May 12, 2013 By Bill Schrier
In the face of continuing breaches, what are Governments to Do?
The depressing news made headlines in Washington State and nationwide last week – the Washington State Courts systems had been hacked, and about 160,000 social security numbers and the information from a million driver's licenses was potentially exposed to hackers. This announcement was almost coincident with the news of $45 million stolen from the world’s cash machines, a problem with weak security in several private banks.
Plenty of similar news abounds – South Carolina's Department of Revenue had a data breach which affected 6.4 million businesses and residents and has cost the state $25 million, so far. The State of Utah had the personal information (social security numbers, healthcare information, etc.) of 780,000 residents compromised in 2012. Indeed, 21 million people have had their health records lost or stolen or breached in the last three years, and millions more have been victims of identity theft, loss of credit card or personal financial information, and similar issues. Even law enforcement is not immune, as the Salt Lake City police department itself was hacked and information lost in early 2012, and the Honolulu Police Department revealed a breach this past week as well.
Believe me, these reports are just the tip of the iceberg in terms of lost or breached data in government and the private sector.
What's a government to do?
I have several practical suggestions:
1. Hang together, don't hang separately.
In every government, departments are silos. Each department wants to assert its independence from the others and manage its own data, technology and IT systems. At another level, there are three branches of government - judicial, legislative and executive. For the Federal government these are the federal courts (e.g. U.S. Supreme Court), Congress and the President. Each branch asserts its independence from the others. And, of course, cities are independent of their counties who are independent of their states and everyone mistrusts the Federal government.
When it comes to cybersecurity, this is bullshit.
The "bad guys" are incredibly well-organized. Bad actors could be a criminal syndicate, as in the ATM hack earlier this week, or Anonymous, or even nation-states. Several national governments - China, Israel and the United States – are widely cited as developing cyber weapons.
To respond to these threats, cyber defense teams have to work together, ignoring their organizational silos. There might be separate teams in separate branches or departments, but they need to support each other, probe vulnerabilities in each others' systems, and actively share information. Every government should have cross-agency cyberincident response teams and forensic investigation teams which are activated at a moment’s notice whenever an incident - even a single infected computer - occurs.
2. Actively use private sector resources.
Many private companies will handle credit card processing, perform vulnerability scans, and do risk assessments. They’ll even manage a network on behalf of a government. No government should be doing its own credit card processing or holding/securing citizen credit card information. At the very least governments can contract with private companies to scan their networks and websites for vulnerabilities, do audits of internal systems, and similar work. Private companies will have much more expertise than most governments can hope to hire directly.
3. Consider the "cloud".
Amazon, Microsoft, Google, and a number of other companies offer to store data or manage applications at their data centers and sites, in their "cloud". These companies have teams of information security experts to protect this data. Governments should actively think about using such services. One problem is contractual - most cloud providers want to limit their liability in case a breach occurs. Unfortunately, I'm not aware of contract language with a cloud provider which would satisfy all of a government’s concerns about breaches and loss of personal information, and I encourage your comments about this.
However, another alternative is for one government to create and host cloud services for others, again using joint cyber protection and response teams. Such a technique might also address other concerns such as the need for backgrounding data center employees for CJIS or HIPPA compliance.
4. Use hackers.
Every state has a major university. A friend of mine, CISO at a university, has described the school as having "35,000 potential hackers". Governments could create special relationships with their colleges and universities to employ students and student interns in a wide variety of tasks to manage, monitor and audit/probe their government systems. This technique has the added advantage of helping to train these students – give them practical skills necessary to solve the shortage of information security workers.
There are, undoubtedly, many other protection techniques governments should adopt. A major problem in my experience, however is complacency. "Our techniques are working." "It can't happen here." "We passed a cyber security audit last year." Again, such complacency is bullshit. Cyber attacks, vulnerability discovery and the application software we use changes too rapidly.
This underscores the most important of my suggestions - the first one - working together. Too often we government employees put our department first, or believe we "work for the xxx independent branch of government", not the governor or mayor or legislature or (fill in the blank). Maybe we're afraid of losing our jobs or fear what the results of an audit might disclose.
In the face of the attacks above, this attitude, this culture absolutely must change. We all work for the citizens of our city or our state, who entrust us with their sensitive data. And we absolutely must cooperate much more to safeguard that information.
After all these data breaches, have we learned our lessons?
Sadly, I doubt it. I expect that, over the next 12 months, I’ll be tweeting and reporting further breaches and potential losses of citizen information.
When will we really learn?
(Full disclosure: I now work for the State of Washington. However I have no "inside" knowledge of the breach at the State of Washington Courts.)
April 7, 2013 By Bill Schrier
A long, long time ago in a galaxy – well, actually, a City – far away, I was a police officer - a street cop. I witnessed some of the most horrific episodes of my life as I came upon scenes of automobile collisions with gruesome injuries. I also wrote my share of speeding tickets (and no, I did not have a quota!) and arrested a fair number of drunk drivers.
New technology, however, heralds the potential for an end to automobile collisions, speeding tickets, drunk driving and even most traffic management. Gee, there’s even the possibility that the traffic jam may be relegated to the dustbin of history (along with the dustbin itself, I might add).
A combination of technologies is maturing which foretells such a future.
The first one, of course, is the driverless car. Google has been at the forefront of prototyping that vehicle, to the point where California and Nevada have both passed laws explicitly allowing such vehicles on their roads. Beyond Google, most of the major automobile manufacturersare also testing driverless vehicles. And it’s only a matter of time before such vehicles are regularly driving our roads.
Next, we are seeing the appearance of the “vehicle area network” and “networked vehicles”.
I just purchased a new 2013 Toyota Prius C (and then promptly crashed it in a minor accident – subject matter for a different blog post). When I plugged my iPhone into the Prius to charge it, the Prius recognized the iPhone and linked to it, and offered the ability to use the iPhone’s cellular connection to link the Prius’ own touchscreen display, maps and apps to the wider world. Toyota also has an “entune” appfor this purpose.
We’ll see much more of this in the future – where cars are linked to the Internet. BMW already connects most of its vehicles worldwide to collect performance data via Teleservices. GM’s Onstar has been around for a number of years. Insurance companies are starting to offer discounts for good drivers who consent to put a monitoring devicein their vehicle to sense sudden starts and stops, speeding, and other actions which may be dangerous (or at least insurance companies think are dangerous).
Future vehicles will have networks which link the vehicle to all your personal devices – keys, smart phone, tablets, DVD players and more, to keep you “connected” and in control on the highway.
Furthermore, cars will talk to each other. They could exchange location information, proximity information, directional information and much more. In this fashion cars might be able to avoid each other or allow for smooth lane changes and turns without colliding.
A related development is the instrumentation of the highway.
I had the privilege of working with the Seattle Transportation Department, which was at the forefront of intelligent transportation systems (ITS), when I was City CTO there. Today ITS means, for the most part, traffic sensing and detection devices to time traffic signals, extensive networks of traffic cameras linked with fiber cable, readerboards on streets, and some novel technologies like traffic time estimators and displays. Mobile apps are all the rage, of course, to display traffic conditions. Seattle just launched an amazing mobile app which actually shows live video from traffic cams on your smartphone.
Indeed, the City of Los Angeles just became the first major City worldwide to automate all of its 4,500 traffic signals, synchronizing them. That will reduce travel times somewhat, although our experience with expansion of capacity (e.g. building new freeways or widening them) is just that more traffic is generated.
But sensors and instrumentation can be taken a step further.
Almost everything in the roadway could, of course, be instrumented – sensors in guard rails, school crosswalks, stop signs, bridges. Such sensors might not only collect information but also broadcast it to traffic management centers or, indeed, nearby vehicles.
Your car would know when you are approaching a stop sign and automagically apply the brakes – gee, the “California stop” might become thing of the past. As you approached a school zone during school hours, your car would automatically slow to no faster than the allowable speed. Radars or sensors in the vehicle would detect the presence of children and stop for them – indeed, if every child was somehow sensor-equipped, they might never be struck by cars whose intelligent management systems would automatically avoid them. (And no, I am NOT going to discuss the potential for placing microchips in human beings, although some sort of sensor attached as a smart phone or bracelet or watch DOES have its advantages!)
And you can see where this is leading – as cars become more “intelligent” with their own networks and sensors, and roads become more “intelligent” with their own sensors, networks and computers, the need for human drivers may become irrelevant.
Speeding tickets, collisions, accident investigations, even automobile deaths might become history.
This, of course, has many implications for local and state governments:
I don’t expect to see this traffic "nirvana" anytime soon. But I clearly see it on the horizon. Yes, there will be a lot of disruption and both loss of jobs and creation of new, unknown ones.
But I welcome the day when grandparents are not killed and ripped from their families by drunk drivers. I hope to see over 36,000 Americans saved from needless death and 3.9 million from injury at the hands of automobiles and their drivers.
March 10, 2013 By Bill Schrier
"The Department of No". "The Geeks in the Basement". "Expensive Projects, Always Late".
Increasingly, many IT departments – and their CIOs – are becoming irrelevant to the business of government.
Peter Hinssen is a visiting lecturer at London Business School and a senior industry fellow at the University of California Irvine's School of Business. He recently wrote a provocative article on this subject, focused on CIOs and IT departments in the commercial sector.
But, as I thought about it, many of the same criticisms apply to government CIOs and my own experience as a City CIO.
Perhaps we can really trace IT department irrelevance back to smart phones. I remember when I was approached by Seattle’s Police Chief and Human Services Department director in about 2004 regarding BlackBerrys. As those City business leaders attended conferences, they saw their counterparts doing email on their cell phones. "Bill, why can’t we do the same?"
Luckily I was smart enough to investigate RIM and lucky enough that RIM (now branded BlackBerry) had a robust enterprise solution which catered to my IT department. We quickly put up a BlackBerry Enterprise Server (BES) and at last count more than 1000 BlackBerrys powered by Sprint and Verizon were in use by City of Seattle employees.
I wasn’t unique, of course – most CIOs and IT departments embraced BlackBerrys.
The problem of course, is that danged fruit company, Apple. They launched the iPhone about six years ago and the iPad a couple years later. Apple didn’t give a dang about Enterprises. It's "their way or the BlackBerry way". No management software for IT departments. Most IT departments resisted the iPhone and iPad trend citing security, public records act, and lack of manageability. But City and County employees quickly embraced them.
Suddenly, the IT department was irrelevant. I've blogged about this before, especially when Seattle elected a new Mayor, Mike McGinn, in 2009, and he and his staff brought iPhones to work and said "hook us up". But we see this trend in many other things.
You want a constituent relationship management system? Salesforce can be up in a day for a few thousand bucks (depending on number of users. Installing a CRM in the traditional manner, especially with RFP and customization, takes 18 months and hundreds of thousands of dollars.
You want to share files? You can install and customize sharepoint, which works pretty well, or go with any one of a number of document management systems. Again, 6 to 18 months, hundreds of thousands or millions of dollars. But Dropbox or Box.com can be up and working in minutes.
You need to spin up a few dozen servers and a couple terrabytes of storage quickly to support an election application or another urgent need? You can spend hundreds of thousands of dollars and months buying and installing equipment, then configuring and patching it, or you can go contract platform-as-a-service from Microsoft Azure or Amazon Web services or others.
You need office software like word processing, spreadsheet and an email client? You can spend five million dollars and three years justifying budget, planning, installing and training users (like we did at the City of Seattle), or you can go contract for Microsoft Office 365 in the cloud or Google Apps and have it up in weeks. (In fairness to the City, we did our email/Office project before cloud services for Office products were widely available.)
I talked to a CIO last week who thankfully stopped the deployment of over 10,000 desk telephones in her organization. Desk telephones a tiny little window for displaying information and without video conferencing, presence or most other features found on even low-end cell phones these days.
Traditional IT folks will point to a variety of problems with my examples, of course – the cloud-based systems have security issues and they are not robust (supporting thousands of users). And they are not configurable to the unique requirements of a city, county or state government – although I’m convinced most of the "unique requirements" are actually just job security for those employees rather than true "requirements". That’s the subject for a future blog post.
Ok, I’ve made my point about infrastructure. It's a commodity. It’s easily purchased on the outside. This is one problem. Here’s the greater one: while CIOs and IT departments spend their time on software and services like those above, there are a ton of unmet needs. And, frankly, line-of-business departments are now tech saavy enough (thanks again to smartphones, tablet computers, and downloadable apps or software as a service), that they can go contract to meet these needs directly, by-passing the IT department. Here are a few examples:
Is there a way out of this hell and dead-end of irrelevance for the Government CIO? I think there may be, with the trend we’re seeing for Chief Innovation Officers and Chief Digital Officers. I’ll blog about that in the near future.
In the meantime, I’m going back to configuring my server!
February 4, 2013 By Bill Schrier
The New York Times had the audacity to research and write a story critical of Chinese Prime Minister Wen Jiabao’s family. In return for its journalism, the Chinese government apparently unleashed a four-month long hacker attack against the Times stealing, among other data, every one of its employees’ passwords. This effort was apparently searching for the sources for the story. Ars Technica has a short, frightening, account of the hack.
And, of course, the Chinese government succeeded – would people crticial of the regime dare to talk to the New York Times now, knowing its technology can be hacked?
There are many related and frightening stories – the Wall Street Journal was attacked, a power station in the United States has been offline for three weeks due to an attack based on a USB drive, and, of course, Anonymous (or someone) has been hard at work with denial of service and web defacing attacks on banks and government agencies. Could a City, County or State government be subject to a similar attack?
A few years ago, when I was CIO in Seattle, I would have dismissed the notion out of hand.
A City government does not hold the secrets to making a nuclear weapon in its digital vaults, nor do cities have active networks of foreign spies (with the possible exception of my friends in the Big Apple) whose identity needs to be uncovered by foreign powers.
Today I feel exactly the opposite.
Cyberwar is real. Cyberwar is happening today, even as I’m writing this. And the New York Times attack is only the latest. The evidence is everywhere. Nation-states (and perhaps others) are creating malware with the express purpose of attacking other nations or private company. Stuxnet is one example, as is the malware which fried 30,000 computers at ARAMCO in Saudi Arabia. Many governments have been compromised with malware to steal money from their accounts by stealing finance officers passwords.
Why would anyone – other than a criminal botnet out to hack finances and bank accounts – target a City or County or State government?
The New York Times attack highlights the reasons clearly.
Suppose a Mayor or Governor publicly opposed allow trainloads of coal to pass through their city or state, in order to be loaded onto ships, sent to China, and used to power the Chinese electrical grid. Wouldn’t such opposition essentially constitute economic warfare and potentially provoke a cyber response?
Suppose a Mayor or County Executive, hoping to combat a rash of gun violence, initiates programs for a network of video surveillance cameras and gunshot detection technology (read: microphones) in a City. Could that provoke Anonymous or a similar organization?
Defacing a City or County website is bad. Stealing taxpayer money from government bank accounts is worse. Compromising SCADA systems to shut down a water supply or electric grid is dangerous. But we haven’t yet seen the worst potential attacks, such as bringing down a 911 telephone network or freezing a police or fire computer-aided dispatch system or perhaps crashing a public safety radio network.
And these overt acts pale by comparison to covert actions which may be occurring undetected – systematically compromising and falsifying utility bills, or hacking into and changing criminal and court records. We have no evidence such covert acts have ever occurred, but given the myriad of different levels of government and many repositories for the information, such databases must represent a juicy and lucrative target for criminal networks, Anonymous and even nation states. All these potential threats indicate cities, counties and states cannot be complacent, but rather need active cyber security programs, preferably in cooperation with other agencies.
Yes, Dorothy, a City could be hacked to its knees. Worse yet, it might not be discovered for months or even years after the act.
January 3, 2013 By Bill Schrier
Although Congress continues to put off really dealing with the so-called "Fiscal Cliff", the budget deficit, and a host of related issues (at least as of this writing), in the last week of 2012 both Republicans and Democrats agreed to extend FISA – the "warrantless wiretapping" law. FISA – really the "FISA Amendments Act" - essentially allows the federal government to eavesdrop on email and other communications without a warrant. The Senate even rejected amendments which would require some transparency in the process, such as revealing how many Americans are monitored in this fashion. This same law also gives telecommunications carriers blanket immunity when they turn over records or allow wiretapping of citizens.
On a slightly different issue, the National Rifle Association is reiterating its adamant opposition to the banning of assault weapons or other restrictions on the purchase and ownership of guns, despite the death of 20 young children to gunfire in Newtown. The NRA supports, however, a national registry of the mentally ill. And, of course, the Gun Control Act of 1968 prohibits gun sales to individuals who have been committed to a mental institution or "adjudicated as a mental defective." Because individual states have a wide variety of laws (or lack of them) which implement this provision, it has few teeth, hence the NRA’s call for the registry.
Recent advances in technology promise unprecedented ability to further monitor and pry into the private lives of citizens. The law is still murky about the GPS information in your cell phone, but some courts have ruled a warrant is not required for law enforcement to obtain it. Congress also approved a new law in 2012 which allows commercial pilotless aerial vehicles ("drones") to populate our skies. And technology is being developed to allow your TV to monitor your viewing habits, perhaps even via a camera which watches YOU and is embedded in the TV. This information could be reported back to advertisers and others for further targeting you as a consumer. Given the FISA extension (which protects telecommunications carriers who turn over information to the government), such data might also be available to government authorities. (More detail on drones, phones and TV monitoring here.)
Let’s add these new technologies to many which already exist – a proliferation of video surveillance cameras in both private and public hands for example, as well as a massive library of video and still images collected on sites such as Flikr, Facebook, Pinterest and YouTube. Most such sites encourage "tagging" of individuals by name in the images. Many private companies are developing facial recognition technology to allow these "tags" to proliferate to images across the Internet. Governments are also building facial recognition technologies and applying them at least to mug shot databases of criminals or suspects. License plate recognition (LPR) is now widely used by transportation and law enforcement. Indeed, between LPR and facial recognition, there might very well be a time when anonymity is essentially dead – whenever you leave your house your whereabouts will be known, tracked and entered into either a public or private database.
Add to all this the explosion of "big data" and "data analytics" such as the Domain Awareness System (DAS) developed by Microsoft for the New York City police department. DAS and similar technologies promise an unprecedented ability to analyze a vast variety of information about criminals – and citizens – to build a profile of each and every individual in the nation.
Now let’s circle back to the NRA.
At first thought, the idea of a national database of the mentally ill – who would then be prevented from at least purchasing and, perhaps, owning, weapons – seems an attractive thought. Clearly anyone who would brutally kill 20 first-graders – or murder a dozen theater-goers in Aurora – is mentally ill. Yet neither Adam Lanza or James Holmes were diagnosed prior to their acts. In retrospect, almost all perpetrators of large-scale massacres show signs of mental illness, but are rarely diagnosed before the crime. Some would argue that most cold-blooded murderers (as opposed to those who commit murder in a fit of passion or rage, or under the influence of a drug), are mentally ill.
How do we determine who is mentally ill, and therefore goes into the national database, and is then prevented from buying or owning guns? Ultra conservative groups like the NRA, who would never support government officials registering weapons, are, apparently, more than willing to allow deep violations of privacy to determine if a person is mentally ill. Do we need to build that nationwide profile of every single person living in United States (or perhaps the world), looking for those tell-tale signs of a killer? Do we need to put those cameras on every TV in every house? Do we need to wiretap and analyze every telephone or Skype conversation? And do we then use our business intelligence and big data analytics to create those profiles?
What’s amazing is not the potential for building such a database, but how far we’ve already allowed it in law, with FISA and the FISA Amendments Act and the Patriot Act and the use of our present technology. Even more amazing, is the ability of the far right and the far left, the liberals and conservatives, Obama and Boehner, Republicans and Democrats, all to sign on and support it.
We go willingly into this deep, dark night.
This Digital Communities white paper highlights discussions with IT officials in four counties that have adopted shared services models. Our aim was to learn about the obstacles these governments have faced when it comes to shared services and what it takes to overcome those roadblocks. We also spoke with several members of the IT industry who have thought long and hard about these issues. The paper offers some best practices for shared government-to-government services, but also points out challenges that government and industry still must overcome before this model gains widespread adoption.