GovWin
 
 
Hackers Slide Through DHS’s Network Defense; Now its Time to Play the Blame Game

Roughly three weeks after reports surfaced of a Pentagon IT system being hacked, allegedly by the Chinese, DHS is reporting that it too is the victim of an unauthorized network intrusion, one that allowed the hacker(s) to copy files and transfer them to an outside Chinese-language website. The intrusions in question occurred over a three-month period during 2006.

As reported by the Washington Post on September 24, 2007, DHS claims its vendor failed to install the contracted number of intrusion detection systems, which allowed the network break-in to go unnoticed. Moreover, once it was discovered that an intrusion had occurred, the severity of the breach was dramatically downplayed.

The process now centers on determining fault, and, truth be told, both parties share the blame. Perhaps the contractor did not meet the terms of the contract for intrusion detection services. But the fact that DHS was unaware its vendor was not meeting its contractual obligations points to a problem inherent in DHS, and in most federal agencies: a lack of adequate program management, especially with regard to IT security. A contract that specifies a number of sensors is only as good as the agency's ability to verify that they are deployed, monitored and reporting.

Since its inception, DHS's problem areas have run the gamut from the integration of its various network systems to the management of its procurement process. That DHS seems not to know what happened on its own systems is emblematic of an agency that has struggled to blend the remnants of 22 different organizations and has failed to provide enough vendor oversight along the way.

It is foolish to believe that such an event could only happen at DHS, as a shortage of procurement officials and security program managers exists government-wide. This one event will most likely not prompt other agencies to be more vigilant in auditing their vendor-supplied security systems; one has to wonder how severe an attack will have to be before agencies get serious about IT security.

Read Washington Post Article "Contractor Blamed in DHS Data Breaches"

Broadband Roundtable Town-Hall Meeting at COVITS

The 2007 COVITS (Commonwealth of Virginia Innovative Technology Symposium), hosted by Virginia Secretary of Technology Aneesh P. Chopra, took place September 17th-18th at the Westfields Marriott & Conference Center. In its ninth year and on its first visit to Northern Virginia, COVITS attracted senior-level technology executives and decision makers from state and local government, business, and education. This year's conference also served as the venue for a "town-hall" style meeting of the recently announced Broadband Roundtable. The Broadband Roundtable, co-chaired by former Virginia Governor Mark Warner and Secretary Chopra, is divided into sub-committees (Broadband Adoption Measurement, Technology Blueprint, Innovative Applications, Business Models, and Community Outreach) and consists of what most would agree is a true all-star cast from the public and private sectors. Arguably the most notable members of the Roundtable are Dr. Raj Singh and Dr. Bob Kahn. The former is a humble billionaire and pioneer of the wireless industry; the latter is widely regarded as one of the founders of the internet. Dr. Ted Rappaport, founder of TSR Technologies, Inc. and Wireless Valley Communications, Inc., and electrical engineering professor at the University of Texas, will be the staff advisor to the Broadband Roundtable.

Dr. Rappaport was also present at the Town-Hall Meeting, along with other members of the Roundtable, who were there to showcase each sub-committee's current efforts and future plans of action and to engage attendees in a discussion about the lack of broadband access in Virginia. During these discussions the digital divide in the Commonwealth became painfully obvious and very real, as even members of the Roundtable admitted that they found themselves without high-speed internet access at home. Fortunately, the Roundtable is taking it back to basics and has charged the Broadband Adoption Measurement sub-committee with first defining the key metrics: which technologies and speeds constitute broadband for Virginia. According to the Federal Communications Commission (FCC), broadband service is generally defined as "data transmission speeds exceeding 200 kilobits per second (Kbps), or 200,000 bits per second, in at least one direction."

The FCC's definition has been heavily criticized by consumer advocacy groups as "ridiculously low", especially in comparison with other nations. For instance, the National Broadband Task Force of Canada described broadband in its June 2001 report as "... a high-capacity, two-way link between end user and access network suppliers capable of supporting full-motion interactive video applications" with a "minimum symmetrical speed of 1.5 megabits per second per individual user." It should be no surprise that the United States ranks 15th in the world in broadband subscribers per 100 inhabitants, according to the December 2006 Broadband Statistics Report from the OECD. Within the United States, Georgia is currently leading the way in broadband, with Alaska in the #2 spot (up from 50th in 2002). Still, the Commonwealth of Virginia, which ranks 13th in the nation, remains ambitious in its broadband efforts. In fact, Governor Tim Kaine has called for 20% of eligible Virginia state workers to telework by 2009 and for all businesses in Virginia to have access to broadband by 2010.

GovWin's take:

The Broadband Roundtable's ongoing efforts may require future vendor assistance as it evaluates and empowers local partnerships through the Public-Private Education Facilities and Infrastructure Act (PPEA) to meet the Governor's goals and initiatives for high-speed internet in the Commonwealth.

The $215 to $300 Billion Dollar Problem

On September 20, 2007, Washington Technology held a half-day event focused on "Moving Forward with Government Health IT". The keynote speaker, Dr. Kevin Stephens, Director, City of New Orleans, gave an engaging speech on the government perspective of health IT and the need for an electronic, patient-centric system. He provided compelling evidence of the need to implement new technologies, such as electronic health records (EHR), through personal stories of the impact Hurricane Katrina had on the health care delivery system in New Orleans.

The remainder of the event was dedicated to a panel discussion by vendor industry experts, which included Alan Boucher, Director, Healthcare Platform Architecture, Intel Digital Health Group; Mike Cowan, MD, Chief Medical Officer, BearingPoint; Jack Varga, MD, Medical Director, EHR Center for Excellence, EDS; and Robert Wah, MD, Chief Medical Officer, CSC. Each presented his take on the health IT market, its challenges and next steps. Alan Boucher emphasized how "huge" the health IT market is, commenting that health IT is a "$215 to $300 billion dollar problem". The panel agreed that the sluggish-at-best pace of change within the system is due to two chief problems: the lack of public policy and opposition from physicians. Physicians are concerned about malpractice, liability issues, costs, and sharing information with other physicians they do not know or trust. Mike Cowan highlighted the need for incentives to motivate physicians, such as tax credits for software and hardware. Several panelists repeatedly stated that software is not the problem; the problem is inefficient networks. Discussion wrapped up with talk of states such as New York, Florida and California, which are beginning to take a leadership role in providing funding and expediting the process; other states may follow suit.

GovWin's Take:

  • States are well-positioned to influence HIT adoption and need to take advantage of their front-seat role in moving forward with attempts at collaborative electronic health information exchange

  • States may set aside funding for the adoption of statewide EHR systems

  • Public policies, especially the activities of AHIC 2.0, will be crucial to getting all stakeholders on board

GAO finds Information Technology at Veterans Affairs is Still Far from Secure

In a review of the progress the Department of Veterans Affairs (VA) has made in improving its information security, the Government Accountability Office (GAO) released a report, Sustained Management Commitment and Oversight Are Vital to Resolving Longstanding Weaknesses at the Department of Veterans Affairs. The report concludes that, despite efforts to implement initiatives to strengthen its IT security, VA remains vulnerable.

As far back as 2005, VA began restructuring its management organization in order to provide better oversight and financial controls when purchasing IT systems. Other improvement efforts include developing an information protection program, improving the agency's incident management capability, and establishing an office for IT oversight and compliance. Following the theft of a VA laptop from an employee's home, which held personal information on more than 26 million veterans and active-duty personnel, VA began an agency-wide effort to install encryption software on the laptops that require it. However, these efforts to improve its IT security have fallen short in many regards, and as a result VA remains vulnerable.

According to GAO, areas of concern that continue to stall the improvement of security across the VA include the fact that:

  • since June 2006, the position of chief information security officer has remained vacant. This has left IT security initiatives without an internal advocate, making it more difficult to push some initiatives through;

  • despite the restructuring of the IT office, responsibility for managing and implementing security programs remains decentralized. Additionally, the process guiding coordination of security among VA's officials has never been formally documented;

  • VA's Office of IT Oversight and Compliance has not established the criteria on which it performs its examinations, so facilities across the VA may be evaluated against different standards;

  • even though VA has been advocating the use of encrypted thumb drives and installing encryption software on laptops, the agency has not established a policy defining which devices require encryption, so coverage depends on local judgment rather than an enforceable standard; and

  • within its procedures for incident response, VA has not defined the manner in which its facilities can seek advice from other agencies in handling incidents.

From Hacker to Hacked; China Claims Massive Network Intrusions, or is it Crying Wolf?

Never one to sit idly by while being accused of unethical practices, China is now pointing its finger at the US, claiming that its computers containing political, military and scientific secrets were infiltrated by outside sources. In this instance, Chinese officials claim that a majority of the computers used in the intrusion were based in the US.

While it is certainly possible that the US simply was "caught with its hand in the cookie jar," another plausible scenario is that China is trying to cover its tracks by casting itself as a victim. After all, intrusions into high-level government computers have also been reported in the United Kingdom, Germany, France, and New Zealand, and while no country has officially accused them, all eyes have initially pointed at the Chinese government.

Realistically, the fact that such attempts at espionage are taking place should not surprise anyone. Since the Internet became such a prominent part of everyday life, the idea of cyber warfare has been part of military strategy, to the point that most developed nations have created distinct commands dedicated to the protection and infiltration of information systems, such as the Air Force Cyber Command (AFCC). However, with advances in detection technology, the ability to trace where attacks originate has significantly improved, making it easier to identify aggressors than was previously the case.

The problem lies in the fact that, while the originating country of an attack can typically be identified, officials must be careful in making accusations: tracing an intrusion to a source address identifies a machine or a network, not who directed it, so the technology cannot by itself establish whether the attack originated from government computers. It is becoming more common for vigilante hacking by private citizens and corporations to take place on behalf of governments. Thus, future responses will most likely be dictated by the sensitivity of what, if anything, was actually taken and by whether the origin of the attack can be determined with certainty.

The number of reported incidents will only increase globally because, even though the sources of attacks can be traced to specific countries, governments have the benefit of deniability by simply claiming the attacks did not originate from government computers. Without the ability to prove otherwise, the leaders of targeted governments will have to temper their response, publicly at least, until there is emphatic proof that the intrusion was a case of state-sponsored espionage.

As technology evolves, so too will the face of cyber warfare. It is only a matter of time before an attack of significance happens, and based on the current state of IT security in the U.S. federal government, the best a targeted agency can hope to do is detect the intrusion early enough to prevent significant damage from occurring.

$170 million in failed IT projects – Seeking efficiency and accountability

Wisconsin Assembly Speaker Mike Huebsch (R) created the Speaker's Task Force on State Information Technology Failures, charged with investigating more than $170 million in recent failed or troubled state IT projects. However, the Task Force's final recommendations have received mixed reviews regarding what should be the leading element of a reform plan for the state.

Despite conflicting arguments, the recommendations represent positive attempts to improve every step of a state IT project lifecycle effectively and efficiently. Nearly all Task Force members support long-term improvements in project development, procurement and oversight. Well-received suggestions include statewide implementation of uniform IT procedures for projects over $1 million; clear-cut project requirements; smaller project sizes to better manage scope and identify problems earlier; use of off-the-shelf systems where possible; project completion on time and within budget; revision of the procurement process to ensure successful project delivery; and partnership with other states to share information and techniques on IT projects.

With $170 million in failed IT projects, the Task Force recommends the creation of an Executive CIO with oversight, accountability and enforcement powers. Enforcement is a daunting task for all states, but, as seen in the case of Arkansas, it does not appear to be effective if it rests solely with a CIO. If we think of CIOs as sitting on a three-legged enterprise IT stool, where enforcement is often the shortest leg, Arkansas's CIO sat on a "wobbly stool" until the state consolidated and centralized its IT enterprise by eliminating its Executive CIO. Wisconsin could sit on a balanced stool if, instead of creating an Executive CIO, it directed oversight and enforcement of IT standards to its Department of Administration and developed long-term improvements in project development, management and oversight.

GovWin's Take

  • Over the next couple of weeks, the Wisconsin Legislative Council will develop a report largely reflecting the Task Force recommendations. The report will serve as the basis for drafting future legislation.
  • Vendors should watch closely the developments in the reform plans implemented by Arkansas and Wisconsin, which at this point appear to be taking different approaches to the effective use of taxpayers' money.

Niche technologies to play a big part in Real ID

With all of the discussion about Real ID, there is one major thing that drivers are thinking about: painfully long lines at their local DMV office. As currently proposed, every citizen will need to bring a "photo identity document" that documents their birth date, address, and Social Security number. U.S. citizens will have to prove their status and foreigners will have to show a valid visa. State DMVs will have to verify that these identity documents are legitimate, digitize them, and store them permanently. In addition, Social Security numbers must be verified with the Social Security Administration, a process that can add several minutes to each transaction.

The good news? Technology is poised to save the day (or at least part of it) by reducing some of the wait time.

Currently, citizens wait in line at the front desk, tell the clerk the type of transaction they need to make, receive a number, and proceed to a waiting area. When the next available clerk is able to handle that specific type of transaction, the customer's number is displayed or the citizen's name is shouted across the waiting room.

With the new, more technologically advanced queuing systems, much of this process changes. Many citizens can bypass the front desk clerk and use kiosks to identify their transaction type. With additional efficiencies built into today's queuing systems, including backend reporting, reduced wait times are a reality. And queuing systems are just one of many technologies available to the DMV.

Other solutions include the ability to schedule an appointment time for DMV business using a web-based scheduling application. Some DMVs have recently started allowing customers of certain large insurance companies to renew their vehicle registrations online. Voice recognition phone systems that tell customers how long they might expect to wait in line are being tested.

Some states that are currently studying ways to improve DMV technology, business processes, and Real ID compliance include:

GovWin's Take

As Real ID becomes, well, more real, expect to see growing demand for technologies that decrease customer wait times. Many states have decided not to ignore the Real ID requirements, and they will want to retain the customer service improvements they have made over the last several years.

Health IT: Will IT Vendors Be Eligible for Membership in AHIC 2.0?

The September 5, 2007 American Health Information Community (AHIC) technical meeting had a more structured and informative agenda than its predecessor, held on August 17, 2007. The central theme was the proposed public-private collaboration known as AHIC 2.0, which will succeed AHIC, the current federal advisory committee on health information technology (IT).

The primary speaker, Robert M. Kolodner, M.D., the National Coordinator for Health IT, delved into the AHIC 2.0 vision, membership criteria, eligibility, board member selection, voting rights and the grant process. Attendees and internet-based viewers were presented with visual aids, such as models and diagrams, to help them understand the proposed organizational structure and strategic objectives. A sizable portion of the meeting was spent reviewing the various sectors of the health IT community, such as physicians, consumers, and employers, that will be represented through membership in the collaboration. Noticeably absent from the list of potential sectors was the IT vendor community.

During the question and answer period, an attendee asked Kolodner the rationale behind the decision to exclude the vendor community. The response was that IT vendors were consciously left out because of their potential to benefit from the activities of AHIC 2.0. However, Kolodner noted that the issue may be reconsidered when the planning board meets to finalize the plans and by-laws of AHIC 2.0. Kolodner added that vendors may be able to participate on an individual basis as part of the consumer sector or possibly the employer sector.

The Department of Health and Human Services (HHS) has allocated a $13 million grant to fund AHIC 2.0 over the next two years, and an award is expected in November. HHS representatives indicated that the agency is not seeking a technology vendor to lead the effort. The estimated timeline is broken into two stages: stage one is a four-month design and establishment period, and stage two is the operational, self-sustaining period.

GovWin's Take:

Since the planning of AHIC 2.0 is still in its early stages, there is potential for the planning board to reverse the decision to exclude IT vendors. However, there is no guarantee that such a reversal will take place. In the meantime, invested vendors should continue to follow AHIC 2.0 activities to determine where they might fit into the grand scheme, whether as consumers, employers or directly as vendors. IT vendors are at the forefront of the latest technologies, perform implementation tasks and experience system successes and failures firsthand, so their input could be very valuable to AHIC 2.0.

AHIC will continue to accept public questions and comments until September 10, 2007; interested parties are encouraged to submit.

Texas leverages technology and planning to foster fair competition while eyeing best value

The Texas Department of Information Resources (DIR) recently received 26 responses to a Request for Information (RFI) issued for its TexasOnline Re-Procurement project. That is a wealth of information for DIR to weigh in the design of the TexasOnline RFO anticipated for release in March 2008.

Perhaps more impressive is the success DIR saw with the use of webcasts and text chats during the RFI process. Three such meetings were held; one was a webcast in which participants could see John Miri, Denny Ross and Allan Martin in a room accepting and answering questions submitted online. 154 companies were represented in the July 19 webcast. John Miri, the Director of E-Government and Web Resources, had the following to say about the TexasOnline RFI:

"Our innovative online events really increased vendor competition, and we're well on our way to delivering new services to Texans at even better prices. While the number and diversity of firms is outstanding, the most interesting thing is that 47% of online participants were company executives. These were CEOs, company presidents, and senior executives – and I am excited that people at that level see our project as a flagship opportunity."

Here are the state's major statistics from the July 19th interactive procurement webcast:

  • 183 individual viewers representing 154 companies participated in the webcast
  • 47% of viewers were company executives
  • 67% of the vendors represented were from outside the City of Austin, including participants from Canada and India

DIR estimates that vendors collectively saved $108,000 in travel costs by attending the online event. Additionally, by shifting from an in-person meeting to an online one, the carbon footprint of the event almost disappears. Another opportunity for green purchasing!

GovWin's take:

  • Look for more and more states to open up the procurement process through transparent planning and use of the RFI process, in an effort to attract more vendors and ultimately achieve best value for the state

  • Look for the use of communications technology, such as remote pre-proposal conferences, to further expand and level the state and local (S&L) government market
