Government Executive - Authors - Franklin S. Reeder

Looking the Wrong Way

Franklin S. Reeder — Wed, 21 Dec 2011 00:00:00 -0500

Agency inspectors general and auditors at the Government Accountability Office go to great lengths to promote efficiency in federal operations by detecting fraud, waste and mismanagement. Their findings are among the most power-ful catalysts for bringing about change for the good in government. But when they are wrong, that power to enable rapid action becomes in itself a source of waste and mismanagement. All too often, audit reports punish innovators because they are based on guidelines and checklists that fail to distinguish between the important and the trivial. As a result, these assessments can compel agencies to spend scarce resources on the wrong things.

This problem is especially common in addressing cybersecurity, an area of rapid change and complexity. Misguided audit reports can be the root cause of agencies' failure to implement important controls for computer network defense. Worse yet, they can prompt agencies to divert limited cybersecurity resources from real threats to less important work.

Such assessments miss the point of innovation. "It's like complaining about somebody who discovered a cure for cancer because it's not also a cure for the common cold." That is how Fred Schneider, a computer science professor at Cornell University and a member of the Information Security and Privacy Advisory Board for the National Institute of Standards and Technology, characterized a 2010 State Department IG report that concluded the agency's program for continuous monitoring of cyber threats was deficient.

The State Department initiative has received Senate and White House recognition as a model for other agencies, yet in July, GAO released an evaluation that echoes the 2010 inspector general report. GAO was deeply critical of the program, prompting government officials to question State's shift from triennial paper reporting on cybersecurity controls to continuous monitoring. GAO's report was seriously flawed and mischaracterized the security problem federal agencies face. Agencies and other auditors that rely on GAO's assessment of State's continuous monitoring program are sure to be misled about prioritization of controls for securing federal systems. The title of the report, "Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain," seems innocuous, but the practical effect is likely to weaken, not strengthen, the nation's cyber defenses.

Perhaps the report's most egregious oversight is that it failed to evaluate State's innovative system against the triennial reporting that most other agencies continue to rely on. Instead, GAO looked for gaps in the program's coverage and methodology, ignoring the enormous and unparalleled breakthrough it provided. Even if one accepts the accuracy of GAO's findings, its conclusions and recommendations to rein in continuous monitoring are inexplicable.

Strong evidence shows that the State Department has been far more effective at reducing risk and responding quickly to new threats than agencies that rely on the triennial process. And the department has spent less money on continuous monitoring than on the paper reports.

"One wasteful and ineffective area that [the Office of Management and Budget] and agencies can target is what is known as the certification and accreditation process-essentially a process whereby agencies evaluate every three years what defensive security protections are in place . . . The process costs tax-payers about $1.3 billion . . . on paperwork that ends up stored in binders in some clutter-filled room," Sen. Tom Carper, D-Del., said at a hearing in 2009. Carper, chairman of the Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, requested the GAO study to determine whether the continuous monitoring system should replace triennial reports.

At a 2010 House hearing, then- federal Chief Information Officer Vivek Kundra admitted that the OMB-led "culture of compliance" needed to shift to a performance-based posture using continuous monitoring. "For too long, federal agencies have focused on reporting on security rather than gaining meaningful insight into their security postures," he said. "A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information."

The GAO report ignored the central question posed by Sen. Carper-whether continuous monitoring should immediately replace the triennial reporting system. GAO's failure to compare its effectiveness against what it is replacing is troublesome and misleading. Continuous monitoring is a key element of the Risk Management Framework published by NIST.

Since that framework was created, the complexity and persistence of attacks and attackers have forced continuous monitoring to the fore as the first and most important element of an effective risk management strategy.

Every working day, more than $1 million is wasted on triennial reports and other static security assessments. While it is not GAO's intent, its findings are being used as a delay tactic by people who like the status quo and others who exploit the system to rake in millions of dollars. If GAO adheres to its mission, then it will move quickly to correct its report and stop the waste and abuse it is fostering.

Franklin S. Reeder is a former Office of Management and Budget official and co-founder of the Center for Internet Security. He teaches and writes about information technology and policy.

]]>

Looking the Wrong Way

Franklin S. Reeder — Thu, 01 Dec 2011 00:00:00 -0500

When agency watchdogs miss the point, they stifle innovation, increase risk and perpetuate waste.

Franklin S. Reeder is a former Office of Management and Budget official and co-founder of the Center for Internet Security. He teaches and writes about information technology and policy.

]]>

Staying on Message

Franklin S. Reeder — Mon, 01 Dec 2008 00:00:00 -0500

The barrage of e-mail scams and phony claims in the office tests critical thinking skills.

During the recent presidential campaign, Americans found themselves bombarded via the Internet with all sorts of "revelations" about the candidates. In democratizing access to the media, anyone can now set up a Web site or blog or flood e-mail anonymously with all sorts of mis- and disinformation.

The American public receives much of its information unfiltered by intermediaries, like the media or interest groups that help us validate and interpret what is coming in. When dealing with traditional sources, we have a pretty good idea of where they are coming from and a sense of their reliability. Does anybody really believe the blaring headlines on the tabloids at the supermarket checkout counter?

In the workplace, we face similar challenges learning how to deal with information from sources whose motives or competence we cannot always evaluate. Whether it is done to create large-scale disruptions, or to extort money, or to indulge some misguided persons sense of whimsy, we see a barrage of traffic ranging from:

Apparently benign messages that offer us products we don't want.
Messages that warn us of dangers that don't exist (bookmark www.snopes.com and check it out if you're tempted to forward such messages).
Deliberate disinformation about public figures.
Phishing messages that look like they are from a known or trusted source and are designed to get you to provide personal information by linking to a site controlled by the sender or replying to the message.

Lowering the barrier into the communications world is not entirely bad. The resultant diversity of voices allows us to hear perspectives that might not be in the mainstream. Across media, we are seeing niche players who address the needs and interests of small segments.

This phenomenon is called disintermediation. It's defined as the elimination of an intermediary in a transaction between two parties, and it places a greater burden on the recipient. Without an intermediary whose competence, authenticity and perspectives we understand and can verify, we must be far more discerning. A piece by M.E. Kabay of Norwich University in Northfield, Vt., offers a simple prescription applying critical thinking principles to protect yourself:

Question the authenticity of the "From" line of an e-mail message (which might not correctly identify the source).
Question the technical competence of the sender to evaluate the quality of the content or attachment (which might not correlate with how loveable and friendly Aunt Gladys is).
Question the authenticity of the labeling of the information (which might not really be a document at all but could be an executable program).
Question the safety of any attachment.

Critical thinking is the best defense. Even if you are under an avalanche of e-mail in the office, question everything you read. If it sounds wrong, check it out. If it is wrong, let the sender know-don't pass it on.

Franklin S. Reeder teaches, writes and consults on public information policy and technology issues after a career in public service that spanned more than 35 years.

]]>

Always On

Franklin S. Reeder — Thu, 01 Dec 2005 00:00:00 -0500

24/7 availability is not such a good idea for executives.

Much has been written about the revolution that has made services available, both in the public and private sectors, seven days a week, 24 hours a day. The Internet and sophisticated voice response systems are among the technologies that have fueled the trend and made it possible to shift call-center work to wherever the sun is shining and workers are awake. More often than not, the public doesn't need to worry about communicating with government offices during business hours.

A corollary revolution has occurred with less notice. The Internet and the growing array of wireless devices mean that people are available 24/7. Every self-respecting executive or wannabe carries at least one wireless device. The upshot is that the trend toward 24/7 government using always-on technology has perversely morphed into an expectation that people, especially important people, always will be available.

Should we rejoice that these important (or perhaps self-important) people can deal with issues as they occur? The answer is no, for the following reasons:

Always on means never off. The boundaries of work in terms of time and place are disappearing. Important people, or IPs, are expected to be accessible wherever they are or whatever they are doing. IPs have little private time or space.
We are losing the ability to be in the moment. One of the characteristics of effective leaders is the ability to focus, even if only for a short time, on what is in front of them. In every meeting, it seems, at least one person tunes out to answer some device. And that means having to repeat what was said to ensure an informed, intelligent response. Despite our casual use of the term, humans do not "multitask," at least not at a conscious level. People who are reading e-mail during a meeting are missing what is happening in the room.
The immediate and the important are becoming indistinguishable, thus violating a basic precept of time management. Our time is controlled by those who have our number, and with the current generation of devices, everyone does. We are becoming interruption-driven, which wastes time.
We risk making stupid decisions, and we deny opportunities to potential IPs. Naval vessels have a long-standing tradition of standing watch. The captain isn't always on the bridge and isn't even consulted on routine matters. The captain is expected to rest when he can. This also creates an opportunity for junior officers to exercise their skills and judgment. Lessons often are learned not only from what people did on watch but also from whether or not they sought help. We are burning out our leaders and limiting opportunities for others to practice taking charge.

So what are the answers?

Turn off your always-on device for longer periods. Practice by ignoring phone calls and other electronic attention-seekers at meals.
Tell your colleagues that you measure their effectiveness and your own by how infrequently they need to interrupt you and how they exercise judgment in deciding when they need to call you.
Tell your bosses that you trust your staff to handle matters in your absence and are prepared to be accountable for their actions.
Get into the habit of reading e-mail once or twice a day or, at most, hourly rather than as it comes in.
Declare meetings to be "device free."

Before you think I am a troglodyte, I was an early adopter of cell phones and have every imaginable piece of technology in my home and car. But I occasionally turn them off. Too many of us have allowed the fact that we can be available 24/7 to become an expectation. That is organizationally dysfunctional and personally unhealthy.

At a meeting with an IP who really is an IP, I asked him about his recent vacation. He said: "It was wonderful. My cell phone didn't work on the island." Guess what? The world did not come to an end while he was gone.

]]>

Seal of approval

Franklin S. Reeder — Tue, 12 Aug 2003 00:00:00 -0400

Would you undergo serious surgery without checking the credentials of the surgeon? Of course not. Would you board an airplane without some assurance that skilled people maintain and fly that plane? Probably not. The same logic applies to the protection of important information at government agencies.

A professional certificate doesn't guarantee that a practitioner can perform a particular task or isn't impaired in some way. But it provides some assurance that the person has met certain requirements, subscribes to some professional and ethical standards, and risks disbarment by violating those standards. For someone who wants a haircut, a certificate on the wall probably is proof enough of a stylist's skills. But for risky procedures, such as surgery, people probably would look beyond the surgeon's professional certification at references or track records. Still, credentials are an important first cut in protecting consumers.

Many people in the critical role of assuring that the nation's information infrastructure is safe have little, if any, training. Their work ranges from operating systems that process sensitive medical records for veterans to supporting the sophisticated communications systems on which the nation's warfighting ability depends. All too often, under-trained security workers are flying by the seat of their pants-a risk agencies can no longer afford because systems are far more complex than ever. Test after test conducted by the General Accounting Office shows that the government's systems are vulnerable, monitoring tools are insufficient, and response systems are inadequate.

Much is being done to make the technology less vulnerable. Organizations such as the Center for Internet Security, with which I am associated, and vendors such as Dell are developing safer technology right out of the box. The Federal Trade Commission says the government should buy products in which security is "baked in"-a notion that promises to gain currency in the months ahead. Buying products that are already hardened eliminates the expensive and time-consuming process of retrofitting those systems.

Even if every new piece of software and hardware were perfectly secure, the government relies on a cadre of security professionals who help configure the systems, monitor them and respond to incidents. Updating the government's hundreds of thousands of old systems-which could be defined as anything purchased last month-continues to pose a formidable challenge that can only be met by skilled cybersecurity professionals.

Chief information officers have the right to insist that their system administrators have the requisite credentials. Indeed, it's their duty. Various organizations offer professional certifications in security, including Security+ (from the Computing Technology Industry Association), the Certified Information System Security Professional (from the International Information Systems Security Certification Consortium), the Certified Information Systems Auditor (from the Information Systems Audit and Control Association) and the Global Information Assurance Certification (from the SANS Institute). And the number is growing.

The cost of these certifications is trivial compared with computer security expenditures or an organization's total investment in information infrastructure. Costs range from hundreds of dollars for the tests to the low thousands for basic training. If CIOs aren't ready to invest that kind of money in protecting their systems, then they have more serious problems.

Several large companies have adopted certification requirements for their system administration employees and are providing them the support they need to get certified. Those who don't meet the requirements lose privileged access to systems. Several federal agencies, including the Defense, Energy and Veterans Affairs departments are considering similar policies. At first, employees might feel that their competence is being questioned. But when it becomes apparent that the objective is to upgrade their skills, not weed them out, strong support generally will follow.

Operating a complex information infrastructure without insisting that systems professionals with security responsibility be properly certified is like running a hospital without checking the credentials of the doctors and nurses. It is nothing less than malpractice.

]]>

Information Security Takes Skill

Franklin S. Reeder — Fri, 01 Aug 2003 00:00:00 -0400

The government's information security workforce is largely uncertified.

ould you undergo serious surgery without checking the credentials of the surgeon? Of course not. Would you board an airplane without some assurance that skilled people maintain and fly that plane? Probably not. The same logic applies to the protection of important information at government agencies.

Franklin S. Reeder is a public management and information technology consultant. He chairs the Federal Information Security and Privacy Advisory Board (http://csrc.nist.gov/csspab) and the Center for Internet Security (www.cisecurity.com), which help organizations protect their information infrastructures.

]]>

Computer Security is No Quick Fix

Franklin S. Reeder — Tue, 01 May 2001 00:00:00 -0400

Unfortunately, securing our technology and the information it carries isn't going to be quite that easy. The war metaphor depends on two premises:

The crisis must have a clear end date by which we would know whether we have won or lost.
Public and political concern must be galvanized by a potential cataclysm. Widespread infrastructure failure due to the millennium bug was viewed as unacceptable, so a "win at all costs" attitude prevailed.

Assuring the integrity of our information systems is not a problem that can be solved once and for all. It requires continuing vigilance to emerging threats. An appropriate metaphor would be more akin to maintaining the peace or protecting public health than to winning a war or even battling a disease. While we may overcome a particular invader, the security threat constantly is changing.

Notwithstanding almost weekly reminders of the fragility of our information infrastructure, those who must pay the bills should it be harmed-Congress in the case of the federal government and corporate boards in the case of the private sector-have failed to evince the sense of urgency that the threat warrants. Officials in the Defense and financial sectors, where the consequences of security breaches are real and measurable, have stepped up their efforts, but even they aren't yet on emergency alert.

Witness the recent theft by a group based in Russia and the Ukraine of more than a million credit card numbers from more than 40 electronic commerce and electronic banking Web sites. The FBI went public about the case because the perpetrators were exploiting vulnerabilities in the companies' operating systems that were well known and for which patches had been available for years. The enterprises that came under attack failed to take action despite the fact that their very existence depends on protecting their data. A response to this problem may be found on the Web site of the Center for Internet Security (www.cisecurity.org/patchwork.html). This nonprofit cooperative group seeks to reduce the risk of significant disruptions of electronic commerce and business operations due to technical failures or deliberate attacks. The site contains a downloadable program called Patchwork that will determine whether a Windows NT system has the same vulnerabilities exploited by the Russians and whether the system has been compromised. If any vulnerabilities are found, Patchwork will point users directly to the Microsoft patches and will verify that they were installed correctly.

The Y2K response may not be applicable to the security crisis, but it contains useful lessons. Two stand out:

As demonstrated by the Russia/Ukraine credit card incident, the problem often is not in finding new remedies but in making sure that information on good practices is widely shared. Promoting a culture of information sharing, as Koskinen did so successfully for Y2K, will go a long way toward helping the people protecting against attacks even the odds with the attackers. Among organizations working to improve information sharing is the Computer System Security and Privacy Advisory Board (http://csrc.nist.gov/csspab), which reports to the Commerce Department, Office of Management and Budget, National Security Agency and appropriate congressional committees.
No substitute exists for frequent, meaningful measurements to assess progress toward meeting some shared goal. Congressman Steve Horn, R-Calif., chair of the House Government Reform Committee's Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, took an important first step in focusing public attention last fall by issuing report cards on federal agency computer security. Unlike Y2K, computer security is not static; a well-protected system today could be cracked tomorrow if system managers fail to keep up with the latest patches.

Federal managers must insist that their information technology staffs provide clear measures of security status and support broader efforts to share best practices.

Franklin S. Reeder teaches, writes, and consults on public management and information technology issues. He serves as chairman of the Center for Internet Security and the Computer System Security and Privacy Advisory Board. ]]>

Walking the Transition Tightrope

Franklin S. Reeder — Fri, 01 Sep 2000 00:00:00 -0400

freeder@govexec.com

nyone who asserts that elections don't make a difference ought to watch what happens in the next six to nine months. As you read this, virtually every think tank and public interest group in Washington is looking to the upcoming presidential transition as an opportunity to advance its policy agenda, improve the operation of government, or both. Whether George W. Bush or Al Gore has his hand on the Bible on Jan. 20, a new President and, more important, a new team will soon be poised to take the reins of government. They will be full of energy and determined to leave their mark.

The focus on new policy directions, however, overlooks an important group-senior career officials, military and civilian, who will continue to serve regardless of which candidate wins. They will be called upon to provide continuity, to educate the incoming team, to be the instruments of new policy directions and, in many cases, to fill a temporary leadership void. The transition will find many officials ill-prepared. It has been eight years since the last true transition, and substantial turnover in the senior ranks has occurred in the interim. Thus, few managers will have experienced firsthand what it is like to greet a whole new political team, let alone sit around for weeks or months waiting for one to show up.

A small cadre of feds has been at work for more than a year worrying about the transition. They range from General Services Administration employees who must find office space for the transition team; to the Military District of Washington, which is in charge of the inaugural parade; to the congressional staffers who sweat the logistics of the swearing-in ceremony; to the National Archives and Records Administration, which has to take over the outgoing President's papers. Their jobs are highly sensitive and visible but also well understood and time-bounded.

For everyone else swept up in the transition, it is not that straightforward. Every senior career official, by this stage, should be well along in planning for the transition. Here is a checklist.

Think defense first. The first thing your new boss will need to know, whether or not he or she knows it, is where the potential threats are. What hearings are coming up? Is anything cooking that is likely to boil over into the newspapers? Will any decisions on controversial issues be required in the first 90 days?
Nothing builds confidence in the quality and professionalism of the career staff more than a well-crafted briefing paper on some hot issue before it hits the news. A technique that works well is a calendar of upcoming events and issues projecting out 90 to 180 days.
Sweat the details. In most agencies, the new team will arrive with a broad agenda but will be short on details. Read everything the candidates are saying now about your program and begin to think about how you might help them implement their plans. The new appointees may not welcome your articulation of how the President-elect's program should run-they may have their own plans-but they will be grateful for a laundry list of ideas that advance the new administration's agenda.
A word of caution: Nobody elected you. Don't expect the incoming team to trust you just because you are there. Even if this transition doesn't represent a party change, new appointees will arrive suspicious of the senior staff's loyalties. You will build confidence by the quality of your work. Don't turn political. Even if you are an avid supporter of the incoming team, be studiously nonpartisan. Speaking of the administration in the first person plural is reserved for the President and his appointees. They expect your best professional and technical support.
Be careful of how you say "no." The popular perception of the bureaucrat is someone who has a dozen reasons why an idea won't work. Beware of reinforcing that view. Embrace change, even if it could mean a change in your job. Nevertheless, sometimes your professional duty will be to advise your new boss that some proposal he or she is advancing with great passion is seriously flawed. To deal with this situation, be analytical and factual. Reactions like "We've tried that before" won't carry the day. Rather, dispassionately point out what you know about the likely consequences of the proposals. Your boss wants to change the world; that's what elections are all about. If the proposal on the table is likely to fail, help find alternatives more likely to achieve the new team's vision.
Be ready to lead. Those who serve in agencies and subagencies where there is a long interregnum before appointees arrive face the greatest challenge. Cabinet-level appointees tend to be confirmed quickly. But at the next level and in the independent agencies, senior officials may find themselves filling political slots for extended periods. Career executives who fill in are expected to provide vigorous leadership without stepping over the boundary between career officials and political appointees.

Despite the public cynicism about presidential campaigns, the quadrennial ritual is an important renewal of our democratic institutions. Those in the senior career ranks play an important role and have a wonderful vantage point in that process. Enjoy the view.

Franklin S. Reeder teaches, writes and consults on public management and information technology issues. He spent more than 35 years in federal service in political and career positions. While at the Office of Management and Budget, he survived five presidential transitions.

]]>

The Privacy Act Needs an Overhaul

Franklin S. Reeder — Mon, 01 May 2000 00:00:00 -0400

freeder@govexec.com

ost in the flurry of the Y2K problem late last year was an important date-the 25th anniversary of the Privacy Act signed by President Ford in December 1974. Before the law took effect in September 1975, agencies scurried to comply with the first comprehensive statute controlling federal use of personal information. But even as one who takes pride in the law we created 25 years ago, I believe it is time to reopen the issue.

The law came on the heels of the seminal report "Records, Computers and the Rights of Citizens," issued in July 1973 by a task force appointed by then-Health Education and Welfare chief Caspar Weinberger.

The Ware report, nicknamed for task force chair Willis Ware of the Rand Corp., proposed a federal "Code of Fair Information Practice" for automated personal data systems based on five principles:

Eliminate secret personal data systems.
Enable individuals to find out what information about them is being maintained and how it is used.
Prevent information collected for one purpose from being used for other purposes without the individual's consent.
Devise a way for individuals to correct information about themselves.
Take reasonable steps in maintaining personal information to assure the reliability of that data for its intended use and prevent its misuse.

At the height of the Cold War, when tyranny of the state was seen as a real and growing threat, consensus emerged that action on the privacy issue was needed. Much work had already been done on Capitol Hill. Sponsors ranging from Ed Koch of New York to Barry Goldwater Jr. of California introduced several bills. Despite the broad base of congressional support, executive branch opposition kept legislation from moving-the classic "support in principle but find lots of flaws in the details" ploy. Then, after allegations of dirty tricks and misuse of tax information, President Nixon made protecting personal privacy a priority in his 1974 State of the Union address.

So the administration came to the table and hammered out the Privacy Act. Civil libertarians talked to spies, law enforcement types, the military and computer jocks, and what emerged closely resembled the blueprint in the Ware report. Federal agencies were required to notify the public of the existence of personal data systems called "systems of records." They also were directed to set up published procedures for granting access to and challenging the accuracy of information in those systems, and to establish restrictions on disclosure. In many ways, the Privacy Act was as much a "sunshine" law requiring public disclosure of agency practices, as it was a secrecy law. In fact, it shares the public information section of the U.S. Code with the Freedom of Information Act and the Government in the Sunshine Act.

However, lots of compromises were made, including exemptions for certain types of records, especially in the areas of criminal law enforcement, national security and intelligence-gathering. The Privacy Act also reflects the technology of its era. The notion of records was paper-based, and automated data systems were largely still electronic emulations of paper-based systems. A blanket "routine use" authorization for information was devised to deal with the problem of inundating record subjects with consent requests.

Twenty-five years later, privacy is still a hot issue-in many ways hotter than it was in 1974. The Health and Human Services Department is working on regulations that would protect individual privacy regarding medical records, and concern is growing over the power and potential for abuse of personal information being collected on the Internet. We read about Internet vendors profiling potential customers and drug stores selling records. For the most part, the stories and concerns are about private, not governmental, use of personal data.

One might therefore conclude that the 1974 law addressed the federal privacy problem once and for all, but that's not true. Thanks to the Privacy Act, federal use of information is not as pressing a problem, but it is there. The definitions of "record" and "system" do not work in an Internet world. The forms of notice and consent are antiquated at best and ineffective at worst.

OMB's new Privacy Office has provided some needed leadership in requiring privacy policy for agency Web sites, but it cannot provide the kind of creativity that a serious re-examination of the Privacy Act requires. Peter Swire, OMB's chief counselor for privacy, and his colleagues can run political interference for good ideas, but it is unreasonable to expect them to start the debate. As in the 1970s, the intellectual leadership must come from information professionals, academics and consumers to create a new privacy agenda and push the policy debate. The prospect of a new administration taking office in 2001 may present some interesting opportunities.

Franklin S. Reeder teaches, writes and consults on public management and information technology issues. As an OMB staff member, he helped draft and implement the 1974 Privacy Act, and he now serves on the National Institute of Standards and Technology's Computer Systems Security and Privacy Advisory Board.

]]>

Who's Watching the Store?

Franklin S. Reeder and Alan Paller — Sat, 01 Apr 2000 00:00:00 -0500

letters@govexec.com

very sector is becoming increasingly dependent on information technology, especially the Internet, to conduct business and to stay competitive. That dependence has been accompanied by a growing threat from those who seek to disrupt Internet activities for personal gain or mischief.

Look at some recent stories:

High-visibility Web sites at Yahoo and CNN were blasted off the Internet through "denial of service" attacks.
Fourteen computers at the Agriculture Department were put out of service for several weeks because of an intrusion.
The State Department Web site that supports political operations around the world was compromised, its information altered and backdoors installed twice in less than eight months.
The federally sponsored Internet2 Site at the University of Minnesota was brought down for nearly two days by 232 infected computers at other sites being used to attack it. At four other commercial and academic sites, more than 1,400 computers were infected. The FBI issued a warning that potential attacks from infected computers put the Internet at risk.
Navy and NASA computers have been infected in the same way.

Computer security breaches no longer are someone else's problem. Protecting valuable computer and telecommunications resources requires trained professionals who understand the latest techniques for protecting against, detecting and recovering from intrusions.

Agency managers who allow their systems to be compromised can expect to find themselves squarely in the sights of congressional watchdogs and others who believe that private information should be kept private or that federal systems should not be compromised. More importantly, these managers risk undermining public confidence in government and the Internet. And, even worse, they may be closed down. That's what happened to the Environmental Protection Agency's Web site recently, as a result of congressional pressure that suggested the risk of compromise was so high that all public access should be denied.

Finding Trained Professionals

Technology managers have no way to determine whether people claiming to be computer security professionals know what they are doing. But the challenge of finding trained professionals does have analogs.

When we engage in high-risk or high-stakes activities such as flying in airplanes, obtaining medical services or assuring the financial integrity of our operations, well-understood and widely accepted credentialing processes give us confidence that we are relying on competent professionals. Those processes have five elements in common:

1. Individuals must have completed a formal training program accredited by an independent professional organization.

2. They must have demonstrated their ability to apply the concepts they learned through managed apprenticeship programs. Medical doctors have to complete internships and pilots have to fly airplanes.

3. They must pass a rigorous examination that includes both theory and practice administered by an independent professional organization.

4. To retain their professional credentials they must meet continuing education requirements.

5. Practitioners must subscribe to a professional code of ethics.

Potential employers and/or consumers then can have reasonable assurance that the professional with whom they are dealing is properly trained. For some fields, such as accounting, successful completion of an accredited training program may be sufficient. But for most jobs, all five components are required before an individual is entrusted with a critical task.

Casting Credentials

The information technology profession has long struggled with the concept of professional certification, dating back to the certified data processor (CDP) created by the Data Processing Management Association. Many educational organizations have created certification programs in sub-specialties, such as project management, but none has all the components of a professional certification outlined above. And most seek, as their primary objective, to promote a particular training curriculum.

Software and hardware vendors have established certification programs to ensure clients know how to use their products, but these programs have been damaged by promises of certification without much work. Today, few employers are even aware of certification programs and even fewer make them a requirement when hiring a job candidate or a consultant.

Since 1978, the Information Systems Audit and Control Association (ISACA) (www.isaca.org) has issued the certified information system auditor (CISA) credential to those who pass its exam, have the requisite experience, subscribe to its code of professional ethics and meet continuing education requirements. The International Information System Security Certification Consortium (ISC2 ) (www.isc2.org) developed a certification for professionals with at least three years of experience who pass its exam and subscribe to its code of professional ethics. Recertification every three years is based on a continuing education requirement. The Information Systems Security Association (ISSA) Web site (www.issa-intl.org/certification.htm) lists other professional certificate programs. Even the federal government, under the leadership of the National Security Agency, has developed standards for measuring mastery of various security skills.

Programs like those sponsored by ISACA and ISC2 are valuable for auditors and security managers. Unfortunately, they do not measure whether people can handle the technical tasks required to keep systems secure: intrusion detection, firewall tuning, incident handling, and Cisco, NT and Unix security, for example. For that, a new level of education and certification is required.

What Is Missing

Like flying airplanes, practicing medicine or handling large financial assets, running computer systems is inherently a high-risk activity requiring trained professionals. Passing a rigorous exam and having substantial experience, at least on paper, are important but not sufficient. There is no substitute for completing a thorough, independently accredited education program and demonstrating skills in simulated and actual conditions.

Requiring completion of an accredited training program reduces the risk that unqualified individuals will obtain the credential and enhances the credibility of the professional certification. These programs also help employers determine which job candidates are prepared for junior or entry-level positions.

It is time for the IT security profession to develop a scheme for accrediting training programs both at colleges and universities and at training institutes. Professional associations, such as ISC2 and ISSA, and groups of system and network administrators-the ultimate beneficiaries of the education-must be involved.

Until accredited programs and skills-based certifications are in place, the only path available to agency managers is to hire outside reviewers to test their systems for security vulnerabilities. But that is often expensive and incomplete. A recent General Accounting Offfice-sponsored test of NASA's information security by the National Security Agency audited only a tiny fraction of the computers managed by NASA.

On Jan. 7, the President announced an initiative to fund security education. Some of us are old enough to remember the questionable programs that sprang up in the 1940s and 1950s under the GI Bill, offering training in everything from electronics to flying airplanes. Do we really want the products of similar programs securing our computers?

Alan Paller is director of research for the SANS Institute, an organization of technical security professionals

Franklin S. Reeder teaches, writes, and consults on public management and information technology issues. He headed OMB's information policy staff.

]]>

The 'Cover Up and Blame' Game

Franklin S. Reeder — Mon, 01 Nov 1999 00:00:00 -0500

freeder@govexec.com

veryone who has an e-mail account has received at least one message about the Darwin Awards. They are "given usually posthumously, to the individual(s) who remove themselves from the gene pool in the most spectacular fashion," according to one of several Web sites that post the winners (www.darwinawards.com). Admit it. You've read them and laughed.

For the three of you who have never read about a Darwin Award winner, here, by way of illustration, is one of the few citations suitable for this publication. It's credited to the Fort Worth Star-Telegram in January 1996:

CALCUTTA, India-A tiger killed one man and mauled another at the Calcutta zoo yesterday when they tried to put a marigold garland around its neck in a New Year's greeting. Prakesh Tiwari, the dead man, and Suresh Rai had been drinking before they bought the floral garlands and crossed the moat around the tiger's enclosure, authorities said.

Federal managers certainly are not exempt from flaws and foibles. Events over the past few years from the President's various missteps to the colossal failure of the Agency for International Development's new management system serve as a reminder that public officials continue to suffer from self-inflicted wounds. The wounds are seldom fatal, but they often damage careers. The Darwin Award rules state that "if said individual does not die, however does render him/her self incapable of producing any children-they [sic] may be eligible for the dubious honor of receiving the award while still alive." If we create a new classification for rendering oneself politically impotent, I think we have some real contenders.

Let's start with a basic premise. Bad stuff happens. As a result of acts of nature, unforeseeable events, technical glitches, lack of training or just plain bad judgment, public officials and their organizations make mistakes or disappoint their customers in some important way every day. Bad stuff even happens in the vaunted private sector. Remember the poisoned Tylenol incident? How about New Coke? Projects and systems fail all the time. While many of us devote many waking hours to avoiding project failure or computer security violations, they continue to happen. And even with the best controls in place, humans have weaknesses-except for thee and me, of course.

We need to keep investing in measures that prevent failure, whether that means strong project management, computer security, financial controls or good training (especially in ethics). What distinguishes the effective organization or executive from those whose names will always be associated with scandal or failure is not that they never made a mistake. It is what they do after the mistake is made.

Here is a sure-fire recipe for disaster-one that public officials follow every day:

Deny. Pretend the incident never happened.
Cover up. If denial doesn't work, make sure that any evidence of your association with the event is wiped out.
Blame someone else. If denial and cover-up both fail, then put all your energies into blaming someone, anyone, other than yourself.

We've all heard about the manager who, upon taking a new job, was given three envelopes by his predecessor with instructions to open them in sequence as each new crisis arose. Sure enough, a major scandal erupted and, despite initial skepticism, she opened the first envelope to find the instruction: "Blame your predecessor." It worked, so when the inevitable second crisis arose, she eagerly opened the second envelope, which advised her to "form a committee." Flush with success after a second near-miss, when a third disaster befell her agency, she opened the third envelope, which said: "Make up three envelopes."

Do these approaches really work? I would submit that each so-called scandal or report of agency incompetence or wrongdoing can be traced not to the initial act but to what the principal(s) did or did not do once the act had occurred. Was Richard Nixon forced to resign because of a "third-rate burglary?" Did Gary Hart's presidential prospects plummet because he had an affair? I think not. And, regrettably, President Clinton devoted the greater part of a year, not to apologizing for his personal life, but to explaining why he failed to be truthful when first confronted.

Let me suggest an alternative approach:

Admit the Problem

If you messed up, admit it. If the project was not as promising in reality as it seemed to be, acknowledge it. This is pretty easy to do if you are not the person who caused the problem, but even if the failure was yours, fess up to the problem. Recent history tells us the public is forgiving of individuals who make almost any mistake short of taking a human life. Admit it and try to make amends. If you keep repeating the same mistake, people eventually will catch on, but in most games you are allowed at least one strike.

Fix the Immediate Problem

When the makers of Tylenol learned in 1982 that contaminated bottles of their product had been found in Chicago-area stores, they pulled the product from all stores. They concluded quickly that no amount of protesting that the problem was probably isolated and not a manufacturing defect would restore customer confidence. Removing the product did. When Coca-Cola saw that their new cola product was being rejected by loyal customers, they moved quickly to re-release their old product (renamed Classic Coke to save face) and moved on.

If the project no longer makes sense or is out of control, kill it. If your customers are unhappy, deal immediately with their pain. This is not the time to look for causes or excuses.

Look for Causes

Find the causes only after you've done 1 and 2. This is not the same as fixing blame. It is possible that someone did something malicious and should be held accountable, but the emphasis should be on finding causes and possible preventative measures, not finding a scapegoat.

Even if you did not cause the problem, ask yourself and your organization how similar problems might be prevented in the future. The makers of Tylenol set about developing a tamper-resistant packaging that has since become an industry norm. They reaped a public relations bonanza. And I'll bet Coca-Cola has revised its new product testing and release process.

Learn from your mistakes. "Older and wiser" is just a euphemism for "been around long enough to make lots of mistakes but smart enough to learn from them." You can, if you prefer, continue to play the old "deny, cover up and blame" game. We will be looking for you in a new version of the Darwin Awards.

Franklin S. Reeder teaches, writes, and consults on public management and information technology issues.

]]>

Back to Basics in Eastern Europe

Franklin S. Reeder — Wed, 01 Sep 1999 00:00:00 -0400

n June, I taught a course in public management at the Georgian Institute of Public Administration--that's Joe Stalin's Georgia, not Jimmy Carter's. It was my fourth trip to the former Eastern bloc countries.

When I first met the leaders of the emerging democracies in the early 1990s, two things impressed me. They were people of enormous quality, intellect and courage who were entering public service at great sacrifice and even potential risk. Their understanding of the essential elements of democratic governance sometimes put ours to shame.

In the West, when we speak of government reform, we are redecorating. Eastern European countries, on the other hand, are building whole new structures and even creating new traditions. A few countries in the region can faintly remember democratic forms that fell to the Soviets in 1945. Many must reach back to 1917 or the early 1920s to remember, and a few have never lived under what we would call a democratic regime. These countries have been forced to address some of the basic principles and functions that underlie democratic governments.

Some of us in the redecorating business have lost sight of the basic structures on which we are building. If the United States is to help Eastern European countries build stable democratic institutions, we too have to get back to basics. Only a fool believes that democratic forms as they have evolved in the United States--or in any other country--are directly exportable to Eastern Europe.

My recent Georgian experience has only reinforced my first impressions. Some of the key features of democratic governance are hard to see when one is on the inside.

What, then, are some of these basic forms and principles? My list is certainly incomplete--colleagues who have spent more time in democracy-building than I would doubtless add to it. I offer it as a way of suggesting that those of us who tinker at the edge of government management reform periodically ought to get back to basics.

Neutrality and Ethics

Good public service begins with good people--and it takes more than intelligence. We in the United States figured that out in the late 19th century with the enactment of the Pendleton Act and the creation of the merit system. We do not require civil servants to give up their partisan personas--especially in light of recent Hatch Act amendments--but we do not permit their personal politics to influence official actions. Except for elected officials and a small cadre of appointees, we do not require a particular political affiliation in order to hold public office. We hire based on merit, which helps ensure competence and fairness as well as continuity when party control changes.

Political neutrality and a merit system are not the only important features of democratic civil service systems. They all share a commitment to ethical discharge of public duties. Perhaps the single most frequent criticism of civil servants in Eastern Europe and the former Soviet Union is that they are corrupt. More is at stake here than some abstract notion of the relationship between ethical behavior and fairness. Businesses are less inclined to invest in a country where rules are not enforced and one's survival depends on the whims of corrupt officials. A tax system that does not collect a reasonable percentage of taxes due means that government will lack the resources to provide even basic services. Lack of investment weakens the economy and potentially threatens political stability.

On a visit to Tbilisi, I noticed the police flagging down cars at random. When I asked my hosts what was going on, they told me matter-of-factly that some of them were extorting money from motorists to buy food. Police are paid the equivalent of about $40 a month and have not been paid for several months. Imagine: a new way to streamline government; no costly tax collection or payroll system required. By adopting this approach, the United States could eliminate most of the Treasury Department.

Viewed through my Western lenses, this looked like a simple question of moral fortitude and enforcement of ethical codes. Then, on a visit to Warsaw, I got a different perspective. There, a senior government official told me that his government saw adequate pay for civil servants as a critical factor in eliminating bribery. Beyond merely providing a subsistence wage, the Polish government understands that pay comparability and respect are important to ensuring ethical behavior. I have strong reservations about the particular processes set up by the Federal Employees' Pay Comparability Act, but pay comparability matters.

Non-Governmental Groups

While we tend to use the simple rhetoric of the government and the private sector, democratic governance depends on the existence of a third sector--nonprofits, or non-governmental organizations. These groups serve three important roles:

They aggregate and mediate public opinion for formulating public policy. Typically, it is not Joe Citizen or Jane Businessperson who lobbies Congress; it is organizations such as Public Citizen, the AFL-CIO, Chambers of Commerce, the National Federation of Independent Business, and our political parties.
They inform the public and often serve as an instrument of policy implementation--many older Americans learn about the latest changes in Medicare or Social Security by reading American Association of Retired Persons publications, for example.
They independently fund and deliver services, such as Salvation Army assistance to the needy and church-run schools.

Western models vary. The United States, with its Jeffersonian suspicion of large governments, has an especially strong non-governmental sector. Australians, in contrast, find our use of the voluntary sector instead of the state to deliver social services peculiar. In France, the church has historically predominated in the social services business, especially health and education. If we did not have NGOs, we would have to invent mechanisms and institutions to perform the roles they play for us. And that is what is happening in Eastern Europe.

Building NGOs long has been one of the priorities of the Agency for International Development and other donors concerned with democracy and governance in this part of the world. Organizations that had similar names to Western NGOs existed during the Soviet era, but that actually complicates the problem. Labor unions were state-controlled committees used as an adjunct to the formal organization. The notion of free labor unions is relatively new to the region. There was, of course a political party, but it was an instrument of the state, not a diverse set of organizations established to influence and even disagree with official policies.

The region has no lack of NGOs. Indeed, new ones spring up every day. Still, financing is a huge problem. The people of this region are extraordinarily generous, even by American standards. Locals rarely pass a beggar without reaching into their pockets, but there is not much money here. There are no large indigenous foundations, and government support is virtually nonexistent. Foreign support, both from governments and foundations, has been their lifeline.

Power to the People

Democracy is more than just a way of allocating political power. It defines the way we operate all sorts of institutions. Leadership and strategies originate from the top, but workers who are respected and encouraged to take initiative are usually far happier and more productive. Self-directed teams and quality circles have changed the landscape of both public and private organizations. Diversity of people and ideas and a participatory management style generate better answers than one person could produce.

Fundamental notions of worker empowerment and diversity of approaches were hardly part of the Soviet culture. The Soviet system placed enormous emphasis on education, especially scientific and technical studies, and produced a labor pool of highly educated individuals. Government leaders and academics in this region generally acknowledge that one of the most important and potentially toxic management legacies of the former Soviet Union was a hierarchical, top-down style of thinking. Considering alternatives, open, adaptive decision-making, managing risk, and questioning authority are foreign to the management culture. The problem is exacerbated by widespread unemployment, so those who have jobs are easily intimidated by managers.

Access to Information

The free flow of information to and from government is essential to democratic governance. In a controlled society, it was not important that the public know the laws and regulations, especially those under consideration; a public official could always tell you when you were in violation.

It did not take the citizens of Georgia or other countries in the region long to figure this out. The Parliament's proceedings are now televised and, with AID assistance, a public law database was created. Also, most government agencies are accessible via the Internet. It would be an overstatement to say that there is a robust information strategy and program, but things are happening.

Two years ago, offices had fewer than one computer per 10 staffers and virtually no Internet access. With a few exceptions, the first priority of everyone I spoke to this year was for more Internet access so that they could get information about how other governments and organizations were dealing with issues facing Georgia. If only that were the first priority of our own public officials. We can learn something here as well.

I have learned more from the Georgians and others in this region than they have from me. Democracy faces formidable challenges--economic and political--but I have every confidence that eventually, robust democratic governments will emerge. Moving to market democracy is not easy. The pensioner or wage-earner whose income has gone away may understandably long for the good old days. But most of the people I speak to tell me that they have tasted living in an open society and there is no going back.

Franklin S. Reeder, head of The Reeder Group in Washington, writes, teaches and consults on information technology and public policy matters. From 1992 through 1995, he served as the U.S. delegate to the Public Management Committee of the Organization for Economic Cooperation and Development.

]]>

Still Asleep at the Wheel?

Franklin S. Reeder — Thu, 01 Jul 1999 00:00:00 -0400

ne good outcome of the Y2K fiasco might be that senior managers will understand the importance of paying attention to information technology management and the risks of failing to do so, says the president's Y2K czar, John Koskinen, the original "make lemonade when someone gives you lemons" guy.

Koskinen's message was hopeful at Government Executive's second annual Government Technology Leadership Institute (www.govexec.com/tech/leader) last December, which was devoted to planning for and reacting to crises. An expert in management disaster recovery, Koskinen shared lessons learned from his long, successful career as a corporate rescue artist and, more recently, as deputy director for management at the Office of Management and Budget.

Thanks to folks like Koskinen, the Y2K problem has captured management attention. It has demonstrated vividly how dependent our processes are on sophisticated information technology-from banking to medical care to air traffic control. It has shown how vulnerable we are to failures in those systems and how dire the potential consequences if we are unprepared.

But a couple of other lessons may be lost entirely. While not diminishing the potential harm from hackers, Y2K shows us what happens when we rely on technicians to make management decisions and we slip into denial as soon as a problem arises. The result is an expensive crash effort to solve it. Most IT managers will admit that at this stage, not only is remediation expensive, it is often too late to update and reengineer systems. That sure meets the definition of managerial incompetence.

Not every potential problem is preventable or even foreseeable, but early detection and prompt action can often mitigate the damage. Y2K planners are teaching us the importance of contingency planning such as keeping paper copies of records before Dec. 31, 1999. The Federal Reserve plans to put more cash into the system, in case nervous citizens rush to withdraw their money. Responsible publications like
Consumer Reports are telling us that stockpiling a little bit of food and water and getting fresh batteries for our flashlights is not a bad idea.

Despite these clear lessons, there is little evidence that senior managers will not retreat into their traditional avoidance behavior when confronted with IT issues. "Get good people and give them the resources and discretion to get the job done," you might argue. Besides, can senior managers really be expected to get into the kind of detail that would allow them to detect Y2K problems?

The newspapers in recent weeks have been replete with examples of why continuing inattention to computer security borders on management malpractice. You need only ask the senior managers at the Department of Energy's Los Alamos laboratory or those who were hit by the Melissa computer virus or the agencies that have been hit with denial of service attacks by forces protesting NATO actions in Yugoslavia. Yet, we continue to be afflicted with a "can't happen here" attitude. Major computer incidents happen to someone else.

As a first step, getting good people and giving them as much latitude as possible is vital. But how do you know they're good? When you hire an accountant or chief financial officer, you examine applicants' credentials, check references and use techniques such as intuition to make a selection. Then you monitor the employee's performance. You engage an independent authority, in this case usually a CPA firm, to evaluate your accounting systems, and you invest in training. Are your technology resources so much less important than your financial resources that they don't deserve similar vigilance?

Can you personally assure that the seeds of the next Y2K problem are not being sown? Probably not, but through auditing and training you can expose your staff to experts who will find the next vulnerability long before it becomes a crisis.

Here's what can you do:

Hire real experts, and make security a full-time job.
Insist that they periodically use one of the many commercially available scanning tools to evaluate your network and report to you what they found. If they found nothing, have them try another tool.
Make sure your systems are audited periodically by an outsider.
Invest in training. No professional can stay current without guidance. The hackers are learning new tricks every day.
Subscribe to a security information clearinghouse like Carnegie Mellon University's Computer Emergency Response Team (www.cert.org) or a government CERTs.
Don't overlook internal threats. Y2K was not the evil plot of some outsider.
Develop a recovery plan. The question is not whether you will have an incident but when.
Most important, nothing is more effective than periodic requests for briefings on the state of your systems. Ask where the vulnerabilities are. If you are told that you have nothing to worry about-worry.

Franklin S. Reeder heads The Reeder Group, a Washington-based consulting firm, after more than 35 years in government. Contact him at freeder@govexec.com.

]]>

Managing Technology

Franklin S. Reeder and Nancy Ferris — Thu, 01 Apr 1999 00:00:00 -0500

nferris@govexec.com

t a meeting early in 1998, federal agencies' senior telecommunications man- agers are discussing how to wring more concessions out of their long-distance telephone service providers. Can they ask FTS 2001 contractors to provide a certain feature that's not yet standard in the industry?

A woman has the floor. "If they won't give it to us," she says, "we'll cram it down their throats!"

From the rear of the room, a man shouts: "You go, girl!" Cheers erupt.

Washington attorney Henry D. Levine, a telecommunications consultant to the General Services Administration and the nation's largest companies, recalls this as a defining moment in the planning for FTS 2001, the pair of contracts awarded in December and January. "The government has caught the wave" of ruthless, corporate-style business dealings, he says, and "the result has been billions of dollars of savings."

In fact, by 2007, you could be paying less for a one-minute transcontinental phone call from your office than for a one-minute local call. The FTS 2001 contracts will drive agencies' long-distance telephone bills down to less than 1 cent per minute on average at the end of their eight-year terms.

On top of the great prices, Levine says, the government got excellent terms and conditions of service from the FTS 2001 contractors. But there is no gain without pain. With unprecedented flexibility to pick and choose among long-distance providers, agencies will have to make difficult choices and exercise telecommunications management skills they seldom needed before now.

In the bidding for the contracts, incumbent Sprint Corp. hung onto a share of the federal long-distance business and MCI WorldCom Inc. ousted AT&T Corp. from the other slot. GSA officials predict the combined value of the two contracts will exceed $5 billion, but neither company is guaranteed more than $750 million.

Unlike previous FTS contracts, the 2001 program does not obligate federal agencies to use its services. As of Oct. 1, agencies can buy long-haul telecommunications from any supplier, without having to go through GSA. Nor are individual agencies assigned to one FTS 2001 contractor or the other, as they have been in the past. That means they can select Sprint or MCI WorldCom--or perhaps a company not taking part in the program, such as AT&T.

Agencies also can engage in Chinese-menu ordering. An agency could decide, for example, to get regular voice service from MCI WorldCom, certain data services from Sprint and international services from a third company. And they can change providers during the course of the contract.

The companies are free to reduce their prices at any time. "These FTS 2001 prices are ceilings," says Dennis J. Fischer, commissioner of GSA's Federal Technology Service.

GSA plans to enrich this already-heady brew of competition by allowing its local phone service providers in the largest metropolitan areas to take part in the long-distance program, to the extent permitted by telecommunications regulations. MCI WorldCom and Sprint will be allowed to offer local phone services to federal facilities in those areas. So there will be even more competitive pressure in the months to come. Fischer describes the procurement environment as continuous competition.

Breakthrough Prices

"The government in this case is the leader, not the follower," Levine says. He is among those who predict that the breakthrough prices GSA achieved in the FTS 2001 procurement will drive prices down for other long-distance users--big corporations first, then smaller ones and eventually individual households.

Implementation of the new contracts is expected to begin in April and continue through 2000. Agencies have considerable latitude in making their transitions from FTS 2000 to FTS 2001. They can move their offices all at once or gradually. They can move ordinary voice lines now and hold off on other services.

Even for Sprint customers who decide not to change providers and who want essentially the same services, the transition will not be automatic. Billing arrangements, software and other aspects of their service must be modified.

"The transition is a big, big deal," GSA's Fischer says. "It will be the largest such undertaking in U.S. telecommunications history and is larger than the effort required to transition some nations," according to an FTS report. Under the current FTS 2000 contracts, agencies are using 272,000 circuits to connect more than 20,000 locations in 5,000 cities.

Those numbers will swell under the new contracts as services are added. For example, FTS 2001 encompasses international calling services and Internet access, which the FTS organization until now has obtained on agencies' behalf through separate contracts.

Data communications services will be expanded as well, and this is likely to be a major growth area for FTS 2001. Under the predecessor contracts, data links were not priced quite as competitively as voice lines. But Fischer says that in FTS 2001, data services will be substantially less expensive than what agencies are using now.

The new program also allows the contractors to add services much more easily than they could in the past. This was a necessity for a technology contract that will last for eight years. "A year in telecommunications is forever," quips Jim Payne, the assistant vice president in charge of FTS 2001 for Sprint's Government Services Division.

Sprint plans to offer a new service late this year. Through FTS 2001, agencies can acquire Sprint's Ion, or integrated on-demand network, services. Ion delivers local and long-distance voice, data, Internet and video communications over one high-speed network backbone.

Starting Over

Even before such integrated services become widely available, agencies should be taking the opportunity to reengineer their networks. Since last year, Federal Technology Service officials have been urging agencies to prepare for the FTS transition by taking inventory of their long-haul circuits and assessing the potential for eliminating and consolidating lines and switches.

"Initial studies of service and access optimization in large metropolitan areas indicate the possibility of saving over 24 percent, almost $2 million per month," GSA's transition strategy document says. This is likely to mean shutdowns of certain federal network centers.

GSA and the FTS 2001 contractors are supposed to be helping agencies review their options. But even Federal Technology Service officials acknowledge the potential pitfalls. "During the course of optimization discussions with the new service provider," their strategy document says, "agencies should be prepared to differentiate between valid recommendations that use new services to optimize existing services and a pure sales pitch."

Agencies may have trouble making that distinction. Some still maintain separate staffs to manage data and voice communications, making it difficult to see the big picture. Even where data and voice are managed by the same organization, few managers have much experience in weighing competing sales pitches, because of the lack of choice in previous FTS programs.

GSA has selected eight technical services companies to help with transition activities. The Technical and Management Support (TMS) contractors can supply analytical, engineering, IT and other services on a task-order basis. GSA will dole out about $14 million to help agencies.

Through this year, agencies will be focusing on year 2000 readiness, and some will defer changes in their telecommunications services until they are confident of a smooth systems changeover to the new century. Agencies also have internal scheduling considerations. For example, the Internal Revenue Service has an annual business cycle that builds up to the peak tax filing season from about Jan. 15 to April 15. The agency avoids making major changes in its systems during the peak months. When scheduling switchovers, GSA is promising to give priority to the most complex FTS transitions and the most time-sensitive, such as the IRS situation.

The timing of transitions may have an impact on budgets. Agencies' FTS 2000 rates are determined partly by the volume of calls. As some large agencies move to the new program, rates for the remaining ones may rise noticeably, giving them an incentive to become FTS 2001 customers faster than they might have wished.

Paralysis by Analysis

Agencies also could spend months evaluating competing proposals and ways to reconfigure networks. To avoid paralysis by analysis, the Interior Department speeded up its evaluation. In early February, four weeks after GSA chose MCI WorldCom as the second FTS 2001 provider, Interior selected the FTS newcomer, becoming the first agency aboard the FTS 2001 bus.

James Dolezal, the department's telecommunications chief, said Interior would move its voice and data services from FTS 2000 provider Sprint to MCI as soon as possible and consider adding other services later. The flexibility of the new contract vehicle makes Interior's approach possible, he said.

Dolezal's management team was briefed by AT&T on the company's intention to stay in the federal market. John Doherty, AT&T's vice president for government markets, told Government Executive the company is confident it can compete.

In the view of Ron Hack, chairman of the interagency telecommunications council, the situation couldn't be better. "We have three world-class vendors offering unprecedented low prices," says Hack, a longtime Commerce Department manager who this year became administrator for computer and telecommunications operations at the Patent and Trademark Office. AT&T's continuing presence will help keep the FTS 2001 contractors on their best behavior, he adds.

Most federal offices won't even notice the FTS 2001 transition. Employees still will dial 1 for a long-distance line. But at an operational level, transition time is nail-biting time. The switchover usually is done during off-hours. There's always the danger that it won't be done fast enough and that long-distance services will be disrupted during normal business hours. If system inventories are inaccurate or user needs are misunderstood, extra installation costs and delays can ensue.

The transition will bring rewards, as well as headaches, for telecom managers. They'll get Web-based management reporting and service orders, new billing options and more up-to-date cost information. The combination of upgraded service and a two-thirds cut in prices has GSA's Fischer beaming. "We figured out how to leverage the buying power of the federal government," he says.

Franklin S. Reeder heads The Reeder Group, a Washington-based consulting firm he founded after more than 35 years in government. His e-mail address is reeder@erols.com.

]]>

Managing Technology

Franklin S. Reeder — Thu, 01 Apr 1999 00:00:00 -0500

ears ago, I read a column by Norman Cousins in the Saturday Review in which he wrote: "The things that I find most profound are those that cause me to say: 'Of course! I knew that! But until I read it here, I never really thought about it.' "

I had several of those revelations over the past 18 months as I traveled to widely dispersed places around the globe to study the use of information technology in public management reform. The premise is simple. A system works only if it solves a problem for the user. And the systems that work best are built around those problems.

Let me make that a bit less abstract. People are not interested in government services per se; but they are interested in using government to help them cope with the challenges in their daily lives. The international public management community is using a wonderful term-"life situations." A life situation may be starting a business, getting married, having a child, moving across the street or across the country, buying a car, taking a trip overseas or dealing with the death of a loved one.

All of these situations involve dealing with the government and may be as simple as filing a change of address form with the post office or as complicated as dealing with three different levels of government to start a business. The goal is to solve a problem or achieve an objective, but, in each case, at least one governmental process is involved.

The Big Picture

In my travels, I have seen a growing recognition that a full-service government means more than one-stop shops, 24-hour phone service or Web sites. It means integrating governmental transactions into larger life situations. One example is the Australian visa system I described in Government
Executive's January issue ("If It's Overseas, It's Overlooked,"). Under that system, travelers often don't even know that a visa permitting them to visit Australia has been issued. It all happens as part of booking an airline ticket.

The concept of integrating a government service with a life event is not new. States figured out a long time ago that allowing car dealers to handle motor vehicle registration made sense in terms of compliance and convenience. For as long as I can recall, both the Social Security Administration and the Veterans Affairs Department have allowed funeral directors to file death benefit claims for surviving relatives. The funeral directors have every incentive to get death benefit claims processed so that funeral costs can be paid faster. Beneficiaries avoid having to report to a government office, and the government gets notified more promptly that a person who may have been receiving pension checks is now deceased.

In recent years, the Social Security Administration-an agency that really understands how to deal with the public-has worked with hospitals to get Social Security number applications into the hands of new parents when they are filling out all the other paperwork incident to having a baby.

Easing the Load

Often governmental transactions cannot be made virtually transparent or effortless, but it is still possible to move toward integrating service delivery with other related services. The problem can be attacked at several levels:

The gold standard is to achieve complete transparency, as in Australia's electronic visa system, which remains my favorite.
If that is not possible, try to piggyback a related transaction. Motor vehicle registration or death benefit applications, while still requiring some governmental paperwork, impose minimal burdens on applicants and are done as a natural adjunct to another transaction.

Don't overlook the possibility that service providers in some other sectors (e.g., retailing and banking) may be more than happy to adapt their delivery systems to integrate a governmental service. In some cases they may even be willing to bear the cost because of the good will it will engender for them. The cost of being a secondary user of someone else's system may be far less than maintaining a stand-alone delivery system.

A number of governments are using the Internet to develop pre-packaged searches, so that people in a particular life situation can get lists of and links to all government agencies they may need to deal with. Finland offers the Citizens Guide, and the Norwegians have developed a sophisticated system that reviews government Web sites and monitors traffic to create a thesaurus of life-event terms.

The power of information technology, especially the Internet, makes this kind of integration increasingly possible. Perhaps if I were setting up my business a few years from now instead of last year, a friendlier government would walk me through the various processes required by the IRS, state corporation and revenue commissions, and local licensing and taxing authorities.

Franklin S. Reeder's report, "Information Technology as an Instrument of Public Management Reform: A Study of Five OECD Countries," can be found online.

]]>

IF It's Overseas, It's Overlooked

Franklin S. Reeder — Fri, 01 Jan 1999 00:00:00 -0500

reeder@erols.com

recently completed a study of the use of information technology in public management reform in several countries for the Organization for Economic Cooperation and Development. As I visited with colleagues in capitals around the world, I gained a renewed appreciation for just how much we have to learn from them. Yet we are so closed to those opportunities.

In country after country, I found innovations that were fundamentally transforming how governments and people interact. In Australia, for example, immigration is a particular challenge, because the nation spans a water-bound continent with few official points of entry. In this era of long-range jumbo jets, Australia has experienced a dramatic growth in passenger arrivals--7.3 million in 1996 and 1997, up from 3.3 million in 1986 and 1987. The nation expects another dramatic increase during the 2000 Summer Olympic Games. The prospect is daunting, since Australia requires visas for all non-citizens entering the country.

To meet the increasing demand, Australia's Department of Immigration and Multicultural Affairs had already instituted administrative measures to reduce processing time to 50 seconds per passenger. But anticipating even more strain on limited facilities, it has set out to further reduce processing time for incoming passengers to 20 seconds per person.

A key element of the strategy is a system known as electronic travel authority, under which passengers are cleared for entry prior to landing in Australia, instead of after they arrive. Passengers can apply for an electronic visa by providing passport, citizenship and other information to their travel agent or airline when booking passage to Australia. Airlines can issue passengers entry cards with relevant information preprinted and encoded onto a magnetic strip. With one swipe, an immigration officer can clear an arriving passenger in 0.5 seconds.

The challenge in the United States is different. We have large land borders and a different philosophy about immigration. Nonetheless, aspects of the system are exciting.

We can learn a great deal from what other countries are doing, but as a nation, we suffer from a heavy case of arrogance. We think that either the U.S. situation is unique or that our foreign counterparts are not as big or clever or modern as we are. We have adopted the concept of benchmarking, but we seldom benchmark against other governments.

When I served on an OECD committee in the early and mid-1990s, I was taken aback at how eager my European, North American and Pacific Rim colleagues were to learn about what other countries were doing. Within their own governments, it was important to be able to compare themselves against OECD norms.

I was hard-pressed to recall any federal government information technology project review that included a discussion of best or innovative practices from other governments. The only exceptions are the direct interconnection between our systems and those of other nations, such as intellectual property (patents and copyrights) and spectrum management.

In the U.S. government, foreign travel is considered suspect. The words "boondoggle" and "junket" come to mind. Over the course of my government career, I entertained hundreds of foreign delegations here to learn the latest about U.S. practices. But U.S. delegations are too rarely sent overseas to visit with their counterparts. To its credit, the General Accounting Office sent a delegation to Australia in the early 1990s to look at performance management, and we are still benefiting from that work.

Although it entails fighting against political tides and long-held prejudices and traditions, here are some innovative ways you can approach challenges in your organization:

Insist that the analysis of options presented to you answers the question: "What are other countries doing?" If someone tells you, "We are unique," you've got a problem.
Tap into existing networks, electronic and otherwise. Good sources for information are Frank McDonough, General Services Administration deputy assistant administrator for intergovernmental solutions, and Jonathan Breul, senior adviser to the Office of Management and Budget's deputy director and U.S. representative to the OECD's Public Management Committee. Find out who represents the United States at major multinational meetings. If you cannot be there, make sure your concerns are on the agenda. Give those who are going lists of people to seek out and information to get.
The Internet has made finding people easier and has certainly allowed for at least limited exchange of information. Use it.
Ultimately, there is no substitute for on-site, bilateral exchanges. Putting out descriptive material about their systems is not, and should not be, most government agencies' highest priority. And even though English is widely used, much of the best information on the Web is often not in English. International travel is not cheap, but it can save you lots of money if you can learn from the mistakes and accomplishments of other nations.

Franklin S. Reeder consults, writes and teaches on information policy and technology issues. ]]>

Investing in Human Capital

Franklin S. Reeder — Tue, 01 Dec 1998 00:00:00 -0500

reeder@erols.com

ight budgets and continuing pressure to reduce or at least limit the growth of the federal workforce make it more critical than ever for managers to invest in developing and enhancing the skills of their staffs. As of the end of fiscal 1997, federal employment was at its lowest level since 1961, and the trend continues downward.

Fiscal pressures will continue to require productivity increases that only more creative use of technology can bring. Despite real differences in the recent bitter budget debate, neither party was arguing for increases in the federal workforce. At the same time, the public expects the kind of user-friendly, around-the-clock service they get from other service providers, from catalog stores to banks. For the public sector manager--or any manager for that matter--decreasing staff resources and growing customer expectations translate into acquiring and keeping a workforce that is far more flexible and can respond to ever-changing technology.

A virtual certainty about the workplace of the future is that the tools will change at an ever-increasing rate. Those who are not constantly refreshing their skills risk becoming obsolete and unemployed. And there is no reason to believe that the leading-edge user of technology will be able to survive without frequent retraining. Indeed, the half-life of each succeeding generation of technology and of the skill sets needed to use it can be expected to continue to decrease.

For the information technology workforce, the challenge is even greater. An IT executive who does not understand the potential (and pitfalls) of the Internet and intranets is of limited value. But for the year 2000 problem, programmers who write COBOL are as useful as coopers and blacksmiths. While there is still a limited market for their services, few organizations can afford to pay for their labor-intensive art.

Funds available for training continue to shrink. Fortunately, the same technology that is creating pressure for more training is also a potential source of training. Technology can help multiply the effects of limited training dollars and help ensure that information your staff gets is current. Technology-based training tools fall into two general categories.

Distance learning. State governments are in the forefront of figuring out how to deliver training to widely scattered populations. Rich, diverse curricula are fairly easy to deliver in densely populated areas, less so in rural, remote areas. Traditional approaches were quite simple--bring the student to the teacher or the teacher to the student. Both are expensive and time-consuming. Today, states are using two-way video to unite geographically dispersed teachers and students. They are creating virtual universities on the Internet to give students access to a range of courses from multiple learning institutions. California, for example,offers an online catalog of 1,700 distance learning courses and 106 electronic academic programs. (See "Government Technology Leadership Awards" on page 39, for more about the California Virtual University.)

The Defense Department, with its widely scattered workforce, has been among the leaders in providing distance learning on the federal level. The Army National Guard has used two-way audiovisual systems to link U.S. based instructors with troops in Europe.

Other agencies have begun long-distance training, as well. The Energy Department's Safeguards and Security Central Training Academy in Albuquerque, N.M., uses satellite-based interactive television to deliver programming to 22 Energy sites and more than 100 sites at other agencies. In December 1996, the Housing and Urban Development Department opened a Washington-based distance learning center for staff and contractors at 56 sites.

Computer-based instruction. For several decades, the education industry has promised us the benefits of programmed instruction--self-paced, computer-based courses. Those promises are finally coming to fruition. The need to retrain and upgrade staff to handle every new software upgrade has forced both software vendors and training technologists to create more sophisticated tools. Virtually every software package now includes a help function and tutorials. A new industry has developed that produces training products that go beyond software-vendor tutorials.

Agencies too are developing computer-based instructional tools and decision-support systems keyed to their unique applications.

Ultimately, today's government executives and managers must make investing in human capital a part of the regular process of managing. That means figuring out what knowledge and skills the organization's employees need or will need, evaluating the current skill sets of the existing workforce and those being recruited, and devising an orderly plan for continually upgrading staff skills. Employee development cannot be a box a manager checks off as part of the annual performance appraisal and then ignores the rest of the year. Worse yet, it must not take the form of rewarding employees by sending them to training conferences if money is left over at the end of the year. Instead, employee development must become an organic part of day-to-day management and strategic planning. A comprehensive, economical development plan cannot ignore the benefits offered by the nontraditional training tools now available.

Franklin S. Reeder consults, writes and teaches on information technology and public management. He has taught at the University of Maryland and The George Washington University and next spring will teach at Syracuse University and the Georgian-American Institute of Public Administration.

]]>

Overseas Overlooked

Franklin S. Reeder — Sun, 01 Nov 1998 00:00:00 -0500

reeder@erols.com

recently completed a study of the use of information technology in public management reform in several countries for the Organization for Economic Cooperation and Development. The findings and conclusions from that work will be the subject of future columns after the report is published, but one thought simply can't wait. As I visited with colleagues in capitals around the world, I gained a renewed appreciation for just how much we have to learn from them. Yet we are so closed to those opportunities.

In country after country, I found exciting, innovative applications of information technology that were fundamentally transforming how governments and people interact. In Australia, for example, immigration is a particular challenge to a nation that spans a water-bound continent with few official points of entry. In this era of long-range jumbo jets, Australia has experienced a dramatic growth in passenger arrivals-7.3 million in 1996 and 1997, up from 3.3 million in 1986 and 1987. The nation expects another dramatic increase during the 2000 Summer Olympic Games and the subsequent rise in tourism. The prospect is daunting, since Australia requires visas for all non-citizens entering the country.

To meet the increasing demand, Australia's Department of Immigration and Multicultural Affairs has already instituted administrative measures to reduce processing time to 50 seconds per passenger. But anticipating even more strain on limited facilities, it has set out to reduce processing time for incoming passengers to 20 seconds per person.

A key element of the strategy is an electronic visa, called an electronic travel authority. The system clears passengers for entry prior to landing in Australia, instead of after they arrive. Passengers can apply for a visa by providing passport, citizenship and other information to their travel agent or airline when booking passage to Australia. Linked to travel agent and airline computers, the Immigration Department can issue an electronic travel authority within seconds.

Before passengers even depart for Australia, airlines can issue passengers entry cards with relevant information preprinted and encoded onto a magnetic strip. With one swipe, an immigration officer can clear an arriving passenger in 0.5 seconds.

Share and Share Alike

Our challenge is different; we have large land borders and a different philosophy about immigration. Nonetheless, features of the system, such as engaging air carriers in the clearance process, are exciting. I trust that the State Department and INS are talking to the Aussies and others, but I do not see evidence of widespread international consultation between U.S. agencies and their foreign counterparts.

As a nation, we suffer from a heavy case of arrogance. We think that either the U.S. situation is unique or that our foreign counterparts are not as big or clever or modern as we are. Therefore, their experiences seem irrelevant.We have adopted the concept of benchmarking, but we seldom benchmark against other governments.

When I served on one of the Organization for Economic Cooperation and Development committees in the early and mid-1990s, I was taken aback at how eager my European, North American and Pacific Rim colleagues were to learn about what each member country was doing. I was hard-pressed to recall any U.S. government information technology project review that included a discussion of best or innovative practices from other governments. The only exceptions are the direct interconnection between our systems and those of other nations, such as intellectual property (patents and copyrights) and spectrum management.

In the U.S. government, foreign travel is considered suspect-the words "boondoggle" and "junket" come to mind. Over the course of my government career, I entertained hundreds of foreign delegations here to learn the latest about U.S. practices. But the thought of sending a U.S. delegation overseas to visit with their counterparts is all too rare. To its credit, the General Accounting Office sent a delegation to Australia in the early 1990s to look at performance management, and we are still benefiting from that work. We grudgingly send people to international meetings, such as those hosted by the OECD, but it is no substitute for visiting countries to learn the realities of their problems. The Europeans and the Japanese figured that out long ago.

It is telling that the U.S. representative to this year's annual 37-nation International Council for Information Technology in Government Administration (ICA) conference in Helsinki, is a non-government organization-the Federation of Government Information Processing Councils. GSA's Office of Governmentwide Policy has tried to gather support for government participation in the ICA and the Government Online project, an initiative by G-8 nations to promote dialogue on the use of information technology in government. But U.S. involvement remains uneven at best.

Break the Boundaries

Although it entails fighting against political tides and long-held prejudices and traditions, here are some innovative ways you can approach challenges in your organization:

Most importantly, insist that the analysis of options presented to you answers the question: "What are other countries doing?"
Tap into existing networks, electronic and otherwise. Good sources for information are Frank McDonough, GSA's deputy assistant administrator of intergovernmental solutions, and Jonathan Breul, senior adviser to the Office of Management and Budget's deputy director and U.S. representative to the OECD's Public Management Committee. Find out who represents the United States at major multinational meetings and how to get your concerns on the agenda.
Ultimately, there is no substitute for on-site, bilateral exchanges. Putting out descriptive material about their systems is not, and should not be, most government agencies' highest priority. International travel is not cheap, but it can save you lots of money if you can learn from the mistakes and accomplishments of other nations.

Franklin S. Reeder consults, writes and teaches on information policy and technology issues. His recent study of "Information Technology as an Instrument of Public Management Reform: A study of five OECD countries" is to be released later this year.

]]>

Watching Big Brother

Franklin S. Reeder — Thu, 01 Oct 1998 00:00:00 -0400

reeder@erols.com

colleague recently recommended a new book, The Transparent Society (Perseus Press), by renowned science fiction author David Brin. The book's thesis is that, as technology gives government the tools to be more intrusive, the best way to protect individual freedom may be to ensure that the same technology is used to give the public access to information about how government operates.

Brin argues that preventing the capturing of information may be akin to trying to put the genie back into the bottle. Instead, he suggests, we should consider using the same kinds of surveillance cameras that are increasingly being used in high-crime areas and busy intersections to observe how government is using such capabilities. He asks: Who's watching what the people behind the cameras are watching?

As a longtime privacy advocate, I find Brin's proposition both jarring and provocative. Brin's work seems to suggest a new way of thinking about the intrusiveness of information technology. Actually it revives and updates basic notions like the concepts of "due process" and the ban on "star chamber" proceedings built into our Constitution.

Government Accountability

The privacy discussion is part of larger debate about how to ensure that government remains accessible and accountable in the electronic age. Although a bit of a cliché, it is worth noting that information technology has the potential both to increase government's capacity to collect information and to make it available to the public. The latter is not, I would contend, an inevitable outcome of the former. Absent concerted action by government policy officials and program managers, it is not obvious that the flow of information will improve as a natural consequence of the existence of the technology.

Despite some policy activity to deal with these issues, the consensus seems to be that ensuring broad, fair access to government information is an unresolved problem. By the time you read this, Congress may be well on the way to enacting the Wendell H. Ford Publications Reform Act (S 2288). The bill would rename the Government Printing Office as the Government Publications Office, would redefine "publication" to include electronic forms of dissemination and give the new GPO broad powers to require that federal government publications be available through the depository library system.

Guiding Principles

As a federal manager, you might ask what this has to do with you. There are at least three reasons why you should pay attention:

1) For the most part, you will be more effective if your constituency understands what you do and how you do it.

2) It is more efficient to have an affirmative dissemination policy than to respond ad hoc to individual inquiries.

3) As a public servant, you have an affirmative obligation to be accountable.

While policymakers formulate their solutions, I suggest some principles that should guide you as you develop your own information strategies.

Equity of access. As you become more creative in the use of technology as an information dissemination tool, beware of disenfranchising those who may not have access to the latest, jazziest technology.
Accessibility. A public official noted for his ability to handle sometimes-adversarial congressional hearings was accused of trying to overwhelm his critics with data. It was said that getting information from him was "like trying to get a drink of water from a fire hydrant." Without the tools to use the information that you make available, more may truly be less.
Privacy vs. openness. Resolving the tension between protecting the rights of individuals and the legitimate interest of society in knowing what its government is doing is not getting easier. The answer in your case will entail some combination of curbing what you collect, limiting what you release and making sure that the subjects of information you collect know and have a say in how information about them is used. You are at greatest risk if you do not consider these issues up front.
Recognizing the role of intermediaries. It may not come as a great surprise that few Americans read the Congressional Record or Federal Register every morning or even visit agency Web sites. The public is more likely to use agency information obtained through secondary sources such as newspapers and journals. Consult intermediaries as you devise your information strategy.
Thinking from the outside in. Put yourself into the role of those who want to know what you know, and think how best to meet their needs. You might even want to set up some formal consultations.

Several years ago, when developing what became the "Commonly Requested Federal Services" on the White House Web site a team from the Vice President's National Performance Review (now the National Partnership for Reinventing Government) visited a shopping mall outside Baltimore to demonstrate the prototype and get reactions. One of the comments they heard most frequently was that individuals were shocked that anyone in government cared enough about their opinions to ask.

Go out and shock people!

Franklin S. Reeder consults on government information technology management and policy issues. He is working on a study on access to governmental information for the Bauman Foundation.

]]>

Who's Hiding Behind that PC?

Franklin S. Reeder — Tue, 01 Sep 1998 00:00:00 -0400

reeder@erols.com

s agencies increasingly use the Internet to offer services and provide personalized information, they face a new challenge: How to ensure that the person at the other end of the transaction is who he or she claims to be. Or to paraphrase that often-cited New Yorker cartoon showing a dog sitting at a PC: "The nice thing about the Internet is that no one knows you're a dog."

Let me betray a strong bias at the outset. The real potential power of the World Wide Web is in its use to deliver services. Users can do real work from their PCs; they're not just one-way outlets for delivering general information like television sets. To realize this potential, agencies must develop truly interactive systems that allow people to get information about themselves and/or submit sometimes sensitive data. As the Social Security Administration learned from its painful experience with public electronic access to the Personal Benefits and Earnings Estimate Statement (See "Ideas for Better Service Worth the Risk," July 1997), two things are required to transmit sensitive data:

The agency must reasonably ensure (note the use of the word "reasonably") that the person to whom sensitive information is disclosed is authorized to receive it.
The public must be confident that using the new technology does not jeopardize personal rights.

Technologists are all over this problem. They have devised some nifty techniques such as digital signatures to identify people and public key encryption to keep information confidential. The system requires several components. At a minimum, there has to be an entity, usually called a certificate authority (CA), that issues electronic ID cards. Think of it as the credit card system. When consumers want to use their credit cards, merchants can check with the credit card companies to make sure the cards are still valid and the holders have not exceeded their credit lines. In the digital signature game, the certificate authority verifies that you are who you claim to be. All of this can happen electronically.

Several models can make this work. Each agency could issue its own certificate. Remember when you had to have a separate credit account with every store in town? This is costly to the service provider, which must set up the entire validation infrastructure, and a real nuisance to the consumer who may have only occasional transactions with an agency. A popular option is to use third parties as certification and authentication authorities, much like the large credit card systems for Visa and MasterCard. Organizations such as banks, telecommunications companies and even the U.S. Postal Service already have infrastructure in place that would make this a logical adjunct to their current business.

The third-party model could use a single authority or a multiple-provider model. Imagine the power of a certificate authority if you had only one ID card and the authority knew every time you engaged in an electronic transaction.

Breaking New Ground

To address the operational need, several agencies have jumped into the fray. Most prominent is ACES (Access Certificates for Electronic Services), a General Services Administration effort to set up a series of contracts with certificate authorities that all federal agencies could use. The consumer probably would not pay for the ID, but the agencies would pay each time they asked for authentication. A key aspect of ACES is multiple certificate authorities, and an individual could have multiple IDs or digital signatures. GSA officials understand that their agency is breaking new ground and, to their credit, have been consulting with interested parties to ensure they fully understand the policy consequences. GSA plans to release a request for proposals in the fall.

The Next Step

Given the turmoil and uncertainty of electronic access and authentication, what is a manager to do?

Keep pushing the envelope. The public expects and deserves a government that is more accessible, and electronic service delivery is a critical component of a more accessible government.
Set up reasonable safeguards. Protect personal privacy and consult with your constituencies to ensure they are comfortable with what you are doing. There are no absolutely secure systems. Safeguards need to be commensurate with the risk and consequent harm of someone's misusing the system. A public that understands the opportunities and risks will be a supportive partner in your endeavor.
Offer choices. Not everyone will have the necessary access to or feel comfortable with using electronic access and digital signatures. Do not inadvertently disenfranchise or disadvantage those who prefer another way of doing business with you. And give customers the choice of having multiple signatures.
Honor anonymity. Not every transaction requires you to know who is asking. A request for a form, for example, should not entail identity verification or any tracking. The existence of identity verification technology does not give you license to demand an electronic strip search of everyone who visits your agency Web site.

Franklin S. Reeder heads The Reeder Group, a Washington-based consulting firm he founded after more than 35 years in government. ]]>

Time for a Desktop Upgrade?

Franklin S. Reeder — Sat, 01 Aug 1998 00:00:00 -0400

reeder@erols.com

very day, managers are confronted by advertisements showing machines more powerful than those on the office desktop at cheaper prices and by users who want to know why their machines in the office are slower than their kids' machines at home. Besides, your information technology folks will want to have the latest and best on everyone's desk.

But how does a manager know when it's really time to upgrade desktop technology?

Over the years, federal agencies have struggled with ways to streamline the acquisition of desktop computers. Some buy them piecemeal or on schedule contracts negotiated by the General Services Administration. For large buyers, the right solution often was large contracts that turn computers into commodities, like the Air Force Desktop contracts.

More recently, agencies have followed industry's lead and are buying what has become known as "seat management," contracting for the hardware, software and support from a single vendor. (See "1001 Ways to Buy PCs," Government Executive, July.) This method of acquisition may help you get a better a deal at purchase time, but it will not answer the technology upgrade question.

As the July article notes, product life cycles are becoming ever shorter. Obsolescence is inevitable. Unless you are prepared to swap out machines several times a year, you will almost always have a machine on your desk that is less capable and was more expensive than you can find today at the local Wal-Mart or Radio Shack.

So how do you decide on the right upgrade cycle for your organization? To demystify the problem, here are some basic principles that apply:

Seat management. If you enter into a seat management contract, you are typically leasing the equipment and buying a bundle of support services that are like a maintenance contract. If you specify a two-year term, the lessor has to recover the purchase price plus interest (minus residual value) in two years. If you can live with a longer replacement cycle, your costs will go down. So while seat management can help smooth the budget bumps by allowing you to pay a fixed, predictable amount each month, it does not answer the upgrade question.
Sunk cost. The fact that new and cheaper technology is available is not in and of itself a reason to replace what you already own. There are only three reasons for replacing a piece of equipment:
1. Functionality-the machine can no longer do the work that needs to be done.

2. Maintainability/reliability-the machine breaks down frequently, and/or support is not available, making the machine unreliable.

3. Economics-the cost of operating the equipment (e.g., maintenance, power, space) or the need to enhance users' productivity justify replacement.
Varying levels of capability. In most organizations, there is no "one size fits all." You likely have high-end users who need fast machines to run complicated models or technology-hungry display software. At the other end, you may even have a few machines available for overflow work that are not connected to your network.
Do not assume that more senior and technical staff should always have first claim to the most sophisticated technology you own. The data entry clerk who spends long hours in front of the VDT may have more need for a larger video screen.
Phased upgrading. That old 100 MHz Pentium machine just replaced on the engineer's desk by a 400 MHz will seem like a screamer to the clerk still laboring with a 386. But running an environment with different levels of technology poses problems.
Configuration management. Especially if you have multiple levels of technology in your office, it is critical to understand the concepts of configuration management. That means, among other things, keeping careful records of, and control over, what is contained on each machine or class of machines and, as appropriate, establishing some notion of version control over both hardware and software. The more models or versions you have, the more complicated it gets.
Lowest common denominator. Running an environment with multiple levels of technology means controlling software releases as well. If every employee is connected to the network and needs access to e-mail and the organization's intranet, then you cannot use software for mail or information dissemination that does not run or runs intolerably slowly on the network's low-end machines. Higher-end users will run more sophisticated stuff, but don't forget the low end.
Budgeting for technology upgrades. It is prudent to build phased replacement of a portion of your desktop technology hardware and software (don't forget software upgrades) into your annual funding plan. That avoids the peaks and valleys that budgeteers and appropriators tend not to like.

Finally, remember that, however frequently you upgrade, the initial capital investment in that $1,000 desktop computer will be small compared to the cost of maintaining and supporting the customer's desktop needs.

So keep looking at the latest turbo-charged, shiny new model in the showroom, but then ask yourself whether you really need all that it has to offer.

Franklin S. Reeder heads The Reeder Group, a Washington-based consulting firm he founded after more than 35 years in government.

]]>

Eighteen Months and Counting

Franklin S. Reeder — Wed, 01 Jul 1998 00:00:00 -0400

reeder@erols.com

e are quite confident that all of our systems are Year 2000 compliant. However, we have more than a two-year backlog of Year 2000 compliance forms to fill out, so according to our scheduling database, you should hear back from us in June 1900."

The quote posted recently on a commercial World Wide Web site as a spoof is cute, but the Y2K issue is no laughing matter. Managers around the world face a serious challenge in preparing for the so-called millennium bug, when systems that have only two digits to designate the year hit 2000 and think it's 1900.

The press is full of articles on the Y2K problem (see "Tick, Tick, Tick" in Government Executive, January), and a growing array of resources is available to help. One particularly useful source is the General Services Administration's "U.S. Federal Government Gateway for Year 2000 Information Directories".

The problem is that managers will relegate this one, like so many other information technology-related issues, to the information technologists, for a number of reasons. It is complicated. And worse yet, if you are successful, nothing happens. You will be noticed only if you fail.

John Koskinen, now assistant to the President for Y2K matters, faces the formidable task of educating a group of people who are essentially in denial-managers. They acknowledge there is a potential problem but don't see it as theirs. Having survived the challenges of being the government "shutdown czar," now Koskinen gets to be the "Y2K czar." But if anyone can carry this off, he can.

Retiree Recall

Most of the publicity has focused on fixing large software systems. Hundreds, perhaps thousands, of retired COBOL programmers are being rousted from retirement in sunnier climes and lured back to the workforce for large sums of money. The Office of Personnel Management even has waived dual compensation restrictions to allow retirees critical to the Y2K solution to be paid federal salaries without losing their pensions.

Agencies are scurrying to identify their mission-critical systems, examine whether they are Y2K compliant and fix them if they are not. This is important work, but in the vernacular of the logician, all of this is necessary but not sufficient to prevent serious problems on Jan. 1, 2000.

The Y2K solution isn't just about hiring old COBOL programmers to rewrite their code, although that is a part of it. In fact, there are some ways to avoid having to employ some of those old programmers.

First, there still may be time to discard some of those systems and replace rather than rewrite them. After your staff has shown you an inventory of systems that need to be modified, ask first which can be scrapped entirely or replaced by a commercial package.

Next, ask whether the staff has explored commercial software products that can dramatically simplify the task of fixing software you cannot replace. When you ask programmers how to fix a problem, they will almost always recommend programming solutions. In the words of the epistemologist Abraham Kaplan: "Give a small boy a hammer, and you will find that everything he encounters needs pounding."

No System Is an Island

If your system shares information with other organizations, your ability to perform 18 months from now will depend on more than just having fixed the programs that run on your computers. Fixes can be of two types: either making sure that your partners are Y2K compliant, or else building filters into your systems, so that when your systems receive an electronic transaction with a date of 1/1/00, they don't tilt.

For federal managers, the issue goes well beyond systems they operate. Many have regulatory or oversight responsibilities for large segments of our economy-banking and credit, energy, transportation, health, manufacturing and trade. While the operation of information systems in those sectors is often (and should be) the responsibility of private industry, federal managers can play an important role in convening the relevant players, sensitizing them to the issues and working on a compliance strategy.

As if your headache were not already acute, the problem goes beyond identifying and replacing non-Y2K-compliant software in systems you or even your partners have built. Over the last two decades, billions of computer chips have been installed in everything from process control systems (like aircraft electronics) to consumer devices such as wristwatches, VCRs and microwave ovens. Some use dates including the year to make important calculations.

Have a plan for dealing with reality when things go wrong. A basic precept of computer security is the notion of prevention, detection and recovery. It is always best to avoid a disaster. But absolute prevention is a myth. So make sure you have early warning systems. They will give you time to react when something goes awry. Also have a recovery strategy to sort out the important from the trivial and train staff to deal with critical cases. Think triage.

We have fewer than 550 days until Y2K day. Do you know where your systems are?

Franklin S. Reeder heads The Reeder Group, a Washington-based consulting firm he founded after more than 35 years in government. His e-mail address is reeder@erols.com.

]]>

IT Managers Missing Their Cue

Franklin S. Reeder — Fri, 01 May 1998 00:00:00 -0400

reeder@erols.com

or years, the information technology community, like Rodney Dangerfield, got no respect. "Get us to the table, and we will show the world what we can do," IT managers pleaded. "Write a law requiring that each agency have a designated senior information resources management official, and things will get better." But the world changed little after enactment of the 1980 Paperwork Reduction Act and the cries continued.

Well, be careful what you wish for. Today, the 1996 Information Technology Management Reform Act, known as the Clinger-Cohen Act, is standing the IT world on its head. It replaced a statutory and regulatory regime based on managing the process of buying and using computers and maximizing competition with a management process based on making a business case for acquiring IT. The law requires agencies to appoint chief information officers and is forcing a capital budgeting view of information technology.

This focus was reinforced by an executive order setting up the CIO Council and by the Office of Management and Budget's Raines Rules, a new set of principles for evaluating IT investments. A new generation of political leadership-most notably, Charles O. Rossotti, the recently appointed IRS commissioner-comes from a background where technology is used as a strategic management tool.

As if the outside pressures weren't enough, the IT community managed to create its own crisis, the year 2000 problem. Because programmers saved computer memory by writing programs that allow only two digits to designate the year, the year 2000 (00 in the computer) will be indistinguishable from 1900. Everything from the banking and credit system to air traffic control could be disrupted unless the computer code is fixed or replaced. (See "Tick, Tick, Tick," January.)

Investing Wisely

Much has been written about the need for more careful scrutiny of information technology investments, and many of us have ideas on how senior managers can do a better job of investing in it wisely-or at least cutting their losses. What is often overlooked in this discussion is the billions of dollars (yes, I said billions) being spent and misspent on IT operations.

According to OMB, the 1998 budget calls for spending $27 billion on IT, or about 6.4 percent of the federal operating budget-up from 4.4 percent in 1988. While there are no reliable numbers on what portion of this money is for new investments, the bulk of it is spent to run the huge information technology apparatus we have built over the last 40 years-everything from the tax system to logistics and payroll.

Clinger-Cohen addresses performance- and results-based management of IT. It requires agencies to benchmark their operations against comparable public- and private-sector processes and organizations. The rhetoric is, not coincidentally, similar to the thrust of the 1993 Government Performance and Results Act.

IT managers will get to the table and senior program managers will have real control if, and only if, they speak the language of the business they are in. ITMRA got it right. Everyone understands the year 2000 problem not as a technical issue but because it could have serious consequences for agencies' ability to deliver needed services. That means IT managers must overcome their fascination with the technology and show how new projects and existing operating budgets contribute to organizational effectiveness. Also, they must focus on the total IT effort, not just the glamorous new systems but also the billions spent annually to keep the existing infrastructure going.

A Ways to Go

I recently had a chance to look at the IT operations at several agencies. Most had sound strategic plans, and their executive summaries said all the right things about the relationship between IT and the agencies' missions. But when you dug into the details, the proposals were simply about technology (e.g. replace the mainframe or upgrade the phones). Worse yet, the budgets were presented in such a way that no manager could figure out the connection between what was being spent and the organization's lines of business. No one in the organizations asked how the spending related to organizational outcomes or how costs compared to other comparable organizations.

Try this test: Ask your CIO the unit cost of anything-processing a payroll, issuing a check, handling a claim. Then ask what other comparable organizations are paying for the same thing. When we asked, we were typically unable to get an answer to the first question-or someone argued that nothing was comparable. That is bogus. There may be good reasons for differences, but you still have to ask the question. What happened in the organizations we surveyed was that the IT folks got what they asked for because senior managers didn't understand and thus were afraid to question or cut.

Clinger-Cohen, GPRA, and the Raines Rules all pose the right questions if managers have the courage and persistence to use them. Even as the fiscal pressures ease ever so slightly, they can't afford not to.

Franklin S. Reeder heads The Reeder Group, a Washington-based consulting firm. He taught project management at the University of Maryland's University College and served as program committee chair for the Government Technology Leadership Institute.

]]>

The Art of Project Management

Franklin S. Reeder — Wed, 01 Apr 1998 00:00:00 -0500

he New Zealand government recently did a study of why large information technology projects fall down. The report reminds us that ours is not the only government struggling with how to deploy technology. Still, despite the concerted efforts of great minds, public and private, we continue to read about large-scale projects that are years late, dramatically over budget and even scuttled after billions of dollars have been spent.

The problem of managing project budgets is so large-by some estimates, as much as a third of our information technology investments is wasted-it has drawn the attention of many experts. While no single article or book has all the answers, there seems to be consensus on several points.

Projects vs. Production

By definition, a project is a one-time effort to build or modify a system, physical or procedural, that often redefines what an organization does every day. Thus, it diverts or competes for resources and management attention normally devoted to producing whatever the organization is set up to do, whether it's building widgets or processing claims.

The skills and tools used to manage operations and production are different from those needed to manage a project. One does not use PERT or GANTT charts to manage a production process, and the concepts of unit cost or production quality control techniques have less application to managing a project. For many executives and organizations, a large project is a once- or twice-in-a-lifetime undertaking that is unfamiliar. Sometimes operations management and project management look similar, but they are fundamentally different. Building 100 identical tract houses is a production process, but building a custom house is a project.

Because a project involves building or modifying a system, something the organization has not done before, it means taking risks. In theory, one can break most projects into tasks that have been done before independently, and then estimate the total cost or time involved. But even if each of the pieces at the smallest level is knowable, what happens when you put them together is not. Managing risk means:

Understanding the probability of an unexpected result.
Putting in place controls that will alert management to problems early.
Having a plan and the will or courage to deal with that contingency.

Maybe the design has to be changed or the objectives redefined or, perish the thought, the project has to be scuttled. This is not as hard as it sounds. Gopal Kapur, head of the Center for Project Management and author of the Seven Deadly Sins of Project Management, describes an elegantly simple technique. At the beginning of a project, devise a system for measuring costs against stages of completion. For example, at week 10, the plan may call for having 45 percent of the resources spent and having 25 percent of the work completed. Then set limits. If variances from the plan at any point exceed those limits, bells and whistles go off and the project stops. In this example, if at week 10 you have spent 55 percent of the money and completed only 15 percent of the work, someone should care.

Rep. Steve Horn, R-Calif., chairman of the Government Reform and Oversight subcommittee on government management, information and technology, has asked why government's $4 billion or $5 billion failures could not have been $4 million or even $400 million. The answers are complex, but key among them are executives who aren't paying attention or are afraid to admit there is a problem. The challenge, if the project is going to fail, is to fail early.

Technology Isn't the Culprit

Few agency problems entail untested technical concepts. The challenge is more often the organizational or physical setting in which the technology is deployed. Many experts agree that most large system failures are due to management's inability to plan and direct resources, including people, toward some organizational objective.

A pitfall of large information technology projects is looking at problems as technology-related rather than management-related, prompting executives to stay away and then rely too heavily on the judgment of technicians. Even when problems are technical, Kapur says, many technical staff believe so strongly in the power of the technology that, like river boat gamblers down to their last chips, they are convinced that the roll of the dice will bring salvation.

However, just because a problem isn't technical doesn't mean it isn't complicated. One size rarely fits all.

Now that federal agencies have gotten past merely automating known processes within existing organizational boundaries for the sake of speed and efficiency, the challenges get harder. Large projects often entail new inter-organizational relationships and profoundly affect the customers.

The concept of socks is universal, but one size or style won't cover the range of feet or weather conditions. The concepts of project management are similarly universal, but the tools and techniques vary depending on size and complexity. Robert Alloway, a member of Horn's staff, says an organization that slavishly follows a standard project management manual is likely to get into big trouble. At a minimum, projects with organizational complexity require substantially more executive direction. Many of the decisions are political, not technical.

One way to size up a project is to rank its size and technical complexity on one axis and the number and range of interested or affected parties on the other. Kapur and Alloway have developed tools to help managers measure complexity. If a project is high on both the substantive and organizational complexity scales, Alloway suggests breaking it up into separate pieces.

Kapur surveyed participants at the Government Technology Leadership Institute, produced late last year by the Brookings Institution, the George Washington University, the National Performance Review, the Senior Executives Association and Government Executive, to measure the level of project management skill and executive support in their organizations. The results were startling. Only 17 percent of those surveyed said IT projects in their organizations had support from and consistent involvement by an executive outside the IT organization; 10 percent said they had none at all. Just 16 percent said their organizations had well-designed project manager skills development programs. Kapur says those percentages are well below what he sees from similar audiences in the private sector.

Kapur says he believes it is tougher to let a project get out of control in the private sector. One reason is that performance measurement information is more readily available and part of the culture. If an investment cannot be shown contributing to sales or production or other set measures, the executive in charge is willing to walk away from the project. The 1993 Government Performance and Results Act holds the hope of creating a measurement culture that will give federal managers the metrics they need to make such hard decisions. Another reason private sector projects are kept in check is keen competition for scarce investment money, Kapur says. If a project is not panning out, other managers are eager to claim the resources for higher return projects.

Less stigma is attached to trying and failing in the private sector, unless one does so repeatedly. I wonder whether the executive who pulled the plug on "New Coke" would have done so had it been a public sector project and he faced an ugly congressional hearing.

Wake-Up Call for Executives

The strong message from Kapur is that large projects most often fail because the responsible senior executive relegates the hard day-to-day work of managing to others. Executives often think that once they have approved a concept and a budget, the project can become someone else's problem. When they see the project officer in the hall, they may ask, "How's it going?" But they really don't want to know.

Managing an IT project is tough, especially in the early stages, which are fraught with bad news or at least uncertainty. That is precisely when senior management attention and support are most needed.

If you see yourself in this picture, you need to get out. There is lots of help out there, but only if you are prepared to invest the time and intellectual energy.

]]>

High-Tech Workplace Hits Home

Franklin S. Reeder — Sun, 01 Mar 1998 00:00:00 -0500

Reeder@erols.com orking from home cuts commuting time, energy costs and pollution. It reduces employer overhead and, perhaps most important, it allows employees greater flexibility in an era when the phrase "family-friendly" is very much in vogue. It has been estimated that as much as 25 percent of the workforce will be working at home at least some of the time by the end of the decade.

In a July 1994 memo to agency heads, President Clinton directed the heads of the Office of Personnel Management and the General Services Administration to "take all necessary steps to support and encourage the expanded implementation of flexible work arrangements," including telecommuting.

Following up two years later, Clinton directed agencies to expand opportunities for telecommuting wherever possible to achieve the goal of 60,000 telecommmuters by 1998 as set by the President's Management Council. This includes telecommuting from home and from satellite locations.

Telecommuting sure sounds like the answer to many of society's challenges, from reducing congestion on overcrowded highways to restoring the quality of family life. But is it? First, let's define terms. Telecommuting refers to everything from working at home full time, to working out of a mobile field office or specially established telecommuting center, to the occasional day spent at home to escape office phones and other interruptions.

The benefits can be substantial. Just think about the long-term implications if commuter traffic were to level off or even diminish in the next century. Technology now gives many workers at home access to virtually all the tools they have at the office. When you are on the other end of a fax, phone or e-mail line, no one needs to know what you are wearing or even where in the world you are.

The range of jobs that can be done outside traditional offices grows almost by the hour.

Perhaps most important, offering employees increased opportunities to be with their families may be essential to competing in the labor market. Especially in the high-tech job market, there is increasing evidence that quality-of-life considerations are as important as pay.

Face to Face

Sounds great so far. But a few words of caution are in order:

Work at home is not always humane and family-friendly. The spouse of the programmer who is constantly getting middle-of-the-night calls may start to wonder whether work at home is really such a good idea. The remedy is fairly simple. Managers need to establish explicit ground rules on what is expected, including work hours and on-call availability.

Not all jobs are suitable for telecommuting. Some jobs require face-to-face contact with customers or colleagues. These positions generally fall into two categories: those where customers require a fixed location for support and those where group interaction is still the most effective way to achieve a result. Electronic mail and voice mail do not communicate nuances and subtleties well. In both cases, technology is coming up with innovations every day, such as inexpensive two-way video. Managers need to reevaluate periodically whether telecommuting has become a viable option.

Telecommuting also raises issues of fairness. In some offices, the jobs most suitable to telecommuting are those done by individuals who work independently. That tends to leave lower-level support staff at the office holding down the fort, which can lead to resentment. There are no simple solutions, but care must be taken not to polarize the workforce.

Building and maintaining office culture and values is more difficult. Those who work at home often complain that they miss the conversation around the coffee pot at the office. This is a metaphor for a problem larger than social isolation.

Teams are built not just through formal communications and interactions but through daily, casual contact. That is lost when the workforce is fragmented. Managers need to devise substitutes for the support and communications systems that daily contact in the office now provides.

Watching Results, Not the Clock

New management tools and styles are needed. The old techniques of management by surveillance no longer work. Telecommuting forces us to think about managing performance by results, not by the clock. Sounds a bit like the gospel of the Government Performance and Results Act. In some cases it is easy. For field inspectors or computer programmers, we already have well-established metrics for assessing performance.

Even when results are easily measured, it is often a matter of changing the mind-set of managers who grew up in a world of regimented command-and-control management. Despite a sincere commitment to change, they are uncomfortable leading an invisible workforce. Telecommuting forces a different conversation about performance that does not begin (and often end) with whether you showed up for work on time.

That a growing portion of the workforce will work outside the traditional office setting is both inevitable and desirable. Making that happen sensibly will require care.

Franklin S. Reeder heads The Reeder Group, a Washington-based consulting firm he founded after more than 35 years in government.

]]>