Podcast and Slideshare by Andy Blumenthal on Mobility Solutions

Click here for the audio of my speech at the Adobe Government Assembly on Wednesday, November 3, 2010 in Washington, DC. (Subscribe to all my podcasts on iTunes here.)

Andy blumenthal talks about mobility solutions 20101104

View more presentations from Andy Blumenthal.

Podcast and Slideshare by Andy Blumenthal on Mobility Solutions

5 Lessons For Implementing Mobility Solutions

[Pictured from Left Kevin Brownstein, McAfee; Andy Blumenthal, ATF; John Landwehr, Adobe; Jack Holt, DoD]

Today, I participated on behalf of my agency at the Adobe Government Assembly: Engage America on a panel for mobility solutions.

I shared the lessons learned from our experience and pilot of mobile devices, including:

1) Be prepared to give the end users as many apps as possible—they want it all just like on their desktops.

2) In mobile devices, size and resolution matters. Although people like miniaturized devices, they want the display of the information and graphics to be clear and visible.

3) Users did not like using a stylus for navigation.

4) Users in the field don’t have time or patience to decipher complicated instruction guides—it’s got to be intuitive!

5) While security is critical, usability is key and it’s a balancing act.

5 Lessons For Implementing Mobility Solutions

Now The Computer War Games Are Real

The Associated Press is reporting that the Iranian Bushehr Nuclear Plant has been hit with a sophisticated computer worm called Stuxnet.

The Iranian nuclear program hit has been claimed for civil nuclear power but has long been suspected of being a cover for making weapons, and Iran has been unabashedly vocal about its hostile intent to many nations, even going so far as to openly threaten some, especially Israel, with complete “annihilation.”

The technical aspects of Stuxnet as a weapon are fascinating, for this is the first computer program “specifically created to take over industrial control systems.” Another article in U.K.’s The Guardian quotes another source as saying it is “one of the most refined pieces of malware ever discovered.”

This worm works by exploiting Windows operating systems security holes and taking over critical infrastructure SCADA systems (AKA Supervisory Control And Data Acquisitions systems or industrial control systems).

What is maybe even more amazing than the technical feat of Stuxnet, is that for months or years, everyone has been focused on and hypothesizing about when a traditional military strike was going to occur to the ever menacing Iranian nuclear threat. However, instead of conventional planes and bombs making a big bang (remember “shock and awe”), we get a silent but “very sophisticated” cyber worm that no one seems to have expected.

So times have certainly changed and with it warfare. Prior military engagements occurred on land, sea, and air with kinetic “bang/boom” weapons. Today they have a new domain in cyberspace with bits and bytes that are just as impactful. But I think what hasn’t really hit home with most people is that cyber war is not just virtual, like playing a video game (like the SIMS) or acting out in virtual reality (like Second Life); cyberwarfare starts online but has real physical ramifications as we see with the Stuxnet worm. Industrial systems like nuclear plants or hosts of other critical infrastructure (in manufacturing, energy, telecommunications, etc.) can be taken out with cyber bombs just like with real bombs maybe even better, faster, cheaper, and cleaner (less collateral damage).

We had all better be prepared for the fight in this new realm as the potential damage is as real as any we have ever seen before.

Now The Computer War Games Are Real

The Printer’s Dilemma

There is a lot of interest these days in managed print solutions (MPS)—sharing printers and managing these centrally—for many reasons.

Some of the benefits are: higher printer use rates; reduction in printing; cost saving; and various environmental benefits.

Government Computer News (5 April 2010) has an article called “Printing Money” that states: managed printing is an obvious but overlooked way to cut costs, improve efficiency, and bolster security.”

But there are also a number of questions to consider:

- What’s the business model? Why are “printing companies” telling us to buy less printers and to print less? Do car companies tell us to buy less cars and drive less (maybe drive more fuel efficient vehicles, but drive less or buy less?) or do food companies advise us to buy less food or eat less (maybe eat healthier food, but less food)? To some vendors, the business model is simple, if we use their printers and cartridges—rather than a competitor’s—then even if we use less overall, the managed print vendor is getting more business, so for them, the business model makes sense.

- What's the cost model? Analysts claim agencies by moving to managed print solutions “could save at least 25 percent of their printing expenses” and vendors claim hundreds of thousands, if not millions in savings, and that is attractive. However, the cost of commodity printers, even the multifunction ones with fax/copy/scan functions, has come way down, and so has the print cartridges—although they are still too high priced—and we change them not all that often (I just changed one and I can barely remember the last time that I did). As an offset to cost savings, do we need to consider the potential impact to productivity and effectiveness as well as morale—even if the latter is just the “annoyance factor”?

- What’s the consumer market doing? When we look at the consumer market, which has in many analyst and consumer opinions jumped ahead of where we are technologically in the office environment, most people have a printer sitting right next to them in their home office—don’t you? I’d venture to say that many people even have separate printers for other family members with their own computers set ups, because cost and convenience (functional)-wise, it just makes sense.

- What’s the cultural/technological trend? Culturally and technologically, we are in the “information age,” most people in this country are “information workers,” and we are a fast-paced (and what’s becoming a faster and faster-paced) society where things like turn around time and convenience (e.g. “Just In Time inventory, overnight delivery, microwave dinners, etc.) are really important. Moreover, I ask myself is Generation Y, that is texting and Tweeting and Facebooking—here, there, and everywhere—going to be moving toward giving up there printers or in fact, wanting to print from wherever they are (using the cloud or other services) and get to their documents and information immediately?

- What’s the security impact? Understanding that printing to central printers is secure especially with access cards or pin numbers to get your print jobs, I ask whether in an age, where security and privacy of information (including corporate theft and identity theft) are huge issues, does having a printer close by make sense, especially when dealing with sensitive information like corporate strategy or “trade secrets,” mission security, personnel issues, or acquisition sensitive matters, and so on. Additionally, we can we still achieve the other security benefits of MPS—managing (securing, patching etc.) and monitoring printers and print jobs in a more decentralized model through the same or similar network management functions that we use for our other end user-devices (computers, servers, storage, etc.)

- What’s the environmental impact? There are lots of statistics about the carbon footprint from printing—and most I believe is from the paper, not the printers. So perhaps we can print smarter, not only with reducing printers, but also with ongoing education and sensitivity to our environment and the needs of future generations. It goes without saying, that we can and should cut down (significantly) on what and how much we print (and drive, and generally consume, etc.) in a resource constrained environment—planet Earth.

In the end, there are a lot of considerations in moving to managed print solutions and certainly, there is a valid and compelling case to moving to MPS, especially in terms of the potential cost-saving to the organization (and this is particularly important in tough economic environments, like now), but we should also weight others considerations, such as productivity offsets, cultural and technological trends, and overall security and environmental impacts, and come up with what’s best for our organizations.

The Printer’s Dilemma

Enterprise Architecture Panel - Snowmaggedon and the End of the (Desktop) World: The Mobile Workforce

[Pictured (Left to Right): Andy Blumenthal, Chief Technology Officer, Bureau of Alcohol, Tobacco, Firearms and Explosives; Ms. Doreen Cox, Chief Enterprise Architect, U.S. Customs and Border Protection; Mr. Rod Turk, Chief Information Security Officer, U.S. Patent and Trademark Office.]

Introduction:

Good afternoon. I'm Andy Blumenthal, the Chief Technology Officer at the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). It's a great honor for me to be here with you today to talk about telework and how EA is shaping it's adoption.

Just coming out of the blazing hot summer, the blizzard this past February seems like ages ago. Yet this storm brought the federal workforce in D.C. to a halt for 6 days, costing more than $100 million in lost productivity per day. This was offset only by the 1/3 of the federal workforce which was teleworking.

Just in case you don't remember take a look at this:

I still remember Snowmaggedon because that was when we shoveled out the wrong car because the snow was so high we couldn't see which was ours.

More seriously though, telework benefits federal agencies in many ways:

1. Increases productivity
2. Enhances work-life balance and morale
3. Helps the environment by keeping cars off the road
4. Can save the taxpayer money by reducing the agency's footprint

Data from the Telework Research Network indicate that telework could save agencies and participants as much as $11 billion annually (on such things as real estate, electricity, absenteeism, and employee turnover) and that if eligible employees telecommuted just one day every other week, agencies would increase productivity by more than $2.3 billion per year (driven by employee wellness, quality of life, and morale).

According to OPM telework adoption is growing. As of 2008, telework increased 9% over the previous year and now slightly more than 5% of the federal workforce are teleworking.

Telework got a boost when the House and the Senate passed similar bills--in May and July respectively--to expand telework opportunities. The two chambers now must reconcile their versions before a final bill heads to President Obama for approval. The Telework Enhancement Act would make employees presumptively eligible and require that agencies establish telework policies, designate a telework managing officer, and incorporate telework into agency's continuity of operations plans.

Five years ago nobody would've thought that EA would inform the discussion on telework. EA was still primarily a compliance only mechanism and didn't have a real seat at the decision table. Now thanks to the efforts of all of you, it's strategic benefit is recognized, and EA is playing a vital role in planning and governing strategic IT decisions such as in investing and implementing telework solutions for our agencies.

Our distinguished panelists here today will discuss how EA is informing the discussion of telework from both the policy, systems, and security perspectives.

Enterprise Architecture Panel - Snowmaggedon and the End of the (Desktop) World: The Mobile Workforce

What’s Lurking In The Update?

In defense, it is a well-known principle that you determine your critical infrastructure, and then harden those defenses—to protect it.

This is also called risk-based management, because you determine your high impact assets and the probability that they will be “hit” and deem those the high risks ones that need to be most protected.

In buttressing the defenses of our critical infrastructure, we make sure to only let in trusted agents. That’s what firewalls, anti-virus, spyware, and intrusion prevention systems are all about.

In so-called “social engineering” scams, we have become familiar with phony e-mails that contain links to devastating computer viruses. And we are on the lookout for whether these e-mails are coming from trusted agents or people we don’t know and are just trying to scam us.

What happens though when like the Trojan Horse in Greek times, the malware comes in from one of the very trusted agents that you know and rely on, for example, like from a software vendor sending you updates for your regular operating system or antivirus software?

ComputerWorld, 10 May 2010, reports that a “faulty update, released on April 21, [by McAfee] had corporate IT administrators scrambling when the new signatures [from a faulty antivirus update] quarantined a critical Windows systems file, causing some computers running Windows XP Service Pack 3 to crash and reboot repeatedly.”

While this particular flawed security file wasn’t the result of an action by a cyber-criminal, terrorist or hostile nation state, but rather a “failure of their quality control process,” it begs the question what if it was malicious rather than accidental?

The ultimate Trojan Horse for our corporate and personal computer systems are the regular updates we get from the vendors to “patch” or upgrade or systems. The doors of our systems are flung open to these updates. And the strategic placement of a virus into these updates that have open rein to our core systems could cause unbelievable havoc.

Statistics show that the greatest vulnerability to systems is by the “insider threat”—a disgruntled employee, a disturbed worker, or perhaps someone unscrupulous that has somehow circumvented or deceived their way past the security clearance process (or not) on employees and contractors and now has access from the inside.

Any well-placed “insider” in any of our major software providers could potentially place that Trojan Horse in the very updates that we embrace to keep our organizations secure.

Amrit Williams, the CTO of BIGFIX Inc. stated with regards to the faulty McAfee update last month, “You’re not talking about some obscure file from a random third party; you’re talking about a critical Windows file. The fact that it wasn’t found is extremely troubling.”

I too find this scenario unnerving and believe that our trusted software vendors must increase their quality assurance and security controls to ensure that we are not laid bare like the ancient city of Troy.

Additionally, we assume that the profit motive of our software vendors themselves will keep them as organizations “honest” and collaborative, but what if the “payoff” from crippling our systems is somehow greater than our annual license fees to them (e.g., terrorism)?

For those familiar with the science fiction television series BattleStar Galactica, what if there is a “Baltar” out there ready and willing to bring down our defenses to some lurking computer virus—whether for some distorted ideological reason, a fanatical drive to revenge, or a belief in some magnanimous payoff.

“Trust but verify” seems the operative principle for us all when it comes to the safety and security of our people, country and way of life—and this applies even to our software vendors who send us the updates we rely on.

Ideally, we need to get to the point where we have the time and resources to test the updates that we get prior to deploying them throughout our organizations.

What’s Lurking In The Update?

A Turning Point for the Government Cloud

Los Angeles is moving to the cloud, according to Public CIO Magazine March 2010, and “they are the first government of its scale to chose Gmail for the enterprise.”

“It turned out that Washington D.C., was using Gmail for disaster recovery and giving employees the option to use it as their primary e-mail.” But LA is implementing Gmail for more than 30,000 city employees (including police and fire departments) as well as planning to move to Google Apps productivity suite for everything from “calendar, word processing, document collaboration, Web site support, video and chat capabilities, data archiving, disaster recovery and virus protection. “

CTO Randi Levin is leading the charge on the move to cloud computing, and is taking on concerns about cost, data rights, and security.

• On Cost: “The city estimated $5.5 million in hard savings form the Google adoption, and an additional $20 million savings in soft costs due to factors like better productivity.”
• On Data Rights: Nondisclosure agreement with Google includes that the data belong to the city “in perpetuity,” so “if the city wants to switch to another vendor after the contract ends, the city will be able to recall its archived data.”
• On Security: “Google is building a segregated ‘government cloud,” which will be located on the continental U.S. and the exact location will remain unknown to those outside Google. The data will be “sharded”—“shredded into multiple pieces and stored on different servers. Finally, Google will be responsible for “unlimited” damages if there’s a breach of their servers.

LA conducted an request for proposal for software-as-a-service (SaaS) or a hosted solution and received responses for 10 vendors including Google, Microsoft, and Yahoo. Google was selected by an Intradepartmental group of IT managers and a five year contract issued for $17 million.

Currently (since January), LA is conducting a Gmail pilot with about 10% of its city employees, and implementation for the city is slated for mid-June.

Additionally, LA is looking into the possibility of either outsourcing or putting under public-private partnership the city’s servers.

And the interest in government cloud isn’t limited to LA; it is catching on with Google Apps pilots or implementations in places like Orlando, Florida and within 12 federal agencies.

Everyone is afraid to be the first in with a major cloud computing implementation, but LA is moving out and setting the standard that we will all soon be following. It’s not about Google per se, but about realizing the efficiencies and productivity enhancement that cloud computing provides.

A Turning Point for the Government Cloud

Overcoming the Obstacles to Cyber Security

There continues to be a significant shortfall in our cyber security capabilities, and this is something that needs our determined efforts to rectify.

Often I hear a refrain from IT specialists that we can’t wait with security until the end of a project, but rather we need to “bake it into it” from the beginning. And while this is good advice, it is not enough to address the second-class status that we hold for IT security versus other IT disciplines such as applications development or IT infrastructure provision. Cyber Security must be elevated to safeguard our national security interests.

Here are some recent statements from some our most respected leaders in our defense establishment demonstrating the dire strait of our IT security posture:

· “We’re the most vulnerable, we’re the most connected, we have the most to lose, so if we went to war today in a cyber war, we would lose.”- Retired Vice Admiral Mike Mullen (Federal Computer Week 24 February 2010)

· The United States is "under cyber-attack virtually all the time, every day” - Defense Secretary Robert Gates: (CBS, 21 April 2009)

· “The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.” (White House CyberSpace Policy Review, 2009)

Further, the number of attacks is increasing; for example, SC Magazine 20 November 2009 reported that the number of cyber attacks against the Department of Defense was increasing year-over-year 2009 to 2008 by some 60%!

And the penetration of our critical systems spans our industrial, civilian, and defense establishment and even crosses international boundaries. Most recently reported, these included the following:

· F-35 Joint Strike Fighter $300B program at Lockheed Martin,

· The Space Shuttle designs at NASA

· The joint U.S. South Korean defense strategy

· The Predator feeds from Iraq and Afghanistan and more.

Thankfully, these events have not translated down en-masse and with great pain to the individuals in the public domain. However this is a double-edged sword, because on one had, as citizens we are not yet really “feeling the pain” from these cyber attacks. On the other hand, the issue is not taking center stage to prevent further and future damage.

This past week, I had the honor to hear Mr. James Gossler, a security expert from Sandia National Labs speak about the significant cyber security threats that we face at MeriTalk Innovation Nation 2010 on the Edge Computing panel that I was moderating.

For example, Mr. Gossler spoke about how our adversaries were circumventing our efforts to secure our critical cyber security infrastructure by being adept and agile at:

· Playing strength to weakness

· Developing surprising partners (in crime/terror)

· Changing the rules (“of the game”)

· Attacking against our defenses that are “naïve or challenged”

In short, Mr. Gossler stated that “the current state-of-the-art in information assurance [today] is significantly outmatched” by our adversaries.

And with all the capabilities that we have riding on and depending on the Internet now a days from financial services to health and transportation to defense, we do not want to be outgunned by cyber criminals, terrorists, or hostile nation states threatening and acting in ways to send us back to the proverbial “stone-age.”

Unfortunately, as a nation we are not moving quickly enough to address these concerns as retired Navy vice admiral Mike McConnell was quoted in Federal Computer Week: “We’re not going to do what we need to do; we’re going to have a catastrophic event [and] the government’s role is going to change dramatically and then we’re going to go to a new infrastructure.”

Why wait for a cyber Pearl Harbor to act? We stand forewarned by our experts, so let us act now as a nation to defend cyber space as a free and safe domain for us to live and thrive in.

There are a number of critical obstacles that we need to overcome:

1) Culture of CYA—we wait for disaster, because no one wants to come out first—it’s too difficult to justify.

2) Security is seen as an impediment, rather than a facilitator—security is often viewed by some as annoying and expensive with a undefined payback, and that it “gets in our way” of delivering for our customers, rather than as a necessity for our system to work

3) We’ve become immune from being in a state of perpetual bombardment—similar to after 9-11, we tire as human beings to living in a state of fear and maintaining a constant state of vigilance.

Moreover, to increase our cyber security capabilities, we need to elevate the role of cyber security by increasing our commitment to it, funding for it, staffing of it, training in it, tools to support it, and establishing aggressive, but achievable goals to advance our capabilities and conducting ongoing performance measurement on our initiatives to drive results.

Overcoming the Obstacles to Cyber Security

How $26 Can Buy You A Billion-Dollar Surveillance System

If $26 software can give our enemies on the ground access to our drone feeds and cyber warfare can inflict indefinite havoc on our critical infrastructure, we need to rethink what technological superiority means and how we keep it.

No defense system is foolproof. That’s why we build redundancy into the system and layer our defenses with “defense in depth,” so that just because the enemy infiltrates one layer, doesn’t mean that our defenses are laid bare.

When in fact, we become aware that our systems have been compromised, it is only responsible for us to re-secure them, bolster them with additional defenses, or take those systems out of commission.

It was shocking to learn this week in multiple reports in the Wall Street Journal that our UAV drones and their surveillance systems that have been so critical in our fight against terror in Iraq and Afghanistan were compromised, and the feeds intercepted by $25.95 software sold over the Internet. These feeds were found on the laptops of the very militants we were fighting against. Reportedly, we knew about this vulnerability ever since the war in Bosnia.

It is incredible to imagine our massive multi-billion dollar defense investments and technological know-how being upended by some commercial-off-the-shelf software bought online for the price of a family dinner at McDonalds. But what makes it even worse is that we knew for nearly two decades that the enemy had compromised our systems, yet we did not fix the problem.

A number of reasons have been circulated about why the necessary encryption was not added to the drones, as follows:

- It would have resulted in an increase in cost to the development and deployment of the systems.

- There would be a detriment to our being able to quickly share surveillance information within the U.S. military and with allies.

- There was immediate battlefield need for the drones because of the immediate concern about roadside bombs and therefore there was apparently no time to address this issue.

Based on the above, one may possibly be able to understand why the Joint Chiefs “largely dismissed” the need to repair the drones’ security flaw. However, it also seems that they were overconfident. For any “Are You Smarter Than A Fifth Grader” contestant can tell you that if the enemy can see and hear what we see and hear, then they can take action to subvert our military and intelligence resources, and the critical element of surprise is gone—the mission is compromised.

Of course as civilians we are not privy to all the information that our leaders have. And one can say that if all you have are compromised drones, then those are what you must use. Nevertheless, officials interviewed by the Journal point to the hubris that influenced the decision in this situation – as the report states:

“The Pentagon assumed that local adversaries [in Iraq and Afghanistan] wouldn’t know how to exploit” the vulnerability. So, the result was that we kept building and deploying the same vulnerable systems, over a long period of time!

This is not the first time that we have both been overconfident in our technological superiority and underestimated competitors and opponents in foreign countries—with disastrous results. There are the human tragedies of Pearl Harbor and 9/11, to name just two. And then there are the economic challenges of global competition, such as in the automobile industry and overseas manufacturing in general.

And if some terrorist cells on the run can so clearly compromise our technical know-how, shouldn’t we be even more concerned about established nations who are well financed and determined to undermine our security? For example, just this week, a group calling itself the “Iranian Cyber Army” hacked and defaced Twitter and we were helpless to prevent it. Also noteworthy is that this same week, it was reported that our defense plans with respect to South Korea, including operational details, were hacked into and stolen by North Korea.

Unfortunately, however, we do not even seem to take threats from other nations as seriously as we should: As the Journal reported, “senior U.S. military officers working for the Joint Chiefs of Staff discussed the danger of Russia and China intercepting and doctoring video from the drone aircraft in 2004, but the Pentagon didn’t begin securing signals until this year.”

I am deeply respectful of our military and the men and women who put their lives on the line for our nation. It is because of that deep respect that I reach out with concern about our overconfidence that we are technologically superior, and about our dismissal and underestimation of the resolve of our enemies.

How $26 Can Buy You A Billion-Dollar Surveillance System

Let's Not Understate the Cyber Threat

Wow. I read with some surprise and consternation an article in Government Computer News, 4 December 2009. In this article, the author portrays the fears of a “digital Pearl Harbor” or overwhelming cyber attack on the United States as overblown—almost as if it’s of no real possibility or significant impact. In short, the article states:

“What good would it do an attacker to take down the vital U.S. networks? While the damage to this country could be great, the benefit to an attack would be nil if it could not be followed up. The real threat of cyber warfare is not in stand-alone attacks, but in attacks coordinated with military action.”

While, I agree that a coordinated attack is obviously more dangerous than a cyber attack alone, the threat and potential damage of a cyber attack could potentially be devastating—with or without military action.

Let’s think for a second about how the military traditionally projects force around the world through conventional warfare—taking control of the air, land, and sea. Control the sea-lanes and you have power over 90%+ of international commerce. Control the land and you have power over people’s daily lives—including their ability to satisfy even basic needs for food, clothing, and shelter, their personal safety, and even their ability to govern themselves. Control the air and you control freedom of movement on the ground, people’s basic comings and goings. Traditional military power can affect just about every facet of people’s lives including ultimately the taking of life itself i.e. paying “the ultimate price.”

Now think for a second, about what a massive cyber attack could potentially do to us. At this stage in history, we have to ask ourselves not what elements could be affected by cyber attack, but what elements of our lives would not be impacted? This is the case since virtually our entire civil and elements of the military infrastructure are dependent on the Internet and the computers that are connected to them. If you “pull the plug” or corrupt the interconnected systems, “watch out” seems apropos.

The same areas that are vulnerable to traditional military attack are threatened by cyber attack: Commerce, Energy, Transportation, Finance, Health, Agriculture, (Defense)…are all deeply interwoven and dependent on our interconnected computer systems—and this is the case more and more.

Think e-Commerce, online banking and finance, manufacturing production systems, transportation systems, food production and safety, the energy grid, electronic health records, C4ISR, and so on.

While thank G-d, we have been spared a really devastating attack to date (if you exclude the massive data compromised/stolen in recent cyber attacks), we would be derelict in responsibilities for ensuring safety and security if we thought that was it.

Further, while unpleasant as it may be, we should consider the impact in terms of potential for physical harm or loss of life in the event of a serious cyber attack?

While many brush aside this possibility, there is certainly the potential. Even putting aside the potential public panic/chaos and ensuing loss of life and property that could occur in a serious attack, how about just taking out a single, major facility—like a dam, power plant, reservoir, electrical hub, transportation system, and so on. This is an important focus of efforts to ensure critical infrastructure protection, a public-private sector partnership initiative.

Rep. Lamar Smith, R-Texas said "Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives.”

Sure, a severe and consequential attack would require ample skills, knowhow, resources, and sophistication—it is no small feat—but with the hosts of cyber criminals, terrorists, and hostile nation states out there increasingly trying to hack our systems, there is valid cause for concern.

This recognition of what’s possible does not mean it is probable or imminent. However, the awareness and understanding of our increasing dependence on the Internet and related systems and the acknowledgement that there are those out there—as in 9-11—who seek to do our country harm, should not blind us with fear, but rather spark us to constructively deal with the challenge and take proactive actions to secure the ever expanding realm of cyberspace.

The Executive Summary in the CyberSpace Policy Review that was conducted by the White House in 2009 sums it up, this way:

“The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.”

We should not and cannot understate the possible threats against our nation, but rather we need to act responsibility and rationality, with resolve to protect our nation, before and not only after. As the CyberSpace Policy Review states:

“The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat. We need to demonstrate abroad and at home that the United States takes cybersecurity-related issues, policies, and activities seriously.”

Fortunately, our nation has recognized the potential threat and is acting, as Security Focus reported on June 24, 2009: “The U.S. Secretary of Defense ordered the military to create a unified command to act as the nation's central hub for cyber capabilities and commanded the Pentagon to develop a policy framework for cyberspace operations.”

On a personal note, I am grateful for the many good, hardworking people in our military, civilian and private sector that are working to secure cyberspace for us, and believe we need to do this with vigor and resolve. It’s necessary in order to safeguard our future that is ever reliant on technology.

Let's Not Understate the Cyber Threat

Personal Technology Trumps Work IT

The pendulum has definitely swung—our personal and home technology is now often better than what we are using in the office.

It wasn’t always that way. Early on, technology was mysterious to those not professionally engaged as system engineers or IT professionals. Technology was expensive and made sense for business purposes, but not for home use. IT was a professional enabler to get the job done, but consumer applications were scarce and not intuitive for anything but the office.

The world has turned upside down. Now as consumers, we are using the latest and greatest computers, smart phones, gaming devices, and software applications, including everything social media and e-Commerce, while in the office, we are running old operating systems, have nerdy phones, locked down computers, applications that aren’t web-enabled, and social media that is often blocked.

The Wall Street Journal (16 November 2009) summed up the situation this way:

“At the office, you’ve got a sluggish computer running aging software, and the email system routinely badgers you to delete message after you blow through the storage limits set by your IT department. Searching your company’s internal website feels like being transported back to the pre-Google era of irrelevant results…This is the double life many people lead: yesterday’s technology for work, today’s technology for everything else…The past decade has brought awesome innovations to the marketplace--Internet search, the iPhone, Twitter, and so on, but consumers, not companies, embrace them first and with the most gusto.”

What gives and why are we somehow loosing our technical edge in the workplace?

Rapid Pace of Change—We have been on technological tear for the last 20 years now; virtually nothing is the same—from the Internet to cloud computing, from cell phones and pagers to smart phones and iPhones, from email to social media, and so much more. From a consumer perspective, we are enamored with the latest gadgets and capabilities to make our life easier and more enjoyable though technology. But at work, executives are tiring from the pace of technological change and the large IT budgets that are needed to keep up with the Jones. This is especially the case, as financial markets have seized in the last few years, credit has tightened, revenue and profitability has been under extreme pressure, and many companies have laid off employees and others have even gone kaput.

Magnificent Technology Failures—Along with the rapid pace of change, has come huge IT project failure rates. The Standish group reported this year that 82% of IT projects are failing or seriously challenged. Why in the world would corporate executives want to invest more money, when their past and present IT investments have been flushed down the toilet? Executives have lost faith in IT’s ability to upgrade their legacy systems and fulfill the promises behind the slew of IT investments already made. Related to this is the question of true cost-benefit and total cost of ownership of all the new technologies and their associated investments—if we haven’t been able to achieve or show the return on investment on all the prior investments, why should we continue investing and investing? Is the payoff really there? Perhaps, we are better off putting the dollars into meeting core mission requirements and not overhead, like IT?

Security Risks Abound—With all the technology has come a whole new organizational risk set in terms of IT security. Organizations are hostage to cyber criminals, terrorists, and hostile nation states who can with a few keyboard strokes or mouse clicks disable the company transaction capability, wipe out its memory, steal its information, or otherwise neutralize it from functioning. And the more technology we add, the more the risk level seems to increase. For example, the thinking goes that we were safer when we ran everything in a locked down, tightly controlled, mainframe environment. The more we push the envelope on this and have moved to client server, the web, and now to even more transparency, information sharing, and collaboration—through social media, cloud computing, and World 2.0—the thinking is that we are potentially more open to local and global threats than ever before. Further, with the nation under virtually constant cyberattack and our capabilities to slow or stop these attacks seemingly not existent at this time, executives are reluctant to open up the technology vulnerability spigot any further.

While there are many other reasons slowing or impeding our technology adoption at work, we cannot stop our march of IT advancement and progress.

We are in a global competitive marketplace and the world waits for no one. The problems resulting from the speed and cost of change, the high IT project failure-rate, and the cybersecurity danger/challenges cannot be allowed to inhibit us from progress. We must address these issues head on: We have got to achieve efficiencies from technological advancement and plow the cost-savings into next generation technologies. We have got to drastically improve our IT project success rate though mature implementations of enterprise architecture, IT governance, project management, customer relationship management, and performance measurement (Reference: The CIO Support Services Framework). And we must invest heavily in IT security—with money, people, policy, training, new technology safeguards, and more.

Innovation, technological prowess, and information superiority is what gives us our edge—it is tip of our spear. So yes, we must carefully plan/architect, wisely invest, execute well, and secure our IT. But no, we cannot dismiss the evolving technologies outright nor jump in without proper controls. We must move rationally, but determined into the future.

Personal Technology Trumps Work IT

Cloud Computing, The Next Evolution

On November 4-5 2009, I attended a good CSC Leading Edge Forum on Cloud Computing.

The kickoff by W. Brain Arthur was a highlight for me (he is the author of The Nature of Technology). He provided an excellent conceptualization of cloud and it’s place in overall technology advancement and body of world innovation. Essentially, he sees cloud in the 2000’s as the next evolution from the Internet in the 1990s. As such, the cloud is computational power in the “virtual world,” providing a host of benefits including easy access, connectivity, and cost efficiency. He sees the cloud coming out of the initial frenzy and into a industry sort-out that will result in a stable build out.

Another great speaker was David Moschelle from CSC who talked about the myriad benefits of moving to cloud such as scalability, self-service, pay as you go, agility, and ability to assemble and disassemble needed components virtually on the fly. With the cloud, we no longer have to own the computing means of production.

Of course, we also talked about the challenges, particularly security. Another speaker also spoke about the latency issues on the WAN with cloud, which currently limits some usability for transactional processing.

Over the course of the forum numerous examples of success were given including Bechtel achieving a 90% cost advantage by moving storage to the cloud. Others, such as Amazon were able to put up new web sites in 3 weeks versus 4-6 months previously. Also, Educational Testing Service as another example is using cloud bursting, since they tend to run data center at known cyclical peaks.

Others connected cloud with social computing: “the future of business is collaboration, the future of collaboration is in the cloud.”

In terms of the major types of cloud, I thought the relationship between responsibility and control was interesting. For example:

• Software as a Service -- more “freedom” from responsibility for service, but less freedom to change service (i.e. less control)
• Platform as a Service – (Hybrid)
• Infrastructure as a Service – less freedom from responsibility for actual end-user services, more freedom to change service provision (i.e. more control)

In all cases, the examples demonstrated that organizations do not have a lot of leeway with SLAs with cloud providers. It’s pretty much a take it or leave it proposition. With liability to the vendor for an outage being limited to basically the cost of the service, not the cost of lost business or organizational downtime. However, it was noted that these mega-vendors providing cloud services probably have a better availability and security than it’s customers could have on their own. In other words, an outage or security breach will either way cost, and where is there a greater chance of this happening?

Sort of a good summary was this: “Leading companies are moving development/test and disaster recovery to the cloud,” but then this will reverse and companies will actually move their production in the cloud and provide mainly a back up and recovery capability in house. This is similar to how we handle energy now, were we get our electricity from the utilities, but have a back-up generator should the lights go dark.

Cloud Computing, The Next Evolution

Privacy vs. Exhibitionism

We are a nation torn between on one hand wanting our privacy safeguarded and on the other hand wanting to share ourselves openly and often on the Internet—through Social Media, e-Commerce, e-mail, and so forth.

These days, we have more information about ourselves available to others than at any time in history. We are information exhibitionists—essentially an open book—sharing virtually everything about ourselves to everybody.

Online, we have our personal profile, photos, videos, likes and dislikes, birth date, addresses, email and phone contacts, employer, resume, friends and family connections, banking information, real estate transactions, legal proceedings, tax returns, and more. We have become an open book to the world. In a sense we have become an exhibitionistic nation.

While we continue to friend, blog, tweet, and post our thoughts, feelings, and personal information online, we are shocked and dismayed when there is a violation of our privacy.

How did we get to this point—here are some major milestones on privacy (in part from MIT Technology Review--July/August 2009):

1787—“Privacy” does not appear in Constitution, but the concept is embedded in protections such as “restrictions of quartering soldiers in private homes (Third Amendment), prohibition against unreasonable search and seizure (Fourth Amendment), prohibition against forcing a person to be a witness against himself (Fifth Amendment).

1794—Telegraph invented

1876—Telephone invented

1890—Boston Lawyers Samuel Warren and Louis Brandeis wrote in Harvard Law Review of “the right to be let alone” and warned that invasive technologies threatened to take “what was whispered in the closet” and have it “proclaimed from the house-tops.”

1914—Federal Trade Commission Act prohibits businesses from engaging in “unfair or deceptive acts or practices”; has been extended to require companies to write privacy policies describing what they do with personal information they collect from customers and to honor these policies.

1934—Federal Communications Act limits government wiretapping

1969—ARPANet (precursor to Internet) went live

1970—Fair Credit Reporting Act regulates collections, dissemination, and use of consumer information, including credit information

1971—First e-mail sent.

1973—Code of Fair Information Practices limits secret data banks, requires that organizations ensure they are reliable and protected from unauthorized access, provides for individuals to be able to view their records and correct errors.

1974—Privacy Act prohibits disclosure of personally identifiable information from federal agency.

1988—Video Privacy Protection Act protects against disclosure of video rentals and sales.

1996—Health Insurance Portability and Accountability Act (HIPPA) protects against disclosures by health care providers.

1999—Scott McNealy, CEO of Sun Microsystems states: “You have zero privacy anyway. Get over it.”

2000—Children’s Online Privacy Protection Act prohibits intentional collections of information from children 12 or younger

2001—USA Patriot Act expands government’s power to investigate suspected terrorism acts

2003—Do Not Call Implementation Act limits telemarketing calls

2006—Google Docs release for creating and editing docs online

2009—Facebook 4^th most popular website in the world

As anyone can see, there is quite a lot of history to protecting privacy. Obviously, we want to be protected. We need to feel secure. We fear our information being misused, exploited, or otherwise getting out of our control.

Yet, as technology progresses, the power of information sharing, collaboration, and online access is endlessly enticing as it is useful, convenient, and entertaining. We love to go online and communicate with people near and far, conduct e-commence for any product near seamlessly, and work more and more productively and creatively.

The dichotomy between privacy and exhibitionism is strong and disturbing. How do we ensure privacy when we insist on openness?

First, let me say that I believe the issue here is greater than the somewhat simplistic answers that are currently out there. Obviously, we must rely on common sense + technology.

From a common sense perspective, we need to personally safeguard truly private information—social security numbers and mother’s maiden name are just the obvious. We need not only be concerned about distinct pieces of information, but information in the aggregate. In other words, individual pieces of information may not be easily exploitable, but when aggregated together with other publically available information—you may now be truly exposed.

In terms of technology, we need to invest more time, money, and effort into securing our systems and networks. Unfortunately, businesses are more concerned with quarterly revenue and profit targets than with securing our personal information. We have got to incentivize every business, organization, and government entity to put security and privacy first. Just like we teach our children, “safety first”, we need to change our adult priorities as well or risk serious harm to ourselves and our nation from cyber criminals, terrorisms, and hostile nation states.

But the real issue is, why do we continue to treat technology as if it is more secure and private than it truly is? In a sense, we shut our eyes to the dangers that we know are lurking, and tell ourselves “it only happens to somebody else.” How do we curb our enthusiasm for technological progress with a realism of recognizing the very real dangers that persist?

Privacy vs. Exhibitionism