Information technology experts and analysts have written about extensively: If you want IT to help drive an organization to meet its mission, the chief information officer must report directly to the head of the organization. California Gov. Arnold Schwarzenegger (R) has taken that to heart in his bid to improve the state's convoluted and disparate computer systems that resemble the federal government. He's placed the state's new CIO, Teresa "Teri" Takai, on his cabinet, "which means she has direct access to the governor, who also will hold her accountable," according to an article posted by the San Jose Mercury News. "In addition, the elevated stature earns her the respect of other cabinet secretaries, with whom she will need to work closely to institute any major changes that affect how computers are run across the state's dozens of departments and agencies."

In the federal government, rarely does a CIO have such a lofty position in a department, much less the president's cabinet. We'll watch closely to see how successful Takai is.

Computer forensics is becoming more important to law enforcement agents as criminals use computers to commit crime. Microsoft has made it easier for officers to get that information off a computer by providing, for free, a USB thumb drive that can bypass all Windows security programs. "The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime," according to an article published by the Seattle Times. "It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer." Microsoft first distributed the thumb drives last year and now more than 2,000 officers in 15 countries are using them.

As expected, privacy experts and techies aren’t too keen on this development.

Hat tip: Slashdot

Does it seem like agencies just aren’t coming up with any groundbreaking, innovative technology projects lately? If you think so, you just may be on to something.

Forrester Research released its federal government spending forecast for 2008 (including some insights into what 2009 may be like), as Nextgov reported, and it concludes that any new spending will go to consolidate information technology infrastructure and replace or upgrade servers and applications systems. And for more storage. This is real mundane stuff. Important to build new programs on, for sure, but still ho hum.

The wars in Iraq and Afghanistan, and any IT needs there, are sucking up almost all new spending, Forrester reports. During the Bush administration, IT spending has ranged between 1 percent and 7 percent, with the larger increases coming after 9/11 to build IT systems to fight terrorism – many of them controversial for compromising Americans’ privacy. President Bush asked for a 4 percent increase in IT spending for fiscal 2009. But a lot of that will go to support IT on the battlefield and to support health care for veterans. The rest will just keep the lights on, Forrester concludes.

Even a new administration, which Forrester predicts will focus on domestic IT spending, won’t bring bold thinking in 2010. Forrester predicts: “The new administration … will likely include priorities around reducing costs and improving efficiency.” Sounds like more consolidation.

There’s always 2011.

As reported in Government Executive, Congress is pretty angry with the Veterans Affairs and Defense departments over their "sending the wrong message" - a polite term for misleading it over the number of veterans attempting or successfully committing suicide. The VA claimed last year that only 790 veterans it saw in medical facilities attempted suicide, whereas the real number was over a 1,000 per month.

VA Deputy Secretary Gordon Mansfield, however, didn't think there was any attempt to mislead Congress.

In addition, Mansfield and Undersecretary of Defense for Personnel and Readiness David S. C. Chu also tried to place the best spin on the increasing number of suicide attempts. Mansfield said that young people between the ages of 15 and 24 try suicide more than others, and since Defense recruits in that age group, an increasing number of suicides should not be seen as an epidemic.

This is an interesting view given that it appears that veterans between 20 and 24 years old, and the ones most likely to have been in Iraq or Afghanistan, are committing suicide at twice to four times the rate of civilians of the same age.

Chu put an even more positive spin on the situation. “I think the good news is that on an age-adjusted basis, department suicide rates as a whole tend to be a bit below the national norm. And even with the Army’s increase it puts at approximately at the national level.”

So active duty suicide rates are increasing, especially in the Army, but when you average it out, it is about the same as the general population.

Nothing to worry about here, mate, just move along.

If this is what Defense and VA think is good news, I would hate to see what they think is bad news.

The following item was posted by Jill R. Aitoro.

The Office of Management and Budget has long touted the value of transparency in government. So explain this:

OMB released a report today on progress in implementation of Homeland Security Presidential Directive 12, or HSPD 12, which requires agencies to issue biometrically enabled credentials to all employees and contractors to replace standard flash badges. In that report, the total number of employees and contractors that will receive the badges were more than double what OMB reported only six months ago. OMB now reports that 4.3 million employees and 1.2 million contractors require new cards, compared to 1.9 million federal employees and 591,358 contractors, as reported in October 2007.

That change likely explains another anomaly. Ninety-seven percent of federal employees and 79 percent of contractors could not have completed the required background checks, as reported in October, because the latest report states that only 59 percent and 42 percent respectively have done so.

What’s the explanation for such a drastic difference? OMB opted not to provide one in a briefing on the latest numbers; in fact, the change in the numbers wasn’t even mentioned. When asked later, a spokeswoman attributed the undercount to faulty data. “We have better and more complete data now than we had previously,” she said.

Bruce Schneier recently wrote a wonderful explanation of why the dichotomy between security and privacy is artificial. I recommend it to the privacy officials who must confront security as the rationale for poor privacy practices and to security officials who must find ways to integrate privacy into their thinking and program planning.

So how does FedWorld see this topic? With no subtlety at all, of course.

The following item was posted by Jill R. Aitoro.

A discussion board recently posted an unclassified PowerPoint presentation from the Federal Bureau of Investigation, which provides an in-depth look at the criminal investigation into the selling of counterfeit Cisco networking equipment to federal agencies.

The presentation reports a spike in the total number of seizures of products that violate intellectual property rights from 8,022 in 2005, valued at more than $93 million, to 14,675 in 2006, valued at more than $155 million.

Counterfeit Cisco equipment – including routers, switches, and other hardware components -- finds its way into federal networks because of weaknesses in government procurement and problems with Cisco’s own sales practices, according to the presentation. In the case of the former, agencies purchase from uncertified suppliers using government credit cards or from subcontractors that are two or three levels separated from the manufacturer and allow “blind drop” or “drop ship” methods of fulfillment that limit the possibility of quality assurance checks within the contracting community by delivering the products directly to the agency from the supplier.

For Cisco’s part, reliance on distributors and resellers for the sale of products, combined with a lack of coordination between the company’s brand protection and sales teams perpetuates the problem, according to the presentation. Furthermore, it notes a lack of any vetting of companies selling equipment to government, beyond standard background checks, by either Cisco or the General Services Administration.

The presentation highlights a number of cases where counterfeit Cisco equipment managed to infiltrate federal agencies, including one that involved a top tier partner sourcing equipment from China, that eventually landed in a secure Navy facility.

Last week, Delta and Northwest Airlines announced their plan to merge. Before they can, the Justice Department has to consider anti-trust issues before approving the deal.

If it does, maybe the Justice Department can make it contingent on both airlines obeying certain laws of physics, like two objects can't occupy the same space at the same time, when developing their departure schedules.

For example, according to Transportation Department Inspector General Calvin Scovel III, "Northwest has scheduled 56 departures in one 15-minute window at Minneapolis-St. Paul airport, nearly three times the airport's departure capacity for that window."

Considering that other airlines are considering mergers as well, the benefits of such an approach could be significant.

Last week at the RSA Security Conference, several interesting workshops explored aspects of criminal hacking. One of them, conducted by Charlie Miller, examined the incentives for finding and disclosing vulnerabilities in enterprise software.

Imagine you are a Romanian software engineer with time on your hands, and you are able to find an unpatched vulnerability in an enterprise software program. The good news is that you can sell the information about the vulnerability for several times your monthly salary.

The bad news, for almost everyone else, is that you can get much more for it on the black market than from the two other legitimate buyers. Neither the manufacturer nor legitimate firms such as iDefense and Tipping Point, who package vulnerabilities for testing use by corporate computer security departments, will pay as much.

Tipping Point's Zero Day Initiative encourages vendors to patch their software via transparency. One of the pages, Upcoming Advisories, provides a list of known, unpatched vulnerabilities from major vendors. The vendors have been notified but have not issued a patch.

A recent look showed 34 "high severity" vulnerabilites that have been pending for over 8 months on average since Tipping Point notified the vendors. Obviously, room for improvement! We'll talk more about why vendors are slow in a later post.

If you needed reminding that information technology isn't always the answer to efficiency, you may want to check out New York Times technology reviewer David Pogue's recent pieces on the modernization of the air traffic control system. Last week he wrote about the automatic dependent surveillance - broadcast system (ADS-B), a GPS-based system that gives pilots a view of the air traffic around them. The idea is that with that kind of control (and not having to depend on air traffic controllers so much), planes could fly closer together and relieve some of the congestion that has led to record delays this past year.

But wait.

An article in InfoWorld today quotes IPv6 experts calling for organizations to adopt the next generation Internet protocol, which will provide more Internet addresses and with it the promise for new applications. From the article:

The telecommunications industry is going through "a period of grief" over the end of IPv4 (IP version 4), said Tony Hain, IPv6 technical leader for Cisco Systems. "Most people in the world are still in a state of denial" about upgrading to IPv6. "No one will ask for IPv6 until they run out of IPv4 addresses," he said.

Agencies are facing a June deadline – a mandate issued by the Office of Management and Budget – to make their network backbones IPv6 compliant. It looks like most will meet the deadline, but whether agencies will develop applications that take advantage of IPv6 is the question.

No problem can be solved from the same level of consciousness that created it.
~Albert Einstein~

We hear a lot about consciousness these days. This attention to a new level of awareness has increasing numbers of people checking their egos, performing acts of kindness and attempting to inject a greater level of civility into our daily discourse. All of which is welcome indeed, but it is less clear how the expansion of consciousness will have any impact on the very serious issues we all face in the world of politics, business and the economy. Einstein’s quotation gives us a hint.

Regardless of whether we protested or agreed, we have all lived in a political and social context over the recent years that operated on two fundamental principals: We could have war without cost and profit without value. On their face, these principals make no sense. We all knew they made no sense. Now we are beginning to experience the reality that they make no sense and the potential consequences from an economic perspective look worse every day. Just when the latest mortgage backed securities write-offs by UBS were supposed to mark the end of that crisis, we discover that the financial turmoil has seriously impacted GE, a stalwart performer whose stock price dropped nearly 15 percent last week. So much for the theory that the credit crisis would only affect the financial services sector of the economy.

As noted in a long article in Sunday's Washington Post, critics are accusing Housing and Urban Development Secretary Alphonso Jackson, who is resigning in less than glorious circumstances, of being grossly inattentive to the looming housing crisis.

They contend, "Jackson ignored warnings from within his agency, … whose inspector general told Congress that some of the secretary's efforts were 'ill-advised policy' and likely to put more families at risk of losing their homes."

Of course, HUD denies this.

However, during Jackson's era, the story said, "... foreclosures for loans insured by HUD's Federal Housing Administration have risen and default rates have hit a record high."

As also noted in the Post article, FHA Commissioner Brian Montgomery, a former White House political aide with no previous housing experience, said, "It is beyond outrageous for anyone to suggest we would do anything to put FHA at unnecessary risk."

This must mean, I guess, that the increased risk of families losing their homes was a necessary HUD & FHA risk.

That's OK then.

In fact, it must be OK since Montgomery recently won the "annual Lenders One Hero for Housing Award for his efforts on behalf of American homeowners at a challenging time in the housing market."

Of course, one might ask if the award was really on behalf of American homeowners or the 100 plus mortgage bankers that make up Lenders One?

Okay, I totally concur that American Airlines was at fault for not following the airworthiness directive to the letter, which I assume was backed up by a rigorous risk assessment that showed that one-inch spacing of wire bundle straps poses the least amount of risk to the safety of flight, and that anything more than that - like a quarter inch - poses such a risk.

I, for one, can hardly wait to see that risk assessment, along with all the experimental and field data showing that any deviation from the one-inch spec could cause wire chafing and bring down an MD-80 aircraft.

I trust, given the unprecedented disruption of flights, that the FAA will be posting on its Web site in the near future this risk assessment showing why the one-inch spacing was so risk critical.

The FAA also may want to post a detailed discussion about the American Airlines situation to clear up the safety paradox it has created in the minds of the flying public, or at least in the 250,000 passengers who saw their flights canceled last week.

On one hand, the FAA allowed American 18 months to comply with the directive, which I assume meant the bundles weren't secured very well and therefore prone to chafing. On the other hand, after American secured the bundles a few weeks ago, the FAA now felt that the wire bundles, even though secured by straps, being off by a small amount now meant that the airplanes were no longer safe to fly.

Was the risk of chafing associated with misplaced tie-down straps or with the bundles being free to move about?

This whole episode has served to create an overall impression of risk confusion, not competent risk management.

For whatever reason, there seems to be a curse attached to many of the winners of the Malcolm Baldrige Quality Award. You win it, and something bad seems to happen.

Appears the curse hit again.

Last November, the Armament Research, Development and Engineering Center (ARDEC), which also is known as Picatinny Arsenal in New Jersey, became the first Department of Defense organization in history selected to receive the Baldrige Award.

Last week, a 2-pound metal fragment from a routine munition test traveled over a mile instead of the predicted 1,300 feet, crash landed onto a two-story house off the base, ended up landing in a child's bed and critically injuring the cat that was lying there. The cat had to be put asleep.

The Army is investigating what happened and why, suspended further tests and has apologized to the family.

The only good news about this, if you can call it that, is at least the event didn't happen the week before when ARDEC's technical director was giving a keynote speech at the North Jersey American Society for Quality Spring Quality Conference 2008 on winning the Baldrige Award.

With Tuesday being "Taxdueday," I hope all you Army employees have made that extra effort to file your taxes. In case you didn't get the word, the IRS sent a letter to Army Secretary Pete Geren asking him for assistance in getting Army personnel to comply with tax filing requirements.

It seems that the average tax delinquency rate (i.e., balances owed and/or an unfiled tax return) averages 4.68 percent for Army personnel, while for the rest of government it is only 3.8 percent.

The IRS told Geren, "Our system of taxation relies on voluntary compliance. If the public perceives that the federal employees do not maintain the highest level of tax compliance, public confidence in government will suffer."

So, if you would, the IRS asks Geren, please remind your employees through "memorandum, publication, pay statement insert or through your local area network" to voluntarily comply.

And, if they don't, the IRS told Geren to expect "this issue to generate congressional and media interest during the tax filing season."

So, for the good of public confidence in government that rests on Army employee shoulders, won't you please file your taxes?

I want to draw your attention to my colleague's, Tom Shoop's, FedBlog item "Zero Tolerance for Charge Card Abuse." The item refers to a report on the abuse of government purchase cards. In just a couple of hours, the item received, at last count, more than a dozen comments. "Why do we keep hearing these excesses?" asks James Boyd. "The cards have controls that can be programmed into them." And more.

Join the discussion here, or the one already talking place on FedBlog.

Last week Commerce Department Secretary Carlos Gutierrez told a House panel that the Census Bureau was dropping plans to use newly developed handheld computers to collect information from Americans who did not mail in census forms for the 2010 census. In his testimony, he said the handhelds were part of a larger plan to make the census "better, faster, and simpler."

The plan, Gutierrez said, was to address the increasing problems that the bureau is facing that threaten the accuracy of the census, including a larger population, the changing shape and diversity of American families, and a decreased response rate to the census because of a growing distrust of government and because of privacy concerns. These problems have led to lower productivity of the temporary workers the bureau hires to go door to door to count Americans, which requires hiring even more temporary workers to make up for the lost work. Gutierrez said the bureau developed the GPS enabled handhelds to collect more accurate address locations to make it easier for the workers to find residences.

About a year or so ago a poster designed by Milton Glazer began appearing on the sides of telephone booths in Manhattan. It featured a hand, the fingers of which displayed the colors of the world’s races. The title of the poster was "We are all African." The brilliance of its design evoked the factual knowledge that we all have evolved from the African continent and the emotional truth that we are all our brother’s keeper. Its intent was to encourage people to become involved in fighting world poverty.

But there is now another way that “we are all Africans,” and it is one that is increasingly uncomfortable and increasingly impossible to ignore. It is the story of interest rates and the management of risk.

Many of us in the information technology world have worked hard to achieve the state of affairs in which we find ourselves. We are now much freer to transact business in an un-tethered fashion, enabling us to contribute more and more of our otherwise non-productive personal time to more gainful activities.

However, nagging and unintended consequences that threaten further progress are dogging us. We confront headlines about the proliferation of our most personal information throughout cyberspace. Our ages, physical characteristics (at least the ones we record), yearbook pictures, traffic violations, credit histories, failed relationships all seem to be readily available, and subject to violation by a growing number of predators, some benign, others felonious. Cyber outlaws are capturing our identities, compromising our finances, and promulgating false information about us.

News that hospital workers viewed more than 60 patients' health records at the University of California, Los Angeles, Medical Center is another reminder that employees and contractors pose the greatest security threats to personal information, as security experts point out. Last month, the State Department announced that the passport files of the three presidential hopefuls had been accessed by contractors working for the department but who did not have authorization to access the files. State acknowledged that the files had been breached after a reporter contacted the department inquiring about a possible breach.

In the Medical Center's case, hospital officials did not realize the files had been accessed until lawyers for actress Farrah Fawcett, who had been treated at the center, contacted hospital officials after an article appeared in The National Enquirer about the recurrence of Fawcett's cancer. After an investigation, the hospital found that 61 patient records -- about half celebrities and politicians -- had been opened by one unauthorized user.

Stories like this may explain why information technology managers have put identity management, the ability to control who accesses what data, at the top of their to-do lists, according to an annual information security survey conducted by CIO Magazine. The survey also notes that for the first time in its five year history, IT managers say that employees were more likely the source of a security incident than hackers. In fact, the switch was dramatic, from 51 percent of IT managers saying employees were the source of cyberattacks in 2006 (while 54 percent said attacks came from hackers) to 64 percent in 2007 (with 41 percent saying attacks came from hackers).

Government Executive recently published an article on the importance of ID management.

Today, there is a looming crisis in the federal acquisition arena that overshadows specific actions to reform the system: Roughly half the federal acquisition community is eligible to retire from government service within the next eight years. This gives rise to two threatening scenarios. First, an already burdened contracting and procurement system will find itself further shorthanded. With the outflow of experienced professionals, Congress is worried that there will not be enough people to handle the program management, contracting and procurement needs of government.

Second, the federal acquisition professionals who will be left behind lack the experience of those who have departed. Congress has expressed concern that a substantial portion of government’s institutional memory will be lost in the next few years. As a consequence, we will face a situation where we have fewer acquisition professionals serving government, and these people will have lower skills levels than the old guard.

Congress recently received testimony from three key acquisition management institutional players: the Federal Acquisition Institute (FAI), the Defense Acquisition University (DAU), and the Office of Federal Procurement Policy (OFPP). Leaders of these government organizations were asked what they were doing to stem the flow of experienced acquisition professionals. The response: We are instituting inducements to keep experienced professionals from bailing out, we are strengthening training of existing professionals, and we are actively recruiting fresh blood to fill the ranks.

These are good answers to Congress’ question. However, it is not clear that Congress asked the right question. In view of the fact that the acquisition process has struggled over the past several decades, do we really want to take extraordinary efforts to retain the institutional memory associated with a problem-filled acquisition process?

A better question that Congress should raise is: With the exodus of the current acquisition workforce, what are the DAU, FAI and OFPP doing to change the mindset of acquisition professionals so that we have a new generation of professionals who understand that effective acquisition management requires good business sense and goes beyond the mindless implementation of the Federal Acquisition Regulations?

Federal News Radio reported yesterday that they had uncovered a spreadsheet with social security numbers of 25 active service members on the Army Web site hidden only through the "hidden columns" feature of Excel. Supposedly, the Army had been told about the page months ago.

Aside from the probable violation of the Privacy Act and the clear violation of the recent OMB memo urging an end to unnecessary uses of SSNs, the most shocking thing to me is how easily this problem could have been fixed months ago simply by saving the document as a pdf rather than posting a spreadsheet in Excel.

Am I missing something?

All 50 states have some form of requirement for automobile insurance. But when you get in your car to go somewhere, how many of us think about our insurance policy? In that moment do we know what the deductibles are, what the maximum amount of coverage we have for liability or collision? Probably not.

We are interested in getting from where we are to where we want to go. We pay attention to those things that will enable that process. We check the gas, we check the mirrors. During the drive we comply with traffic laws and watch out for other drivers who may not be as aware or who might be impaired. We manage the risks of getting from where we are to where we want to go. The insurance policy stays in the desk drawer unless or until something bad happens. And when that bad thing happens, that accident, even if we have an excellent policy with a company that actually pays the full cost of repairs, we now own a car that has been damaged and its trade-in value is lower than it would have been.

According to an Associated Press story on the Government Executive website, "Christopher De Rosa, a top scientist at the Centers for Disease Control and Prevention's toxic substances agency, said his bosses told him that his warnings of a 'pending public health catastrophe' could be misinterpreted if publicly released." De Rosa was told to keep quiet about the high levels of formaldehyde gas found in FEMA trailers that Katrina victims were given.

"Misinterpreted," eh?

What, those poor folks living in trailers filled with formaldehyde gas and the public at large might actually think that the trailers were dangerous, when they weren't? Or was it that the trailers were dangerous, but neither the CDC or FEMA wanted anyone to know about the risks because it would be politically embarrassing?

Let's refresh some memories, shall we?

The new partnership between IBM and virtual-world-builder Forterra Systems Inc. won't be affected by IBM's suspension from federal contracting, according to Forterra's Vice President for Marketing, Chris Badger.

"Nothing has changed with Forterra's plan to partner with IBM around the Babel Bridge program," he said April 1 via email. "This program starts development this quarter with two releases planned for this year- one later this summer and the second one by end of year. I am sure that IBM will have cleared up the temporary debarment for federal contracts by the time our releases are available later this year."

The plan is for IBM to incorporate Forterra in its Unified Communications and Collaboration platform to help solve the problems created by interoperability among intelligence agency communications systems. The enhanced product will meld Forterra’s On-Line Interactive Virtual Environment 3-D platform with IBM’s Lotus Notes calendar Sametime.

Babel Bridge will allow agencies to instantly share information and interact in a synthetic world to plan operations and take real-time action in the real world, according to the companies.

Badger said the project has been going great guns since it was announced March 20. "We have received very strong interest outside the government market, particularly in the corporate and healthcare markets," he said. "This broader interest beyond the government markets is actually reinforcing the need to invest in near term, robust product development and marketing plans."

IBM is a leading large-industry player in virtual worlds, as well. The company was represented at last year's inaugural conference of the Federal Consortium for Virtual Worlds. It's unclear whether or how the suspension would affect and fledgling agency efforts in virtual world Second Life or elsewhere in the metaverse.

The following are quotes from experts in the federal information technology community about the suspension of International Business Machines Corp. from any new federal contract.

"You don't see this very often, particularly for large companies. This happens with small companies more frequently. But IBM -- wow."
Ray Bjorklund, senior vice president and chief knowledge officer for FedSources, quoted by Nextgov.

"We are going to cooperate with investigators but we are also going to take all appropriate actions to challenge the scope of this action."
Fred McNeese, IBM spokesman, in a telephone interview with Reuters.

"It is rare for entire companies to be suspended. Suspending operating units of large companies is less rare and for smaller companies where all operations in one place we see an entire company suspended more often. I am hoping there was a lot of communication between EPA and IBM. I have the impression that there was not which would be unusual."
Alan Chvotkin, executive vice president and general counsel for the Professional Services Council, quoted by Federal News Radio.

"A suspension is normally not assessed unless there is a very serious infraction that has been not only alleged but documented. The EPA move is "very unusual" and "it has enormous ramifications."
Stan Soloway, who heads the Professional Services Council, a trade group representing IBM and other government contractors, quoted by the Associated Press.

"The U.S. government contributes only 2 percent of IBM’s total revenue, roughly half of which comes from existing multi-year contracts that are not expected to be affected by the suspension, according to Citigroup analyst Richard Gardner."
FP Trading Post article.

"Just 0.2 percent [of the companies debarred from government contracting] share IBM's 'Suspension by any federal agency pursuant to Executive Order 12549 and the agency implementing regulations based on an indictment or other adequate evidence (a) to suspect the commission of an offense that is a cause for debarment or (b) that other causes for debarment under the agency regulations may exist.'"
Melissa Smith, INPUT blog

More details are coming out on the suspension of International Business Machines Corp. from receiving new federal contract. Reuters reports that the contract in question involves the modernization of the Environmental Protection Agency's financial management system. In 2006, IBM bid $80 million on the contract, which EPA has yet to award.

Reuters reports: "'What we are saying is that the case stems from information provided by an EPA employee to IBM employees,' [IBM spokesman Fred] McNeese said. 'Prior to Friday, there was not a hint that there were any type of issues with this contract.'"