Quick Hits for Oct. 24

*** Coordinated vulnerability disclosure is a proven way for cybersecurity researchers to share news of security weaknesses with private firms and government entities, but the rules governing the process are virtually non-existent, according to a new congressional white paper. Some organizations welcome and even reward third-party disclosures, while others threaten legal action against researchers. The paper from the majority staff of the House Energy and Commerce Committee cites the benefits of a disclosure program as shown in industry sectors including cloud, software, automotive, medical device manufacturing and others, and notes the variety of government agencies that support disclosure programs or sponsor "bug bounties." However, the report notes, "there still exists significant uncertainty regarding the legal differences between the types of research that typically inform CVD programs and 'hacking.'"

Further complicating issues is the fact that the internet is a highly interdependent ecosystem. Gatekeeper firms like Google, along with independent researchers and academics, routinely patrol the software and architecture underpinning ecommerce, games and other connected services. Moreover, companies that do participate willingly in disclosure programs run the risk of being tagged as having weak cybersecurity as news of their vulnerabilities becomes public.

The report recommends that Congress look at drawing distinctions between hacking and security research, and "offer protections to CVD participants who perform CVDs in accordance with modern best practices." Congress should also "explore ways to encourage federal agencies and private sector stakeholders to address and minimize the negative public responses to CVDs."

*** The MITRE Corporation published a report with recommendations for modernizing the federal workforce, based on feedback and observations from public and private sector participants at a White House workforce symposium in September. The report recommended that government look at how high-performing private sector organizations monitor employee engagement and how to "build mobility into their organizational models and career paths." Many of the recommendations were squarely inside the box of existing civil service reform proposals, including the use of streamlined hiring authorities and pay flexibilities. Other ideas included building retraining requirements into technology procurements, to make sure that current employees are given the opportunity to keep pace with the future of work at their agency. The report also suggests remaking the troubled USAJOBS website as a platform for federal employees to update their skills and access training.

*** The Army has a new plan to keep new technologies from withering away in the so-called valley of death -- and it comes in the form of four pilots. Adam Jay Harrison, Army Futures Command's innovation officer, said during an Oct. 23 National Defense Industrial Association event that the Army Applications Lab -- the Army's version of the Defense Innovation Unit -- would be the "bridge" between existing but unmet requirements and functional capabilities.

"We produce a lot of goodness in our laboratories [and] in our industrial base. Where we tend to have the most problem is translating the great things that we build into scalable products," Harrison said.

To remedy that, Harrison said the Army Applications Lab will "provide that bridge of scalability" through a series of pilots and by developing new business approaches for prototypes, whether developed internally or sourced from startups and the private sector.

One pilot, the Army Capability Accelerator, uses small teams of subject matter experts, researchers, scientists, engineers and industry members to accelerate design and prototype development in the Army's top modernization areas. But there's no specific end goal besides usable tech. AAL has three other pilots: Catalyst, which surfaces ideas from small businesses and universities; the Cooperative Development Fund, which aligns funding in the manner of a venture capital firm; and Halo, which focuses on fielding products and speeding up acquisition and production.

*** Michael Garris, the founder and chair of the AI community of interest at the National Institute of Standards and Technology, said at the Oct. 23 NVIDIA conference that it’s important to consider an AI system's accuracy and potential biases before implementation. "We're talking today about the government directing and distributing citizen benefits and services" with AI, he said, "and this requires the highest bar of assurance that AI-driven systems will be and are reliable, safe, secure, privacy preserving and -- very important -- unbiased and not discriminatory."

NIST is working to understand the best ways to measure the trustworthiness of AI and using those testing methods to help develop standards for the industry.