Smith named CTO, Holder and Clapper back reforms, and McAfee hails Heartbleed
News and notes from around the federal IT community.
Google's Megan Smith has been hired to replace Todd Park as U.S. chief technology officer.
Now it's official: White House names new chief technologist
Google executive Megan Smith was named U.S. chief technology officer on Sept. 4, and former Twitter lawyer Alexander Macgillivray was named one of her deputies.
"Megan has spent her career leading talented teams and taking cutting-edge technology and innovation initiatives from concept to design to deployment," President Barack Obama said in a statement. "I am confident that in her new role as America's chief technology officer, she will put her long record of leadership and exceptional skills to work on behalf of the American people."
The appointment comes a week after the White House announced that Todd Park, who had served as U.S. CTO since March 2012, would be taking on a new role recruiting talented tech professionals in Silicon Valley to work for the government.
Rumors of Smith's candidacy for the CTO role surfaced last week, with Bloomberg and Fortune reporting her White House gig as basically a "done deal." Although she was vice president of business development at Google for nine years, Smith might be best known for her most recent role as vice president of Google X, the company's secretive innovation lab.
Macgillivray will focus mainly on Internet policy, intellectual property, and the intersection of big data, technology and privacy, according to the White House statement. He served as general counsel and head of public policy at Twitter from 2009 to 2013.
Holder, Clapper support paring back NSA phone record collection
The nation's top law enforcement official and top spy have co-signed a letter to Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) supporting passage of legislation that would ban bulk collection of phone records by the government.
The House passed its version of the bill, dubbed the USA Freedom Act, in May.
Attorney General Eric Holder and Director of National Intelligence James Clapper wrote that the bill "preserves essential Intelligence Community capabilities" and "is a reasonable compromise that enhances privacy and civil liberties and increases transparency."
The bulk collection program, authorized by Section 215 of the Patriot Act, was confirmed through leaks of classified information by former National Security Agency contractor Edward Snowden. Under the program, the government collected telephone billing records from telecommunications providers en masse, creating a database that covered most Americans.
NSA and other agencies queried the data to collect information about connections between targets of terrorist investigations and individuals linked to them. A presidential commission recommended changes to the practice after Snowden's disclosures.
The letter also outlines the government's understanding of what kind of collection data and querying would be permitted under the measure and the legal authorities and minimization procedures that apply. The letter notes that the intelligence community will "retain the operational capabilities of the existing bulk telephone metadata program," owing to the "existing practices in retaining metadata" on the part of leading commercial communications providers. Relevant billing records are typically retained for 18 months.
McAfee tags Heartbleed as critical security event
The Heartbleed vulnerability is an unintended gift to hackers that will keep on giving, according to cybersecurity provider McAfee's quarterly threat report.
The company said Heartbleed was by far the most important security event in the second quarter of 2014. The vulnerability contained in several versions of the OpenSSL security protocols "affected every IT organization -- knowingly or unknowingly," the report states.
McAfee estimated that Heartbleed affected about 17 percent of all TLS-enabled websites worldwide, which typically request user authentication via usernames and passwords. That comes to more than 600,000 affected sites.
Although the report praises the efforts in the IT community to find and patch Heartbleed vulnerabilities, it says some of that assistance has been undermined by criminals. For instance, websites that listed Heartbleed-vulnerable sites to help users who wanted to ensure they were authenticating safely "quickly became hit lists for cybercriminals," the report states.
Furthermore, one of the more astute cybercriminals extracted data from still-vulnerable sites and is selling it on the black market. McAfee's report states that more than 300,000 websites remain unpatched and vulnerable to that type of criminal activity.