero Trust: The Importance of Standardization & Consistency
10/25/2023
Ep. 124 Zero Trust: The Importance of Standardization & Consistency
Complexity Identity Credentials and Access Management (ICAM) Toxic Combinations Napoleon Hill once said that a goal is a dream with a deadline. When it comes to the federal transition to Zero Trust Architecture, the Office of Management and Budget outlines a path for implementing zero-trust architecture by 2024. Today’s discussion gives federal practitioners terrific guidelines on how to accomplish that noble goal. The group is a wonderful mix of federal experience, innovative leaders, and experts who were part of many initial network specifications. During the discussion three topics were obvious: how to manage complexity, identity, and unexpected combinations. Complexity During an exchange about “shiny new things” that seem to trap system managers, Josh Brodbent made a fantastic observation when he stated that complexity doesn’t always mean effectiveness. Drilling deeper into the concept of new technology, Frank Bruglio suggests some people will purchase a “shiny new toy” for the sole reason to check a box on a compliance requirement. ICAM Bryan Rosensteel has spent his career in the world of federal identity management. His experience leads him to believe that to fulfill the desired transition to zero-trust architecture, application developers must be taken into consideration. His point is simple, if ICAM isn’t a part of application development, how can they assure that it will be compliant? Bolting on compliance brings about delays and unneeded code revisions. Bryan expands on this concept with his thoughts on abstract authentication and centralized structures. Toxic Combinations Frank Briguglio reminds us that managing Identity Credentials and Access Management must be understood at a much deeper level. In the discussion, he revives the phrase “toxic combinations.” This is a reference to granting privileges to users that can create risks in unexpected ways. Automation has its limits, and humans must be part of the package when a federal agency commits to zero-trust-architecture.
/episode/index/show/fedinsider/id/28424414
info_outline
Ep. 123 Strengthening Your Network Security: Balancing Outer & Inner Defenses
10/20/2023
Ep. 123 Strengthening Your Network Security: Balancing Outer & Inner Defenses
Sprawl > Visibility > Segmentation & micro segmentation When technology people hear the term “segmentation” they normally apply that term to network topology. After all, networks have been segmented since the early days when subnets were devised (RFC 791 in 1984). During today’s discussion, we will learn that although network segmentation is important, we must also consider the value of applying segmentation to applications as well. Rob Thorn from ICE explains that we need both approaches to have a secure federal system. Instead of a server down the hall, a typical federal agency is encountering “sprawl.” Public clouds, private clouds, multiple data centers, and the day of saying an application is sitting on a server in the building is long forgotten. Gary Barlet from Illumnio points out that many systems administrators really don’t know what calls are being made by applications. When it comes to network visibility, applications must be included. Hence the importance of application segmentation. An argument can be made that this approach can be termed micro segmentation. The next logical step is gaining visibility into the network to have a deeper understanding of who is accessing what. Gary Barlet makes some shocking observations about visibility. Some organizations do a thorough analysis of their system and see servers they thought were taken offline; these “ghost” servers may not be patched properly and result as being a significant vulnerability.
/episode/index/show/fedinsider/id/28375334
info_outline
Ep. 122 State & Local: Using AI & Machine Learning to Improve Services
10/16/2023
Ep. 122 State & Local: Using AI & Machine Learning to Improve Services
Everyone who has driven through Missouri knows that the state motto is “Show Me.” That is the theme for today’s interview. We all have seen the hype about artificial intelligence. Well, time to give some specific examples so federal and state leaders can see how to apply AI to reduce costs and improve service for citizens. Today’s podcast is a fantastic panel of experts who reflect views from academia, states and localities, as well as corporate expertise. They manage topics ranging from AI bias to floodplain insurance. Amanda Randles opens with practical advice. She says we should not fear AI, we should focus on ways to train users on how to use these tools in the best way. Moving from academia, David Edinger gives specific examples from Denver on how he has deployed AI to improve citizen experience. For example, if AI can detect anomalies on an X-ray better than a human, why not use AI to free up time for a radiologist to face-to-face with patients? A more mundane example is Denver’s non-critical support line, what he calls “311.” David details how AI has been deployed in chatbots to help people with typical tasks like getting a license. It can also anticipate questions and provide appropriate answers. Finally, AI-enhanced response systems can work 24 hours a day 7 days a week, which improves citizen service as well as reduces the burden on staff to work weekends. Moving to the West Coast, Hong Sae describes how AI can be used to predict major events on a flood plain. This predictive ability has helped citizens with reducing the cost of flood plain insurance. This far-ranging discussion includes each person contributing to the concern of AI being used in an ethical manner as well as how to trust the data that is provided.
/episode/index/show/fedinsider/id/28325702
info_outline
Ep. 121 The Human Side of Zero Trust
10/04/2023
Ep. 121 The Human Side of Zero Trust
In 2021, the federal government provided initiatives for a move to zero trust; after two years it is time to look at the progress agencies have made. Today’s discussion includes federal experts who have made remarkable progress in the implementation of Zero Trust. The group also includes an experienced subject matter expert from a large commercial organization, IBM. The conclusion from the short discussion is the value of taking into consideration many of the human aspects of implementing zero trust. This human aspect can be divided into three areas: strategy, design, and leveraging guidance from the federal government. Strategic concerns begin with understanding the nature of a zero-trust implementation. As Wayne Rogers points out, one can’t throw a switch and have zero trust just emerge from those bits and bytes. He suggests a test pilot program, getting feedback, and then continuing until it is complete. When it comes to multiple cloud vendors, Wayne brings brilliant insight. He looks back at traditional federal tech implementations, he observes that they were using a variety of vendors. His suggestion is to apply the same strategy to cloud based zero trust. Using multiple clouds yields benefits like resiliency and reducing cyber-attack vulnerability. If one vendor gets attacked, your secondary provider will be available. As far as reducing risk goes, he details an approach where you distribute the technology for Zero Trust among several Cloud Service Providers. For example, one can place SASE on one, ICAM on another, and storage on a third. Although it can be complicated, he shows that it can increase speed drastically. IBM’s Akiba Saeedi recommends that a federal manager should look at a transition to zero trust by focusing on use cases. Take one implementation and examine it regarding disruption, privacy, and remote work. She has seen success when working with several vendors on specific use cases. All guests agreed a great place for guidance on a zero-trust transition is NIST’s Center of Excellence on Zero Trust called the National Cybersecurity Center of Excellence, or NCCOE project.
/episode/index/show/fedinsider/id/28220831
info_outline
Ep. 120 The AI Big Bang: Exploring Government’s Growing Universe of AI Applications
09/26/2023
Ep. 120 The AI Big Bang: Exploring Government’s Growing Universe of AI Applications
Most people today think the sum of Artificial Intelligence is ChatGPT; this is a discussion of a wide range of use cases where the federal government can apply AI. After listening, you will realize that ChatGPT is just one element of the advances in technology to allow federal leaders to make data-driven decisions leveraging artificial intelligence. The use cases discussed range from compliance at the Department of Education to applying Natural Language Processing to satellite images. In this range, there are five concepts about AI you may never have thought of. >What about clean data? One challenge the CDC has is it may get secondhand or even thirdhand data that they are challenged with cleaning up. That experience is reflected in other agencies as well. > Federal leaders are concerned about privacy and security. Federal leaders are skilled in understanding the use of this data and whether it complies to make sure it is safe. > No federal agency can apply artificial intelligence in a vacuum. It must be an enterprise-wide endeavor. To that end, we see Executive Order 13960 to provide overall guidance on how to handle data for larger organizations. > Analytics matter. Ten years ago, everyone talked about big data; then they realized that actionable information wouldn’t just drop out of a large data set. Leaders must have a laser focus on deriving lessons from the massive data sets they encounter. > English isn’t the only language on the planet. You can’t just translate the language into English, you must seek out annotators who can provide nuance in a foreign language. This is especially true for intelligence agencies who monitor foreign threats. Just because today’s Large Language Models are based on English, doesn’t make it apply to other countries. Vijay Sharma summed up the discussion brilliantly – he said having Artificial Intelligence is like having the best bike in town and not knowing how to ride it.
/episode/index/show/fedinsider/id/28148300
info_outline
Ep. 119 Threat Intelligence Sharing in a Complex Threat Landscape
09/12/2023
Ep. 119 Threat Intelligence Sharing in a Complex Threat Landscape
One of the challenges of raising a child is teaching them how to share; one of the challenges of federal information technology professionals is teaching them to share. Today we take a look at organizations that encounter cyber threats and their efforts at sharing threat information. Sharing cyber threat information isn’t a recent idea -- Executive Orders have encouraged sharing for years. February 13, 2015, talks about the goal of creating robust information sharing related to cybersecurity risks and incidents. May 12, 2021 “Removing barriers to threat sharing” that encourages the sharing of information across federal agencies. In the commercial world, people are afraid to share cyber threat information because it may make them look weak to customers. If they share that data with competition, then their commercial opponents may have a leg up on them. The federal world is just resistant but for different reasons. If a vulnerability is announced, there is a threat that federal systems that aren’t patched will be vulnerable to attack. This is the challenge addressed in today’s interview with federal CISOs and a commercial expert. Jonathan Feibus from the NRC looks at budget -- smaller agencies may not be able to afford to get commercial data on threats. Companies like Mitre make available public Common Vulnerabilities and Exposure (CVE) lists for free. The most recent list includes 210,558 vulnerabilities. It is indeed possible for a commercial company to have systems where vulnerabilities can be identified and remediated before they makes the CVE list.
/episode/index/show/fedinsider/id/28009845
info_outline
Ep. 118 Cybersecurity: Protect & Personalize User Experience
09/06/2023
Ep. 118 Cybersecurity: Protect & Personalize User Experience
Executing the mission, abstracting complexity, driving for speed The Biden administration didn’t just release Executive Order 14-058 to make federal websites look good, the practical aspect of user experience is making sure citizens can access information in a speedy, and safe manner. Conrad Bovell from HHS makes a strong statement when he states the reason for cybersecurity is to secure the mission of the agency. For his agency, it is quite a large mission. During the interview, he casually mentions that HHS has a #1.68 trillion annual budget. The obvious method is to lock everything down, however, the functioning of the agency means that he and his team must assess risk to when funding research. The challenge is to get both: good experience and speed. The HHS complex in suburban Maryland is quite extensive and complex, but nothing compared to the geographically remote and secure networks the military must operate in. Randy Young gives the perspective of a trusted partner who assists in making the network easy to use and secure. He maintains the way to support the warfighter drives better technology outcomes on the user’s terms, not the terms of whatever new technology is available. Putting yourself in the end user’s boots can make security experts understand how to manage risk and deliver the speed needed all the way to the feds at the edge. Twitter: @FedInsider LinkedIn: Facebook:
/episode/index/show/fedinsider/id/27955038
info_outline
Ep. 117 Zero Trust Security Transformation: A “How To” Guide
08/29/2023
Ep. 117 Zero Trust Security Transformation: A “How To” Guide
Compliance, maturity levels, edge computing Some people think the television phrase, “Set it and forget it” applies to Zero Trust. Today’s discussion throws that notion out the window. The interview takes a deep dive into how an agency can move to a Zero Trust Architecture. Three experts discuss compliance, maturity levels, and the role of edge computing. The conclusion is obvious: Zero Trust is a serious, constantly evolving methodology and federal leaders must take advantage of every resource possible to gain a thorough understanding of the process. Jennifer Franks from the GAO points out that Zero Trust is not a new concept and the federal government has all kinds of reference materials to support leaders. She lists information from DISA, NIST, the DoD as well as the OMB. She reminds listeners that there is a maturity model associated with Zero Trust change -- and leaders must be aware of revisions to these documents. Jennifer reminds the audience of the recent upgrade to the DISA model that adds more maturity levels. Guidance is nice, but where to start? During the interview, Wayne Rogers talks about looking at your respective agency’s situation and doing a gap analysis. Once that is complete, then one can set priorities. For example, when he used this process, his agency identified a weakness in their VPN system. He prototyped a transition to Secure Access Service Edge and then deployed it across the agency. Probably the best quote from this interview was provided by Akamai’s Tony Lauro. He said, “Security has to work despite users.” He is referring to the base concept behind Zero Trust – an automated system that can identify threats and provision resources with appropriate access levels that can have nothing to do with end users acting themselves. Ron Popeil’s catchphrase may work on television, but not in today’s federal government. Twitter: @FedInsider LinkedIn: Facebook:
/episode/index/show/fedinsider/id/27879264