<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>Tech Insider</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/" />
   <link rel="self" type="application/atom+xml" href="http://techinsider.nextgov.com/atom.xml" />
   <id>tag:techinsider.nextgov.com,2008://58</id>
   <updated>2008-05-09T22:46:42Z</updated>
   <subtitle>Join IT experts in discussions about the latest trends and issues affecting you and the federal IT community.</subtitle>
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type Enterprise 1.52</generator>

<entry>
   <title>A FISMA Alternative -- Finally</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/05/a_fisma_alternative_finally.php" />
   <id>tag:techinsider.nextgov.com,2008://58.41710</id>
   
   <published>2008-05-09T22:20:05Z</published>
   <updated>2008-05-09T22:46:42Z</updated>
   
   <summary>After years of calling for an alternative to the Federal Information Security Management Act of 2002, one may have been proposed -- or at least the start of one. As Nextgov reported today, Rep. Jim Langevin, D-R.I., introduced the 2008...</summary>
   <author>
      <name>Allan Holmes</name>
      
   </author>
         <category term="Congress" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Info Security" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="OMB" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Policy" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>After years of calling for an alternative to the Federal Information Security Management Act of 2002, one may have been proposed -- or at least the start of one. As Nextgov <a href="http://www.nextgov.com/nextgov/ng_20080509_6170.php">reported</a> today, Rep. Jim Langevin, D-R.I., introduced the 2008 <a href="http://www.govexec.com/5983.pdf">Homeland Security Network Defense and Accountability Act</a>. Generally, the knock against FISMA is that it measures processes, not results. For example, good FISMA compliance requires providing training for "employees with significant security responsibilities," but nowhere does it require the agency to test how much the employees learned or retained from the training. With FISMA, agencies aren't sure how good or bad their security vulnerabilities are because FISMA doesn't test for them.</p>

<p>Langevin's bill takes a stab at measuring actual security results, at least for the Homeland Security Department, and some security experts hope it could be applied governmentwide. The key to the bill is requiring DHS to test whether it can successfully defend its networks against <em>known</em> cyberattacks and to conduct vulnerability testing. The bill would have DHS measure what is actually happening on the ground and defend itself against real threats.</p>]]>
      
   </content>
</entry>
<entry>
   <title>EPA&apos;s Pursuit of Technology</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/05/epas_pursuit_of_technology.php" />
   <id>tag:techinsider.nextgov.com,2008://58.41642</id>
   
   <published>2008-05-08T22:10:13Z</published>
   <updated>2008-05-08T22:56:04Z</updated>
   
   <summary>The following item was posted by Nextgov reporter Gautham Nagesh. Mark Hamilton, the Environmental Protection Agency&apos;s senior information management officer, has a lot of ideas about how technology can serve the agency&apos;s strategic plan to meet its mission. First there&apos;s...</summary>
   <author>
      <name>Allan Holmes</name>
      
   </author>
         <category term="Technology" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p><em>The following item was posted by Nextgov reporter Gautham Nagesh.</em></p>

<p>Mark Hamilton, the Environmental Protection Agency's senior information management officer, has a lot of ideas about how technology can serve the agency's strategic plan to meet its mission.</p>

<p>First there's nano-technology. Speaking at the Industry Advisory Council’s Executive Session on May 7, Hamilton said the EPA is incorporating the use of technology with its operations teams to better track the status of natural disasters. Hamilton used the example of a recent encounter with an EPA field employee, who was assigned to cover the Port of Long Beach in Los Angeles, Calif. The employee was driving a mobile laboratory van when Hamilton approached him and asked to check out the inside. The employee explained to Hamilton that the EPA was using nano-sensors spread over the water’s surface to detect and isolate oil spills, work that used to be done visually from a helicopter – a practice that is “not too useful at night,” Hamilton said.</p>]]>
      <![CDATA[<p>As for contractors, Hamilton used the nano-sensors as an example of how the EPA was using technology to further its mission. He said that while the main office in the Washington area was mainly concerned with policy, the 10 regional offices all feature operations teams eager to get their hands on new technology that could help with field response.</p>

<p>“There are tremendous business opportunities in supporting those environments at a regional level,” Hamilton said. Regional offices “are all somewhat autonomous and looking for innovative technology, for tools to do their jobs.”</p>

<p>A handheld computer is another. Hamilton talked about the contamination of fresh water ground wells after Katrina. While trying to coordinate the testing of wells that may have been affected, EPA employees faced difficulty obtaining information regarding where the wells were, how many there were and which had been tested.</p>

<p>“Why can’t we use a handheld with real-time reporting,” to track that progress, asked Hamilton. “We need innovation from the side. That system is not available now; we need industry to provide that information.”</p>

<p>Other examples of technology that Hamilton said he would welcome would be devices that could remotely read a power meter or a real-time sensor for water plants that would tell when they had been contaminated.</p>

<p>One of the barriers to progress according to Hamilton is the FedBizOps Web site, where agencies are required to post requests for proposals and other potential business opportunities. “One of our problems is sometimes we don’t know what to ask for,” he said. Hamilton called for more active engagement from industry to propose innovative technology that could be used to formulate requests for proposals. “I don’t have the time or inclination to achieve the rate of innovation the public expects,” Hamilton said, adding that is a viewpoint shared by many others in government.</p>]]>
   </content>
</entry>
<entry>
   <title>A Problematic Call for FDA Risk Management</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/05/fda_and_risk_management.php" />
   <id>tag:techinsider.nextgov.com,2008://58.41582</id>
   
   <published>2008-05-07T21:14:45Z</published>
   <updated>2008-05-07T23:21:51Z</updated>
   
   <summary>Allan Holmes pointed me to a recent story in the Congress Daily. It seems that Edward Kennedy, D-Mass., who chairs the Senate Health, Education, Labor and Pensions Committee, circulated on Monday a list of options for strengthening...</summary>
   <author>
      <name>Robert Charette</name>
      
   </author>
         <category term="Risk management" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>Allan Holmes pointed me to a recent story in the Congress Daily. It seems that Edward Kennedy, D-Mass., who chairs the Senate Health, Education, Labor and Pensions Committee, circulated on Monday a list of options for strengthening drug and device safety that are being considered for inclusion in legislation Kennedy's panel is reviewing to improve FDA oversight.</p>

<p>The recent contamination problems with foreign-produced heparin that is believed responsible for the deaths of 81 persons in the US, as well as chemical-tainted wheat gluten in pet food, have been major drivers for strengthening the FDA's oversight capabilities.</p>

<p>The story goes on to say:</p>]]>
      <![CDATA[<blockquote>The options include charging industry registration fees to fund more FDA inspections of drug and device plants and requiring the agency to inspect foreign drug firms as often as domestic ones.

<p>Those and many of the other provisions are similar to ones proposed by House Energy and Commerce Committee Chairman John Dingell, D-Mich., but unlike Dingell's, one of the Senate options includes giving FDA the power to base its inspections on risk.</p>

<p>At a House hearing on the Dingell proposal last week, Janet Woodcock, FDA's drug center director, stressed the need for the agency to spend its resources as it sees most fit. Some consumer advocates are wary of a risk-based approach, but Woodcock also admitted companies should operate under the impression they will be inspected on a regular basis.</p></blockquote>

<p>In Woodcock's testimony, she said, "Any legislation should allow FDA to set requirements and priorities based on a strong scientific FDA risk assessment."</p>

<p>That is, I believe, a sensible approach, but as pointed out last November by Bart Stupak, D-Mich., chairman of the Oversight & Investigations Subcommittee, in a hearing on the FDA Foreign Drug Inspection Program, the FDA does not have the requisite data to begin to make good risk assessments.</p>

<p>Stupak pointed out, for instance, that despite more than a decade of warnings from FDA’s own internal reviews, Congress, and the Government Accountability Office, FDA’s IT system is still based on multiple databases which lack integration and contain unreliable information.</p>

<p>In addition, due to these poor IT systems, the FDA cannot obtain reliable data to run its risk models so it can effectively allocate what limited resources it does have for inspections.</p>

<p>Stupak asked a question that I have yet to see completely answered by the FDA: How can anyone have any confidence FDA is truly managing the risk that may come from foreign-made drug products if the FDA does not know the exact number or location of foreign drug manufacturers?</p>

<p>It's nice to say you are going to have a risk-based approach to best allocate your scarce resources, but without the data, the exercise turns into little more than gambling.</p>]]>
   </content>
</entry>
<entry>
   <title>Government in a Wiki World, Part 2</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/05/government_in_a_wiki_world_part_2.php" />
   <id>tag:techinsider.nextgov.com,2008://58.41498</id>
   
   <published>2008-05-06T22:09:27Z</published>
   <updated>2008-05-06T22:17:18Z</updated>
   
   <summary>Wiki forces are upon us. With the wiki concept, an individual posts an idea publicly. Then over time, subsequent contributors add to, adjust, or take away from the idea iteratively. Over time, with input from many players, what starts as...</summary>
   <author>
      <name>J. Davidson Frame</name>
      
   </author>
         <category term="Virtual World" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>Wiki forces are upon us. With the wiki concept, an individual posts an idea publicly. Then over time, subsequent contributors add to, adjust, or take away from the idea iteratively. Over time, with input from many players, what starts as a primitive idea can grow into a well-developed statement. The most dramatic example of the power of wikis is Wikipedia.</p>

<p>Recognition that collaborative efforts can lead to great results is growing in both the public and private sectors. What distinguishes the wiki approach from previous collaborative initiatives is that contributors to the process can be “amateurs” rather than professionals. Anyone can contribute. The contributions of some may be modest, focusing on the correction of spelling and grammatical errors. The contributions of others may be deeper – for example, they may focus on developing and refining foundational ideas. The Wikipedia experience has shown that well-articulated and valuable insights can emerge through this process.</p>

<p>Government agencies are mulling over the wiki phenomenon to determine its value in the public sector. Its value can be seen at three levels of operation:</p>

<p>•	Project level: In building new systems, requirements can be harvested through wiki exercises. That is, a primitive statement of system requirements can be posted publicly. Customers and technical people can be asked to build on this primitive statement in order to create a full-blown set of requirements that reflect both customer and technical sensibilities.<br />
•	Intra-agency level: When an agency plans to launch a program that will change how it operates, inputs from employees and contractors handled through wiki processes can help the agency to formulate the program architecture more quickly and comprehensively than by setting up a task force to do the job.<br />
•	Inter-agency level: Government agencies tend to operate as stove pipes. However, this can lead to poor results, as the 9/11 catastrophe showed us. Because US intelligence agencies did not share their knowledge and insights regarding terrorist activity, the US was unable to anticipate and prevent the 9/11 attack. Government agencies can establish wikis to span organizational boundaries. The intelligence community did this after 9/11 when it created Intellipedia, three wikis that solicit contributions from employees of 16 intelligence agencies. Early results from this effort are encouraging.</p>

<p>There are two basic advantages to a wiki approach. First, because it is carried out in a virtual environment, it can be implemented quickly. There is no need to assemble committees of experts who deliberate indefinitely. Second, because it solicits input from a wide range of contributors spanning organizational boundaries, it has the potential of generating solutions that are both deep and broad.</p>

<p>Government should experiment with cross-boundary collaboration at the project, intra-agency, and inter-agency level. The tendency of bureaucracies to operate inside boxes is well-known, as are the perils – particularly the curse of parochialism. However, in exploring the strengths of collaborative action, government should avoid marching around with the wiki tool in search of applications. First, it should identify situations where collaborative inputs would help it function more effectively. Then it should determine whether a wiki approach is appropriate to engender meaningful collaboration, or whether some other approach is better. Finally, it needs to address the details of implementing a wiki solution – Are we able to establish a wiki platform? Will our organizational culture promote meaningful participation by the intended audience? As wiki solutions to problems emerge, will they be taken seriously by the agency’s management?<br />
</p>]]>
      
   </content>
</entry>
<entry>
   <title>Government in a Wiki World, Part 1</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/05/government_in_a_wiki_world.php" />
   <id>tag:techinsider.nextgov.com,2008://58.41453</id>
   
   <published>2008-05-06T02:29:06Z</published>
   <updated>2008-05-06T02:52:57Z</updated>
   
   <summary>The first wiki was created by Ward Cunningham in 1995. Cunningham’s goal was to use his wiki to establish a compendium of software design wisdom. The rationale underlying the wiki concept is to post an idea publicly, then to let...</summary>
   <author>
      <name>J. Davidson Frame</name>
      
   </author>
         <category term="IT management" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>The first wiki was created by Ward Cunningham in 1995. Cunningham’s goal was to use his wiki to establish a compendium of software design wisdom. </p>

<p>The rationale underlying the wiki concept is to post an idea publicly, then to let players add to, adjust, or take away from the idea iteratively. Over time, with input from many players, what starts as a primitive idea can grow into a well-developed statement.</p>

<p>The power of the wiki was demonstrated with the creation of Wikipedia in 2001. In a very short period of time, with input coming from tens of thousands of contributors, Wikipedia evolved into a first-rate encyclopedia. What is interesting is that the encyclopedia emerged without any central organizing force. It has been created by amateurs who organize their efforts independently. No one tells them what to do. They work on what they find interesting. Furthermore, Wikipedia is a work in progress – entries are continually changed to reflect prevailing thinking and actions. It will never be a finished document.</p>

<p>Both public and private sector entities are trying to harness the forces of wiki-like collaboration. The traditional way of getting things done has been to put a job into the hands of experts. For example, in developing a new product, technical people work on technical things, editors work on documentation, marketers develop a market strategy, and so on. The wiki-way is very different. Different players contribute their insights to develop a new product, regardless of their expertise. Technical people can contribute thoughts on marketing strategy, while marketers can suggest technical enhancements.</p>

<p>Interestingly, some of the greatest enthusiasm for collaborative work efforts in government is coming from the intelligence community. The 9/11 disaster highlighted the price the USA had to pay for the absence of a collaborative spirit among intelligence agencies. We now know that all the information needed to stop the 9/11 terrorists was in the hands of American intelligence agencies prior to the attack. However, because the agencies did not share the information they had, no one in the US government was able to anticipate and head off the impending calamity.</p>

<p>One attempt to harness the collective wisdom of employees working at different intelligence agencies has been to establish the wiki Intellipedia, which was set up in 2006. <a href="http://en.wikipedia.org/wiki/Intellipedia ">Link</a> Only employees with proper clearances are able to access and contribute to Intellipedia (comprised of three wikis). Already, it has provided the intelligence community with insights into how to deal with terrorist attacks in Iraq. Its strength is that it can quickly leverage the knowledge and thoughts of the entire intelligence community. There is no need to set up a task force and wait six months for results.</p>

<p>In order to make sure that managers within the intelligence agencies take the need for cross-agency collaboration seriously, the Office of the Director of National Intelligence has issued a new directive that will require senior managers at the nation’s sixteen intelligence agencies to be assessed according to a common performance evaluation system <a href="http://govexec.com/dailyfed/0508/050108ar2.htm ">Link</a>. A key criterion for evaluation focuses on the extent to which senior managers promote collaboration across agency boundaries. This is a good step.</p>

<p>Intellipedia offers a technical fix to the challenge of cross-agency collaboration. However, given the strong territorial tendencies of the agencies, a number of important questions arise: Are their employees willing to participate in the effort in an effective way? Will they hold back information that they feel their agencies “own”? When looking at the conclusions emerging from a wiki exercise, will they ignore the findings based on not-invented-here feelings?</p>

<p>Ultimately, the success of cross-agency collaboration requires that the players trust the system and want to work together. If these criteria are not met, then technical wiki fixes won’t work.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Virtual Spying</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/05/virtual_spying.php" />
   <id>tag:techinsider.nextgov.com,2008://58.41351</id>
   
   <published>2008-05-02T22:31:49Z</published>
   <updated>2008-05-02T22:34:02Z</updated>
   
   <summary>Lisa Porter, director of the Intelligence Advanced Research Projects Activity, suggests in an interview that one way for intelligence agencies to better comb the tsunami of data they now collect is by using virtual worlds. She doesn&apos;t elaborate in her...</summary>
   <author>
      <name>Anne Laurent</name>
      
   </author>
         <category term="Intelligence" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Virtual World" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>Lisa Porter, director of the Intelligence Advanced Research Projects Activity, suggests in an <a href="http://www.spectrum.ieee.org/may08/6208">interview</a> that one way for intelligence agencies to better comb the tsunami of data they now collect is by using virtual worlds. She doesn't elaborate in her Q&A in the May issue of <em>IEEE Spectrum</em> magazine, but IARPA already has a project underway to collect data <em>about</em> virtual worlds.</p>

<p>IARPA is the intelligence version of DARPA, the Defense Advanced Research Projects Agency, where, incidentally, Porter once worked. In the interview, she discusses the new tripartite organization for IARPA. Its three program offices are Smart Collection, Incisive Analysis, and Safe and Secure Operations. The agency lives in the Office of Science and Technology at the Office of the Director of National Intelligence.</p>

<p>IARPA recently announced it will be snooping around the virtual world via a foxy little project called <a href="http://theagilemind.blogspot.com/search?q=reynard">Reynard</a>, a fox who is the hero of Medieval satires about social manners and classes. It's a study of emerging social dynamics in virtual worlds and large-scale online games being conducted by the Incisive Analysis program. </p>

<p>Porter told the magazine that she is looking for people to run projects within the agency's three programs. IARPA is designed to do high-risk, high-payoff advanced intelligence research, so she is looking for "very smart people who understand what it takes not just to technically comprehend a problem but how to bring an idea to reality programmatically," she said.</p>

<p>The IARPA.gov Web site soon will carry instructions and forms for applying to run projects there.</p>

<p>IARPA will cooperate with DARPA and work closely with In-Q-Tel, the intelligence community's venture capital fund, even though In-Q-Tel's focus is near-term, high-risk problems, Porter said.</p>

<p>IARPA's current location -- on the University of Maryland campus, albeit in a fenced and guarded National Security Agency compound -- is intended to signal the agency's openness to academics and others outside the intel world whose ideas and skills could help solve huge problems such as sorting through data, figuring out how to better target and winnow what intel agencies collect and how to keep that information safe in the Web-enabled world.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Get Mooned</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/05/get_mooned.php" />
   <id>tag:techinsider.nextgov.com,2008://58.41346</id>
   
   <published>2008-05-02T19:13:44Z</published>
   <updated>2008-05-02T19:47:05Z</updated>
   
   <summary>You can go to the Moon with NASA late this year. Well, sorta, at least your name can go. NASA is offering to add anyone’s name to a database, which will then ride on a microchip inside the Lunar Reconnaissance...</summary>
   <author>
      <name>Anne Laurent</name>
      
   </author>
         <category term="General News" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Technology" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>You can go to the Moon with NASA late this year. Well, sorta, at least your name can go.</p>

<p>NASA is offering to add anyone’s name to a database, which will then ride on a microchip inside the Lunar Reconnaissance Orbiter spacecraft. Just go to the designated <a href="http://lro.jhuapl.edu/NameToMoon/?">Web site</a> to sign up and print out a certificate saying you’ll be on board.</p>

<p>The orbiter will create an atlas of Moon features and resources, a first step in creating a U.S. base there to assemble spacecraft to take humans to Mars. LRO will carry six instruments and a technology demonstration project. It’s supposed to send back the most complete dataset ever compiled about our satellite planet, including best landing sites for America’s return now slated for 2020.</p>

<p>The deadline for getting your name on the lunar list is June 27.<br />
 <br />
You can watch NASA-produced videos about sending your name to the moon <a href="http://www.nasa.gov/mission_pages/LRO/main/index.html">here</a>.</p>

]]>
      
   </content>
</entry>
<entry>
   <title>Air Marshals on Terrorist No Fly List?</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/05/air_marshalls_on_tsa_terrorist.php" />
   <id>tag:techinsider.nextgov.com,2008://58.41344</id>
   
   <published>2008-05-02T17:16:00Z</published>
   <updated>2008-05-02T19:13:11Z</updated>
   
   <summary>The Washington Times is reporting that Sen. Russ Feingold, D-Wis., wants to know &quot;why federal air marshals (FAMs) were prevented from boarding some flights because their names matched those on the terrorist no-fly list, and whether the problem has been...</summary>
   <author>
      <name>Robert Charette</name>
      
   </author>
         <category term="Homeland Security" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Risk management" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>The <a href="http://www.washingtontimes.com/apps/pbcs.dll/article?AID=/20080502/NATION/99960651/1001">Washington Times</a> is reporting that Sen. Russ Feingold, D-Wis., wants to know "why federal air marshals (FAMs) were prevented from boarding some flights because their names matched those on the terrorist no-fly list, and whether the problem has been solved."</p>

<p>The Times ran a <a href="http://www.washingtontimes.com/article/20080429/NATION/782525487/1001">story</a> yesterday that said the problem has persisted for years, but it wasn't until April 23 that a new security directive was released "to address those situations where air carriers deny FAMs boarding based on 'no-fly list' names matches."</p>

<p>"Glad" to see that the government takes as long to address the problems of air marshals as the general public.</p>

<p>If this is all true, this is just too dumb for words.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Identity Management in New Jersey: Not Worth the Effort</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/05/identity_management_in_new_jer.php" />
   <id>tag:techinsider.nextgov.com,2008://58.41302</id>
   
   <published>2008-05-01T23:11:05Z</published>
   <updated>2008-05-01T23:13:56Z</updated>
   
   <summary>If your agency’s auditor concluded that your networks didn’t have the ability to monitor which employees were accessing personally sensitive information – say, like, Social Security and tax identification numbers – would you respond to the audit by saying...</summary>
   <author>
      <name>Allan Holmes</name>
      
   </author>
         <category term="Info Security" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Privacy" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="State and Local" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>If your agency’s auditor concluded that your networks didn’t have the ability to monitor which employees were accessing personally sensitive information – say, like, Social Security and tax identification numbers – would you respond to the audit by saying that such a security practice was adequate and that to do monitoring wasn’t worth the time and effort?</p>

<p>That’s how John Guhl, New Jersey’s Medicaid director, responded when the state’s auditor concluded that New Jersey’s Department of Human Services lacks the security policies and procedures to protect personal information on the computer system it uses to process claims for more than 1 million Medicaid patients, according to an <a href="http://www.newsday.com/news/local/wire/newjersey/ny-bc-nj--medicaid-computer0501may01,0,7802356.story">article</a> posted by <em>Newsday</em>.</p>

<p>Here’s an excerpt from Newsday on what Guhl wrote in response to the auditor’s report:</p>

<blockquote>In a written response to the audit, [Guhl] … said all employees take training in federal requirements for personal health information. 

<p>But he wrote even the best procedures would not guarantee security and said he believes "the current security provisions are adequate." </p>

<p>"As indicated by the auditors, the implementation of this recommendation would require substantial time and effort," Guhl wrote. "This cost would be continuous as resources and time would be needed to monitor and maintain this function." </p>

<p>He told senators during a recent budget hearing that employees cannot access the entire system, only the areas in which they work. He said supervisors know what employees logged into the system and when but not what record was viewed. </p>

<p>"We don't have that level of detail," Guhl said.</p></blockquote>]]>
      
   </content>
</entry>
<entry>
   <title>Now That CIO Has Access</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/04/now_that_cio_has_access.php" />
   <id>tag:techinsider.nextgov.com,2008://58.41246</id>
   
   <published>2008-04-30T23:39:40Z</published>
   <updated>2008-04-30T23:47:37Z</updated>
   
   <summary>Information technology experts and analysts have written about it extensively: If you want IT to help drive an organization to meet its mission, the chief information officer must report directly to the head of the organization. California Gov. Arnold Schwarzenegger (R)...</summary>
   <author>
      <name>Allan Holmes</name>
      
   </author>
         <category term="IT management" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Policy" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="State and Local" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>Information technology experts and analysts have written about it extensively: If you want IT to help drive an organization to meet its mission, the chief information officer must report directly to the head of the organization. California Gov. Arnold Schwarzenegger (R) has taken that to heart in his bid to improve the state's convoluted and disparate computer systems, which resemble the federal government's. He's placed the state's new CIO, Teresa "Teri" Takai, on his cabinet, "which means she has direct access to the governor, who also will hold her accountable," according to an <a href="http://www.mercurynews.com/sports/ci_9103830">article</a> posted by the <em>San Jose Mercury News</em>. "In addition, the elevated stature earns her the respect of other cabinet secretaries, with whom she will need to work closely to institute any major changes that affect how computers are run across the state's dozens of departments and agencies."</p>

<p>In the federal government, rarely does a CIO have such a lofty position in a department, much less the president's cabinet. We'll watch closely to see how successful Takai is.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Microsoft Bypasses Windows Security -- for the Law</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/04/microsoft_bypasses_windows_sec.php" />
   <id>tag:techinsider.nextgov.com,2008://58.41178</id>
   
   <published>2008-04-29T22:23:29Z</published>
   <updated>2008-04-29T22:27:18Z</updated>
   
   <summary>Computer forensics is becoming more important to law enforcement agents as criminals use computers to commit crime. Microsoft has made it easier for officers to get that information off a computer by providing, for free, a USB thumb drive that...</summary>
   <author>
      <name>Allan Holmes</name>
      
   </author>
         <category term="Info Security" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Privacy" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>Computer forensics is becoming more important to law enforcement agents as criminals use computers to commit crime. Microsoft has made it easier for officers to get that information off a computer by providing, for free, a USB thumb drive that can bypass all Windows security programs. "The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime," according to an <a href="http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html">article</a> published by the <em>Seattle Times</em>. "It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer." Microsoft first distributed the thumb drives last year and now more than 2,000 officers in 15 countries are using them.</p>

<p>As expected, privacy experts and techies aren’t too keen on this development.</p>

<p>Hat tip: <a href="http://tech.slashdot.org/article.pl?sid=08/04/29/1441215">Slashdot</a><br />
</p>]]>
      
   </content>
</entry>
<entry>
   <title>A Boring Outlook for IT Spending</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/04/a_boring_outlook_for_it_spendi.php" />
   <id>tag:techinsider.nextgov.com,2008://58.41110</id>
   
   <published>2008-04-28T23:00:11Z</published>
   <updated>2008-04-29T01:16:03Z</updated>
   
   <summary>Does it seem like agencies just aren’t coming up with any groundbreaking, innovative technology projects lately? If you think so, you just may be on to something. Forrester Research released its federal government spending forecast for 2008 (including some insights...</summary>
   <author>
      <name>Allan Holmes</name>
      
   </author>
         <category term="Spending" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>Does it seem like agencies just aren’t coming up with any groundbreaking, innovative technology projects lately? If you think so, you just may be on to something.</p>

<p>Forrester Research released its federal government spending forecast for 2008 (including some insights into what 2009 may be like), as Nextgov <a href="http://www.nextgov.com/nextgov/ng_20080428_8047.php">reported</a>, and it concludes that any new spending will go to consolidate information technology infrastructure and replace or upgrade servers and applications systems. And for more storage. This is real mundane stuff. Important to build new programs on, for sure, but still ho hum.</p>

<p>The wars in Iraq and Afghanistan, and any IT needs there, are sucking up almost all new spending, Forrester reports. During the Bush administration, IT spending has ranged between 1 percent and 7 percent, with the larger increases coming after 9/11 to build IT systems to fight terrorism – many of them controversial for compromising Americans’ privacy. President Bush <a href="http://www.govexec.com/dailyfed/0208/020408j1.htm">asked</a> for a 4 percent increase in IT spending for fiscal 2009. But a lot of that will go to support IT on the battlefield and to support health care for veterans. The rest will just keep the lights on, Forrester concludes.</p>

<p>Even a new administration, which Forrester predicts will focus on domestic IT spending, won’t bring bold thinking in 2010. Forrester predicts: “The new administration … will likely include priorities around reducing costs and improving efficiency.” Sounds like more consolidation. </p>

<p>There’s always 2011.</p>]]>
      
   </content>
</entry>
<entry>
   <title>This is Good News?</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/04/this_is_good_news.php" />
   <id>tag:techinsider.nextgov.com,2008://58.40980</id>
   
   <published>2008-04-25T14:13:00Z</published>
   <updated>2008-04-25T14:15:56Z</updated>
   
   <summary>As reported in Government Executive, Congress is pretty angry with the Veterans Affairs and Defense departments over their &quot;sending the wrong message&quot; - a polite term for misleading it over the number of veterans attempting or successfully committing suicide. The...</summary>
   <author>
      <name>Robert Charette</name>
      
   </author>
         <category term="Defense" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>As <a href="http://www.nextgov.com/nextgov/ng_20080423_5341.php">reported</a> in <em>Government Executive</em>, Congress is pretty angry with the Veterans Affairs and Defense departments over their "sending the wrong message" - a polite term for misleading it over the number of veterans attempting or successfully committing suicide. The VA claimed last year that only 790 veterans it saw in medical facilities attempted suicide, whereas the real number was over 1,000 per month. </p>

<p>VA Deputy Secretary Gordon Mansfield, however, didn't think there was any attempt to mislead Congress. </p>

<p>In addition, Mansfield and Undersecretary of Defense for Personnel and Readiness David S. C. Chu also tried to place the best spin on the increasing number of suicide attempts. Mansfield said that young people between the ages of 15 and 24 try suicide more than others, and since Defense recruits in that age group, an increasing number of suicides should not be seen as an epidemic. </p>

<p>This is an interesting view given that it <a href="http://www.cbsnews.com/stories/2007/11/13/cbsnews_investigates/main3496471.shtml">appears</a> that veterans between 20 and 24 years old, and the ones most likely to have been in Iraq or Afghanistan, are committing suicide at twice to four times the rate of civilians of the same age. </p>

<p>Chu put an even more positive spin on the situation. “I think the good news is that on an age-adjusted basis, department suicide rates as a whole tend to be a bit below the national norm. And even with the Army’s increase it puts at approximately at the national level.”</p>

<p>So active duty suicide rates are increasing, especially in the Army, but when you average it out, it is about the same as the general population. </p>

<p>Nothing to worry about here, mate, just move along. </p>

<p>If this is what Defense and VA think is good news, I would hate to see what they think is bad news.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Slipping It Under the Radar</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/04/slipping_it_under_the_radar.php" />
   <id>tag:techinsider.nextgov.com,2008://58.40979</id>
   
   <published>2008-04-24T22:34:44Z</published>
   <updated>2008-04-24T22:43:15Z</updated>
   
   <summary>The following item was posted by Jill R. Aitoro. The Office of Management and Budget has long touted the value of transparency in government. So explain this: OMB released a report today on progress in implementation of Homeland Security Presidential...</summary>
   <author>
      <name>Allan Holmes</name>
      
   </author>
         <category term="IT management" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="OMB" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p><em>The following item was posted by Jill R. Aitoro.</em></p>

<p>The Office of Management and Budget has long touted the value of transparency in government. So explain this: </p>

<p>OMB released a report today on progress in implementation of Homeland Security Presidential Directive 12, or HSPD 12, which requires agencies to issue biometrically enabled credentials to all employees and contractors to replace standard flash badges. In that report, the total number of employees and contractors that will receive the badges was more than double what OMB reported only six months ago. OMB now reports that 4.3 million employees and 1.2 million contractors require new cards, compared to 1.9 million federal employees and 591,358 contractors, as reported in October 2007.</p>

<p>That change likely explains another anomaly. Ninety-seven percent of federal employees and 79 percent of contractors could not have completed the required background checks, as reported in October, because the latest report states that only 59 percent and 42 percent respectively have done so.  </p>

<p>What’s the explanation for such a drastic difference? OMB opted not to provide one in a briefing on the latest numbers; in fact, the change in the numbers wasn’t even mentioned. When asked later, a spokeswoman attributed the undercount to faulty data.  “We have better and more complete data now than we had previously,” she said.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Security vs. Privacy is Nonsensical</title>
   <link rel="alternate" type="text/html" href="http://techinsider.nextgov.com/2008/04/security_vs_privacy_is_nonsens.php" />
   <id>tag:techinsider.nextgov.com,2008://58.40893</id>
   
   <published>2008-04-23T15:40:26Z</published>
   <updated>2008-04-26T19:02:54Z</updated>
   
   <summary>Bruce Schneier recently wrote a wonderful explanation of why the dichotomy between security and privacy is artificial. I recommend it to the privacy officials who must confront security as the rationale for poor privacy practices and to security officials who...</summary>
   <author>
      <name>Andy Boots</name>
      
   </author>
         <category term="Info Security" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Privacy" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Security" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://techinsider.nextgov.com/">
      <![CDATA[<p>Bruce Schneier recently wrote <a href="http://www.schneier.com/blog/archives/2008/01/security_vs_pri.html">a wonderful explanation</a> of why the dichotomy between security and privacy is artificial. I recommend it to the privacy officials who must confront security as the rationale for poor privacy practices and to security officials who must find ways to integrate privacy into their thinking and program planning.</p>

<p>So how does FedWorld see this topic? With no subtlety at all, of course.</p>]]>
      <![CDATA[<p>Privacy equals privacy plans, privacy officials, privacy impact statements, and mandatory disclosure of certain security events that might or might not involve personal information – in other words, as a matter of compliance. Because information security is also mostly treated as a compliance matter, few inside FedWorld bother to worry about the distinctions between security and privacy. Privacy officials worry about their compliance requirements; security officials worry about theirs and seldom do the twain meet … except in various Office of Management and Budget compliance reports, where the fundamental flaw in government security thinking (all Gaul is divided into Major Applications and General Support Systems) means that privacy (along with strategic planning, enterprise architecture, and all other compliance-without-substance matters) is shoehorned into the one-size-fits-all world of OMB compliance orthography.</p>

<p>As I have opined <a href="http://techinsider.nextgov.com/2008/02/how_important_is_personal_info.php">elsewhere</a>, information about people is just one type of information that deserves protection (and not necessarily the most important for most agencies). Personal information deserves protection against unauthorized or inadvertent disclosure (the concern of most privacy advocates), protection against inaccuracy (data integrity is a security concern but seldom a privacy issue), and protection against unauthorized destruction (conceivably applauded by some with privacy concerns).</p>

<p>The central problem I see with “security vs. privacy” in FedWorld is the focus on computerized official (mission-related) records. Do the guards in your building need to have access to personal information about you and your visitors? How long do the security camera tapes or files that record your coming and going need to be maintained? How do you know the memo you received about your performance was the same as the one in your official personnel file?</p>

<p>If one were to develop a privacy program unfettered by OMB and congressional reporting strictures and FISMA (Federal Information Security Management Act) categories, the result would probably be very like the Internal Revenue Service privacy office, as originally created. I suspect the IRS office has become bogged down with compliance paperwork, but its original focus on protection of taxpayer and employee information from unnecessary or unauthorized disclosure has served us taxpayers well.</p>]]>
   </content>
</entry>

</feed>
