The Wrap: Wales Warns on Resilience; After the Money’s Gone; DDoS Patching
Welcome to The Wrap for Thursday, October 12!
From the newsroom at MeriTalk, it’s the quickest read in Federal tech news. Here’s what you need to know today:
China Cyber Threat Resilience
The United States needs to keep its critical infrastructure running even if utilities and other crucial sectors are coming under major cyber attacks from sophisticated actors like China. That was the bottom-line message today from Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency (CISA), who warned during a Washington Post Live event that because the cyber threat from China is much more serious than it was a decade ago, the U.S. needs to focus on resilience of critical infrastructure just as much as defense. “It is incumbent upon us to realize that we may not stop every attack, we may not be able to fully defend our way out of it,” Wales explained. “What we need to ensure is that we have the degree of resilience in our systems that will allow us to continue to operate even in the face of an aggressive actor.” He continued, “our infrastructure needs to have operational resilience, functional resilience, that even in the face of degradation, even if their systems are under attack, they can continue to deliver the vital functions … the water should continue to flow even if there is a loss of the operational control technology that they utilize.”
When the Money Runs Out
State chief information officers – who were relatively flush with Federal relief cash in the latter stages of the coronavirus pandemic – are beginning to reckon with what life will be like when that money runs out. In its latest State CIO survey, the National Association of State Chief Information Officers (NASCIO) zeroed in on state CIO pain points heading into 2024, and found future Federal funding high on the list of worries. Funding to state CIO organizations – from sources including the Coronavirus Aid, Relief and Economic Security Act (CARES), the American Rescue Plan Act (ARPA), and the Infrastructure Investment and Jobs Act (IIJA) – was a huge factor for many, with about half of states saying that money constituted upwards of 20 percent of their annual budgets. The cash infusions have done a lot of good since then, with more than half of state CIOs agreeing that the Federal money helped to spur IT modernization. They also agreed that whatever amount of Federal funding they do receive is needed for key programs – especially helping state CIOs provide support to localities. Cash check: two-thirds of states have obligated all of their Federal funds from CARES, ARPA, and IIJA. States that still have unobligated Federal funds are mostly still waiting for legislative approval to obligate them, and need to work with stakeholders and agencies to determine how to best direct the funding.
CISA Urges Quick DDoS Patching
The Cybersecurity and Infrastructure Security Agency (CISA) advised quick patching and updating for organizations that deliver essential internet services after news earlier this week detailing what are thought to be the largest-ever distributed denial-of-service (DDoS) attacks, launched between August and October. The CISA advisory, published on Oct. 10, warns about a DDoS-related vulnerability in the HTTP/2 protocol known as Rapid Reset – also documented as CVE-2023-44487. In a coordinated announcement, Amazon Web Services (AWS), Cloudflare, and Google detailed how the vulnerability has wreaked havoc in the wild. “The ‘Rapid Reset’ technique leverages the ‘stream multiplexing’ feature of HTTP/2, wherein numerous requests and subsequent immediate cancellations cause substantial server-side workload with minimal client-side attacker cost,” the companies said.
Dems Lobby for Tough AI EO
The Biden administration must be getting close to releasing its much-awaited AI executive order (EO) because key Democratic lawmakers are turning up the heat to make sure that the EO has plenty of teeth and hews to concepts of the White House’s Blueprint for an AI Bill of Rights unveiled last October by the White House’s Office of Science and Technology Policy (OSTP). The blueprint encompasses a voluntary framework intended to help guide organizations on the development and deployment of AI. A group of 16 Capitol Hill Democrats led by Sen. Ed Markey, D-Mass., and Rep. Pramila Jayapal, D-Wash., urged President Biden in an Oct. 11 letter to use the existing Blueprint document as the foundation of the forthcoming AI order – which will carry the force of law as long as Biden remains in office. “The moment calls for the adoption of strong safeguards on algorithmic discrimination, data privacy, and other fundamental rights,” the lawmakers said, adding, “in particular, the Blueprint for an AI Bill of Rights … would serve as a strong foundation for the executive order.” We don’t have long to wait: OSTP Director Arati Prabhakar recently noted the EO is expected to be released this fall, covering a “very broad” range of issues related to AI.
Army Closing in on Unified Data Architecture
The U.S. Army is getting closer to the goal of creating a unified data architecture with the release of the third in a series of queries to industry seeking best practices and capabilities that would help the service branch build and implement its Unified Data Reference Architecture (UDRA). The UDRA as envisioned will provide solution implementation guidance for interoperable data sharing by all Army acquisition programs. The Army explained that the goal is to build a distributed “data mesh” that all Army acquisition programs can share. Because data mesh architecture has its roots in industry practices, the Army is turning to industry for feedback on best practices and available technologies for military application and use. They’d love to hear from you by the deadline of Oct. 30.
Once again, let’s “call IT a day,” but we'll bring you more tomorrow. Until then please check the MeriTalk breaking news website throughout the day for the latest on government IT people, process, and policy.
And finally, please hit the news tip jar [with leads, breaking news, or simply your two cents] at [email protected].