The Risk Factor

"We have discovered serious problems with the FDCA (Field Data Collection Automation) program and I am personally involved in bringing key issues to the surface and developing a way forward. In short, the current situation is unacceptable. The American people expect and deserve a timely and accurate Decennial Census..."

So testified Carlos M. Gutierrez, Secretary of the U.S. Department of Commerce at a hearing yesterday in front of the U.S. Senate Committee on Homeland Security and Governmental Affairs on the status of the 2010 Census. Gutierrez finally awoke to the fact that the 2010 Census is in deep and very deep kimshe.

So serious is the trouble that in a highly unusual mid-session announcement, the U.S. Government Accountability Office (GAO) yesterday designated the 2010 Census Project as High Risk, which is in my opinion about 2 years late, since the program is already in trouble, not potentially in trouble.

The cause of the problem which the Census has been trying to paper over for quite some time is that it depends on 500,000 handheld computers to replace its paper-based collection system. As is always the case, it looked very easy to do on paper, but proved to be harder to do in reality.

The Census reasoning seems to have been along the lines of: if Fed Ex can use handhelds to track packages, why can we do the same for collecting Census data - should be dead easy, right? The idea in itself wasn't not outrageous, as long as the risks involved were clearly understood and managed. The GAO report makes clear - as the GAO has several times in the past - that they weren't (and from reading the report still aren't) on both accounts.

In Gutierrez's testimony, he goes on to state that the Census discovered late last year a "gap" as he calls it "between the capacity to get the work done and the amount of time remaining. One of the main reasons for this gap was significant miscommunication concerning technical requirements between the Census Bureau and Harris [the prime contractor]. The lack of clarity in defining technical requirements was a serious problem especially with regard to the testing and functionality of the handheld devices in a full Census environment. For example, discrepancies arose over data upload times, screen change speed and data storage capabilities."

So let me get this straight - with a little more than six months to go before a full scale dress rehearsal of the system, it was discovered that there was still major miscommunication between the Census and the contractor about basic performance parameters for the device to be used by hundreds of thousands of census takers? Weren't these parameters weren't spelled out in detail in the contract? Or did Harris follow the contract, and now the Census has figured out that what it specified won't do? Did Harris tell them there were problems, but the Census didn't listen? What the hell happened here?

Interestingly, back in November 2005, the Government Communications Systems Division (GCSD) of Harris achieved "a Capability Maturity Model Integration (CMMI®) Maturity Level 3 rating. The Level 3 rating denotes superior process maturity within the division's program management, engineering, quality assurance, and other disciplines, and achievement of this rating has become a competitive differentiator on many government programs." I wonder if this rating helped Harris win the Census contract?

At the very least, I think the division's CMMI rating may need to be re-evaluated, or maybe better, the US government better start looking at what, if anything, SEI CMMI Level 3 actually means in practice.

Alas, the Census provided Harris with an updated set of requirements in mid-January 2008; hopefully they are the correct and technically feasible ones.

In the testimony yesterday, it came out that it may cost another $2 billion to "ensure" that the 2010 Census actually can succeed, on top of the $11.5 billion already allocated to the Census (of which $3 billion was for the IT portion of the Census). It also appears the probability of completing the Census on time is dropping rapidly unless there is a marked turnaround. The dress rehearsal in May will give better indication of the true risk status of the situation.

Gutierrez' also said yesterday, "There is no question that both the Census Bureau and Harris could have done things differently and better over the past couple of years."

No kidding?

What I really want to know is who in management is going to be held accountable for this excess level of risk mismanagement, incompetent communication, and rank amateurism in program and contract management. Or is it business as usual, with "mistakes were made," "we have learned from this experience," blah, blah, blah.

The folks at Government Executive have been following this slowly unfolding big time blunder in the making closely, and you can read more about it here, here and here.

Government Executive has a story that says that "International Business Machines Corp. and its subsidiaries are suspended from receiving new federal contracts, certain subcontracts and some types of federal assistance and benefits, due to an action taken by the Environmental Protection Agency that extends government-wide, according to federal documents."

"According to the Excluded Parties List System, maintained by the General Services Administration, the EPA took action against IBM on March 27, pursuant to Executive Order 12549, created in 1986 to curb fraud, waste and abuse in federal programs."

The article says that neither the EPA or IBM will say why the suspension happened.

Update:

The AP is reporting that EPA lifted its suspension of IBM today (Friday, 04 April). The suspension resulted from an $84 million EPA contract IBM lost in 2007 and is protesting, and EPA's suspicion that there was some unethical bidding on the part of IBM in relation to the contract (which the company denies). IBM earlier this week said it was blindsided by the suspension.

The U.S. Census Bureau announced yesterday that it was reverting back to paper from its plan of using handheld computers for the 2010 Decennial Census. The reason?

According to Director of the Census Steve H. Murdock's testimony before the United States House Appropriations Subcommittee on Commerce, Justice and Science, "the problem with the FDCA (Field Data Collection Automation) program was due to a lack of communication between the Census Bureau and the prime contractor for FDCA, and to difficulties the contractor had in developing the full scope of the project within our deadlines. From the beginning, we did not effectively convey to the contractor the complexity of census operations, and the detailed requirements that needed to be fulfilled in order to complete the operations that FDCA covers."

In U.S. Secretary of Commerce Carlos M. Gutierrez testimony, he said that, "In 2007, the Address Canvassing dress rehearsal was conducted, at which time development and scoping problems emerged. Reports from the Census Bureau’s field staff, consultants from the non-profit MITRE Corporation working for the Bureau, and the Government Accountability Office confirmed these problems. The department’s Inspector General also raised concerns."

"In late 2007 and early 2008, more than 400 new or clarified technical requirements were identified by the Census Bureau. Upon the realization of the large scope of requirement changes, Census Director Murdock established the 2010 Census FDCA Risk Reduction Task Force, to begin to propose and evaluate options to keep the FDCA program on track. These efforts served to clarify the issues and confirm the urgent need for action."

The action was to punt (and bad mouth the contractor as much as possible even as the Bureau "accepted responsibility").

Gutierrez's testimony, as damning as it is, fails to mention that both technical and management issues with the handhelds were raised well before May of 2007 - all the May 2007 dress rehearsal did is to confirm them. Even as the sirens were going off that major trouble was brewing and that urgent action was required to be taken by July 2007 at the very latest, the Census Bureau and especially Gutierrez himself kept their collective heads in the sand, all the while claiming the project was moving along smartly, and that the critics (like me) were unjustifiably bashing the program.

Guess I wasn't, after all.

So, another $2.2 billion to $3 billion will be spent on top of the $11 billion already allocated to complete the census. What the hell, it's only taxpayer money.

Kudos to the Census Bureau for creating yet another case study on how not to manage a large scale software project in government. A classic IT blunder and debacle all rolled into one.

That said, let's hope that Congress demands a thorough, open and detailed analysis of this project be under taken now - before the files are "lost" - and a plan developed outlining how the Census plans to automate the 2020 census actually using for once the lessons learned.

Want to bet that this won't happen?

The London Times last week reported that the new UK children’s database which is part of the Every Child Matters program "will contain details of relatives with drinking problems and of relationship difficulties between parents. The register is intended to identify and help youngsters felt to have problems holding them back at school. It is not designed for children at risk of harm but for those with any health, learning or general wellbeing problems."

What's more the story says that, "The common assessment scheme will encourage professionals such as teachers and doctors, who have contact with children, to pass on concerns to assessors who will then talk to families about a child’s homelife."

The details that are going to be put into database "include 'family routines', evidence of a 'disorganised/chaotic lifestyle' and 'any serious difficulties in the parents’ 'relationship' " as well as "signs of mental illness or alcohol misuse by relatives, quality of accommodation and 'ways in which the family’s income is used' " according to guidance the UK government is providing.

Is this a recipe for trouble or what? How soon do you think it will be before loads of teenagers, angry after being disciplined by their parents, decide to use this scheme as a way to get back at them?

And exactly what objective standards are going to be used by assessors? For example, how does one measure a disorganized/chaotic lifestyle?

The London Times is reporting that the UK National Health Service (NHS) is looking for two senior executives to take over the job of leading its electronic health record project National Programme for IT (NPfIT). The salary is $400,000 or possibly more, with the "exact package to be negotiated and agreed with the successful candidates."

The two jobs cover the work covered by Richard Granger who resigned as Director-General, NHS IT, last year after five years.

Anyone interested? You have until the 28th of April to apply.

In a bit of good news, Government Computer News reports that a new Internal Revenue Service (IRS) computer program upgrade allowed the taxpayer rebate checks to be sent out a week earlier than expected. The initial schedule called for the checks to be sent this Friday, 2 May, but now they are going out today.

Some 130 million taxpayers are expected to receive a total of $110 billion starting now and running into July. The checks, which will be (depending on income) $600 per taxpayer, $1200 per couple and $300 per child, will be sent out according to the last two numbers of a person's Social Security number.

The IRS is also warning of likely scams in regard to the rebates as well. As noted on the IRS website:

"Some people have received phone calls about the economic stimulus payments, in which the caller impersonates an IRS employee. The caller asks the taxpayer for their Social Security and bank account numbers, claiming that the IRS needs the information to complete the processing of the taxayer's payment. In reality, the IRS uses the information contained on the taxpayer's tax return to process stimulus payments, rather than contacting taxpayers by phone or e-mail."

"An e-mail claiming to come from the IRS about the '2008 Economic Stimulus Refund' tells recipients to click on a link to fill out a form, apparently for direct deposit of the payment into their bank account. This appears to be an identity theft scheme to obtain recipients' personal and financial information so the scammers can clean out their victims' financial accounts. In reality, taxpayers do not have to fill out a separate form to get a stimulus payment or have it directly deposited; all they had to do was file a tax return and provide direct deposit information on the return."

So, spend wisely and avoid the scammers.

And kudos to the IRS.

The US Social Security Administration (SSA) is planning, for the third time, to start reducing its dependence on mainframe systems and COBOL code, according to a story in Federal Computer Week.

Testifying before the US House Ways and Means Committee, SSA Commissioner Michael Astrue said that the SSA would hopefully soon start moving to "a unified information technology system to replace the current 54 separate COBOL-based systems." Those 54 systems consist of some 36 million lines of COBOL.

Assuming that all the stakeholders can agree and resources can be found, this will mark the third such attempt by SSA to try to modernize its systems in the past 25 years. The first attempt began in 1982 as a ten-year, $500 million System Modernization Plan (SMP). It was canceled in 1988 after modest improvements to SSA systems.

In 1992, SSA began another effort called the Engineered Disability System "collapsed" (Astrue's characterization) in 1999 after costing $71 million.

Given that the first "baby boomer" retired last year, and she will soon be followed 80 million more in the next 21 years, SSA better hurry up, and get it right this time.

In a move it said was a "simple matter of transparency and democracy," the Italian Revenue Agency on Wednesday posted without warning the details of the total revenue, income tax paid and other personal information of Italian citizens in 2005, including those of politicians, soccer players and TV personalities. The move was to an attempt to expose tax evasion by Premier Romano Prodi's outgoing government. According to an Italian government report from 2007, the amount of unpaid tax in the country is equivalent to 7% of gross domestic product.

Within hours, Italy's Privacy Authority ordered the tax agency to suspend the posting, saying it presented "clear and serious problems" under the country's privacy rules. However, before the information was removed from the web, much of the information had already been captured and circulated via peer-to-peer file sharing websites.

The Italian tax payers' association is advising people to download forms from its website to help them claim 500 euros in damages each from the tax authority.

Think of the firestorm if something like that happened in the US.

Last December, I wrote about the 219 Internal Revenue Service (IRS) employees disciplined for snooping into taxpayer records last year.

This week, the UK's HM Revenue and Customs (HMRC) which suffered a major data breach last year, announced this week that it had disciplined 600 of its staff over the past three years for inappropriately accessing customer records. There were 238 people disciplined in 2005, 180 in 2006, and 192 in 2007.

I guess the temptation to peek is just too great for many people in these organizations.

There have been rumors of a high-level government laptop breach floating around in last couple of days. The rumor looks confirmed by an AP report this morning that says the US government is investigating whether Commerce Secretary Carlos M. Gutierrez's laptop contents were copied during a recent trip to China and the information captured used to hack into the Department of Commerce's computers.

According to the story, "Surreptitious copying is believed to have occurred when a laptop was left unattended during Gutierrez's trip to Beijing for trade talks in December..."

The story adds that, "In the period after Gutierrez returned from China in December, the U.S. Computer Emergency Readiness Team - known as US-CERT, some of the government's leading computer forensic experts - rushed to the Commerce Department on at least three occasions to respond to serious attempts at data break-ins ..."

The AP story also says, "The Commerce Department break-ins have been so serious that its Bureau of Industry and Security, which regulates exports of sensitive technology that might be used in weapons, effectively unplugged itself from the Internet."

In another, very long story that appeared in Government Executive, Chinese hackers are suspected as causing recent power blackouts in New York and Florida.

As reported in the story, "Tim Bennett, the former president of the Cyber Security Industry Alliance, a leading trade group, said that U.S. intelligence officials have told him that the PLA in 2003 gained access to a network that controlled electric power systems serving the northeastern United States. ...These officials believe that the intrusion may have precipitated the largest blackout in North American history, which occurred in August of that year. A 9,300-square-mile area, touching Michigan, Ohio, New York, and parts of Canada, lost power; an estimated 50 million people were affected."

{Update: A blog over at Wired throws some cold water on this idea.}

The story goes on to describe the potential threat of a cyber attack, especially on the US banking system.

As an example, "Lawrence Wright of The New Yorker reported earlier this year that [Director of National Intelligence Mike] McConnell told Bush during the 2006 Oval Office meeting, 'If the 9/11 perpetrators had focused on a single U.S. bank through cyberattack and it had been successful, it would have had an order-of-magnitude greater impact on the U.S. economy.' According to Wright, the president was disturbed, and then asked Treasury Secretary Henry Paulson Jr., who was at the meeting, if McConnell was correct; Paulson assured the president that he was."

The story has a nice quote from Gen. William Lord, the provisional commander of the new US Air Force Cyberspace Command, that I think nicely sums up the problem of cyber warfare: "The problem with this kind of warfare is determining who is the enemy, what is their intent, and where are they, and then what can you do about it?"

Tom Shoop's blog at Government Executive magazine (where I also blog occasionally), has an interesting post that I have been meaning to write about. Tom found posts (JOHO the Blog, BoingBoing) about a recent Enterprise 2.0 conference in Boston where two CIA officials gave a presentation called "From the Bottom-Up: Building the 21st Century Intelligence Community" that focused on Intellipedia.

Apparently, during the presentation, the officials referenced the Office of Strategic Services (OSS) 1944 field manual on sabotage techniques. The purpose of the manual was to provide OSS agents with "simple sabotage" methods involving the "human element" that "frequently is responsible for accidents, delays, and general obstructions even under normal circumstances."

The manual goes on to say, "The potential saboteur should discover what types of faulty decisions and non-cooperation are normally found in his kind of work and should then devise his sabotage as to 'enlarge the margin for error.'"

The types of things that the saboteur should look for? (I cribbed this mostly from Tom who copied it verbatim from the manual)

Under section 11, General Interference with Organisations and Production, the OSS manual lists several approaches to consider, such as, for:

(a) Organizations and Conferences

(1) Insist on doing everything through "channels." Never permit short-cuts to be taken in order to expedite decisions.
(2) Make "speeches." Talk as frequently as possible and at great length. Illustrate your "points" by long anecdotes and accounts of personal experiences. Never hesitate to make a few appropriate "patriotic" comments.
(3) When possible, refer all matters to committees, for "further study and consideration." Attempt to make the committees as large as possible — never less than five.
(4) Bring up irrelevant issues as frequently as possible.
(5) Haggle over precise wordings of communications, minutes, resolutions.
(6) Refer back to matters decided upon at the last meeting and attempt to re-open the question of the advisability of that decision.
(7) Advocate "caution." Be "reasonable" and urge your fellow-conferees to be "reasonable" and avoid haste which might result in embarrassments or difficulties later on.
(8) Be worried about the propriety of any decision — raise the question of whether such action as is contemplated lies within the jurisdiction of the group or whether it might conflict with the policy of some higher echelon.

You just have to love government thinking.

The inspector general of Social Security, Patrick P. O'Carroll, released a report this week that called for the removal of Social Security numbers from Medicare cards that are used by more than 40 million Americans. O'Carroll wants the numbers removed because they pose a risk of identity theft.

As quoted in the New York Times, O'Carroll said, "Displaying such information on Medicare cards unnecessarily places millions of individuals at risk for identity theft. We do not believe a federal agency should place more value on convenience than the security of its beneficiaries' personal information."

So how do Medicare officials respond?

It tells the inspector general to go take a hike.

"Charlene M. Frizzera, chief operating officer of the Centers for Medicare and Medicaid Services, played down the risk of identity theft from the misuse of Medicare cards. If the government suddenly issued new Medicare cards or identification numbers, she said, it could startle or alarm beneficiaries. 'We don't want to scare them,' Frizzera said," in the Times story.

I wonder what studies Medicare did investigating "senior fright" when social security numbers are replaced by some other number. Virginia has been removing social security numbers from driver licenses for the past few years - maybe Medicare can conduct a survey of how frightened seniors became when that change-over happened.

The real reason, of course, is that Medicare thinks making the change would be too costly.

According to the story:

Frizzera said that "issuing new Medicare cards would be 'a huge undertaking.' The agency would need three years to plan such a move and eight more years to carry it out, she said."

In addition, "Medicare officials estimate that it would cost $500 million to change their computer systems if they issued new ID numbers to beneficiaries. Doctors, hospitals and other health care providers use those numbers in filing claims with Medicare, which pays a billion claims a year."

Hmm, it would take 11 years to fully make the change? And Medicare is worried that seniors would be "startled" by the "sudden" change?

Given the current life expectancy of many of those currently on Medicare, no doubt many would be dead before they ever saw their numbers change given this project schedule.

And other organizations, like Blue Cross and Blue Shield, who cover 100 million individuals, stopped using Social Security numbers years ago. They didn't need 11 years or $500 million that I know of.

According to the story, only Congress can force Medicare to make the change. Maybe it needs to before the wave of baby boomers like me really begin to retire.

BTW, I for one, promise not to be scared if Medicare makes the change. And I'll even pay a one-time $20 fee towards the conversion when I sign up for Medicare.

Today’s New York Times had a story on the problems the US government is having in attracting young engineers and computer scientists into defense work. As I noted a while ago, engineers and computer scientists would rather work in the commercial sector than in government.

The article interviewed Dr. Paul Kaminski, the former Undersecretary of Defense for Acquisition and Technology from 1994 to 1997, about the brain drain which has become a “big factor in a breakdown in engineering management that has made huge cost overruns and long delays the maddening norm.”

The loss of expertise from the retirement of engineers/computer scientists has coincided with the inability to recruit replacements. As a result, both the engineering and management talent needed in defense programs is lacking.

Kaminski also highlighted in the article the critical deficiency in systems engineering expertise found in defense programs. He recently headed a National Academy study on systems engineering (or better put, the lack thereof) in the US Air Force which resulted in a report published earlier this year titled, “Pre-Milestone A and Early-Phase Systems Engineering: A Retrospective Review and Benefits for Future Air Force Acquisition.”

So what happens when systems engineering expertise is missing?

Kaminski noted a military satellite system, for instance, that was “designed to detect foreign missile launchings that ... [which] was inexplicably designed with two sensors that cannot operate simultaneously on the same spacecraft without extensive, costly shielding to prevent electromagnetic interference generated by one from disabling the other.”

Another? How about “a complex network of communications satellites that the Pentagon started building without a coherent plan for integration with an existing system or a consistent set of requirements to accommodate the needs of the four military services.”

Obviously, when these types of basic elements are missing, program costs and schedules increased dramatically, and the systems don't deliver what was originally promised or expected.

As a side note, I interviewed Dr. Kaminski among many other former and current defense acquisition officials for an upcoming article on defense acquisition which is scheduled for publication in IEEE Spectrum this fall. He is a very fascinating person to talk to as well as one who is universally and very highly respected by his peers in both industry and government.

The San Francisco Chronicle has a fascinating story today on a disgruntled San Francisco city computer engineer who "has virtually commandeered San Francisco's new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail."

The computer engineer by the name of Terry Childs - who no doubt will be long remembered for this in computer lore - lives in Pittsburg, California and according to the paper has been charged with four counts of computer tampering. He is scheduled to be arraigned today.

The paper says that "Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said."

Childs worked for San Francisco for 5 years, and had recently been disciplined for poor job performance. City officials also tried to fire him, apparently without success. Childs supposedly started tampering with the system on 20 June.

City officials are worried that Childs has an accomplice who may try to destroy city documents including e-mails, city payroll files, confidential law enforcement documents and jail inmates' bookings.

No motive for the tampering has been given - yet.

I suspect this story will be making the national news very soon.

Update: 23 July 2008

According to a ComputerWorld report, Childs gave the passwords to Mayor Gavin Newsom two nights ago. Childs is still in jail on $5 million bond, and intends to show that what he did was authorized by management, claims his attorney. Watch this space for more details as they emerge.

The Russian news agency ITAR-TASS reported over the weekend that Russia's President Dmitry Medvedev said in a speech in Petrozavodsk that he "threatened to fire the government officials having no command of information technologies."

According to ITAR-Tass, Medvedev said that:

"You either learn it or we say good-bye to you. We don't offer jobs to people who can't read of write, do we? And possession of user skills is just the same thing today."

Tass also reported, "His speech included references to the 'electronic government', which means the use of IT for introducing simpler procedures of interaction between citizens and state bureaucracy. Medvedev believes that a mechanism of this kind is less liable to corruption."

Hmm, Medvedev may later change his mind on that last statement.

It is interesting to contrast Medvedev, who according to TASS, "is known as an advanced user of the Internet and an ardent proponent of computerized and information technologies," with some of the US political leadership.

The UK Ministry of Defense (MoD) has revised its figures late last week on the number of laptops lost or had stolen since 2004 to 747 (658 stolen, 89 lost), double the 347 figure it had said in February. Defence Secretary Des Browne gave out the new numbers after "anomalies in the reporting process" were found.

So far, only 32 laptops have been recovered.

MoD also admitted that 121 USB storage devices have been lost or stolen as well, 87 of which contained classified information including 5 that had secret-level data.

BTW, if you really are keeping count, a 659th stolen laptop was reported last week after the numbers were released.

Given the average of one MoD laptop being lost or stolen every two days, the 750th mark has probably been reached already as well - it just hasn't been reported yet.

Also, there was no break-down regarding how laptops many were lost at airports.

The state of Florida has had to send out $44 million in emergency payments to over 5,600 Medicaid providers who have not been reimbursed for over a month due to computer problems, the Tampa Tribune reports.

It appears that Florida's new $308 million Medicaid computer system (covering its development and operations over 5 years) that went live on the 26th of June continues to reject a significant number of on-line claims for reimbursements, often stating that the provider wasn't authorized for payment. Promises to fix the problems made two weeks ago are still unfulfilled.

According to the Tribune story, "After filling out a claim and trying to submit it on the computer, many were told they didn't have billing authorization or their client wasn't eligible for Medicaid. Often, when the claim was accepted and they tried to open it later, they were told it did not exist. Then, if they tried to resubmit the claim, it was rejected as a duplicate."

One of the major requirements of new system reportedly was to allow for the processing of on-line reimbursement claims.

Initially, Florida Medicaid officials blamed users for the problem, saying that the system was complex and they just didn't know how to use it. However, the officials now acknowledge that there are "coding problems."

So far, Florida officials haven't used the old chestnut, "All systems of this complexity have teething problems" - at least not yet.

The 911 system in Prince Williams County, Virginia has suffered disruptions at least five times in the past two months due at least in part to computer problems, according to a story in the Washington Post that appeared yesterday.

What makes the situation even scarier is that when the system had a problem, 911 operators did not know about it.

According the story, the 911 system went through an upgrade on the 28th of May. On that day, a software problem "caused calls from people reporting a house fire to become 'trapped in the equipment.'"

Then, on the 4th of July, calls couldn't get through because "a newly-installed server rebooted itself, logging off operators without their knowledge."

On the 11th of July, more 911 calls didn't get through on two more incidents, which the county did not know about again until after the fact. County officials said that they had no way to actively detect problems in the current 911 system.

Roger Hixson, technical issues director at the National Emergency Number Association made the point that, "It seems a little curious that you could log anyone off with no indication of that fact. It doesn't seem like a very fail-safe approach."

The problems have all appeared to be now fixed, but only time will really tell if they indeed have been.

The US Senate’s Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security heard testimony yesterday on what its describes as the “Dismal State of Information Technology Planning in the Federal Government.”

And dismal it is.

According to the US Government Accountability Office, "OMB (Office of Management and Budget) and federal agencies have identified approximately 413 IT projects--totaling at least $25.2 billion in expenditures for fiscal year 2008--as being poorly planned, poorly performing, or both. Specifically, through the Management Watch List process, OMB determined that 352 projects (totaling about $23.4 billion) are poorly planned. In addition, agencies reported that 87 of their high risk projects (totaling about $4.8 billion) were poorly performing. Twenty-six projects (totaling about $3 billion) are considered both poorly planned and poorly performing.”

In addition, the GAO noted, that “48 percent of the federal government's major IT projects have been rebaselined for several reasons, including changes in project goals and changes in funding. Of those rebaselined projects, 51 percent were rebaselined at least twice and about 11 percent were rebaselined 4 times or more.”

Rebaselining a project is an old trick to make projects appear in better shape than they really are.

Why the government continues to fund poorly planned and poorly performing projects instead of calling on the IT mercy rule is beyond me.

Government Executive magazine has three stories (here, here and here) on what transpired at the hearing in more detail for those you with a strong stomach.

There is an interesting brouhaha brewing in California. California is facing a massive 15.2 billion budget deficit, and needs to raise taxes, cut services or both to close the gap. These alternatives, of course, have caused massive political infighting over what to do (i.e, whose ox is going to be gored), resulting in the lack of an agreed state budget for the next fiscal year, which started 1 July.

To help force the issue, Republican California Gov. Arnold Schwarzenegger signed an executive order to pay about 180,000 California state workers only the federal minimum wage until a state budget is enacted. Once the budget was enacted, the employees would then be paid their back pay.

No can do, says Democrat California state Controller John Chiang.

Why?

According to the Sacramento Bee, Chiang says "it would take at least six months to reconfigure the state's payroll system to issue blanket checks at the federal minimum wage of $6.55 per hour."

Then Chiang stated that "it would take an additional nine to 10 months to issue back pay to employees when the budget is approved."

You see, the payroll system is an old COBOL-based system that is hard to change. And, according to the Bee, $177 million is needed to upgrade the payroll system into something more modern - an amount California legislators don't want to spend.

As a result, today's LA Times has a story in it about Gov. Schwarzenegger suing Controller Chiang to force compliance with his executive order.

Both sides expect to win in court.

Only in California.

There has been a lot of press about a "cyber war" being waged between Georgia and Russia in conjunction with the real warfare that has been taking place over the past week between the two countries. Both Georgian and Russian governments are accusing each other of trying to shut down their country's websites and other IT infrastructure systems.

While it is clear that hacking of each country's IT systems has been going on, it is unclear whether it is government inspired or nationalistic hackers. It is going to take some time before the electrons clear and the question is resolved, if it can be.

More interesting, there is a story in the Wall Street Journal today that explored once again the question of whether a massive cyberattack on a country constitutes an act of war. No one seems really sure.

As noted in the story, "The Pentagon doesn't have a policy on whether a cyberattack can be an act of war, said Pentagon spokesman Lt. Col. Eric Butterbaugh, adding, 'it's ultimately the perception of the country under attack as to whether an act of war was committed.' The Pentagon has, however, assigned its [USAF] Strategic Command to head up cyberprotection and cybercounter-attack operations.' "

As far as that second statement, Government Executive reported yesterday that the USAF has temporarily halted its plans to be cyber command central. According to the Air Force, this action was planned all along, although it took many people by surprise, since 1 October was the planned start date of Cyber Command operations.

"The Secretary and Chief of Staff of the Air Force have considered delaying currently planned actions on Air Force Cyber Command to allow ample time for a comprehensive assessment of all AFCYBER requirements and to synchronize the AFCYBER mission with other key Air Force initiatives," an Air Force spokesperson said.

The Government Executive story says more likely the other military services (especially the Navy) felt left out, and wanted to slow the Air Force down before it could solidify its position as lead service in the cyber warfare mission.

Ohio Secretary of State Jennifer Brunner announced earlier this week that poll workers won't be able to bring voting machines home for "safekeeping" before November's presidential election, according to news reports.

The practice - which has been standard operating procedure in 24 of Ohio's 88 counties for years - is quaintly called "sleepovers."

In acknowledgment to the blindingly obvious, Brunner said the practice would no longer be allowed because of a fear of voter machine tampering.

I, for one, never heard of such a thing before. Does anyone know of other states that allow such voting machine sleepovers?