Government Executive - Authors - Heather Greenfield

Technology associations move to merge operations

Heather Greenfield — Tue, 22 Jan 2008 00:00:00 -0500

Two technology trade associations are taking steps to consolidate their membership rolls, programs and offices after a merger was approved by their boards of directors.

The boards of the Information Technology Association of America and the Government Electronics and Information Technology Association approved the merger Friday afternoon after months of talks.

The staffs of both groups, including the CEOs and the boards, will be consolidated as an initial step before all the paperwork is complete April 1. GEIA Chief Executive Dan Heinemeier said he does not expect to "see much in the way of layoffs."

ITAA has 14 board members, and GEIA has 70. GEIA's 11-member executive committee and three additional board members will join with ITAA's 14 existing board members for a new 28-member board.

Heinemeier will become executive vice president and chief operating officer of ITAA and still lead the annual Standards and Market Forecasting report. ITAA Chief Executive Phil Bond will be CEO of the new group.

"It will be a good balance of both our strengths," Heinemeier said. "Phil is an outstanding CEO and I've been running tech associations for years." Before GEIA, which Heinemeier has led since 1999, he was vice president of the Electronic Industries Alliance.

GEIA has 110 members and ITAA has 300. When the overlap in firms is subtracted, the new group will represent nearly 400 companies.

"Our industry is very excited," Heinemeier said. "What we're trying to do is build an industry association that has much more weight in Washington, hopefully more influence in town than the two of us had separately."

ITAA has been active in government procurement, cyber security and software assurance. GEIA has been a voice on the research and development tax credit and export controls, and is known for its annual forecast report that takes a 10-year look at the government defense budget and five-year look at the federal information technology budget.

Bond said that as ITAA works on its mission to represent members from the state to the national and international levels, with GEIA as a partner, the forecasting reports now could be expanded to the state level.

He said overall the merger fits ITAA's mission of representing tech companies from the grassroots to globally. "This dramatically increases our position in the national space," Bond said.

As for the logistical issues like office space, GEIA will move from its Arlington, Va., office to ITAA's nearby headquarters in the city. ITAA has been renting its extra space, while GEIA has been leasing space in the building it used to own as a member of EIA.

EIA sold that building late last month for about $30 million. GEIA will split the proceeds of that sale with four other tech associations that were founding members of EIA.

Bond, who has long advocated more consolidation of tech groups in Washington, said the merger helps "show the government where to go in terms of getting industry input."

"The industry would benefit from more consolidation and I believe there will be more," he added.

]]>

National labs need vision and money, official says

Heather Greenfield — Tue, 15 Jan 2008 00:00:00 -0500

Scientists at national laboratories will be critical to post-Cold War national security solutions, but they need a clearer vision and financial commitment from the government, according to the director of the Los Alamos National Laboratory.

Lab Director Michael Anastasio spoke Tuesday to scientists and reporters at the Woodrow Wilson Center about the security challenges of the 21st century.

Anastasio said more than a half-century ago, Los Alamos headed the president's call to make sure the United States had a safe, reliable nuclear deterrent. Since then, research at national labs on pathogens like anthrax led to the understanding to build anthrax detectors, which Anastasio said were deployed when anthrax was discovered in a letter delivered to Congress.

He said other technology that national scientists were developing was deployed after the Sept. 11, 2001, terrorist attacks, but he did not offer specifics.

Anastasio said the security challenges today, as the nation becomes more dependent on information, include information technology and cyber security, and scientists have a role to play in combating cyber terrorism. But he cautioned that waning leadership and financial commitment to the national labs is a problem.

In response to a question, Anastasio said the scientists no will longer work on the Reliable Replacement Warhead program, as Congress zeroed out funding in recent budget negotiations. "We don't have a consensus on what we're doing and where we're trying to go, so unfortunately a decision by an Appropriations Committee is setting policy," he said.

Anastasio said government investment in physical sciences as a percentage of gross domestic product is "barely half what it was 30 years ago." "We can't continually eat our seed corn and reap the benefits of past investments."

He offered a prescription to rebuild the partnership between government policymakers and the science community that first asked for a vision from the highest levels of government on what the priorities are. Next, he said a structure must be in place to implement that vision.

Anastasio asked if scientists should tackle the issue of dependence on foreign oil, terrorists attacking the United States or a combination, for example.

Finally, a sustained investment in science, especially longer-term, higher-risk projects, is needed. "It's got to be an investment that spans discovery to applied science," he said. In non-scientific terms, that means funding that would not stop before a useful product is actually developed.

When pressed for details on how the government and scientific community should develop a science security plan for the next century, he said it should neither be a top-down dictate from an administration nor a "bottoms-up" approach from committees of scientists.

Anastasio advocated a model akin to the Cold War era, where policymakers would decide security goals and then trust and fund scientists to develop solutions to meet those goals.

"If policymakers, government and the science and technology community come together and meet this challenge," he said, "they can meet the national security needs now and in the future."

]]>

Government urged to standardize data encryption standards

Heather Greenfield — Fri, 11 Jan 2008 00:00:00 -0500

Some people are hoping the new year brings a new level of agreement on encryption standards used by federal agencies. Vendors are awaiting a request for proposals from the Homeland Security Department on encryption standards.

Encryption is seen by many as a way federal agencies can better protect sensitive data, but the existence of so many types of encryption and services has meant that the purpose and ability to read them can easily get lost.

"It's like one hand clapping," said Jim Russell with Symantec's public-sector education department. "We need one single encryption tool that incorporates multiple vendors."

He will be both advocating and applauding any movement toward encryption standards, but it could be a slow process.

Chief information officers, including Vance Hitch at the Justice Department, have said complying with directives by the White House Office and Management and Budget to encrypt all sensitive data leaving his department is a challenge because of differences among federal agencies, which currently use competing software and vendors.

At security conferences last fall, federal CIOs said the problem is that when employees see encryption or other security steps as too slow or too much of an obstacle to doing their jobs, they become more likely to break the rules.

The Government Accountability Office repeatedly has criticized federal entities, including the Internal Revenue Service in a report this week, for not following their own rules that require sensitive data to be encrypted.

GAO praised the IRS for better controlling user IDs on critical servers, building security into new applications and encrypting data. But the watchdog also found that the agency didn't always enforce password management or encrypt sensitive data.

A main reason that about 70 percent of the cyber-security upgrades remain undone is that the IRS is part way through implementing an agency-wide security program, according to the report. The fiscal 2008 budget provides $267 million for the upgrades.

On another security front, GAO has recommended Homeland Security do a better job securing online electric-control systems and sharing vulnerabilities of the systems. Additional steps may be around the corner for that.

Because private companies control the power grid, Homeland Security has been relying on the Federal Energy Regulatory Commission to recommend how to better protect the power grid from cyber attacks. FERC in turn has relied on voluntary standards developed by the Northern American Electric Reliability Corporation.

NAERC issued a report on its latest guidelines this week and is requesting comments. But at a hearing last fall, Rep. Al Green, D-Texas, wanted something with teeth. He has asked FERC's new director, Joseph McClelland, to determine whether FERC needs Congress to grant legal authority to mandate that electric companies implement best cyber-security practices.

McClelland told the House Homeland Security cyber-security panel that he does not think FERC has any enforcement authority over private companies on the matter.

]]>

New rules curb but don't end R&D earmarks

Heather Greenfield — Tue, 08 Jan 2008 00:00:00 -0500

While new transparency rules passed by Congress nearly a year ago make it easier than ever to track earmarks in the budget bills Congress passed before leaving town last month, they didn't end the practice.

The numbers show $939 million in research and development earmarks in the fiscal 2008 omnibus budget bill, which did not include defense spending. Earmarks are defined as money an agency or department didn't request that is reserved by a member of Congress for a particular project, typically in his or her district.

While fiscal 2007 saw a virtual moratorium on earmarks because Congress cleared a stopgap budget rather than traditional spending bills, the fiscal 2008 numbers show Congress did live up to its promise to curb R&D earmarks.

The number had climbed to $1.5 billion in fiscal 2006 for federal budgets excluding the Defense Department. The Defense Department had the most earmarks for fiscal 2008, $3.5 billion of the $77.8 billion in R&D funding that passed as part of a separate budget bill. In the measure covering the other departments and agencies, the biggest R&D earmarks were found in the Agriculture and Energy departments.

Energy's science office made it through the appropriations process with a 5 percent R&D spending increase. Of that, 2.6 percent was earmarked.

Kei Koizumi, a researcher with the American Association for the Advancement of Science, said it is difficult to pinpoint the impact of scientific earmarks because it is unknown what projects may have received funding in a competitive grant process.

But he said it's not unreasonable to deduce that if earmarks were curbed, several key projects including ITER, an international fusion energy project, could have been funded as promised. The International Linear Collider, seen as the centerpiece of high-energy physics and key to radiation in cancer treatment, was another victim of budget cuts.

Mike Lubell of the American Physical Society said his group has been trying to alert Congress that cuts in funding for those projects and reductions in money for labs researching synchrotron light sources will result in both industry and scientists moving more R&D overseas. He said the damages could be mitigated with $300 million in funding that could have been shaved from overall R&D earmarks.

"I cannot fault members of Congress," Lubell said. "The [academic] community itself is the culprit. Members do what they're asked to do."

There have been rumors for years that R&D earmarks were growing out of control, so Koizumi did what any scientist would do -- quantify it with charts and graphs. They have shown a steady rise in earmarks from fiscal 2002 to fiscal 2006.

New this year, thanks to the disclosure rules, is a state-by-state breakdown of which congressional districts are receiving the earmarks. The leading states with R&D earmarks are California, Mississippi, Pennsylvania, Hawaii and Florida.

"It's always been the case that the most populous states and those with key appropriations cardinals would get the most earmarks," Koizumi said, referring to the lawmakers who head the Appropriations subcommittees. Only now there is more consistent data to illustrate the theory.

"It's been an interesting exercise," he said. "The policy implications are still unclear."

]]>

High-tech visa debate comes to Congress via 'blue cards'

Heather Greenfield — Mon, 03 Dec 2007 00:00:00 -0500

To highlight the problems that high--tech workers face getting green cards, all members of Congress now have "blue cards." The Compete America coalition has been distributing the cards to lawmakers during meetings, one of several industry lobbying efforts on competitiveness issues in the last few weeks of the year.

On one side, the cards highlight Europe's blue-card immigration provisions, which allow highly educated workers to apply for renewable two-year visas. The European visas take just one or two months to process.

On the flip side, lawmakers are given a summary of the U.S. green-card system that the European Union is targeting to lure high-tech workers. The lobbying cards note that there are not enough green cards for highly skilled workers who want to work in the United States, and the wait time is five to 10 years.

"The highly educated will just have to wait," the cards say.

Robert Hoffman, a co-chairman of Compete America and a lobbyist for Oracle, said the hope is that lawmakers can easily share the information on the cards with their colleagues. So far, the feedback has been good, with sympathetic lawmakers saying the cards help make the case.

Compete America also sent a letter to House and Senate leaders, urging them to address H-1B visas and green cards for highly skilled workers this year. "At a time when other nations are aggressively taking steps to improve their own competitive position, the United States is failing to do so by sustaining a highly-skilled visa system that turns away future innovators," they wrote.

Broad immigration legislation stalled in the Senate earlier this year, but there is fairly widespread support on Capitol Hill among Democrats and Republicans for a visa fix for highly skilled workers. Republicans in the high-tech caucus sent a letter to House Speaker Nancy Pelosi, D-Calif., advocating a list of competitiveness provisions they want to help pass this year. Green cards for highly skilled workers and H-1Bs are on the list.

Hoffman said there is growing recognition that human capital is a major driver of the economy, and that idea is being cited by presidential candidates like Democrat Barack Obama and Republican Mitt Romney. Even former Federal Reserve Board chief Alan Greenspan mentioned the issue in the opening chapter of his recent biography.

With immigration a controversial issue on Capitol Hill, there are lawmakers who would like to separate H-1B visas and green cards for highly skilled workers. The problem is that is only one of several short-term fixes like visas for agriculture workers that are being discussed.

Hoffman said the challenge is drafting a bill that addresses all the issues up for short-term fixes that still maintains bipartisan support, and then finding a legislative vehicle to move it.

"As long as Congress is in session and they're talking to us," Hoffman said, he sees reason to remain optimistic about action on green cards this year.

]]>

DHS driver’s license rules may come sooner than required

Heather Greenfield — Thu, 29 Nov 2007 00:00:00 -0500

Darrell Williams said OMB officially received the rules Tuesday and has 90 days to respond and another 60 days before the rules could be implemented.

Williams said Homeland Security has worked closely with OMB to show the changes made in response to 21,000 comments from states. He said because the department essentially did a lot of the homework, OMB may finish its review in less than 90 days.

Williams said the 21,000 comments from states included substantive complaints about the cost of implementing the program in less than four years.

Marshall Rickert, a former leader of the American Association of Motor Vehicle Administrators, said the problem is that most of the adult U.S. population would have to visit state Department of Motor Vehicle offices to get new licenses within three-and-a-half years, and the infrastructure to handle that does not exist.

The normal cycle to replace a driver's license in person varies among states from five to 10 years. Rickert said motor-vehicle administrators have heard that the new deadlines "will be linked to the regular cycles, so the biggest cost-driver is gone."

Rickert said original estimates of state costs to comply with the largely unfunded federal REAL ID mandate were as high as $11.5 billion, with driver's license fees for customers as high as $150. He said the biggest cost would be building offices to accommodate customers.

"We really took the comments seriously and then looked at the latitude DHS had to make changes," Williams said. But he declined to confirm what the final rule would be on that issue.

He did answer some questions that technology executives had over how and when the states would be looking to contractors to help implement REAL ID.

Williams said Homeland Security compliance audits likely would be done by outside contractors, and Rickert added that innovators could help states regain productivity lost by offices having to deal with customers in person instead of online.

In 2006, Congress approved $40 million to help offset state costs for REAL ID, and more funding is up for a vote this year. So far, $7 million has been allocated to a pilot project in Kentucky that electronically verifies vital records.

Williams said he is working with OMB "to detach release of funding to release of the bill." He said if that happens, he expects states would have access to funds before Christmas. He did caution that there are groups lobbying Congress to remove the $50 million for REAL ID now attached to a military operations appropriations bill.

]]>

Public, private sectors differ on 'green' efforts

Heather Greenfield — Tue, 20 Nov 2007 00:00:00 -0500

Information technology workers and managers in the public sector place a slightly higher priority on switching to environmentally friendly data centers than the private sector but face more obstacles taking action, according to a new survey.

The online survey by Symantec also found that government managers have more knowledge of the concept of energy-efficient data centers. Eighty-two percent were very or somewhat familiar with the concept, compared with 75 percent of private-sector managers.

"The U.S. public sector largely does not have green polices, but we did find they are knowledgeable about what's happening," said Sean Derrington, director of storage management for Symantec.

Some 59 percent of public-sector organizations told Symantec they do not have "green" policies, and neither do 37 percent of private-sector organizations.

Money is a factor because while government managers may have the same average of 14 to 15 data centers as their private-sector counterparts, they say their overall budgets average $59 million, compared with $70 million in the private sector.

The survey found that 45 percent of government managers said switching to more energy-efficient data centers is a high priority. Eight percent called it a critical priority, and 23 percent rated it a moderate priority.

The biggest reason to switch to green data centers for those in the public sector is increasing energy efficiency. Fifty-three percent cited that reason, compared with 27 percent who said reducing hazardous chemicals is the motivation.

The numbers were slightly different than for the private sector. There, 50 percent said energy efficiency is the chief reason, and 36 percent cited hazardous chemicals.

But priorities and reasons aside, Derrington said the biggest difference between the public and private sectors is implementation. The survey found that 4 percent of public-sector organizations are implementing green data centers, and another 6 percent have just begun the process. Private-sector organizations report that 12 percent are switching to green data centers, and another 14 percent are just beginning to do it.

In the public sector, 45 percent are discussing the switch, but 37 percent said it is not being considered. "There's a difference in planning and discussing and actually doing something about that," Derrington said.

Derrington said the public sector may have a harder time justifying the investment.

Ways to go green include server consolidation and server virtualization, which means running multiple applications on a single platform.

The survey showed that government data-center managers are taking various approaches, but server consolidation is the most popular, with 71 percent identifying that as what they are trying. Server virtualization is next, used by 69 percent of those surveyed, and replacing old equipment with more energy-efficient models is the strategy for 57 percent.

Derrington said sometimes it is tough for organizations to consider server consolidation depending on how they depreciate the equipment for accounting purposes.

]]>

IT security officials share concerns

Heather Greenfield — Tue, 30 Oct 2007 00:00:00 -0400

Patrick Howard, CISO for the Housing and Urban Development Department, said as more improvements are made to secure the perimeters of systems, he worries about more attacks through applications -- especially Web applications.

"That concerns me mainly because of the push to e-government," Howard said. "Applications give a ready avenue to our data." He said in the rush to make information out, holes are built in and there is inadequate testing.

"You can't just patch this; this is custom code we're talking about," Howard said.

Both Joe Gerrity, CISO for the Securities and Exchange Commission, and Michael Castagna, CISO for the Commerce Department, mentioned that the increasing need to share information electronically has created additional security issues.

"The need to know has shifted to the need to share," Gerrity said. "We tend to trust everyone on the inside and no one on the outside."

He said mechanisms are needed to better evaluate outside risks. He also is worried about people inside sharing information with those who seem like they are part of the data-sharing group.

Castagna said risks increase as organizational boundary lines get blurred. He said attackers would find an easy target by attacking at that blurred line as responsibility is blurred, too.

Patricia Titus, the Transportation Security Administration's CISO, said she is concerned about quantum computing that could "break encryption and all the things we're doing now protect data."

Later she noted obstacles to security because of the need to interact with outside entities and contractors, saying it is not realistic to issue government laptops to all of them. "I'd love it if corporations followed FISMA [the Federal Information Security Management Act] like we do," Titus said.

Treasury Department CISO Edward Roback said the threats to privacy and data that exist because of the declining cost of storage is a growing problem that makes his list.

He also is concerned about security impact of "outsourcing and outshoring" jobs. "It's continuing. It's accelerating," Roback said. "It's buried in software and in hardware customer service."

But his biggest worry, he said, is "the internal competency of people" He said it is a challenge to ensure that employees maintain competency in a world of outsourcing.

CISOs also shared ideas for how to get funding from their agencies to make security improvements. Roback said the good part of data-security breaches is they "focus the attention of senior management.

Titus advised others to present security investments to their bosses in terms of the cost of recovery from security breaches. "You really have to take your tech security hat off and put your business hat on," Titus said.

Howard said it helps to build cyber-security improvements into existing modernization efforts -- rather than a stand-alone budget item.

]]>

White House official explains climate change edits

Heather Greenfield — Mon, 29 Oct 2007 00:00:00 -0400

The explanation to the media comes before Monday evening's deadline to deliver the original testimony and an explanation to the House Science Committee, which is investigating examples of scientists being censored.

White House Office of Science and Technology Policy Director John Marburger said he decided to explain changes to the testimony of CDC Director Julie Gerberding because of recent "reports and press statements that have alleged or insinuated that OSTP acted inappropriately."

"The OSTP comments did not seek to redact sections of the report, but instead made a number of substantive and constructive comments and suggestions to ensure the testimony accurately represented the state of climate science," Marburger said. He added that his office takes its role in evaluating the scientific accuracy of administration documents seriously.

Gerberding was supposed to testify on the impact that climate change could have on human health. Marburger said the OSTP climate science experts who reviewed the draft testimony thought "there was an overall lack of precision" in details about "the specific nature of some climate change impacts on human health."

Marburger said that based on a report by the U.N. Intergovernmental Panel on Climate Change, his scientists felt it was not possible to offer testimony on some points because those studies were global rather than on the specific geographic area of the United States.

A spokeswoman for the House Science Committee, Alisha Prather, declined to say how investigators learned the testimony underwent some heavy editing. But she said scientific integrity has been an issue that House Science and Technology Committee Chairman Bart Gordon, D-Tenn., has been investigating for several years now.

Sen. Barbara Boxer, D-Calif., who chairs the Senate Environment and Public Works Committee, said OSTP cut the testimony from 12 to six pages, and examples of climate change impacts on health were mostly deleted.

Marburger acknowledged that references to food-supply shortages, mental health challenges, and frequent hurricanes and other weather extremes as a result of climate change were altered. He said the U.N. report just links global warming to more severe hurricanes, not more frequent ones.

"When Congress calls a witness to testify, we expect the witness to testify based on the truth as the witness knows it, not what a higher-up tells the witness is true," said North Carolina Democrat Brad Miller, who chairs the House Science Investigations and Oversight Subcommittee "My advice to any administration witness is if you're convicted of contempt of Congress, obstruction of justice or perjury, Dr. Marburger will not serve your sentence for you."

Gordon said what he is seeing makes him inclined to reintroduce his legislation aimed at ensuring scientific integrity.

Rep. James Sensenbrenner of Wisconsin, the top Republican on Miller's subcommittee, criticized Miller and Gordon for investigating the matter, saying Gerberding was happy with the testimony.

]]>

Survey finds gap between perceived and actual IT security

Heather Greenfield — Mon, 01 Oct 2007 00:00:00 -0400

A McAfee survey found that 93 percent of people surveyed believe they have virus protection on their computers, but 48 percent have expired anti-virus programs. Another 61 percent think they have protection against unsolicited commercial e-mails, and computer checks showed that 21 percent did. Just 12 percent had software to combat "phishing" scams that use phony e-mails and Web sites, even though 27 percent thought they did.

"What we learned from the study is we've done a good job increasing awareness," said Bari Abdul, the vice president of consumer marketing for McAfee. But he said consumers need to better understand their real levels of protection and the threats their computers face.

Panelists at a national security awareness summit on Monday said the issue is important because weak security -- whether it's a person, business or government agency -- can affect everyone. Greg Garcia, the cyber security "czar" for the Homeland Security Department, said each person must take "reasonable precautions" to protect their corner of cyberspace.

A survey of business leaders released by the Business Roundtable showed that the private sector, which controls 80 percent of the nation's critical infrastructure, is not fully prepared for cyber threats, either. Tom Lehner, a security policy director at the group, said businesses are not fully aware of their dependence on the Internet, and they could use better real-time information on threats and analysis on trends that could grow into bigger threats.

The U.S. Computer Emergency Readiness Team had 37,000 reports of security incidents last year, compared with 24,000 the year before. Michael Witt, the deputy director of CERT, said 1 million users are now receiving CERT alerts as they are released. He also warned executives that their corporations are "highly likely" to be involved in some type of incident.

Witt said one problem is how little some businesses spend on security. He also said in some cases equipment is so old that data patches are not available for security fixes.

Garcia said the jump in security incidents for CERT shows an increase in both attacks and reporting, and the numbers will not grow smaller. He added that better cyber security is "something we can't afford not to do."

"It's vital to national security, public safety and economic prosperity," Garcia said.

Richard Pethia, the director of CERT's software engineering institute at Carnegie Mellon University, said CERT offers 400,000 hours in online security training in bite-sized packages. He said cyber crime is growing because the Internet has boosted productivity for the bad guys, too. "It makes them more efficient," Pethia said.

He said another big problem is that the Justice Department does not have enough online forensic investigators to bring charges against cyber criminals. "A lot of cases are being thrown out of court because the government can't do the investigation fast enough," Pethia said.

]]>

MoveOn raises money for ads as furor continues

Heather Greenfield — Mon, 24 Sep 2007 00:00:00 -0400

The ad focuses on last week's vote on the amendment from Sen. James Webb, D-Va. The ad says Republicans "turned their backs" on soldiers fighting the Iraq war and accuses Senate Minority Leader Mitch McConnell of Kentucky and other Republicans of betraying soldiers.

In an e-mail to supporters, MoveOn Executive Director Eli Pariser offered members a link to the ad, which will air on CNN and in Kentucky.

The TV ads on the theme of betrayal are just the latest in a controversy that started this month when MoveOn ran a full-page New York Times ad the day Army Gen. David Petraeus, the U.S. commander in Iraq, gave Congress an update on the war's progress.

That ad has generated headlines for two weeks, and on Sunday, MoveOn announced that is has sent the Times a check for nearly $80,000 after the Times' ombudsman said the group was inadvertently given a steeply discounted ad rate. MoveOn called on Republican presidential candidate Rudy Giuliani, who ran a rebuttal ad and received the same discount, to pay up, too.

Last week, President Bush called the headline of MoveOn's ad in the Times "disgusting." It suggested that Petraeus has betrayed the country by not providing a true assessment on the situation in Iraq. The Senate also denounced MoveOn's ad in a 72-25 vote.

The ad, however, has been a financial boon to MoveOn. Pariser said the same day that Bush made his statement, MoveOn raised $500,000 to expand its ad buy.

But Republicans may have gained some political capital by dividing Democrats. Liberal bloggers say the fallout for Democrats who condemned MoveOn is not over. "The simple fact is that we were just stomped on and thrown under the bus," said Mike Stark, a diarist at Daily Kos.

Stark has proposed a donation strike against Democrats who turn against liberal policies. He has registered the domain names NotOneRedCent.com and WeAreYourBase.com to drive progressive dollars away from the general Democratic Party and toward his sites or BlogPac, an organization that raises funds for liberal causes. Stark is the activist director of BlogPac.

Democratic presidential candidates are facing criticism for their responses to the MoveOn ad. Sen. Barack Obama of Illinois voted for a competing Democratic resolution that condemns personal attacks but does not specifically mention MoveOn. He declined to vote an hour later on the GOP-backed resolution against MoveOn.

"Obama ducked the vote," said Ian Welch of The Huffington Post. "Frankly that's exactly what I expect from Obama. He doesn't like making hard choices or fighting."

Sen. Hillary Clinton of New York initially drew praise for voting "no" on the MoveOn resolution. But in a later television appearance, Clinton emphasized that she voted for the Democratic resolution, which she saw as a condemnation of MoveOn's ad and others like it.

]]>

OMB technology official defends new security requirements

Heather Greenfield — Thu, 20 Sep 2007 00:00:00 -0400

Karen Evans, the e-government chief at the White House Office of Management and Budget said: "What we have today is utter chaos. We're not very secure."

She said the goal of the so-called Security Content Automation Protocol is for the Agriculture Department to use the same IT configuration as the Justice Department, for example, and for federal entities to be able to verify security claims made by vendors.

"If a vendor has chosen not to do this, you are not supposed to buy that software," Evans said. But she said she realized there would be a transition period and there would need to be a way to grant deviations by completing waivers.

Evans said federal information security officers need to know the baselines of current systems and constantly evaluate them so that when new hardware or software arrives, they know whether it works. She said another goal is to force IT departments to methodically ask whether it is necessary to run each software package or whether it is just convenient.

Evans said part of the reason federal computer systems are so vulnerable is that they have "allowed 1,000 flowers to bloom."

"We've drawn a line in the sand," Evans said, adding that if the Defense Department can make changes anyone can.

She denied that the new security requirements are geared toward cutting anyone out of any business or requiring all departments to convert to Microsoft operating systems.

Matt Barrett, a computer scientist at NIST, said there are 135 different configurations in federal IT systems now.

Evans said she has heard the argument that federal agencies would be more vulnerable to security attacks under just one system because everyone, including the bad guys, knows what the configuration is and OMB has been transparent about it. She said that argument and the one that systems would be more secure with one configuration are like "two religious camps."

She said her beliefs tend toward one system because with the chaos she sees in the current system, it is difficult for information security officers to easily know how many Internet access points they have. "Those are the vulnerabilities and the risks that when we're all interconnected we have to know," Evans said.

Evans said some people think mandating one system is an unfunded mandate from OMB and that the minute systems switch to meet the requirements, there will be breakdowns. She acknowledged both points.

But she further argued that because citizens have to give federal agencies lots of personal information, "we owe it to them" to get a better handle on security vulnerabilities.

She also offered an incentive, saying that departments will be able to keep any cost savings from greater efficiency to put into other programs like security or tracking the use of personally identifiable information.

]]>

Quiet end to technology agency lamented

Heather Greenfield — Mon, 17 Sep 2007 00:00:00 -0400

The law does not specifically outline the closing of the Technology Administration as of Sept. 30, so it passed under the radar of many people who closely follow competitiveness issues. Clues can be found in language transferring some issues from the undersecretary leading TA back to the Commerce secretary, and in a section creating the President's Council on Competitiveness, which was mentioned in the president's budget as a replacement to TA.

Since the 1980s, TA has served as one-stop shopping for tech companies dealing with federal agencies on competitiveness issues. The first assistant secretary was Deborah Wince-Smith, who served from 1989-1993. She helped shape the department into the place to understand emerging trends, implications for the high-tech industry and how to make the most of them.

Wince-Smith, who now leads the Council on Competitiveness, said the issues of competing with Japan when she led the agency exist today, but now the competition is from countries like China or India. "I'm very sorry to see the Technology Administration being phased out," she said. "I think it's a mistake."

Phil Bond, the CEO of the Information Technology Association of America, and Kelly Carnes, CEO of TechVision 21, previously headed TA and lobbied to save it. In a letter to the Senate Commerce Committee in January, they said it does not make sense to cut funding in this area as other countries gain competitive ground.

Commerce Undersecretary Robert Cresanti, who now leads TA, said there was a perception that TA's mission overlapped into other programs. He took the job leading the embattled institution in March 2006 when the agency already been targeted for elimination.

Still, he set to work launching a study on barriers to nanotechnology innovation, encouraging Europe not to regulate radio-frequency identification technology beyond existing privacy laws, advocating businesses to pay more attention to security as a resiliency issue, and serving on the president's identity-theft task force.

Cresanti calls it "an interesting and exciting time" and hopes to publish a joint study with the Patent and Trademark Office before he leaves TA at the end of September. The study will map patent activity geographically in particular fields as an indicator of the next technology boom.

Cresanti knew the TA's days were likely numbered but did not anticipate how quickly the president would sign the legislation closing the office and creating the council.

"They made the best decision they could with the budget constraints," Cresanti said in an interview with Technology Daily. "We got a lot of really great work done. I'm hopeful it will be a legacy for the folks that take over afterward."

He will spend the next few weeks transferring projects to other sections of the Commerce Department and doing all he can to make the council "the best it can be."

]]>

Bush signs lobbying, ethics reform package

Heather Greenfield — Fri, 14 Sep 2007 00:00:00 -0400

The legislation, S. 1, aims to shed light on some practices by requiring online disclosure. Lobbyists who bundle campaign contributions for candidates and senators who request earmarks would be disclosed in an online database.

It was the first measure the Democrats debated when they took congressional power in January, and the Senate passed the final legislation 83-14 just before leaving town in August.

"A great day it is indeed," House Speaker Nancy Pelosi said. "Democrats in Washington are draining the swamp to make this the most honest Congress in history."

There was some concern that Bush might "pocket veto" the measure by simply not signing it during the August break because he wants stronger earmark reforms, so Congress delayed sending the bill to Bush. Congress passed the measure by wide margins and could have overridden a traditional veto. They sent the measure to the president Sept. 4.

Some observers, including Citizens Against Government Waste, complained that the bill was softened over the summer. The original Senate-passed version would have prevented the House and Senate from going to conference on bills without advance disclosure of all earmarks.

CAGW said the final version would require a searchable database of earmarks only "if practicable," and the Senate majority leader and certain committee chairmen would decide if the requirement has been met. The group further said lawmakers could benefit financially themselves from earmarks -- as long as they can show others in their districts would benefit, too.

Sen. Russ Feingold, D-Wis., defended the bill, telling critics that the changes really would make it "landmark legislation."

"This is a very strong and very comprehensive bill," Feingold said. "It makes significant changes and will make a big difference."

Feingold and Sen. Barack Obama, D-Ill., co-sponsored legislation to require disclosure by bundlers who raise more than $10,000 for candidates. The bill Bush signed requires the online disclosure of bundlers raising more than $15,000.

Obama called it the "most sweeping reform since Watergate."

Fred Wertheimer, the president of Democracy 21, which calls attention to the role of money in politics, called the earmark disclosures an improvement and joined Democrats at a news conference Friday to celebrate the signing of the legislation.

]]>

Technology agency's leader resigns, agency to close

Heather Greenfield — Thu, 13 Sep 2007 00:00:00 -0400

In a letter to colleagues, Cresanti said he was grateful for the opportunity to serve "while pursuing some of my life's great passions -- including nanotechnology, intellectual property, [radio-frequency identification] and my chief privacy officer's duties -- while helping make America the place for technology companies to spawn, grow and thrive."

A government aide who did not wish to be identified said the Technology Administration, which Congress launched in 1980, is closing Sept. 30.

There have been efforts in recent years, both on Capitol Hill and in the Bush administration, to eliminate TA, the only office whose sole job is to advocate for innovation-friendly policies.

In his latest budget request, President Bush proposed to "modernize" TA by dramatically cutting its budget from $6 million to $1.6 million and then essentially eliminating it. Instead, of a standalone Technology Administration, there would be a senior adviser in the Commerce Department's office of policy and strategic planning who would chair a department-wide council to coordinate tech policy activities across the Commerce Department.

That change already seems to be reflected in Cresanti's e-mail, which he signed "senior technology policy adviser," not undersecretary.

The move comes despite some efforts by the former head of the Technology Administration, Information Technology Association of America CEO Phil Bond, and others to save the agency.

Bond was among seven former officials who had the job before Cresanti. They sent a letter to the Senate Commerce Committee earlier this year, asking Congress to reject the president's budget request and keep the agency, which they argued had done much to boost U.S. competitiveness.

"At a time when competitiveness has rocketed to the forefront of the national agenda, TA's mission has never been more important," said the seven former officials who led the agency under both the Clinton and Bush administrations.

Neither Cresanti nor a TA official could be reached for comment Thursday.

]]>

MoveOn ad against Gen. Petraeus triggers outcry

Heather Greenfield — Mon, 10 Sep 2007 00:00:00 -0400

The New York Times.

The liberal group with 3.2 million members ran a full-page ad under the headline "General Petraeus or General Betray Us?" The ad accuses Petraeus of being "a military man constantly at war with the facts" and of cooking the books on war statistics to make it look like the recent U.S. troop surge in Iraq is working.

Part of the ad strategy could be to pressure Democrats in Congress to declare a position on troop withdrawal. Republican leaders responded with their own push to get Democratic leaders to denounce what they call a personal attack on a military general.

"Democratic leaders must make a choice today: Either embrace the character-assassination tactics Moveon.org has leveled against the four-star general leading our troops in the fight against al Qaeda or denounce it as disgraceful," said House Minority Leader John Boehner, R-Ohio. Minority Whip, Roy Blunt, R-Mo., also e-mailed reporters a statement condemning MoveOn.

"It is bad enough that MoveOn.org has been trying to bully members of Congress into a course of action that most experts believe would lead to catastrophe in Iraq and the death of tens of thousands in a regional sectarian war," National Republican Congressional Committee Chairman Tom Cole said. "But comparing an American general, who has spent his life serving and defending our country, to traitors ... goes too far."

In addition to urging House Speaker Nancy Pelosi, D-Calif., to respond, the NRCC singled out Rep. Nick Lampson. The Texas Democrat won the seat of former Rep. Tom DeLay last year and received donations from MoveOn.

Jennifer Crider a former spokeswoman for Pelosi now at the Democratic Congressional Campaign Committee noted that "MoveOn is an independent organization." "The Republicans will use any tactic to distract from the issue, which is that the American people support Democrats' efforts to end the war," Crider said.

"It's unfortunate that they're concentrating on the headlines instead of the facts in the ad," said Nita Chaudhary, MoveOn's spokeswoman. "We stand by every single fact [in the ad], and we challenge Boehner ... and any other politician to refute those facts."

Some conservative bloggers also responded to MoveOn's ad by trying to pressure moderate Democrats. RedState listed 30 Democratic members of Congress on Monday and urged readers to call them to ask if they support the MoveOn ad.

At Townhall.com, conservative blogger Amanda Carpenter wrote about the MoveOn ad, which drew criticism in the comments, including a few by self-declared liberals.

The MoveOn ad is part of a broader $12 million, anti-war campaign, which includes TV ads targeted to run in four states represented by senators who support the war. The ads ask whether America should "start training our children now" for war if Republicans do not end it.

MoveOn also e-mailed members last week to ask about adding another battlefront to their war on the war by targeting Democrats who support it. The e-mail criticized DINOs -- "Democrats in name only" -- and asked whether MoveOn should get involved in primary challenges to them.

]]>

Lawmakers back energy-friendly light bulbs at federal facilities

Heather Greenfield — Tue, 04 Sep 2007 00:00:00 -0400

Rep. Bob Inglis, R-S.C., authored an amendment to a fiscal 2008 appropriations bill, H.R. 2829, that would prohibit the purchase of light bulbs that are not labeled energy efficient by either Energy Star or the Federal Energy Management Program. The House adopted the amendment by voice vote.

The language could have a fairly big impact, as the bill covers the Treasury Department, the judiciary, the District of Columbia, the General Services Administration, Small Business Administration, National Archives and executive office of the president, among others.

Inglis said high-efficiency bulbs like compact fluorescent light bulbs and halogen bulbs consume 75 percent less electricity than the incandescent bulbs. In March, he introduced separate legislation that would have required GSA to replace incandescent bulbs with energy-efficient ones in its 1,800 federal buildings.

Inglis estimated that those 1,800 buildings involve 3 million light bulbs and would save $222 million over the life of the light bulbs. "This is an easy way to reduce our dependence on fossil fuel," Inglis said. "As a conservative, I'm into conserving energy."

In an interview with Technology Daily, Inglis said he didn't anticipate any controversy in winning Senate passage of the language. "It'll be easier over there because they'll act on our bill."

In addition to the more innovative light bulbs, the spending bill would provide $58 million for the National Archives to develop electronic archives. The White House Office of Management and Budget had asked the archives to make sure it is preserving critical electronic information as it does other national records.

The House also voted to give slightly more than President Bush wanted to the Election Assistance Commission, which helps with grants to buy better voting machines, among other things. The House designated $750,000 for college elections to use real e-voting machines in an effort to train the future electorate on the technology.

Another $3.5 million would be transferred to the National Institute for Standards and Technology for technical assistance developing voluntary state voting systems guidelines.

"The funding for NIST to work on standards is definitely needed," said David Dill of Verified Voting. "A lot of our current security problems come from inadequate standards, and NIST is the agency charged with providing the technical skills to get them right for the EAC."

The House also added a minor increase -- $5 million over what Bush requested -- for the Counterdrug Technology Assessment Center. It would receive $226 million. Congress started that program in 1998 to offer technology and training to law enforcement agencies.

Bush had proposed saving $5 million by cutting funding for the program that transfers government-funded technology research to the private sector.

]]>

An eye toward a future with electronic passports

Heather Greenfield — Mon, 20 Aug 2007 00:00:00 -0400

Frank Moss, the former deputy assistant secretary for passport services at the State Department who oversaw the transition to e-passports, said as chips become faster and more reliable, it may be possible to issue visas electronically five years down the road.

"These first-generation chips are good, but they can certainly be better," Moss said. He looks forward to technical improvements to make it faster to write data to the electronic chips imbedded in the passports, faster to read the chips and easier to scan the passports in the readers.

Moss, who now has his own consulting firm, Identity Matters, with clients like Texas Instruments, said another possibility is that entry and exit stamps on passports could become electronic as well. He said if a visa expires, it would be more easily caught.

"An electronic record has an advantage over a guard," Moss said.

For the State Department, however, production speed rather than chip speed has been the challenge lately. It used to take four to six weeks to get a U.S. passport and now takes about 12.

In congressional hearings this summer, the department blamed an unforeseen increase in demand. The agency issued 7 million passports in 2003 and is expected to issue 17 million this year.

"This increase in requests -- over and beyond even the enormous demand we anticipated -- has resulted in longer than expected processing times for passport applications," Maura Harty, assistant secretary for consular affairs, explained in a video now posted on State's Web site.

Harty announced in June that those who have applied for passports, but not received them, could still travel to Bermuda, Canada, the Caribbean and Mexico through Sept. 30 by showing proof they applied for passports.

Moss said he didn't anticipate the spike in demand and attributes the biggest reason to the Western Hemisphere Travel Initiative, which would have required those traveling to Bermuda, Canada, the Caribbean and Mexico to have passports starting Jan. 23, 2007.

Moss said the new technology with an RFID chip probably does add some production time for passports, but mostly the lag is simply a matter of overwhelming demand.

State announced this week that it would take $20 instead of $6 out of passport fees, which are typically $97, to boost efforts to produce passports more quickly.

Moss predicts that as more people use the chip-based passports, privacy concerns will decrease. He said the United States is the only country to use three different identity protection measures -- anti-skimming material to block interception of the information, encrypted communication between chip and readers, and chips with ID numbers that change every time they are read.

]]>

Energy agency to focus on cutting-edge research

Heather Greenfield — Wed, 08 Aug 2007 00:00:00 -0400

Just before leaving for their August break, the House and Senate approved H.R. 2272, competitiveness legislation that would authorize $300 million to start up the Advanced Research Projects Agency -- Energy. President Bush is scheduled to sign the bill Thursday despite the White House's initial concerns with the bill.

ARPA-E would be charged with investigating "high risk, high reward" energy technology.

"If we're really going to become energy independent, it's going to take a bump in technology, so this may be the most important energy bill that we will pass," said House Science and Technology Committee Chairman Bart Gordon, D-Tenn., who led House negotiations to reconcile the bill with a Senate measure, S. 761.

ARPA-E was not in S. 761, but Sen. Lamar Alexander, R-Tenn., who represented Senate Republicans in talks with the House, said the pentagon's Defense Advanced Research Projects Agency, known as DARPA, was "so successful at DoD that we thought it was worth the risk." DARPA created Arpanet, which has evolved into the Internet.

"If we can do the same thing with energy, it will be well worth it," Alexander said.

The ranking Republican on the House Science and Technology Committee, Ralph Hall, of Texas, agreed. Speaking on the House floor just before the vote, Hall said ARPA-E is "a good program" and he fought for it despite the Energy Department's concerns.

Gordon said he believes lawmakers addressed Energy Department concerns that it would compete with its existing science office, which also does basic research. Gordon said the Bush administration wanted to ensure ARPA-E "wouldn't poach funds out of DOE Science." He said they fixed the legislation to ensure they wouldn't be competing agencies.

The structure of ARPA-E as independent from DOE is seen as key to its success in tackling the more cutting-edge, long-term alternative energy ideas. Scientists and others credit DARPA's independence and management for its success.

"The DARPA model is very attractive," said Kei Koizumi, a researcher at the American Association for the Advancement of Science. "But execution is key."

He said the Homeland Security Department's Advanced Research Projects Agency "has not turned out to be a DARPA because they haven't used the program manager model of autonomy to pursue long-term goals."

Koizumi said this time Congress specified the program manager model in the legislation authorizing ARPA-E, which makes him optimistic about the agency's prospects.

A congressional aide said the goal now is to ensure that the $300 million authorized for the first year is actually appropriated to pay for the research projects and to attract the level of program managers and scientists able to tackle "outside-the-box, not-afraid-to-fail" research.

Koizumi said it will be telling later to see whether lawmakers, who want workable energy alternatives as soon as possible, have the patience for long-term research.

]]>

House OKs ethics bill that emphasizes transparency

Heather Greenfield — Tue, 31 Jul 2007 00:00:00 -0400

House Speaker Nancy Pelosi, D-Calif., is touting the accomplishment as the fulfillment of an election promise to voters to clean up Congress. "Democrats are following through on our promise to change the way business is done in Washington," she said.

The bill, S. 1, would create greater transparency, with campaigns being required to disclose contribution "bundling" operations of more than $15,000. Corporate travel and parties paid for by lobbyists also would be limited, and lobbyists would have to disclose their activities twice a year in a searchable online database. House members would have to file personal financial disclosures and travel reports in a similar database.

The legislation further includes disclosure requirements for the first time on earmarks, money reserved for lawmakers' pet projects that usually are added in conference or committee reports rather than legislative language.

Bill Allison, a senior fellow at the Sunlight Foundation, said the current practice has made it difficult if not impossible to learn which members requested specific earmarks, the names of the project, the recipients and the amounts.

"We've never had that before," Allison said. "We just don't have it as easily searchable and transparent as we would like."

The earmarks would have to be disclosed online within 48 hours before Senate votes on the legislation. But the bill would not require the information to be disclosed in a searchable format. Conference reports would be available online to the public 48 hours before votes.

While the Sunlight Foundation is pleased with the "unprecedented disclosure" in the bill, Allison and other advocates of greater online transparency, like the online group Porkbusters, complain that the earmark disclosure provisions were watered down from the version of the measure the House passed in May before closed-door negotiations with the Senate.

Another less stringent feature of the compromise bill would allow the Senate majority leader, rather than the parliamentarian, to determine whether a conference report meets earmark disclosure rules. Sen. Tom Coburn, R-Okla., called that change "ludicrous."

The Senate is expected to vote on the final measure as early as Thursday.

Sen. Jim DeMint, R-S.C., is promising to seek an amendment to have the parliamentarian oversee earmark disclosures. "The culture of earmarks is what drives the culture of corruption, and if we don't fix the earmark rules in this bill, we will continue to have business as usual in Washington," DeMint said in a statement.

Conservative blogger Ed Morrissey of Captain's Quarters agreed, calling the allegations that led to the FBI and IRS raid of the home of Commerce Committee Chairman Stevens, R-Alaska, the "wages of pork."

Contractors have told a grand jury that oil company executives from Veco oversaw the remodeling of Stevens' home. He is under investigation for connections to Veco, which has received tens of millions of dollars in federal contracts.

]]>

Mobility of federal workers hinders data security

Heather Greenfield — Thu, 19 Jul 2007 00:00:00 -0400

Vance Hitch spoke Thursday to information technology contractors at a government symposium organized by Symantec. "Thumb drives are everywhere, and we have to encrypt them," Hitch said. "We're supposed to figure out how to have the data on them expire after 90 days."

Hitch said a recent White House Office of Management and Budget directive will require encryption of all sensitive data leaving his department, whether the information is being used or is at rest. "This creates challenges with how to do encryption-sharing across agencies," Hitch said.

He said part of the challenge is that agencies and departments have different encryption software and vendors. Another challenge is how to extract data and control who can make copies of data.

Hitch said some CIOs complain about the costs of compliance with the Federal Information Security Management Act, which established standards and guidelines for cyber security at government agencies. He said some say that after spending money on compliance, they no longer can afford actual security measures like penetration, testing and scanning for their systems.

"But overall I think FISMA has been good," Hitch said. "It has increased focus on IT security."

He also noted recent breaches like the theft of a Veterans Affairs Department laptop containing personal data on 26.5 million veterans have helped raise the profile of security needs.

"One thing the VA [data loss] did do is get senior management's attention," Hitch said.

He said that while CIOs certainly have "differences" with OMB, he agrees with the agency on one point: "If you can afford to build it, you can afford to build it right."

Hitch said security needs to be built in, and federal agencies must be more proactive in demanding that from vendors. "We need defensive security including things like situational awareness," he said. "Whether it's Oracle, Symantec or Brand 'X', we're going to look for hardened systems that are easier to lock down."

Noting that agencies "spend so much money afterward" fixing vulnerabilities, Hitch said security needs to be addressed "earlier in the supply chain." It requires monitoring what vendors and contractors are building to make sure it is secure, he added.

]]>

Privacy officials discuss government data breaches

Heather Greenfield — Wed, 18 Jul 2007 00:00:00 -0400

Hugo Teufel, chief privacy officer at the Homeland Security Department, said whenever humans are involved, accidents can happen. TSA, which is part of Homeland Security, is investigating why a missing computer drive containing payroll data was not protected with encryption.

Teufel said TSA has moved quickly to implement better security. "How TSA management handles that should be a model for action," he said.

"We could have the greatest plans in place, but unless our employees, staff and contractors know about them, we are still at risk," said Marc Groman, chief privacy officer at the FTC.

Groman shared slides of an internal FTC advertising campaign likening personal data to an egg and showing what steps an employee must take if that egg gets broken. Later he said the agency had all its 1,200 employees sign pledges to protect personal data and inform a supervisor if any personal data is lost or stolen.

Teufel said he issued an internal memorandum Tuesday on how Homeland Security needs to respond to a White House Office of Management and Budget directive issued this week that asks agencies to inventory by Sept. 22 the personal data they are storing.

"When you look at policy and guidance, it looks oh so simple until you look at your mission and how your network is put together," said Mischel Kwon, chief security technologist at the Justice Department.

Kwon said earlier federal directives to decrease the use of Social Security numbers linked to other personal data will be a challenge, as will a requirement that agencies notify the U.S. Computer Emergency Readiness Team within one hour of a data breach.

"The one-hour notification definitely needs to be revisited," Kwon said. She said with more than two dozen departments and a chain of command to forward information to, that can be "a hard tap dance to do in one hour." She also said having some amount of time to evaluate and investigate a potential breach to determine whether it is meaningful might be more useful than lots of notifications about potential breaches.

Federal privacy and security officers also said the challenge of protecting data is changing as the workforce becomes more mobile with laptop computers and BlackBerry handheld devices. They said restricting telework and what data can be removed do not entirely solve the problem because many employees still need to travel.

Kwon said evolving technology changes how agencies need to address OMB directives.

She also noted that one solution often proposed does not solve all problems. "Full disc encryption [of data] only works when your computer is off," Kwon said. "That's important to understand. Encryption could become your highest vulnerability."

]]>

Standards body drafts guide on preventing data breaches

Heather Greenfield — Mon, 11 Jun 2007 00:00:00 -0400

The 387-page guide is designed to help agency technical teams evaluate whether the security controls they have actually work as intended to protect information systems from being compromised.

It is designed as a companion to an earlier publication on minimum security controls for federal information systems. That guide, according to lead author Ron Ross, defines the different security controls required by the federal government -- including encryption, identification and authentication of users, access control to systems, personnel security and physical security.

The latest publication lists the different security measures and explains how to test them. For example, for continuity of operation requirements, the report outlines how to determine if an agency really has developed a plan, if people understand it and if it has been distributed to the right people within the organization.

The 2002 Federal Information Security Management Act instructs NIST to prepare minimum computer-security requirements for all systems other than those connected to national security, which have separate rules.

"The assessment requirements presented in this latest draft are intended to make compliance with FISMA easier, more efficient, and ultimately to produce better computer and information security for the federal government," said Ross, who is the FISMA implementation project leader at NIST.

Ross said the report is the last in a series since 2003 and is designed o make security procedures more cost-effective and easier to implement. NIST is asking for comments through the end of next month. The guidelines could help federal agencies, which received a grade of C-minus for FISMA compliance for 2006.

Sen. Norm Coleman, R-Minn., has introduced legislation that would amend FISMA rules to broaden the definition of sensitive personal data and direct the White House Office of Management and Budget to establish policies that agencies should follow after data breaches.

In addition to names, Social Security numbers, birth dates and places, mother's maiden names, and biometric records, the bill would include education, criminal, medical and employment history. The measure, S. 1558, also would give agency chief information officers more power to enforce compliance with security rules.

"In the wake of data breaches at the Departments of Veterans Affairs, Commerce, Agriculture, the [Transportation Security Administration] and IRS, we must ensure that federal agencies are taking the necessary preventative security measures to protect our citizens' personal information," Coleman said. "In addition to establishing a new protocol, this legislation will also create a system for notifying victims in the event of a security breach."

The Senate bill is designed as a companion to a House bill, H.R. 2124. Unlike broader data-protection measures drafted or being drafted by other committees, the bills would apply to just personal data stored by the federal government.

]]>

A year after major breach, data-security bills stalled

Heather Greenfield — Tue, 22 May 2007 00:00:00 -0400

Larry Clinton, director of the Internet Security Alliance, said he is encouraged that recent security breaches have made lawmakers aware of cyber-security problems but lamented the limited activity to correct the problems.

"I find it a little bit disheartening the approaches [to improve security] haven't been implemented and a little disappointed the approaches don't seem to grasp the problem we're dealing with here," Clinton said.

The Senate has been active in recent weeks, with the Judiciary Committee approving a bill, S. 495, that would boost punishment for cyber crime, require notification to victims of data breaches, and require businesses to take steps to minimize risks. In the bill, the committee said it found that 9.3 million Americans were victims of identity theft last year.

The Senate Commerce Committee also has approved a measure, S. 1178. It has breach-notification provisions, too, and a provision allowing victims to freeze credit reports.

On the Senate Banking Committee, Robert Bennett, R-Utah, and Thomas Carper, D-Del., have submitted legislation, S. 1260, similar to theirs from last year and have added a provision to the Commerce bill to extend the requirements to government agencies.

Senate Majority Leader Harry Reid, D-Nev., has been pushing committee chairmen to reach a consensus.

The House may face a tougher battle, as the legislation touches on the jurisdiction of the Energy and Commerce, Judiciary, Financial Services, and Oversight and Government Reform panels.

Virginia's Tom Davis, the ranking Republican on the Oversight and Government Reform Committee, has introduced a bill, H.R. 2124, that would provide notification requirements for federal agencies. The other committees are still working on their bills.

"The reason we didn't get good data-security legislation last year was the jurisdictional lines -- not a lack of consensus on ideas," Clinton said.

"There are lots of different approaches to breach legislation and lots of committees of jurisdiction, so this isn't going to be easy," said Shannon Kellogg, the director of information security policy at EMC, which recently merged with RSA. "We're hopeful a reasonable federal bill can move this year."

By reasonable, he said he means a bill with a national standard for breach notification that is based on some link to the risk of harm, plus a national standard for safeguards that uses incentives rather than picking technology standards and imposing penalties for not adopting them.

Kevin Richards, a lobbyist for Symantec, agreed that the battle has been jurisdictional but said, "Leadership realizes this is an issue that resonates with voters, and they want to move forward." He expects that still can happen this year.

Clinton and Kellogg are hopeful but consider the odds a "toss up."

]]>

Report on smart tags includes security, privacy warnings

Heather Greenfield — Tue, 01 May 2007 00:00:00 -0400

RFID devices send or receive audio signals, transmitting information like serial numbers of products within warehouses.

"RFID tags, commonly referred to as smart tags, have the ability to improve logistics, profoundly change cost structures for business, and improve the current levels of safety and authenticity of the international pharmaceutical supply chain and many other industries," Technology Administration chief Robert Cresanti said.

"This important report lays the foundation for addressing important RFID security risks so a thoughtful enterprise can launch a smart-tag program with confidence." The 154-page report outlines inherent risks to data security and privacy and how to mitigate them.

For example, if a warehouse uses only RFID tags to track inventory, an attack on the technology could crash order-processing. A competitor also could hack into the information generated by RFIDs. In another scenario, someone could use an RFID reader to locate a box of expensive electronic equipment to steal it.

On the privacy side, the report discusses risks as RFIDs become more prevalent. It said that as more data is stored, organizations could combine and correlate to infer identities or locations and build profiles of people for other purposes.

The report also noted that privacy and business objectives sometimes could conflict. For example, if it is too easy for customers to disable RFID tags after sales, it also may be easy for adversaries to disable them before sales.

The report outlines existing privacy rules like the 1974 Privacy Act, which allows people to know what's being collected, get a copy, opt out of such collection and prevents data from being used for other purposes. The 2002 E-Government Act requires privacy impact assessments for devices.

"The goal of our report," according to lead author Tom Karygiannis of NIST, "is to give organizations practical ways in a structured format with checklists and specific recommendations to address potential RFID security risks."

The recommendations include: installing firewalls to separate organizations' RFID databases from other databases; encrypting the radio signals; authenticating approved RFID users; shielding tags to prevent unauthorized access; adopting audit procedures to detect security breaches; recycling or destroying tags so sensitive data is permanently destroyed; and minimizing sensitive data stored on the tags.

Another section shows how grounded metal fencing can be used as a shield to protect against eavesdropping or radiation. It said reducing transmitting power also can help prevent the interception of information and reduce electromagnetic radiation risks.

The report also weighs issues like encrypting data when it is at rest and having a remote "kill" feature to disable tags.

The report focused on security controls available on the market now while acknowledging that more security solutions are planned.

]]>