The Wrap: National Cyber Alert System; VA Trustworthy AI Framework; GAO Nasty-Grams

Welcome to The Wrap for Thursday, September 14!

From the newsroom at MeriTalk, it’s the quickest read in Federal tech news. Here’s what you need to know today:

National Cyber Alert System

The Cybersecurity and Infrastructure Security Agency (CISA) took a baby step this week toward an eventual goal of establishing a national cyber alert system in the U.S., but there’s a lot of ground to cover between now and then. The agency’s Cybersecurity Advisory Committee (CSAC) voted to approve a recommendation to CISA along those lines stemming from a CSAC subcommittee led by former National Cyber Director Chris Inglis. The recommendation was received enthusiastically by CISA Director Jen Easterly, who called the idea “terrific.” What’s standing in the way? To get the kind of data that will fill out an alert system, CISA still has to complete a proceeding to put into effect the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) approved by Congress in 2022 that will require covered entities to report cyber incidents and ransomware payments to the government. CISA won’t have its notice of proposed rulemaking out until later this year, or early in 2024, and then a lengthy comment period is likely to follow that. “We do think there’s a genuine need for actionable, granular kind of information that constitutes an alert system and that is actually curated over time,” Inglis said during the advisory committee meeting on Wednesday. “So, if we go shields up, we know why we’ve done that,” he said, adding, “and we know when to bring those shields down to some degree so that we can actually target this for the circumstances.”

VA’s Trustworthy AI Framework

The Department of Veterans Affairs (VA) is first out of the blocks among Federal civilian agencies to integrate all of the White House’s AI policy work to date with its new Trustworthy AI Framework. VA Secretary Denis McDonough talked up the new framework in a speech last week, saying it incorporates work ranging from the White House’s Blueprint for an AI Bill of Rights to Executive Order 14091, which emphasizes the importance of incorporating unbiased protections in all AI activities. He said the framework will form the basis “on which VA will design, develop, acquire and use AI systems in a manner that fosters veteran trust and confidence, delivering timely access to world-class health care and earned benefits by leveraging emerging AI technologies, all while adhering to the highest ethical standards, including protecting veterans’ privacy and civil rights.” The framework was officially approved for agency-wide use in July, and is based on six principles: purposeful, effective and safe, secure and private, fair and equitable, transparent and explainable, accountable and monitored.

GAO Flags DHS, DoJ on Facial Recognition Training

Law enforcement component agencies of the Departments of Homeland Security (DHS) and Justice (DoJ) were plowing ahead between 2019 and 2022 with using facial recognition technologies without proper staff training, and in some cases without policies to help protect civil rights and civil liberties. That was the bottom-line finding from the Government Accountability Office (GAO) in its latest report on the technology issued on Sept. 12. GAO said that seven agencies within DHS and DoJ “initially used these services without requiring staff take facial recognition training,” and that they ran about 60,000 searches without meeting training requirements. As of April 2023, two agencies – Homeland Security Investigations and U.S. Marshals Service – began to require training, the watchdog agency said.

Sorting out DoD Cloud Fees

In a separate report out this week, GAO said the Defense Department (DoD) needs to do a better job at tracking and reporting cloud computing data transfer user fees. The watchdog agency explained that cloud service providers charge user fees for transferring data from the cloud. According to the report, cloud providers usually do not charge fees to transfer data into the cloud – data ingress. However, they charge a fee when transferring data from a storage location – data egress. “The department’s recent contract negotiations with commercial providers resulted in discounts on data fees, including data egress fees. Vendor lock-in can happen in cloud computing when the cost of moving to a new provider is so high that a user stays with their incumbent provider,” GAO said, while also acknowledging other factors – including a lack of specific skills by government staff, or the reliance on cloud services unique to a specific cloud provider – that contribute to the vendor lock-in effect. DoD is on board with GAO’s single recommendation in the report to develop a plan and time frame for adopting an egress fee tracking tool.

Casey Confirmed as NCSC Director

Congrats to Michael Casey, who will take over as director of the National Counterintelligence and Security Center (NCSC) following Senate approval of his nomination by voice vote on Tuesday. NCSC is a component of the Director of National Intelligence (DNI) and leads U.S. government counterintelligence and security activities, provides outreach to U.S. private sector entities at risk of foreign intelligence penetration, and issues public warnings regarding intelligence threats to the U.S. Casey is a longtime Capitol Hill veteran who has served as staff director for the Senate Intelligence Committee on Intelligence since 2016. He was also a professional staff member on the House Armed Services Committee.

Once again, let’s “call IT a day,” but we'll bring you more tomorrow. Until then please check the MeriTalk breaking news website throughout the day for the latest on government IT people, process, and policy.

And finally, please hit the news tip jar [with leads, breaking news, or simply your two cents] at [email protected].
