January 27, 2009 By Bill Schrier
Today City governments depend upon technology - more than ever - to operate. But, gee, how secure and reliable are these systems, these networks and these communications? Constituents depend upon the Internet, web, e-mail , cell phones to communicate with their government for information and services.
I recently had a non-classified meeting with some fedgov Department of Homeland Security cyber folks, and DHS contractors about potential cyber security tools. I'm a "geek", so I love tools and software. I'm a senior public official, so I also like charts and graphs and statistics . My meeting had plenty of both tools and statistics. But, after hearing about the Internet's vulenerabilities and potential threats, I walked away from the meeting ready to move to a mountain cabin "off the grid" and isolated from the world.
Is cybersecurity really a major issue? What can a municipal government do to improve HomeCity Security?
Is it an issue? I offer the following observations:
o A laptop computer with records of 26.5 million veterans was stolen from the home of a Veteran's Administration employee in May 2006 (later recovered) . But these veterans (including me - I'm a retired Army Officer) received letters notifying us of the problem. The VA also lost records of 1.8 million veterans in February 2007 and covered up other data breaches. They (that's "we" for those of us who pay fedgov income tax) paid for a lot of clean-up and credit monitoring.
o The day after his inauguration, President Obama published a cybersecurity plan and intends - as a top priority - to appoint a national cybersecurity advisor.
o Within the last few months, Heartland Computer Systems may have lost over 45 million consumer credit card numbers
o The nation's electrical grid is allegedly vulnerable to cyberattack (and my City operates the nation's ninth largest municipal electric utility with 300,000 customers)
o Conficker worm may be infecting one million new computers a day
What scares me?
1. Injury to the people who trust the government of the City of Seattle. The people of Seattle entrust their credit card numbers, their phone numbers, their personal information to my government. When they call 911, they expect help. We've had some breaches, for example web-based SQL databases compromised by SQL injection attacks, so any constituent visiting those websites receives computer viruses... from us!
If someone is hurt physically or financially or emotionally because we've failed to keep the telephone network or their personal information cybersecure, I've failed as CTO, and I've failed big-time. I never want to be sending letters like the one I received from the VA.
2. Damage to the City of Seattle's reputation. One reason my government works so well is that the people of Seattle trust us. When they call, we respond. We provide relaible, on-time, services. One clear demonstration of this trust - last November, despite a looming recession, the people of Seattle passed levies to fund more parks, a Pike Place Market renovation, and a $17 billion transit system. A cyber-incident will damage thisspecial relationship of trust.
3. Outage of the City's technology systems. Constituents use technology to report problems and request service from the City. They call 911 or 684-3000 (utility customer service). They send e-mail. They pay bills on the web. And City employees use technology to coordinate our response - radio systems for public safety, telephone and data networks, electronic mail systems, Windows servers and a 24x7 data center. I'm proud of 99%+ uptime on those systems to "make technology work for the City. Cyber incidents endanger those systems.
How can we improve HomeCity Cybersecurity? Here's what I'm doing:
1. Hired a damn fine CISO. My Chief Information Security Officer, Mike Hamilton, is the best. Worked for a long time in private industry, came to Seattle ready to give his expertise in public service. Like all CISO's, he sees bad guys everywhere. (To some extent, I pay him to do that!) Unlike many CISO's, he knows that technology and the Internet are here to stay and we need to take practical measures to make them as secure as possible.
2. Assemble and train a team of cyber-techies and professional cyber-sleuths. We have dedicated, skilled IT security professionals scattered throughout City government. Their departments and agencies spent money to train them, and CISO Hamilton matrix-manages them to patch and secure systems. We use them as a cyber-incident-management team under Hamilton's Deputy - David Matthews - to investigate and get to root cause of any potential cybersecurity incident. They are our best cyber-defense.
3. Test every doggone Internet-facing application. Do penetration testing on our Internet connection. Watch firewall logs. Apply every hi-impact Microsoft or Cisco or (fill-in-the-blank technology company) security patch as soon as you can. No more than five days max from patch release to deployment.
4. Selectively outsource. For example, we've outsourced management of credit card payments to skilled third parties, rather than "storing and managing our own". We can't outsource accountability, but we can share risk.
5. Buy some basic tools. Anti-virus for every computer. Patch distribution software. Vulnerability scanning software. System logging and aggregation software. Web site blocking software. Then use it.
6. Educate, train, harangue and educate again. The weakest link in every cybersecurity defense is employees. Employees who transport data from work to home on thumbdrives, potentially losing the data or introducing a new virus or worm. "Loose lips sink ships" and "Loose laptops sink cyber-security". Employees who surf the Internet and hit questionable websites. We train employees on good security practices, harangue management to enforcement them, and then train again.
I'm not quite as concerned about cyber attacks crippling public safety radio systems or the SCADA systems which control the electrical grid and water supply or traffic signal control. These systems are vulnerable, but we have in-depth layers of defense and employees dedicated to protecting them.
I'm concerned about that single lost portable hard drive with social security numbers. Or that one SQL server database which should be "read only" but is "read-write" and compromised. Or that employee who goes to a web gambling site and downloads a day-zero cyber virus.
Technology is here to stay. Internet use by government and our constituents will only increase. But we're working hard to mitigate the vulnerabilities.
And I still don't sleep very well at night.
January 22, 2009 By Bill Schrier
Microsoft's announcement today of 5,000 job cuts - many of them layoffs here in the Puget Sound Region - will send waves of Fear Uncertainty and Doubt (FUD) throughout the Region and the Industry. While Microsoft sneezes, Government here will catch a cold.
In a word (or three): Uncool. UnMicrosoft. Un-Seattle-like.
Microsoft - like the stock market - always expands, doesn't it? Microsoft dominates any endeavor it undertakes. Web browser leaders Netscape and Mozilla fall to Internet Explorer. VisiCalc and Lotus 1-2-3 wither away in front of Excel. WordPerfect evaporates in favor of Word. Personal computers running Windows - in a very real sense - transformed the very landscape of American society.
In terms of people this is a real psychological shift. Microsoft is THE place to work here in the Seattle area. Young employees, exciting projects, bright futures. Spin-off, start-up and creative companies in our Region bask (almost literally) in the glow of the Microsoft sun. Microsoft Research attracts Ph.D.'s and smart people from around the Globe. But not even Microsoft Research is immune to the cuts.
For local government, tax revenues will plunge further as consumers and businesses rein in their discretionary spending.
We have a regressive tax system, heavily dependent upon sales and property taxes, with no State or City income taxes. While the real amount of money and wages flowing into the Region may not change much as a result of these layoffs, the psychological effects will hurt government.
As people in the region see that even Microsoft is not immune to the present economic troubles, they will rein in their consumer spending. "If it can happen in Redmond, it can happen to me." Property values (and therefore taxes) have suffered a bit here, but not as badly as elsewhere. Those values will drop a more because of this. People will be less willing to buy, more willing to sell.
Right now - today - Washington State has a $6 billion two-year budget deficit and King County an $80 million one. The City of Seattle's general fund budget was basically unchanged - $920 million in 2009 compared to $926 million in 2008. (See page 13 of the budget document here. )
But every one of these government budgets will need re-evaluation in the months to come.
I'm convinced that Microsoft's dominance will continue. The personal computer, Windows servers, netbooks running XP, Windows mobile devices will continue to dominate the industry. (Well, they could drop the Zune just like they dropped floppy disks!)
Computing hardware will continue to get faster and require more powerful and functional software from Microsoft. Technology innovation will continue and Microsoft will be in the forefront. The bloom is off the Rose, but the Rosebush in Redmond still lives and will blossom again.
Until that re-blossoming, however, the effects will be keenly felt here in Seattle.
January 9, 2009 By Bill Schrier
I've blogged in the past about how neighborhood blogs like our own West Seattle Blog may very well displace dead-tree papers simply because they have a massive reporter and photographer base - virtually anyone, anywhere with a cell phone, digital camera and Internet connection - and can report news and events in an "up front" rapid way unmatched by the traditional media.
I enjoy blogging and twittering (see http://twitter.com/billschrier) and social networking via Facebook. I'm helping to drive the City of Seattle to use such new technologies into making City government more efficient and effective - see our latest deployment, a vastly revamped version of "My Neighborhood Map", just unveiled today.
But I mourn the end of old-style newsprint papers such as the PI.
Maybe it's because I'm a bit older than the median age of a Seattlite (although still younger than the AARP median age). Maybe it is a "generation thing", and "younger folks" get their news and information from Twitter and RSS and the Internet. I don't think that's true - there are many twenty-somethings vastly more conservative and less tech saavy than I.
Maybe it's because I've always longed to be a journalist, hence my interest in writing this blog. That might stem from my college English professor, Father Daniel Rogers of Loras College, who said "I think you might be a writer someday".
I've often told my wife, I'd love to own a small-town newspaper and attend/report upon/photograph events in a close-knit small City. She - an award-winning journalism teacher - laughs at that, knowing small-town newspapers are 80 hour weeks for a pittance of salary. And I, in my brain (not my heart), know that "beat reporting" such as the City Hall beat or the Boeing beat is probably a thing of the past.
And I also fear that true investigative reporting may end. Perhaps this sounds odd, coming from a government official. I'm proud of Seattle's City government and I'm proud of public service. But I know there are the Richard Nixons and Dick Cheneys of government. We owe a lot to newspapers and reporters who dug deep inside issues and stories to expose Watergate, for example, as well as hundreds of other serious issues - just look at the Pulitzer Prize finalists/winners for great examples of such reporting.
Without newspapers to fund and support such long-term, labor-intensive investigative journalism, who will do it?
Pardon me, but I'm heading down to the Pike Place Market to get a copy of the Seattle Post-Intelligencer. I hope I can continue to do that ... that copies of the P-I will continue to be there ...
This Digital Communities white paper highlights discussions with IT officials in four counties that have adopted shared services models. Our aim was to learn about the obstacles these governments have faced when it comes to shared services and what it takes to overcome those roadblocks. We also spoke with several members of the IT industry who have thought long and hard about these issues. The paper offers some best practices for shared government-to-government services, but also points out challenges that government and industry still must overcome before this model gains widespread adoption.