<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:nb="https://www.newsbreak.com/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>Government Executive - Authors - Joshua Dean</title><link>https://www.govexec.com/voices/joshua-dean/2558/</link><description></description><atom:link href="https://www.govexec.com/rss/voices/joshua-dean/2558/" rel="self"></atom:link><language>en-us</language><lastBuildDate>Sat, 01 Jun 2002 00:00:00 -0400</lastBuildDate><item><title>Wireless Wonders</title><link>https://www.govexec.com/magazine/magazine-personal-technology/2002/06/wireless-wonders/11279/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Shane Harris and Joshua Dean</dc:creator><pubDate>Sat, 01 Jun 2002 00:00:00 -0400</pubDate><guid>https://www.govexec.com/magazine/magazine-personal-technology/2002/06/wireless-wonders/11279/</guid><category>Personal Technology</category><content:encoded>&lt;![CDATA[Imagine managing your corporate e-mail from your cell phone. At www.wirelessknowledge.com, you'll find Workstyle, software from Wireless Knowledge Inc., a subsidiary of communications giant Qualcomm Inc., which enables cell phones, handheld computers and notebooks to remotely access e-mail, calendars and contact information. Workstyle is compatible with two e-mail products widely used at federal agencies: Notes from Lotus Development Corp. and Exchange from Microsoft Corp. &lt;em&gt;-Joshua Dean&lt;/em&gt;
&lt;p class="c1"&gt;
  DEPTH STAR
&lt;/p&gt;AG Neovo Technology Corp., a computer display manufacturer based in San Jose, Calif., has introduced a line of snazzy, flat-panel monitors that have extraordinary depth and clarity.
&lt;p&gt;
  A special layer of glass added to the standard liquid crystal display intensifies the screen image. The S-series includes the S-18, with an 18.1-inch screen, and the 19-inch S-19. They can be mounted on a wall and used as televisions. Moreover, the monitors can be attached to adjustable, pneumatic arms made by AG Neovo, thus providing the ultimate in adjustability. &lt;em&gt;-Joshua Dean&lt;/em&gt;
&lt;/p&gt;
&lt;p class="c1"&gt;
  TABLET TIME
&lt;/p&gt;Electronic tablets could be the next big thing. And if ViewSonic Corp., a hardware manufacturer in Walnut, Calif., has anything to say about it, everyone will soon own a ViewPad. The ViewPad series comes in two flavors: The ViewPad 1000 is a full-featured PC in tablet form, while the ViewPad 100 is a supercharged personal digital assistant (a small, handheld computer).
&lt;p&gt;
  The ViewPad 100 is powered by a 206 MHz StrongARM processor made by Intel Corp. and uses the Windows CE 3.0 operating system from Microsoft Corp. The unit's 10-inch, full-color liquid crystal display is touch-sensitive, enabling users to use their fingers or a pen instead of a mouse. At just 2.5 pounds, the ViewPad 100 has a built-in mouse and comes with a cradle for recharging the batteries or connecting to the Internet via a standard Ethernet port.
&lt;/p&gt;
&lt;p&gt;
  If you are looking for wireless connectivity to the Internet, the ViewPad 1000 is for you. The unit is equipped with a wireless transmitter, an Ethernet port and a 56K modem. At 4.3 pounds, the machine hums along using an 800 MHz Mobile Celeron processor from Intel and is packed with 128M of memory. The 10.4-inch touch display offers portrait and landscape views. The ViewPad 1000 comes standard with a built-in digital camera and a wireless keyboard. &lt;em&gt;-Joshua Dean&lt;/em&gt;
&lt;/p&gt;
&lt;p class="c1"&gt;
  OFFICE TO GO
&lt;/p&gt;New applications for personal data assistants (PDAs) are making it easier to manage your work in the palm of your hand, literally. AvantGo, a Hayward, Calif., designer of mobile infrastructure software, is touting its latest PDA product as a way for agencies to put mission-critical systems into handhelds such as the Palm and the Blackberry, so they can be used outside the office. AvantGo 4.0 gives users access to databases, lets them send and receive e-mail and allows system administrators to tailor information to specific users. And now, PDA users also can load a variety of forms into their handhelds. FedSoft, an e-forms maker, has developed a package called FedForms, which consists of travel and expense forms, vacation trackers and performance evaluation sheets that can be downloaded into mobile computers. &lt;em&gt;-Shane Harris&lt;/em&gt;
&lt;p class="c1"&gt;
  BETTER THAN PAC-MAN
&lt;/p&gt;If that cramp in your hand makes you think carpal tunnel's setting in, maybe it's time to get a new mouse. 3M, the inventor of the desk-cluttering Post-it Note, is selling a new cursor controller that looks like a joystick. The Renaissance Mouse is especially popular among younger users who are accustomed to using joysticks with video games, according to a 3M spokesman. The mouse, which consists of an upright handle that users wrap their hand around to control, rolls freely on a pad, but users squeeze triggers, rather than clicking on the traditional flat buttons, to execute commands. &lt;em&gt;-Shane Harris&lt;/em&gt;
&lt;p class="c1"&gt;
  WALLET SIZE
&lt;/p&gt;Nikon is making digital cameras affordable with its new Coolpix 2500. The camera weighs just less than 6 ounces and comes with a lens that can magnify subjects up to three times. The lens adjusts internally instead of protruding outward, making it less prone to damage. Early independent reviews of the camera say its sleek design makes it easy to carry in a coat pocket or in a handbag. The camera retails for less than $400. &lt;em&gt;-Shane Harris&lt;/em&gt;
]]&gt;</content:encoded></item><item><title>Financing Defense</title><link>https://www.govexec.com/magazine/magazine-managing-technology/2002/06/financing-defense/11481/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Sat, 01 Jun 2002 00:00:00 -0400</pubDate><guid>https://www.govexec.com/magazine/magazine-managing-technology/2002/06/financing-defense/11481/</guid><category>Managing Technology</category><content:encoded>&lt;![CDATA[&lt;em&gt;The Defense Department is getting its finances in order.&lt;/em&gt;
&lt;p&gt;
  "No CEO worth his or her salt is going to make a strategic decision without good financial information," Defense Department Comptroller Dov Zakheim told reporters at a recent Pentagon briefing. But that's just what managers at Defense have been doing for years. The reason? Financial systems that barely communicate with each other, if they communicate at all. In fact, Defense is so massive that officials aren't even sure how many financial-related computer systems they have. "We're in the region of 1,100 systems," Zakheim said. "That is huge. It is untenable."
&lt;/p&gt;
&lt;p&gt;
  But that will change, and soon, Zakheim said. Defense is launching a new, five-year project to update and consolidate the department's financial environment. In fact, Zakheim said the effort to modernize Defense's financial systems is a key component of Defense Secretary Donald Rumsfeld's overall Defense transformation initiative. "[In] general, transformation has been viewed as new weapons systems or communications, or even culture," Zakheim said. "And those are all important and accurate and key elements of transformation. But there's another one too, and that's transforming the way we do business in this place."
&lt;/p&gt;
&lt;p&gt;
  A team of contractors led by IBM Corp. will first create a transformation blueprint. Anne Altman, the managing director of IBM's federal division, says IBM's own financial turnaround in the mid-1990s was one of the reasons it got the job. IBM had been saddled with 145 financial systems worldwide, but it quickly got rid of 90 of them, cutting operating costs by 38 percent. IBM also closed 59 of the data centers that supported these systems, leaving just eight in place.
&lt;/p&gt;
&lt;p&gt;
  IBM will be helped by Accenture, American Management Systems Inc., DynCorp, KPMG LLP and Science Applications International Corp. The team will help identify the essential pieces of financial information Defense workers need to do their jobs, says Roger Scearce, AMS' vice president for Defense Department financial management solutions. Scearce, a former deputy director of the Defense Finance and Accounting Service, is a consolidation veteran, having served on the team that won praise for revamping that agency's financial systems. And his experience should come in handy, considering the challenge. As Zakheim pointed out, Defense's financial systems all use different kinds of software. "We've got to get every Defense component, agency, field activity . . . to identify and use data the same way," he said.
&lt;/p&gt;
&lt;p&gt;
  The review will identify the systems Defense needs to preserve and others that will have to be redesigned or eliminated altogether. In some cases, the team may implement commercial, off-the-shelf technology from one or more companies, while, in other cases, it may choose to leave "damn good" legacy systems in place, Scearce says.
&lt;/p&gt;
&lt;p&gt;
  "These are individual systems," Zakheim said. "They relate not just to dollars and finances per se. They relate to health [and] medical [information]. They relate to supply. They relate to other elements of personnel." He said these "feeder systems . . . obviously affect the cash flow of this department and are critical if you're going to come up with financial statements that make any sense."
&lt;/p&gt;
&lt;p&gt;
  Defense's inventory of financial systems is still growing. Zakheim said he hoped to cut the number of systems by 90 percent. "This means Defense is not going to have one super system that deals with every transaction," he said.
&lt;/p&gt;
&lt;p&gt;
  Zakheim has created a program office with a staff of 21 to manage the project. The real weight will fall on the shoulders of Tina Jonas, Defense's first deputy undersecretary for financial management. Jonas will work closely with IBM to ensure the department gets what it pays for. The transformation should be complete in five years, Zakheim said. After IBM delivers its blueprint in March, the contractors and the department will begin buying software to support the plan. From April 2004 to May 2005, the software will be tested and prepared for a Defense-wide installation slated for completion in 2007.
&lt;/p&gt;
&lt;p&gt;
  The 1990 Chief Financial Officers Act is a major force behind the Defense effort. "The federal government believes financial statements should be produced for every agency in the executive branch so taxpayers can see how the government is using and managing their dollars," Scearce says. "Right now, I don't believe we do that very well."
&lt;/p&gt;
&lt;p&gt;
  When pressed about whether Defense would continue to have problems producing clean audits until 2007 or 2008, Zakheim said the department's inability to account for all its money would persist as long as the majority of Defense commands have trouble with their books. More importantly, he said, Defense needs to focus on building the "basic substructure that yields up a clean audit." "I think Rumsfeld has a vision of not only battlefield and situational awareness, but also business and management awareness," Scearce says. "It all comes down to everything being accounted for. Everything we do affects accounting."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>The Supply Chain’s Demands</title><link>https://www.govexec.com/magazine/magazine-managing-technology/2002/05/the-supply-chains-demands/30218/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Wed, 01 May 2002 00:00:00 -0400</pubDate><guid>https://www.govexec.com/magazine/magazine-managing-technology/2002/05/the-supply-chains-demands/30218/</guid><category>Managing Technology</category><content:encoded>&lt;![CDATA[&lt;em&gt;The Navy's new supply-chain management system meets demand without the inventory.&lt;/em&gt;
&lt;p class="c1"&gt;
  Overwhelming air superiority has been a key part of the United States' strategy against terrorist forces in Afghanistan. Navy jets have played a central role, flying more than 9,000 sorties over the war zone as of mid-March. The Navy operates 24 kinds of jets for combat and support missions, and requires elaborate supply chains to support them. After all, the absence of a $500 tire can ground a $20 million fighter.
&lt;/p&gt;
&lt;p class="c1"&gt;
  The way the Navy deals with the tire issue is an example of how federal agencies are revolutionizing their approach to supply-chain management. The service has a 15-year contract worth an estimated $260 million with French tire maker Michelin to supply jet tires to Navy units worldwide. But under the contract, Michelin sticks to what it does best: manufacturing. It relies on a partner, Lockheed Martin Naval Electronics and Surveillance Systems, a unit of Bethesda, Md.-based Lockheed Martin Corp., to manage the supply chain by which the tires are distributed. This approach, known as "performance-based logistics contracting" or "prime vendor support," is "a revolutionary way of doing business," says Doug Nevins, a contracting officer at the Naval Inventory Control Point Philadelphia, the contracting authority for jet tires.
&lt;/p&gt;
&lt;p class="c1"&gt;
  Michelin and Lockheed must meet performance targets to get paid under the contract. For example, all tires destined for locations within the continental United States must be delivered within two days of being ordered. Tires must be delivered anywhere else in the world within four days. Lockheed is required to meet these standards 95 percent of the time. As of mid-March, the company was beating the mark, delivering tires before the deadline 97 percent of the time. The Navy has ordered 25,000 tires since the contract was issued in July 2001. "The success has been stunning," Nevins says.
&lt;/p&gt;
&lt;p class="c1"&gt;
  The secret to that success is the technology behind Lockheed's supply-chain management efforts. Under the new system, the Navy, Lockheed and Michelin are connected by a computer network that enables sailors and contractors to communicate their needs, products and services in real time.
&lt;/p&gt;
&lt;p class="c1"&gt;
  The Navy isn't the only federal operation giving its supply chain management efforts a jolt of new technology. Agencies from the Postal Service to the Defense Logistics Agency are hoping to streamline their processes by implementing the latest in supply-chain technology (Web-based communication, demand planning, electronic procurement and order tracking) to improve efficiency and trim expenses.
&lt;/p&gt;
&lt;p class="c1"&gt;
  &lt;span class="c2"&gt;PLANNING AND PURCHASING&lt;/span&gt;
&lt;/p&gt;
&lt;p class="c1"&gt;
  Paul Litvak, director of supply chain solutions for Oracle Corp.'s federal division and a former supply executive at DLA and the Navy, says supply chains have three parts: planning, procurement and fulfillment. Each segment uses different kinds of technology. Supply experts say Defense agencies have traditionally excelled at planning. Defense logistics gurus understand supply cycles and have contingency plans for times when demand surges during military buildups. Yet critics say the military's procurement and fulfillment processes still rely too heavily on processing paper and warehousing goods. As part of the tire contract, the Navy turned 60,000 tires stored in its warehouses over to Lockheed. Now it's Lockheed's job to manage the inventory and make sure tires are available when the Navy needs them. When this stock is exhausted, Michelin will fill orders with new tires.
&lt;/p&gt;
&lt;p class="c1"&gt;
  The supply-chain system Lockheed uses to serve the Navy relies on automated demand planning and forecasting tools created by Xelus Inc., a Rochester, N.Y., developer of "enterprise service management software," and ViryaNet Ltd., a Southboro, Mass., developer of tracking products. The Xelus software enables Lockheed to look at the Navy's past and present tire requirements and predict future needs. This means the company can keep inventories to a minimum and let Michelin know exactly how many tires it needs to manufacture to keep up with demand.
&lt;/p&gt;
&lt;p class="c1"&gt;
  For the Navy, the jet tire procurement process is now as easy as pushing a button. Sailors on ships or at shore installations simply fill out an online requisition form, which is sent via the inventory control center in Philadelphia to Lockheed. The company fills the order immediately.
&lt;/p&gt;
&lt;p class="c1"&gt;
  The Navy has an advantage in this process because it can buy tires under an existing contract. Not all agencies have this luxury. Furthermore, not all items lend themselves to the sophisticated prime vendor support system the Navy uses. Nevertheless, technology is improving the procurement phase of the process by connecting buyers to sellers more quickly and easily through virtual malls, such as GSA Advantage! and the DLA E-Mall.
&lt;/p&gt;
&lt;p class="c1"&gt;
  The E-Mall gives Defense and civilian agency buyers quick, inexpensive and efficient online access to 17 million items. A purchase on the E-Mall costs DLA a little over $11 to process, while orders placed by hand cost $146, on average. E-Mall purchases cost less to process than orders placed with government-issued purchase cards, which include processing fees of $25 an order, on average. "The E-Mall is an emerging piece of the supply chain," says Donald O'Brien, who manages the E-Mall program. "It is useful when a customer needs to interact with the supply system to either find exactly what they need or get faster delivery."
&lt;/p&gt;
&lt;p class="c1"&gt;
  That may explain why the E-Mall is growing rapidly. In 2001, the E-Mall processed 45,000 transactions accounting for $7 million in purchases. So far this year, it is averaging $1 million in sales a month.
&lt;/p&gt;
&lt;p class="c1"&gt;
  &lt;span class="c2"&gt;SEEKING FULFILLMENT&lt;/span&gt;
&lt;/p&gt;&lt;span class="c3"&gt;Whether agencies use a customized approach, such as the Navy's jet tire supply system, or make purchases at a virtual mall, their orders must be fulfilled. In the Navy's case, Lockheed uses software from ViryaNet to manage order fulfillment and tracking. The software enables sailors to find the status and location of their orders online at any time.&lt;/span&gt;
&lt;p class="c1"&gt;
  With the nation on war footing, experts say fulfillment is more important than ever. The Defense Department alone has supply lines that run to Afghanistan, the former Soviet state of Georgia, the Philippines and Yemen. Since the Sept. 11 attacks, agencies have been relying on new technology to ensure their supply lines aren't interrupted.
&lt;/p&gt;
&lt;p class="c1"&gt;
  The Postal Service's job is all about fulfillment. In the aftermath of Sept. 11, the grounding of all commercial aircraft hit the agency hard: 25 to 35 percent of all First Class mail travels by air. The Postal Service was able to bounce back quickly as a result of a number of well-developed plans to continue delivering the mail. "We had a contingency plan for the complete shutdown of the airline industry," says Paul Vogel, the Postal Service's vice president of network operations. "I never thought we'd ever use it, though." Building on its relationship with the ground transportation firms it relies on to meet temporary increases in demand, the Postal Service quickly called on 6,000 to 7,000 trucking companies to keep the mail moving. "Every organization with a supply chain should have contingency plans that help deal with demand surges and interruptions," says John Rapp, the agency's senior vice president of operations. Vogel says the Postal Service is constantly seeking to improve its contingency plans and is evaluating new supply chain technologies as a result.
&lt;/p&gt;
&lt;p class="c1"&gt;
  The Navy is well aware of demand surges, because it must always be ready for war. The Navy's tire contract requires Lockheed and Michelin to be capable of satisfying twice the service's normal level of tire purchases. The Navy has already relied on the surge capability to help fight the war in Afghanistan, says Nevins. So far, the two firms have met higher-than-expected demand, helping to ensure that naval aviators are prepared for battle.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Despite lack of new funding, e-gov projects to move forward</title><link>https://www.govexec.com/technology/2002/04/despite-lack-of-new-funding-e-gov-projects-to-move-forward/11549/</link><description>The Office of Management and Budget has provided almost $5 million in funding for only a few of 24 e-gov projects, but the unfunded projects will still move ahead, the Bush administration’s e-gov chief said Monday.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Tue, 30 Apr 2002 00:00:00 -0400</pubDate><guid>https://www.govexec.com/technology/2002/04/despite-lack-of-new-funding-e-gov-projects-to-move-forward/11549/</guid><category>Tech</category><content:encoded>&lt;![CDATA[The Office of Management and Budget has provided almost $5 million in funding for only a few of 24 electronic government projects, but the remaining projects will still move ahead, the Bush administration's e-gov chief said Monday.
&lt;p&gt;
  OMB has marshaled a total of $6 billion to support its 24 e-gov projects, allowing each project to move forward this year, Mark Forman, OMB's associate director for information technology and e-government, said Monday at the &lt;a href="/dailyfed/0402/042902j2.htm"&gt;launch of GovBenefits.gov&lt;/a&gt;, the first of OMB's 24 e-gov projects to debut.
&lt;/p&gt;
&lt;p&gt;
  The $6 billion figure is not new funding. Rather, it includes staffing, reprogrammed funding, IT support and related office support. Last week, OMB handed out most of the $5 million in its e-gov fund to five projects. Only three of the funded projects were included on the original list of 24 projects the administration said it would pursue when it launched a roadmap for its &lt;a href="http://www.whitehouse.gov/omb/inforeg/egovstrategy.pdf" rel="external"&gt;e-gov initiative&lt;/a&gt; in February.
&lt;/p&gt;
&lt;p&gt;
  "All 24 e-government initiatives are proceeding," a statement from OMB said. "That some initiatives did not receive initial support from the e-government fund does not place them in a different status. The realignment of the large amount of redundant spending on activities related to the 24 e-government initiatives has enabled these initiatives to continue moving forward. The projects that received initial support from the e-government fund were components of the initiatives that could not be addressed by redirecting redundant funding."
&lt;/p&gt;
&lt;p&gt;
  Forman said recent expenditures from the $5 million fund were focused solely on projects that integrated information across several agencies, such as GovBenefits, &lt;a href="/dailyfed/0202/022702h1.htm"&gt;FirstGov.gov&lt;/a&gt; and the Small Business Administration's &lt;a href="http://www.businesslaw.gov" rel="external"&gt;BusinessLaw.gov&lt;/a&gt; Web site. Also included in the recent round of funding was the General Services Administration's e-authentication initiative, which is working to create a federal public key infrastructure.
&lt;/p&gt;
&lt;p&gt;
  A brief survey of the projects shows a variety of initiatives at different stages of development and funding:
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;SBA received $740,000 from the e-gov fund for BusinessLaw.gov. The site helps small businesses determine whether they are in compliance with federal, state and local regulations. "Our success is measured in terms of our ability to answer five questions for the businesses," said Jim Van Wert, SBA's senior adviser for policy, planning and e-government. "These are: What laws pertain to where I live? Where do I find these laws and how do I understand them? Do I comply with these laws in my current state? If not, how do I learn to comply? And if complying requires some action such as a registration, license or permit, how do I do it online?" Van Wert said the project requires considerable teamwork across all levels of government.
  &lt;/li&gt;
  &lt;li&gt;The Office of Personnel Management is moving ahead with its five e-gov projects, though officials aren't sure where the funding is going to come from yet. Some money may come from OMB, some from OPM funds and some from other agencies, said OPM Chief Information Officer Janet Barnes. The five projects are an electronic training portal, a one-stop federal recruitment site, an online security clearance process for federal workers, a human resources data standardization project and a payroll consolidation project. OPM has completed preliminary business cases for the first four projects and expects to complete the payroll project's business case by the end of the month.
  &lt;/li&gt;
  &lt;li&gt;Interior's two projects are Web portals aimed at breaking down barriers between federal, state and local agencies, and both will draw funding from participating agencies. The first is the &lt;a href="http://www.recreation.gov/recstop1.cfm" rel="external"&gt;Recreation One-Stop&lt;/a&gt;, a $4.1 million, five-year project to turn the existing &lt;a href="http://www.recreation.gov" rel="external"&gt;Recreation.gov&lt;/a&gt; site, which currently has information about outdoor recreation opportunities on federal lands, into a compendium of information on recreation sites on federal, state and local lands, and maybe even privately owned sites.
    &lt;p&gt;
      Interior is also trying to develop working groups with state and local governments on its second e-gov project, the &lt;a href="http://www.fgdc.gov/geo-one-stop/" rel="external"&gt;Geospatial One-Stop&lt;/a&gt; site. The $20 million, seven-year project will draw its funding from participating agencies and aims to create a portal for online mapping tools that people can use to analyze a host of issues, ranging from overpopulation to housing to water resources. Interior also wants to develop common standards for mapping data.
    &lt;/p&gt;
    &lt;p&gt;
      &lt;em&gt;Shane Harris and Brian Friel contributed to this report&lt;/em&gt;.
    &lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;
]]&gt;</content:encoded></item><item><title>IRS sets the standard for protecting privacy</title><link>https://www.govexec.com/technology/2002/04/irs-sets-the-standard-for-protecting-privacy/11540/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Mon, 29 Apr 2002 00:00:00 -0400</pubDate><guid>https://www.govexec.com/technology/2002/04/irs-sets-the-standard-for-protecting-privacy/11540/</guid><category>Tech</category><content:encoded>&lt;![CDATA[With a special tool designed to ensure that information is protected when new information systems are built, the IRS is setting the standard for federal agencies and other governments in protecting privacy in the age of electronic information.
&lt;p&gt;
  In an interview with &lt;em&gt;Government Executive&lt;/em&gt;, Peggy Irving, the IRS' privacy advocate, said the era of electronic records has people more concerned about privacy than ever before. "The public is more concerned about electronic records than paper records," she said, "especially because they can be sent globally in an instant."
&lt;/p&gt;
&lt;p&gt;
  Irving said it is important to ask who has access to sensitive information and to identify whether controls are in place to uphold privacy policies, especially when numerous databases are connected with one another across agency boundaries as a result of new initiatives to share information.
&lt;/p&gt;
&lt;p&gt;
  Since taking over the position in 1999, Irving has created a privacy impact assessment (PIA), which the IRS uses to help design new information systems under its massive Business Systems Modernization program. "The IRS uses the PIA to ultimately review what information should be collected and why it should be collected," Irving said. "It also asks if the information is relevant and from the most timely and accurate source."
&lt;/p&gt;
&lt;p&gt;
  The PIA asks a series of questions designed to ensure privacy protection is designed into new information systems and to ensure that only the least amount of personal information is collected. "Identity theft has become an issue," Irving said. "We analyze every IRS form and scrub them to make sure the agency is only asking for the information we absolutely need."
&lt;/p&gt;
&lt;p&gt;
  Irving's work at the IRS has not gone unnoticed. The federal Chief Information Officer's Council has called the PIA a best practice. Other federal agencies have come to the IRS for advice on privacy standards and assessments, as have businesses and foreign governments.
&lt;/p&gt;
&lt;p&gt;
  Irving is not hesitant to share the PIA. She has met with representatives from the FBI, the Coast Guard and the Navy to discuss the best practices embodied by the tool. "The FBI immediately saw the rightness of the PIA…[the agency] really does want to assure the public and encourage cooperation," she said.
&lt;/p&gt;
&lt;p&gt;
  In 1993, the IRS became the first federal agency to have a privacy advocate. Irving took over the position in 1999 after working on privacy and disclosure issues at the Justice Department for more than 20 years. She said the Department of Health and Human Services was the next agency to create the position, since Americans are as concerned about the privacy of their medical information as they are about their financial information.
&lt;/p&gt;
&lt;p&gt;
  The positions of privacy advocate and chief privacy officer have since become more prevalent in both the public and private sectors. To date, such companies as Hewlett-Packard Co., IBM Corp. and Procter &amp;amp; Gamble Co. have created privacy advocate positions. Agencies including the Justice Department and the Postal Service have also appointed privacy advocates. Irving's office has grown from a staff of three to a staff of 12, reflecting the premium the IRS puts on privacy, she said.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>GovBenefits debut marks Bush administration’s first e-gov success</title><link>https://www.govexec.com/technology/2002/04/govbenefits-debut-marks-bush-administrations-first-e-gov-success/11544/</link><description>A new Labor Department Web site marks the initial success of the Bush administration’s e-government agenda.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Mon, 29 Apr 2002 00:00:00 -0400</pubDate><guid>https://www.govexec.com/technology/2002/04/govbenefits-debut-marks-bush-administrations-first-e-gov-success/11544/</guid><category>Tech</category><content:encoded>&lt;![CDATA[Labor Department officials on Monday debuted a new Web site designed to help Americans determine their eligibility for 55 government benefits programs.
&lt;p&gt;
  The site, &lt;a href="http://www.govbenefits.gov" rel="external"&gt;GovBenefits.gov&lt;/a&gt;, is the first of the Office of Management and Budget's 24 electronic government projects to go live and marks the initial success of the administration's e-government agenda as championed by Mark Forman, OMB's associate director for information technology and electronic government.
&lt;/p&gt;
&lt;p&gt;
  "This site helps citizens break down the artificial barriers in our government," Cameron Findlay, Labor's deputy secretary, said when he unveiled the site. "Today it is way too complicated for a citizen to find the information they need in the federal government. It's unfair to ask a citizen to dissect the government."
&lt;/p&gt;
&lt;p&gt;
  Findlay said the designers of GovBenefits used the mantra of another federal Web portal, &lt;a href="http://www.firstgov.gov" rel="external"&gt;Firstgov.gov&lt;/a&gt;, as a model for the site. The mantra, "three clicks to service," means citizens can access the information they need with only three mouse clicks.
&lt;/p&gt;
&lt;p&gt;
  GovBenefits classifies users under 15 categories of government beneficiaries, such as parents, veterans, disaster victims and the unemployed. Once a citizen selects a category, the site asks a series of easily understandable "yes/no" questions such as, "Are you unemployed?" and "Were you dependent on the income of another family member but are no longer supported by that income?" After tabulating the responses to the questions, the site creates a list of programs for which the citizen may be eligible.
&lt;/p&gt;
&lt;p&gt;
  Ed Hugler, Labor's deputy assistant secretary for administration and management, said the site has an 80 percent success rate when it suggests which government benefits users may be eligible for. The site also provides contact information and Web links to the benefit programs.
&lt;/p&gt;
&lt;p&gt;
  The site aggregates the sources of a total of $1 trillion in government benefits. Currently the site pulls information on 55 government benefits programs. Administrators will add 30 to 40 new programs a month for a total of 300 programs.
&lt;/p&gt;
&lt;p&gt;
  Each of the administration's 24 e-government projects is coordinated by a single agency acting as a "managing partner." The Labor Department was GovBenefits' managing partner. The project also got help from the Agriculture, Education, Energy, Health and Human Services, Housing and Urban Development, Labor, State and Veterans Affairs departments, the Federal Emergency Management Agency and the Social Security Administration. Labor's partners contributed staff, financing and a variety of information technology-related capabilities for the project. OMB contributed $800,000 to fund the project, but the total cost is unknown.
&lt;/p&gt;
&lt;p&gt;
  "We've been very focused on succeeding and set an extremely tight time frame for completing this project," Hugler said. "We said we'd do it on a private sector model, which means do it quick and continue to build and perfect it over time."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Navy medical personnel worldwide use software to collaborate</title><link>https://www.govexec.com/technology/2002/04/navy-medical-personnel-worldwide-use-software-to-collaborate/11523/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Thu, 25 Apr 2002 00:00:00 -0400</pubDate><guid>https://www.govexec.com/technology/2002/04/navy-medical-personnel-worldwide-use-software-to-collaborate/11523/</guid><category>Tech</category><content:encoded>&lt;![CDATA[The employees of the Navy's Bureau of Medicine and Surgery (BUMED) are using collaboration software to help improve the health care they provide to 2.6 million active duty service members, retirees and dependents worldwide.
&lt;p&gt;
  Vice Adm. Michael Cowan, surgeon general of the Navy and the chief of BUMED, wanted the bureau's senior leaders, who travel frequently, to be able to make decisions no matter where they are, said Navy Lt. Mike Whitecar, head of e-business services for BUMED.
&lt;/p&gt;
&lt;p&gt;
  So, the agency decided to use software that would allow bureau leaders to collaborate online. The agency bought eRoom 6.0 software from eRoom Technology Inc., a Cambridge, Mass.-based software developer. The company counts the Defense Advanced Research Projects Agency, the Energy Department, the Federal Aviation Administration and the State Department among its customers. Now, BUMED operates 15 different collaboration Web sites and more than 500 employees use the software.
&lt;/p&gt;
&lt;p&gt;
  One of the largest sites is CIO Today, which debuted in January and is used by 80 BUMED chief information officers worldwide. In the past, the CIOs met just one time a year at a conference and collaborated on common issues and problems in an informal manner, Whitecar said. Now, the CIOs gather online daily and work through budget strategies and other issues. And, senior and junior officers can meet online for mentoring purposes.
&lt;/p&gt;
&lt;p&gt;
  Knowledge that used to be locked in officers' heads is now held within the Web site, and officers anywhere can search the knowledge base for solutions to their problems. "This is a first," Whitecar said. "It's a real big step for us."
&lt;/p&gt;
&lt;p&gt;
  The CIOs also use the site's online polling feature to make decisions. "This is a major time saver," Whitecar said. All CIOs access a central Web site, which resides behind a firewall. Transmissions are secured by secure sockets layer technology, which encrypts data as it flows between the server and the user.
&lt;/p&gt;
&lt;p&gt;
  BUMED also uses the technology to route service members' medical claims through a lengthy approval process. According to Whitecar, this alone is saving BUMED thousands of dollars a week.
&lt;/p&gt;
&lt;p&gt;
  Jake Sorofman, senior product marketing manager at eRoom, said the software is designed for project managers and organizations with personnel located in numerous time zones. "The software provides the ability for teams to come together on an ad hoc basis," he said. It also provides a central site for communities of interest and practice, key fixtures for organizations that have embraced knowledge management.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Top Dog</title><link>https://www.govexec.com/magazine/2002/04/top-dog/11270/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Mon, 01 Apr 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/magazine/2002/04/top-dog/11270/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;em&gt;What it takes to be a champion CIO.&lt;/em&gt;
&lt;p&gt;
  In the past, federal chief information officers were treated like stray hounds nosing in for scraps at the head management table. Those days are over. The Bush administration is keenly aware of technology's promise, grooming CIOs of a different breed. Some have even become top dogs with power and influence.
&lt;/p&gt;
&lt;p&gt;
  The federal CIO position was created by the 1996 Clinger-Cohen Act to gain control of the government's massive spending on information technology. Since 1996, the IT budget has grown. In fiscal 2002, the federal IT budget was roughly $45 billion. That figure has jumped 15.5 percent to $52 billion for fiscal 2003.
&lt;/p&gt;
&lt;p&gt;
  The Office of Management and Budget has tried to institutionalize IT management even further by making electronic government one of the five priorities in the president's management agenda. The Information Technology Association of America's 12th annual survey of federal CIOs reveals a singular focus on e-government. According to the survey, federal CIOs are committed to strengthening cybersecurity, crossing agency and organizational boundaries to share information, sanitizing federal Web sites to thwart terrorists who might use them, and building faster and more reliable telecommunications infrastructures. CIOs find themselves pulled in different directions as they work to fix the cybersecurity problems exposed by the 2000 Government Information Security Reform Act (which requires agencies and their inspectors general to audit information security practices) and comply with the 1998 Government Paperwork Elimination Act (which requires agencies to move paper processes to the Web by October 2003).
&lt;/p&gt;
&lt;p&gt;
  "Being a CIO is a really big job," says Dave Wennergren, the Navy's deputy CIO for enterprise integration and security. "In the 21st century, technology is very complex and is everywhere." As the job has grown, the demands have stretched the talents of even the best CIOs. To turn the popular axiom on its head, old dogs not only can learn new tricks-they must. With the complex initiatives set out in the Bush administration's mammoth fiscal 2003 IT budget, even veteran CIOs need to brush up on their management skills. "The CIO is a very high profile job right now," says Chris Hoenig, director for strategic issues at the General Accounting Office. He says President Bush and the American people expect technology to be the key to winning the war on terror. All this lands on CIOs and their organizations, right on the heels of having to adjust to the shift in administrations.
&lt;/p&gt;
&lt;p&gt;
  Many experts note a sea change in Washington. They say the Bush administration has brought in a savvy group of political appointees who are accustomed to working with CIOs in the private sector, where the position has real power and influence. Air Force CIO John Gilligan says Bush's appointees have clear expectations of what the CIO's role should be-expectations he finds refreshing. "I am quite pleased and surprised," he says.
&lt;/p&gt;
&lt;p&gt;
  The question is: Are federal CIOs prepared to deliver the goods to executives at a time when the nation's focus on security involves technology at every level of government and the private sector? "Now there's no excuse," says Alan Balutis, former deputy CIO at the Commerce Department. He now heads the Federation of Government Information Processing Councils and is executive director of its Industry Advisory Council. "Most CIOs will tell you they relish this opportunity," he says. So, to help these top dogs make the most of their opportunity, Government Executive has compiled 10 tips on how to become a champion CIO.
&lt;/p&gt;
&lt;hr /&gt;
&lt;span class="c1"&gt;Communication&lt;/span&gt; The current crop of agency heads expect their CIOs to be business leaders, experts say, not those surly technologists of the past with bulging pocket protectors. They must be visionaries who can communicate with their superiors and underlings.
&lt;p&gt;
  "To be a good communicator, you have to be a teacher and educator," says George Molaski, former CIO at the Transportation Department. "Typically, your peer group is not as knowledgeable about technology as you are, and you have to be able to teach them without overwhelming them. As a leader you create a vision not only for the CIO's office, but also for the whole organization. This requires the CIO to build consensus and get people to buy into that vision."
&lt;/p&gt;
&lt;p class="c2"&gt;
  Business Acumen
&lt;/p&gt;The days of technology for technology's sake are over. So too are the days of CIOs who single-handedly shoved unwanted IT solutions down their agencies' throats. "To be successful, CIOs have to use a combination of business acumen and technology awareness," says Greg Pellegrino, a partner and global e-government leader with Deloitte Consulting in Boston. So in addition to being stalwart visionaries, CIOs must be good listeners.
&lt;p&gt;
  Good CIOs immerse themselves in every nuance of how their agencies run. "A CIO must understand every aspect of the enterprise," says Wennergren. He says CIOs must comprehend current and forthcoming technologies and recognize how they can be used in their organizations.
&lt;/p&gt;
&lt;p class="c2"&gt;
  Power From Above
&lt;/p&gt;CIOs must be able to win over key constituents, from Cabinet secretaries down to middle managers.
&lt;p&gt;
  "The first and single most important asset for a CIO is to have the support of the boss," says Roger Baker, former CIO at Commerce and now executive vice president for telecommunications and information assurance at CACI International Inc., a systems integrator in Arlington, Va. "The most important part of the job is being a key part of the secretary's team."
&lt;/p&gt;
&lt;p&gt;
  But there's a twist. By becoming a servant to their leaders' vision and a trusted adviser, CIOs can derive their power from above. CIOs have to remember they are acting on behalf of the head of the agency, says Air Force CIO John Gilligan. "Whatever a CIO does has to be in sync with where leadership wants to go," he says. Then a CIO can effectively communicate that vision to mid-level executives and staffers.
&lt;/p&gt;
&lt;p class="c2"&gt;
  Outside Help
&lt;/p&gt;A valuable CIO can work across organizational boundaries.
&lt;p&gt;
  Because the Sept. 11 attacks exposed deficiencies in how agencies share information, the Bush administration is requiring executives to look outside their fiefdoms to see who they can help and who can help them. Data is power, and sharing it is difficult in government. CIOs must be the bridges to sources of vital information.
&lt;/p&gt;
&lt;p&gt;
  "These days, CIOs have to be able to get things done across boundaries," Hoenig says, adding that CIOs might have to produce results from workers outside their agencies, possibly in the private sector. Hoenig calls this industry leadership.
&lt;/p&gt;
&lt;p&gt;
  That is the case for Ron Miller, who recently became CIO at the Federal Emergency Management Agency. Miller says the agency had been focused on internal issues as it developed the groundbreaking National Emergency Management Information System. But new homeland security responsibilities have forced FEMA to look outside its organization to meet its mission, Miller says. His role, as CIO, is to facilitate that process with the right mix of leadership and technology.
&lt;/p&gt;
&lt;p&gt;
  If Mark Forman, OMB's associate director for information technology and e-government, gets his way, the federal government will build more systems that many agencies can use at once-eliminating fiefdoms and forcing agencies to share and share alike.
&lt;/p&gt;
&lt;p class="c2"&gt;
  Cultural Change
&lt;/p&gt;A good CIO understands how technology breeds change.
&lt;p&gt;
  New technology changes how organizations operate. Simple changes can have profound effects on the average worker, so it is not hard to imagine the stress massive new software systems can put on an entire organization. CIOs must remember that resistance to change can be their downfall.
&lt;/p&gt;
&lt;p&gt;
  "As CIO, your primary job is leading change," Wennergren says. But, he says, so much of change is cultural. "Ten percent of change is about technology while 90 percent is about culture."
&lt;/p&gt;
&lt;p&gt;
  This comes back to communication and expressing the will of senior leaders. Effective CIOs must be people of action who can get measurable results, not passive bystanders, Pellegrino says. Successful CIOs in the private sector have become major transformational figures by changing the way their companies do business, Balutis notes. They are tacticians, deliverers and relationship-builders, he says.
&lt;/p&gt;
&lt;p&gt;
  One of the classic examples of technology enabling change in the federal government is the transformation of the U.S. Mint. CIO Jackie Fletcher and John Mitchell, the Mint's deputy director, improved operations and generated enthusiasm among employees by launching an online superstore to sell the agency's products.
&lt;/p&gt;
&lt;p class="c2"&gt;
  Vision
&lt;/p&gt;A first-rate CIO is a strategist, a forward thinker, a seer.
&lt;p&gt;
  Experts say strategy is the main job of most federal CIOs. Following day-to-day IT operations is typically the domain of the deputy CIO. But now, with so much budget authority, CIOs must keep one eye on business and another on the future. One way is to fit all short- and long-range IT projects into an overall plan, or enterprise architecture.
&lt;/p&gt;
&lt;p&gt;
  "Capital planning and building enterprise architectures are the classic jobs that every CIO should know how to do," Hoenig says. CIOs must justify each investment in technology by ensuring it fits into the agency's long-term IT plan. Jan Popkin, CEO of Popkin Software, a New York-based software developer that creates the technology CIOs use to track IT investments, says the Treasury and Defense departments have the most fully developed enterprise architectures.
&lt;/p&gt;
&lt;p&gt;
  Still, thousands of IT systems get implemented every year that aren't well-designed and don't fit into agencies' long-term plans, Hoenig says. A CIO who lacks the skills required to build a strategy for IT activities should hire a chief architect who can rationalize all the agency's IT systems and plan for new ones, Hoenig says. Such a position can quickly become one of the most important in a CIO's organization.
&lt;/p&gt;
&lt;p class="c2"&gt;
  Capital Planning
&lt;/p&gt;The fiscal 2003 budget hands CIOs more authority than ever.
&lt;p&gt;
  By tying capital planning to the budget process, OMB has demonstrated that IT projects without strong business cases will not be funded. "Most of these CIOs have been saying for years in their own agencies that they need controls that link budget decisions to sound business cases," Balutis says. "They've said the federal government needs better performance metrics and an overall architecture."
&lt;/p&gt;
&lt;p&gt;
  The budget process now holds senior executives' feet to the fire when it comes to requesting money for technology purchases. With Mark Forman, Balutis says, CIOs have an official at OMB who is forcing secretaries and deputy secretaries to pay attention to capital planning, long-term IT strategy and information security if they are to get the funds they request. And because these three elements are at the core of a CIO's job, Balutis says OMB has "greatly strengthened the hand of CIOs."
&lt;/p&gt;
&lt;p class="c2"&gt;
  Security Sense
&lt;/p&gt;Cybersecurity and information sharing are key concerns for every CIO.
&lt;p&gt;
  In years past, organizations have been slow to secure their IT systems and networks because of funding shortfalls and the sheer difficulty of the task. Information sharing is inhibited mainly by closed cultures at agencies and a segregated appropriations process that only nominally acknowledges the value of interagency issues.
&lt;/p&gt;
&lt;p&gt;
  The president has made cybersecurity and information sharing top priorities in the homeland security effort. "What's different is that CIOs are being given the authority, the backing and, in many cases, the funding to actually accomplish these missions," Balutis says. CIOs should designate certain employees to manage a core unit of cybersecurity professionals to monitor security tools and conduct continual vulnerability assessments. Systems administrators have too big a job fighting the day-to-day fires that flare up within every enterprise to adequately address cybersecurity.
&lt;/p&gt;
&lt;p&gt;
  By focusing on relationships with executives at other agencies, CIOs can go a long way toward fusing information from numerous organizations facing common challenges.
&lt;/p&gt;
&lt;p class="c2"&gt;
  Best Practices
&lt;/p&gt;CIOs must be willing to look to the private sector for answers and inspiration. Public sector CIOs view the private sector with fascination. They look at how company CIOs operate without the binding rules of bureaucracy and wonder, "Could that work in my shop?" Navy Deputy CIO Dave Wennergren spends a good amount of time talking with private sector CIOs to find out what is important to them. From them he learns how the newest technologies fit into smooth-running organizations, and gets a sense of how the Navy can innovate.
&lt;p class="c2"&gt;
  Passion
&lt;/p&gt;Performance and measurable results are the ultimate yardstick for good CIOs. Leading organizations "strive to understand and measure what drives and affects their businesses and how best to evaluate results," according to GAO's management tome, "Maximizing the Success of Chief Information Officers." Good CIOs use this information to improve efficiency and rationalize new initiatives.
&lt;p&gt;
  But sometimes it is not easy being a supercharged CIO working in a slow-moving bureaucracy that is shackled by congressional legislation. To be effective in this environment, top CIOs must be fueled by a passion for government and technology.
&lt;/p&gt;
&lt;p&gt;
  "As a CIO, you've got to have passion for public service, good government and technology," Molaski says. "If you don't have the passion for bringing those three things together and aren't committed to helping government perform more effectively, then you are in there for the wrong reason."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Security agency’s CIO outlines transformation plans</title><link>https://www.govexec.com/technology/2002/03/security-agencys-cio-outlines-transformation-plans/11344/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Wed, 27 Mar 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/technology/2002/03/security-agencys-cio-outlines-transformation-plans/11344/</guid><category>Tech</category><content:encoded>&lt;![CDATA[The National Security Agency is working to transform its information technology business practices as the war on terrorism progresses, a senior agency official told technology vendors Wednesday.
&lt;p&gt;
  NSA CIO Richard Turner outlined the agency's transformation goals at a breakfast meeting sponsored by FSI, a McLean, Va.-based IT market research and consulting firm. Turner has been NSA's CIO for eight months. Previously, he was CIO at the Federal Trade Commission and NASA.
&lt;/p&gt;
&lt;p&gt;
  The war on terrorism has complicated one of the agency's missions: to protect all classified and sensitive information stored in or sent through federal government systems, Turner said. NSA is reevaluating the way it does business in light of the Bush administration's focus on information sharing, he said. The agency is now working with agencies whose IT systems are not secure enough to handle NSA's classified information.
&lt;/p&gt;
&lt;p&gt;
  "Information sharing is a work in progress," Turner said.
&lt;/p&gt;
&lt;p&gt;
  Since Sept. 11, NSA offices around the world have been working 24 hours a day, seven days a week. While the around-the-clock schedule has strained NSA's IT workforce, the staff is so dedicated that Turner sometimes can't get workers to go home, he told the group.
&lt;/p&gt;
&lt;p&gt;
  "I became a wartime CIO very quickly," he said.
&lt;/p&gt;
&lt;p&gt;
  Even though NSA's mission is very different from that of other federal agencies, its IT challenges are surprisingly similar, Turner said. In his short tenure as CIO, Turner has focused on bringing strong IT management practices to NSA and on building a capital planning and IT investment review process at the agency. Once projects have been vetted under this process they will be monitored under new performance measures, he said.
&lt;/p&gt;
&lt;p&gt;
  NSA has also committed to outsourcing its IT infrastructure. The agency awarded Project Groundbreaker-an IT outsourcing contract worth between $2 billion and $5 billion-to a contracting team led by Computer Sciences Corp. in July 2001. Turner said NSA is also spending more than before on IT and plans to increase its dependence on commercial, off-the-shelf hardware and software-a major shift for an agency that usually builds its own IT systems.
&lt;/p&gt;
&lt;p&gt;
  Turner has also created a new program office within his organization to focus on contingency planning, business continuity and disaster recovery. He hired a senior executive away from NASA who "lives and breathes" business continuity to head the office.
&lt;/p&gt;
&lt;p&gt;
  For security reasons, NSA doesn't advertise its contracts in the federal government's normal procurement circles. Turner encouraged small businesses in particular to take advantage of procurement orientation sessions held every two weeks at NSA headquarters in Ft. Meade, Md. "There are a lot of good ideas out there we need to know about," he said.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Presidential board asks for feedback on cybersecurity</title><link>https://www.govexec.com/technology/2002/03/presidential-board-asks-for-feedback-on-cybersecurity/11312/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Fri, 22 Mar 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/technology/2002/03/presidential-board-asks-for-feedback-on-cybersecurity/11312/</guid><category>Tech</category><content:encoded>&lt;![CDATA[The President's Critical Infrastructure Protection Board is soliciting advice from the public on how national cybersecurity can be improved.
&lt;p&gt;
  The board, which is headed by Dick Clarke, the president's special adviser on cyberspace security, was created in October by an executive order entitled "Critical Infrastructure Protection in the Information Age." One of the board's primary functions is to draft a national strategy to protect cyberspace. It has put together a &lt;a href="http://www.sans.org/nationalstrategy.php" rel="external"&gt;53-question survey&lt;/a&gt; that offers a preview of what the national strategy will look like.
&lt;/p&gt;
&lt;p&gt;
  The questions focus on all sectors of society in an effort to determine how deeply cybersecurity is integrated into the everyday operations of businesses, private citizens and governments.
&lt;/p&gt;
&lt;p&gt;
  The questionnaire shows that the board is looking at the cybersecurity concerns of home users, small businesses, large corporate enterprises, federal agencies and international governments. The board is also investigating how to enhance the security of the nation's transportation, communications, finance, power and water systems.
&lt;/p&gt;
&lt;p&gt;
  The questions include:
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;What steps should be taken to impress upon home and small business computer users the depth of their cybersecurity responsibilities? Furthermore, should Internet service providers provide more cybersecurity options to their customers?
  &lt;/li&gt;
  &lt;li&gt;What is the most effective way to institutionalize cybersecurity within corporations and various government bodies?
  &lt;/li&gt;
  &lt;li&gt;What cybersecurity events--such as hacks and viral infections--should be reported? To whom should they be reported?
  &lt;/li&gt;
  &lt;li&gt;Is the federal government sufficiently funded for computer security? Should cybersecurity be funded similarly to the federal Year 2000 remediation effort?
  &lt;/li&gt;
  &lt;li&gt;How can critical systems that are connected to the Internet be protected?
  &lt;/li&gt;
&lt;/ul&gt;The board is also concerned about threats posed by company or government insiders. A question on the survey asks, "How can a balance be struck between preventing insiders from damaging the enterprise by misusing its IT systems, and respecting the legitimate privacy concerns of employees?"
&lt;p&gt;
  The questionnaire is posted on the &lt;a href="http://www.sans.org" rel="external"&gt;System Administration, Networking and Security Institute Web site&lt;/a&gt;. SANS, a technology research and education group based in Bethesda, Md., will collect the answers for the board. Responses to the questionnaire are due by April 20, 2002.
&lt;/p&gt;
&lt;p&gt;
  Those who want to help create this national strategy must submit their responses in a prescribed format. Guidelines on how to submit responses are &lt;a href="http://www.sans.org/nationalstrategy.php#level2" rel="external"&gt;online here&lt;/a&gt;.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Senator urges FBI not to eliminate computer security center</title><link>https://www.govexec.com/technology/2002/03/senator-urges-fbi-not-to-eliminate-computer-security-center/11303/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Thu, 21 Mar 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/technology/2002/03/senator-urges-fbi-not-to-eliminate-computer-security-center/11303/</guid><category>Tech</category><content:encoded>&lt;![CDATA[FBI Director Robert Mueller is considering whether to eliminate the National Infrastructure Protection Center, the federal government's central coordinator of information about threats to the nation's transportation, communications, finance, power and water systems, according to a letter obtained by &lt;em&gt;Government Executive&lt;/em&gt;.
&lt;p&gt;
  According to the letter, which Sen. Charles Grassley, R-Iowa, sent to Mueller Tuesday, the FBI director outlined a proposal to dismantle NIPC during a February meeting with the senator. Grassley wrote that Mueller is considering placing one part of NIPC in the FBI's criminal division and another in its counterterrorism/counterintelligence division.
&lt;/p&gt;
&lt;p&gt;
  In a &lt;a href="http://www.nipc.gov/about/pdd63.htm" rel="external"&gt;Presidential Decision Directive&lt;/a&gt; issued in 1998, President Clinton formalized NIPC's role, saying it should "provide a national focal point for gathering information on threats to infrastructures." The directive gives NIPC the authority to coordinate the federal government's response to attacks on elements of the nation's critical infrastructure.
&lt;/p&gt;
&lt;p&gt;
  Grassley said that splitting the center's national security and law enforcement roles would detract from current information-sharing initiatives. Moving NIPC's functions primarily into the criminal division, which investigates criminal acts after they occur, "will only increase the problems NIPC had in the past with quickly analyzing threat information and issuing timely and accurate warnings," Grassley wrote.
&lt;/p&gt;
&lt;p&gt;
  NIPC now gets information from a number of fledgling private sector organizations called information sharing and analysis centers (ISACs). This feedback is important because 90 percent of the nation's critical infrastructure resides in the private sector.
&lt;/p&gt;
&lt;p&gt;
  Private sector sources told &lt;em&gt;Government Executive&lt;/em&gt; that they have been wary of working with a federal organization that is part of the FBI. "People don't like to be asked questions by the FBI," said one source who wished to remain anonymous. Furthermore, the sources said NIPC takes information from the ISACs but rarely provides them with legitimate warnings or analysis in return.
&lt;/p&gt;
&lt;p&gt;
  Grassley said in his letter that Mueller's plan "would destroy the fragile trust between NIPC and the private sector … The broken trust would in turn curtail, if not end, the flow of information from the private sector to the FBI, leaving the bureau essentially blind about threats to critical infrastructure."
&lt;/p&gt;
&lt;p&gt;
  Grassley wrote that his staff has tried for two weeks to get updates about the plan but has received no response. Mueller could make his decision by next week. If he decides to dismantle NIPC, Grassley threatened to introduce legislation that would remove NIPC from the FBI.
&lt;/p&gt;
&lt;p&gt;
  Rumors that the Bush administration has been considering moving NIPC out of the FBI have been circulating for about a year, the sources said. But simply moving NIPC out of the FBI won't solve its information sharing and communication problems. "It's like talking to a brick wall up there," one source said.
&lt;/p&gt;
&lt;p&gt;
  In his letter, Grassley said he "and others in Congress would view implementation of this plan as a classic example of FBI jurisdictional encroachment: diverting funds and personnel from one unit with a clear mission to other units with a very different mission, and laying primary claim to a crime issue that is high profile, second only to terrorism, that many other agencies handle as well." He added, "If you feel the FBI needs more resources to investigate computer and Internet crimes you should make your case to Congress."
&lt;/p&gt;
&lt;p&gt;
  According to an FBI spokesman, the agency will respond to Grassley by March 22, as he requested in his letter.
&lt;/p&gt;
&lt;p&gt;
  "What is under consideration is how the FBI can best coordinate its many cyber functions and how we can maximize our support for NIPC," the FBI said in a statement issued Thursday. The FBI confirmed Mueller met with Grassley and others to discuss NIPC's destiny and said the bureau "will have further discussions before making any final decisions." Furthermore, the FBI said "NIPC has become a vital part of the overall cyber effort, especially with its many ties to the private sector and other agencies."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Expert speaks out against federalizing nuclear security workforce</title><link>https://www.govexec.com/defense/2002/03/expert-speaks-out-against-federalizing-nuclear-security-workforce/11224/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Tue, 12 Mar 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/defense/2002/03/expert-speaks-out-against-federalizing-nuclear-security-workforce/11224/</guid><category>Defense</category><content:encoded>&lt;![CDATA[A proposed legislative mandate to federalize security workers at the nation's 103 operating nuclear power plants will not make nuclear plants any safer, an expert said at a briefing Monday.
&lt;p&gt;
  Like airports, the security of nuclear power plants has been closely scrutinized since the attacks of Sept. 11, and some members of Congress have called for strengthening the nation's nuclear security by federalizing its workforce, much as they federalized airport security.
&lt;/p&gt;
&lt;p&gt;
  But airport security workers and nuclear security officers couldn't be more different, according to Mark Paul Findlay, a former Secret Service agent and current director of security for the Nuclear Management Co., a nuclear power company that owns and operates six nuclear plants in the Midwest.
&lt;/p&gt;
&lt;p&gt;
  At a briefing held by the Nuclear Energy Institute, an association that represents the interests of the nuclear power industry, Findlay noted that most nuclear security employees are professional security officers, with either military or law enforcement backgrounds. Nuclear security officers have a 10 percent yearly turnover rate, and most who leave return to their former law enforcement careers, he said.
&lt;/p&gt;
&lt;p&gt;
  "There is nothing in common between an airport screener and a nuclear security officer," he said, adding, "We don't get the rejects from McDonald's."
&lt;/p&gt;
&lt;p&gt;
  Low pay and high job turnover rates were major factors in the government's decision to federalize airport security workers. Now, to join the federal airport screening force, an applicant must be a U.S. citizen, fluent in English and hold a high school diploma or equivalency certificate or a year of relevant work experience. In addition, pay scales have been boosted to create more of a career path for federal airport security workers.
&lt;/p&gt;
&lt;p&gt;
  Sen. Harry Reid, D-Nev., has sponsored a bill--the 2001 Nuclear Security Act (S. 1746)--that would federalize nuclear security workers. According to a December 2001 report by the Nuclear Energy Institute, there are more than 5,000 nuclear security officers nationwide. The bill would shift these workers to the Nuclear Regulatory Commission, a move NRC Chairman Richard Meserve opposes. The bill is currently in committee, according to a spokeswoman for the Senate Environment and Public Works Committee.
&lt;/p&gt;
&lt;p&gt;
  Findlay said the bill would create dual power structures at nuclear plants, which would be inefficient and unwieldy.
&lt;/p&gt;
&lt;p&gt;
  The nuclear power industry has been on high alert since Sept. 11 and is waiting for the results of the NRC's top-to-bottom security review. The NRC regulates and evaluates security at nuclear power plants. The companies that own and operate the plants are responsible for providing a security force and are required to meet a set of minimum security standards outlined by the agency.
&lt;/p&gt;
&lt;p&gt;
  "Nuclear power plants are safe and secure," Findlay said. "The nuclear power industry had a very robust security program before [Sept. 11] consisting of motivated, dedicated and highly trained paramilitary organizations." Findlay said his security force includes former U.S. special forces operatives and military snipers who train for the eventuality of terror attacks as part of their jobs. Findlay downplayed the risk of terrorists flying a jumbo jet into a nuclear power plant, a threat widely reported in the wake of the Sept. 11 attacks.
&lt;/p&gt;
&lt;p&gt;
  "Nuclear power plants are designed to withstand tremendous trauma," said Donald Long, an independent consultant who is the former security manager for the Oyster Creek Nuclear Generating Station in Lacey Township, N.J., and the Pilgrim Nuclear Power Station in Plymouth, Mass. "The best way to prevent an air strike on a nuclear power plant is to prevent terrorists from ever gaining control of a large airliner."
&lt;/p&gt;
&lt;p&gt;
  Long said the public should be reassured that nuclear plants are built to withstand attacks and that nuclear plant operators are well informed of threats. The CIA, the Defense Department and the FBI provide a steady analysis of potential threats every day to the NRC and nuclear plant operators, he said.
&lt;/p&gt;
&lt;p&gt;
  Nuclear plant operators are also mindful of the potential for cyberattacks. While Findlay said plants do not use "land-line" telephone lines, they are connected to the Internet. Plant operators get information about potential cyberattacks from the FBI. They also report all cyberattacks to the FBI.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Study says federal Web sites need to be easier to use</title><link>https://www.govexec.com/technology/2002/03/study-says-federal-web-sites-need-to-be-easier-to-use/11214/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Fri, 08 Mar 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/technology/2002/03/study-says-federal-web-sites-need-to-be-easier-to-use/11214/</guid><category>Tech</category><content:encoded>&lt;![CDATA[Web sites in the federal government provide the public with high-quality information, but they aren't easy to use, according to a recent study.
&lt;p&gt;
  The Experience Design Group of Andersen's Office of Government Services, a Washington-based consulting firm, tested 25 federal Web sites during November and December 2001 for usability. Andersen chose federal Web sites that had been singled out as "best in class" in e-government studies and awards programs to demonstrate that usability is an area that is often ignored. The sites of most major agencies were surveyed, including those of the Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Justice, Labor, Transportation and Treasury departments. For the study, "&lt;a href="http://www.andersen.com/resource2.nsf/vAttachLU/US_Fedl_Web_Usability_Study/$File/US_Fedl_Web_Usability_Study.pdf" rel="external"&gt;A Usability Analysis of Selected Federal Government Web Sites&lt;/a&gt;," Andersen analyzed the Web sites in four categories: branding, navigation, content and feedback. Branding, which includes visual design and editorial voice, was judged on how well the site's purpose was communicated. A site's contextual cues and other means to access information were judged under the navigation category. Content was judged on how well it was organized for the user, and feedback scores were based on the speed of confirmation and the format of responses. Agencies did well at posting clearly visible logos and other branding insignia, but got low scores on consistent application of branding across their sites. In fact, 68 percent of the sites studied had branding inconsistencies, the report found. For example, Labor Department Web pages displayed at least three separate logos, which could confuse users about the source of the information they are viewing, the report said. Similarly, 80 percent of sites scored poorly on navigation consistency. Forty-four percent did not have consistent global navigation, meaning home page navigation often disappeared or changed on the sites' secondary pages.
The report also said that Web page site maps weren't helpful, with the worst site maps simply displaying an alphabetical listing of topics covered by the site. In addition, 72 percent of the search engines produced search results that did not contain meaningful document titles or clear summaries, and 60 percent of the Web sites studied did not organize their content with the user in mind, "making it difficult for visitors to find information." The report noted that the federal sector has unique factors that contribute to usability problems, such as complicated government regulations and contracting practices and shifting priorities that are based on political mandates. "The focus of Web sites has revolved not around satisfying user needs--which is why sites are built in the first place--but satisfying organizational and political mandates," the report said. In addition, many Internet consultants don't have government contracts because they're so hard to get. "The contracting process often takes so long to muddle through that the time available for effective usability analysis and correction borders on ridiculous," the report said. Furthermore, "portal mania," as the report called it, has contributed to usability problems in the government. "A slick front-end portal that provides cover for underlying sub-sites with poor usability does little to provide users with a better experience," the report noted. "As soon as a user digs one or two levels deep, usability problems surface." The report says Web sites can improve if senior executives understand the impact of poor usability on citizens and employees and develop a consistent Web strategy, which includes standard design elements. The report also urged agencies to be wary of portals. "Avoid them, concentrating instead on solving the underlying problems," the report said. 
Web site usability was the focus of a forum held this week by the Federal Consulting Group, a fee-for-service consulting unit of the Treasury Department. On Thursday, representatives from across government learned ways to measure and improve customer satisfaction with Web sites from usability experts at the Labor Department's Bureau of Labor Statistics.
&lt;/p&gt;
&lt;p&gt;
  Labor Department experts use several techniques to measure usability, including a usability lab that is open to other federal agencies. The lab features a one-way mirror and videotaping equipment that allows researchers to study a user's movements and actions as they perform predetermined Web site tasks. By watching users stumble or speed through tasks, researchers can learn what is and isn't easy to do on their Web sites. Those who attended also had a chance to see a demonstration of a new product from &lt;a href="http://www.foreseeresults.com/ProdOver.html" rel="external"&gt;ForeSee Results&lt;/a&gt; that uses the methodology of the &lt;a href="/dailyfed/1201/121701p1.htm"&gt;American Customer Satisfaction Index&lt;/a&gt; to measure Web site usability and customer satisfaction. Last year, the federal government got its highest score ever on the index, which grades businesses and agencies on customer expectations, perceived quality and perceived value. &lt;em&gt;Katy Saldarini contributed to this report&lt;/em&gt;.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Bill would reform cybersecurity management</title><link>https://www.govexec.com/technology/2002/03/bill-would-reform-cybersecurity-management/11194/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Wed, 06 Mar 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/technology/2002/03/bill-would-reform-cybersecurity-management/11194/</guid><category>Tech</category><content:encoded>&lt;![CDATA[Legislation introduced Wednesday by Rep. Tom Davis, R-Va., would reform the way cybersecurity is managed in federal agencies. The bill would also strengthen the National Institute of Standards and Technology's role in creating security standards for federal agencies.
&lt;p&gt;
  The Federal Information Security Management Act, H.R. 3844, would make the 2000 Government Information Security Reform Act permanent. GISRA required agencies and their inspectors general to conduct program reviews and audits of information security practices and to submit their results to OMB. OMB &lt;a href="/dailyfed/0202/021402j1.htm"&gt;sent its overview&lt;/a&gt; of the security gaps agencies reported to Congress on Feb. 13. OMB is now working with agencies to ensure that the weaknesses exposed in the reports are fixed. FISMA would make this a yearly process.
&lt;/p&gt;
&lt;p&gt;
  FISMA also increases NIST's role in creating cybersecurity standards for the federal government. A spokesman for Davis said the 1987 Computer Security Act and GISRA allow agencies to obtain waivers, effectively freeing them from following NIST's recommendations. FISMA would require agencies to follow NIST's cybersecurity guidance without exception.
&lt;/p&gt;
&lt;p&gt;
  In testimony before the House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations Wednesday, Davis stressed that governmentwide IT initiatives such as electronic procurement, telecommuting, information sharing and e-government are all vulnerable to cybersecurity threats. Since these initiatives are vital to strengthening the federal government's performance, cybersecurity protections must become institutionalized, he said.
&lt;/p&gt;
&lt;p&gt;
  "[My] concerns regarding the pervasive and persistent weaknesses in federal information security management, infrastructure and accountability remain strong," he said.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Uncommon Access</title><link>https://www.govexec.com/magazine/magazine-managing-technology/2002/03/uncommon-access/11088/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Fri, 01 Mar 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/magazine/magazine-managing-technology/2002/03/uncommon-access/11088/</guid><category>Managing Technology</category><content:encoded>&lt;![CDATA[&lt;em&gt;The Common Access Card - a key, an ID, a password, and a signature all in one - unlocks the door to a whole new way of doing business.&lt;/em&gt;
&lt;p&gt;
  While the debate intensifies about whether the country needs a national identification card, the Defense Department is proceeding with an ambitious plan to put high-tech IDs in the hands of its 4 million employees. Soon, all soldiers, sailors, airmen and civilians will access computers, sign out weapons, purchase food, requisition supplies and identify themselves with the simple swipe of a card.
&lt;/p&gt;
&lt;p&gt;
  The Common Access Card, known as the CAC, is equipped with its own memory and a microchip that processes data. Initially, the CAC will replace the current generation of photo ID cards. Members of the armed services have long had official IDs. But now, for the first time, all active duty service members, reservists, Defense civilians and contractors will be issued a standard card. "This is a big change," says Al Edmonds, president of EDS Government Solutions, one of the information technology contractors working on the program. "DoD has always kept military and civilian identification systems very separate."
&lt;/p&gt;
&lt;p&gt;
  In addition to functioning as a photo ID, the CAC works with building access systems. A magnetic stripe on the back of the card holds information about where the holder is allowed to go in military buildings. Most importantly, the CAC carries a set of coded credentials; when it's inserted into a smart card reader, it replaces the computer password, which Defense officials now see as a security risk.
&lt;/p&gt;
&lt;p&gt;
  "There is so much potential in how one uses the Common Access Card," says Mary Dixon, director of the Access Card Office at the Defense Manpower Data Center, the organization that oversees departmentwide personnel programs. Dixon's office is managing deployment of the CACs. She says 163,000 cards have already been issued and that by the middle of 2003, every employee eligible to receive the CAC will have one. Each card costs the department $7.
&lt;/p&gt;
&lt;p&gt;
  Getting millions of cards into the hands of personnel stationed all over the world is no easy task. Defense already has an elaborate system for doling out ID cards. This system, in place at more than 900 installations worldwide, has been updated to issue the new cards and ensure that they are impossible to duplicate and distribute illicitly.
&lt;/p&gt;
&lt;p&gt;
  But there is more to the CAC program than just the cards. The military services must purchase smart card readers and the computer software needed to use the cards. The Navy, for instance, included smart card readers as a basic requirement in the Navy Marine Corps Intranet IT outsourcing contract. Now, as the card readers are deployed, the CAC will open doors to another far-reaching Defense IT effort: the department-wide public key infrastructure (PKI). This is a system for authenticating the identities of computer users, producing electronic signatures and protecting data from prying eyes while in transit over a computer network.
&lt;/p&gt;
&lt;p class="c1"&gt;
  New Applications
&lt;/p&gt;
&lt;p&gt;
  Not all smart cards are created equal, says Ant Allan, a research director at the Gartner Group, a market-research firm based in Stamford, Conn. The term "smart card" is used to refer to two distinct kinds of technology, he says. The first is a simple memory card, which contains a chip on which data can be written and overwritten. The second is a more advanced card that features, in addition to its own memory, a microchip that processes data without help from a personal computer or a smart card reader. This onboard processing is vital for the Defense PKI, which requires users to have a set of special, randomly generated credentials, known as "private keys" and "digital certificates," that are stored on the CAC and never transferred off it. "You never want anyone to have access to the private key," says Dave Wennergren, the Navy's deputy chief information officer and the chair of Defense's smart card senior coordinating group. "Using smart cards to carry digital certificates was a marriage made in heaven."
&lt;/p&gt;
&lt;p&gt;
  When the CAC is issued, a certificate is stored in the card's memory. And because the certificate is tied to the cardholder's identity, CAC issuers demand to see all personnel in person and require multiple forms of identification before creating a new ID card. Gatekeeper computer systems then use the public key certificates to determine which systems the cardholder is allowed to access. For the system to realize its potential, "you have to have applications in place that are able to consume a certificate," says R. Michael Green, director of the Defense PKI Program Management Office and an employee of the National Security Agency. For example, Defense is working to fuse its PKI and its e-mail systems so that e-mails sent from one person can only be opened by the designated recipient. The long-delayed Defense Travel System will be one of the first Defense-wide applications to depend on the PKI. Service members will be able to electronically sign their travel vouchers using the integrated systems, eliminating the need for paper-based signatures. The department "has moved from paper to plastic," Wennergren says.
&lt;/p&gt;
&lt;p class="c1"&gt;
  Card Smart
&lt;/p&gt;
&lt;p&gt;
  Dixon says at least five applications already implemented by the Air Force and the Navy use earlier generations of smart cards. They are being updated to use the CAC and will be models for future smart card uses. One of these is the Standard Asset Tracking (SATS) program, currently in use at 40 Air Force bases worldwide. SATS, which was deployed in 1996, is a paperless supply system created by the Air Force to streamline the aircraft parts requisitioning process.
&lt;/p&gt;
&lt;p&gt;
  "Once the SATS application was supported by the Common Access Card program, there was no need for a stand-alone smart card," says Peter Langworthy, director of the Automatic Identification Technology Center at Northrop Grumman Information Technology, based in Herndon, Va. Northrop Grumman IT built the initial SATS system and is working to replace the custom smart cards with the CAC.
&lt;/p&gt;
&lt;p&gt;
  SATS has already shown the benefits of smart-card technology. Before the system was implemented, Air Force supply clerks were handed a bundle of forms with every delivery of parts. Now, the clerk simply brings along a bar code scanner that doubles as a smart card reader. After the clerk scans a bar code on the product, the requisitioner presents the clerk with a smart card containing information about what supplies he or she is authorized to receive. Finally, the person receiving the supplies must type in a password proving it is their smart card that is being read. This step also serves as an electronic signature.
&lt;/p&gt;
&lt;p&gt;
  Langworthy says recent studies show the SATS system has led to a 96 percent reduction in paperwork. He also says SATS has virtually eliminated supply fraud and prevented certain supplies from being delivered to unauthorized airmen. Finally, the system has cut the time it takes to issue supplies by 81 percent, Air Force officials say.
&lt;/p&gt;
&lt;p&gt;
  As the CAC is used for additional applications, Dixon is looking forward to adding new features. Defense plans to issue cards loaded with biometric data: fingerprints, palm prints, iris scans or facial features. With this extra data, Dixon hopes to double the amount of memory on a CAC from 32 kilobytes to 64 kilobytes.
&lt;/p&gt;
&lt;p&gt;
  Dixon also expects Defense to move beyond magnetic stripe-based building access systems. She says the goal is to install systems that communicate with the CAC from a distance, via radio waves. Such a solution is six months away from being chosen, she says, and three to five years away from full implementation.
&lt;/p&gt;
&lt;p&gt;
  Because each CAC has a life span of only three years, Dixon says that in all the projects her team takes on, they must make sure that what they do "tomorrow will not make what was done yesterday obsolete."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>E-government hits the mainstream, survey says</title><link>https://www.govexec.com/technology/2002/02/e-government-hits-the-mainstream-survey-says/11142/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Tue, 26 Feb 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/technology/2002/02/e-government-hits-the-mainstream-survey-says/11142/</guid><category>Tech</category><content:encoded>&lt;![CDATA[Electronic government has moved from the fringes of society into the mainstream, according to a survey released Tuesday by the Council for Excellence in Government. And most of those polled believe e-government is a key part of the Bush administration's homeland security effort. According to the survey, conducted by polling firm Hart-Teeter for the Council for Excellence in Government last November, 67 percent of adults have access to the Internet, up from 63 percent in 2000. Of this percentage, 77 percent use the Internet very or somewhat often. More than three-fourths of respondents said they had visited a government Web site. "Most Americans now interact with their government online," said Patricia McGinnis, President and CEO of the Council for Excellence in Government, "and have high expectations for the role of e-government in their lives." The way citizens use the Internet now is different than in the past, said Peter D. Hart, CEO of Hart Research. "At this time a year ago, it was as if people were using training wheels," Hart said. Now people are exploring the Internet and actively using online services, he said. Of those who had visited government sites, 57 percent said they had been to federal sites, 54 percent said they had gone to state sites, and 42 percent reported browsing local government sites. "The feds have the lead," Hart said, "but local governments are catching up." 
A year ago, there was a huge gap between the e-government capabilities of the federal government and those of the states and localities, Hart said. "There is no longer a gap," he said. Eighty-six percent of those who had visited federal sites said the sites were helpful. State government sites won the endorsement of 85 percent of respondents, while 79 percent found local sites useful. According to the poll, 67 percent of Americans see e-government as a tool that will better protect the public during the war against terrorism. Ninety percent of those polled favored increased government investment in information-sharing initiatives aimed at apprehending and prosecuting criminals and terrorists. "We're in a new era," Hart said. "We're investing in security and there is a sense that we can't do enough." More than 80 percent of survey respondents said they believe protecting public health and safety should be the top priority of e-government investments, while 77 percent believe national defense and security should be at the top of the priority list. Another 77 percent said they believe e-government will improve the government's "ability to coordinate a response to public health threats." The poll revealed that most Americans are willing to trade elements of their online privacy for increased security. "Privacy is a big issue," said Bob Teeter, president of Coldwater Corp. "But ultimately, the health and safety of the country is what concerns people the most." Still, 69 percent of respondents said they were concerned about identity theft and 64 percent fear hackers will steal their personal information held on government computers. The poll also attempted to gauge e-government's successes. According to 30 percent of those polled, greater accountability was the most important result of e-government. This was followed by 18 percent choosing greater homeland security and 17 percent noting greater access to information. 
Fifteen percent noted more convenient services and 14 percent focused on cost-effectiveness. For the survey, Hart-Teeter called 806 adults at random and 155 known Internet users. The margin for error in the resulting report, "E-Government: To Connect, Protect and Serve Us," is plus or minus 3.5 percent. The report was sponsored by Electronic Data Systems Corp. It is available &lt;a href="http://www.excelgov.org/techcon/0225poll/index.htm" rel="external"&gt;online here&lt;/a&gt;.
]]&gt;</content:encoded></item><item><title>Newly identified security gaps threaten Internet</title><link>https://www.govexec.com/technology/2002/02/newly-identified-security-gaps-threaten-internet/11077/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Fri, 15 Feb 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/technology/2002/02/newly-identified-security-gaps-threaten-internet/11077/</guid><category>Tech</category><content:encoded>&lt;![CDATA[The cybersecurity community scrambled this week to protect nearly every piece of hardware that operates the Internet, as well as local and wide area networks, after a Finnish university discovered widespread security gaps. On Tuesday, the &lt;a href="http://www.cert.org" rel="external"&gt;Computer Emergency Response Team Coordination Center&lt;/a&gt; at Carnegie Mellon University in Pittsburgh warned that programming errors within the Simple Network Management Protocol (SNMP) "may allow unauthorized privileged access [to network hardware], denial-of-service attacks, or cause unstable [network] behavior." SNMP is the most popular protocol in use to manage network devices, such as routers, switches and hubs. "Many of the affected products provide key services to the Internet infrastructure," warned the coordination center. "Large-scale outages of these devices could disable significant portions of the global network." Information concerning these security gaps has already surfaced within hacker communities, the coordination center warned. The FBI's &lt;a href="http://www.nipc.gov" rel="external"&gt;National Infrastructure Protection Center&lt;/a&gt; issued a warning Tuesday alerting system administrators to the possibility of cyberattacks that take advantage of the newly discovered programming errors. 
While there have been no confirmed exploitations of the security gaps yet, "action may be required to prevent the possibility of criminal exploitation by malicious hackers," the alert said. To correct the problems, administrators "will have to make changes to many dissimilar devices located throughout their networks," the Computer Emergency Response Team Coordination Center alert said. To this end, the &lt;a href="http://www.sans.org" rel="external"&gt;System Administration, Networking and Security Institute&lt;/a&gt; announced Thursday it is offering administrators a free SNMP "self-testing tool." According to SANS, nearly "every organization must take action to avoid the widespread vulnerability."
&lt;p&gt;
  System administrators can obtain the tool by e-mailing SANS at &lt;a href="mailto:snmptool@sans.org"&gt;snmptool@sans.org&lt;/a&gt;. As a stopgap measure, system administrators can prevent attacks by turning off SNMP. Or, if SNMP is a required service, administrators should download software security patches developed by software and hardware vendors. SNMP has long been known to be vulnerable to cyberattacks. SANS, the federal Chief Information Officers Council and the National Infrastructure Protection Center included information about a previous set of SNMP vulnerabilities in their second annual list of the &lt;a href="http://www.sans.org/top20.htm" rel="external"&gt;20 most critical internet security vulnerabilities&lt;/a&gt; released last October. The SNMP vulnerabilities were discovered by the Secure Programming Group at Oulu University in Oulu, Finland.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Report stresses management’s role in boosting cybersecurity</title><link>https://www.govexec.com/management/2002/02/report-stresses-managements-role-in-boosting-cybersecurity/11066/</link><description>The Bush administration has pledged to ensure that cybersecurity is a management priority and will devote extra funding to plug the government’s IT security holes, according to a report released Wednesday by the Office of Management and Budget.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Thu, 14 Feb 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/management/2002/02/report-stresses-managements-role-in-boosting-cybersecurity/11066/</guid><category>Management</category><content:encoded>&lt;![CDATA[Based on a review of agencies' self-reported cybersecurity weaknesses, the Bush administration has pledged to ensure that cybersecurity is a management priority and will devote extra funding to plug the government's IT security holes, according to a &lt;a href="http://www.whitehouse.gov/omb/inforeg/fy01securityactreport.pdf" rel="external"&gt;report released Wednesday&lt;/a&gt; by the Office of Management and Budget. The release of the report ends the first round of reporting under the 2000 Government Information Security and Reform Act, which required program reviews and audits of information security practices by agency inspectors general. The first internal reviews were due to OMB by October 2001. OMB sent its overview of the security gaps reported by agencies to Congress Wednesday. According to the report, agencies have a long way to go in fixing their cybersecurity weaknesses. The report emphasized that security is an "essential management function." 
Therefore, it said, program officials-not just security officers and chief information officers-are "primarily responsible for ensuring that security is integrated and funded within their programs and tied to program goals." OMB found six main deficiencies in agency cybersecurity efforts, most of which focus on management rather than technology:
&lt;ul&gt;
  &lt;li&gt;Senior managers do not currently view cybersecurity as a priority. "[Security] is a management function, which must be embraced by each federal agency and agency head," the report said.
  &lt;/li&gt;
  &lt;li&gt;Program officials are not being evaluated on how well they integrate security into their systems. "Virtually every agency response regarding performance implies that there has been inadequate accountability for job and program performance related to IT security," the report said.
  &lt;/li&gt;
  &lt;li&gt;Agencies are doing a poor job of educating their employees about the importance of cybersecurity. "Some agencies and large bureaus reported virtually no security training," the report said.
  &lt;/li&gt;
  &lt;li&gt;Agencies are still working to integrate security into the budget and planning process. "[Agency] officials must ensure [security] is built into and funded within each system and program through effective capital planning and investment control," the report said.
  &lt;/li&gt;
  &lt;li&gt;Agencies are not including adequate security requirements in IT contracts. "Given that most federal IT projects are developed and many operated by contractors, IT contracts need to include adequate security requirements," the report said.
  &lt;/li&gt;
  &lt;li&gt;Security incidents and intrusions are not being detected or reported to interagency security groups. "Far too many agencies have virtually no meaningful system to test or monitor system activity and therefore are unable to detect intrusions, suspected intrusions or virus infections," the report said.
  &lt;/li&gt;
&lt;/ul&gt;OMB used the GISRA findings to justify an increase of approximately $1.5 billion in the federal cybersecurity budget. In fiscal 2002, agencies spent $2.7 billion on cybersecurity. According to the &lt;a href="http://www.whitehouse.gov/omb/budget/fy2003/budget.html" rel="external"&gt;president's fiscal 2003 budget&lt;/a&gt;, which was released last week, agencies are expected to spend about $4.2 billion on cybersecurity in the next fiscal year. In fiscal 2002, the majority of federal agencies reported spending between 2.1 percent and 5.6 percent of their total IT budget on security. Of the 24 largest federal departments and agencies, five reported spending between 7.3 percent and 17 percent of their total IT budget on security. Another five reported spending just 1 percent to 2 percent of their total IT budget on security. For an overview of federal agencies' fiscal 2002 IT spending, &lt;a href="/dailyfed/0202/021402j1side.htm"&gt;click here&lt;/a&gt;. Beyond increased funding, OMB has included cybersecurity as a key component to successful e-government in its &lt;a href="http://www.govexec.com/dailyfed/0202/020402ts1chart.htm"&gt;management scorecard&lt;/a&gt;, a series of grades in five key categories of management included in the budget. In addition, OMB has sent letters to department and agency heads about making cybersecurity a management priority and a key responsibility for employees beyond the IT staff. "Security is the responsibility of every employee in the agency," the report stated. "There must be consequences for inadequate performance." In response to the October 2001 reports, OMB is now requiring agencies to submit plans to correct every cybersecurity weakness reported by the agency, its IG and GAO. Furthermore, OMB is now requiring all large agencies to conduct a "Project Matrix" review. 
Project Matrix is a program developed by the White House's Critical Infrastructure Assurance Office to help with governmentwide disaster recovery planning. The program includes a template to help agencies identify their assets that are critical to the nation's economic and physical security and their dependencies on key services such as power and communications.
]]&gt;</content:encoded></item><item><title>National infrastructures key to military strategy, Defense official says</title><link>https://www.govexec.com/defense/2002/02/national-infrastructures-key-to-military-strategy-defense-official-says/11044/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Mon, 11 Feb 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/defense/2002/02/national-infrastructures-key-to-military-strategy-defense-official-says/11044/</guid><category>Defense</category><content:encoded>&lt;![CDATA[The nation's critical infrastructure is vital to carrying out the nation's military strategy, a senior Defense Department official told technology vendors Tuesday. Just as the United States usually targets other nations' infrastructures when it is at war, so have potentially hostile nations planned to attack infrastructures in the United States, said Jeffrey Robert Gaynor, special assistant for homeland security in the Defense Department's Office of the Deputy Assistant Secretary for Security and Information Operations. "No one attacks their opponent's strengths," he said at a breakfast meeting sponsored by FSI, a McLean, Va.-based IT market research and consulting firm. Whether it is electrical systems in Bosnia or generators in Afghanistan, infrastructure is fair game, Gaynor said. To prove his point, he referred to a 1999 Chinese army publication, &lt;em&gt;Unrestricted Warfare&lt;/em&gt;, which was translated by the Central Intelligence Agency's Foreign Broadcast Information Service. The book sets out a scenario in which the nation's financial, telecommunications, electrical and transportation systems are targeted--a strategy commonly termed "asymmetric warfare." It states:
&lt;div class="c1"&gt;
  "[If] the attacking side secretly musters large amounts of capital without the enemy nation being aware…and launches a sneak attack against its financial markets, then after causing a financial crisis, buries a computer virus…in the opponent's computer system…while at the same time carrying out a network attack against the enemy so that the civilian electricity network, traffic dispatch network, financial transaction network, telephone communications network and mass media network are completely paralyzed, this will cause the enemy nation to fall into a social panic, street riots and a political crisis."
&lt;/div&gt;Speaking before a room of technology vendors in northern Virginia, Gaynor said the nation's critical infrastructure needs to be protected, but more importantly, needs to be able to withstand attacks. "Things are going to get hit," he said. "And people are going to make mistakes. Infrastructures need to be able to take a lickin' and keep on tickin'." Gaynor asked the audience to return to their companies and identify ways to protect "critical nodes," physical locations where numerous services coincide and whose destruction would disrupt national and economic security. "Do it now," he implored. Gaynor said the Defense Department is represented on four of the newly formed Critical Infrastructure Protection Board's 11 subcommittees: physical, national security systems, incident response and emergency preparedness. The White House created the board by executive order in October. Defense also pays attention to the research and development and outreach subcommittees as well, he said, and there are more policy coordinating committees under Homeland Security Director Tom Ridge. "A total of 33 groups are working on these issues," Gaynor said.
]]&gt;</content:encoded></item><item><title>Navy appoints single leader to manage multibillion intranet project</title><link>https://www.govexec.com/technology/2002/02/navy-appoints-single-leader-to-manage-multibillion-intranet-project/11025/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Thu, 07 Feb 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/technology/2002/02/navy-appoints-single-leader-to-manage-multibillion-intranet-project/11025/</guid><category>Tech</category><content:encoded>&lt;![CDATA[The Navy has appointed an admiral to manage the Navy Marine Corps Intranet (NMCI), one of the largest information technology projects in the federal government. NMCI is the name of the Navy's 5-year, $4.1 billion effort to outsource the technology, maintenance and help desk support for more than 350,000 desktops and 200 networks. The Navy awarded the NMCI contract to Electronic Data Systems Corp. in October 2000. Rear Adm. Charles L. Munns, a graduate of the U.S. Naval Academy in Annapolis, Md., currently commands Submarine Group Eight and is expected to begin managing the complex NMCI rollout in mid-February. Munns was involved in the early stages of developing NMCI and will be able to come in and hit the ground running, said Capt. Chris Christopher, the Navy's deputy program executive officer for information technology and director of NMCI services. Until now, the Navy's NMCI decision-making process has been scattered among decision-makers in several offices, including the Program Executive Office-IT, the CIO's office and two other program offices, one in Virginia and another in California, said Christopher. The new NMCI Program Office is intended to streamline authority over the project. "NMCI is very much a groundbreaking effort," Christopher said. "We had to marshal resources from all over the department to create the request for proposals and the contract. 
There was also a huge team required to get the contract awarded. That structure continued after the contract was awarded. It has proved on execution not to be the best management structure. We needed one person in charge of it." EDS has finished converting Naval Air Facility Washington to NMCI and is in the process of testing the project at Naval Air Station Lemoore in California. Next on the list for conversion is Naval Air Station Patuxent River in Maryland.
]]&gt;</content:encoded></item><item><title>OMB coaches technology vendors on how to sell to the government</title><link>https://www.govexec.com/management/2002/02/omb-coaches-technology-vendors-on-how-to-sell-to-the-government/11017/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Wed, 06 Feb 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/management/2002/02/omb-coaches-technology-vendors-on-how-to-sell-to-the-government/11017/</guid><category>Management</category><content:encoded>&lt;![CDATA[A senior Bush administration official coached a select group of technology vendors Tuesday on how to sell to the federal government, which will spend more than $52 billion on information technology in fiscal 2003. "We're clearly going to ramp up the demand for your services," said Mark Forman, associate director for information technology and e-government at the Office of Management and Budget, at a briefing on the fiscal 2003 budget for IT vendors and the press. He warned industry officials that the fiscal 2003 budget reflects a change in how the federal government will purchase IT and IT-related services. "The federal government has become a solutions buyer," Forman said, and is no longer "just putting PCs on desks." Because agencies will purchase $30 billion in "solutions" in fiscal 2003, Forman asked the vendors to bring their best practices to government. Vendors should develop technology solutions to agency performance problems since OMB is grading agencies on how well their IT investments contribute to gains in performance, he said. According to Forman, agencies will soon be in the market for billions of dollars in security products. "There is no question agencies have more security funding. Business cases without security were flunked or put on a watch list," he said. 
Cybersecurity spending is up from $2.7 billion in fiscal 2002 to $4.2 billion in fiscal 2003, largely because of security gaps exposed in the 2000 Government Information Security and Reform Act reports submitted by agencies to OMB, Forman said. The budget also includes $20 million to create a program management office within the Critical Infrastructure Assurance Office. The new management office will oversee the $722 million in homeland security IT projects included in the budget. OMB also used this year's budget process to evaluate the role of CIOs in departments and agencies, Forman said. While some CIOs have gained authority within their agencies and have developed strong IT architectures and capital planning processes, others have not been given their due, he said. OMB will support CIOs who have not been given proper authority and will tell agency leaders that CIOs play a necessary role, he said. He also said the person hired as OMB's deputy director for management will function as the federal government's CIO.
]]&gt;</content:encoded></item><item><title>IT budget invests heavily in homeland security, e-government</title><link>https://www.govexec.com/defense/2002/02/it-budget-invests-heavily-in-homeland-security-e-government/10981/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Mon, 04 Feb 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/defense/2002/02/it-budget-invests-heavily-in-homeland-security-e-government/10981/</guid><category>Defense</category><content:encoded>&lt;![CDATA[The Bush administration's &lt;a href="http://www.whitehouse.gov/omb/budget/fy2003/budget.html" rel="external"&gt;fiscal 2003 budget&lt;/a&gt; will focus much of its proposed $52 billion in information technology spending on homeland security and electronic government. "[The] federal government is likely one of the few organizations planning double-digit percentage IT spending increases in the next year," the budget said. The budget earmarks a total of $38 billion for homeland security. Of that, $21 billion is set aside for five major homeland security goals: supporting "first responders" to emergencies, defending against biological attacks, protecting the nation's borders, improving information sharing among federal agencies and protecting critical infrastructures. The budget would support first responders-fire and police departments and other emergency workers-by designating funds to upgrade emergency communications systems nationwide, "enabling more first responders and their agencies to talk with one another in 'real time,'" the budget says. The Bush administration also wants to build a defense against biological attacks. It has included $591 million to upgrade hospitals with new communications systems and decontamination facilities. Another $392 million would be spent to strengthen the nation's ability to detect and react quickly to a biological attack. 
This includes $202 million "to create a national information management system that links emergency medical responders with public health officials, enables early warning information to be distributed quickly and permits emergency medical care and public health care providers to share diagnostic and treatment information and facilities." Another $157 million will be funneled to public health providers in states and localities to purchase "hardware and assistance to access this information." The administration would spend $380 million "to establish a reliable system to track the entry and exit of immigrants." Finally, the budget recognizes information-sharing and other IT projects as vital to homeland security. It includes $722 million for "improvements to information-sharing within the federal government and between the federal government and other jurisdictions." The administration will buy IT systems that link federal agencies with homeland security responsibilities to information about threats. The budget also proposes creating new systems for providing state and local officials with timely homeland security information. To prepare for cyberattacks, the budget seeks to "unify federal government security and critical infrastructure protection initiatives." To this end, the administration has requested money to hire "approximately 150 FBI special agents and investigative staff to the task of protecting [the nation's] banking, finance, energy, transportation, and other critical systems from disruption by terrorists, including by cyber attack." The budget provides the FBI and the Immigration and Naturalization Service with $155 million to "improve their intelligence-gathering and dissemination capabilities." The budget singles out the FBI for a massive technology upgrade, handing out $186 million for personal computer networks, databases and information-sharing initiatives. 
The FBI's &lt;a href="/dailyfed/0102/012402m1.htm"&gt;outdated computer systems&lt;/a&gt; have been a longstanding managerial problem at the Justice Department. On the e-government front, the administration has chosen to invest in 24 projects aimed at eliminating redundant IT systems across the federal government. By concentrating on IT systems that can be built once and used by many agencies, the Bush administration is trying to "focus federal investments in technology to free up billions of dollars of wasteful federal spending, reduce government's burden on citizens and businesses and improve government operations," the budget states. The e-government projects include streamlining tax filing and providing access to the federal government's geographic information maps from one place. Furthermore, the budget asks the Office of Personnel Management to create a one-stop recruiting site, a single human resources system and a single electronic payroll system for the federal government.
]]&gt;</content:encoded></item><item><title>Systems Failure</title><link>https://www.govexec.com/magazine/2002/02/systems-failure/10862/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Fri, 01 Feb 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/magazine/2002/02/systems-failure/10862/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;em&gt;The Bush Administration has intensified its efforts to protect the nation's critical infrastructure-its transportation, communications, finance, power and water systems.&lt;/em&gt;
&lt;p&gt;
  &lt;img src="/graphics/initials/a.gif" width="19" height="23" alt="a" /&gt; small cadre of administration officials has been working feverishly since Sept. 11 to prevent cataclysmic attacks on America's water, power, transportation, financial and communications systems-the nation's critical infrastructure. Government agencies and industries that provide these key services have intensified efforts to protect the physical components of critical infrastructure-bridges, ports, pipes and power lines. But many observers fear the computers controlling infrastructure remain as vulnerable as ever. They say a new digital arms race has begun.
&lt;/p&gt;
&lt;p&gt;
  The nation's infrastructure is at once so vast, yet so much a part of everyday life, that Americans typically take it for granted. Yet the country depends on the pipes, treatment plants and reservoirs that provide water to homes and businesses; the power plants and wires of the electrical grid; the roads, bridges, signals and vehicles of the transportation system; and the worldwide web of information technology that delivers telecommunications services and permits funds to flow freely among financial institutions. The infrastructure also includes the computer systems that drive these functions.
&lt;/p&gt;
&lt;p&gt;
  "The term 'critical infrastructure' covers just about everything of value in our country," said Sen. Max Cleland, D-Ga., at an Oct. 4 hearing of the Senate Governmental Affairs Committee. What's more, he noted, this array of industries is relying more and more on computer networks, thus opening it to attack from anywhere in the world.
&lt;/p&gt;
&lt;p&gt;
  Politicians and policy-makers fear that a well-coordinated series of cyber and physical attacks directed at the nation's key infrastructure could result in death, destruction and economic disaster. The effects of the Sept. 11 attacks on the telecommunications, financial and transportation industries made clear to the Bush administration and to the nation that protecting critical infrastructure is vital to economic and national security. Fortunately, the administration inherited a federal infrastructure protection architecture that has been around since 1998 and is being integrated into the new homeland security campaign.
&lt;/p&gt;
&lt;p class="c1"&gt;
  Digital Nervous System
&lt;/p&gt;
&lt;p&gt;
  The nation increasingly depends on a digital nervous system, says John Tritak, director of the Commerce Department's Critical Infrastructure Assurance Office (CIAO), which works to increase security in the public and private sectors. As we rely more on technology to support our basic needs, our vulnerability increases, he says.
&lt;/p&gt;
&lt;p&gt;
  Tritak views the Sept. 11 attacks as assaults on the national infrastructure. When two jetliners crashed into the World Trade Center towers in New York, water and electric systems in lower Manhattan were disrupted. Verizon Communications lost a main switch that handled 200,000 phone lines and 3 million data circuits. Trading was halted on the nation's securities markets for four business days. The terrorists' use of four commercial airliners to conduct their attacks left the aviation industry crippled. All this helped push the economy deeper into recession.
&lt;/p&gt;
&lt;p&gt;
  In the months after the attacks, officials feared the nation's 103 nuclear power plants and other components of the nation's physical infrastructure would become terrorist targets. For a time, it seemed those fears were being realized. In October, a drunken man shot the Trans-Alaska Oil Pipeline with a large-caliber hunting rifle, spilling 285,000 gallons of oil onto the Alaskan tundra. In early November, California Gov. Gray Davis warned of a terrorist plot, later disproved, to destroy San Francisco's historic Golden Gate Bridge and other suspension bridges throughout the state. Later that month, the FBI tipped off oil, gas and pipeline companies that could be vulnerable to attack if al Qaeda leader Osama bin Laden or Taliban head Mullah Mohammed Omar were killed or captured by U.S. forces in Afghanistan. Industries responded to such threats by tightening security and posting more guards.
&lt;/p&gt;
&lt;p&gt;
  Although infrastructure remains vulnerable to physical attacks, CIAO's Tritak is most concerned about attacks emanating from cyberspace. Tritak is not worried about the legions of so-called "script kiddies" who deface Web sites. He fears attacks designed to manipulate or cripple infrastructures. A criminal case investigated by the FBI shows just how vulnerable elements of critical infrastructure are to cyberattack. On March 10, 1997, a teen-age boy disabled the Federal Aviation Administration's control tower at the Worcester Regional Airport in Worcester, Mass., for six hours by hacking into a telephone company computer. The same day, the hacker shut down a regional telephone system, which the Justice Department says caused financial damage and threatened public health and safety. At a recent conference on cybersecurity, Martha Stansell-Gamm, chief of the Justice Department's Computer Crime and Intellectual Property Section, revealed that the boy had cracked the telecommunications computer with just seven keystrokes.
&lt;/p&gt;
&lt;p&gt;
  Tritak points out that America's increasing reliance on the Internet to conduct business guarantees a cyberattack would have fearsome results. "Going online is no longer an option," Tritak says. "It's a market imperative." Thus even poorly conceived but extraordinarily destructive e-mail viruses such as ILOVEYOU-which clogged networks and overwrote important computer files in May 2000-can have a withering effect on the economy. The virus caused $6.5 billion in damages in just five days.
&lt;/p&gt;
&lt;p&gt;
  The mounting number of attacks and efforts to break into or disrupt important computer networks and control systems in recent years bolsters the case for stronger cyber defenses. The onslaught of security problems has the ironic effect of preventing systems administrators from plugging holes-they just don't have time. Hackers clearly are taking advantage of systems administrators' inability to keep up. The Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh, which tracks and responds to cyberthreats, reports that in 1988, there were six cyber incidents in the United States, including viruses, worms or cyberattacks. In 1989, that number jumped to 132. In 2000, there were 21,756. In 2001, 52,658 incidents were reported. It is generally accepted that most such incidents never are reported to authorities, so the true numbers are much larger.
&lt;/p&gt;
&lt;p&gt;
  Using software flaws and other means, foreign enemies, terrorists, criminals and even mischievous computer aficionados could destroy or incapacitate the computer systems that operate components of critical infrastructure and debilitate the nation, according to Frank Cilluffo, who testified at the October hearing. Cilluffo is special assistant to the President and adviser for external affairs to the Office of Homeland Security.
&lt;/p&gt;
&lt;p&gt;
  Infrastructure interdependency is another simmering danger. Paula Scalingi, former head of the Energy Department's Office of Critical Infrastructure Protection, says it is hard to tell where one infrastructure ends and another starts. Computers are the linchpin. Electric power companies, for example, depend on telecommunications networks to run their supervisory control and data acquisition systems, which manage and monitor power plants and other key systems, she says. Power companies depend on the Internet, where they buy and sell electric power in real time.
&lt;/p&gt;
&lt;p&gt;
  Interdependence extends well beyond the Internet, however. For example, telecommunications companies can't run their operations unless the electrical grid is healthy. Power, gas, oil and telecommunications companies need water to cool their equipment. All industries rely on transportation to move goods and services. Without electric power, switches, lights, trains, stoplights and many other components of the transportation system couldn't function. In addition, many industries mingle their assets. Power lines and fiber optic cable share the same public rights-of-way. Telecommunications companies install fiber optic lines inside water pipes. Cables and pipes run across bridges.
&lt;/p&gt;
&lt;p&gt;
  "If we have a major physical or cyber disruption-a disruption can take the form of a cyber or physical attack, a systems failure or human error-there is the potential to have a cascading or domino effect," Scalingi warns.
&lt;/p&gt;
&lt;p class="c1"&gt;
  Thinking Ahead
&lt;/p&gt;
&lt;p&gt;
  In 1997, two years after the bombing of the Murrah Federal Building in Oklahoma City, Okla., members of the President's Commission on Critical Infrastructure Protection wrote that while "a satchel of dynamite and a truckload of fertilizer and diesel fuel are known terrorist tools, today, the right command sent over a network to a power generating station's control computer could be just as devastating." What's more, the commissioners found, "the perpetrator would be more difficult to identify and apprehend."
&lt;/p&gt;
&lt;p&gt;
  Brenton Greene, who was a member of that commission, now manages the National Communications System, which ensures that the national telecommunications infrastructure is prepared for emergencies. It was created during the Kennedy administration to guarantee the communications network would survive a nuclear attack. Greene points to the Oklahoma City bombing, which killed 168 people and wounded hundreds more, and the Aum Shinrikyo religious cult's 1995 sarin gas attack in Tokyo's subway system, which killed 12 people and sickened nearly 5,000 others, as events that helped convince the Clinton administration the nation was vulnerable to terrorist attacks. Hoping to preempt future attacks, President Clinton created the infrastructure protection commission in 1996, bringing together veteran defense experts, such as Greene, and representatives from the private sector to investigate how the nation could protect its assets. The commission was the first of its kind and brought together people who had been working on the same issues for years. The commissioners decided to focus on cyberthreats.
&lt;/p&gt;
&lt;p&gt;
  The commission's recommendations helped guide the creation of Presidential Decision Directive 63, signed by Clinton in May 1998. The directive called for a national critical infrastructure protection plan to be implemented by 2003. It assigned federal agencies to protect various infrastructures. The Environmental Protection Agency, for example, drew the task of ensuring the water system is protected, while the Energy Department is the lead on electric power, oil and gas production and storage. Clinton's directive also created two interagency offices, the National Infrastructure Protection Center (NIPC) and the Commerce Department's Critical Infrastructure Assurance Office (CIAO). NIPC, housed at the FBI, coordinates investigations of computer attacks and warns companies and agencies of new cyber risks. The CIAO coordinates public and private sector cyber protection.
&lt;/p&gt;
&lt;p&gt;
  Both offices have suffered from lack of trust and resources, their executives told senators in October. Turf battles between NIPC, CIAO and agencies seeking control of infrastructure protection have been endless. The Clinton directive failed to provide any additional funding, so its implementation has been weak. During the hearing, Sen. Susan Collins, R-Maine, called infrastructure protection "a poorly coordinated program across the breadth of the federal government." She also asserted that the Bush administration's efforts to protect the nation's key industries don't match the risks they face. Jamie Gorelick, a former official at the Defense and Justice Departments who played a significant role in focusing the Clinton administration on critical infrastructure vulnerabilities, testified that the offices charged with protecting critical infrastructure are dwarfed by the size of the problem. There is "no relation between the job and the resources," added Gorelick, now vice chairwoman of Fannie Mae, a federally chartered company that finances home mortgages.
&lt;/p&gt;
&lt;p&gt;
  A case in point: When Scalingi was hired to lead Energy's infrastructure protection effort, she was told to expect a staff of 70 and $30 million to $35 million in funding each year. The office opened with a skeleton crew and has received less than $3 million each year for the last two years. Even so, Scalingi says, Energy was lucky. Other agencies didn't get any money at all to pay for their infrastructure protection work.
&lt;/p&gt;
&lt;p&gt;
  Jeffrey Hunker, the CIAO's first director and now dean of the H. John Heinz III School of Public Policy and Management at Carnegie Mellon University, says that in 1998, the federal government spent less than $1 billion on critical infrastructure protection. In 2001, that figure more than doubled to $2.1 billion. Hunker admits that getting funds from Congress has been difficult, especially because infrastructure-protection spending requests go to each of the 13 appropriations committees. Hunker says Congress members don't understand why so many agencies request funds for what appears to be the same purpose.
&lt;/p&gt;
&lt;p class="c1"&gt;
  Who's in Charge?
&lt;/p&gt;
&lt;p&gt;
  In the wake of the Sept. 11 attacks, the nation's vulnerabilities went under the microscope. As Cleland and his committee colleagues struggled to understand the widely dispersed infrastructure protection efforts within the public and private sectors, it became obvious that one key person was missing from the proceedings: Richard Clarke. Clarke, who has been in charge of infrastructure protection under two Presidents, first under Clinton and now under Bush, was a National Security Council staffer who, until recently, coordinated the nation's counterterrorism and cybersecurity efforts.
&lt;/p&gt;
&lt;p&gt;
  Within days of the hearing, Clarke was named special adviser to the President on cyberspace security. Bush created the position in an October Executive Order, "Critical Infrastructure Protection in the Information Age," which tightly integrates infrastructure protection with the administration's homeland security efforts. The order builds on the structures created by Clinton in Presidential Decision Directive 63 and clearly places Clarke in charge of infrastructure protection. The order created the Critical Infrastructure Protection Board, which Clarke now heads, to coordinate public and private sector protection efforts. Clarke reports to Homeland Security Director Tom Ridge on all domestic matters. When events take an international turn, Clarke reports to Condoleezza Rice, Bush's national security adviser. NIPC Director Ron Dick and the CIAO's Tritak, who now take their marching orders from Clarke, are on the committee.
&lt;/p&gt;
&lt;p&gt;
  Many observers say Clarke, long reputed to be a bureaucratic infighter, is not the most effective person to lead infrastructure protection. Still, these same sources agree Clarke is intelligent, driven and intent on getting things done, not making life easier for other people.
&lt;/p&gt;
&lt;p&gt;
  Much of the heartburn about Clarke centers on what critics say is his obsession with cyberspace. Sources say Clarke repeatedly has pushed for critical infrastructure protection efforts to focus solely on computer systems at the expense of physical threats and the vulnerability created by infrastructure interdependence. Clarke says the Bush administration's critical infrastructure protection effort is 98 percent focused on cyberspace and 2 percent on physical structures that support cyber networks. "If you cut a fiber network with a backhoe, you've done as much damage as a distributed denial of service attack," he says. Clarke also warns of the vulnerability of "critical nodes," physical locations where numerous services coincide and whose destruction would disrupt national and economic security.
&lt;/p&gt;
&lt;p&gt;
  The Defense Information Systems Agency's compound in Arlington, Va., is a critical node. Many of Defense's networks are operated and protected at the location, which also houses the National Communications System, responsible for emergency operation of telephone and data systems, and Defense's Joint Task Force-Computer Network Operations, dedicated to protecting Defense's computer networks and developing information war plans. Soon after the Sept. 11 attacks, the compound's perimeter was lined with orange shipping containers to lessen the effect of a bomb blast. "There are physical locations that have to be hardened and protected," Clarke says. A subcommittee of the Critical Infrastructure Protection Board is working on the problem.
&lt;/p&gt;
&lt;p&gt;
  Clarke's supporters say cyberspace is the nation's weakest front and that physical threats, while dangerous, are well understood. The dissenters worry that an overemphasis on cybersecurity at the expense of protecting physical infrastructure could enable terrorists to succeed in mounting additional, devastating attacks.
&lt;/p&gt;
&lt;p class="c1"&gt;
  A Publicly Private Problem
&lt;/p&gt;
&lt;p&gt;
  Private firms control 90 percent of the U.S. infrastructure, so securing it and the computers that control it requires significant private-public cooperation. Because of this, PDD-63 directed private firms to beef up their protection of infrastructure and computer resources and to share information about vulnerabilities, interdependencies and attacks with their competitors and the federal government.
&lt;/p&gt;
&lt;p&gt;
  One long-standing public-private infrastructure partnership, the National Security Telecommunications Advisory Committee, brings together chief executive officers from the largest telecommunications companies and works with the National Communications System. It also advises the President on telecommunications issues. With that committee in mind, the Clinton directive assigned to industries the task of creating information sharing and analysis centers (ISACs), through which companies could share information about attacks, threats and vulnerabilities. ISACs also are intended to be the FBI's Infrastructure Protection Center's contact for warning industries about potential threats. ISACs now exist for railroad, electric, energy, financial services and information technology companies. In addition to footing the bill for these councils, companies involved have had to be willing to overcome reticence about their own vulnerabilities in order to share information needed to protect national infrastructure.
&lt;/p&gt;
&lt;p&gt;
  Phillip Lacombe, former staff director of the critical infrastructure commission and now president of Veridian Information and Infrastructure Protection, a division of Veridian, an Arlington, Va., information technology company, says the private sector understands cybersecurity better than the federal government does. Industry learned painful lessons from losses sustained as a result of the ILOVEYOU virus, the February 2000 distributed denial of service attacks that knocked online businesses such as Yahoo!, eBay, E-Trade and CNN.com offline, and this summer's Code Red worm, which has been estimated by the FBI to have cost businesses $2.5 billion. Lacombe says businesses took the attacks as a cue to shore up their defenses and have done so at a much faster rate than the federal government has. The attacks also drove many companies previously unwilling to participate in ISACs to the centers. The FBI reports that participation in its InfraGard program, an information sharing organization made up of businesses, academic institutions and state and local governments, has risen by 600 percent since January 2001.
&lt;/p&gt;
&lt;p&gt;
  Still, information sharing hasn't come easily within the councils. Companies are naturally reluctant to reveal sensitive information to their competitors. They also shy from revealing their secrets to Uncle Sam for fear the data could be subject to Freedom of Information Act (FOIA) requests and fall into competitors' hands. Senators Robert Bennett, R-Utah, and Jon Kyl, R-Ariz., have introduced the Critical Infrastructure Information Security Act, which would shield companies that share information on information security and attacks from FOIA requests. Clarke fully supports the legislation. The bill is now in committee.
&lt;/p&gt;
&lt;p&gt;
  Lacombe says ISACs were intended to be a mechanism for logging cyber events and physical threats within and across sectors. But government has no way to pull that information together and comb it for connections to attacks that appear unrelated, he says. At least a structure now exists for sharing information where none existed a few years ago, he says. In addition, the agencies responsible for coordinating protection efforts with industry are raising awareness, suggesting protection methods and identifying vulnerabilities.
&lt;/p&gt;
&lt;p class="c1"&gt;
  Electronic Pearl Harbor
&lt;/p&gt;
&lt;p&gt;
  Some information security and counterterrorism experts worry about a so-called "electronic Pearl Harbor," a series of cyberattacks designed to cripple the nation's economy or increase the chaos and damage associated with a major physical attack. Brenton Greene points to a diagram in the report issued by the President's Commission on Critical Infrastructure Protection. It outlines a real-world nightmare scenario. In 1996, a man sitting at his home in Goteborg, Sweden, disabled most of southern Florida's 911 emergency response systems. Within weeks of the Swede's attack, two bridges collapsed, a municipal water supply was contaminated and FBI agents were frustrated to find their phones jammed. In addition, two regional Internet service providers were crippled, an undersea communications cable was severed and fuel transfer in a pipeline was disrupted. To make matters worse, an entire state lost its phone service, an oil refinery exploded, sending clouds of toxic smoke into the air, and bomb threats forced the evacuation of two office buildings. Was the nation under attack? Greene says officials weren't sure at the time. These days, he says, officials would be just as baffled because the government does not possess a system that can analyze and synthesize seemingly innocuous events to provide proof of coordinated attacks. This means an Osama bin Laden could launch a campaign of physical and cyberattacks without national leaders knowing the incidents were related.
&lt;/p&gt;
&lt;p&gt;
  Does bin Laden have the capability to conduct a cyberwar? Probably not, but his al Qaeda terrorist network does use the Internet to communicate. Al Qaeda members are said to hide messages within e-mails or attached pictures. NIPC has warned that anti-U.S. "hacktivists" could pose a threat. Such cyber protesters are not directly affiliated with al Qaeda, but they have become increasingly opportunistic and dangerous.
&lt;/p&gt;
&lt;p&gt;
  And the experts don't just worry about terrorists, says James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. Foreign states and organized crime also pose cyberthreats, he says. Sources say those planning attacks on U.S. critical infrastructure and its information systems are limited only by their imaginations. Some argue the nation already has been at war for years with terrorists.
&lt;/p&gt;
&lt;p&gt;
  Information warfare expert Stephen Northcutt says hackers from Eastern Europe and former Soviet-bloc countries, particularly Russia and Bulgaria, are especially dangerous and active. Formerly with the Navy and the Ballistic Missile Defense Organization, Northcutt heads the Global Incident Analysis Center at the System Administration, Networking and Security Institute, a research and education organization based in Bethesda, Md. The FBI has nabbed numerous hackers from that region involved in defrauding banks, credit card companies and American consumers. Freelancers and cyber mercenaries, who can do far more damage than just defacing Web sites, are reputed to be up for hire.
&lt;/p&gt;
&lt;p&gt;
  Iraq has quietly been developing a cyber arsenal called Iraq Net since the mid-1990s, according to Yonah Alexander, a senior fellow at the Potomac Institute for Policy Studies, an Arlington, Va., think tank. Alexander, who believes cyberterrorism is a real threat, says Iraq Net consists of more than 100 Web sites located in domains throughout the world. Iraq Net is designed to overwhelm cyber-based infrastructures by distributed denial-of-service and other cyberattacks. "Saddam Hussein would not hesitate to use the cyber tool he has," Alexander says.
&lt;/p&gt;
&lt;p&gt;
  "Bits, bytes, bugs and gas will never replace bullets and bombs as the terrorist weapon of choice," Cilluffo, the homeland security adviser, told Congress in October. But, "while bin Laden may have his finger on the trigger, his grandson may have his finger on the mouse."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>E-Sign on the Dotted Line</title><link>https://www.govexec.com/magazine/magazine-managing-technology/2002/02/e-sign-on-the-dotted-line/10870/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Dean</dc:creator><pubDate>Fri, 01 Feb 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/magazine/magazine-managing-technology/2002/02/e-sign-on-the-dotted-line/10870/</guid><category>Managing Technology</category><content:encoded>&lt;![CDATA[For many students, the senior year of high school is a heady time filled with optimistic visions of a college education. Weekends are filled writing essays, filling out applications, and visiting colleges and universities. Soon enough, even before the giddiness over receiving that acceptance letter has faded, it's time to figure out how to pay for it all. This is where the big business of student loans comes into the picture. In 2001, 8.7 million students got $54 billion in student loans from the Education Department.
&lt;p&gt;
  Historically, the financial aid process started with a thick packet of papers called the Free Application for Student Aid, or the FAFSA. Loan applicants filled out the complicated forms and sent them to the Education Department's Office of Student Financial Assistance (SFA). The agency processed the forms and then sent the applicant a promissory note. After signing those loan papers, students received their money and got on with the vagaries of college life. When they finished college, they began to repay their loans.
&lt;/p&gt;
&lt;p&gt;
  This entire process was paper-based until 1996. That year, SFA introduced the application online, a move that is increasingly popular with a generation of students accustomed to surfing the World Wide Web. The process improved even more in June 2001, when SFA introduced a system enabling students to electronically sign their loan documents without ever touching a sheet of paper. The entire process is cheaper, quicker and easier, Education officials say. And electronic signatures have made the entire revolution possible.
&lt;/p&gt;
&lt;p class="c1"&gt;
  Signed, Sealed, Delivered
&lt;/p&gt;
&lt;p&gt;
  Loan applications on the Web have proved exceedingly popular. In 2000, 690,000 applications were filed online compared with 1.3 million in just the first six months of 2001. To apply for a loan online, a student must register for a personal identification number, or PIN. A simple Web form asks for the student's vital statistics, such as name, date of birth, Social Security number, street address and e-mail address. SFA uses the identification numbers to verify whether students are who they say they are online. The agency has issued more than 13 million PINs.
&lt;/p&gt;
&lt;p&gt;
  After SFA processes a loan request and verifies that a student has enrolled in a college, the office posts on its Web site an electronic, PIN-protected promissory note addressed to that student. Once online, students can type in their PINs. Then, in a 10-step process, they click through each page of loan information, confirming that they have read the digital document and understand their commitment to pay back the loan. The documents are recorded with date and time stamps. At the end of their digital documents, the students type in their PINs once more, to confirm their electronic signatures.
&lt;/p&gt;
&lt;p&gt;
  The SFA then checks the students' PINs and their electronic promissory notes against a new authentication service, the Student Authentication Network (STAN), which functions as an electronic notary. In need of such a service, SFA convinced the loan industry to create the network, which was developed by NCS Pearson Inc., an education software developer based in Eden Prairie, Minn. Launched in June 2001, STAN processed almost 6,000 e-authentications in its first week in operation. SFA pays NCS Pearson 25 cents for each PIN verification.
&lt;/p&gt;
&lt;p class="c1"&gt;
  Power of the E-Pen
&lt;/p&gt;
&lt;p&gt;
  Greg Woods, SFA's chief operating officer, says the agency reengineered the electronic promissory note system in just nine months. "We reengineered the entire system from front to back to be a paperless process," he says. "We knew how to do e-signatures technically. But first, we had to secure a commitment from our lawyers to back up and enforce these electronic processes. We had to be sure we could take an electronic record and convince a judge that in fact the money had been borrowed."
&lt;/p&gt;
&lt;p&gt;
  SFA had to work hand in hand with Education's Office of the General Counsel. "We wanted to be sure the loans would be enforceable and satisfy applicable legal requirements," says an Education lawyer who asked not to be named. Two key laws, the 2000 Electronic Signatures in Global and National Commerce Act, or E-Sign, and the 1998 Government Paperwork Elimination Act, gave electronic signatures legal grounding, the lawyer says.
&lt;/p&gt;
&lt;p&gt;
  E-Sign makes the electronic form of signatures, contracts and other official records legally equivalent to those written on paper. The Office of Management and Budget's guidance for implementing E-Sign says the law "promotes the use of electronic contract formation, signatures and record keeping in private commerce."
&lt;/p&gt;
&lt;p&gt;
  The paperwork elimination law not only calls for the federal government to automate its key processes by 2003, but also to use electronic signatures when possible. And where E-Sign is specific in creating equivalency between the written and electronic worlds, the paperwork law is vague about how agencies should implement electronic signatures. OMB's guidance on the paperwork law affirms that numerous techniques for electronic signatures exist but leaves implementation decisions to the agencies. The key, OMB officials say, is to match the electronic signature mechanism to the level of security and authentication needed. The guidance distinguishes among three types of mechanisms, which "offer varying levels of assurance."
&lt;/p&gt;
&lt;p&gt;
  Shared secrets, at the lowest level of security, consist of PINs and passwords. This is not to suggest PINs and passwords are insecure. Shared secrets are the least technical and most inexpensive of all electronic signature options.
&lt;/p&gt;
&lt;p&gt;
  Biometric technology includes fingerprint, face, palm and retinal scans as well as voice recognition. Where PINs and passwords can be stolen or cracked, it is nearly impossible to replicate human characteristics such as a thumbprint.
&lt;/p&gt;
&lt;p&gt;
  Cryptographic digital signatures, or public key infrastructure (PKI), are at the highest level of security. PKI technology is used to encode data while in transit on a network and depends on digital certificates (electronic identifiers) unique to specific users. A PKI-equipped network can transform basic e-mail into official correspondence. For instance, the National Institute of Standards and Technology uses a PKI to sign and transmit everyday forms such as expense reports and requisitions. The Patent and Trademark Office uses the technology to accept patent applications online from registered patent attorneys.
&lt;/p&gt;
&lt;p&gt;
  Combinations of electronic signature technologies "may provide even higher levels of assurance than single approaches," OMB's guidance states. For instance, biometric devices such as smart cards, which contain microchips that store electronic data to identify their users, also can hold digital certificates used in a PKI.
&lt;/p&gt;
&lt;p class="c1"&gt;
  E-Sign of the Times
&lt;/p&gt;
&lt;p&gt;
  The distinction between using these technologies solely for authentication as opposed to signing official documents online is an important one, says Arabella Hallawell, a senior analyst with the Gartner Group, a Stamford, Conn., market research firm. Authentication verifies one's identity, she says, while e-signatures record and file a person's acceptance of a contract's terms, such as SFA's digital document.
&lt;/p&gt;
&lt;p&gt;
  SFA investigated all the electronic signature options available on the market when building the electronic promissory note. "We looked at smart cards, digital signatures, biometrics," Coleman says. "The bottom line is that a lot of the infrastructure required for those technologies is not there yet. We decided to build on our already existing PIN infrastructure."
&lt;/p&gt;
&lt;p&gt;
  Coleman says it is vital for a project as sweeping as electronic signatures to include an agency's operational, legal and technology staffs. SFA is already beginning to see the benefits of moving so many of its processes online. "In the paper world you have mailing costs, storage costs and retrieval costs," he says. "In the electronic world, once SFA has recaptured the cost of its initial investment, we are betting unit costs will start to go down."
&lt;/p&gt;
&lt;p&gt;
  SFA already is developing a system that will allow graduates to make their monthly loan payments online. Woods wagers that in a year and a half, SFA will have completely automated the student loan process. "Soon, we'll have a process where the student makes first contact, applies, registers at a university, gets their loan package, goes through school and repays their loan with never ever having touched a piece of paper," he says. "I'm not sure [the Government Paperwork Elimination Act] even dreams about that."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>President calls for major technology spending increase</title><link>https://www.govexec.com/management/2002/02/president-calls-for-major-technology-spending-increase/10973/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Shane Harris and Joshua Dean</dc:creator><pubDate>Fri, 01 Feb 2002 00:00:00 -0500</pubDate><guid>https://www.govexec.com/management/2002/02/president-calls-for-major-technology-spending-increase/10973/</guid><category>Management</category><content:encoded>&lt;![CDATA[President Bush will ask for a 15.5 percent increase in spending for information technology in his fiscal 2003 budget, the biggest such increase in at least five years, according to Mark Forman, associate director for information technology and e-government at the Office of Management and Budget. Forman briefed reporters Friday on the government's new priorities for IT spending. Agencies currently spend $45 billion a year on technology products and services. Forman said the president will ask Congress for $52 billion and that spending will be focused on his three primary goals for the nation: winning the war on terrorism, increasing homeland security and revitalizing the economy.
&lt;p&gt;
  Forman said the $52 billion budget request doesn't include funding for intelligence agencies or block grants to state and local governments to help them buy technologies for domestic security. He also said the budget might not fully reflect agencies' spending on technology services, the fastest growing area of federal technology spending.
&lt;/p&gt;
&lt;p&gt;
  The budget will fund more than 900 "major projects" costing a total of $18 billion and more than 2,000 "significant projects" totaling $11.5 billion. In what Forman called an "unprecedented review of the major information systems of the federal government," agencies will receive scores of red, yellow and green to indicate how well they are managing their technology projects.
&lt;/p&gt;
&lt;p&gt;
  Forman also reported that the administration will redesign the &lt;a href="http://www.firstgov.gov" rel="external"&gt;FirstGov Web portal&lt;/a&gt; as part of its e-government strategy this month. The aim of the redesign is to ensure visitors get to the services they need in only three mouse clicks. FirstGov will become a "one-stop point of service," he said, and will no longer serve as a mere search engine.
&lt;/p&gt;
&lt;p&gt;
  Forman said a significant portion of the IT budget's increase is related to cybersecurity, though, as of Friday, the exact amount of the increase was still unknown.
&lt;/p&gt;
&lt;p&gt;
  In November Forman said the federal government spends $2.7 billion on cybersecurity and related critical infrastructure protection activities each year. The cybersecurity increase is intended to support Office of Homeland Security Director Tom Ridge's efforts to ensure national security as well as Richard Clarke's critical infrastructure protection efforts. Clarke is the president's special adviser on cyberspace security and heads federal efforts to secure the computers that control the nation's communications, finance, power, transportation and water systems.
&lt;/p&gt;
&lt;p&gt;
  Forman also attributed the increase in the cybersecurity budget to the stringent reporting requirements of the 2000 Government Information Security and Reform Act, which required agencies to assess and report information about their cybersecurity efforts to OMB. Forman said every IT business case submitted to OMB must provide measures for security. Business cases lacking security plans were returned to agencies for more work.
&lt;/p&gt;
&lt;p&gt;
  Even though the president is asking for more money for cybersecurity, increased funding is not the solution to the government's pervasive security problems, Forman said.
&lt;/p&gt;
&lt;p&gt;
  "When we did a statistical analysis we found that the level of spending is not statistically relative to the quality of a security program," Forman said. "That doesn't mean we need to spend less." Better management leads to security improvements, he said. "We're not going to spend our way out of the computer security problem. The emphasis on security clearly has to be at the management level."
&lt;/p&gt;
]]&gt;</content:encoded></item></channel></rss>