
PRESS RELEASE: First-Ever DEFCON "Voting Machine Hacker Village" Highlights Vulnerabilities in U.S. Voting Systems

Cambridge Global participates in event to bring together critical stakeholders to elevate cyber threats, identify solutions to safeguard our elections

Las Vegas, NV – In light of recent headlines concerning Russian attempts to “hack” and interfere in the 2016 U.S. elections, DEFCON – one of the world's largest and best-known hacker conventions – debuted an interactive "Voting Machine Hacker Village" today at its annual gathering in Las Vegas. The first of its kind in the conference's 25-year history, the Voting Village provided a national stage for hackers, voting experts, government officials and others to raise the alarm on cyber vulnerabilities and threats related to U.S. voting machines, networks, and voter file databases currently in use around the nation.

Cambridge Global Advisors (CGA) – a strategic advisory services firm with deep expertise in cyber and homeland security policy at the global, national, state and local level – provided support to the Voting Village by way of concept development, media outreach, and stakeholder engagement. CGA also contributed to the day-long speaking program, with Jake Braun, CEO of CGA, emceeing speeches and panels featuring subject matter experts from a variety of public and private sector organizations such as Verified Voting, the Center for Internet Security, National Governors Association, and National Institute of Standards and Technology (NIST).

“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we've uncovered even more about exactly how,” said Jake Braun, who originally proposed the idea of the Voting Village to conference founder Jeff Moss earlier this year. “The scary thing is we also know that our foreign adversaries – including Russia, North Korea, Iran – possess the capabilities to hack them too, in the process undermining principles of democracy and threatening our national security.”

Douglas Lute, CGA principal and former U.S. Ambassador to NATO, also spoke at the conference on Friday, noting the importance of bringing the national security community to the table. “Elections have always been the concern and constitutional responsibility of state and local officials. But when Russia decided to interlope in 2016, it upped the ante. This is now a grave national security concern that isn't going away,” said Lute via Skype. “In the words of former FBI Director James Comey, ‘They're coming after America...they will be back.’”

The Voting Village featured more than 30 pieces of equipment for hackers to try their hand at, along with a cyber training range that simulated a board of elections office network and voter registration database. Within the first 90 minutes, hackers successfully hacked several pieces of equipment, including a machine and pollbook. The village is expected to be a fixture for DEFCON for at least the next three years, with more equipment, software and other hacking demonstrations to be added in the future.

Voting Village organizers also said that DEFCON provided an initial forum to convene various stakeholders that will be critical to forwarding solutions as a next step. Post-DEFCON, Cambridge Global and others will work to align allies for a national advocacy campaign to implement election security measures in all fifty states. Details and a campaign launch date are expected in the coming weeks.

“The Voting Hacking Village was just the start. This is one conversation that needs to leave Vegas,” said Braun. “There are ways to secure our democracy, but we need an organized advocacy campaign. We need to take these lessons back to DC, to state capitals, and to local election boards around the country to invoke change.”

About CGA

Cambridge Global Advisors (CGA) is a strategic advisory services firm with deep expertise and experience at the global, national, state and local level.  Our mission is to assist our clients in the management, development, and implementation of their national security programs, practices, and policies, with a special interest in homeland and cyber security.

CGA’s senior leadership has been working on cybersecurity policy for some of the largest end users for governments, NGOs, and corporations for a combined 100+ years of experience. Through client work and numerous positions on advisory boards, the team has served as cyber consultants for a host of entities from the President of the United States to local governments such as Cook County, Illinois. Learn more at: www.cambridgeglobal.com

###

CGA COMMENTARY: Why going small is not always the best cyber strategy

By: Chris Cummiskey, CGA Senior Advisor

**Note: This piece originally appeared in Fifth Domain Cyber, an affiliate of C4ISRNET, Federal Times and DefenseNews.**

In recent years, there has been a strong push in federal departments and agencies to emphasize the need for awarding contracts to small business. This strategy has been further reinforced by the Small Business Administration, which issues regular scorecards to show which agencies meet predetermined percentage targets for small business contract awards.

During my tenure as the acting undersecretary for management and chief acquisition officer at the Department of Homeland Security, I worked closely with our procurement teams to generate a string of “A” grades from SBA in meeting our targets.

Today, of the $13 billion or so DHS awards each year, about one-third goes to small business, while about a third goes to medium-sized and large businesses each. This has led to DHS being recognized as one of the leading departments in working with small business.

There are many places in government where a small business procurement strategy is efficient and effective, yet cybersecurity is not necessarily one of those areas. My experience is that government procurement and program officials are dedicated professionals who seek to craft the best acquisition approach based on the requirements. There are, however, a growing number of instances in cyber contracting where a shift to small business could have a detrimental impact. The pressure to meet small business goals, and the feeling among many that small businesses are more flexible and less expensive, has led to decisions, particularly with cyber contracts, to craft a strategy that is high-risk and counterproductive.

There are several considerations that need examination when crafting a successful cyber procurement approach. These include past performance, program complexity, scale, staffing and pricing.

Past Performance

Demonstrating successful past performance is a key indicator of future success in government contracting. This track record is an important consideration in evaluating which companies can effectively execute often complex federal cyber requirements.

Given the sensitivity and complexity of the cyber mission, it is essential that contracting officers carefully weigh past performance in their evaluation criteria. In this scoring process, well established companies with extensive government experience will certainly have an advantage, but the resulting lower risk to the mission is clearly an important consideration given the cybersecurity climate today.

Program Complexity

Providing cyber defenses in federal agencies has become a challenging and complex undertaking. DHS has been tasked by Congress and the White House with protecting federal networks, while serving as the lead agency for sharing information with the private sector. These vital cyber missions are executed through programs such as Einstein and Continuous Diagnostics and Mitigation (CDM) and centers like the NCCIC and US-CERT.

There is only a subset of companies that have the necessary cyber technical capabilities, large-scale integration experience and processes to effectively run these types of programs.

Breaking cyber contracts up into smaller pieces for the promise of lower cost and more agility can sound promising, yet these promises often go unfulfilled. In reality, what most often occurs is the government itself will need to integrate across the pieces, potentially compromising the cyber mission, and stressing an already under-staffed government professional team. When coupled with other emerging technological advancements and qualifications, this will continue to be an area where small business will struggle to compete.

Scalability

Another area where small business will have difficulty in meeting requirements of the cyber mission is with scalability. Many successful cyber programs that start as pilots or trial runs eventually end up having to be brought to scale.

As an example, Einstein 3 Accelerated (E3A) started with a relatively modest number of seats covered, yet after the OPM debacle the political will materialized to bring the cyber protection to all 2 million seats in the federal government. Once the decision was made to expand E3A, there was little time to debate whether or not the vendors would be able to accommodate the request. Immediate action to rapidly scale the capability was an imperative.

Staffing

It is not hard to see that there is a shortage of skilled cyber employees. Professionals in cyber-related fields have many options today. They can work for the alphabet soup of government agencies that work the cyber mission or they can choose an often more lucrative track in the private sector.

Large government cyber programs need talented and capable personnel in the seats. Often, that means hiring private sector companies to assist with staffing and capabilities. This can be a very good option if the company has solid internal controls for maintaining high quality, cleared cyber staff who receive ongoing training. Small business often has trouble competing to attract and retain high caliber cyber talent.

Pricing

One of the regular arguments one hears about awarding to small business is they are just cheaper than some of the larger outfits. In some cases that may be true, but again, in most cyber procurements that may be an illusion.

A better metric for government cyber than Lowest Price Technically Acceptable (LPTA) should be Best Value. It is not unusual for smaller companies to lowball their pricing on an RFP with the hopes of winning the award. Once secured, they sometimes struggle to meet the contract deliverables, terms and conditions. This is a dangerous trap door for government procurement officials. They are often pressed to reduce contract cost, while not sacrificing functionality.

In too many cases, the government finds out too late that program performance has suffered due to an award to a small business that just can’t get the job done.

Conclusion

These observations are not meant to slam the small business community. There are plenty of areas in federal contracting where small business is the best choice. Unfortunately, large scale government cyber is not one of those places.

Past performance, program complexity, scalability, staffing and pricing all factor into sound federal procurement decision-making. At the start of a new administration, I hope the incoming teams of appointees will take a hard look at how federal cybersecurity is planned, procured and executed to ensure the best results.

Chris Cummiskey is a former acting undersecretary/deputy undersecretary for management and chief acquisition officer at the U.S. Department of Homeland Security.

PRESS RELEASE: CGA Announces Final License for NeMS Cybersecurity Technology

February 14, 2017 (San Francisco, CA) – Today at the annual RSA Information Security Conference in San Francisco, Cambridge Global Advisors (CGA) was proud to announce that the commercialization license for its Network Mapping System (NeMS) technology has been finalized.

Developed by Lawrence Livermore National Laboratory (LLNL) and licensed by LLNL to a CGA subsidiary, NeMS is a software-based tool that simplifies the network security process by automating several of the 20 Critical Security Controls (CIS Controls), a prioritized set of cyber practices created to stop the most pervasive and dangerous of cyberattacks as put forth by the Center for Internet Security.  Specifically, NeMS will automate three of the top five CSC components and inform users what is connected to their network so that they know what needs to be protected.

“This is an important moment for NeMS, the final license coming on the heels of multiple prominent cyberattacks that have policymakers scrambling for solutions,” said Jake Braun, CEO of CGA. “Several leaders in the last year – including the Attorney General here in California – have pushed measures requiring businesses to implement the CIS Controls as a condition of operation. As a result, enterprise consumers are searching for products – like NeMS – that will help them comply with mandatory baseline security standards.”

The commercial licensing of NeMS was aided by the U.S. Department of Homeland Security Science and Technology’s (S&T) Transition to Practice Program (TTP) which looks to transition federally-funded cybersecurity technologies from the laboratory to enterprise consumers. The program also seeks to create institutional relationships between the cyber research community, investors, end users, and information technology companies by showcasing the technologies throughout the country to develop pilot and commercialization opportunities.

Each year the TTP program selects eight promising cyber technologies to incorporate into its 36-month program. S&T introduces these technologies to end-users around the country with the goal of transitioning them to investors, developers or manufacturers that can advance them and turn them into commercially viable products.

“LLNL has a long history of successfully engaging with our industry partners to commercialize technologies that advance our national and economic security,” said Rich Rankin, the director of LLNL’s Industrial Partnerships Office. “Commercializing LLNL-developed technologies like NeMS enables the private sector to apply the Lab’s solutions to market needs beyond the U.S. government’s immediate interests – helping solve some of the nation’s biggest, most complex challenges while driving economic growth.”

PRESS RELEASE: Cybersecurity Experts Meet to Discuss 2016 Election Hacking

February 9, 2017 (Chicago, IL) – Yesterday, Cambridge Global Advisors (CGA) convened a timely discussion on cybersecurity and the U.S. democratic process. The event, hosted by and at the Chicago Council on Global Affairs, focused on how cybersecurity and hacking impacted the 2016 election outcome.  The full event is available for viewing online at: https://www.thechicagocouncil.org/event/hacked-democracy

Jake Braun, CEO at CGA, moderated the event and was joined by Cindy Cohn, Executive Director, Electronic Frontier Foundation; Siobhan Gorman, Director, Brunswick Group; Robert K. Knake, Whitney Shepardson Senior Fellow, Council on Foreign Relations; and Sherri Ramsay, Senior Advisor to the CEO, CyberPoint International; Cybersecurity Consultant.  Among various topics, this panel of experts addressed some of the key challenges currently facing both the government and private sectors as they fight cybersecurity breaches, privacy issues, and electorate concerns about the integrity of American elections.

The panel raised concrete things the Trump Administration, other governments, political groups and private sector interests can do to protect the nation, highlighting the need to balance national security concerns with civil liberties concerns within a democracy.  One of the issues raised included whether or not technology is a threat to democracy. With democratic nations amassing enormous cyber-surveillance powers, it becomes increasingly difficult for democratic nations and societies to balance both transparency and security in the new digital age.

“There’s no doubt that cyber-meddling by foreign actors is now at the forefront of the discussion around technology, cybersecurity and democracy,” said Jake Braun, who has advised both public and private sector interests on cyber assessments and network security matters. “But where it was elections in November, it can be our energy grid or water resources in the future. Bottom line: When an outsider can cause this much damage, it’s not just on our government to foster solutions, it’s on the private sector to get involved too.”
