Conrad joins Accenture, feds fine-tune stingray policies and more

Conrad joins Accenture Federal Services

Kathy Conrad, who stepped down in July from her General Services Administration post, has had her summer break and is back on the job -- this time at Accenture Federal Services.

Her new title is director of digital government; Oct. 21 was her first day on the job.

Conrad told FCW that her job will focus on "providing leadership for federal agencies' digital transformation initiatives" and delivering "solutions that further improve citizen services."

At GSA, Conrad was deputy associate administrator of the Office of Citizen Services and Innovative Technologies. A three-time Federal 100 winner, she was a central figure in the Obama administration's launch of 18F, Data.gov, Connect.gov and the Federal Risk and Authorization Management Program for cloud security. She also served as acting leader of OCSIT and 18F for much of 2014.

DOJ, DHS defend stingray policies while leaving some questions unanswered

In an Oct. 21 hearing of the House Oversight and Government Reform Committee's Information Technology Subcommittee, representatives of the Homeland Security and Justice departments touted their new policies governing the use of cell phone tower simulators -- known generically as stingrays -- but weren't able to answer several key questions.

Thanks to the new DHS and DOJ policies, most federal law enforcement agencies will need a warrant to deploy a stingray, said Rep. Ted Lieu (D-Calif.). The devices work by tricking cell phones into emitting identifying data that can be used to track suspects.

Although the policies block stingrays from taking texts, email messages and other data from phones, are the devices capable of such exfiltration?

Elana Tyrangiel, principal deputy assistant attorney general at the Justice Department, couldn't say. DHS Assistant Secretary for Threat Prevention and Security Policy Seth Stodder said DHS devices were "absolutely configured by the vendor not to collect content."

Tyrangiel and Stodder could not say whether their agencies collected such content before their new policies went into effect -- in September and October, respectively. They also couldn't give estimates of how widespread stingray use was in agency investigations.

DHS and DOJ guidelines provide for the prompt deletion of collected data, Tyrangiel and Stodder noted.

Subcommittee Chairman Will Hurd (R-Texas) pledged to investigate legislative fixes to stingray policy concerns.

CIA director's docs published online

On Oct. 21, WikiLeaks published a trove of information apparently gleaned from CIA Director John Brennan's personal email account.

The documents appear to include Brennan's unredacted security clearance application form -- Standard Form 86 -- and various high-level communications.

The hacker who claimed credit for infiltrating Brennan's AOL account told Wired he's a teenager who worked with two accomplices.

He said he started with Brennan's cell phone number, which he used to trick Verizon and then AOL into revealing Brennan's personal information.

According to a CIA statement, the Wikileaks release did not include any material from Brennan's time at CIA, or any documents forwarded to his private account from an official U.S. government account.

Study reveals growing number of nation-state attacks against U.S. companies

Companies and government agencies are ill prepared for the rise in nation-state attacks, according to a new Ponemon Institute report released Oct. 21.

Ponemon surveyed 639 U.S. security and IT specialists and found that 35 percent are certain they have been the victim of an attack. Meanwhile, 88 percent of organizations rated their ability to recognize such an attack as middling to low.

Cybersecurity has remained a hot topic as high-profile breaches, including successful attacks against the Office of Personnel Management and Sony, filled the headlines in the past year. Senior and C-level executives have taken notice. In the survey, 81 percent of senior executives and 74 percent of C-suite executives said they were concerned or very concerned about nation-state attacks.

Nevertheless, many organizations have not established measures to prevent threats. Forty-nine percent admitted to taking a "wait-and-see approach" to security, which will not reduce potential data loss or collateral damage. Despite the respondents' experience and knowledge, many reported uncertainty in recognizing nation-state attacks.