U.S. Veterans Affairs Department Puts Out RFI for Help with Dark Web
Like the classic Sergio Leone movie The Good, the Bad and the Ugly, the so-called Dark Web stirs passion. It has its advocates and detractors, and both sides are resolute in their perspectives and certainly not shy about making their opinions heard. In fact, the value of and threats posed by the free software that provides anonymous surfing and sharing, via a simple-to-download browser courtesy of Tor, were the subject of the conference Inside Dark Web, which TMC held with partners Bob Miko and Alan Meckler in New York City. TMC CEO Rich Tehrani has a great blog about the event for those of you who were unable to attend.
What Tehrani rightly points out is that, although IT security people at enterprises and governments around the world have concerns about the Dark Web, the ability to leverage anonymity has extremely beneficial uses as well. The concerns include, for example, the inability to track those with malicious intent who use the Dark Web for things like publishing stolen IDs and account information, how-to guides on malware of all types, pornography, drug and human trafficking, and a host of other criminal activities, just to name a few. It is why it bears the “Dark Web” name. It is why the searchable and trackable Internet we all know and use now carries the appellation “The Clear Web.”
The best analogy that comes to mind is the invention and development of what we in the tech industry would call “use cases” for atomic energy. Fission and fusion are capable of both powering the world and destroying it. The famous phrase, of questionable origin, “With great power comes great responsibility,” comes to mind. Like it or not, the Dark Web is here and here to stay, and everyone needs to be mindful of its capabilities for good and evil.
That said, a reflection of government concern is the following request for information (RFI) published by the U.S. Department of Veterans Affairs (VA) on May 12, 2016:
D--Dark Web - Request for Information
Solicitation Number: VA11816Q1211
Agency: Department of Veterans Affairs
Office: VA Technology Acquisition Center
Location: VA Technology Acquisition Center
Like other federal departments and agencies, the VA is the target of hackers. And we are not talking about “ethical” ones. It admits to being subjected to millions of cyberattacks and attempted breaches every month. As a repository of extremely sensitive personal information about millions of veterans, it must be concerned about that information being compromised and possibly sold or used by rogue nations and terrorists on the Dark Web.
As you consider whether the RFI interests you, here is what the VA is looking for. It involves a software product that provides ALL of these capabilities:
1. The software shall be capable of searching the "Dark Web" for exploited VA data improperly outside of VA control;
2. The software shall be capable of taking VA data and creating a one-way encrypted hash or pattern matching capability from that data ensuring that neither the vendor nor any other party not affiliated or working with VA can ascertain and/or use the data for any purpose other than this exercise;
3. The software shall be capable of using VA's encrypted data hash or pattern matching to search the "Dark Web" and report back to VA what was found;
4. The software shall be capable of distinguishing VA-sourced data on the "Dark Web" from data from any other source;
5. The software shall be capable of integrating with the VA network and existing software platforms; and
6. The software shall conform to all VA information technology security policies, as outlined in VA Handbook 6500, in particular:
   a. The software shall not put any VA Personally Identifiable Information (PII) or Protected Health Information (PHI) at risk of breach;
   b. If the software processes VA PII and/or PHI data, the data shall be encrypted using FIPS 140-2 compliant methods; and
   c. The software shall not expose the VA network to any type of malware or cyber-attack.
7. Include commercial Bailment agreement
The VA adds that: “Parties should address how software meets all the capabilities listed above. Parties are invited to provide information concerning any such products, as well as limited licenses that will permit VA evaluation of existing products. Please note that this RFI is strictly for the purposes of market research, will be at no cost to the government, and does not imply any commitment or intention by the VA to invest in any future project and/or award any future contract.”
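One way to approach capabilities 2 and 3, shown as an added example that is not from the RFI or from any vendor: the data owner fingerprints normalized identifiers with a keyed one-way hash (HMAC-SHA-256), and recovered text is matched against those fingerprints only. The key, record ids, function names and sample dump are constructed assumptions; a keyed hash is used because a plain hash of a 9-digit identifier can be reversed by enumerating every possible value.

```python
import hashlib
import hmac
import re

# Constructed key for the demo; in practice it never leaves the data owner.
OWNER_KEY = b"constructed-demo-key-not-a-real-secret"

# SSN-shaped candidates, with or without separators.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def fingerprint(ssn_digits: str, key: bytes = OWNER_KEY) -> str:
    """Keyed one-way fingerprint of a normalized 9-digit identifier."""
    return hmac.new(key, ssn_digits.encode(), hashlib.sha256).hexdigest()


def build_index(records):
    """Owner side: map fingerprint -> internal record id (no raw values kept)."""
    index = {}
    for record_id, ssn in records:
        digits = re.sub(r"\D", "", ssn)  # normalize before hashing
        if len(digits) == 9:
            index[fingerprint(digits)] = record_id
    return index


def scan_dump(text: str, index: dict):
    """Return (line_number, record_id) for each candidate found in the index."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            fp = fingerprint("".join(m.groups()))
            if fp in index:
                hits.append((lineno, index[fp]))
    return hits


# Constructed sample data, not real identifiers.
OWNER_RECORDS = [("rec-001", "900-12-3456"), ("rec-002", "900 65 4321")]
SAMPLE_DUMP = """\
jdoe|900123456|jdoe@example.test
asmith|900-00-0001|asmith@example.test
order 900654321 shipped
"""

if __name__ == "__main__":
    idx = build_index(OWNER_RECORDS)
    for lineno, rec in scan_dump(SAMPLE_DUMP, idx):
        print(f"line {lineno}: matches {rec}")
```

Matching has to run where the key lives, so either the owner scans the text a vendor collects or the key sits in a module the vendor cannot read.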
One of the most interesting and important public policy conundrums of our times involves the balancing act between governments’ right to know in order to protect their citizenry, and individuals’ and organizations’ right to privacy. It is a moving target that for the most part suffers from what could be called “legislative jet lag.” What IT security professionals already know is that the Dark Web is a major root cause of good and evil. In fact, many of the IT security professionals I have had the pleasure of chatting with, vendors as well as those working for organizations, are regular users of Dark Web capabilities even as they fear for and try to defend against the worst.
How all of this gets sorted out is anyone’s guess. After all, we are not talking about something that is static. Rather, the Dark Web is evolving, and how to reap its benefits while tackling its threats is something that we all need to know and care about. Indeed, that may have been the biggest message to come out of Inside Dark Web, i.e., knowledge can be power.
Edited by Stefania Viscusi