National Security Agency (NSA) Archives | FedScoop https://fedscoop.com/tag/national-security-agency/

Bipartisan Senate bill on AI security would bolster voluntary cyber reporting processes https://fedscoop.com/senate-bill-on-ai-security-bolster-voluntary-cyber-reporting/ Thu, 02 May 2024 19:09:30 +0000 https://fedscoop.com/?p=77965 The AI Act of 2024 from Sens. Warner and Tillis calls on NIST and CISA to update databases and NSA to launch an AI security center.

The post Bipartisan Senate bill on AI security would bolster voluntary cyber reporting processes appeared first on FedScoop.

A bipartisan Senate bill released Wednesday would strengthen security measures around artificial intelligence, overhauling a series of actions including cyber vulnerability tracking and a public database for AI incident reports.

The Secure AI Act of 2024, introduced by Sens. Mark Warner, D-Va., and Thom Tillis, R-N.C., requires the National Institute of Standards and Technology to update the National Vulnerability Database (NVD) and the Cybersecurity and Infrastructure Security Agency to update the Common Vulnerabilities and Exposures (CVE) program, or create a new process, according to a summary of the bill.

Additionally, the bill would charge the National Security Agency with establishing an AI Security Center that would provide an AI test-bed for research for private-sector and academic researchers, and develop guidance to prevent or mitigate “counter AI-techniques.”

“Safeguarding organizations from cybersecurity risks involving AI requires collaboration and innovation from both the private and public sector,” Tillis said in a press release. “This commonsense legislation creates a voluntary database for reporting AI security and safety incidents and promotes best practices to mitigate AI risks.” 

Under the legislation, CISA and NIST would have one year to develop and implement a voluntary database for tracking AI security and safety incidents, which would be available to the public. 

Similarly, NIST would only have 30 days after the enactment of this legislation to initiate a “multi-stakeholder process” to evaluate if the consensus standards for vulnerability reporting accommodate AI security vulnerabilities. After establishing this process, NIST would have 180 days to submit a report to Congress about the sufficiency of reporting processes. 

“By ensuring that public-private communications remain open and up-to-date on current threats facing our industry, we are taking the necessary steps to safeguard against this new generation of threats facing our infrastructure,” Warner said in the press release.

ACLU seeks AI records from NSA, Defense Department in new lawsuit https://fedscoop.com/aclu-seeks-ai-records-from-nsa-defense-department/ Fri, 26 Apr 2024 19:49:35 +0000 https://fedscoop.com/?p=77647 The complaint, filed under the Freedom of Information Act, aims to compel the release of documents related to NSA’s use of artificial intelligence.

The post ACLU seeks AI records from NSA, Defense Department in new lawsuit appeared first on FedScoop.

The American Civil Liberties Union is seeking the disclosure of records related to the National Security Agency’s use of artificial intelligence, as the Biden administration emphasizes transparency surrounding use of the technology in the government.

In a Thursday complaint, the ACLU asked the U.S. District Court for the Southern District of New York to compel the release of documents detailing the agency’s integration of the technology and plans for the future. Despite the agency’s public comments about its AI efforts and past pledges to be transparent, those documents haven’t yet been released, the ACLU argued.

“Immediate disclosure of these records is critical to allowing members of the public to participate in the development and adoption of appropriate safeguards for these society-altering systems,” the ACLU said in its filing, which was first reported by Bloomberg Law.

In addition to the NSA, the complaint also names the Department of Defense and the Office of the Director of National Intelligence — which oversee the spy agency — as plaintiffs.

The Freedom of Information Act lawsuit comes as the Biden administration has underscored the need for transparency in the use of AI by the government. In an Office of Management and Budget memo released last month, the administration expanded what civilian agencies are required to report in their annual, public AI use case inventories, adding requirements for safety- and rights-impacting uses. Certain intelligence community agencies and DOD, however, continue to be exempt from that process.

“Transparency is one of the core values animating White House efforts to create rules and guidelines for the federal government’s use of AI, but exemptions for national security threaten to obscure some of the most high-risk uses of AI,” Patrick Toomey, deputy director of the ACLU’s National Security Project who is representing the civil rights organization, told FedScoop.

Toomey said the NSA has described itself as a leader among the intelligence agencies in the development and deployment of AI, and officials have noted that it’s using the technology to gather information on foreign governments, assist with language processing, and monitor networks for cybersecurity threats. 

“But unfortunately, that’s about all we know,” Toomey said. “And as the NSA integrates AI into some of its most profound decisions, it’s left the public in the dark about how it uses AI and what safeguards, if any, are in place to protect everyday Americans and others around the world whose privacy hangs in the balance.”

The complaint pointed to several actions the NSA has taken on AI, including a joint evaluation of the agency’s integration of AI, conducted by its inspector general and DOD, and studies and roadmaps NSA has completed about its use of the technology.

The specific documents being requested include an October 2022 report from DOD and NSA titled “Joint Evaluation of the National Security Agency’s Integration of Artificial Intelligence,” several roadmap documents created by NSA starting in January 2023, and documents related to the agency’s proposed uses of AI and machine learning created on or after January 2022.

The NSA didn’t immediately respond to FedScoop’s request for comment on the lawsuit. 

While the intelligence community is exempt from the inventory process that other civilian agencies must complete, President Joe Biden’s October 2023 executive order on AI required the development of a memo on the governance of AI that’s used for national security, military or intelligence. That memo is required to be produced 270 days after the issuance of the order. 

Toomey said the ACLU is hopeful that memo “will incorporate some of the very important transparency principles that the Biden administration and even the intelligence agencies have publicly committed themselves to.”

Stumbling blocks abound in federal push to stronger identity and access management, CISA and NSA panel finds https://fedscoop.com/cisa-nsa-report-mfa-sso-identity-access-management/ Fri, 06 Oct 2023 18:54:34 +0000 https://fedscoop.com/?p=73385 New federal guidance identifies challenges in agency adoption and implementation of multi-factor authentication and single sign-on security services.

The post Stumbling blocks abound in federal push to stronger identity and access management, CISA and NSA panel finds appeared first on FedScoop.

The adoption and implementation of multi-factor authentication and single sign-on security protocols at federal agencies has hit myriad roadblocks amid the government’s push to fully embrace the zero-trust cybersecurity goals set by the Office of Management and Budget last year, a report from the Cybersecurity and Infrastructure Security Agency and the National Security Agency found.

The guidance released this week from a CISA and NSA-led panel of government and industry experts highlighted confusion over MFA terminology and vague policy instructions as primary challenges that have so far prevented seamless application of the user authentication process. 

While one seemingly simple proposed fix from the panel is to settle on a more standardized MFA vocabulary, a thornier problem identified is the “lack of clarity regarding the security properties that certain implementations provide.” Additional steps to standardize and simplify the benefits provided by MFA were recommended by the panel, including greater investments by vendors into “phishing-resistant authenticators to more use cases to provide greater defense against sophisticated attacks.”

Other MFA-related challenges raised by the panel centered on sustainability and governance of user sign-ups, noting that a reliance on self-enrollment and “one time enrollment code[s]” leaves systems vulnerable to cyber threats.

On the single sign-on front, experts highlighted the “significant tradeoff” between functionality and complexity, adding that R&D efforts should prioritize a “secure-by-default, easy to use, SSO system to address these gaps in the market.”

Additionally, the panel suggested that SSO accessibility could be improved by bundling those capabilities in all high-enterprise product features, ensuring that small- and medium-sized organizations aren’t priced out.  

The concepts called out in the CISA-NSA guidance fall under the broader framework of identity and access management, a critical component of zero-trust security and a pillar of the government’s efforts in that space. The White House’s 2021 executive order on improving the nation’s cybersecurity called for advancements in zero-trust architecture within the federal government, while the 2022 OMB memorandum doubled down on the strategy, calling for stronger enterprise identity and access controls, including MFA.

Federal cyber contractor IronNet, founded by Keith Alexander, considering bankruptcy, will furlough workers https://fedscoop.com/federal-cyber-contractor-ironnet-considering-bankruptcy-will-furlough-workers/ Mon, 11 Sep 2023 17:29:29 +0000 https://fedscoop.com/?p=72670 IronNet was founded by multiple former top defense officials including ex-NSA chief Keith Alexander.

The post Federal cyber contractor IronNet, founded by Keith Alexander, considering bankruptcy, will furlough workers appeared first on FedScoop.

IronNet, a prominent federal cybersecurity company founded by top former intelligence and defense officials, is considering bankruptcy and will furlough almost all of its employees, according to a regulatory filing from last week. 

The company announced in an 8-K financial filing with the U.S. Securities and Exchange Commission that it would “substantially curtail” its operations due to significant losses in the past two years. 

“The company currently does not have the ability to satisfy its debts and related obligations, including with respect to any current or future defaults,” IronNet President and CFO Cameron Pforr wrote Tuesday in a Securities and Exchange Commission filing. “The company’s existing cash and cash equivalents and anticipated cash flows from operations are not sufficient to meet the company’s operating and liquidity needs.”

A network threat detection platform in use by federal agencies and commercial businesses, IronNet was co-founded in 2014 by retired Gen. Keith Alexander, the former National Security Agency director and commander of U.S. Cyber Command, along with other former defense officials.

Alexander stepped down as CEO in July, nine years after founding the company, but remains as chairman of its board of directors. He is also a board member of Amazon, which he joined in 2020.

IronNet has collaborated with the Cybersecurity and Infrastructure Security Agency (CISA) for many years on prominent public-private cyber partnerships and in 2022 was named by the agency as a member of its Joint Cyber Defense Collaborative (JCDC). The company is “FedRAMP Ready” and is pursuing a FedRAMP high authorization to work with sensitive government workloads.

In a securities lawsuit filed last year, IronNet investors claimed that Alexander gave false promises of government contracts and inflated revenue numbers, all while selling off his shares in the company.

IronNet’s board recently authorized the company to furlough nearly all its workers and substantially curtail business operations as the board tries to find funding to resume business operations and also evaluates bankruptcy protection. 

The company posted losses in its last two fiscal years, $111 million for the past year and $242.6 million in the previous year.

IronNet drastically reduced the size of its workforce prior to the furloughs, going from 316 employees in January 2022 to just 104 employees a year later.

The board’s latest decision to take steps to downsize comes less than eight weeks after reaching an agreement with venture capital firm C5 Capital to take the firm private. 

IronNet didn’t respond to requests for comment at the time of publication. 

Leidos names former NSA executive as chief security officer https://fedscoop.com/leidos-names-former-nsa-executive-as-chief-security-officer/ Mon, 05 Jun 2023 13:30:01 +0000 https://fedscoop.com/?p=69031 Amy Davis was most recently deputy chief of the NSA Office of Security and Counterintelligence.

The post Leidos names former NSA executive as chief security officer appeared first on FedScoop.

Leidos has appointed a former National Security Agency leader as the technology company’s chief security officer.

In a press release Monday, the company said it has named Amy Davis as senior vice president and chief security officer.

Most recently, Davis was deputy chief of the National Security Agency’s Office of Security and Counterintelligence, leading a team responsible for protecting civilian, military and contractor personnel around the world. Her two-decade career at the agency included appointments that focused on insider risk, emerging threats, physical security and crisis management.

In the new role, Davis will be responsible for leading, managing and directing Leidos’ corporate security division. She will also oversee the company’s compliance with U.S. and foreign government national security standards.

Commenting on the appointment, Leidos Executive Vice President of Corporate Operations Vicki Schmanske said: “As a career intelligence officer, Amy brings a wealth of experience and skills from the highest levels of the federal government. We’re excited to leverage Amy’s ability to combine strategy with innovative capabilities and support our customers with exceptional service to execute their missions in a secure environment.”

Her appointment follows that of longtime federal IT leader Bobby Saxon, who in January left government service to join Leidos as a vice president focused on customer advocacy. He was most recently deputy CIO at the Centers for Medicare and Medicaid Services.

Cybercriminals scam two federal agencies via remote desktop tool, CISA warns https://fedscoop.com/cybercriminals-scam-two-federal-agencies-via-remote-desktop-tool/ Thu, 26 Jan 2023 20:58:17 +0000 https://fedscoop.com/?p=65197 CISA and the NSA warned federal agencies that malicious hackers used legitimate remote monitoring and management software to execute scams.

The post Cybercriminals scam two federal agencies via remote desktop tool, CISA warns appeared first on FedScoop.

Cybercriminals duped federal employees into downloading remote monitoring and management software and then used it to execute scams to steal money from victims’ bank accounts, top cybersecurity officials said Wednesday.

In an alert warning agencies about the malicious use of remote management software, in this case ConnectWise Control and AnyDesk, officials said that while the specific activity “appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and [advanced persistent threat] actors.” 

The joint alert from the Cybersecurity and Infrastructure Security Agency, National Security Agency and Multi-State Information Sharing and Analysis Center did not specify which agencies were affected, but noted that at least two were victims.

Additionally, the alert said help desk-themed phishing emails had been sent since at least June 2022 to multiple federal civilian agencies. CISA detailed the two instances of suspected malicious activity discovered in October using the federal intrusion detection program known as EINSTEIN. In mid-June, a federal civilian agency received a phishing email, and the victim called a phone number contained in the message, which led them to a malicious domain. In mid-September, CISA identified traffic flowing between an agency network and a malicious domain.

The campaign continued until at least early November, the alert said. The hackers impersonated help desk services such as Geek Squad Services, general tech support owned by Best Buy, as well as Norton, Amazon, McAfee and PayPal in order to dupe victims. Once the hackers had access to the victims’ machines, they could potentially sell any network access to other cyber criminals or APT groups, according to the alert. “This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software.”

The report warned that, generally, remote management software does not trigger antivirus or anti-malware defenses and that hackers can use legitimate RMM software in a portable executable which can “bypass administrative privilege requirements and software management control policies.” Additionally, RMM software can reduce the need for a malicious hacker to use custom malware and can act as a backdoor to remain on the victim’s network.

Department of Justice drops challenge of Booz Allen-EverWatch deal https://fedscoop.com/department-of-justice-drops-challenge-of-booz-allen-everwatch-deal/ Wed, 25 Jan 2023 18:43:00 +0000 https://fedscoop.com/?p=65088 It marks the end of a lawsuit that has run since June last year, after the Department of Justice sued to try and stop the transaction.

The post Department of Justice drops challenge of Booz Allen-EverWatch deal appeared first on FedScoop.

The Department of Justice has abandoned its challenge to Booz Allen Hamilton’s acquisition of signals intelligence contractor EverWatch.

In a court filing submitted in late December, the U.S. government said it would not move to reopen the litigation unless either Booz Allen Hamilton or EverWatch withdraws bids for a major signals intelligence contract.

It marks the end of a lawsuit that has run since June last year after the Department of Justice sought multiple injunctions to halt the transaction.

The DOJ’s withdrawal from the case comes as the Biden administration ramps up its focus on pursuing antitrust cases against some of America’s biggest tech companies.

In subsequent arguments to the court, the government sought to show that the deal would directly threaten competition for contracts provided to the National Security Agency, including for the major Optimal Decision signals intelligence contract.

However, it struggled to demonstrate precisely how the competitive landscape would be affected by the deal, and a Maryland federal judge in November blocked multiple attempts by the DOJ to obtain an injunction.

In an opinion dismissing the second attempt at the time, Judge Catherine Blake said it did not meet the required legal standard to proceed. 

“[T]he Government once again asks this court to pause Booz Allen’s acquisition of EverWatch. But that ship has sailed. In denying the Government’s initial attempt to stop the transaction, the court allowed the defendants to ‘merge on their own terms, if they so choose,'” she said.

Booz Allen Hamilton closed the acquisition, which according to court documents valued EverWatch at about $440 million, on Oct. 14.

Commenting on the outcome, a Booz Allen spokesperson said: “We are extremely pleased to resolve this matter as we continue to serve national security missions with the most innovative and competitive solutions.”

The Department of Justice did not respond to a request for comment.

NSA awards $284M cybersecurity services contract to CACI https://fedscoop.com/nsa-awards-284m-cybersecurity-contract/ Mon, 23 Jan 2023 16:44:38 +0000 https://fedscoop.com/?p=64356 The five-year, single award contract focuses on modernizing the National Security Agency's cyber engineering practices.

The post NSA awards $284M cybersecurity services contract to CACI appeared first on FedScoop.

The National Security Agency has awarded a $284 million systems engineering prime contract to IT government contractor CACI International. 

Through the five-year, single-award contract, the company will provide cyber engineering support to NSA’s cybersecurity directorate as the pace and scope of cybersecurity threats within government increases.

“This award reflects CACI’s ongoing commitment to support the NSA’s critical missions,” John Mengucci, CACI president and CEO, said in a statement. “We appreciate the NSA’s trust and confidence in our ability to find the right people with the right skills to protect these systems against an ever-changing range of threats and to bring engineering solutions to reality.”

NSA has awarded the new contract, even as it rethinks a $2.4 billion contract given to CACI last year after it was challenged by two competitors, Booz Allen Hamilton and Leidos.

The IT services heavyweights filed complaints with the GAO on Oct. 31 over NSA’s FocusedFox contract, which is intended to provide the agency with analysts who have a deep understanding of adversary networks, network defenses, and cyber network operational capabilities.

This is the second major multi-billion dollar contract won by CACI that has been challenged in the past year.

In August, the Air Force chose CACI for a potential $5.7 billion enterprise IT services contract that was challenged by three other competitors, Accenture, Peraton, and Science Applications International Corp.

Biden signs quantum computing cybersecurity bill into law https://fedscoop.com/biden-signs-quantum-computing-cybersecurity-act-into-law/ Thu, 22 Dec 2022 01:46:44 +0000 https://fedscoop.com/biden-signs-quantum-computing-cybersecurity-act-into-law/ The legislation will require the Office of Management and Budget to prioritize federal agencies’ acquisition of and migration to IT systems with post-quantum cryptography.

The post Biden signs quantum computing cybersecurity bill into law appeared first on FedScoop.

President Biden on Wednesday signed legislation to encourage federal government agencies to adopt technology that is protected from decryption by quantum computing.

The Quantum Computing Cybersecurity Preparedness Act earlier this month progressed through the Senate after companion legislation passed the House in July. It is co-sponsored by Sens. Rob Portman, R-Ohio, and Maggie Hassan, D-N.H.

The newly enacted legislation comes amid fears that significant leaps in quantum technology being made by countries hostile to the United States, including China, could allow existing forms of secure encryption to be cracked much more quickly.

In particular, the law requires the Office of Management and Budget to prioritize federal agencies’ acquisition of and migration to IT systems with post-quantum cryptography. It also mandates that the White House create guidance for federal agencies to assess critical systems one year after the National Institute of Standards and Technology issues planned post-quantum cryptography standards.

It stipulates that OMB should send an annual report to Congress that includes a strategy for how to address post-quantum cryptography risks from across the government.

In a Nov. 18 memo, the White House gave federal agencies until May 4 next year to provide an inventory of assets containing cryptographic systems that could be cracked by quantum computers.

Meanwhile, in September the National Security Agency issued guidance in which it set out requirements for owners and operators of national security systems to start using post-quantum algorithms by 2035.

In an advisory note at the time, the intelligence agency recommended that vendors start preparing for the new technology requirements but acknowledged that some quantum-resistant algorithms have yet to be approved for use.

President Biden on Wednesday also signed into law the SBA Cyber Awareness Act, which requires the Small Business Administration to submit an annual report regarding the cybersecurity of the agency.

Post-quantum cryptography experts brace for long transition despite White House deadlines https://fedscoop.com/quantum-crytography-experts-long-transition/ Mon, 12 Dec 2022 21:33:15 +0000 https://fedscoop.com/quantum-crytography-experts-long-transition/ Agencies are finally starting to take the threat of quantum computers to their sensitive data seriously, but the task of inventorying vulnerable systems remains daunting.

The post Post-quantum cryptography experts brace for long transition despite White House deadlines appeared first on FedScoop.

The White House’s aggressive deadlines for agencies to develop post-quantum cryptography strategies make the U.S. the global leader on protection, but the transition will take at least a decade, experts say.

Canada led the Western world in considering a switch to post-quantum cryptography (PQC) prior to the Office of Management and Budget issuing its benchmark-setting memo on Nov. 18, which has agencies running to next-generation encryption companies with questions about next steps.

The memo gives agencies until May 4, 2023, to submit their first cryptographic system inventories identifying vulnerable systems, but they’ll find the number of systems reliant on public-key encryption — which experts predict forthcoming quantum computers will crack with ease — is in the hundreds or thousands. Agencies, software, servers and switches often have their own cryptography, and agencies don’t necessarily have the technical expertise on staff to understand the underlying math.

“This will be the largest upgrade cycle in all human history because every single device, 27 billion devices, every network and communication needs to upgrade to post-quantum resilience,” Skip Sanzeri, chief operating officer at quantum security-as-a-service company QuSecure, told FedScoop. “So it’s a massive upgrade, and we have to do it because these quantum systems should be online — we don’t know exactly when — but early estimates are three, four years for something strong enough.”

Bearish projections have the first quantum computer going live in about a decade, or never, with scientists still debating what the definition of a qubit — the quantum mechanical analogue to a bit — should even be.

QuSecure launched three years ago but became the first company to deploy PQC for the government this summer, when it proved to the U.S. Northern Command and North American Aerospace Defense Command that it could create a quantum channel for secure aerospace data transmissions at the Catalyst Campus in Colorado Springs, Colorado. The company used the CRYSTALS-KYBER cryptographic algorithm, one of four the National Institute of Standards and Technology announced it would standardize, but a quantum computer doesn’t yet exist to truly test the security.

The first quantum security-as-a-service company to be awarded a Phase III contract by the Small Business Innovation Research program, QuSecure can contract with all federal agencies immediately. Customers already include the Army, Navy, Marines and Air Force, and the State, Agriculture, Treasury and Justice departments have inquired about services, Sanzeri said. 

QuSecure isn’t alone.

“We are having discussions right now with various federal agencies around what they should be doing, what they can be doing, in order to start today — whether it’s in building out the network architecture or looking at Internet of Things devices that are being sent into the field,” said Kaniah Konkoly-Thege, chief legal officer and senior vice president of government relations at Quantinuum, in an interview.

Defense and intelligence agencies are better funded and more familiar with classified programs requiring encryption services and therefore “probably in a much better position” to transition to PQC, Konkoly-Thege said.

Having served in the departments of the Interior and Energy, Konkoly-Thege said she’s “concerned” other agencies may struggle with migration.

“There are a lot of federal agencies that are underfunded and don’t have the resources, either in people or funding, to come and do what’s necessary,” she said. “And yet those agencies hold very important information.”

That information is already being exfiltrated in cyberattacks like the Office of Personnel Management hack in 2015, in which China aims to harvest now, decrypt later (HNDL) data with fully realized quantum computers.

Post-Quantum CEO Andersen Cheng coined the term, and his company’s joint NTS-KEM error-correcting code is in Round 4 of NIST’s PQC algorithm competition.

Cheng points to the fact he could trademark his company’s name as proof PQC wasn’t being taken seriously even in 2015 and certainly not the year prior, when he and two colleagues were the first to get a PQC algorithm to work in a real-world situation: a WhatsApp messaging application downloadable from the app store.

They took it down within 12 months.

“One of my friends in the intelligence world called me one day saying, ‘You’re very well known.’ I said, ‘Why?’ He said, ‘Well, your tool is the recommended tool by ISIS,’” Cheng told FedScoop in an interview. “It was a wonderful endorsement from the wrong party.”

While there wasn’t one moment that caused the U.S. government to take PQC seriously, Cheng said the “biggest” turning point was the release of National Security Memo-10 — which OMB’s latest memo serves as guidance for implementing — in May. That’s when the largest U.S. companies in network security infrastructure and finance began reaching out to Post-Quantum for consultation.

Post-Quantum now offers a portfolio of quantum-ready modules for not only secure messaging but identity, quorum sensing and key splitting.

Cheng said the Quantum Computing Cyber Preparedness Act, sent to President Biden’s desk Friday, should become law given PQC’s momentum, but he has “slight” reservations about the OMB memo’s aggressive deadlines for agencies to declare a migration lead and to conduct an inventory audit.

“People are probably underestimating the time it will take because the entire migration — I’ve spoken to some very top-end cryptographers like the head of crypto at Microsoft and so on — our consensus is this is a multi-year migration effort,” Cheng said. “It will take 10 years, at least, to migrate.”

That’s because public-key encryption protects everything from Zoom calls to cellphones, and the National Security Agency isn’t yet recommending hybridization, which would allow for interoperability among the various NIST-approved algorithms and also whichever ones other countries choose. Agencies and companies won’t want to swap PKE out for new PQC algorithms that won’t work with each other, Cheng said.

Complicating matters further, NIST is approving the math behind PQC algorithms, but the Internet Engineering Task Force generally winds up defining connectivity standards. Post-Quantum’s hybrid PQ virtual private network is still being standardized by IETF, and only then can it be added to systems and sold to agencies.

Cheng recommends agencies not wait until their inventory audits are complete to begin talking to consultants and software vendors about transitioning their mission-critical systems because PQC expertise is in short supply. Large consulting firms have been “quietly” building out their quantum consulting arms for months, he said.

OMB’s latest memo gives agencies 30 days after they submit their cryptographic system inventory to submit funding assessments, a sign it won’t be an unfunded mandate, Sanzeri said. 

“This is showing that all of federal will be well into the upgrade process, certainly within 12 months,” he said.
