FCW Insider: Oct. 22

Top stories, quick hits and more from FCW's reporters and editors.

The Census Bureau is facing multiple legal and political challenges to the design of its 2020 population survey, mostly related to a controversial question about the citizenship of respondents. But as Chase Gunter reports, Census officials are confident efforts to collect online responses and to arm enumerators with new tech will make operations more efficient and cost-effective.

With the 2018 midterm elections looming, the Department of Justice charged a Russian national with overseeing financial operations for a multinational, $35 million social media influence campaign tied to the Russian government. The longstanding operation included the deployment of hundreds of phony social media identities posting memes and content designed to trigger angry responses on hot-button U.S. social and political issues. Derek B. Johnson has the story.

The Department of Homeland Security is in the midst of a back-and-forth with industry on IT risk management, with an eye to possibly acquiring private-sector tools that can produce supply chain maps, identify counterfeit or altered hardware and software and mitigate risks posed by such threats. But even with that capability, DHS sees its role in supply chain security as providing risk management advice, not as a buying guide. Mark Rockwell explains.

Quick Hits

*** A data system with direct links to Healthcare.gov was hacked, leading to the theft of records on 75,000 individuals, according to the Centers for Medicare and Medicaid Services. CMS reported detecting "anomalous activity" on Oct. 13 in the Federally Facilitated Exchanges, which allow insurance agents and brokers to assist health care consumers with enrollment under the Affordable Care Act. On Oct. 16, CMS declared a breach, disabled accounts linked to it and shut down the Direct Enrollment system. The news was made public late in the day on Oct. 19. CMS said it was looking to have the system for agents and brokers back up in seven days. The self-service enrollment website HealthCare.gov remains operational, as does the Marketplace Call Center.

*** The Federal Energy Regulatory Commission approved a cybersecurity rule covering the U.S. electrical grid. The rule, based on standards proposed by the North American Electric Reliability Corporation in January 2018, requires covered electrical utilities to phase in new supply chain risk management practices over the next 18 months. The goal is to have better visibility into industrial control system hardware, software and networking services that are used to operate the nation's bulk electric system. FERC noted in the final rule that security gaps remain in the electrical grid, because standards do not cover firewalls, authentication servers, breach monitoring and alerting systems and other components covered under the category of electronic access control and monitoring systems. These EACMS, if compromised, could give attackers control of a protected asset. FERC has directed NERC to develop modifications to the rule to encompass supply chain risk management of such monitoring systems within two years.

*** The Defense Advanced Research Projects Agency is trying to find out how to make computers learn more like human children. The agency recently held a proposer's day for its Machine Common Sense program; the program is the first entrant in DARPA's $2 billion AI Next campaign. The MCS initiative is meant to give machines the ability to understand and navigate situations they are not explicitly programmed for.

DARPA will be researching new machine learning techniques and advances in developmental psychology to try to make this happen.

"My deep belief is the magic answer is somehow buried in what human children know at one year old," said Dave Gunning, a program manager within the Information Innovation Office at DARPA.

Responses to the announcement are due by Dec. 18. Gunning said they will pick whom to work with by January and will begin the research by spring of 2019.

*** The United Kingdom reported that phishing and malicious spam are down as a result of the work of the National Cyber Security Centre, the centralized, all-of-government computer security agency that is part of the country's intelligence community. NCSC, which is part of the Government Communications Headquarters apparatus, handles security for all government domains and conducts incident response and threat assessment for threats aimed at the private sector as well. In its annual report for 2018, NCSC reported that more than 138,000 phishing sites were removed and that the country's share of global phishing attacks was down sharply from 5.3 percent in June 2016 to 2.4 percent in July 2018. The report credited the implementation of Domain-based Message Authentication Protocol with protecting government domains from spoofing. NCSC is also advancing a program to extend active cyber defense services to government-owned devices. Currently 14,500 such devices are equipped with ACD services, and that number is expected to "increase significantly" in the coming months, according to the report.