NextGov
Tech Insider
What's happening in the federal IT community

March 2008

The Federal Reserve - isn't
By Bill Sharon  |  Saturday, March 29, 2008 |  5:21 PM

The Federal Reserve is not part of the federal government. Regrettably, most Americans are ignorant of this fact. Since the members of the Board of Governors of the Fed are appointed by the president, the assumption is that it is another agency of the executive branch, but nothing could be further from the truth. It is owned primarily by private banks that are shareholders and appoint two thirds of the members of the boards of directors of the twelve regional Federal Reserve banks.

In this context, the expanded powers of the Fed that are being proposed by the Bush administration (and the weakening of the powers of the Securities and Exchange Commission) present an interesting event in what passes for risk management these days in the financial services system. Barney Frank, the chairman of the House Financial Services Committee, has, in effect, signed on to this plan following an epiphany some time ago that occurred during his conversation with Charles O. Prince III, the former chairman of Citibank. According to the New York Times, Mr. Prince was explaining that “structured investment vehicles” were kept off the balance sheet so that his bank could compete with investment banks. Somehow the practices of commercial banks using archaic accounting to keep investments off their books led to the conclusion that regulation should extend to investment banks and hedge funds. There doesn’t seem to be any mention of getting those “structured investment vehicles” back on the balance sheet.



Gettin' Wiki With It
By Anne Laurent  |  Friday, March 28, 2008 |  12:20 PM

As a fellow of the National Academy of Public Administration, I feel I am entitled to take a gentle poke at the group now and then, and goodness knows, I have. Sometimes it has seemed to me more like a cigar-smoke-filled gentleman's club home to endless arguments about the "M" in OMB than a leader in public service innovation. But lo and behold, along comes NAPA's new Collaboration Project to blow a hole in my misconceptions.

NAPA officially kicked off the project in February, but it was born at a dinner table. NAPA president Jenna Dorn had just pushed back after a pleasant meal with old friend Kip Hawley, Administrator of the Transportation Security Administration, when Hawley said he had one word for her, à la "The Graduate." "Wiki," he said, and Dorn was off. "He’s always been cutting edge," says Dorn. "I read everything I could about it."



Do You Really Need to Know That?
By Robert Charette  |  Thursday, March 27, 2008 |  2:01 PM

According to the Associated Press, the Agriculture Department is being pressured by the food industry not to identify retailers where tainted meat was sold except in cases of serious health risk.

The AP story goes on, "Had that been the rule in place last month, consumers would not have been told if their supermarkets sold meat from a Southern California slaughterhouse that triggered the biggest beef recall in U.S. history."

One reason for why the food industry opposes the rule is that it "could create confusion for consumers since retailer lists could be incomplete or take days or weeks to compile. Customers could have a false sense of security if their grocery store doesn't immediately show up on the list, the groups contend."

So, incomplete risk information is riskier than no information?

Another reason is competitive: "If lists of retailers selling recalled meat become public, competitors would know who to approach to offer the product at a lower price."

Now, I just wonder whose risk management concerns are the priority: consumers having a false sense of security or meat producers' competitive issues?

Of course, there also is the little question of the USDA definition of "serious health risk." Just how serious is serious? Is it defined by the number of people ill or does one or more people have to die before the recall is announced?



Whose Vision of Privacy?
By Robert Charette  |  Thursday, March 27, 2008 |  1:06 PM

When Sen. John McCain was told of the snooping into his passport files, he said in indignant tones, "The United States of America values everyone's privacy ..."

Sen. Arlen Specter, ranking Republican on the Judiciary Committee, spewed forth that, "I think privacy is a very fundamental matter..."

This got me to thinking about what Principal Deputy Director of National Intelligence, Dr. Donald Kerr, said last year, "Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture."

That's apparently no longer a valid or reasonable idea. "In our interconnected and wireless world, anonymity – or the appearance of anonymity – is quickly becoming a thing of the past. ... Protecting anonymity isn’t a fight that can be won."

So, do McCain and Specter agree with this definition of privacy or America's deeply rooted traditional value of privacy?



No Hearings on Privacy Assessments?
By Allan Holmes  |  Wednesday, March 26, 2008 |  6:00 PM

The ho-hum response from the Hill concerning private contractor employees accessing the passport files of Sens. Barack Obama, D-Ill., Hillary Clinton, D-N.Y., and John McCain, R-Ariz., is a bit surprising -- or on second thought, is it?

As Ari Schwartz, deputy director of the Center for Democracy and Technology, pointed out in his Nextgov blog and in a Nextgov article, the point here is the lax attitude many agencies have taken in developing privacy impact assessments, which are required by the 2002 E-Government Act. In the assessments, agencies are supposed to analyze how they collect, store, share and manage personal information in federal networks. The idea is for agencies to develop policies that limit access to information before setting up a database.

State, Schwartz says, has done only cursory assessments. And a State agency official says the department believes they "have seen the last of this."

None of the congressmen in the Congress Daily article (link above) mentioned the privacy impact assessments or the E-Government Act. This may be an opportune time to investigate how well agencies have complied with the law's requirement to properly protect the private information they have stored on databases.



The Accreditor’s Dilemma
By Andy Boots  |  Tuesday, March 25, 2008 |  5:42 PM

In essence, the information security/assurance certification and accreditation process -- in both civilian and military realms -- represents a command and control view of decision making.

On the battlefield, the commander gathers information from advisors who are qualified to attest to the accuracy (or limitations) of the information they provide. Because no one ever operates without a degree of uncertainty, the commander makes decisions using available information but with the full realization that other factors are unknown and perhaps unknowable. The commander also recognizes that a bad decision will reflect on him or her directly.



Risk, Morality and Ethics
By Bill Sharon  |  Monday, March 24, 2008 |  5:45 PM

The Kabbalists tell us that we can only see 1 percent of what is going on. The astrophysicists tell us that we can only see 5 percent (the rest is dark energy and dark matter, although no one really seems to know what either of them are). Kahneman and Tversky, in their work on how people respond to risk, tell us that emotion always overrides rational thought (witness the rise in the stock market of hundreds of points on the smallest shred of information that might be considered good news).

So on a good day we are all in the tall grass. For the past 500 or 600 years we have been operating on the basis that rational thought separates us from the animals. Now we are being told – not so. What separates us from the animals is our consciousness and our ability to recognize that we are more than our thoughts. This idea comes to us from many teachers with an infinite variety of approaches (Ian Lungold, Albert Clayton Gauldin, Esther Hicks, Neale Donald Walsch and many others). It has become so mainstream that now Oprah and Eckhart Tolle are in the midst of a worldwide weekly video conference designed to spread the idea that our minds and our egos are getting in the way of understanding what life wants from us.



Millennials: They're Here. They're Wired. Get Used to Them
By Anne Laurent  |  Monday, March 24, 2008 |  1:14 PM

As the 53-year-old editor chiefly responsible for the controversial photograph of a young woman with a nose piercing on the December 2006 cover of Government Executive magazine, I straddle the workplace generational divide. My gray hair gives me street cred among aging boomers. My regular use of YouTube videos on my blog, my Facebook page and my Second Life avatar give me cachet among those born after 1980.

So I feel comfortable saying to those of you in my demographic and older: Millennials are here. They're wired. Get over it.

Especially in matters technological, millennials are changing the workplace whether boomers approve or not. And often, we don't. Take last week's story here on NextGov about millennials as computer security risks. You can almost see the raised eyebrows through the lines in Symantec's finding that millennials pose a risk to network security. Just about all the IT managers interviewed grumped about millennials' freewheeling Internet practices, such as checking their personal email and Facebook pages and banking online while at work.

But while the tech czars grumble, those who manage millennials, or struggle to lure them into government, are mellowing. They are finding young digital natives to be an asset, not a pain. The Army, for example, was an early adopter with its computer game recruiting tool America's Army. In late 2006, the CIA's National Clandestine Service set up a Facebook group to recruit new employees. NASA, NOAA, the CDC and other agencies have entered the virtual world, namely Second Life, in part to meet millennials where they live.

And in a January white paper, "On Learning: The Future of Air Force Education and Training," the Air Education and Training Command proposed creating a virtual base, called MyBase, an obvious allusion to the so-five-minutes-ago millennial hang-out MySpace.

What's fun about MyBase is that it originated in Boomer angst. The paper is based in part on research about millennials done by Art Fritzson, a Booz Allen vice president. He was commissioned by "a senior officer who had been appalled to discover a number of junior officers using the . . . Facebook Web site for the purpose of organizing their squadrons." This according to a piece Fritzson wrote along with Lloyd W. Howell Jr., another Booz V.P., and Dov S. Zakheim, a former Defense comptroller now at Booz. Their March 10 report, "Military of Millennials" appears on Booz' Web site, strategy + business. The authors point out that Generation Y, born between 1980 and 2001, is just about as large as the baby boom, lives on the Internet, and views knowledge not as power, but as something that "belongs to everyone and creates a basis for building new relationships and fostering dialogue. . . . They have grown up seeing the thoughts, reactions, and even indiscretions of their friends and peers posted on a permanent, universally accessible global record."

Yes, this does call for a more creative approach to security and the need for adult supervision, but it also makes for a multi-tasking, anti-hierarchy, adaptive group that might just be uniquely suited to defeating the loosely organized, highly networked enemies we face, as well as the elusive, multi-faceted challenges we must surmount.

And by the way, the millennials also turn out to be deeply committed to family, community and teamwork; hugely civic-minded, creative and independent and possibly the most tolerant generation on record. So what if all this comes in a wrapping of tattoos, piercings and baggy clothes? We drove our elders nuts in our time, too.



Considering a new job?
By Dagne Fulcher  |  Monday, March 24, 2008 |  10:05 AM

Maybe you are and you don’t know it.

Monster has released a new book: Finding Keepers. It is full of good tips for recruiting and attracting the best candidates. Feds need to change the dynamic when recruiting and consider new ways to gain talent in the organization. Networking and discussion among colleagues is often a terrific source of potential job candidates. In Finding Keepers, Monster reveals that there are many more folks willing to change jobs than have been originally estimated. It has been viewed that about 20 percent of the workforce are actively looking for new opportunities, and 80 percent are passive, or not looking. However, Monster finds this scenario:

About 30 percent of employees are Settled Loyalists - they “claim allegiance to current job and employer” and are “difficult to recruit.”

About 11 percent are Poised Loyalists – they “claim allegiance but have a lower personal barrier to switch.”

And, about 59 percent are Poised Opportunists – they “are clearly open to the next opportunity to change” and “many are actively looking.”

This research clearly impacts traditional agency recruiting techniques.



FISMA: Route to the Loot
By Andy Boots  |  Monday, March 24, 2008 |  8:25 AM

In a Google search to identify the putative “improvements” to the Federal Information Security Management Act being considered these days, I stumbled on www.fisma.org, a U.K. site for a non-profit organization called FiSMA (acronym meaning unclear). One of the terms the site has seeded for search engines is route to the loot, which has something to do with the purpose of the organization: linking companies to investors.

But I couldn’t help reflecting on how our own FISMA has been just such a route for the many companies which have been paid hundreds of millions of dollars for asking agency employees about security matters, writing the answers down in prescribed format, waiting (on the clock) for government clients to get around to reviewing the documents, rewriting for several more cycles, submitting the final versions for printing/binding/filing, and beginning the updates to the documents for the next C&A cycle. Of course, there are also companies making a nice living over training, background investigations, intrusion detection, configuration management, POA&M tracking, and the myriad of other outgrowths of the "FISMA compliance industry." Some companies actually contribute to security of government information, but most are more than willing to take the route to the loot instead.



Are Federal CIOs to Blame?
By Dagne Fulcher  |  Friday, March 21, 2008 |  4:57 PM

An article in CIO Insight states that CIOs, especially those in large companies, are to blame for the IT skills shortage; and if they were serious about ending the shortage they would make more investments in IT training. This correlates with my post, "Training Anyone?" which suggests that agency CIOs should invest much more in training for their IT professionals.

The annual CIO survey recently released by ITAA and Grant Thornton again points to some of these very same issues elucidated by the CIO Insight article, but highlights the special concerns found in the federal environment. Agency CIOs are hampered by their lack of funding and agency commitment for training and staffing resources.

The “Blame” article also points out that IT executives are frustrated by the lack of skilled workers coming out of the university system, ill-prepared to function in the business world. In fact, federal agencies are lucky to be able to recruit and hire graduates of the Scholarship for Service Program. This program was designed to prepare students to graduate with specific knowledge and skills in IT Security and Information Assurance that would transfer immediately in the workplace.

Finally, “Blame” advises that many companies treat employees as disposable and fewer than half of large companies are successful in creating specific career paths. Again, federal agencies may have an advantage. The CIO Council’s IT Workforce Committee has created an IT Career Development Roadmap to assist IT Professionals in government to build long-term career progression plans.



State Dept. Privacy Invasions No Surprise
By Ari Schwartz  |  Friday, March 21, 2008 |  10:15 AM

Revelations today that contractors at the State Department read Barack Obama's passport history with no authorization in possible violation of the Privacy Act come as no great shock to the privacy community.

In fact, the only reason that this serious breach was caught was because of the high visibility of the victim. Contractors who decide to look up old girlfriends, or worse, regularly use the information for stalking may never be caught, as we have seen in other agencies that do a slightly better job of privacy control.

My organization has expressed concern about the State Department's privacy program frequently over the past two years. They simply do not have the resources to do an effective job. It seems that the goal is to meet the obviously low standard of "satisfactory" in the annual FISMA report.

If State is "satisfactory" today, think how bad things must be at the Defense Department, the only department to receive a "failing" rating on their privacy impact assessment implementation according to the inspectors general.



At War, In Secret
By Bruce McConnell  |  Thursday, March 20, 2008 |  5:00 PM

According to senior officials inside and outside the national security establishment, the Nation is at war in cyberspace.

This war, like many things in cyberspace, confounds traditional boundaries. It is occurring in part on U.S. soil, where many of the attacked public and private sector computers are located. While some attacks are coming from foreign powers, others are from terrorist groups, and still others come from organized crime. Often the identity and intent of the attackers is unclear.

As Samuel Adams said in 1768, “Even when there is a necessity of military power, within the land . . . a wise and prudent people will always have a watchful & jealous eye over it.” Indeed, it is longstanding policy in this country that the military not be used to enforce the law on U.S. soil, except in major emergencies. This division between national security and civilian law enforcement activities is maintained in electronic surveillance as well. It colors the current FISA extension debate.

Few observers believe these divisions work in cyberspace. Yet there is no clear vision of how to proceed while guarding the underlying principles. For that reason, this matter deserves a considered public conversation. While a national cyber security initiative is necessary and timely, the secrecy surrounding the Administration’s program does not serve the Nation's long term interest.

Former Defense Secretary Robert McNamara said, speaking of Vietnam, "We failed to draw Congress and the American people into a full and frank discussion and debate of the pros and cons of a large-scale military involvement . . . before we initiated the action." We still have the opportunity to avoid that mistake in cyberspace.



Unofficial Coast Guard Blogger Fired
By Allan Holmes  |  Thursday, March 20, 2008 |  12:42 PM

Over the past year, an increasing number of federal employees have set up blogs -- some officially sanctioned and some not. It's hard to gauge exactly how the blogs (especially the unsanctioned ones) are being received in government's top executive offices, but for one blogger, it may have not been received well.

Michael McGrath, a 26-year veteran of the Coast Guard and until recently employed by a contractor working for the Coast Guard, wrote that he was fired last week. McGrath says he was fired for expressing his views on CGBlog.org, the Unofficial Coast Guard, which he contributes to, that were not received well. In a March 17 post for the Unofficial Coast Guard Blog:



Workforce Planning is Vital for the Future
By Dagne Fulcher  |  Wednesday, March 19, 2008 |  4:22 PM

My fellow blogger, Alan Balutis, expressed significant insight when commenting that organizations should continue to employ strategic human resource planning in spite of the impending retirement tsunami that has not yet really developed. Ongoing workforce planning is critical to determine an organization’s targeted needs to meet mission goals. And, as the exodus builds, year by year, agencies must be prepared.

I was privileged to head up the IT community’s Workforce Capability Assessment for several years and realized the value of the governmentwide information that it produced. The assessment, recently released, (late partly due to my retirement) provides a macro look at the bench strength of the IT workforce and hones in on competency and skill gaps that should be addressed in critical job areas. In addition, agency-specific data can be and is used to inform analysis at various levels in individual departments and agencies.

Other communities have adopted the IT assessment model, including the Acquisitions Community, discussed in a FAI newsletter. This example of workforce planning allows agencies and functional communities to be strategically positioned for the future.



IAC Appointments, SESers and Political Reality
By Alan Balutis  |  Tuesday, March 18, 2008 |  5:15 PM

In my industry/government conference wanderings, I stopped by Orlando this month for the annual IPIC conference. This is usually a "must attend" event in government and industry circles and has been around so long that few can recall what "IPIC" stands for. (Here's a hint: The first two letters stand for "Information Processing.")

So what was a hot topic for the government folks in attendance? Well, no surprise, it is the upcoming transition. For political appointees, it's all about their life after government, with only a little over 300 days left in office. For the careerists -- many of whom have never been through one before -- there was some apprehension about what will face them.

In the midst of that uncertainty comes a request from the Industry Advisory Council (IAC) leadership to several career government leaders to co-chair IAC's Transition Report effort. What is the drawback to such an invite? The industry co-chair is Mark Forman, now at KPMG and the first e-government czar at the Office of Management and Budget. Mark is a wonderful person -- bright, hard working, considerate. I think very highly of him. But how exactly would a career SESer (Senior Executive Service) explain his or her pairing with a representative of the previous administration to his or her new political boss? Even Sen. John McCain campaign officials are thinking hard about how and where to use President Bush in the upcoming election campaign. It seems that "fundraising" and "securing the conservative base" are the main tasks at present.

But let's keep a watchful eye on what careerist lands this plum assignment from IAC. I will organize the pool on where that person lands -- after the first 120 days under a new political regime (that being the so called "cooling off" period when an SESer cannot be moved). I hope there are openings at Unisys or InterImage.



The Perfect Management Storm
By Alan Balutis  |  Monday, March 17, 2008 |  3:23 PM

The new president, coming into office Jan. 20, 2009, will face what the current head of the Office of Personnel Management has called a “retirement tsunami." According to many experts, 60 percent of the federal government’s rank and file workforce and 90 percent of its top managers will be eligible to retire in the next decade. OPM projections show that nearly 61,000 full-time permanent federal employees will retire in fiscal 2008 and that the number of retirements will peak between 2008 and 2010 – just as an incoming president seeks to launch her or his new administration.

Over the next five years, the federal government will lose more than 550,000 employees. But the market for recruits has never been more competitive and government employees are locked in a fierce contest with the private sector.



Fraud, Waste and Abuse Risk Doesn't Exist Overseas?
By Robert Charette  |  Monday, March 17, 2008 |  8:09 AM

Amazingly, it appears that the risk of contract fraud, waste and abuse doesn't exist overseas, only here in the United States. At least according to the Office of Management and Budget and the White House.

A story in the Washington Post notes that a new rule that requires U.S. contractors to report fraud, waste and abuse (FW&A) they find while performing work provided an exemption to those contractors doing work overseas.

So, the only conclusion one can reach is that OMB doesn't think there is any risk of FW&A in overseas contracts, or that it is perfectly OK for U.S. contractors to ignore (or engage in?) FW&A overseas.

So, which is it?



IPv6, Yesterday's News?
By Mary Ellen Condon  |  Sunday, March 16, 2008 |  10:45 PM

Is IPv6 yesterday's news? Or is it? Are organizations integrating the functionality promised by IPv6 into the infrastructure of the organization? What is the level of commitment to incorporating the functionality of IPv6 to provide the enhanced security and information protection that is necessary as information sharing, information dissemination become the norm?

Is the there, there to obtain the long term focus to transition an organization from IPv4 to IPv6?
Has your organization started the journey?



Web Headlines
By Allan Holmes  |  Friday, March 14, 2008 |  11:50 AM

Headlines from around the Web for Friday, March 14, 2008
Compiled by Melanie Bender

Bush Calls for Tighter Cybersecurity
USA Today
The increase and severity of data breaches in the United States in the past year have prompted Bush to recommend a 10 percent increase in cybersecurity funding for the coming fiscal year, to $7.3 billion. That's a 73 percent increase since 2004.

FCC Defends Its Database, Management Tools
InformationWeek
The Federal Communications Commission responded to a 53-page Government Accountability Office report that says the commission doesn't properly collect and analyze data, making it impossible to analyze the effectiveness of its enforcement. According to employees, the FCC has made some changes toward improvement and the GAO report is based on old information and inaccuracies.

D.C. Subway Moves Toward Cell Reception in Tunnels
The Washington Post
Metro is taking the first step toward building a new wireless system that would let all riders talk on their cellphones while riding the subway after years of customer complaints that only Verizon users can get reception underground. This network also would support Metro's plan to provide real-time information and advertising on flat-panel monitors in rail cars, train stations and buses.

Project Management Skills Still in Short Supply, CIO Council Finds
Federal Computer Week
A CIO Council Information Technology Workforce Capability Assessment issued on Thursday found that the number of respondents who said they are project managers decreased by 3.4 percent since 2004, and their proficiency in the skills necessary has remained largely unchanged.

Congressman Issues Warning Over Contractor Bill
Washington Technology
The House Committee on Oversight and Government Reform on Thursday passed the Contractors and Federal Spending Accountability Act, and Rep. Tom Davis (R-Va.) is warning this could result in the removal of prominent government contractors.

Maxwell Air Force Base Has High-Tech Aims
The Montgomery Advertiser
The 754th Electronic Systems Group at Gunter Annex has changed its approach to cybersecurity. Recognizing that the enemy will, at times, access military networks, the group aims to protect information from within.

Md. Governor Joins Tech Tax Opposition
The Baltimore Sun
Gov. Martin O'Malley threw his support behind a growing effort to repeal a $200 million tax on computer services. The governor, a Democrat, said it was unfair to expand the sales tax to just one industry and echoed the sentiments of many lawmakers who believe the application of the levy was not thoroughly vetted when it was approved in November.

Cyber-Curious Seniors Explore the Digital Age
The Baltimore Sun
Senior citizens once averse to the technology have begun exploring e-mail and instant messaging to stay in touch with friends, children and grandchildren. To aid them in their quest, senior centers, retirement communities and long-term care facilities have opened Internet cafes and have begun offering classes to teach older Americans what many of them swore they would never need.

FBI Found to Misuse Security Letters
The Washington Post
The FBI has increasingly used administrative orders to obtain the personal records of U.S. citizens rather than foreigners implicated in terrorism or counterintelligence investigations, and at least once it relied on such orders to obtain records that a special intelligence-gathering court had deemed protected by the First Amendment, according to two government audits released Thursday.



Social Security Numbers: Law of the Land
By Andy Boots  |  Friday, March 14, 2008 |  11:06 AM

In a recent piece, Allan Holmes cites:

... an editorial in the New York Times Thursday, [which] calls the 2007 Secure America Through Verification and Enforcement Act, "a bad idea compounded by the notoriously bad state of federal government records."

This reminded me about the continued hysteria about Social Security numbers in federal records, with officials hurrying to the microphone or the hearing room to decry how privacy is at risk because government agencies use Social Security Numbers as identifiers. Though apocryphal, I find it easy to believe the story about the congressman who tried to introduce a measure forbidding the Social Security Administration from maintaining records that would include a person's SSN.

I wonder if Executive Order 9397, Numbering System for Federal Accounts Relating to Individual Persons, has ever been repealed (or retracted, or whatever happens to executive orders that no longer seem a good idea). The salient paragraph in EO 9397 is the first one:

Hereafter any federal department, establishment, or agency shall, whenever the head thereof finds it advisable to establish a new system of permanent account numbers pertaining to individual persons, utilize exclusively the Social Security Act account numbers assigned …

Signed by Franklin Roosevelt, November 1943.



Garbage in, Garbage Out
By Allan Holmes  |  Thursday, March 13, 2008 |  5:12 PM

In an editorial in the New York Times Thursday, the paper calls the 2007 Secure America Through Verification and Enforcement Act, "a bad idea compounded by the notoriously bad state of federal government records."

The act would, among other things, "force all workers, including citizens, to prove they have a right to earn a living," by relying on the Social Security Administration to verify Social Security numbers for workers, the paper contends. The problem is that one SSA database has a 4 percent error rate, which would mean possibly thousands of workers would face firings and discrimination.

Other federal databases contain errors. The inspector general at the Justice Department reported last year that the Terrorist Watch List, which is used to screen 270 million people a month to identify possible terrorists, has a large error rate. "In an examination of 105 records, for example, the auditors found that 38 percent of the records contained errors or inconsistencies that the [Terrorist Screening Center's] own quality-assurance efforts had not found," according to a Washington Post article.

As the federal government relies more on information technology to support critical decisions, the importance of how clean its data is rises.

How confident are you that your data is error free?



Web Headlines
By Allan Holmes  |  Thursday, March 13, 2008 |  2:30 PM

Headlines from around the Web for Thursday, March 13, 2008
Compiled by Melanie Bender

How Did H-1B Visas Get Such a Bad Reputation?
NetworkWorld
As the April 1 deadline to file H-1B visa applications nears, the debate is heating up among IT industry watchers and skilled workers over whether the often maligned program adequately serves U.S. companies or American workers as it was originally intended.

Harvard Grad Students Hit in Computer Intrusion
ComputerWorld
Harvard University is offering a year of free credit monitoring to over 6,000 individuals after their Social Security numbers were compromised when a Web server for the Graduate School of Arts and Sciences was hacked in February.

CIOs Promote 'Fusion' Strategy
ComputerWorld
Forget about mere IT-business alignment. At many companies, the new name of the game is melding technology and business operations, with CIOs getting a say in setting not only IT plans but business strategies as well.

Microsoft Executives Urge More Long Term U.S. Investment in Tech
InformationWeek
The United States risks falling behind other countries in innovation if the government doesn't invest and shape policy to keep it ahead, Microsoft chairman Bill Gates and chief research officer Craig Mundie warned in a speech and discussion with Virginia's technology leaders Thursday.

United States, Germany Will Share Biometric Data
Federal Computer Week
The United States and Germany will share some biometric information in their respective fingerprint databases, officials from both countries announced Tuesday. It is hoped the arrangement will help stymie the efforts of known and suspected terrorists from entering each country.

Is Parallel Computing the Next Big Thing?
CIO Insight
Parallel computing has been hyped for years as the next big thing in technology. But now, Microsoft's chief research officer thinks it's time to set the company's long-term technological direction in line with this idea.

NTP Soon to Feature Extra Timeliness
Government Computer News
Internet Engineering Task Force engineers are sharpening the Network Time Protocol's granularity of time measurements, as well as making the veritable time-synchronization standard compatible with version 6 of the Internet Protocol.

Winter Olympics Security Hinges on Information Sharing
Washington Technology
Information sharing needs to improve between the U.S. and Canadian governments, and between public agencies and the private sector, to prepare for the 2010 Winter Olympics in Vancouver, an industry expert told Congress yesterday.

Password-Stealing Hackers Infect Thousands of Web Pages
InfoWorld
According to McAfee researchers, hackers looking to steal passwords used in popular online games have infected more than 10,000 Web pages in recent days. The infected Web sites look no different than before, but the attackers have added a small bit of JavaScript code that redirects visitors' browsers to an invisible attack launched from the China-based servers.

Next Tax Proposed to Replace Md. Tech Tax
The Baltimore Sun
Support is mounting in the General Assembly for a plan to replace Maryland's new computer services tax with an income tax surcharge on top earners. If approved, the income tax would take effect July 1, the day the technology tax would otherwise go into effect.



FDA and Rethinking Medical Device Approvals
By Robert Charette  |  Wednesday, March 12, 2008 |  9:04 PM

There was an interesting story in today's Boston Globe. It appears that there are significant security gaps in "implanted devices that help regulate heartbeats and use wireless technology."

Dr. William H. Maisel, director of the Medical Device Safety Institute at Beth Israel Deaconess Medical Center in FDA who led a research project into medical device security risks, says in the story:

"With some technical expertise, we were able to retrieve information from the device [built by Medtronic] in an unauthorized fashion. We were able to send commands to the device in an unauthorized fashion and could reprogram settings and even tell the device to deliver a high-voltage shock."

While Maisel says not to worry, that the technical expertise required to hack these devices is very high, how long do you think it will be before hackers actually are able to replicate what Maisel and his team of researchers were able to do?

Of course, medical device manufacturers like Medtronic don't really have to worry too much. Given the recent Supreme Court ruling on Class III medical devices, all they have to do is to add the risk to their warning label, get the FDA to approve it, and they are immune if their devices get hacked.



Clarke II: Cyber-Offensives Not Good Idea
By Allan Holmes  |  Wednesday, March 12, 2008 |  5:50 PM

Government Executive's Bob Brewin reports today that the Pentagon has come closer than ever to admitting it will engage in offensive cyberwarfare if provoked, including knocking out satellites and networks operated by adversaries. That's not a good idea, says Richard Clarke, former special advisor on cybersecurity for President Bush who spoke today at the inaugural Source Boston security conference, according to an InfoWorld article.

"The concept of mutually assured destruction that was employed by the U.S. and U.S.S.R. during the Cold War to discourage nuclear attack doesn't port well to the world of cyberspace, but the president's advisors seem to think that it will, he said," InfoWorld reports.

Says Clarke:

In cyber-space, who knows what capability anybody has? It's much more important to know what you could do if someone launched an attack on the U.S., how much could [someone] really shut down and what would be the effect, I suspect that the U.S. is much more vulnerable than other countries, because we are more wired and dependent on cyberspace. China has structured its infrastructure such that it can shut itself off, and create [its] own environment if it wants to; so it seems that there are asymmetries.

Clarke says the United States should focus more on telling American corporations and government agencies where common infrastructures and applications are vulnerable and how to patch them.



Clarke I: Less Privacy with Bush Protection Plan
By Allan Holmes  |  Wednesday, March 12, 2008 |  5:31 PM

Richard Clarke, former special adviser on cybersecurity for President Bush and an outspoken critic of the Bush administration, recently criticized the national electronic security initiative Bush signed in January. According to an article posted by InfoWorld today, Clarke raised the specter that Americans' privacy could be at stake because the initiative focuses on "securing the government's own computing and communications networks, and adopting a more proactive approach to engaging in cyber-warfare," according to the article.

If that is true, Clarke says:

There's the idea that somehow these are government networks that we're talking about, but they really aren't, all these government sites are running through the same network of routers and the same fiber channels as everything else, there's no segmentation on these carrier networks. This means that [the plan's authors] either don't know that and merely think they need to reinforce security on state-owned servers, or data in their own facilities, in which case they are missing most of the problem, or that they plan to do monitoring of everything going through the carriers' systems.


The Tsunami that Never Came
By Alan Balutis  |  Wednesday, March 12, 2008 |  2:06 PM

Over the last several weeks in Government Executive and elsewhere one has seen articles playing off the phrase coined by Office of Personnel Management Director Linda Springer of a pending "retirement tsunami." Brian Friel of Government Executive probably put it best: "Since the beginning of the decade, federal human resources watchers have been predicting a tsunami of baby boomer retirements that would empty government offices, leaving a handful of ill-prepared Generation Xers to handle all of Uncle Sam's work. How many times have we been told that half the federal workforce and 80 percent of senior executives would soon be out the door?"

The answer clearly is "too many times." I've discussed the matter with Human Resource experts in government and here is what I would come out with as a bottom line:


  • The yearly increases in retirements projected by OPM were clearly too high;

  • Retirements have increased, but not as much as expected;

  • Lots of speculation on the reasons for the above, but no one seems to really know;

  • Regardless, certain agencies -- Friel notes the Social Security Administration, others include the Federal Aviation Administration -- and certain occupations -- Federal Times has highlighted IT and medical personnel -- do seem to be getting hit harder; and finally,

  • Strategic planning for Human Resources is still badly needed.

I think the last bullet may be key. This is a matter that has not gotten the proper attention in government. It took the "scare" of a retirement tsunami for the Government Accountability Office to put the issue on its high-risk list and for the Office of Management and Budget to add it to the President's Management Agenda. While the tsunami has yet to break -- and perhaps as a governmentwide issue or wave, it never will -- there is still a need for strategic HR planning. The real strategic thinker will look below the surface. She or he will see where the retirements are really coming and the needs really exist.

In other areas, in certain occupations, the government may actually want to encourage departures. Such positions may no longer be needed in the same numbers as in the past. In other cases, the losses can and will be devastating. Perhaps we can put the alarmist language aside. But if we do, let's not undermine efforts to strengthen government's HR planning capacities and the need for strategic thinking there.

What say you?



Web Headlines
By Allan Holmes  |  Wednesday, March 12, 2008 |  1:17 PM

Headlines from around the Web for Wednesday, March 12, 2008
Compiled by Melanie Bender


Bill Gates Says Immigration, Education Reform Needed For U.S. To Compete
InformationWeek
Bill Gates told members of the House Subcommittee on Science and Technology they need to help America remain globally competitive by increasing funding for science and math education, basic science research, and to raise the cap on green cards and H-1B visas for foreign talent.

A Heart Device Is Found Vulnerable to Hacker Attacks
The New York Times
While the threat is largely theoretical, a team of computer security researchers plans to report that it had been able to gain wireless access to a combination heart defibrillator and pacemaker, reprogramming it to shut down and to deliver jolts of electricity that would potentially be fatal — if the device had been in a person.

Philadelphia Pays Consultant $200,000 for Wi-Fi Work
The Philadelphia Inquirer
Philadelphia's CIO admitted on Tuesday that Wireless Philadelphia, the municipal Wi-Fi network that was to be built for free, has a $200,000 price tag in the form of a consultant serving as technical project manager.

Union Decries Increasing Number of Outsourced IT Contracts for California
The Sacramento Bee
A report compiled by the Service Employees International Union notes information technology contracts awarded by the state have tripled since 2003, and California could save up to $100 million annually by reducing its reliance on contractors.

New Collaboration Tools Provide Support to Soldiers Anywhere, Anytime
Government Computer News
The Army’s Telemaintenance Program, based at Fort Monmouth, N.J., can provide this direct support to warfighters by using a combination of Adobe Connect Professional, satellite communications, a headset and laptop PC. Similar satellite communications are proving essential for the U.S. Africa Command.

CDT Launches Health Privacy Initiative
InfoWorld
Privacy needs to be a higher priority as the U.S. government and other groups push for adoption of health IT as a way to improve the country's healthcare system, said the Center for Democracy and Technology, which has launched a health privacy initiative.

Box Repels Youths, but Adults Can't Hear It
The Baltimore Sun
A British inventor's security device repels youths with its high-pitched pulsating sound that can mostly be heard only by teens and people in their early to mid-20s. And it's being used and abused on both sides of the Atlantic now.

It’s Easy, and Expensive, to Forget About Old Equipment
The New York Times
Sloppy inventory control can cause major headaches for companies -- including potential tax and legal consequences. So one entrepreneur has started a company to develop a method for continuous tracking of assets from the warehouse receiving dock to the dumpster.



OMB's FISMA Reporting a Win for Privacy
By Ari Schwartz  |  Wednesday, March 12, 2008 |  11:06 AM

Traditionally, privacy experts cringe at any sentence that uses "security and privacy" together as a pairing. It is usually a cover for protecting personal information from outside misuse while creating new questionable practices for internal use of personal data.

OMB's ever-increasing privacy reporting within FISMA seems to be a clear example of where tying the two together has benefited privacy accountability within agencies. The 2007 FISMA report released earlier this month offered more detailed accounting of privacy activity than at any time since Chief Privacy Counsel Peter Swire left OMB at the end of the Clinton Administration and showed that some agencies are making improvements.

At a Government Reform Committee Hearing yesterday, E-Government Administrator Karen Evans made a persuasive case that privacy reporting was going to improve even more in 2008, pointing to the January Memo requiring even greater measures to be tied into FISMA reports. Evans deserves credit for standing steadfast in this strategy that has failed before, but is clearly working today.



Army's FCS Still 70 Percent Probability of Success?
By Robert Charette  |  Wednesday, March 12, 2008 |  9:02 AM

As reported by Government Executive's Bob Brewin, the latest GAO report on the Army's Future Combat System, "Significant Challenges Ahead in Developing and Demonstrating Future Combat System's Network and Software," is not particularly flattering.

As the GAO report notes, "Almost five years into the program, it is not yet clear if or when the information network that is at the heart of the FCS concept can be developed, built, and demonstrated by the Army and LSI."

Does this mean that the FCS probability of success has slipped below the 70 percent mark (actual "in excess of 70 percent") that then Chief of Staff of the Army General Peter Schoomaker in 2004 told Congress after FCS was restructured to follow a spiral process?

Some of you may recall that before the restructuring, Schoomaker told Congress that FCS had only a 28% chance of success (which makes one wonder how given its size and importance to the Army it ever was allowed to proceed in the first place).

I would be interested, given the latest difficulties, what the Army now thinks the probability of success for FCS is today - higher or lower than 70 percent?

I hope someone in Congress asks them.



Log on and Get Fired
By Allan Holmes  |  Tuesday, March 11, 2008 |  5:28 PM

U.S. News & World Report outlines in an article posted today five ways using your PC can get you fired. Of course, there's the viewing of inappropriate content and playing games like Solitaire. (New York City Mayor Michael Bloomberg fired an employee after seeing the game on his computer monitor.) But also included on the list are some not-so-obvious uses, such as blogging, posting photos on your social network site and writing inappropriate or offensive emails. These offenses happen more than you may think: "Nearly one third of bosses have fired workers for misusing the Internet, according to a recent study by the American Management Association and the ePolicy Institute," U.S. News reports.



Web Headlines
By Allan Holmes  |  Tuesday, March 11, 2008 |  12:37 PM

Headlines from around the Web for Tuesday, March 11, 2008
Compiled by Melanie Bender

Tech Companies Feel Skilled Labor Shortage
NetworkWorld
The National Foundation for American Policy released Monday its findings that U.S. technology and defense companies average 470 and 1,265 high-skilled job openings, respectively. Research was conducted between December 2007 and February 2008.

Senator Describes Black Market in H-1B Visas
ComputerWorld
U.S. Sen. Chuck Grassley said yesterday that the White House isn't enforcing the H-1B program, and he cited a number of abuses in a letter to Homeland Security Department Secretary Michael Chertoff asking him to detail what the department is doing to enforce the program.

Security Must Evolve, CERT Official Says
ComputerWorld
Security has to evolve into something that supports business, rather than the other way around, according to Lisa Young, senior member of the technical staff at Carnegie Mellon University's Computer Emergency Response Team. She explains the tendency is to want to start locking things down, so security is something that disables, not enables, business.

Should You Hire a Convicted Hacker?
InformationWeek
The very skills that can land hackers behind bars are skills they share with high-achieving, law-abiding IT security professionals. However, convicted hackers looking for legitimate employment are not necessarily finding it in the enterprise after they complete their sentences. Some high-profile hackers have become teachers, lecturers and journalists.

Coast Guard Tests Fingerprinting at Borders
USA Today
In an ongoing test program, the Coast Guard has been taking digital fingerprints of people picked up on boats headed to Puerto Rico from the Dominican Republic. The fingerprints are then checked against a government database that shows deportation orders and criminal records; this practice has led to more than 100 prosecutions in the past year.

Ohio Supreme Court Refuses to Interfere with Secretary of State's Directive for Paper Ballots
Government Technology
The Supreme Court of Ohio unanimously denied the Union County Commissioners' request for an order that would have prevented Secretary of State Jennifer Brunner from implementing a recent directive she issued to require county boards of elections using touch screen machines to have backup paper ballots available for voters who want them.

Candidates Use Predictive Analytics to Seek Votes
eWeek
With only so much money to go around, candidates are trying to court voters in smart ways. One emerging method is microtargeting, a means of helping campaigns target their funds toward the right voters — those who haven't decided to vote for another candidate achieved by analyzing combinations of demographic, marketing and other forms of data.

Cyber Storm II Underway
Federal Computer Week
Players from nine states, four foreign governments, 18 federal agencies and 40 private companies that work in information technology, telecommunications, chemicals, and pipe and rail transportation infrastructure have begun the weeklong exercise sponsored by the Homeland Security Department.

NSA Extends Access Control to Network Storage
Government Computer News
The National Security Agency is leading an effort to extend its access control work into the arena of network file storage. Their approach calls for deploying the NSA's security architecture so organizations can ensure that machine intruders don't hijack programs to execute malicious tasks.

Fed Networks Increasingly Under Siege
Federal Times
Last year, federal agencies reported more than 5,600 cases of computer attacks, intrusions, probes and plantings of malicious code from unseen enemies around the world. That’s up 56 percent from the previous year and up 80 percent from two years ago, according to a new report by the Office of Management and Budget.



Feds Forget the "I" and "A" in Security's C-I-A
By Andy Boots  |  Tuesday, March 11, 2008 |  9:23 AM

Most of us who have taught information security at one time or another have relied on the C-I-A mnemonic to help our students think of the multiple dimensions of information security. Confidentiality, Integrity and Availability are well understood to be the ways one should view the task of information protection.

But well over 90 percent of FedWorld dialogue about security of the U.S. government enterprise is about confidentiality – preventing unauthorized access to sensitive information – though the other two aspects are arguably more important.



Web Headlines
By Allan Holmes  |  Monday, March 10, 2008 |  7:27 PM

Headlines from around the Web for Monday, March 10, 2008
Compiled by Melanie Bender

IT Harnesses the Power of Project Management
Network World
With an economic downturn in sight, industry watchers argue project and portfolio management (PPM) processes - in some cases augmented with commercial tools - can help IT managers deliver more successful projects, prioritize projects based on business need, and maximize financial resources when deploying technology.

ICANN Looks Toward End of U.S. Agreement in '09
ComputerWorld
The Internet Corporation for Assigned Names and Numbers is starting to look at how the organization might function after its current memorandum of understanding with the U.S. Department of Commerce expires in September 2009, suggesting it should become independent of Commerce Department oversight. Representatives from countries other than the U.S. question why the American government should have primary oversight of the organization.

U.S. Military Restricts Google Maps
InformationWeek
When the Department of Defense became aware that Google's roving photographic vehicles had taken pictures of Fort Sam Houston in San Antonio, Texas, and that images of the base were loaded onto Google Maps' Street View feature, military officials contacted Google to make clear that Google's image capture efforts are not allowed on bases and other restricted sites.

Online Vote Discussed for Florida
Miami Herald
While the Democratic Party debates redoing the Florida presidential primary, advocates of Internet voting say they could orchestrate a voting process that would offer security at least equal to that of an equally rare ballot by mail, while attracting more voters -- and at about half the cost.

New Sign Emerges of IT Job Weakness
CIO Insight
According to a CIO Insight analysis of U.S. Bureau of Labor Statistics data, for the first time in nearly three years, the number of people employed by IT services firms has declined, ending a 32-month stretch of employment gains in the sector the government tags computer systems design and related services.

CREW: White House Misled Court About Missing E-Mail
Federal Computer Week
Citizens for Responsibility and Ethics in Washington, a government watchdog group participating in a lawsuit against the Bush administration over the alleged loss of millions of e-mail messages, asked a federal court to hold administration officials in contempt, saying the Office of Administration’s chief information officer appeared to have knowingly submitted false, misleading and incomplete information to the court in January.

VA Adopts Microsoft's Rights Management Services
Government Computer News
When Veterans' Affairs employees send Word, PowerPoint or Excel files, or Outlook e-mail messages to others, they can set permissions on what the recipients can do with those documents. This is one measure the department is taking in hopes of increasing its data security.

States Falling in Line with Real ID
Government Computer News
All but four states have made preparations to comply with a May 1 deadline for compliance with the federal Real ID law, according to specialists inside and outside the federal government. However, a number of states are grappling with the technical issues of setting up systems that will ensure that applicants for driver's licenses are vetted for proof of identity and legal presence in the country.

AF Cyberstrategy to Focus on Disrupting Attacks
Washington Technology
The new Air Force Cyber Command issued a strategic vision statement Thursday outlining the military unit’s goal of strengthening cyberspace capabilities to defend national interests. The report noted the Cyber Command’s vision is to develop capabilities to defend against cyber attacks, to “create effects” in cyberspace against hostile attackers and to integrate those abilities with the military’s other systems.

Rural Internet Access in Maryland on Hold
The Washington Times
Though state lawmakers voted two years ago to set aside the money to build a "spine" of fiber-optic cable in three rural regions of the state where Internet-service providers don't always provide high-speed access, work has stopped at the Choptank River. Environment officials declare a $1-a-foot annual permit is required in order for the cables to be put in place.

Food Industry Tests Techno-Tasters to Judge Flavor
The Washington Post
The successful test of an electronic tongue and nose was one of several in recent years hinting that automated food and beverage sensors may someday match, or even outperform, their human counterparts. Illustrating this point is the USDA, which has begun testing a machine to grade sides of beef.



More Evidence That TIA Lives
By Allan Holmes  |  Monday, March 10, 2008 |  6:20 PM

Concerns that the Total Information Awareness system (a network to sift through Americans' personal data) never truly was killed were resurrected (again) by the Wall Street Journal in an article published March 10. "According to current and former intelligence officials, the spy agency [National Security Agency] now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records," according to the article. The Journal cites a Federal Bureau of Investigation program to track telecommunications data called the Digital Collection System, which has attracted the attention of Congress.

One of those speculating that this has been going on for some time has been National Journal's Shane Harris.



Citizens' Privacy at 'High Risk'
By Maureen Cooney  |  Monday, March 10, 2008 |  7:15 AM

The Government Accountability Office recently reiterated its designation of information security as a governmentwide “high-risk issue” in its report, Information Security: Protecting Personally Identifiable Information. The high-risk designation for information security in the federal government has been included in GAO reports to Congress each year since 1997. Along with its own audits, GAO’s most recent high-risk assessment was based on consideration of annual reporting by federal agencies of their own assessments of risk, including certain material risks reported regarding information security.

Consequences of real and perceived inadequacies in information security policies and controls

Under what circumstances would U.S. consumers confidently continue to share their data with companies that self report under Sarbanes-Oxley that their operations put customer data at high risk? Frankly, it is hard to imagine the likelihood that such companies could easily maintain the continuing trust and confidence of customers or shareholders without significant costs. In fact, Larry Ponemon, chairman of The Ponemon Institute, has reported that U.S. businesses have seen a steady exodus of customers, a reluctance of some customers to share data and increased costs, including from lost business opportunities, following disclosure of data breaches at their companies. Should we expect the reactions of U.S. citizens to be any different in the federal space? It seems unlikely.



Government's Flexible Definitions of Risk
By Robert Charette  |  Sunday, March 9, 2008 |  3:24 PM

I'm still trying to come to terms with what the term "risk" actually means to the government.

In today's Washington Post, there is a story about the Agriculture Department prohibiting the use of beef from so-called "downer cattle" in federally funded school lunch programs, but it also allows the beef under certain conditions to be sold to the general public. As the article notes, this disparity seems to undermine Agriculture's claims that there is no food safety reason to ban meat from all cows too sick or injured to stand.



Digital Native Appeal
By Dagne Fulcher  |  Sunday, March 9, 2008 |  11:40 AM

My friend and former colleague, Darren Ash, chief information officer at the Nuclear Regulatory Commission, writes in Federal Times about using new tools to conduct work, retain staff and transfer knowledge to keep pace with today’s environment and changing workforce, and to meet emerging agency needs. Darren provides an excellent overview on key strategies for agency CIOs to consider to move forward technologically with an edge for the future.



GAO High Risk is JTL
By Robert Charette  |  Saturday, March 8, 2008 |  4:01 PM

Last week the Government Accountability Office placed the Census Bureau’s 2010 census effort on its high risk list. As I have noted elsewhere on this blog, this is a case of risk management JTL – Just Too Late. The GAO really needs to change the name of its High Risk List to the Very Big Problem List, since nearly every one of the programs on its list is one in serious trouble. As highlighted by Census Bureau Director Steve Murdock in relationship to the issues that landed it on the GAO High Risk List, “I cannot overemphasize the seriousness of this problem." (My emphasis.)

If the GAO really wants to do some real good, it needs to make a clear distinction between projects or programs in trouble and those headed for trouble.

Speaking of High Risk Lists, isn’t it about time for the fiscal 2008 first quarter OMB High Risk List to be published? I am really curious to see whether the fiscal 2007 fourth quarter improvement rate has continued.



Unfazed by Alliant Ruling
By Gautham Nagesh  |  Friday, March 7, 2008 |  12:04 PM

In case you missed the story yesterday, the U.S. Court of Federal Claims came down this week on the side of the companies protesting the awards of the General Services Administration's Alliant contract. The contract, estimated to be worth $50 billion over 10 years, provides agencies a way to buy information technology services.

Of course the big question now is: What's next? GSA is keeping mum for the moment and none of the parties involved in the case have been eager to comment on the decision's implications. However, Kelly Fleury, federal sales manager with MTC Technologies in Dayton, Ohio, one of the original Alliant awardees, contacted me this morning to discuss her company's outlook following the decision.

During our phone conversation, discussion of the court's ruling and GSA's plans was off-limits, but I did get the impression that MTC remains confident that this program will move forward eventually and without radical changes.

"We have no reason to believe that we need to change our business plan," Fleury said. "We are moving forward with our business plan very aggressively." She went on to talk about the marketing efforts her company is planning for April. "It's a big push towards educating end users about what Alliant is and how it can be of benefit to them," she said.

Fleury also talked at length about the importance of informing all those involved in the procurement process -- from chief information officers and program managers on down -- about the advantages of Alliant.

Noticeably missing from our conversation was any mention of a definitive date for the Alliant kick-off. "We're in no position to comment on GSA's kick-off date," Fleury said. But she added, "As of now, GSA has not announced any date, but we believe we're in the home stretch."

When asked whether the company's educational outreach efforts were in violation of the judge's ruling that prohibits further work by contractors or GSA on Alliant, Fleury again declined to comment.

So it looks like there's more to come, especially regarding the GSA's reaction to the decision, which so far has amounted to the canned two-sentence response at the end of the article. While there is widespread speculation on what the GSA is planning, the two most likely options seem to be either negotiating with the eight protesting companies in hopes of finding a mutually satisfactory solution or revamping the entire awards process and starting over. Obviously the former would be much more palatable than the latter.



Web Headlines
By Allan Holmes  |  Friday, March 7, 2008 |  10:26 AM

Headlines from around the Web for Friday, March 7, 2008
Compiled by Melanie Bender


Washington Prepares for Cyber War Games
The Washington Post
"Cyber Storm II," the largest-ever exercise designed to evaluate the mettle of IT experts and incident response teams from 18 federal agencies, is set for next week in Washington. Escalating scenarios will test for weaknesses in the response methods of the companies and agencies.

Tech Leaders in Massachusetts Scramble to Make Hires
NetworkWorld
According to a state official, 30 percent of the IT professionals in the commonwealth plan to retire within the next five years. The dwindling number of computer science majors -- even at schools like the Massachusetts Institute of Technology -- is compounding the problem.

RFID Encryption Flawed in Smart Cards, Researchers Claim
NetworkWorld
Recent media attention given to University of Virginia research showing that RFID encrypted cards could be cracked with just $1,000 of technology has caused concern in Boston, where the subway system uses the technology for its CharlieCard.

U.S. Worried That High H-1B Demand May Tempt Some to 'Game' Visa Lottery
ComputerWorld
The U.S. is concerned that some companies, desperate to get an H-1B visa, may try to "game" the random visa lottery selection process to improve their odds. To prevent that sort of interference, the U.S. Citizenship and Immigration Service is considering regulations that would penalize any company that attempts to seek an unfair advantage for its visa petitions in the selection lottery.

Who Needs IT Experts? Workers Take Control
InformationWeek
Describing the practice as "consumerization," industry observers say savvy workers frustrated with their on-the-job computer tools are not waiting around for IT to help them, but instead pulling what they need right off the Web.

Pa. County Switches from Touch-Screen to Optical Scan E-voting Machines
ComputerWorld
The Lackawanna County, Pa., board of commissioners decided to use optical scan voting machines instead of touch-screen machines not because of concerns about the controversial touch screens, but because they couldn't resolve legal concerns with the Texas company that manufactures the touch-screen machines.

What Will a Recession Mean for IT Outsourcing?
eWeek
While it seems clear the U.S. has a rough economic road ahead of it in 2008, observers have mixed views about what this might mean for outsourcing. Some argue that a depressed U.S. economic climate will make the cost savings of offshoring less dramatic, which could save jobs that were otherwise at risk of being sent.

Technologists Present Policy Recommendations to Congress
Government Technology
Chief technology officers from the world's leading computer software and hardware companies have sent a letter to U.S. House and Senate leaders requesting their support of several pending policy measures, including full funding of important high-tech initiatives in the President's FY 09 budget.

DHS Tests Northern Border Security
Federal Computer Week
While the Homeland Security Department prepares a prototype solution for protecting the northern border, new technologies already are being tested in the field, according to a 20-page report from the department’s Customs and Border Protection directorate.

Arizona Legislators Push for Transparency on Budget, Spending
The Arizona Republic
A new resolution calls for a Web site maintained by the state treasurer and the treasurers of each county, city and town to be updated monthly with details of all spending and revenue, down to whether payments were made with cash, check or debit card. The databases would have to be available by July 2010.



Coast Guard Grapples with Unofficial Blog
By Allan Holmes  |  Friday, March 7, 2008 |  9:35 AM

Wired's Danger Room blog posted an item this morning about a memo issued by the Coast Guard's leadership forbidding its employees from posting messages concerning agency business on outside blogs. "The Coast Guard headquarters Communication Center (HQ COMCEN) is designated as the only authorized CG organization to post messages to the Internet," the message read.

The message was issued in response to the Unofficial Coast Guard Blog -- which Danger Room has called "awesome" -- which at times posts unclassif