Spectrum Online—Tomorrows Technology Today


September 2007 Archives

September 4, 2007

About That New FAA Contract

I received an interesting comment from a friend of mine, Dr. Martyn Thomas, on my last post concerning the new FAA air traffic control contract. Martyn wrote,

It's relatively easy to jam satellite signals, because they are so weak. It's very hard to jam radar. Has anyone published a vulnerability study for the proposals for ADS-B?

Interesting question. Anyone (especially from ITT or the FAA) have an answer?

Data Mining Your Kids' Conversations

AT&T is now offering a Web-based feature called AT&T Smart Limits that will "allow parents to stay in touch with their children while controlling their children's mobile phone use." The service will, according to AT&T's website:

"Set limits for:
* Minutes
* Text and instant messages
* Download purchases
* Time of day or night the phone can be used
* Numbers the phone can call or text (incoming and outgoing)
* Internet content access
Once a limit is reached, the service will be restricted. Calls to and from phone numbers designated as Allowed Numbers and calls to 911 will continue to be allowed, regardless of the limits you set."

All yours for $4.99 a month.


Security Meltdowns

The past few weeks we saw another flood of news about IS&T security lapses. We had Monster.com reporting that 1 million or more of its customers had their information stolen, and the same hackers broke into the US Office of Personnel Management's website USAJobs.gov and made off with personnel information on 146K more people. Monster provides technical support to the OPM website. Monster admitted that it has been hacked several times, and only recently reported the fact.

Then there was a report that in the state of Connecticut, there was a "theft of a Department of Revenue Services laptop containing sensitive taxpayer information (which) it took eleven days to notify affected citizens of the incident."

At the same time, another report noted that, "A Maryland Department of the Environment laptop computer stolen from an employee's car last weekend held personal information, including Social Security numbers, for 10,000 residents registered with one of four state boards."

Back in Connecticut, there was this report: "Pfizer Inc. has revealed its third data breach in three months, this time affecting the personal information of an estimated 34,000 people... Pfizer said it did not realize sensitive information had been compromised until July 10. Letters to attorneys general around the nation alerting them to the data breach were dated Aug. 23, more than seven weeks after Pfizer became aware of the problem and more than eight months after the information was exposed."


Customs System Now on the Fast Track to Be Upgraded

Last month, malfunctions at the US Customs and Border Protection computer system at LAX caused massive problems for internationally arriving passengers. Today's LA Times reported that the planned overhaul of the computer system is being moved up. According to Ken Ritchhart, assistant commissioner in the Office of Information and Technology with Customs and Border Protection:

By Thanksgiving, or Christmas at the latest, the entire customs system at LAX will be redone, with not only new workstations, network switches, routers and cables, but also a snazzy new satellite backup system that will allow screeners to access network databases should local routers fail.

It bothers me when someone hedges their bets on an IS&T delivery date like that - it says the plan was made in haste - but we won't have to wait long to see whether that "snazzy" new system is put into place by Christmas.

September 6, 2007

A Masterclass in Bad Decision-making

The UK Public Accounts Committee (PAC) published its report regarding The Delays in Administering the 2005 Single Payment Scheme in England. The delays are estimated to cost UK taxpayers some £500 million.

As reported in the London Times, "the Single Farm Payment Scheme, introduced two years ago, aimed to pay farmers for their stewardship of the land rather than the number of animals they reared for meat."

The Times went on to say that Edward Leigh, the Tory MP who chaired the review committee, said the farmers' payment project was “a masterclass in bad decision-making, poor planning, incomplete testing of IT controls, confused lines of responsibility, scant objective management information and a failure by the management team to face up to the unfolding crisis.” Sounds like a classic IT blunder to me.

The PAC report listed some 15 lessons learned, or maybe better put, not learned. As an example, this is from number 14:

"The implementation of the single payment scheme was subject to four Office of Government Commerce Gateway Reviews between May 2004 and February 2006, and three of these Reviews assessed the programme as "red". Development work on the computer system nevertheless continued and no contingency plan was invoked, despite limited confidence that the system would be ready on time. If 'red' reviews are to be taken seriously, departments need to be explicit about the circumstances in which they would lead to fundamental review or termination of a project."

Maybe the first lesson is to teach senior government IT managers that red means stop, green means go. Or maybe better, test them to see if they are color blind.

Everyone Should Have Their DNA on a Database

As I wrote a couple of days ago, the UK seems determined to make 1984 a reality. A senior UK judge, Lord Justice Sedley, in the name of fairness, called for everyone in the UK, including visitors, to have their DNA captured in a database. He objects that only those who come in contact with the criminal justice system have their DNA captured.

According to the London Guardian, Sedley said that "disproportionate numbers of people from ethnic minorities were on the database. 'It also means that a great many people who are walking the streets, and whose DNA would show them guilty of crimes, go free,' he said."

If George Orwell were alive today and updating 1984, I wonder how IS&T would influence the story line.

Another Data-Mining Project Bites the Dust

The Department of Homeland Security (DHS), after spending $42 million, has shut down its anti-terrorism data-mining tool Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE). Seems that it was being tested with information on real people rather than made-up data, which was against policy and probably the law.

According to the AP story, "ADVISE is not expected to be restarted," DHS spokesman Russ Knocke said. DHS' Science and Technology directorate "determined that new commercial products now offer similar functionality while costing significantly less to maintain than ADVISE."

ADVISE (I wonder how long and how much it cost to come up with that acronym) was supposed to, among other things, report on suspicious people going through customs. In a bit of multiple ironies, the London Guardian disclosed just the day before ADVISE was being closed, that the Metropolitan Police's Special Branch had been spying on George Orwell.

One report from 1942 noted that Orwell was a suspicious character because he dressed "in a bohemian fashion both at his office and in his leisure hours."

Hmm, I wonder if ADVISE was also data mining for people who fit the profile "bohemian fashion," "work hours" and "leisure hours" as a match for "suspicious person." If not, maybe the new, commercial data mining products can be set to look out for these characteristics - never know who you might catch.

And just think what Special Branch could have done with ADVISE back then.


Bombs Away LeMay Turning Over in His Grave

Sorry to go off the IS&T trail, but the news that a B-52 was flying around with six unauthorized nuclear weapons made me think fondly (or not so fondly) of my time long ago as an Air Force airborne communications, navigation and electronics warfare technician in Strategic Air Command (SAC).

Say what you will about Gen. Curtis LeMay, he insisted upon and made damn sure that high operating standards were developed, instituted, trained to, and maintained in SAC even after he left - and there was hell to pay if you didn't meet those standards. Maintaining positive control over nuclear weapons was an absolute, non-negotiable; working on an alert bird was always a bit tense as there were these ever present military police with loaded weapons around ready (and I think hoping) to take you out if you violated protocol.

The episode shows how easy it is for risk management, even when nuclear weapons are involved, to become "routine." The Air Force, of course, says this was an isolated incident ("All evidence seems to point to this being an isolated mistake"); however, it should never have happened. This was supposed to be an "impossible event."

LeMay once supposedly said, "I have neither the time nor the inclination to differentiate between the incompetent and the merely unfortunate." In this case, no matter how you slice it, the unfortunate was a matter of incompetence.

Articles on the NHS NPfIT

Dr. Brian Randell, Emeritus Professor, and Senior Research Investigator, School of Computing Science, University of Newcastle upon Tyne, was kind enough to let me know that the Journal of Information Technology has just released an issue focused on the UK National Health Service's (NHS) National Program for IT (NPfIT), its electronic health record initiative.

I think you'll find the articles very informative.

Another 25 Year Anniversary

In case you missed it, this week was the 25th anniversary of the first personal computer virus. The virus, dubbed "Elk Cloner", was created for the Apple II by Rich Skrenta as a prank when he was a ninth-grader.

It is also the fiftieth anniversary of the launch of the Ford Edsel, which became synonymous with the word blunder.

Just thought you'd want to know.

September 9, 2007

That's Technology Folks

" ... the technology road is bumpy... This is life in the technology lane"

And it is full of pot holes. No, that wasn't in Steve Jobs' open letter to early adopters of Apple's iPhone, but it was at least implied.

Mr. Jobs had to issue the apology after thoroughly irritating customers who shelled out $599 a few months ago for their new iPhone, only to learn that Apple was cutting its price by $200 to try to gain a strategic, if not insurmountable, market share during the upcoming Christmas season.

Jobs appears to be following former HP Chairman and CEO Lewis Platt's old dictum, “We have to be willing to cannibalize what we’re doing today in order to ensure our leadership in the future. It’s counter to human nature, but you have to kill your business while it is still working.”

Investors didn't take too kindly to Jobs' announcement, as they viewed it as Apple cannibalizing its earnings, and therefore their investments, too soon. Apple also didn't help matters much by announcing a new iPod which looks a lot like an iPhone without the calling features. Apple's stock dropped about 5% this week in all.

Probably more of an issue is that many folks who bought iPhones now think they were not only out $200, but went from being cool to being uncool. Even my local small town newspaper has an article about how much coolness that $200 bought.


Maybe They'll All Quit

Zalmai Azmi, the FBI's CIO, was reported in Federal Computer Week as saying that, "Cultural differences are the biggest obstacle preventing intelligence agencies from starting information-sharing programs."

He reportedly went on to say that, “The introduction of new blood would help do things differently."

Good luck. I thought that too over thirty years ago when I worked as a junior engineer in the Defense Department. I still hold that same thought today.

I wonder if Azmi is hinting that there may be problems behind the scenes with Sentinel, the follow-on to the infamous Virtual Case File system. Information-sharing is a critical aspect of Sentinel.

Is Azmi worried that even if Sentinel is built, FBI agents won't be inclined to use it, or they will find ways to keep information from being shared with other agencies?

Sounds Familiar

In today's New York Times, there was a letter referring to the mid-August tragic fire at the Deutsche Bank building in New York City that cost two fire fighters, Joseph Graffagnino and Robert Beddia, their lives. I have been following the fire and its aftermath because of the risk management issues involved.

The letter struck me because it reminded me of what happens in so many IS&T project failures:

Many construction and demolition problems occur because of unrealistically low budgets or severe scheduling restrictions placed by the building’s owners when soliciting bids. Building owners trying to foist low budgets on contractors will generally require the contractor to cut corners.

Time will tell whether these were contributing causes to the eventual fire and loss of life, but if it were an IS&T project failure I was evaluating, experience would say to give it a high probability.

September 11, 2007

Business Virtual Worlds

The Conference Board, a leading business thought leadership organization, has released a report on the trend of companies using virtual worlds. As the Conference Board notes in its press release,

Leading companies including Cisco, IBM, and Dell already have a substantial presence in Second Life. Retailers such as Circuit City and Sears also have a presence, and information services providers such as Reuters have built large installations that offer a menu of financial data, including videos of up-to-the-minute news clippings.

The Conference Board report discusses eight questions executives should ask about whether they should create a presence in virtual worlds, ranging from "What is your entry strategy" to "Is your IT department up for the job?"

You can tell that virtual worlds are more than a fad when the Conference Board writes a report on it.

Medical Chip Implants - Is There a New Risk?

In June, I wrote about the AMA's approval of a policy that at the time was seen as likely increasing the use of implanted chips using RFID technology to record and transmit patient medical history.

The Associated Press has recently released an investigative news story questioning the safety of these chips. Some medical studies indicated that these chip implants appeared to induce malignant tumors in some lab mice and rats. While pointing out that what happened in the lab mice and rats doesn't necessarily mean the same thing will happen in humans, a more compelling question raised in the article was why these studies did not seem to be reviewed by the FDA when it approved the use of chip implants.

As acknowledged by the FDA, there are some risks associated with chip implants, "The potential risks to health associated with the device are adverse tissue reaction, migration of implanted transponder, compromised information security, failure of implanted transponder, failure of inserter, failure of electronic scanner, electromagnetic interference, electrical hazards, magnetic resonance imaging incompatibility, and needle stick."

It is way too early to see if this possible new health risk will slow down further the use of chip implants (VeriChip, the company that has been approved by the FDA to sell chip implants did see its stock drop by more than 10% on the publication of the AP story), but in a related story, the California Senate passed legislation that blocks the mandatory use of ID chip implants in employees. The bill had already been passed by the State Assembly and now awaits action by Gov. Schwarzenegger.

Shooting the Messenger

One of the first things one learns as a risk analyst is that you had better develop a tough skin. No one wants to hear about potential problems, and some people, as today's story in the Wall Street Journal (subscription required) points out, can get downright nasty about it.

In one example, the CEO of a software company got so angry about a product continuing to slip its schedule that he decided to make an example of, and fired, the VP who told him about the latest slip. The CEO wanted to send a message, in other words: "I finally got so exasperated that I let the word go out that I simply did not want to hear any more 'excuses' about why the schedule could not be met".

Lo and behold, no one was willing to be the next messenger ("No one ever came forward to tell me the truth about the status of the program for a very long time thereafter"), which in the end, he admitted, cost the company even more time and money, since no one was making decisions with objective information.

Funny how that CEO was evidently surprised by this - shoot people with bad news, get no more bad news, but reality still bites you in the butt anyway!

One of my favorite maxims in relation to risk communication is by the late Nobel Prize winning physicist Richard Feynman, who said in relation to the NASA Challenger disaster and NASA's reluctance to hear bad news, "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled."

Again, you can shoot all the messengers you want (or embrace only those who bring you good news), but what is - is. Live with it.

September 12, 2007

Privacy Threefer

A nice little column by consumer reporter David Lazarus in the LA Times today on privacy - or the lack thereof - when a person signs up for a bundled subscription package, e.g., voice, video and Internet services, from one company.

According to Lazarus, if you sign up for Time-Warner's package in California, for example, the privacy agreement states that the company can monitor what you watch on television and who you call, as well as what sites you surf and things you buy. It also says that Time-Warner is going to keep that information as long as you are a subscriber and for up to 15 additional years, supposedly for "tax purposes."

And one more thing - Time-Warner says that it can also monitor what you send in e-mails if you use their service.

Given all this information about what you're doing and thinking, you'd at least think its customer service would be better. Or maybe that is why it is rated poorly.

Little Bits of Chaos: Systems Going Bad

"We don’t need hackers to break the systems because they’re falling apart by themselves,” said Dr. Peter Neumann in a New York Times article, "Who Needs Hackers?", discussing how IT systems are falling apart. Peter and several others discuss the increasing complexity of IT systems today, and how system design and development haven't been keeping up, often as a matter of convenience more than lack of knowledge (which I also argue in my IEEE Spectrum article "Why Software Fails.")

Some 19 years ago, almost to the day (11 September 1988), the NY Times published a story titled "In Computer Behavior, Elements of Chaos." In this article, the late Dr. Alan Perlis postulated that the breakdown in networks that was occurring with greater regularity during the late 1980s "lies in the inevitable disparity between the real world and the models used to simulate it. Even the finest computer simulation is only an approximation. At some point that cannot be determined in advance, the discrepancies between reality and the computer's simplified world view will lead to a chaotic breakdown."

"The only way we can improve our systems is to be prepared to continually redesign them when they fail - which they almost certainly will."

Some things never seem to change, eh?

September 16, 2007

A Divorce Lawyer's Best Friends

You may be able to trust your friends with your secrets, but your PC and telephone will rat you out in a heartbeat.

That's the gist of a story in yesterday's New York Times about the ever increasing use of e-mail messages, Web site visits, text messages, and the like in divorce proceedings.

One New York lawyer said that 75% of her cases involve some kind of electronic communication, and that she routinely asks for court orders to seize and copy hard drives. Installing spyware on the family computer or stealing a phone to get at the stored text messages are also described as being common tactics used by one or both spouses looking for evidence of say infidelity.

Different states have different rules for admitting this type of information, but most lawyers interviewed said that if something is stored electronically, it will likely be used.

One more benefit of living in a computerized age.

TJX Fraud Ring-leader Sentenced

A ring-leader in the TJX credit card fraud episode has been sentenced to 5 years in prison and fined $600K.

According to news reports, Irving Escobar (aged 19) was one of 10 people who charged over $10 million using the stolen information. However, authorities admit they don't know who actually hacked into the TJX systems, only that Escobar and the others made use of the information.

Stay tuned.

Do You Know the Meaning of NO Review?

Homer Simpson: Facts are meaningless. You could use facts to prove anything that's even remotely true!

Last week, Sir Derek Wanless delivered his second review in the past five years on the UK National Health Service's efforts at modernization. According to the London Times, Wanless found that even after spending an additional £43 billion:

The money poured into the NHS has failed to produce a more efficient service, or to reduce unhealthy lifestyles.

As a result, more money will be needed.

The Guardian newspaper reported that Sir Derek's report included "a warning that slow progress on introducing new IT systems could seriously undermine the productivity gains envisaged in 2002." He recommended that "... the £12bn programme run by the NHS agency Connecting for Health should undergo detailed external scrutiny to ensure the benefits will outweigh the costs."


September 18, 2007

Hacking Economics

According to a story in the London Telegraph, information from stolen credit cards is selling on the Internet for as little as 25p. Bank account information sells for between £15 and £200, while social security and other identification cards cost less than £5.

The price of stolen credit card information has dropped about 75% over the past six months, as supply seems to be outstripping demand. The most valuable information is detailed address and personal information, say from MySpace or Facebook, used to craft highly targeted phishing schemes.

With the falling prices, now might be a good time for authorities to follow Gresham's Law and deliberately flood the Net with bogus stolen credit information and such to drive the prices down even further, and force hackers to spend energy trying to determine what is real from what is bogus information.

So Much for Medical Privacy

As reported in ComputerWeekly, a UK National Health Service (NHS) primary care trust admitted that some 50 staff members viewed the electronic records of a celebrity who had been admitted into its care. At least it wasn't like what happened to a baseball player in New York a while ago, who had over 150 hospital staff looking at his records.

It has been argued by electronic health record advocates that medical records are more secure because you will be able to tell who had access to them, and that this would therefore deter snoops, but as the report above notes, this may be less effective than proclaimed.

On the same day as this story hit (an interesting coincidence), the non-profit group called the E-Health Vulnerability Reporting Program (EHVRP) released their 15-month study assessing the security risks associated with electronic health record (EHR) systems. Quoting from its executive summary:

• In all cases, evaluated EHR system vulnerabilities could be identified using standard tools and techniques. Subsets of these vulnerabilities were exploited to gain control of the application and access to data to demonstrate the potential consequences.

• EHR vendors are either not disclosing or inadequately disclosing system vulnerabilities to customers, preventing organizations from appropriately managing risk or implementing compensating controls.

• No industry organization could be identified that has established guidelines or practices to appropriately mitigate and manage risks associated with ehealth systems.

• No industry organization could be identified that has the responsibility, charter or mission to address security vulnerabilities in ehealth systems.

The bottom line: there is a lot more work to do to ensure EHR security and hence privacy.

New Software Reuse Risk

"Unfathomable."

That's how Gov. M. Jodi Rell of Connecticut described the incident involving a computer backup tape, stolen in June from a car in Ohio, that contained bank account data, among other financial data, for nearly all Connecticut state agencies, as well as sensitive information on 1.3 million Ohio residents, according to an article in the New York Times.

The tape was in the car of an intern working for Accenture, which was hired by both Connecticut and Ohio to develop a computer system integrating payroll, accounting, personnel and other fiscal functions. According to the Times report, "Rich Harris, a spokesman for Governor Rell, said yesterday that Accenture seemed to have used the program it created for Connecticut as a template for its project in Ohio, 'and it’s our understanding that this is how the data got mixed up' on the tape."


September 20, 2007

You've Got To Be Kidding Me

In Allan Holmes's Tech Insider blog over at Government Executive magazine, he quotes part of the testimony of John Glaser, vice president and CIO for Partners Healthcare in Boston, given at the Senate Committee on Veterans' Affairs regarding how easy it is to share electronic health records (EHRs). When Glaser was asked what the private sector experience was with sharing EHRs at the scale of what the VA and Defense are trying to do, he said:

"A common EHR? That's interesting to me. That's a codeword for, 'You got to be kidding me.'"

This was undoubtedly a splash of cold water on those Senators who think creating inter-operable EHRs is just a matter of a few lines of software code.

Paperless Airline Tickets

Just in case you missed it, by the end of May 2008 paper tickets will virtually be no more. According to the Associated Press, on June 1, the International Air Transport Association that handles ticketing for most major airlines will stop issuing paper tickets. Some small regional or foreign airlines will continue to issue paper tickets, but they will be a small minority of regional carriers.

I can hardly wait for the day when several major airline reservation and ticketing systems like what happened to All Nippon Airways in July have software problems simultaneously, which will no doubt happen on a day where there is bad weather everywhere.

Just Being Inquisitive

The San Jose Mercury News (subscription may be required) reported that a US Department of Commerce agent used government computers to spy on the travel movements of his ex-girlfriend at least 163 times between mid-2003 and mid-2004. He used the Treasury Enforcement Communications System (TECS) to perform his spying.

According to the US Internal Revenue Service website, "TECS is a computerized information system designed to identify individuals and businesses suspected of, or involved in violation of federal law. The TECS is also a communications system permitting message transmittal between Treasury law enforcement offices and other Federal, national, state, and local law enforcement agencies. The TECS provides access to the FBI’s National Crime Information Center (NCIC) and the National Law Enforcement Telecommunication Systems (NLETS) with the capability of communicating directly with state and local enforcement agencies. The NLETS provides direct access to state motor vehicle departments."

The agent faces up to five years in prison, a fine of $250,000 and a three-year term of supervised release. There is no word on whether his ex-girlfriend is going to file stalking charges.
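Both the NHS celebrity-record story ("So Much for Medical Privacy" above) and this TECS case make the same point: an access log that records who looked at what deters nobody unless someone actually reviews it. The script below is an added example (not code from any of the systems or organizations named on this page) of what that review can look like. It runs two simple detectors over a constructed, made-up access log: one flags a record opened by an unusual number of people outside its assigned care team (the "50 staff view one chart" pattern), and the other flags a user who keeps querying the same subject across days (the "163 lookups of one person" pattern). The log format, the user and record identifiers, the care-team assignments and the thresholds are all assumptions for illustration.

```python
"""Audit-log review for insider snooping (added illustration, not a real product).

Two detectors over access-log events, one event per line:
  1. many_eyes: one record opened by many distinct users who are not on its
     assigned care team (staff browsing a celebrity's chart).
  2. fixation: one user querying the same subject again and again, spread
     over several days (an agent repeatedly looking up one person).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Assumed format: <ISO timestamp> <user> <subject> <action>.
SAMPLE_LOG = """
2007-09-18T08:01:00 dr01    PAT-7777 view
2007-09-18T08:05:00 nurse01 PAT-7777 view
2007-09-18T09:10:00 clerk03 PAT-7777 view
2007-09-18T09:12:00 clerk07 PAT-7777 view
2007-09-18T09:15:00 nurse14 PAT-7777 view
2007-09-18T09:20:00 tech22  PAT-7777 view
2007-09-18T10:00:00 dr01    PAT-1001 view
2007-09-18T10:02:00 nurse01 PAT-1001 view
2007-09-18T11:00:00 agent9  SUBJ-42  query
2007-09-18T11:05:00 agent9  SUBJ-42  query
2007-09-19T11:00:00 agent9  SUBJ-42  query
2007-09-20T11:00:00 agent9  SUBJ-42  query
2007-09-21T11:00:00 agent9  SUBJ-42  query
2007-09-21T11:30:00 agent9  SUBJ-43  query
2007-09-21T12:00:00 agent4  SUBJ-42  query
"""

# Constructed care-team assignments: users with a legitimate reason to open a record.
CARE_TEAM = {
    "PAT-7777": {"dr01", "nurse01"},
    "PAT-1001": {"dr01", "nurse01"},
}


def parse_log(text):
    """Parse log text into (timestamp, user, subject, action) tuples; skips blank/comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, subject, action = line.split()
        events.append((datetime.fromisoformat(ts), user, subject, action))
    return events


def many_eyes(events, care_team, min_unexpected_users=3):
    """Return {subject: sorted unexpected viewers} for records opened by at least
    min_unexpected_users distinct users who are not on that record's care team."""
    viewers = defaultdict(set)
    for _, user, subject, _ in events:
        viewers[subject].add(user)
    flagged = {}
    for subject, users in viewers.items():
        unexpected = users - care_team.get(subject, set())
        if len(unexpected) >= min_unexpected_users:
            flagged[subject] = sorted(unexpected)
    return flagged


def fixation(events, min_lookups=5):
    """Return {(user, subject): (lookup count, distinct days)} for user/subject pairs
    with at least min_lookups accesses."""
    counts = defaultdict(int)
    days = defaultdict(set)
    for ts, user, subject, _ in events:
        counts[(user, subject)] += 1
        days[(user, subject)].add(ts.date())
    return {k: (n, len(days[k])) for k, n in counts.items() if n >= min_lookups}


def review_log(text, care_team=CARE_TEAM):
    """Run both detectors over raw log text and return their findings together."""
    events = parse_log(text)
    return {"many_eyes": many_eyes(events, care_team), "fixation": fixation(events)}


if __name__ == "__main__":
    findings = review_log(SAMPLE_LOG)
    for subject, users in findings["many_eyes"].items():
        print(f"record {subject} opened by {len(users)} users outside its care team: {users}")
    for (user, subject), (n, d) in findings["fixation"].items():
        print(f"user {user} looked up {subject} {n} times over {d} days")
```

The care-team map is the important design choice: without some notion of who is expected to open a record, a busy trauma patient's chart looks exactly like a snooped one. In practice that expectation comes from the scheduling or case-assignment system, and the thresholds are tuned per role; the point of the example is only that the log has to be read, and read against a model of legitimate access, before it deters anyone.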