JPL Workers Sue Over HSPD-12 Checks
By Allan Holmes | Friday, August 31, 2007  |  01:43 PM

Scientists and engineers at the Jet Propulsion Laboratory are suing NASA and the California Institute of Technology, which manages JPL, over what they say are unwarranted and overly personal background checks tied to the governmentwide access cards required under Homeland Security Presidential Directive-12, according to an article by the Associated Press.

The lawsuit was filed by 28 plaintiffs, many of whom “have worked on such projects as the Mars rovers, the Galileo probe to Jupiter and the Cassini mission to Saturn, but none are involved in classified work, according to the suit,” AP reports. “It seeks class-action status to represent similar JPL employees.”

The Department of Commerce also has been named in the suit because the department promulgates federal identification standards. To obtain an identification card, which will give employees access to federal buildings and computers, employees must fill out a form asking them about employment history, past residences and any illegal drug use.

More from the article:

The suit claims the directive was concerned "exclusively with the establishment of a common identification standard" and "contemplates no additional background investigation or suitability determination beyond that already required by law."

But according to the lawsuit, the Commerce Department and NASA instituted requirements that employees and contractors permit sweeping background checks to qualify for credentials and refusal would mean the loss of their jobs.

NASA calls on employees to permit investigators to delve into medical, financial and past employment records, and to question friends and acquaintances about everything from their finances to sex lives, according to the suit. The requirements apply to everyone from janitors to visiting professors.

The suit is structured so that it can become a class action suit. Could this just be the tip of the iceberg?


Wis. Debates Power of CIO
By Allan Holmes | Thursday, August 30, 2007  |  12:35 PM

Wisconsin, which has suffered some high-profile government IT project mishaps, is debating whether to elevate its chief information officer to reporting directly to the governor. An independent group called the Task Force on Information Technology Failures spent this year investigating the state's troubled IT management. Among the recommendations in its report released this summer, the task force suggested the state legislature elevate the state CIO (a position now held by Oskar Anderson) to report to the governor. (Right now the state CIO is head of the Division of Enterprise Technology, which is deep within the state's Department of Administration.)

An editorial yesterday in the Wisconsin State Journal argued that elevating the CIO position "should be one of the prime elements in a reform plan responding to a series of costly foul-ups that has plagued efforts to improve the state's computerized data systems."

Although a good idea, it is not the answer to what ails Wisconsin IT. Plenty of public agencies and private-sector companies have a CIO reporting to the head of the company or agency, but IT projects at these organizations still regularly go off the rails. Wisconsin suffers from project management problems, not how much power the CIO has. (Still, elevating the CIO is a great idea if Wisconsin wants to create the management environment in which IT can become a strategic player in helping state agencies meet mission goals and improving state government performance. But that's a totally different discussion.)

What would help state IT projects become more successful, as the editorial points out, is to re-establish the two groups that oversee IT project management. "The reform should encompass an array of other solutions, including re-establishing two dormant oversight panels -- the Legislature's Joint Committee on Information Policy and Technology, and the Information Technology Management Board -- and improving technology project specifications and standards," according to the editorial.

But the recommendations are headed nowhere. The Journal reports that Wisconsin Gov. Jim Doyle (D) is cool to the idea. After all, Doyle killed the cabinet-level IT agency that former Wisconsin Gov. Scott McCallum (R) created and operated from 2001 to 2003. Doyle thought the agency was inefficient.


Chinese: Network-Centric Warfare a Weakness
By Allan Holmes | Thursday, August 30, 2007  |  09:30 AM

For about a decade, the Defense Department has pursued the military strategy of network-centric warfare, the idea of using computers to deliver strategic real-time information to the battlefield and commanders in war rooms. The Chinese think this is a soft underbelly that can be exploited to its advantage, according to an article posted yesterday by The International Herald Tribune. From the article:

[U.S. and other foreign military analysts] cite articles and reports in Chinese military journals and magazines that suggest attacks aimed at extracting intelligence from enemy computer networks or disrupting communication and signals processing could deliver a decisive military advantage.

"It is part of China's concept of unlimited war," said Philip Yang, an expert on the Chinese military and professor of international relations at the National Taiwan University.

"The idea of unlimited war means employing all possible means including nontraditional or nonconventional means in the aim of winning the war."

The article goes on to state, "Chinese defense planners also view cyber warfare as a means of undermining the technological edge of American forces," according to a June report from the U.S.-China Economic and Security Review Commission.

This may not come as big news to U.S. Defense strategists, but the recent tensions over allegations that the Chinese military hacked into computer systems operated by the German government have increased worldwide interest in China's interest in cyberwarfare and its intentions.


Serving Quick Contract Turnarounds
By Allan Holmes | Wednesday, August 29, 2007  |  05:31 PM

The Homeland Security Department's huge agencywide IT services contract, the Enterprise Acquisition Gateway for Leading Edge Solutions (EAGLE) contract, seems to be attracting a good amount of business early in its conception, according to an INPUT analysis. One reason, according to Jeremy Potter, a senior analyst at INPUT who covers DHS, is the contract’s assurance to DHS buyers that it will provide a quick turnaround for customers.

EAGLE contracting officers seem to be meeting their goal. For the first 15 task orders issued on the contract, DHS contractors made a contract award in an average of 30 days, according to Potter. That continues a decline in the time it takes to award IT contracts: the average time to award was 159 days for contracts let between 2000 and 2004, 225 days for contracts let between 1995 and 1999, and 425 days for contracts let between 1990 and 1994, according to INPUT. But Potter says he is not sure whether DHS can keep its turnaround for EAGLE task orders at 30 days if demand for its services increases.


Keeping B-2 Bomber Off Your TV
By Bob Brewin | Wednesday, August 29, 2007  |  01:38 PM

In early flight tests, new radar for the Air Force’s B-2 bomber, which was designed to not interfere with commercial satellite television signals, had technical problems, but the Air Force reports it will solve the problems.

In 2002, the Air Force and B-2 contractor Northrop Grumman started a $900 million program to develop radar that would not interfere with satellites operating in the Ku-frequency band (11.7-12.7 gigahertz) and to upgrade defensive management systems. But the Air Force ran into “technical maturity problems” with the new radar, which could require the B-2 radar to stop using the Ku-band frequencies at a classified “near term” date, according to the House Appropriations Committee report on the 2008 Defense Appropriations bill.

The Air Force is restructuring the radar modernization program, and details will not be finalized until next year, Christopher McGee, a spokesman for the Air Force Aeronautical Systems Center, wrote in an e-mail response to questions. McGee wrote that the design of the radar and the technology it uses is sound.

The Air Force has required Northrop to conduct more development work on the B-2 radar, McGee said, such as developing more capable transmit/receive elements for a relatively large antenna array. Last month, Kenny Linn, Northrop Grumman’s director of business development, said the company is replacing the bomber's mechanically steered radar antenna with an advanced Active Electronically Scanned Array Antenna (AESA). The antenna, under development by Raytheon, consists of 2,000 transmit/receive modules.

Until the new radars go into production and are installed on the aircraft, McGee said the Air Force will continue to operate the legacy B-2 radar on a non-interference basis with primary users throughout the transition.

McGee did not provide a date on when the Air Force expected to complete the radar modernization project.


Can EAGLE Contract Pull DHS Together?
By Allan Holmes | Tuesday, August 28, 2007  |  05:36 PM

One of the biggest challenges that the Homeland Security Department has always faced is creating a "DHS identity" among the thousands of employees working at the disparate 22 agencies that make up the department. If DHS' top management can pull that off, they will encourage agencies to work together and share information, which will lead to more efficiencies in IT.

One way to develop that "oneness" is to create a contract from which all DHS components can buy information technology. The Enterprise Acquisition Gateway for Leading Edge Solutions (EAGLE) contract is supposed to be that contract. Consolidating IT contracts departmentwide into EAGLE (which has a $48 billion spending ceiling) is designed to create a "one DHS view," says Jeremy Potter, a senior analyst with the federal marketing research firm INPUT.

Whether DHS can pull that off using EAGLE is still up for debate, although early indications show the contract is attracting large task orders, according to an INPUT analysis. In a webinar for IT vendors held today, Potter said the EAGLE contract has attracted 49 task orders worth $575 million from DHS agencies. Another $1 billion worth of IT task orders are expected to be submitted to EAGLE in the next 12 months, according to INPUT.

But one webinar attendee asked whether DHS may create a new agencywide contract because the attendee had heard that EAGLE was not popular among DHS contracting officers because its fees were too costly and it didn’t provide enough choices. Potter responded that it was still too early to draw any conclusions on EAGLE's success and added that he had not heard any "rumblings" of a new acquisition vehicle at DHS.


ATF Gun Site Sparks State Finger Pointing
By Allan Holmes | Monday, August 27, 2007  |  05:15 PM

The Bureau of Alcohol, Tobacco and Firearms has released data to the public showing where guns, many of which were used in violent crimes, come from. Now the public can go to the ATF Firearms Trace Data site to find out what kind of guns were used in what kind of violent crime and from which states those guns came. It takes a bit of clicking through the site to find out which states are the biggest suppliers of guns, but it eventually becomes clear: Southern states (namely Texas, Georgia and Virginia) and California.

That information is important to states like New York, according to an editorial in NYDailyNews.com. Of the 6,085 guns traced in New York in 2006, only 29 percent came from a New York gun dealer, according to the ATF gun tracing Web site. The rest of the guns found their way to New York from other states. Those states, in descending order, were: Virginia, Pennsylvania, Georgia, North Carolina, and South Carolina.

ATF is prohibited from releasing the names of the gun dealers in those states, but ATF gives that information to law enforcement agencies -- when they ask for it.

As illustrated by the Daily News editorial, this information could provide the fuel for a hot political fight among states. States that can show guns used in crimes come from other states can begin to demand those states begin cracking down on gun sales.

"By showing where crime guns come from, the figures pinpoint where the authorities must crack down on dealers feeding the flow of illegal weaponry," according to the Daily News editorial. "Past studies determined that 1 percent of dealers account for 55 percent of black-market guns."

That means Virginia and Georgia are going to be the subject of a lot of calls for them to do more to stop illegal gun sales. "According to ATF, weapons sold in Georgia and Virginia were used in crimes in 42 other states last year," according to the Daily News editorial. Virginia may just be getting the message, as an article in the Roanoke [Virginia] Times reveals.

Expect more on this. The gun trade and who's to blame has spilled over into presidential politics, and ATF's online data could only add fuel to the debate.

As an aside, ATF wasn't interested in starting a state feud. According to a Forbes article, ATF Director Michael Sullivan told reporters at ATF headquarters this month when the bureau released the data:

"My biggest concern is we have law enforcement departments out there that believe that they can't get access to [gun] trace information, so they're not even asking for it," Sullivan told reporters at ATF headquarters. "And it's undermining their ability to advance their investigations."

"There's little that I can think of that they've requested that we can't provide to them," Sullivan said.


Can DHS Force Real ID?
By Allan Holmes | Monday, August 27, 2007  |  01:47 PM

Much was made of Homeland Security Department Secretary Michael Chertoff's comment last week that residents of states that fail to follow the Real ID Act's requirement to issue more secure driver's licenses will be required to show a passport to gain entry into state parks, to board airplanes, or to enter any federal building. According to a CNN article:

"This is not a mandate," Chertoff said. "A state doesn't have to do this, but if the state doesn't have -- at the end of the day, at the end of the deadline -- Real ID-compliant licenses then the state cannot expect that those licenses will be accepted for federal purposes."

Just how serious DHS is about requiring these residents to show passports, or how much power the department has to make it happen, is highly questionable, points out security expert Bruce Schneier. In his blog last week, Schneier wrote that Chertoff's threat is "a lot of bluster." Schneier explained, "The federal government just can't say that citizens of -- for example -- Georgia (which passed a bill in May authorizing the Governor to delay implementation of REAL ID) can't walk into a federal courthouse without a passport. Or can't board an airplane without a passport -- imagine the lobbying by Delta Airlines here. They just can't."

Seventeen states have passed legislation opposing the law and other states are considering similar bills. Washington, Vermont and Arizona have already found some common ground.


Identity Giveaway
By Allan Holmes | Friday, August 24, 2007  |  12:19 PM

It's one thing to have a hacker stealthily navigate past your firewall, slither by your intrusion detection software, and fiendishly gain access to a database to steal customers' personal information. It's another to have your operations department just send the information out through the mail.

That's exactly what the California Public Employees' Retirement System, better known as CalPERS, did this month when it sent about 400,000 brochures containing members' Social Security numbers clearly visible through the address window. A CalPERS spokesman downplayed the incident, saying the Social Security numbers printed on the brochure did not have hyphens, making it more difficult to identify the string of numbers as a Social Security number.

CalPERS sent a letter to members apologizing for the mistake and is conducting an investigation to find out why the SSNs were printed on the brochures. The organization also is providing privacy security awareness training for employees.

Hat tip: Pensions and Investments


Northrop Grumman Moving & Storage Co.?
By Bob Brewin | Friday, August 24, 2007  |  11:19 AM

The request by the National Geospatial-Intelligence Agency (NGA) for contractors to move the agency from six locations in the Washington, D.C., area to new digs at Ft. Belvoir, Va., in 2011 has attracted the attention of not only moving and relocation management companies, but also aerospace contractors and systems integrators.

Steve DeLane, business development veep at Alexander's Mobility Services (an Atlas Van Lines affiliate in Baltimore), told me that representatives from Northrop Grumman and Lockheed Martin showed up earlier this month for an informal NGA presentation and walk-through on its requirements for the move.

Delane said the two companies may have been attracted by the requirement that the movers have Top Secret/Special Intelligence/Talent Keyhole clearances, and he wondered if the solicitation was written in such a way as to attract players from outside the moving industry.

If either Northrop Grumman or Lockheed Martin wins the job, they’re going to need a lot of trucks to move 8,500 NGA employees, the contents of their offices and assorted highly classified gadgets and gizmos, Delane said. He estimated it would take about 400 tractor trailer loads to handle the NGA move, which he estimated could take a year and cost about $2 million.

Delane said his company is well positioned to handle the NGA move. Alexander's Mobility Services is currently handling the move of the Army's Military Surface Deployment and Distribution Command from the Washington area to Scott Air Force Base in Illinois. But Delane may be reluctant to bid on the NGA move if a wide range of vendors decide to go after the job.

Katrina Redmond, a spokeswoman for Fox Relocation in Boston, said her company has personnel who can meet NGA’s security requirements, and she added that the agency’s planned move is the kind of work her company does well. However, she didn’t say whether Fox intended to bid on the job.

I have yet to hear back from Northrop Grumman or Lockheed with official word on whether or not they intend to get into the moving business. But after a flurry of calls on this and other stories today, I am convinced I am one of the few people working in the federal space not on vacation this week.


More IRS Phishing
By Allan Holmes | Thursday, August 23, 2007  |  01:38 PM

Federal agencies increasingly have been the subject of phishing scams this summer, and there seems to be no end to it. Below is an email I received late last night in my Outlook inbox. The email successfully eluded the spam filter.

[Image: irs email cropped 2.JPG]

The IRS confirms that the email is a fraud, making it part of the 161 phishing scams that the IRS has identified this year, an IRS spokeswoman says. The IRS has received 14,000 emails from individuals who have forwarded on suspicious looking emails to phishing@irs.gov, a mailbox the IRS set up last year for individuals to send emails that look like they may be scams.

The IRS has issued a number of warnings in the past 18 months alerting individuals to fraudulent emails that claim to come from the IRS.

Phishers are also using the Justice Department and Federal Trade Commission as lures in attacks designed to trick individuals into giving up personal information or downloading malware. The agencies report that the emails look quite sophisticated. However, this email doesn't look professional enough to come from the IRS, although I would hazard to guess that many individuals would be fooled by the official IRS logo and the screened copyright statement at the bottom.

But I'm not too convinced that the IRS would use phrases such as "the last annual calculations of your fiscal activity," and the pedestrian Courier font gives the email more than a hint of illegitimacy.

Again, sadly, it must be working.


OMG, DNI Taps Into Social Networking
By Bob Brewin | Wednesday, August 22, 2007  |  04:47 PM

The members of the 9/11 Commission recommended that the intelligence agencies do a better job of sharing intelligence information. The direct quote from the 9/11 Commission Report: "We propose that information be shared horizontally, across new networks that transcend individual agencies."

Is this what the commission had in mind as a new network? Intelligence agencies say they plan to create "A-Space," a private social networking site modeled on the popular social networking sites MySpace and Facebook.

This is how The Federal Times described it in an article posted yesterday:

The move is the latest part of an ongoing effort to transform the analytical business following the failure to detect the 9/11 terrorist attacks or find weapons of mass destruction in Iraq.

Thomas Fingar, the deputy director of national intelligence for analysis, believes the common workspace – a kind of “MySpace for analysts” – will generate better analysis by breaking down firewalls across the traditionally stove-piped intelligence community. He says the technology can also help process increasing amounts of information where the number of analysts is limited.

A-Space should appeal to younger recruits whom intelligence agencies need to attract. After all, the intelligence agencies are relying on younger employees to develop new ways to fight terrorism, as The New York Times Magazine pointed out in a Dec. 3, 2006, cover article:

[T]hroughout the intelligence community, spies are beginning to wonder why their technology has fallen so far behind — and talk among themselves about how to catch up. Some of the country’s most senior intelligence thinkers have joined the discussion, and surprisingly, many of them believe the answer may lie in the interactive tools the world’s teenagers are using to pass around YouTube videos and bicker online about their favorite bands. Billions of dollars’ worth of ultrasecret data networks couldn’t help spies piece together the clues to the worst terrorist plot ever. So perhaps, they argue, it’s time to try something radically different. Could blogs and wikis prevent the next 9/11?

We'll find out.


Seeking Top-Secret Movers
By Bob Brewin | Wednesday, August 22, 2007  |  03:37 PM

As we all know, moving is a painful experience eased by careful planning. The National Geospatial-Intelligence Agency (NGA) seems to be trying to lessen the pain as much as possible.

The NGA kicked off this week the process for moving 8,500 of its employees, and a whole mess of classified gadgets and gizmos, to new digs at Ft. Belvoir, Va., by 2011.

NGA said in the only procurement notice it plans to issue for the move that it needs a contractor that has the “proven ability to plan, integrate, organize, synchronize and execute a complex sustained, classified move of equipment, materials” and all the NGA personnel and their office stuff from six locations in the Washington, D.C., area to its new 2.4 million-square-foot building.

NGA is looking for more than a bunch of Irish guys with strong backs and a fleet of trucks. The agency says it needs folks to handle the move who are cleared at the Top Secret/Special Intelligence/Talent Keyhole level.

If anyone knows what all the above means, they’re probably a quarter of the way to getting the job.


Are Feds Throwing IT Money Around?
By Allan Holmes | Wednesday, August 22, 2007  |  03:22 PM

It isn't much of a secret that the federal government spends a large portion of its information technology budget in the fourth quarter of the federal fiscal year (July through September). But what may not be so evident is that the fourth quarter, known in federal parlance as "the buying season," is becoming more of a buying frenzy, according to a report released today by the federal market research firm INPUT.

From fiscal 1997 to fiscal 2000, the federal government spent 28 percent of its total IT budget in the fourth quarter, with IT spending fairly even for the rest of the year, according to the INPUT report (purchase required). That percentage increased to 31 percent in fiscal 2001 to 2004, and then increased again to 34 percent in the fiscal 2005 and 2006 period. In fiscal 2007, INPUT projects the federal government will spend one-third of its IT budget in the fourth quarter, equaling 2005-06.

What's happening? INPUT gives two reasons. First, agencies have a spend-it-or-lose-it mentality. Agencies are fearful that Congress may reduce their IT budgets if they do not spend the entire budget before the end of the fiscal year. That means money hanging around at the end of the fiscal year, which typically is a fairly large portion of the budget, must be spent -- and spent quickly.

Second, an increase in continuing resolutions (because Congress can’t pass spending bills on time) means more IT budgets are frozen at levels equal to the previous fiscal year. That means IT spending stays flat. It is frequently months into a new fiscal year before Congress passes the budget for that fiscal year. Because the IT budgets typically increase from year to year, this creates a pent-up demand for IT spending for the fourth quarter. (It would be similar to receiving your annual raise five or six months into the year. All of a sudden, you're flush with money.)

"Operating under a CR, if even briefly, limits the ability of these agencies to move forward on their planned IT investments and often stalls them until the second quarter," according to the INPUT report. "In FY 2007 only the Department of Defense and Homeland Security had their appropriations bills passed by Congress – all other agencies are operating under a year-long joint funding resolution that sets their budgets at 2006 levels with a few exceptions. The full impact of this will not come to light until well into 2008. The current round of 2008 appropriations bills is on a rocky road and may fare no better."

The question that INPUT's research now raises is this: Does the spending spree have any effect on agencies' buying judgment and the value these agencies receive from their purchases? In an email, John Slye, manager of INPUT's federal industry analysis, said, “That’s a great question,” and he tried to answer it this way:

It would stand to reason that when people are up against a deadline that they have less time to weigh value options, although there's probably a point where they would balk at an obviously unreasonable option. Off the top of my head I'm unaware of any studies that explore this, but yeah, if the primary objective is to exhaust the resources, then that probably has a negative impact of value pressure. One thing to consider though is that some buyers may have researched their buy in advance, possibly even lining up proposals with the hopes of getting a green light for the purchase at quarter's end. It's probably fair to say that some of these last minute purchases come as agencies look at their "must-haves" and "nice-to-haves" alongside what money they have left at the end of the year.

Way Under Budget, Way Ahead of Schedule
By Bob Brewin | Tuesday, August 21, 2007  |  03:06 PM

It seems that most federal projects with a lot of zeros in their budget run woefully way behind schedule and way over budget. But the Energy Department’s Sandia National Laboratories proves big projects can come in way under budget and way ahead of schedule.

Sandia said it completed its $516 million Microsystems and Engineering Science Applications (MESA) project $40 million under budget and three years ahead of schedule. Sandia describes MESA as “a major capital construction activity that will create the facilities and equipment required to design, prototype, and fabricate qualified microelectronics and microsystem components for nuclear weapons.”

A Sandia spokesman couldn't -- yet -- offer reasons why the project was completed under budget and ahead of schedule. However, he did say that Sandia bought two old chip wafer machines from Intel for $25 each. The machines were valued at $7 million each.

Sandia plans to dedicate the final building of the project, the Weapons Integration Facility, located on the Sandia campus at Kirtland Air Force Base in Albuquerque, N.M., Aug. 23.

The 400,000 square foot MESA complex – the largest project in the history of Sandia, which started operation in 1945 as an offshoot of nearby Los Alamos National Laboratory – also includes the previously opened Microfabrication Facility and the Microsystems Laboratory.



[Image: mesa microlab.jpg]

MESA Microlab


The Weapons Integration Facility includes laser, electrical, visualization and computer labs and office space for 375 scientists and engineers. Sandia said the MESA complex will produce “hardened” electronic circuits and computer chips that can withstand high levels of radiation to ensure the reliability of nuclear weapons and other capabilities under even the most hazardous of conditions.

Pooh-bahs scheduled to show up for the dedication ceremony this Thursday include Thomas D’Agostino, administrator of the National Nuclear Security Administration, and New Mexico’s senior senator, Pete Domenici.

If Sandia promises a marching band – and how can you open anything without a band – I may show up.


Where the Real Power Is
By Allan Holmes | Tuesday, August 21, 2007  |  02:15 PM

Jared Sandberg, author of the “Cubicle Culture” column in The Wall Street Journal, writes today about how purchasing agents, supply managers or any lower level manager in charge of a process that is elemental to the smooth working of an organization can capriciously exact his or her power to slow down work needlessly.

While the examples in the column are mostly from private-sector firms (although Sandberg offers up one, and a rather funny one at that, from the Navy), one doesn’t need to work too hard to see the parallels to the federal government. What comes quickly to mind are political appointees who hit resistance from career bureaucrats who work with the knowledge that the appointee will be gone in two years anyway, so why change? Also, entrenched IT managers resist consolidating infrastructure and IT processes. The Department of Homeland Security comes to mind as an example.

A quote from the column that is relevant to the government workplace: "'You might have the keys to the kingdom,' human-resources executive Mike Farrell notes, 'but if you don't have the keys to the gate, you're shafted.'"


The Buzz in Tech Insider
By Allan Holmes | Tuesday, August 21, 2007  |  01:01 PM

The Tech Insider comment boxes have been abuzz recently. So you don't miss the latest discussions, we list here a few items that have drawn a lot of attention, along with a choice comment. Click on the link to read more.

Defense Says Bye Bye to EDI

If they're doing one $3,500 contract a year with us, figuring a 5% profit, and they have to spend at least an hour figuring out how to update their CCR registration and another hour or two figuring out how to invoice the thing, pretty soon it's costing them money to sell to us.

The Math Behind VA-Dell PC Deal

In spite of strong opposition and a cost benefit analysis that clearly showed this was a bad deal, the VA proceeded. One has to ask why?

The Feds Who Edit Wikipedia

Wikipedia reminds me of that old joke about the encyclopedias in the Soviet Union with the loose leaf pages.

EPA: Federal Datacenters Can Cut Energy Use

This is not even on the radar screen of the IT group at EPA.

Finally, Payback Time for Spammers

The authors have failed to give credit when they knew better.


Link  | Comments (0)




More Calls for Cameras
By Allan Holmes | Monday, August 20, 2007  |  03:24 PM

Police departments nationwide continue to push their local jurisdictions to provide more surveillance cameras mounted throughout cities to capture images of crowds and traffic in hopes of solving crimes. The latest request comes from Alameda Co., Calif., where the county seat is Oakland. County police chiefs have asked the Alameda County Congestion Management Agency to begin recording the traffic from about two dozen cameras that stream images of traffic on San Pablo Ave., a major thoroughfare through the county, according to an article in The Oakland Tribune.

The police say that if the traffic on the avenue had been recorded (the congestion agency does not store the video streams), they could have identified cars used in crimes and worked from there to identify suspects. Police Chief Scott Kirkland of El Cerrito, Calif., a city on the San Pablo Ave. corridor, says the footage could have helped his department solve the 2005 killings of a gas station clerk, a hamburger stand customer and a teenager, the 2007 killing of a restaurateur, and the killing of a robbery victim last month.

Ever since cameras in London helped police there identify and arrest in June the suspected plotters of the foiled car bomb attacks, many public policy experts have argued for more cameras in U.S. cities. Here's a recent Tech Insider post on the subject.

But privacy advocates have raised concerns, similar to the objections raised in Alameda Co. Privacy advocates there say that if the county's cameras stored the footage, and if the cameras were upgraded so that license plates and other details of the cars and traffic could be viewed, the police may be tempted to use the information for other purposes that infringe on our right to privacy.

An interesting note about the Oakland Tribune article is that no one in the article made the argument against the privacy advocates' position by saying that drivers and pedestrians who have nothing to hide shouldn't worry about the cameras. I bring up again a recent post about a compelling paper (access to paper here) written on that very subject by George Washington University law professor Daniel J. Solove. The paper, "'I've Got Nothing to Hide' and Other Misunderstandings of Privacy," is worth a read and its arguments are too detailed to go into here. One quick quote, however: "The key misunderstanding is that the 'nothing to hide' argument views privacy in a particular way – as a form of secrecy, as the right to hide things. But there are many other types of harm involved beyond exposing one’s secrets to the government."

To find out what those might be, read the paper.


Link  | Comments (3)




Can't Get IT Right for Vulnerable Kids
By Allan Holmes | Monday, August 20, 2007  |  12:19 PM

What is it with computer systems designed to serve the most vulnerable children?

From The Columbus Dispatch, comes another story of a computer system that was poorly developed and puts at-risk kids at even greater risk. The Ohio Department of Job and Family Services last year turned on a new computer system -- the Statewide Automated Child Welfare Information System -- to better track children in foster homes. But when the state began using the system, the foster families who did not have children in their care at the time the system went online were not placed in the foster family database. When children were placed in those families, case workers could not add the family to the computer system. That makes it more difficult to track children put in the care of those families.

As a result, the state runs the risk of losing track of foster children, according to the article. Counties are still being added to the system, but child welfare advocates have called for the state to stop adding counties until the problem can be fixed. The state says an electronic fix is not expected to be available until January, and it doesn't want to stop adding counties to the system because the system already is far behind schedule and over budget. The system has cost $93 million to develop and has had a history of problems and missed deadlines for the past decade, according to the article.

Numerous state and local jurisdictions have been upgrading child welfare systems -- without much success. New York and Philadelphia have reported similar problems with new computer systems developed to better track cases for state child protective services agencies.


Link  | Comments (1)




Sen. Doesn't Buy Small Biz Stats
By Allan Holmes | Friday, August 17, 2007  |  02:43 PM

Sen. John Kerry, D-Mass., chairman of the Committee on Small Business and Entrepreneurship, says he is "cautious" about statistics the Small Business Administration released today on how much business federal agencies are giving small businesses.

The SBA today released its "first-ever Small Business Procurement Scorecard," in which half of the agencies it tracked did not meet their goals for awarding a set percentage of contract dollars to small businesses. Of the 24 agencies graded, 12 were given a red score, indicating they had missed that goal. See all the scores here.

SBA also said it revised its 2005 statistics for how much government business small businesses received. Small businesses received 23.4 percent of the value of all government contracts in 2005, down from the original reported figure of 25.4 percent, according to an SBA press release.

But the report -- along with the revised numbers -- didn't sit well with Kerry. "Despite the federal contracting budget increasing by at least $20 billion last year, the percentage going to small businesses decreased, and the government still isn't counting the whole pie because of special exemptions and exclusions," Kerry said in a statement. "It's critical that we continue to improve the reporting system and count all contracts in calculations so we know the reality on the ground."

That means small businesses are actually falling behind in securing the increasing amount of government work and the problem could be worse. We just don't know because the procurement statistics the federal government keeps are so suspect. SBA says it will continue to work with agencies through its Goaling Program to improve the reporting process for contracts awarded to small business.


Link  | Comments (2)




The Feds Who Edit Wikipedia
By Allan Holmes | Thursday, August 16, 2007  |  02:36 PM

Who is editing most of the entries on Wikipedia, the open online encyclopedia that anyone can edit? For government agencies, NASA wins by a large margin, according to the Web site WikiScanner.

WikiScanner was created by Virgil Griffith, a California Institute of Technology graduate student who is now the talk of the blogging community. Visitors to WikiScanner can search the millions of anonymous Wikipedia edits to find the IP addresses from where the edits originated. You can search by organization name or use a range of IP addresses. You can also search to find the specific edited portion of a Wikipedia entry, but that search function has been disabled for now because the site is experiencing large amounts of traffic.
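The attribution WikiScanner performs is a range lookup: each anonymous edit is logged with the editor's IP address, and an organization's published address blocks let you map the edit back to the network it came from, then count edits per organization or list every edit from a given range. The following Python is an added example of that idea, not WikiScanner's own code; the organization names, CIDR blocks and edit log are constructed sample data, and the real tool used public IP allocation records rather than a hand-written table.

```python
"""Attribute anonymous wiki edits to organizations by IP address range.

Constructed illustration of the WikiScanner idea.  The organizations,
address blocks and edit log below are made-up sample data for this
example; none of it is real.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Hypothetical organization -> address blocks (CIDR).  Constructed sample
# data; a real scan would load public IP allocation records instead.
ORG_BLOCKS: Dict[str, List[str]] = {
    "Example Space Agency": ["192.0.2.0/25", "198.51.100.0/26"],
    "Example City Government": ["203.0.113.0/24"],
}

# Constructed anonymous-edit log: (IP address, article title, edit comment).
EDITS: List[Tuple[str, str, str]] = [
    ("192.0.2.17", "Mars rover", "fixed launch date"),
    ("192.0.2.99", "Mars rover", "removed criticism section"),
    ("198.51.100.5", "Saturn probe", "added mission summary"),
    ("203.0.113.44", "City budget", "reworded paragraph"),
    ("203.0.113.45", "City budget", "removed cost overrun figures"),
    ("2001:db8::1", "Unrelated article", "typo"),          # outside every block
    ("not-an-ip", "Garbage line", "corrupt log entry"),    # must be skipped
]


def compile_blocks(org_blocks: Dict[str, List[str]]):
    """Parse CIDR strings once so each lookup is a cheap membership test."""
    compiled = []
    for org, cidrs in org_blocks.items():
        for cidr in cidrs:
            compiled.append((ipaddress.ip_network(cidr, strict=False), org))
    # Longest prefix first so a more specific block wins over a broader one.
    compiled.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return compiled


def attribute(ip_text: str, compiled) -> Optional[str]:
    """Return the organization whose block contains the address, or None.

    Unparseable addresses (a corrupt log line) return None rather than
    raising, so one bad record does not abort a scan of millions.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, org in compiled:
        if ip.version == net.version and ip in net:
            return org
    return None


def edits_per_org(edits, org_blocks=ORG_BLOCKS) -> Counter:
    """Count attributed edits per organization (the leaderboard view)."""
    compiled = compile_blocks(org_blocks)
    counts: Counter = Counter()
    for ip_text, _title, _comment in edits:
        org = attribute(ip_text, compiled)
        if org is not None:
            counts[org] += 1
    return counts


def edits_from_range(edits, cidr: str) -> List[Tuple[str, str, str]]:
    """Search by address range: every edit whose IP falls inside `cidr`."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = []
    for ip_text, title, comment in edits:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue
        if ip.version == net.version and ip in net:
            hits.append((ip_text, title, comment))
    return hits


if __name__ == "__main__":
    for org, n in edits_per_org(EDITS).most_common():
        print(f"{n:5d}  {org}")
    for hit in edits_from_range(EDITS, "203.0.113.0/24"):
        print(hit)
```

The caveat a practitioner would add: a block attributed to an organization tells you an edit came from that network, not who sat at the keyboard, so a shared proxy, a guest network or a leased block can make the leaderboard count look more damning than it is.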

News organizations worldwide have searched the database to show how organizations have edited Wikipedia entries for political purposes and removed portions of entries that criticize government programs or policies. Here's one from Toronto's Globe and Mail.

The government agencies that WikiScanner credits with more than 1,000 edits to Wikipedia entries are listed below. The number is how many times a computer on that organization's network was used to edit an entry. (What exactly was edited cannot be determined until the WikiScanner edit search function is restored.) Many science-related government agencies make the list, although the departments of Veterans Affairs and Homeland Security and the U.S. House of Representatives rank 2, 4 and 5, respectively.

1. National Aeronautics and Space Administration (nasa.gov) 6,846
2. Department Of Veterans Affairs (va.gov) 4,210
3. Forestry And Fire Protection (ca.gov) 4,148
4. Dept Homeland Security (dhs.gov) 4,081
5. Information Systems U.S. House Of Representatives (house.gov) 3,736
6. National Institutes Of Health (nih.gov) 3,019
7. U.S. Courts (uscourts.gov) 2,869
8. U.S. Dept. Of Agriculture (usda.gov) 2,435
9. City Of New York (nyc.gov) 2,404
10. Salem Public Schools (ct.gov) 2,398
11. U.S. Dept Of Justice (usdoj.gov) 2,189
12. Information Services Division (nd.gov) 2,140
13. U.S. Senate Sergeant At Arms (senate.gov) 1,809
14. Federal Aviation Administration (faa.gov) 1,706
15. NOAA Aircraft Operations Center (noaa.gov) 1,590
16. Dotrspavolpe Center (dot.gov) 1,566
17. Lawrence Livermore Laboratory (llnl.gov) 1,456
18. U.S. Department Of Labor/Employment Standards Admin (dol-esa.gov) 1,449
19. U.S. Environmental Protection Agency (epa.gov) 1,449
20. Internal Revenue Service (irs.gov) 1,290
21. National Park Service (nps.gov) 1,214
22. Library Of Congress Information Technology Services (loc.gov) 1,142
23. Social Security Administration (ssa.gov) 1,134
24. U.S. Patent And Trademark Office (uspto.gov) 1,097
25. Virginia Information Technologies Agency (Vita) (virginia.gov) 1,047

WikiScanner provides "Wired's list of salacious edits" on a stand alone page. The list provides some of the more troublesome edits and from where they originated, including some from government agencies such as "FBI removes aerial images of Guantanamo," according to the salacious edits page.

Some of the edits are written with a pre-pubescent sense of humor, such as one coming from the Defense Network Information Center on the New Orleans Jazz Fest.

Then there are the more serious ones, such as the edit from the Federal Communications Commission on former FCC Chairman Michael Powell, who resigned in 2005. "According to someone at the FCC, they 'Tried to balance the article with a more neutral point-of-view.' You be the judge," according to the salacious page.


Link  | Comments (9)




The Math Behind VA-Dell PC Deal
By Bob Brewin | Thursday, August 16, 2007  |  11:32 AM

Dell Federal said it won a $248 million contract from the Veterans Affairs Department in a deal which names the company as the department’s “exclusive” provider of desktop computers.

Dell said under a three-year lease agreement it will provide the VA with a minimum of 249,000 of its OptiPlex desktop computers and monitors, along with a variety of professional services including deployment, asset management and removal of the PCs – if VA so desires – at the end of the contract.

The math on this deal works out to about $1,000 a box. A quick check of the Dell Web site shows if anyone wanted to buy one OptiPlex PC, the price today runs from $342 to $497 plus another $249 for a monitor and $149 for the Vista operating system.

That puts the total retail price of a Dell OptiPlex PC with software and monitor at $730 at the low end and $995 at the high-end.

I’m sure the number crunchers at the VA view their $1,000 price per box for a three-year lease, with professional services thrown in, as a good deal, but I wonder why they leased instead of buying.

Does VA throw away its computers every three years?

As a side note, Dell's latest customer satisfaction numbers -- as measured by the just-released American Customer Satisfaction Index (and look for the heading "Personal Computers: New Problems for Apple, More Problems for Dell") -- fell "to one of the PC industry's lowest scores with a 74," reported the Austin American-Statesman in Austin, Texas, this week.


Link  | Comments (9)




Defense Says Bye Bye to EDI
By Bob Brewin | Wednesday, August 15, 2007  |  11:18 AM

The Defense Department plans to stop using commercial electronic data interchange (EDI) systems to process payments and instead will require contractors to use the Department’s Web-based Wide Area Workflow - Receipt and Acceptance system.

Defense wrote in an Aug. 14 Federal Register notice that neither the American National Standards Institute X12 EDI nor the Web Invoicing System can process all Defense contract payment requests, and neither can be made available to all government offices and organizations.

Wide Area Work Flow is the only system that can process all payment types. According to a fact sheet from the Defense Business Transformation Agency, it uses a virtual folder that contains the three documents required to pay a contractor: the contract, the invoice and the receiving report.

Wide Area Workflow helps eliminate lots of paper documents, which also can be misplaced, and compresses the contract payment process from weeks to days or minutes, according to the fact sheet.

According to the Federal Register notice, the change in Defense Federal Acquisition Regulations requiring use of Wide Area Workflow will require about 1,000 small businesses to switch to the system – a relatively low number compared with the 20,000 small companies already using it. (Contracting officers can allow the use of other payment systems if they choose.)

Defense said it will take comments on the proposed rule change until Oct. 15. The department said it anticipates that the use of Wide Area Workflow will fully automate its payment process, significantly improve the timeliness of payments and reduce interest charges on late payments.

In 2004, Defense had $206 billion in contract payments subject to the Prompt Payment Act, according to a May 2006 Government Accountability Office report. Out of a pool of some $24 billion in payments the GAO studied, Defense was late in paying an average of 10 percent of the payments to large vendors, while late payments to small vendors ran about 14.5 percent, according to the report.

Since it takes only one hour to learn how to use Wide Area Workflow, according to the Federal Register notice, it seems the rule change will be a boon to small vendors, even though I have yet to encounter any computer program that can be mastered in an hour.


Link  | Comments (8)




More on Vista Security
By Allan Holmes | Tuesday, August 14, 2007  |  03:51 PM

Here's an update on a previous Tech Insider post. This spring, security researcher Joanna Rutkowska said she would show how to break into Microsoft's Vista, a Windows operating system Microsoft claims is its most secure yet.

Rutkowska did just that at the recent Black Hat USA 2007 conference, showing how it is "possible to bypass security measures in Vista that should prevent unsigned code from running," according to a CNET article. "And in a second part of her talk, Rutkowska explained how it is possible to use virtualization technology to make malicious code undetectable, in the same way a rootkit does."

Vista's security has particular significance for the federal government. In March, the Office of Management and Budget mandated agencies follow a standard Microsoft Windows operating system configuration (which may eventually include Vista) to improve information security across government. How much safer the mandate makes government systems is up for debate, with some arguing it won't and others that it will.

As a follow-up to her talk at Black Hat, Rutkowska posted an item on her blog at invisiblethings.org discussing the subject further.


Link  | Comments (1)




Time to Cope with COOP
By Allan Holmes | Tuesday, August 14, 2007  |  03:03 PM

Aviation officials in Los Angeles are pretty steamed at the folks at U.S. Customs and Border Protection.

A computer system used to process international travelers coming into the United States was down for nine hours Saturday, creating a backlog of 17,000 travelers looking to enter the United States, according to a Los Angeles Times article. Thousands of travelers were stranded on planes for hours. According to the article, Steve Lott, chief spokesman in North America for the International Air Transport Association, explained the airport’s frustration with U.S. Customs this way: “Although ‘we understand that computer systems are not perfect, the frustration is why customs had no contingency plan.’"

LAX officials may be on to something. In June 2004, the Federal Emergency Management Agency issued the "Federal Preparedness Circular," which was sent to the "heads of federal departments and agencies.” The circular presents guidance on how agencies can set up a Continuity of Operations (COOP) plan. According to the circular (emphasis added):

It is the policy of the United States to have in place a comprehensive and effective program to ensure continuity of essential Federal functions under all circumstances. ... All Federal agencies, regardless of location, shall have in place a viable COOP capability to ensure continued performance of essential functions from alternate operating sites during any emergency or situation that may disrupt normal operations.

It seems as if most agencies didn't follow FEMA's guidance because on May 9 President Bush issued National Security Presidential Directive 51 and Homeland Security Presidential Directive 20. The directives mandate that agencies develop a COOP plan “to ensure that Primary Mission-Essential Functions continue to be performed during a wide range of emergencies, including … technological … emergencies.”

Bush's directive obviously came too late for international travelers coming through LAX Saturday. So maybe now's a good idea for a COOP plan to be at the top of Jayson Ahern’s to-do list at U.S. Customs. It was just last week that Ahern assumed the position of deputy commissioner for U.S. Customs and Border Protection – the No. 2 position at the agency. That's one bad first week on the job.


Link  | Comments (3)




Gartner: EPA a Paler Shade of Green
By Bob Brewin | Monday, August 13, 2007  |  05:01 PM

Last week, the Environmental Protection Agency issued a report listing ways federal datacenters could reduce the amount of electricity they consume, therefore saving money and reducing greenhouse gases.

In a quick analysis of the report, IT research firm Gartner praises the report by saying it "is bursting with good ideas," but quickly adds that EPA ...

should have made this a stronger call to action, with recommendations that would provide incentives for stakeholders to work at getting closer to the best-practice scenario the report outlines. The U.S. is home to more than 40% of the world’s largest data centers, and most server and processor manufacturers are U.S.-based. The EPA thus had a unique opportunity to provide forceful recommendations that would help to set a worldwide agenda.

Many of the recommendations are based on the principle of "lead and they shall follow," which Gartner believes is too optimistic for this subject.


Link  | Comments (4)




This is Defense Procurement Reform?
By Bob Brewin | Monday, August 13, 2007  |  04:03 PM

It’s as slow as molasses in Colorado Springs in January. That's a good way to describe the progress of the Air Force Space Command’s $800 million Uniform Communications (Uni-Comm) information technology services contract. The contract – once awarded – will provide a single network for 40,000 personnel at Los Angeles and Vandenberg Air Force bases in California, Malmstrom Air Force Base in Montana, F.E. Warren Air Force Base in Wyoming, and Peterson and Schriever Air Force bases in Colorado. Besides voice, video and data networks, the Uni-Comm contract also calls for operation of base land mobile radio systems.

Uni-Comm was originally hatched in December 2005, with a request for proposals slated for this summer and an award date planned by Oct. 1.

But summer is almost over, and the Colorado Springs-based Space Command said Aug. 10 that it does not anticipate issuing the RFP until early or mid-September. The command gave no deadline for awarding the contract.

The Uni-Comm contract, which some vendors view as a Navy Marine Corps Intranet for Space Command, has attracted interest from a wide pool of bidders, including integrators such as CSC, EDS and Lockheed Martin and communications companies such as the federal business unit of Verizon Business.

They probably hope they do not have to wait another two years for the Air Force to award the contract.


Link  | Comments (2)




Bush Touts IT for Vets, Soldiers
By Allan Holmes | Monday, August 13, 2007  |  03:25 PM

President Bush today plugged the use of information technology in the departments of Defense and Veterans Affairs to better manage the health of wounded soldiers returning from Iraq and Afghanistan.

"There's a lot of amazing things taking place here in this facility," Bush said at the Veterans Affairs Medical Center in Washington, D.C. "For example, we saw information technology, health care records that are being passed seamlessly from the Department of Defense to the VA, to make sure that the care providers here have got up-to-date access for each patient."

Bush was accompanied by former Sen. Bob Dole, R-Kan., and Donna Shalala, former secretary of the Department of Health and Human Services under the Clinton Administration. Dole and Shalala co-chaired the President’s Commission on Care for America’s Returning Wounded Warriors, which was put together after news broke about the poor treatment of wounded soldiers from Iraq and Afghanistan. Much of the mismanagement could be traced back to lost health records and disparate, poorly performing health IT systems at both Defense and VA. The commission recommended improving the IT systems managing soldiers' and veterans' electronic health records.

More money for a better system seems like a lock. Bush urged Congress, which returns from recess next month, to send him a bill that would implement the commission's recommendations. Bush said:

Any time there is any doubt in anybody's mind that our veterans are not getting excellent care, then we in government have a duty to deal with those doubts. I have asked [Defense] Secretary [Robert] Gates and Secretary [James] Nicholson to review their respective departments and the interface of their departments -- the Defense Department and the Veterans Department -- to make sure that any doubt as to whether or not a veteran, or one on active duty, gets the best care, does so.

... When [members of Congress] come back in September, we want to work with Congress to pass that which is necessary to make sure that the Dole-Shalala commission recommendations are fully implemented.

Just a few months ago, there was plenty of doubt about the quality of care at Defense and VA, especially coming from soldiers, their families and those inside the departments.

Look for Defense and VA to quickly hire a contractor to build a Web health portal for the two departments, much like what already exists in the private sector.


Link  | Comments (0)




EPA: Federal Datacenters Can Cut Energy Use
By Allan Holmes | Monday, August 13, 2007  |  12:59 PM

The federal government may soon be asked to take a leadership position in reducing the amount of energy that datacenters consume.

According to a report released last week by the Environmental Protection Agency, the federal government, working with the private sector, should develop a standard method to measure how much energy federal datacenters consume; publicly report how much energy each federal datacenter consumes; assess within two to three years which energy-efficient methods can be used; and install cost-effective equipment that reduces energy consumption in each datacenter. EPA found that by following certain best practices (including consolidating servers, purchasing energy-efficient servers, installing energy-efficient fans and coolers, and adopting advanced technologies such as “direct liquid cooling”), federal datacenters could cut up to 80 percent of their electrical demand, saving $510 million a year.

You may wonder why. It turns out that datacenters and servers are using up an increasing amount of electricity to process, store and manipulate the exploding amount of digital data. And that leads to the emission of more greenhouse gases. Datacenters and servers in the United States accounted for 1.5 percent of all electrical consumption in 2006, double the consumption in 2000, according to the EPA report. If unabated, consumption could double again in the next five years with a cost of $7.4 billion. According to the report:

The peak load on the power grid from these servers and data centers is currently estimated to be approximately 7 gigawatts (GW), equivalent to the output of about 15 baseload power plants. If current trends continue, this demand would rise to 12 GW by 2011, which would require an additional 10 power plants.

No information exists for the number of federal datacenters and servers, but the EPA estimates that the federal government accounts for 10 percent of the national consumption of electricity by all datacenters and servers. Therefore, the report concludes:

These forecasts indicate that unless energy efficiency is improved beyond current trends, the federal government’s electricity cost for servers and data centers could be nearly $740 million annually by 2011, with a peak load of approximately 1.2 GW.

EPA submitted its report to Congress as required by Public Law 109-431, which directed the EPA to work with the computer industry to determine whether anything can be done to curtail the energy consumption of federal datacenters and servers.

The trend is clear for federal datacenter operators: Expect some new energy requirements coming from the Hill.


Link  | Comments (3)




UK Defence Restricts Internet Use, Too
By Allan Holmes | Friday, August 10, 2007  |  02:29 PM

The U.S. Defense Department isn't the only military organization that has set strict guidelines on the use of the Internet, particularly for social networking and video sites and for blogging. Britain's Ministry of Defence just issued new guidelines outlining what British soldiers and Defence civilian employees can and cannot do online, according to an article posted by Britain's telegraph.co.uk. According to the article:

Members of the armed forces are ... no longer able to play multimedia computer games or send text-messages, photographs and audio or video material without authorisation from a superior, if the information they use concerns matters of defence.

The rules, circulated by the Directorate of Communication Planning, severely curtail the extent to which servicemen and women can speak publicly about their service.

The regulations say "all such communication must help to maintain and, where possible, enhance the reputation of defence".


Link  | Comments (0)




Fighting Cyberthreats III
By Allan Holmes | Thursday, August 09, 2007  |  03:25 PM

The increase of security threats from the Internet and what to do about them has been a hot topic this month. Cybersecurity expert Seymour Goodman from Georgia Tech was in town this week offering his idea of how to combat cyberthieves and hackers, and researchers at the University of California San Diego plan to give a paper this month on how to counterattack email spam.

Now the Defense Department's Defense Advanced Research Projects Agency (DARPA) has come up with a novel way to monitor malicious activity on the 'net, according to a post in Wired Magazine's Danger Room blog. The problem that Defense faces is it is having a hard time monitoring the increasing Internet traffic for malicious code. And the problem is only getting worse, with Internet traffic doubling nearly every nine months.

So DARPA is turning to what it calls Scalable Network Monitoring, a method of watching the volume of traffic at any point on a network rather than scanning all Internet traffic for known malicious code. The theory is this: If online traffic spikes at any one point, it could indicate that something untoward is occurring and should be investigated.

The theory is based on an analogy to thermodynamics. An increase in activity in a spot raises its temperature. Therefore, an unexpected increase in online activity at one point, say a larger-than-expected flow of outgoing traffic caused by a virus, indicates a "hot spot." The Navy developed the method, which it calls the Therminator.
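As an added illustration of the "hot spot" idea (not the Navy's Therminator or DARPA's Scalable Network Monitoring design, neither of which the post describes beyond the analogy), the following Python compares each host's outbound byte count in a time window against that host's own recent baseline and flags the outliers. The flow records, host names, window size and threshold multiplier are constructed assumptions for this example, not data from the post.

```python
"""Flag traffic 'hot spots' from flow records by comparing each host's
activity in a window against that host's own recent baseline.

Added, simplified volumetric illustration of the idea in the post (a
sudden rise in activity at one point is worth investigating).  It is not
the Navy's Therminator algorithm or DARPA's design.  The flow records are
constructed sample data, not real captures.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow log: (minute, source host, bytes sent outbound).
FLOWS: List[Tuple[int, str, int]] = [
    # host-a: steady for 10 minutes, then a burst in minute 10 (e.g. a mass mailer)
    *[(m, "host-a", 1_000 + 50 * (m % 3)) for m in range(10)],
    (10, "host-a", 250_000),
    # host-b: noisy but stable
    *[(m, "host-b", 5_000 + 400 * (m % 4)) for m in range(11)],
    # host-c: first seen in minute 10, so there is no history to compare against
    (10, "host-c", 90_000),
]


def bytes_per_host_per_window(flows) -> Dict[str, Dict[int, int]]:
    """Aggregate outbound bytes into {host: {window: bytes}}."""
    table: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for window, host, nbytes in flows:
        table[host][window] += nbytes
    return table


def hot_spots(flows, window: int, k: float = 3.0, min_history: int = 5):
    """Return (flagged, unbaselined) for the given window.

    flagged: hosts whose bytes in `window` exceed their own earlier
    mean + k * stdev, so a normally busy host is not flagged for being
    busy, only for being busier than it usually is.
    unbaselined: hosts active in `window` with fewer than `min_history`
    earlier windows; reported rather than silently dropped, since a brand
    new talker can itself be the anomaly.
    """
    table = bytes_per_host_per_window(flows)
    flagged, unbaselined = [], []
    for host, series in table.items():
        current = series.get(window)
        if current is None:
            continue
        history = [v for w, v in series.items() if w < window]
        if len(history) < min_history:
            unbaselined.append(host)
            continue
        mean = statistics.fmean(history)
        stdev = statistics.pstdev(history)
        # A perfectly flat history has stdev 0, which would flag any change
        # at all; floor the spread at 5% of the mean so small jitter passes.
        threshold = mean + k * max(stdev, 0.05 * mean)
        if current > threshold:
            flagged.append((host, current, round(threshold)))
    return flagged, unbaselined


if __name__ == "__main__":
    hot, new = hot_spots(FLOWS, window=10)
    for host, seen, limit in hot:
        print(f"HOT  {host}: {seen} bytes outbound, baseline limit {limit}")
    for host in new:
        print(f"NEW  {host}: no baseline yet")
```

Per-host baselines are what keep this from drowning in alerts on a big network: a mail gateway is always "hot" in absolute terms, but it is only interesting when it departs from its own history. The obvious evasion, a slow exfiltration that never spikes above the threshold, is exactly what a volume-only detector misses, which is why spikes are a trigger for investigation rather than a verdict.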


Link  | Comments (0)




Finally, Payback Time for Spammers
By Allan Holmes | Wednesday, August 08, 2007  |  05:19 PM

Wouldn't it be great revenge to hit spammers who fill up your email inbox with those messages touting low-interest mortgage loans and male enhancement drugs right where they live -- on their Web sites?

You can, according to a paper published by researchers at the University of California, San Diego. While thousands of servers deliver those unwanted solicitations and phishing scams to your inbox, only one Web server typically hosts the site that a user is directed to if they respond to the email, the researchers found.

That means, "'a single takedown of a scam server or a spammer redirect can curtail the earning potential of an entire spam campaign,' write the UCSD computer scientists in their paper accepted for publication at the USENIX Security 2007 conference," according to an article posted by UCSD.

"'The availability of scam infrastructure is critical to spam profitability. Our findings suggest that the current scam infrastructure is particularly vulnerable to common blocking techniques such as blacklisting,' said Geoff Voelker, a computer science and engineering professor at the UCSD Jacobs School involved in the study."

The researchers found that 94 percent of all email scams advertise through an embedded link that is hosted on a single Web server. "Using their new 'spamscatter' approach, the computer scientists studied over 1 million spam messages from a live feed (all the messages sent, over the course of a week, to any email address at a four-letter top-level domain that has no active email accounts). Spamscatter allows researchers to mine emails, identify URLs in real time and follow these links through any redirection mechanisms and on to the Web page on the destination server," according to the article.
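The spamscatter pipeline the article sketches (pull URLs out of spam, follow redirection to the destination server, then group messages by the host that actually serves the scam) is shown below as an added Python example. It is not the UCSD researchers' code. To run offline, the redirect hops are simulated with a hand-written table instead of real HTTP requests, and the messages and host names are constructed sample data; a real crawl would replace `follow` with an HTTP client that stops on the first non-redirect response.

```python
"""Follow the links in spam messages to the server that hosts the scam,
then count how many messages share one destination.

Added illustration of the 'spamscatter' approach described in the post.
Not the UCSD researchers' code.  The redirect hops are simulated with a
hand-written table (REDIRECTS) so the example runs offline; the messages
and hostnames are constructed sample data.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed spam corpus.  Most messages advertise via one embedded link.
SPAM: List[str] = [
    "Lowest mortgage rates!! Apply now http://r1.example-redirector.net/go?id=7",
    "LOW rates! click: http://r2.example-redirector.net/x/22",
    "Pharmacy deals at http://cheap-pills.example/shop/ best prices",
    "Ur account suspended, verify at http://login.bank.example-phish.net/secure",
    "Mortgage rates drop again -> http://r1.example-redirector.net/go?id=8",
    "no link in this one, just text",
    "Deals http://cheap-pills.example/shop/?ref=9 and http://cheap-pills.example/cart",
    "Pills http://cheap-pills.example/x or mortgage http://r2.example-redirector.net/x/22",
    "Click http://loop.example/a now",
]

# Constructed redirect table standing in for the HTTP 30x hops a real crawl
# would follow: each URL maps to the URL it redirects to; absent means final.
REDIRECTS: Dict[str, str] = {
    "http://r1.example-redirector.net/go?id=7": "http://r3.example-redirector.net/t",
    "http://r1.example-redirector.net/go?id=8": "http://r3.example-redirector.net/t",
    "http://r3.example-redirector.net/t": "http://buy-mortgage.example-scam.net/land",
    "http://r2.example-redirector.net/x/22": "http://buy-mortgage.example-scam.net/land?src=2",
    # A redirect loop, which a naive follower would never exit.
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",
}

URL_RE = re.compile(r'''https?://[^\s<>"']+''')


def extract_urls(message: str) -> List[str]:
    """Pull http(s) URLs out of message text, stripping trailing punctuation."""
    return [u.rstrip(".,;)!") for u in URL_RE.findall(message)]


def follow(url: str, redirects: Dict[str, str], max_hops: int = 10) -> Optional[str]:
    """Follow simulated redirects to the final URL; None on a loop or hop overrun."""
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            return None              # redirect loop
        seen.add(url)
        nxt = redirects.get(url)
        if nxt is None:
            return url               # no further redirect: the destination
        url = nxt
    return None                      # exceeded hop budget


def final_hosts(message: str, redirects: Dict[str, str]) -> Set[str]:
    """Destination hostnames reachable from the links in one message."""
    hosts: Set[str] = set()
    for u in extract_urls(message):
        final = follow(u, redirects)
        if final is not None and urlsplit(final).hostname:
            hosts.add(urlsplit(final).hostname)
    return hosts


def scam_hosts(spam: List[str], redirects: Dict[str, str]) -> Counter:
    """Count messages per destination host (a host counts once per message)."""
    counts: Counter = Counter()
    for msg in spam:
        counts.update(final_hosts(msg, redirects))
    return counts


def single_server_fraction(spam: List[str], redirects: Dict[str, str]) -> float:
    """Of messages with a resolvable link, the share whose links all land on one host."""
    with_links = single = 0
    for msg in spam:
        hosts = final_hosts(msg, redirects)
        if hosts:
            with_links += 1
            single += len(hosts) == 1
    return single / with_links if with_links else 0.0


if __name__ == "__main__":
    for host, n in scam_hosts(SPAM, REDIRECTS).most_common():
        print(f"{n:4d}  {host}")
    print(f"single-host share: {single_server_fraction(SPAM, REDIRECTS):.2f}")
```

Two details matter in practice and are handled above: redirect chains can loop or run on indefinitely, so the follower keeps a visited set and a hop budget, and a message with several links may land on more than one server, which is why hosts are counted per message rather than per link. The resulting per-host counts are the takedown target list the paper describes.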

Any reduction in spam not only would make individuals' lives easier to manage, it would help clear the clogged pipes carrying Internet traffic, increasing performance. Studies indicate that 80 percent of all Internet email traffic is spam. Some studies indicate spam traffic accounts for as much as 90 percent of all email traffic.

Determining what, exactly, constitutes a spam site versus someone exercising free commerce and freedom of speech could be the next round. But until then, we can hope this approach can slow down the deluge of email spam.

The researchers will present the peer-reviewed paper Aug. 9 in Boston, at the USENIX Security 2007 conference.

I predict a standing-room-only crowd.


Link  | Comments (5)




Gov. Perdue Knows IT
By Allan Holmes | Wednesday, August 08, 2007  |  10:15 AM

Government Executive has posted items in its Fedblog and Tech Insider blogs about the importance of top executives -- even political leaders -- being at least knowledgeable enough about information technology to know what questions to ask so that IT can help drive agency strategies. The consensus is that executives and political leaders have a long way to go.

But not all political leaders ignore IT. And some are rather tech proficient. Take Georgia Gov. Sonny Perdue (R). In an interview with CIO Magazine, Perdue, who set up a client-server network for his commodities business in the 1970s, talks about the importance of IT to state government and why he hired a CIO with a business background, not a technology background. An excerpt from the interview:

The way I look at [the Georgia Technology Authority, the state's central IT organization] is as somewhat of an IBM Solutions type of agency for the state of Georgia, to help agencies think through their processes, to think through the operations that they need, to help them to define within the context of the state what is the best use of technology.

It's a good bet that Perdue probably uses email, too.



Cybersecurity: Lookin' Bad for the Good Guys
By Allan Holmes | Tuesday, August 07, 2007  |  05:41 PM

The United States, as well as any other nation hooked into the Internet, is losing the battle against cyberthieves and hackers looking to commit crimes and steal sensitive, and possibly classified, information from networks. And it doesn't look like we will be able to improve the situation much in the near future.

That sobering assessment comes from cybersecurity expert Seymour Goodman, who was in Washington, D.C., yesterday at the Hudson Institute to give a talk on securing the Internet. Goodman, a professor of international affairs and computing at the College of Computing at Georgia Tech, was frank about the extremely difficult path nations face in trying to secure the Internet. In fact he was downright apologetic. An excerpt from Goodman's response to a question about how viable his plan to secure cyberspace really is:

The bottom line, and I hope it doesn't sound too defeatist, and I hope it sounds more realist, is we got to do what we can. We got to fight the battle. We are losing it. ... It seems that the bad guys are more innovative, and they bring their innovations into practice much more effectively than we do, and again despite the fact that all the PhDs are on our side. ... We've just got to fight this battle the best way we can. I don't see any silver bullet solutions out there. The NRC [National Research Council] committee said the same thing. We said something nobody in Congress wants to hear, and that is this is going to be a long, tough battle. ... It is going to be a battle that goes on forever. And if we stop fighting the battle, we are going to be in a deeper hole than we now are. I'm sorry I don't have a better answer for you.

Goodman did offer a model on which to build a process to police the Internet: the International Civil Aviation Organization, the members of which must follow certain safety and security guidelines, among other rules. Goodman says the model could work because it is scalable (just about every United Nations member belongs to the ICAO), because its coverage area has increased over time (from general safety to acts against aircraft to acts against the aviation infrastructure), and because it is focused on prevention. The ICAO also has a proven record, reducing the high number of hijackings that occurred in the 1960s and 1970s to nearly zero today. "This thing sorta works," Goodman says.

But at the end of his talk, Goodman admitted that the model might not be a good analogy for cyberspace because of one huge difference: the civil aviation infrastructure is finite. There are a finite number of airplanes, all of which must land at a finite number of airports, all of which are at a fixed, known location. Cyberspace and the number of computers with access to the Internet are increasing, and cyberspace is ubiquitous. It's everywhere. "So it is easier to organize this [civil aviation] case than it is to organize the cybercase," Goodman admits.

So, is it hopeless to try to make the Internet safe? Goodman's response: "We just can't say the cybercase is hopeless."

In other words, we have to believe, despite the enormous odds facing us.

That's not a real encouraging assessment. But then again, Goodman says he'd rather be a realist.

(C-Span broadcast Goodman's talk in its entirety.)



Security Breach at Lab Serious or Not?
By Allan Holmes | Tuesday, August 07, 2007  |  01:22 PM

The Project On Government Oversight (POGO), an independent government watchdog group, claims in a press release that the Energy Department's Los Alamos National Laboratory accidentally released "classified data via email" last week. "The incident, which has been confirmed by the Project On Government Oversight (POGO), is rated among 'the most serious threats to national security,'" according to the press release.

POGO gave no details about the breach or what may have been inadvertently sent in an email.

The Albuquerque Tribune reports that Los Alamos officials acknowledge the breach occurred, but they take exception to POGO's characterization of its seriousness. "An employee inadvertently sent sensitive information onto a lab network that lab spokesman Kevin Roark described as an internal, password-protected system only accessible by employees," according to the article.

The ball is back in POGO's court. Just what did the group confirm?



Cyberspooks Recruit the Enemy
By Allan Holmes | Monday, August 06, 2007  |  06:11 PM

Federal law enforcement and intelligence agencies, as well as the Defense Department, are seeking to convince the perceived bad boys of the computer world (hackers) to join their ranks and fight for good.

Representatives from the National Security Agency, Defense and the FBI attended Defcon in Las Vegas, a three-day information security conference that ended Sunday, according to an article by Australia's The Age. (The conference may be an unlikely place for the feds to recruit, given that the gathering raises money for the Electronic Frontier Foundation, which promotes products and policies that tighten Internet privacy and keep out federal snoops. And you can find conference attendees with names like that of the conference's founder, Jeff "Dark Tangent" Moss.)

Tony Sager, a vulnerability analysis chief for NSA who delivered a talk at Defcon, said the agency hoped that by sharing information with the public it would convince hackers and other "computer wizards" to join them in combating cyber crimes.

How was Sager received? "I'm not sure I can convince them to trust me," he told The Age.



The Rise of the Promotional IT Video
By Allan Holmes | Monday, August 06, 2007  |  05:49 PM

We received in our email inbox last week an announcement from FEMA about a video it recently produced on its Flood Map Modernization program. The 8-and-a-half-minute video, "made its debut at the Association of State Floodplain Managers (ASFPM) Conference in Norfolk, Virginia on June 6, 2007," according to the email. The email said the video "provides valuable information and resources."

The agency gave no specifics about what kind of valuable information and resources the video provides. But one thing is for sure: the video, a flashy production that includes lots of charts and acronyms, promotes FEMA's IT program to upgrade the computer systems that monitor and predict floods.

Who would be interested in such a video? On FEMA's information resource library site, where you can download the Flood Map Modernization Video, FEMA says the audience for the video includes the general public and homeowners; floodplain managers; state, local and tribal representatives; the insurance industry; mapping professionals; FEMA regions; hazard mitigation officers; contractors and vendors.

That's a lot of people. But one group that may have been left out is Congress. IT programs are big money for agencies, and Congress holds the purse strings. Videos help sell the projects.

Other agencies producing glitzy, high-paced videos (with thumping soundtracks) for IT programs include the Coast Guard. The guard developed a video for its $24 billion modernization program Deepwater, in which the Coast Guard lays out the reasons it needs to upgrade its fleet with high-tech boats and planes. The Army, which has become the master at using the video medium to recruit and promote itself, has used its videography skills to develop at least four videos, which use real actors, to promote its $70 billion-plus Future Combat System. (A rather maudlin video called "Safehouse" shows an earnest doctor saving sick children in Southeast Asia.)


Army's "Safehouse" video on Future Combat System


Not surprisingly, NASA, which offers dozens of videos on its Web site, has become quite skilled at the promotional video, too. A video produced by Goddard Space Flight Center doesn't focus on an IT program but rather promotes how numerous NASA technologies have boosted the Maryland economy.

What's the common theme here? Lots of money for IT and, at least for Deepwater and FCS, programs that have been criticized for mismanagement, according to this Government Accountability Office report and this one, respectively.

Does all this promotion work? It just may, as a recent mark up of the fiscal 2008 spending bill for FCS shows.



IG Report Shows Need for Security Training
By Allan Holmes | Friday, August 03, 2007  |  01:31 PM

It shouldn't be surprising that 60 percent of IRS employees fell for a social engineering test, in which employees gave up sensitive computer information to a caller posing as someone from the help desk, according to a report by the Treasury Inspector General for Tax Administration and reported by The Associated Press. This kind of social engineering "attack" is particularly hard to guard against because 1) the contact comes from someone (by phone or email) who already knows your name and other personal details about you and 2) that person poses as a representative of a legitimate office in your organization.

The only real way to fight this kind of spoof is through education, as Government Executive magazine reports in the upcoming Aug. 15 issue. Look for the issue in your mailbox soon. In the meantime, here's an excerpt from the article, which appears in the Managing Technology column:

The most effective defense [against social engineering attacks] is education, security experts say. Agencies must train computer users to spot fraudulent e-mails [and phone calls] and resist replying to them. Educating includes “inoculation,” intentionally setting a spear phishing trap by sending out a false e-mail to a group of employees to see who takes the bait, according to Alan Paller, director of research at the SANS Institute of Bethesda, Md., which manages the Internet Storm Center and tracks cyberthreats. IT managers contact employees who replied or opened an attachment and teach them what to look for in a fake e-mail. Mistakes sometimes are the best teachers, Paller says. He estimates that spear phishing attacks on government number only in the low hundreds, but says the threat should not be taken lightly. It takes only one successful attempt to create a lot of damage.

In its report, the Treasury IG office recommends the same course of action:

The Chief, Mission Assurance and Security Services, should continue security awareness activities to remind employees of the potential for social engineering attempts and the need to report these incidents to the IRS computer security organization, conduct internal social engineering tests on a periodic basis to increase employees’ security awareness and the need to protect usernames and passwords, and coordinate with business units to emphasize the need to discipline employees for security violations resulting from negligence or carelessness.

What's disconcerting about this approach is that training rarely gets the attention it needs to be effective. It is almost always one of the first line items cut from a tight budget, and agency IT budgets are tighter than they have ever been. Training also gets shortchanged when staffing is low, leaving employees little time away from regular work to attend training classes or even to read training materials. Yet against this particular attack, training is the only defense: firewalls and intrusion detection systems don't stop an employee from reading a password to a caller who sounds like the help desk.

Do you see any efforts to increase information security training in your agencies?



IT to Support Bridge Collapse Investigation
By Allan Holmes | Friday, August 03, 2007  |  01:27 PM

Investigators with the National Transportation Safety Board will use a video of the collapse of the Interstate 35 bridge in Minneapolis, Minn., and a computer model of the bridge to help determine what possibly caused the bridge to collapse. A "Federal Highway Administration employee had produced an exact computer-software model of the I-35W bridge when he was a Ph.D. candidate at the University of Minnesota," according to a Seattle Times article. "The model will be used in a failure-analysis study to map out every edge and surface of the 1,900-foot structure, with the goal of pinpointing what went wrong, officials said."



Putin Won’t Like This Budget Language
By Bob Brewin | Friday, August 03, 2007  |  09:49 AM

Russian President Vladimir Putin all but threatened this summer to restart the Cold War over plans by the United States to install missile interceptors in Poland and radars in the Czech Republic to counter potential missile attacks launched by Iran.

Putin said if the United States goes ahead with its plans to install a missile shield in Eastern Europe, Russia would retaliate by aiming missiles at Europe. “Of course, we will have to get new targets in Europe,” Putin said.

The Russian president followed up with a proposal to add a Russian radar system to the U.S. missile shield when he met in July with President Bush in Kennebunkport, Maine. “In this case there would be no need to place any more facilities in Europe, such as the radar in the Czech Republic and the missile base in Poland,” Putin said.

Bush did not buy that, and the Missile Defense Agency (MDA) is moving forward with a five-year, $4 billion project to build a missile interceptor site in Poland and a mid-course radar site in the Czech Republic, according to the report on the House version of the 2008 Defense bill, which the House Appropriations Committee passed last week.

MDA asked for $310 million in funding for the European sites, but the House committee, maybe in a nod to Putin, slashed that by $139 million "given the uncertainty surrounding the program as of this writing," according to the report.

The committee also pointed out that the MDA's five-year projected budget ignores other funding issues, including infrastructure costs for barracks, family housing and personnel costs for manning the new facilities.

Hey, when you’re putting together a $4 billion system it’s easy to forget some of the minor details such as personnel and housing.



Process, Not Technology, Threatens Passport Security
By Allan Holmes | Thursday, August 02, 2007  |  11:28 AM

Not that we need reminding, but a report recently released by the Government Accountability Office on the security of passports and border crossing cards illustrates, yet again, that most security vulnerabilities are not caused by something lacking in the technology. Rather, it's an organization's business processes, such as a lack of training, that pose the gravest threats.

In its report "Border Security: Security of New Passports and Visas Enhanced, but More Needs to Be Done to Prevent Their Fraudulent Use," GAO concludes that the State Department "has added technical features and security techniques to the design and production of [electronic passports, introduced in 2005, and advanced visas, introduced in 2002] that make it much harder to counterfeit or alter new generations of passports and visas."

The threat, GAO reports, comes from government employees. For example, State Department passport acceptance agents, employees who accept the documents needed to apply for a passport or visa, have committed serious errors, such as:

important information missing from documentation, such as evidence of birth certificates an