

Federal Tech Podcast: for innovators, entrepreneurs, and CEOs who want to increase reach and improve brand awareness
John Gilroy
The federal government spends $90 billion on technology every year.
If you are a tech innovator and want to expand your share of the market, this is the podcast for you to find new opportunities for growth.
Every week, Federal Tech Podcast sits down with successful innovators who have solved complex computer system problems for federal agencies. They cover topics like Artificial Intelligence, Zero Trust, and the Hybrid Cloud. You can listen to the technical issues that concern federal agencies to see if your company’s capabilities can fit.
The moderator, John Gilroy, is an award-winning lecturer at Georgetown University and has recorded over 1,000 interviews. His interviews are humorous and entertaining despite handling a serious topic.
The podcast answers questions like . . .
How can software companies work with the federal government?
What are federal business opportunities?
Who are the cloud providers who work with the federal government?
Should I partner with a federal technology contractor?
What is a federal reseller?
Connect to John Gilroy on LinkedIn
https://www.linkedin.com/in/john-gilroy/
Want to listen to other episodes?
www.Federaltechpodcast.com
Episodes

Nov 29, 2022 • 28min
Ep. 36 Federal Cybersecurity: Getting the Big Picture with Verizon’s DBIR
It is not just lemmings that follow the herd off a cliff; technology professionals are garden-variety humans and subject to herd thinking as well. If you try to keep up with trade publications, you are subject to the editorial selection of the people who run the periodicals, newspapers, blogs, newsletters, and podcasts. Catchy phrases pop up and put some joy into the drudgery of a daily tech column. You can take that from experience: I wrote over 500 weekly technology columns for The Washington Post. Occasionally, you need to get your head out of the sand for a wider perspective.

For each of the past fifteen years, Verizon has provided the community with the Data Breach Investigations Report, or the DBIR. During the interview, Melissa Gilbert tells listeners about the 23,816 incidents and 5,212 confirmed breaches included in the report. The data comes from over eighty contributing organizations around the world. She explains the difference between an event, an incident, and a breach, describes the data schema used for the report, and walks through its 4 A’s: Actor, Action, Asset, and Attribute. You can get your own copy of the free report here: The Verizon Data Breach Investigations Report

One of the key findings was the 13% increase in ransomware reported for 2021. If your agency has an initiative to prevent ransomware, you can be assured that you are not diving into an arcane topic. The conclusion is to focus on securing credentials: most of these attacks start with stolen credentials and then move deeper into the system.

Nov 6, 2022 • 22min
Ep. 34 Weaponized Files and Federal Security
In today’s interview, Darin Curtis from Menlo Security gives an overview of how to protect against a new category of threat. To describe it, he uses the acronym HEAT: Highly Evasive Adaptive Threats. Malicious actors leave no stone unturned in finding creative ways to attack federal technology.

We all know that the perimeter has been breached and that we must rely on Zero Trust Architecture. The next level of attack goes after the word “trust” itself. Traditionally, file formats like PDF have been treated as harmless. When most people get an email from a colleague with a PDF attached, they trust it. The same is true of the Excel and Word documents exchanged on a normal business day. Today, these files can carry malicious code, whether a macro, an embedded script, or an exploit for the viewer application.

Another approach takes advantage of that “trust” in HTML itself. Some malicious actors hide malware inside HTML, a technique called HTML smuggling. This time, instead of a PDF in an email, it may be an innocent-looking link. The page carries the payload as an encoded string and uses HTML5 features (the download attribute together with the JavaScript Blob and File APIs) to assemble the file inside the browser, so no recognizable executable crosses the network and a gateway filter sees only HTML and script.

During the interview, Darin reinforces the point that compliance does not ensure an agency is secure. Some studies show ransomware is one of the biggest single threats to government networks; the delivery mechanism can include these HEAT techniques. If this interview piques your interest in Menlo Security, you can download the free report titled “Modernizing Secure Access Through Zero Trust”.
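The HTML smuggling pattern described above, as an added example that is not part of the episode and not Menlo Security’s code: a small Python scanner that looks for the combination of client-side features a smuggling page needs (a long base64 literal, a decode step, Blob construction, an object URL, a forced download and a scripted click), extracts and decodes the embedded blob, and identifies it by its magic bytes. Both sample pages are constructed for this example; the “payload” is an inert byte string that merely begins with the PE header bytes.

```python
import base64
import binascii
import re

# Constructed sample pages, not from the episode or from Menlo Security.
# The "smuggled" payload is inert: it only starts with the PE magic "MZ".
SMUGGLED_PAYLOAD = base64.b64encode(b"MZ" + b"\x00" * 200).decode()

SMUGGLING_HTML = f"""<html><body><p>Your invoice is ready.</p>
<script>
  var b64 = "{SMUGGLED_PAYLOAD}";
  var bin = atob(b64);
  var bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.exe";
  a.click();
</script></body></html>"""

BENIGN_HTML = """<html><body><h1>Quarterly report</h1>
<a href="/reports/q3.pdf" download>Download PDF</a></body></html>"""

# Each indicator on its own is ordinary web code; the combination is what
# characterises a page that assembles a file on the client.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\(|\bUint8Array\b|charCodeAt"),
    "blob_construct": re.compile(r"new\s+Blob\s*\(|msSaveOrOpenBlob"),
    "object_url": re.compile(r"URL\.createObjectURL"),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*="),
    "auto_click": re.compile(r"\.click\s*\("),
}
# A long quoted base64 literal in script or markup.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")

MAGIC = [
    (b"MZ", "PE executable"),
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP/Office"),
    (b"\x7fELF", "ELF"),
]


def find_indicators(html):
    """Names of the smuggling indicators present in the page, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))


def extract_blobs(html):
    """Decode every long base64 literal that is valid base64."""
    blobs = []
    for literal in B64_LITERAL.findall(html):
        try:
            blobs.append(base64.b64decode(literal, validate=True))
        except binascii.Error:
            continue
    return blobs


def identify_payload(data):
    """Classify a decoded blob by its leading magic bytes."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def is_smuggling(html, min_indicators=3):
    """Verdict: several indicators plus an embedded blob to deliver."""
    return len(find_indicators(html)) >= min_indicators and bool(extract_blobs(html))
```

The verdict deliberately requires both the behavioural indicators and an embedded blob; a page that merely offers a link with a download attribute, like the benign sample, scores one indicator and no blob. In a mail or web gateway the decoded blob is what you would hand to a sandbox or AV engine, since it is the file the browser would have written to disk.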

Nov 5, 2022 • 20min
Ep. 33 Hybrid Cloud Management in Today’s Federal Data Landscape
Ten years ago, it was a major accomplishment to move an application from a federal on-premises server to the cloud. Fast forward to 2022. There is so much data flooding into the wide variety of clouds used by the federal government that the term “terabyte” is tossed around like a sticky note. New terms such as “data lake” and “data warehouse” are being coined to give some structure to the fire hose of zeros and ones. During this increase, large secure systems are being tasked with a transition to the cloud while preventing attacks and absorbing data twenty-four hours a day.

Federal leaders have seen the problem and have tried to develop ways to understand the data coming from networks, storage arrays, servers, and much more. At this scale, automation is the only way to present information in a form that lets someone make a decision. At one level, the challenge is getting observability into federal systems. Taken to the next level, can we harness that data to make predictive decisions?

Today’s interview with Andrew Churchill gives a view of how technology companies can combine to help manage the complex federal cloud. Rather than one ring to rule them all, he suggests assembling a team with disparate skills so that each unique skill set can be put to use. Andrew gives an overview of this approach in the interview and touches on automation and real-time operational intelligence. If you want a deeper dive, he suggests you attend an event called “Cloud Modernization with AWS and Qlik.” It will take place near the Metro in Rosslyn, Virginia on November 14, 2022, with subject matter experts with serious federal experience teamed with data scientists and analysts.

Nov 1, 2022 • 31min
Ep 32 Reducing Risk for Federal Software Supply Chains
Attacks on the software supply chain have grown by an average of 742% a year since 2019. It makes sense if you look at several factors. Years ago, a software developer wrote code as part of a large project and quite possibly had the chance to examine every aspect of that code for vulnerabilities. That transitioned to developers grabbing blocks of code from libraries; even then, they had at least a chance to review what they pulled from software repositories. Today, federal cybersecurity mandates and delivery deadlines push teams to move quickly by assembling applications from open-source components, and remote work and cloud transition have made projects so complex that, if anyone tried to examine each line of code in a project, it would never get done. One answer is to examine open-source components before they are incorporated into a project.

Today’s interview is with Dr. Stephen Magill from Sonatype. He gives a detailed description of how software developers can gain assurance that the code they ship is safe. He reminds the audience that, even with bespoke code, newer versions of dependencies must be adopted over the long haul, and each update is another chance to pull in a compromised component. Dr. Magill brings up an interesting aspect of software risk: artifacts. In this sense of the word, an “artifact” is a build output or packaged component (a jar, an npm tarball, a container image, a compiled library) that is stored in a repository and pulled into other builds. Because artifacts are consumed as-is, usually without anyone reading their source, they must be managed and verified as carefully as any binary an agency deploys.

If you would like more details about security and open-source software, consider downloading Sonatype’s annual report, the “2021 State of the Software Supply Chain.”
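One concrete way to treat artifacts as carefully as binaries, as an added example that is not from the episode and not Sonatype’s tooling: verify each downloaded package against the integrity hash pinned in the lockfile, and audit the lockfile itself for entries that lack a hash, use a weak algorithm, or resolve to a source outside the approved registry. The lockfile, the tarball bytes and the single allowed registry are all constructed assumptions for this example; the SRI string format (`sha512-<base64 digest>`) is the one npm records in package-lock.json.

```python
import base64
import hashlib
import hmac

STRONG_ALGS = ("sha256", "sha384", "sha512")
# Assumption for the example: the agency allows only the public npm registry.
ALLOWED_REGISTRIES = ("https://registry.npmjs.org/",)


def sri(data, alg="sha512"):
    """Build a Subresource-Integrity style string the way npm records it."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-" + base64.b64encode(digest).decode()


# Constructed artifact bytes standing in for a downloaded tarball.
LEFT_PAD_TGZ = b"constructed tarball bytes for left-pad 1.3.0"

# Constructed package-lock.json (v3 layout); not a real project's lockfile.
LOCKFILE = {
    "name": "agency-portal",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "agency-portal", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": sri(LEFT_PAD_TGZ),
        },
        "node_modules/colors": {            # no integrity hash at all
            "version": "1.4.0",
            "resolved": "https://registry.npmjs.org/colors/-/colors-1.4.0.tgz",
        },
        "node_modules/utils-x": {           # weak hash, unapproved source
            "version": "0.0.1",
            "resolved": "http://mirror.example.net/utils-x-0.0.1.tgz",
            "integrity": sri(b"whatever", "sha1"),
        },
    },
}


def verify_artifact(data, integrity):
    """True if the bytes match at least one strong hash in the SRI string.

    SRI strings may carry several space-separated entries; weak algorithms
    are ignored rather than trusted."""
    for entry in integrity.split():
        alg, _, b64 = entry.partition("-")
        if alg not in STRONG_ALGS:
            continue
        actual = hashlib.new(alg, data).digest()
        if hmac.compare_digest(actual, base64.b64decode(b64)):
            return True
    return False


def audit_lockfile(lock, allowed=ALLOWED_REGISTRIES):
    """Return (package, issue) findings for entries that cannot be verified
    or that resolve outside the approved registries."""
    findings = []
    for path, meta in lock["packages"].items():
        if path == "":                       # the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        integrity = meta.get("integrity", "")
        algs = [e.split("-", 1)[0] for e in integrity.split()]
        if not integrity:
            findings.append((name, "missing integrity hash"))
        elif not any(a in STRONG_ALGS for a in algs):
            findings.append((name, "weak integrity algorithm"))
        if not meta.get("resolved", "").startswith(allowed):
            findings.append((name, "resolved outside allowed registries"))
    return findings
```

Run `audit_lockfile` in CI before `npm ci` and fail the build on any finding; run `verify_artifact` against the bytes actually fetched, which catches a tarball that was swapped on a mirror or in transit even when the lockfile is clean.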

Oct 25, 2022 • 26min
Ep. 31 Improving Secure Access to Federal Systems
Sometimes, success means being in the right place at the right time. BeyondTrust has been active in the world of access control for decades. They hold seventy patents and have a well-earned reputation for deep knowledge of secure remote access. Before COVID hit, BeyondTrust was strong in a niche product category; when COVID forced commercial and federal systems to drastically increase remote access, BeyondTrust was ready. When cybersecurity experts started to recommend a concept called “Zero Trust,” BeyondTrust had “trust” right in their name!

BeyondTrust’s Josh Brodbent works with non-profit organizations like ATARC, sitting on committees to listen to the needs of the federal workforce. As a result, he has seen why people succeed at access control and, unfortunately, how they fail. One of his observations is that Multi-Factor Authentication alone may not be enough for a robust deployment of Zero Trust. The usual criticism of MFA is that common deployments deliver one-time codes over the public phone network, by SMS or voice call, where they can be intercepted or redirected. Josh points out a second problem: in his experience, larger organizations have so many security controls that humans get sick of being prompted. If you get hundreds of prompts a day, you end up with “MFA fatigue,” and attackers exploit it by flooding a user with push notifications until one is approved just to make them stop.

One innovation from BeyondTrust is a concept called “just in time” access. Rather than holding standing privileges, a user is granted elevated access for a specific task and a bounded period, and the grant expires on its own. When deployed correctly, approval is prompt, so the system stays usable while the window in which a stolen credential is worth anything shrinks. Another term Josh brought up was “dynamic access.” In the past, dynamic access was designed for on-premises applications, where there were a few rules to consider, but not many. Today, we see private clouds, public clouds, and hybrid clouds, a wide range of systems that can turn a complex process like dynamic access into a source of delay.
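The MFA fatigue problem described above is detectable from authentication logs. The following is an added example, not from the episode and not BeyondTrust’s product logic: it runs two rules over a constructed log of push-MFA events, one for “push bombing” (too many prompts to one user in a short window) and one for the fatigue signature itself (an approval that follows a run of denials). The log format, thresholds and window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
PUSH_THRESHOLD = 5    # push prompts within WINDOW that count as bombing
DENY_THRESHOLD = 3    # denials within WINDOW before an approval

# Constructed log: "<timestamp> <user> <event> <source ip>". alice is being
# bombed and finally gives in; bob and carol are normal users.
SAMPLE_LOG = """
2022-10-25T08:00:01Z alice push_sent 203.0.113.7
2022-10-25T08:00:30Z alice push_denied 203.0.113.7
2022-10-25T08:01:05Z alice push_sent 203.0.113.7
2022-10-25T08:01:30Z alice push_denied 203.0.113.7
2022-10-25T08:02:10Z alice push_sent 203.0.113.7
2022-10-25T08:02:40Z alice push_denied 203.0.113.7
2022-10-25T08:03:15Z alice push_sent 203.0.113.7
2022-10-25T08:03:45Z alice push_denied 203.0.113.7
2022-10-25T08:04:20Z alice push_sent 203.0.113.7
2022-10-25T08:05:25Z alice push_sent 203.0.113.7
2022-10-25T08:06:00Z alice push_approved 203.0.113.7
2022-10-25T08:10:00Z bob push_sent 198.51.100.20
2022-10-25T08:10:20Z bob push_approved 198.51.100.20
2022-10-25T09:00:00Z carol push_sent 192.0.2.44
2022-10-25T09:00:30Z carol push_denied 192.0.2.44
2022-10-25T09:20:00Z carol push_sent 192.0.2.44
2022-10-25T09:20:15Z carol push_approved 192.0.2.44
"""


def parse_log(text):
    """Parse lines into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)


def detect_mfa_fatigue(events):
    """Return alert dicts for push bombing and fatigue approvals."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    for user, evs in by_user.items():
        sent = [t for t, _, e, _ in evs if e == "push_sent"]
        denied = [t for t, _, e, _ in evs if e == "push_denied"]

        # Rule 1: sliding window over prompt timestamps.
        start = 0
        for i, t in enumerate(sent):
            while t - sent[start] > WINDOW:
                start += 1
            if i - start + 1 >= PUSH_THRESHOLD:
                alerts.append({"user": user, "rule": "push_bombing",
                               "at": t.isoformat(), "pushes": i - start + 1})
                break

        # Rule 2: an approval preceded by repeated denials is the user giving in.
        for t, _, e, ip in evs:
            if e != "push_approved":
                continue
            recent = [d for d in denied if t - WINDOW <= d <= t]
            if len(recent) >= DENY_THRESHOLD:
                alerts.append({"user": user, "rule": "fatigue_approval",
                               "at": t.isoformat(), "denials_before": len(recent),
                               "ip": ip})
    return alerts
```

The second rule is the one worth paging on: a fatigue approval means the attacker already holds a valid password and has just obtained a session, so the response is to revoke that session and reset the credential, not merely to throttle prompts. The first rule is an earlier, lower-confidence signal that lets you lock the account before the user gives in.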

Oct 18, 2022 • 28min
Ep. 30 A Guide to Understanding Federal Identity Management
Guidehouse is a well-known consulting company with a two-word motto, “outwit complexity.” They have a track record of working on complex federal projects in areas ranging from health sciences to artificial intelligence. Today we sit down with Christine Owen, whose two-word title is “Identity Evangelist.”

The federal government has been encouraging agencies to get serious about identity. We can list announcements from the Executive Office of the President, NIST, Homeland Security, and even the Office of Management and Budget. The motivation has been the COVID-inspired move to the cloud. If it were just one cloud, there would be few issues. The complexity begins when clouds become dependent on other systems, whether on-premises or in a hybrid cloud. Identity seems to be the best way to assure security.

Christine has a legal background and, as a result, keeps a keen eye on the implications of the plethora of standards and regulations promulgated about identity. That is not to say she isn’t technically competent. For example, she can articulate the three ways to become phishing resistant. Additionally, she can explain very clearly the implications of Role Based Access Control versus Attribute Based Access Control. Organizations like the National Security Telecommunications Advisory Committee (NSTAC) have published reports implying that the transition to Zero Trust may end up being an incomplete experiment. Listen to the interview to get a balanced and detailed observation on identity management in complicated federal systems.
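To make the RBAC versus ABAC distinction concrete, here is an added example that is not from the episode and not Guidehouse’s material: the same users and resources evaluated first by a pure role table, then by an attribute policy that also considers clearance, releasability, authenticator strength and device state. The users, roles, resources and attribute values are all constructed for the example.

```python
# Role-based: who you are maps to a fixed set of permissions.
ROLE_PERMISSIONS = {
    "analyst": {"read:report"},
    "admin": {"read:report", "write:report", "delete:report"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}


def rbac_allows(user, action):
    """RBAC: allowed if any of the user's roles carries the permission."""
    return any(action in ROLE_PERMISSIONS[role] for role in USER_ROLES.get(user, ()))


# Attribute-based: the decision also depends on properties of the subject,
# the resource and the context of the request. All values are constructed.
CLEARANCE_RANK = {"unclassified": 0, "confidential": 1, "secret": 2}
PHISHING_RESISTANT = {"piv", "fido2"}   # authenticator types that qualify

SUBJECTS = {
    "alice": {"clearance": "secret", "agency": "DHS", "authn": "piv"},
    "bob":   {"clearance": "secret", "agency": "DHS", "authn": "sms_otp"},
}
RESOURCES = {
    "incident-report-17": {"classification": "secret",
                           "releasable_to": {"DHS", "CISA"}},
    "press-release-3":    {"classification": "unclassified",
                           "releasable_to": {"DHS", "CISA", "public"}},
}


def abac_decide(user, resource, action, context):
    """ABAC: return (allowed, reason). Each attribute check is a separate
    rule so that a denial explains itself."""
    s, r = SUBJECTS[user], RESOURCES[resource]
    if CLEARANCE_RANK[s["clearance"]] < CLEARANCE_RANK[r["classification"]]:
        return False, "clearance below classification"
    if s["agency"] not in r["releasable_to"]:
        return False, "not releasable to subject's agency"
    if r["classification"] != "unclassified":
        if s["authn"] not in PHISHING_RESISTANT:
            return False, "classified data requires phishing-resistant authentication"
        if not context.get("managed_device", False):
            return False, "classified data requires a managed device"
    if action != "read" and not context.get("on_network", False):
        return False, "writes only from the agency network"
    return True, "ok"
```

The contrast is the point: the role table happily lets bob, an admin, read and delete any report, while the attribute policy denies him the classified one because he signed in with an SMS code. Roles stay useful for coarse grouping; attributes are where Zero Trust conditions (authenticator strength, device posture, network location) actually live.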

Oct 11, 2022 • 31min
Ep. 29 Cybersecurity Training for the Federal Government
Everyone working for the federal government knows that basic security training is mandated. Still, incidents are reported in many agencies. That begs the question: is basic training enough? If it isn’t, what options are available? As a rule, much of the training available is highly technical and best suited for systems administrators; the excellent technical training offered by the SANS Institute is a good example. However, malicious actors target everyone with phishing attacks, so it seems reasonable to consider a human-focused training regime. Otherwise we may have a situation where the top of the pyramid understands sophisticated attacks, yet the vast majority remain vulnerable. A recent article in Axios concluded that organizations find it easy to underestimate cyber attacks and to under-train employees in cybersecurity.

Erich Kron is a Security Awareness Advocate for a company called KnowBe4. They provide a long list of free tools to help you, and your team, understand some of the basic concepts for preventing social engineering, ransomware, and phishing. During the interview, Erich details the impact of training on a group’s susceptibility to common phishing scams. KnowBe4 takes an actual attack, makes a reasonable copy, and incorporates it into the training they offer. Not textbook, but very practical. Listen to the interview to gain a better understanding of return on investment for security training and to hear what Erich has to say about the vulnerabilities of using phones for remote work.

Oct 4, 2022 • 25min
Ep. 28 Can knowledge gleaned from the Criminal Underground help protect federal agencies?
In the commercial world, companies do competitive evaluations. In fact, after hundreds of appearances on live television, I can confirm that each station has the other stations on screens around the office. Well, why not look at the dark web and learn what the malicious actors are discussing? After all, “Know thy enemy and know yourself; in a hundred battles, you will never be defeated” is a well-known quote from Sun Tzu.

Joe Bagnal from SpyCloud has credentials that are above reproach, having graduated from West Point and served at the highest levels in the federal government. During the interview, he talks about fraud prevention, account takeovers, and much more. The Credential Exposure Report from SpyCloud provides some stunning numbers: a 64% password reuse rate, and 687 million records containing Personally Identifiable Information available in dark corners of the Internet.

One of the trending phrases in software development is “shift left,” a general term suggesting that security should be built into the development process from the start, not bolted on after a system has been through testing. In a similar vein, Joe Bagnal says that if a system administrator has advance knowledge of an attack, such as knowing that an employee’s credentials are already circulating, then appropriate precautions can be taken before those credentials are used. The discussion includes insight into threats to operational technology and brings to light some thoughts on advances in identity and access management.
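Two of the ideas above, checking whether a credential is already exposed and measuring password reuse, can be shown in a few dozen lines. This is an added example, not from the episode and not SpyCloud’s service or data: the “exposed credential corpus” and the per-user credential records are constructed, and the lookup uses the k-anonymity range-query pattern (send only the first five hex characters of the SHA-1, compare the suffix locally) so the checking party never sees the password or its full hash.

```python
import hashlib
from collections import defaultdict

# Constructed corpus standing in for a breach-data service. Real services
# store hashes, not plaintext; these strings exist only to build the hashes.
EXPOSED_PASSWORDS = ["password123", "Welcome1!", "letmein", "Summer2022", "P@ssw0rd"]
EXPOSED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in EXPOSED_PASSWORDS}


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


def range_lookup(prefix):
    """Server side of a k-anonymity range query: given five hex characters,
    return every matching hash suffix. The server never learns which one,
    if any, the caller actually holds."""
    if len(prefix) != 5:
        raise ValueError("prefix must be five hex characters")
    return sorted(h[5:] for h in EXPOSED_SHA1 if h.startswith(prefix))


def is_exposed(password):
    """Client side: hash locally, query by prefix, compare the suffix here."""
    full = sha1_hex(password)
    return full[5:] in range_lookup(full[:5])


# Constructed (user, service, password) records of the kind a breach-data
# broker correlates. Plaintext only because the data is made up.
RECORDS = [
    ("alice", "mail", "Summer2022"), ("alice", "vpn", "Summer2022"),
    ("bob", "mail", "c4c5b1a2-unique"), ("bob", "vpn", "9e7f-other"),
    ("carol", "mail", "letmein"), ("carol", "vpn", "letmein"), ("carol", "hr", "different"),
    ("dave", "mail", "only-one-account"),
]


def reuse_rate(records):
    """Share of users holding credentials at two or more services who used
    the same password at more than one of them."""
    by_user = defaultdict(list)
    for user, _, pw in records:
        by_user[user].append(pw)
    multi = {u: pws for u, pws in by_user.items() if len(pws) >= 2}
    if not multi:
        return 0.0
    reusers = sum(1 for pws in multi.values() if len(set(pws)) < len(pws))
    return reusers / len(multi)


def exposed_users(records):
    """Users whose current password already appears in the exposed corpus;
    these are the accounts to reset before an attacker tries them."""
    return sorted({u for u, _, pw in records if is_exposed(pw)})
```

The range query is the part worth copying: it lets a password-change form or an identity provider reject an already-leaked password at the moment it is set, without shipping the password, or a full hash of it, to a third party.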

Sep 27, 2022 • 32min
Ep. 27 Using Technology to Build Trust in the Federal Government
We are living in challenging times; citizen trust is waning. Pew Research has a telling finding on citizen trust: “Only two-in-ten say they trust the government in Washington to do what is right ‘just about always.’” COVID has forced citizens to seek information from the federal government about health issues, financial support, and taxes. Just recently, there was a drastic increase in citizens seeking information about federally backed loans. When it comes to citizens looking for information, we can list FEMA, air travel, Social Security, and even small business loans as candidates for improved service.

The Biden Administration realized that many were getting frustrated with federal online services and issued an Executive Order (EO) in December of 2021 that gave a thorough list of ways to improve them: thirty-six customer experience commitments spread among seventeen agencies. The EO hits on subjects like consistency, self-service, secure identification, navigation, and even responsive assistance.

During this interview, Brian Chidester from Genesys provides ideas on how to improve customer service. He delves into un-government-like topics like return on investment and having empathy with the needs of citizens. He suggests that there are systems that can leverage artificial intelligence to take predictive analytics to a new level. For example, if you are contacting a call center, some systems can route your call to the person best able to handle your issue, based on many factors. Brian Chidester gives an overview of automation that can improve case status tracking and provide citizens information in the context of a secure federal system.

Sep 20, 2022 • 27min
Ep. 26 Using Artificial Intelligence to Reach Federal Agency Goals
World famous Brian Papp from CISA has the best line when it comes to justifying the use of Artificial Intelligence in federal projects: “There is too much data and not enough people to understand it.” Bingo. We are living in a world where the term “petabyte” is tossed about like a can of beans. Sensors are in the ocean, on moving vehicles, and in outer space. The federal government needs to collect data from fields as far ranging as financial derivatives and the miles per gallon of a post office truck. Until recently, few universities and colleges offered degrees in artificial intelligence, so much of what practitioners learn consists of anecdotes and case studies that may have applications in the federal world. There is no doubt that artificial intelligence can provide benefits to the federal government. Studies have shown that, when deployed properly, artificial intelligence can streamline a user’s online experience, automate processes, and make better use of data.

Paul Dillahay is the CEO of a company boldly called Empower.ai. His company bet on artificial intelligence before it became a buzzword at places like Gartner and Forrester Research. During the interview, he reviews the benefits of artificial intelligence at agencies like the GSA and the Commodity Futures Trading Commission. Paul suggests starting with quality data to get the best results. From that base, he recommends that any initiative align properly with agency goals; clean data that is tagged and sorted may have no value if it is not producing the result the agency is charged with delivering. The infrastructure must be optimized, and you should start with small steps to prove the application. The conversation began and ended with trust. The Executive Order from 2020 talks about “trustworthy” artificial intelligence. It is one thing