Vulnerabilities, the Search for Buried Treasure, and the US Government

oodaloop | January 14, 2020

Most weeks, it is far outside the normal job responsibilities of cybersecurity professionals to understand what the United States (or other governments) do to find or use computer vulnerabilities. Just stay patched and keep the board of directors happy. This is not one of those weeks. This week we learned that the National Security Agency disclosed to Microsoft that it had discovered a major vulnerability (dubbed CVE-2020-0601) in Windows 10. A Washington Post article, by veteran cyber journalist Ellen Nakashima, declared this to be “a major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks.” This unique story puts the spotlight on vulnerabilities and the U.S. government process for determining whether to disclose or retain a vulnerability. This first half of a two-part article examines these issues, while the second half assesses that program and the implications for enterprise technologists.

Spotlight

The Broward County Board of County Commissioners’ goals, with the CreativeBROWARD 2020 community cultural plan, provides the vision for the future. The Broward Cultural Division (BCD) continues to strive to improve the cultural environment, whether it is the physical aesthetics, economic impact or the experience of the audience or participation in making art. The BCD encourages and welcomes public involvement at over 40 workshops held throughout the year and the Annual Planning Forum. The BCD portfolio of services includes community cultural planning, public information, financial incentives and marketing, technical assistance and capacity building programs, public art & design, arts education and artist fellowships. The Division produces the Broward County Arts Teacher of the Year awards ceremony, in partnership with the Business for the Arts of Broward, held annually in the fall honoring outstanding Broward County arts educators and arts students in various disciplines. An intensive needs assessment throughout the entire community, including participation of more than 1,000 individuals, resulted in a ten-year community cultural plan CreativeBROWARD 2020. The CreativeBROWARD 2020 community cultural and economic development plan calls for bold new directions for cultural development and local arts agency management. The plan includes 49 recommendations that focus on diversity, the creative economy, public art and cultural tourism. Since the plan’s implementation in late 2010, 16 of the formal recommendations have already been completed and 16 are underway.


Other News
GOVERNMENT BUSINESS

GovOS Announces New Partnership with the Vermont Short-Term Rental Alliance

GovOS | May 17, 2022

GovOS, a leading provider of digital transformation solutions for local governments, announced it is partnering with the Vermont Short-Term Rental Alliance (VTSTRA), a nonprofit business association for vacation rental owners and short-term rental (STR) hosts operating in Vermont. The partnership will support both organizations in their ongoing efforts to encourage responsible renting through expanded access to resources and software solutions that promote healthy STR communities.

"The VTSTRA is dedicated to helping make vacation rentals a responsibly-operated and reasonably-regulated part of Vermont's culture, economy, and way of life," said Julie Marks, Founder, Director, and Board President of the VTSTRA. "GovOS has extensive experience helping local governments improve engagement with STR communities in their jurisdiction. That experience combined with our own expertise and educational resources will help us build a stronger, more sustainable lodging ecosystem throughout Vermont."

VTSTRA's mission is to establish standards that protect the well-being of Vermont's STR hosts, guests, neighbors, and communities, while also supporting policies that incentivize smart growth development to correct the deficiency in the state's housing supply. The VTSTRA advocates for the use of STR registration systems to help ensure operators are aware of and adhere to legislation at the state and local levels.

"GovOS is aligned with VTSTRA's desire to support STR hosts and the communities in which they operate. From its inception, GovOS has taken a holistic approach to offering solutions that have a positive impact. By supporting local governments and the communities they serve, we have fundamental insight into what citizens, businesses, and government agencies need to achieve their goals. Our companies' shared interest in advocating for more awareness, understanding, and cooperation is what makes this partnership so valuable."
Kevin Lafeber, President, GovOS

Chosen by communities across the U.S., the GovOS STR solution helps local governments understand and mitigate the impacts of STRs on their community and the local economy. In addition to the identification and compliance components, GovOS STR provides an industry-leading registration system for local communities that require STR operators to apply for a license. The solution also supports tax collection (including both state and local lodging taxes, where applicable) as well as a 24/7 bilingual complaint hotline for local residents. The system is designed to provide a comprehensive solution that helps improve engagement between STR operators and their government agencies.

About the Vermont Short-Term Rental Alliance (VTSTRA)

The VTSTRA is a nonprofit business association for vacation rental owners and short-term rental hosts operating in Vermont. The VTSTRA works collaboratively with state and municipal lawmakers to craft regulatory solutions that will effectively mitigate potential negative impacts on Vermont communities while protecting the vital economic opportunity that the STR industry brings to Vermont.

About GovOS

GovOS is the leading digital transformation platform for local governments. Headquartered in Austin, TX, GovOS serves government agencies of all sizes across the United States. Through its secure and integrated suite of cloud-based solutions, governments can automate and streamline operations, provide seamless access to resources and information, and deliver cutting-edge digital services to businesses, residents and agencies.


CYBERSECURITY

BedRock Systems Joins United States National Cybersecurity Excellence Partnership (NCEP) Program

BedRock Systems | June 06, 2022

BedRock Systems, the leading software company delivering an unbreakable foundation for secured computing from edge to cloud, announced it has joined the National Cybersecurity Excellence Partnership (NCEP) program. NCEP is a collaborative public-private partnership between U.S. companies and the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE), formed to advance the state of cybersecurity practice in the United States.

“It’s an honor to participate in the NCEP program. Through partnership and collaboration with NCCoE and other NCEP participants, we look forward to identifying pressing cybersecurity challenges and driving innovations that bolster the security of U.S. information systems.”
John Walsh, SVP Strategy and Business Development at BedRock Systems

BedRock Systems joins a community of NCEP partner companies that have pledged to provide hardware, software, and expertise to foster rapid adoption and broad deployment of integrated cybersecurity tools and techniques and address technology gaps affecting multiple sectors of the economy. In addition to contributing equipment and other products to the NCCoE’s test environments, partner companies can designate guest researchers to collaborate and work with NCCoE researchers at the center, in person or remotely. To address the challenges of securing the country’s IT environments, the NCCoE has developed 167 publications, which have been downloaded more than 1 million times.

In addition to joining the NCEP program, BedRock Systems has participated in reviewing NIST’s recent Special Publication 1800-32, titled “Securing Distributed Energy Resources: An Example of Industrial Internet of Things Cybersecurity.”

“Fostering collaboration and leveraging the expertise that exists across the private and public sectors is an important part of NCCoE’s strategy to drive innovation and address technology gaps affecting critical systems and industries,” said Jim McCarthy, Senior Security Engineer, National Cybersecurity Center of Excellence (NCCoE). “We are pleased to have BedRock Systems join the community of NCEP partners who help NIST and NCCoE design, build, deploy, and document standards-based solutions that can be leveraged across multiple segments in our economy.”

McCarthy recently joined BedRock for a webinar discussion on Dissecting Critical Infrastructure Risks: The Double-Edged Sword of Interoperability. The expert panel of cybersecurity professionals discusses requirements and challenges related to connecting the OT and IT systems that power critical infrastructure.

About BedRock Systems

BedRock Systems is the leading software company delivering an unbreakable foundation for secured computing from edge to cloud. Designed on the principles of Zero Trust and formal methods, BedRock Systems provides unprecedented levels of security and resiliency to the world’s most critical systems and infrastructure. Industries like Financial Services/DeFi, Government, Defense, Healthcare, Pharmaceutical and critical infrastructure sectors all use BedRock to improve cyber security, reduce cost and unlock new revenue by enabling innovation, even while under attack. BedRock your applications and workloads today.


GOVERNMENT BUSINESS

Governments Face Urgent Demand for Digital Solutions and E-services; Low-Code Proves Value as Go-To Platform

Mendix | May 31, 2022

According to Mendix, a Siemens business and global leader in modern enterprise application development, the convergence of post-pandemic trends and technological advancements is fundamentally reshaping the distribution, provision, and access to e-government and digital-first services for the public sector. Although the emergence of data-driven, tech-enabled "Smart Cities" dates back to 1974, pandemic-related mitigation measures required the public sector to reinvent secure, accessible digital channels for constituents and workforce administrators. Recent findings by the U.S.-based National Association of State CIOs describe a seismic shift in the pace of digitalization by state and local agencies that felt like "10 years' worth of deployments in 8 months." However, the successful expansion of e-government services has raised expectations for government agility and responsiveness by administrators, constituents, policy makers, and regulators alike. Research shows accelerating numbers of use cases — generated by increased demand for next-generation cloud-based computing, artificial intelligence, Internet of Things, 5G connectivity, and hyperautomation — for federal, state, and local agencies to digitalize their services and planning processes. Yet analysts also cite the public sector's long-established oversight, budgeting, and procurement requirements as a potential bottleneck to rapid transformation.

E-government for future needs and rising expectations

To navigate this perfect storm, a low-code software development platform with a robust ecosystem has proven invaluable for public sector agencies tasked with reinventing digital government for a new era. During the pandemic, Mendix public sector customers developed scalable, innovative digital solutions embraced by a range of policy makers and agencies. Today, there is no going back. Public agencies are expected to make decisions at speed and deliver value in real time.

"Governments can no longer operate in a reactive mode. In our complex, volatile era, the public sector must leverage technology to collaborate across multiple jurisdictions and successfully engage with constituents."
Mark Smitham, head of public sector EMEA at Mendix

According to Gartner, 60% of worldwide public agencies expect to triple their citizen-facing digital services by 2023. On the national level, governments are heeding the call to modernize critical legacy applications to be more responsive in this changing landscape. In the U.S., for example, a bipartisan proposal moving through Congress would prioritize replacing federal legacy IT systems with modern infrastructure. Low-code software development platforms are uniquely positioned to help the public sector maximize allocated resources while rapidly iterating and deploying innovative solutions. Here are five ways that best-in-class software development platforms will drive digital success for public sector needs.

Composable solutions, tailored for future needs

Research shows that government employees have the highest usage of shadow IT, turning to these workarounds when red tape and other barriers halt procurement of the technology they need to get the job done. Such ad-hoc solutions expose the organization to increased risk of cyber hacking. Plus, commercial off-the-shelf systems from single-solution vendors can prove costly later, when unexpected crises or changing conditions require customization for new use cases. A robust software development platform, on the other hand, is specifically designed for iterative collaboration. Open architecture with built-in governance and connectivity control can stabilize an agency's provision of digital services regardless of procurement cycle timing or budget allocation. Gartner analysts recently cited the use of composable software apps (characterized as modular, adaptable, and reusable digital solutions) as the most important factor for government enterprises tasked with meeting changing regulatory, legislative, and public expectations.

Modernizing legacy systems for new needs

Widespread support for public sector digitalization is driving the accelerated pace of legacy modernization. Local and regional governments are charting the impact of IoT and connected devices, AI, and 5G connectivity to achieve operational efficiencies across a range of services, including traffic and transportation flows, energy use and lighting, health monitoring of waste, water, and air quality, public works and safety, emergency services, and resource planning and allocation. Technology has always been an essential ingredient for a range of local services. The next phase, however, will come from hyperconnected public infrastructure. The ultra-low latency of long-promised 5G connectivity linking massive, multiple connections of IoT sensors will be the linchpin that makes real-time decision-making at scale a reality for the public sector. "This will be a game-changer, enabling the promise of smart cities to become a widespread reality," Smitham said. He cautions, however, that ease of data integration across the digital ecosystem will determine progress or delay. "An adaptable, flexible low-code platform that extends the technology stack in a malleable way will allow service providers to stay current with changing technologies, partners, and services," said Smitham. "Mendix's low-code platform can be the glue enabling communication and integration across these different protocols."

Security by design, embedded from the start

In today's high-threat environment, enhanced cybersecurity, data protection, and trustful interactions across e-government's digital ecosystem are top of mind for public sector managers. Even minor government transactions can potentially lead to financial and reputational exposure and loss if not adequately protected. "What used to be an afterthought must be embedded into systems, infrastructure, and implementation standards," said Smitham. Citing the Charter of Trust and the Paris Call for Trust and Security in Cyberspace, an international framework signed by 1,200 governments, NGOs, and academic institutions, he added, "Digital security must be addressed from the very beginning. It's not something that can be added later, piecemeal." The public sector must vet potential software development platforms for governance, control, and monitoring of activity across the application landscape. They should seek out platform providers with the highest level of third-party certifications and accreditations, such as ISO, the benchmark of global compliance for information security. Another layer of protection is found in strategic partnerships. Microsoft operates the global, nonpartisan Defending Democracy program to protect election infrastructure, including emails and networks of voters, political parties, and staff. CloudFlare specializes in endpoint security software as a service, protecting, for example, hospital networks and infrastructure. Cloud-based hyperscalers, including Alibaba, Amazon Web Services, Google, Huawei, and Microsoft, operate at the highest level of security and oversight, employing large contingents of software engineering talent to operate safe and secure cloud platforms.

A key to the city that safely unlocks silos

The next challenge facing e-government? Providing an accurate, digital "proof of identity" that will unlock the full potential of e-government services, expanding access while reducing costs. There are, however, two interrelated challenges: First, the public must trust how agencies collect, store, safeguard, and control access to sensitive information, such as tax and health records, welfare payments, certifications, licensing, and more. At the same time, government services must find a way to share and validate ID credentials across agency silos, creating what researchers term "digital identity ecosystems." Three EU countries, Belgium, the Netherlands, and Estonia, have pioneered a single identity registration service that validates digital services for constituents regardless of geographic location. But for most countries, including the U.S. and the United Kingdom, hybrid systems of paper-based identification — passports, driver's licenses, social security cards, insurance cards, and biometric scans of fingerprints — are standard practice. According to Smitham, low-code platforms have a unique advantage in building and managing digital identity ecosystems. "Connecting securely to other systems and data sets easily and readily is the fundamental driver for adopting an enterprise software development platform," he said. "It doesn't matter whether the customer is a bank, a store, or a government agency." Platforms with certified governance and control capabilities will integrate identity authentication via secure, low-code built connectors. Smitham added, "This is the future of digital public services."

Don't reinvent the wheel when it's possible to share

Around the world, municipal agencies provide constituents with similar services, be it tax collection, waste management, traffic and parking enforcement, emergency services, birth or marriage registration. Unlike private enterprises seeking competitive advantage, public sector organizations are free to collaborate and share digital solutions, thereby driving innovation and speeding time to value. Furthermore, public sector activity must be transparent, responding to feedback from multiple stakeholders. When public trust evaporates, solutions can prove controversial, as evidenced by the recent IRS proposal to use facial recognition scans for U.S. taxpayers. "Cities have begun sharing best practices on regulating public sector uses of AI," says Smitham. "Less well-known are the multitude of digital services that have been successfully delivered and adopted. Public agencies become more agile and responsive when they collaborate and share their approaches for modernizing their practices and prioritizing technology adoption." Such collaboration also extends the public sector's digital skill set and reduces the burden on under-resourced IT departments. Smitham cited the EU's powerful "Research Online Platform" application that tracks side effects of Covid-19 vaccines. The digital tool was built on the Mendix platform in collaboration with the European Medicines Agency and the University Medical Center Utrecht in the Netherlands, and is now used in 45 countries. "The solution enables researchers to collect data internationally on a secure, scalable cloud platform with anonymized user profiles, balancing technological innovation with public needs for privacy and security," he said.

Digital solutions for the benefit of all

The new era of expanded e-government services has the potential to advance sustainability and civic engagement and to promote economic prosperity. "Low-code software development and platform integration will speed the public sector towards this goal, removing the pain points caused by monolithic processes, legacy systems, and proprietary architecture," said Johan den Haan, chief technology officer at Mendix. "Digital solutions that empower both end users and local governments while leveraging the flexibility of today's technology, tools, and services will greatly expand the public commons for every 21st century citizen."

About Mendix

In a digital-first world, customers want their every need anticipated, employees want better tools to do their jobs, and enterprises know that sweeping digital transformation is the key to survival and success. Mendix, a Siemens business, is quickly becoming the engine of the enterprise digital landscape. Its industry-leading low-code platform and comprehensive ecosystem integrate the most advanced technology to support solutions that boost engagement, streamline operations, and relieve IT logjams. Built on the pillars of abstraction, automation, cloud, and collaboration, Mendix dramatically increases developer productivity and empowers a legion of not-so-technical, 'citizen' developers to create apps guided by their particular domain expertise, facilitated by Mendix's engineered-in collaborative capabilities and intuitive visual interface. Recognized as a leader and visionary by leading industry analysts, the platform is cloud-native, open, extensible, agile, and proven. From artificial intelligence and augmented reality to intelligent automation and native mobile, Mendix is the backbone of digital-first enterprises. The Mendix enterprise low-code platform has been adopted by more than 4,000 leading companies in 46 countries.


CYBERSECURITY

New Black Kite Research Reveals Top 100 U.S. Defense Contractors at Risk for Ransomware Attack

Black Kite | May 26, 2022

Black Kite, the leader in third-party cyber risk intelligence, released Centralizing Supply Chain Cybersecurity: U.S. Federal Government Risk in 2022, which finds cyber risks for top defense contractors are rising. Most notably, 72% of contractors have had at least one leaked credential in the last 90 days – a 71% increase from six months ago.

“In today’s geopolitical landscape, the federal sector is under constant threat of cyberattack. There’s a heightened sense of urgency to protect critical infrastructure and the nation -- but hackers across the globe are getting better at flying under the radar. Some of the most critical federal agencies are unprotected, which leaves our country vulnerable and at risk. Our latest research highlights the need for better third-party cyber risk intelligence, and where to start today.”
Bob Maley, CSO of Black Kite

Black Kite Research analyzed the top 100 U.S. defense contractors’ overall cyber hygiene, including susceptibility to ransomware attacks, and compared the data against its 2021 report. In addition to the alarming increase in leaked credentials, key findings include:

- The cyber posture of defense contractors in critical technical categories (such as credential management, Secure Socket Layer (SSL) / Transport Layer Security (TLS) strength, and application security) is dangerously low.
- Nearly half (46%) of defense contractors are three times more likely to experience a cyber breach than those with “A” technical ratings (on a scale from A to F).
- 32% are vulnerable to ransomware attacks such as phishing – and 20% of agencies examined in last year’s report are still vulnerable, meaning quick improvement is critical.
- 17% utilize out-of-date systems, creating a critical vulnerability for ransomware attacks.

According to a survey of government organizations by Sophos, 40% of central government and 34% of local government organizations experienced a ransomware attack in the past year. A Private Industry Notification recently issued by the Federal Bureau of Investigation’s Cyber Division finds that “ransomware attacks against local government entities are especially significant due to the public’s dependency on critical utilities, emergency services, educational facilities, and other services overseen by local governments.” With the government being one of the largest holders of personal identifying information (PII), these entities are desirable targets for cyber criminals.

“Government agencies are prime targets for hackers due to the sheer amount of data they possess. It’s a virtual candy store for those with malicious intent,” said Jeffrey Wheatman, SVP and Cyber Risk Evangelist (CRE) of Black Kite. “Understanding third-party susceptibility to cyber threats must come first as contractors look to reduce their risk. At Black Kite, we’re committed to helping the most critical agencies safeguard their data – and in doing so – safeguard the information of all citizens.”

Black Kite provides third-party cyber risk intelligence from a technical, financial, and compliance perspective to eliminate false positives and ensure a holistic approach to vendor risk management. In addition to Centralizing Supply Chain Cybersecurity: U.S. Federal Government Risk in 2022, Black Kite issues an annual Third-Party Breach Report as well as regular risk assessment reports on the automotive manufacturing, energy and insurance sectors.

About Black Kite

One in four organizations suffered from a cyber attack in the last year, resulting in production, reputation and financial losses. The real problem is that adversaries attack companies via third parties, island-hopping their way into target organizations. At Black Kite, we're redefining vendor risk management with the world’s first global third-party cyber risk monitoring platform, built from a hacker's perspective. With 350+ customers across the globe and counting, we're committed to improving the health and safety of the entire planet's cyber ecosystem with the industry’s most accurate and comprehensive cyber intelligence. While other security ratings service (SRS) providers try to narrow the scope, Black Kite provides the only standards-based cyber risk assessments that analyze your supply chain's cybersecurity posture from three critical dimensions: technical, financial and compliance.
