<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:nb="https://www.newsbreak.com/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>Nextgov/FCW - Authors - Jill R. Aitoro</title><link>https://www.nextgov.com/voices/jill-aitoro/2495/</link><description></description><atom:link href="https://www.nextgov.com/rss/voices/jill-aitoro/2495/" rel="self"></atom:link><language>en-us</language><lastBuildDate>Mon, 22 Nov 2010 00:00:00 -0500</lastBuildDate><item><title>Agencies turn to technology for help reducing payment errors</title><link>https://www.nextgov.com/digital-government/2010/11/agencies-turn-to-technology-for-help-reducing-payment-errors/48023/</link><description>No single solution will address all risk of fraud or waste in federal programs, OMB official says.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Mon, 22 Nov 2010 00:00:00 -0500</pubDate><guid>https://www.nextgov.com/digital-government/2010/11/agencies-turn-to-technology-for-help-reducing-payment-errors/48023/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  In the past few years, 14,000 felons, both fugitive and jailed, raked in $230 million in federal benefits they were not entitled to receive. Twenty thousand dead Americans earned $180 million. In 2009 alone, the federal government made $110 billion in improper payments--that's nearly double the amount taxpayers will end up shelling out for the massive financial bailout, according to the latest estimates from the Congressional Budget Office.
&lt;/p&gt;
&lt;p&gt;
  The Office of Management and Budget breaks down the numbers like this: One-third of improper payments can be explained by poor documentation that makes it impossible to verify whether they were accurate, and another third result from failure to confirm individuals are eligible to receive the payments in the first place. The rest boil down to simple program errors, or people duping the system.
&lt;/p&gt;
&lt;p&gt;
  "Just as important as the choice of what strategies to pursue is how we pursue them," Jeffrey Zients, federal chief performance officer and now OMB interim director, said in a memo that outlined a series of goals for improving IT performance. "Where efforts are off-track and a team is not making the necessary midcourse corrections, we will work with them to get efforts back on track. Where progress is being made and breakthroughs achieved, we will celebrate success and work to spread best practices for achieving results across government. Where progress toward a goal shared by multiple agencies requires interagency coordination, or where agencies face similar problems that could benefit from cross-agency attention, we will facilitate those efforts."
&lt;/p&gt;
&lt;p&gt;
  Among the agencies that likely will fall under the microscope is the Internal Revenue Service. More than a quarter of the $48.1 billion in payments made under the Earned Income Tax Credit for low- to moderate-income workers were incorrect, according to the research firm INPUT. Refunds went to recipients for taxes they didn't owe, even though data on workers' income and tax contributions are readily available on the W-2 forms that employers file.
&lt;/p&gt;
&lt;p&gt;
  "Agencies should be able to access more seamlessly information [that would help] prevent these clearly ineligible beneficiaries from receiving payments," says Danny Werfel, controller of OMB's Office of Federal Financial Management. "That requires administrative steps that allow existing data sets to be accessed and linked, and additional data sources created when necessary. We do it, but we need to do it more."
&lt;/p&gt;
&lt;p&gt;
  In July, President Obama signed the 2010 Improper Payments Elimination and Recovery Act, saying it would reduce waste and fraud by $50 billion by 2012. The law requires agencies to conduct recovery audits for programs that spend $1 million or more annually, review programs susceptible to significant payment errors every three years, and plan corrective actions for preventing future waste.
&lt;/p&gt;
&lt;p&gt;
  The White House also launched PaymentAccuracy.gov, a public website to track progress in reducing improper payments, and established the Do Not Pay List for agencies to verify individuals' or contractors' eligibility before making payments. Agencies were instructed to establish prepayment controls that systematically confirm eligibility of payment beneficiaries with existing databases, including the Social Security Administration's Death Master File and the General Services Administration's Excluded Parties List System that tracks companies barred from receiving federal contracts. At the same time, OMB is leading an initiative to integrate relevant databases into a central portal agencies can check prior to making payments.
&lt;/p&gt;
&lt;p&gt;
  "There's an element of cultural change that has to take place," says Frank Blaul, senior vice president of government services at Equifax. The consumer credit reporting agency is among the companies providing input for a white paper OMB is producing in partnership with the industry group TechAmerica. The document will lay out a phased approach to eliminating fraud, waste and abuse in government programs.
&lt;/p&gt;
&lt;p&gt;
  "Some agencies have better defined processes than others, but there is no silver bullet," Blaul says. "There needs to be an evaluation of current systems so improvements can be made, implementation of technology to help mitigate errors, and establishment of policy to ensure these programs are monitored."
&lt;/p&gt;
&lt;p&gt;
  Technology, Werfel agrees, plays a critical role in enabling access and integration of data, "so agencies can make smart, informed judgments before payments are made." But no single technology solution will address all risk of fraud or waste in federal programs. Agencies will have to customize data mining and analytics software to extract patterns from information and to flag anomalies, he says.
&lt;/p&gt;
&lt;p&gt;
  The Health and Human Services Department, whose Medicare program accounted for $24.1 billion in improper payments in 2009, according to a June report from the Government Accountability Office, plans to install data analysis tools to root out fraudulent payments in that program, as well as Medicaid and children's health insurance programs. Under a rule introduced in September, the Centers for Medicare and Medicaid Services will deploy computer applications that alert administrators to suspicious activities in the systems that process requests, including unusual patterns in billing and applying for services.
&lt;/p&gt;
&lt;p&gt;
  "The proposed regulations [provide] important new tools to help us move from a 'pay-and-chase' approach," which identifies unscrupulous acts after the government has issued a check, "to one that makes it harder to commit fraud in the first place," CMS Administrator Donald Berwick said during a conference call with reporters in September.
&lt;/p&gt;
&lt;p&gt;
  The agency will buy more sophisticated analytical tools to screen applications to enroll in the program and to identify patterns in phone calls to the toll-free Medicare hot line from beneficiaries who flag possible problems in the program. CMS also is seeking public comment on the rule's proposal to collect fingerprints from health care providers and suppliers, which would be checked against law enforcement databases.
&lt;/p&gt;
&lt;p&gt;
  Technology solutions depend largely on individual programs, all of which face different challenges in closing loopholes or addressing flaws in their systems. For the Agriculture Department that means finding a way to prevent school employees from ringing up the cost of meals incorrectly, which led to $1.6 billion in improper payments through the School Lunch Program in 2009, INPUT reported. That objective is distinct from HHS identifying individuals attempting to defraud the health insurance system, or the IRS flagging errors taxpayers make in filing their own returns.
&lt;/p&gt;
&lt;p&gt;
  "For the most part, these capabilities are developed as situations arise and are tacked onto the systems that are currently in place," says John Reece, an independent IT consultant and former chief information officer at the IRS. "When we did modernization, we did a thorough re-examination of fraud and nonpayment and late payment of taxes. Those modernized systems reflected our best thinking then, but they've been updated since and will be again. The key is to put in place end-to-end systematic controls that can identify [incidents] of fraud within the program that need to be addressed."
&lt;/p&gt;
&lt;p&gt;
  The simplest solutions often have the biggest impact. Electronic benefits transfer cards, which replaced paper checks for distributing Food Stamps to low-income people, have reduced improper payments at the Agriculture Department from 38 cents per dollar to 1 cent per dollar since 1999, according to INPUT.
&lt;/p&gt;
&lt;p&gt;
  GSA had a markedly different result when it deployed charge cards governmentwide for small and routine purchases. The SmartPay cards were intended to reduce fraud and waste, but they actually did the opposite. The program has been the subject of numerous congressional hearings and Government Accountability Office reports that revealed employees used the cards to purchase personal items.
&lt;/p&gt;
&lt;p&gt;
  "The amount of fraud that slipped through as people tried to control cash and reconcile paper forms was one of the many reasons that drove us to use credit cards in the first place," says Alan Balutis, director and distinguished fellow with Cisco Business Solutions Group.
&lt;/p&gt;
&lt;p&gt;
  Balutis was chief information officer at the Commerce Department when it first began testing the use of charge cards in the mid-1990s. Software linked to the cards can identify potential fraud and waste--flagging charges for certain vendors or products deemed off limits, for example, or notifying administrators when employees exceed caps on expenditures.
&lt;/p&gt;
&lt;p&gt;
  "The problem then and now is the lack of any desire by managers to actually examine the data and take action when the system begins to note certain irregularities," he says. "The failure has never been with the card or the card technology, which has only gotten more powerful and exact over the years; the failure is that no one is paying attention. Do we need some device like the ones in Rube Goldberg cartoons, where smoke bellows out and lights start flashing whenever something abnormal is detected?"
&lt;/p&gt;
&lt;p&gt;
  Though automated processes can go a long way in identifying anomalies in financial systems, the human element is crucial to targeting the right data and taking steps to address problems once they're identified.
&lt;/p&gt;
&lt;p&gt;
  "We've got terabytes of data coming in, but they're only as powerful as the intelligence behind the questions that we ask them to answer," Werfel says. "[Agencies] need to take a multidisciplinary approach to formulating these queries that includes the right combination of people who understand how fraudsters might take advantage of the complexities of the program.
&lt;/p&gt;
&lt;p&gt;
  That's all about analytics and human intelligence, as much as technology. It's where I see the greatest promise for development."
&lt;/p&gt;
&lt;p&gt;
  Technology change breeds operational change, which breeds cultural change, Balutis adds, noting agencies have to consider all three if they want to see any true return on investment.
&lt;/p&gt;
&lt;p&gt;
  "Sometimes we turn to technology as if it is going to be the panacea, without taking a look at some of the other aspects of implementation," Balutis says. "How do you deal now with the vast array of information you're going to get, and the speed with which it's going to occur? To some extent, it takes considerable rethinking of processes and operations."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Effective technology in government depends on executive buy-in, leaders say</title><link>https://www.nextgov.com/modernization/2010/10/effective-technology-in-government-depends-on-executive-buy-in-leaders-say/47767/</link><description>Enterprise architecture shifts IT strategy from the computer room to the boardroom.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Thu, 14 Oct 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/modernization/2010/10/effective-technology-in-government-depends-on-executive-buy-in-leaders-say/47767/</guid><category>Modernization</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  At its core, enterprise architecture is less about computer applications and more about management. That's why Randy Hite, director of information technology architecture and systems at the Government Accountability Office, says assigning the responsibility to the IT shop is the tail trying to wag the dog.
&lt;/p&gt;
&lt;p&gt;
  "Enterprise architecture has to be owned by the executive leadership, the business owners and the CXOs," he says.
&lt;/p&gt;
&lt;p&gt;
  In August, GAO released the second version of its Framework for Assessing and Improving Enterprise Architecture Management--first issued in 2003--which included seven hierarchical stages. Stage one, according to the report, is establishing "institutional commitment" to the IT strategy, with recognition from top executives.
&lt;/p&gt;
&lt;p&gt;
  "EA is a tool that is going to help the senior executives guide and direct the organization, so it has to be owned by them," Hite says. "There needs to first be an understanding by top executives of what EA is, followed by buy-in of this as a corporate strategic asset."
&lt;/p&gt;
&lt;p&gt;
  Defining enterprise architecture, which is somewhat conceptual, is not easy. Many equate it to IT consolidation and standardization: streamlining computer systems and applications so different business units borrow from the same resources. Though not wrong, the definition isn't comprehensive either, Hite says, since it focuses squarely on technology. Viewed properly, enterprise architecture focuses predominantly on the mission and how technology can support it.
&lt;/p&gt;
&lt;p&gt;
  "More times than not, the way an enterprise has been organized defines how it delivers services," Hite says. "But the promise behind EA is you suboptimize the parts in order to optimize the whole."
&lt;/p&gt;
&lt;p&gt;
  This requires cooperation among many disparate entities, which in itself can be a challenge. GAO recommends agencies establish executive committees that include representatives from all business lines--such as acquisition, human resources, finance and information systems--to ensure the architecture is implemented properly and considered in daily operations and project planning.
&lt;/p&gt;
&lt;p&gt;
  "Within the federal government, there are different owners for [most] of the individual management disciplines you see. Everyone has developed their own turf, with the strategy being, 'I do my bit, throw it over the transom and move on,' " says Michael Dunham, manager for enterprise transformation services at WBB Consulting and former chief enterprise architect for the Treasury Department. "The enterprise architecture can help inform an organization's strategic plan by defining where an agency wants to go and where the agency currently is in terms of assets. But that dialogue is not as healthy as it could be. EA is just seen as background noise."
&lt;/p&gt;
&lt;p&gt;
  The 1996 Information Technology Management Reform Act makes chief information officers responsible for developing and maintaining an agency's enterprise architecture, and each Cabinet-level department has a chief architect to drive its implementation. But most agency initiatives are driven from the program office, and top officials must reinforce requirements for program managers to consider the enterprise architecture during their planning, Dunham says.
&lt;/p&gt;
&lt;p&gt;
  "Executive endorsement is there in pockets, but certainly not across the board. Most folks are politicos who will be there for two or three years to perform a specific function; it's few that are coming in and wanting to be really transformational."
&lt;/p&gt;
&lt;p&gt;
  Part of the problem is leadership seems to be waning--at least at the highest levels. President Bush's management agenda assigned agencies color-coded scores for progress on plans that link technology to core missions, but enterprise architecture has barely earned a mention by the Obama administration. Any traces of accountability from the Office of Management and Budget, which declined comment for this article, seem to have disappeared.
&lt;/p&gt;
&lt;p&gt;
  "We always knew governance was important. We'd say we needed buy-in--somebody to sprinkle holy water on this approach of EA so everyone would say hallelujah," says Richard Burk, who was chief architect at OMB from 2005 to 2007 and is now an independent consultant. "My observation now from outside government is that it hasn't been supported during this administration; or if it has been, I don't know where the support has showed up."
&lt;/p&gt;
&lt;p&gt;
  Bob Haycock, OMB's first chief architect from 2002 until 2004, also notes lackluster momentum. "I was lucky enough to land in OMB at that point in time when there was a commitment to EA as both a strategy and an approach," he says. "For those couple of years, it was really significant. Since then, it's dropped off the radar."
&lt;/p&gt;
&lt;p&gt;
  The emphasis now is on what Haycock calls the "latest flavors of the month," including cloud computing and Web 2.0 collaborative applications.
&lt;/p&gt;
&lt;p&gt;
  "Often one approach is pushed aside for what people view as an alternative, but it's really not," he adds. "All these [strategies] still require the structure that is established through an enterprise architecture to understand how services are defined and how they interact. These are all good, effective technologies, but there needs to be some foundation."
&lt;/p&gt;
&lt;p&gt;
  That foundation takes time to create, and officials with the Obama administration are more focused on "throwing data out there for people to use as they choose," says one former federal architect who asked to not be named. "EA is structured by nature and won't result in the same kinds of quick wins."
&lt;/p&gt;
&lt;p&gt;
  Enterprise architecture does not need to be one massive undertaking that demands excessive allocation of resources and funds, observers say. GAO's latest version of the EA Framework provides guidance for agencies to establish a conceptual model of what their enterprise architecture would look like and then to take a phased approach to introducing changes in operations. The key is to make sure the processes and technology support the "contextual blueprint" laid out by the architecture, Hite says, "so you can reap value without necessarily boiling the entire ocean."
&lt;/p&gt;
&lt;p&gt;
  There are hints of progress. In March, federal Chief Architect Kshemendra Paul issued OMB guidance requiring agencies to evaluate the National Information Exchange Model for sharing data across government. The Homeland Security and Justice departments launched NIEM in 2005 to encourage agencies to design processes that enable jurisdictions to share information in emergency situations and day-to-day operations.
&lt;/p&gt;
&lt;p&gt;
  To Burk, sharing capabilities across government is a key advantage to EA.
&lt;/p&gt;
&lt;p&gt;
  "Sometimes we should ask ourselves whether we need to be in this business," he says, noting those initiatives that perhaps support or enhance agency operations, but might not be central to the mission. "The answer in a lot of cases is a resounding no."
&lt;/p&gt;
&lt;p&gt;
  In another step forward, the Defense Department in May approved the second version of its architecture framework, which focuses on "data rather than on developing individual products as described in previous versions," the department stated on its website. In a memo announcing the second version, Defense CIO Dave Wennergren noted plans to develop a virtual platform that will allow for incremental changes to the architecture based on user feedback.
&lt;/p&gt;
&lt;p&gt;
  Defense also joined the United Kingdom, Canada and Australia to establish the International Defence Enterprise Architecture Specification Group to explore ways to make defense architectures interoperable and to ease joint military operations planning. The project is in the initial stages.
&lt;/p&gt;
&lt;p&gt;
  "It's clear that the discipline has matured markedly, but now we face the hard part," Dunham says. "This is not just rearranging chairs on the deck of the Titanic. This can lead to some significant transformation if people will just pay attention--where the hell are we, and where we want to go."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Progress is slow on cybersecurity goals, GAO reports</title><link>https://www.nextgov.com/cybersecurity/2010/10/progress-is-slow-on-cybersecurity-goals-gao-reports/47723/</link><description>A lack of clear roles and responsibilities has hindered advances on President Obama's strategy for safeguarding computer networks, officials tell watchdog.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Thu, 07 Oct 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2010/10/progress-is-slow-on-cybersecurity-goals-gao-reports/47723/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  The White House's failure to assign agencies cybersecurity roles and responsibilities has slowed efforts to implement President Obama's plan for protecting computer networks, according to a new report from the Government Accountability Office.
&lt;/p&gt;
&lt;p&gt;
  Of 24 recommendations in the &lt;a href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf" rel="external"&gt;president's May 2009 cyber policy review&lt;/a&gt;, only two have been fully implemented, GAO said. Those are the appointments of an official to coordinate cybersecurity policies and activities and an official to oversee privacy and civil liberties.
&lt;/p&gt;
&lt;p&gt;
  The 22 remaining recommendations have been only partially implemented, according to the report (&lt;a href="http://www.gao.gov/new.items/d1124.pdf" rel="external"&gt;GAO-11-24&lt;/a&gt;). For example, the plan for managing identities in cyberspace, which would help ensure people, organizations and computers are what they claim to be on the Internet, remains in draft form, though the Obama administration expects to finalize it this month. Also, the White House Office of Science and Technology Policy is establishing a framework that defines areas worthy of further research and development, but it's not expected to be complete until 2011.
&lt;/p&gt;
&lt;p&gt;
  Officials from key agencies involved in cybersecurity efforts, including the Defense and Homeland Security departments, and the Office of Management and Budget, told GAO a lack of clearly assigned roles and responsibilities is hindering progress.
&lt;/p&gt;
&lt;p&gt;
  "Although the policy review report calls for the cybersecurity coordinator to assign roles and responsibilities, agency officials stated they have yet to receive this tasking and attribute this to the fact that the cybersecurity coordinator position was vacant for seven months," David Powner, GAO's director of information technology management issues, said in his report to Congress.
&lt;/p&gt;
&lt;p&gt;
  In addition, officials told GAO some recommendations, such as expanded sharing of information about cyberattacks and vulnerabilities, would take several years to implement.
&lt;/p&gt;
&lt;p&gt;
  The report also noted agencies largely were unable to provide timelines for completing the goals. Specifically, they could not produce milestones or blueprints for fulfilling 16 of the 22 near- and midterm recommendations.
&lt;/p&gt;
&lt;p&gt;
  "Our extensive research and experience at federal agencies have shown that, without clearly and explicitly assigned roles and responsibilities and documented plans, agencies increase the risk that implementing such actions will not fully succeed," Powner said. "Consequently, until roles and responsibilities are made clear, and the schedule and planning shortfalls are adequately addressed, there is increased risk the recommendations will not be successfully completed, which would unnecessarily place the country's cyber infrastructure at risk."
&lt;/p&gt;
&lt;p&gt;
  In oral comments on a draft of the report, Office of the National Cybersecurity Coordinator officials generally concurred with GAO's findings, but said they took exception with statements that gave the "general implication and conclusion that progress is not being made."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>More than half of major corporations report politically motivated cyberattacks</title><link>https://www.nextgov.com/digital-government/2010/10/more-than-half-of-major-corporations-report-politically-motivated-cyberattacks/47720/</link><description>Nearly two-thirds of companies that operate the world's critical infrastructures say the attacks were somewhat to extremely effective.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Wed, 06 Oct 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/digital-government/2010/10/more-than-half-of-major-corporations-report-politically-motivated-cyberattacks/47720/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  More than half of the companies worldwide that support critical services such as banks and energy believed they were victims of cyberattacks inspired by political motives, according to a survey a major security software vendor released on Wednesday.
&lt;/p&gt;
&lt;p&gt;
  Symantec reported 53 percent of the 1,580 companies it &lt;a href="http://www.symantec.com/content/en/us/about/presskits/Symantec_2010_CIP_Study_Global_Data.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2010Oct_worldwide_vision_cip" rel="external"&gt;surveyed&lt;/a&gt;, including those in the energy, finance, communications, information technology, health care and emergency services sectors, said they suspected, or were fairly confident, they had been the target of a cyberattack motivated by a political goal.
&lt;/p&gt;
&lt;p&gt;
  Companies that said they were likely attacked reported being hit 10 times on average in the past five years, and estimated as many as 61 percent of the attacks were somewhat to extremely effective.
&lt;/p&gt;
&lt;p&gt;
  Forty-eight percent believed, or were fairly sure, they will be attacked in the future, and 80 percent believed the frequency of attacks is either staying constant or increasing.
&lt;/p&gt;
&lt;p&gt;
  An unnamed IT director of a midsize energy company quoted in the survey said management had to take "some dramatic actions" to cut off people attempting to break in and retrieve documentation saved on the network, including industry data shared between oil companies in its digital library.
&lt;/p&gt;
&lt;p&gt;
  Respondents also were asked to rate their level of preparedness against common attacks, including attempts to steal electronic information, alter or destroy electronic information, shut down or degrade computer networks, or manipulate physical equipment. While nearly half believed they will experience such attacks in the future, 31 percent felt less than somewhat prepared to defend their systems.
&lt;/p&gt;
&lt;p&gt;
  "Major holes exist in our electric Web across the United States, and it wouldn't take much for hackers to get in and shut it down," Symantec quoted an unnamed IT director for a medium-size finance company as saying.
&lt;/p&gt;
&lt;p&gt;
  Survey respondents generally supported government involvement to protect critical infrastructure, choosing words to describe their countries' critical infrastructure plans as "accepting," "appreciative" and "enthusiastic." Nearly all reported being engaged with their countries' critical infrastructure protection programs to at least some degree. Two-thirds said they were somewhat to completely willing to cooperate with their government on security efforts.
&lt;/p&gt;
&lt;p&gt;
  "Security alone is not enough for critical infrastructure providers of all sizes to withstand today's cyberattacks," Justin Somaini, chief information security officer at Symantec, said in a statement. He pointed to the &lt;a href="http://cybersecurityreport.nextgov.com/2010/09/israel_targets_iran_with_stuxnet_worm.php"&gt;Stuxnet worm&lt;/a&gt;, a highly sophisticated virus that takes control of industrial facilities' networks.
&lt;/p&gt;
&lt;p&gt;
  "[These] are the advanced kind of threats that require security, storage and backup solutions, along with authentication and access control processes to [ensure] true network resiliency," he said.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Supreme Court hears arguments in NASA privacy case</title><link>https://www.nextgov.com/digital-government/2010/10/supreme-court-hears-arguments-in-nasa-privacy-case/47704/</link><description>Justices will decide whether agency's background checks violate contractors' rights.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Tue, 05 Oct 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/digital-government/2010/10/supreme-court-hears-arguments-in-nasa-privacy-case/47704/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  The U.S. Supreme Court heard oral arguments on Tuesday morning to determine whether NASA's implementation of a 2004 presidential directive violates contractors' privacy rights by requiring them to submit to extensive background checks for federal identification badges.
&lt;/p&gt;
&lt;p&gt;
  The high court will &lt;a href="http://www.govexec.com/story_page.cfm?filepath=/dailyfed/0910/093010n1.htm"&gt;review&lt;/a&gt; a 2008 9th Circuit Court of Appeals &lt;a href="http://www.govexec.com/story_page.cfm?filepath=/dailyfed/0108/011408ar1.htm"&gt;injunction&lt;/a&gt; blocking NASA from probing the backgrounds of scientists at the Jet Propulsion Laboratory in Pasadena, Calif., operated by the California Institute of Technology. The appeals court found the investigations were too intrusive, prompting the Justice Department to petition the Supreme Court in November 2009 to review the injunction.
&lt;/p&gt;
&lt;p&gt;
  NASA argued the background checks were necessary to comply with Homeland Security Presidential Directive 12, which established a common identification standard for federal employees and contractors to access government buildings and computers. Under the directive, agencies are responsible for determining the level of background investigations, based on the degree of risk assigned to a position.
&lt;/p&gt;
&lt;p&gt;
  "At issue is a NASA demand that employees who don't do classified work undergo unconstrained background investigations into the most intimate details of their private lives," Robert Nelson, lead plaintiff in the case, said in a statement outside the court following oral arguments. "The information being demanded is irrelevant to our ability to perform our jobs. NASA has made this demand without providing justification. NASA has no need to know."
&lt;/p&gt;
&lt;p&gt;
  In a conversation with &lt;em&gt;Nextgov&lt;/em&gt; after his statement, Nelson said he was "particularly disturbed" by the argument of acting U.S. Solicitor General Neal Kumar Katyal, who "continues to propagate the canard that we do classified work," as an explanation for the in-depth background checks. "The facts are that none of [the employees] even have security clearances," Nelson said. "If he doesn't know that, he is ignorant; if he does, then he's misleading the court."
&lt;/p&gt;
&lt;p&gt;
  Katyal argued in &lt;a href="http://hspd12jpl.org/files/SCOTUS_PetitionerReplyNASA.pdf" rel="external"&gt;a brief&lt;/a&gt; filed with the Supreme Court in September that "even low-risk employees have access to the entire facility and can get very close to facilities where sensitive or classified work is conducted. ... Indeed, any individual granted long-term access to JPL has the potential to cause serious damage to its publically funded missions."
&lt;/p&gt;
&lt;p&gt;
  Nelson said the court is expected to reach a decision in about three months.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Results of cyber drill will help shape final version of response plan</title><link>https://www.nextgov.com/cybersecurity/2010/09/results-of-cyber-drill-will-help-shape-final-version-of-response-plan/47669/</link><description>Government, industry participants test procedures in simulated attack as officials put finishing touches on strategy.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Wed, 29 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2010/09/results-of-cyber-drill-will-help-shape-final-version-of-response-plan/47669/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  Lessons learned this week from the Homeland Security Department's third large-scale cybersecurity drill will help refine the National Cyber Incident Response Plan, which will be finalized for release later this year.
&lt;/p&gt;
&lt;p&gt;
  Cyber Storm III &lt;a href="http://www.nextgov.com/nextgov/ng_20100928_1360.php?oref=topnews"&gt;kicked off&lt;/a&gt; on Tuesday to test the plan, which the Obama administration &lt;a href="http://www.nextgov.com/nextgov/ng_20090617_3622.php"&gt;developed&lt;/a&gt; to guide agencies and companies that would work together during cyberattacks.
&lt;/p&gt;
&lt;p&gt;
  The drill is a tabletop exercise in which narratives describing an attack scenario are e-mailed to participants, who then follow procedures detailed in the response plan. Participants include seven Cabinet-level agencies, 11 state governments and 60 companies representing the information technology, communications, chemical, electrical and transportation sectors.
&lt;/p&gt;
&lt;p&gt;
  The two previous drills, conducted in 2007 and 2008, tested government and industry's ability to recover from cyberattacks crippling computer networks and systems. They revealed various shortcomings in information sharing and coordination. Findings from those exercises influenced the draft version of the National Cyber Incident Response Plan, as well as the scenarios posed in Cyber Storm III, which won't be revealed until completion of the exercise.
&lt;/p&gt;
&lt;p&gt;
  "The sense of excitement is palpable," said Phil Reitinger, deputy undersecretary for Homeland Security's National Protection and Programs Directorate, during a briefing with reporters on Wednesday. "Cybersecurity is beyond the capability of any one agency or one government or one private sector entity. We're looking at how they respond to a number of attacks, but more importantly, how they collaborate."
&lt;/p&gt;
&lt;p&gt;
  Results of the exercise will be incorporated into the final version of the plan, a DHS spokesperson confirmed.
&lt;/p&gt;
&lt;p&gt;
  "This is the plan we're using now; we want to make sure that it remains a living document," Reitinger said. "You don't write the document so when 'XYZ' happens, we'll do 'PQR.' You have to maintain agility."
&lt;/p&gt;
&lt;p&gt;
  Findings from the drill also will guide DHS and other agencies as they upgrade their internal cybersecurity procedures and capabilities.
&lt;/p&gt;
&lt;p&gt;
  Whether DHS eventually will test government and industry's ability to respond to known attacks on actual networks remains to be seen.
&lt;/p&gt;
&lt;p&gt;
  "Live fire in cybersecurity is hard to do because people don't want their networks shut down," Reitinger said. "But an exercise using a simulated [isolated] network would be interesting."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>State Cybersecurity Budgets Declining</title><link>https://www.nextgov.com/cybersecurity/2010/09/state-cybersecurity-budgets-declining/53848/</link><description>Federal agencies maintain a lot of personal information on their computer networks and systems, but it's actually state governments that are the "custodians of the most comprehensive collection of citizens' personally identifiable Information," according to the National Association of State Chief Information Officers. And yet, 79 percent of state cybersecurity chiefs report stagnant or cut budgets, despite an increase in internal and external threats.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Tue, 28 Sep 2010 15:50:23 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2010/09/state-cybersecurity-budgets-declining/53848/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  Federal agencies maintain a lot of personal information on their computer networks and systems, but it's actually state governments that are the "custodians of the most comprehensive collection of citizens' personally identifiable Information," according to the National Association of State Chief Information Officers. And yet, 79 percent of state cybersecurity chiefs report stagnant or cut budgets, despite an increase in internal and external threats.
&lt;/p&gt;
&lt;p&gt;
  NASCIO and Deloitte conducted a &lt;a href="http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_state_2010DeloitteNASCIOCybersecurityStudy_092710.pdf"&gt;survey&lt;/a&gt; of state chief information security officers, 49 of whom responded. Here are some of the findings:
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Between 2009 and 2010, 46 percent of state CISOs saw budgets decrease; 33 percent said their budgets remained the same.
  &lt;/li&gt;
  &lt;li&gt;11 percent of respondents said 0 percent of the department's IT budget is allocated specifically to information security; 50 percent said 1 to 3 percent is.
  &lt;/li&gt;
  &lt;li&gt;When asked to identify the major barriers in addressing information security, 88 percent pointed to lack of funding. Fifty-six percent pointed to the increasing cyber threat, and 40 percent to inadequate availability of security professionals.
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  "Many state CISOs lack the visibility and authority to effectively drive security down to the individual agency level," said Srini Subramanian, director of Deloitte's state government security and privacy services. "At the federal level, the president has recognized the critical nature of the problem and appointed a cybersecurity coordinator to address it. It's imperative that governors and state legislative leaders make cybersecurity a priority."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Feds' third cybersecurity exercise to attack content and identities</title><link>https://www.nextgov.com/cybersecurity/2010/09/feds-third-cybersecurity-exercise-to-attack-content-and-identities/47656/</link><description>Cyber Storm III will use known hacker attacks to hijack certificates that verify content is legitimate and e-mails are authentic.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Tue, 28 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2010/09/feds-third-cybersecurity-exercise-to-attack-content-and-identities/47656/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  The Homeland Security Department kicked off its third large-scale cybersecurity drill on Tuesday to test government's and industry's ability to respond to hackers hijacking Web content and stealing personal identities with the goal of grabbing sensitive information and crippling federal and commercial operations.
&lt;/p&gt;
&lt;p&gt;
  The &lt;a href="http://www.nextgov.com/nextgov/ng_20090826_9168.php"&gt;primary goal&lt;/a&gt; of Cyber Storm III, which will run through Oct. 1, is to test procedures the Obama administration outlined for how agencies and companies should work together during cyberattacks. The White House established the roles and responsibilities for public and private sector managers in its classified &lt;a href="http://www.nextgov.com/nextgov/ng_20090617_3622.php"&gt;National Cyber Incident Response Plan&lt;/a&gt;.
&lt;/p&gt;
&lt;p&gt;
  The exercise includes participants from seven Cabinet-level agencies, including the Commerce, Defense, Energy, Homeland Security, Justice, Transportation and Treasury departments, as well as other members of the intelligence and law enforcement community. Eleven state governments and 60 companies also will be participating, along with representatives from the information technology, communications, chemical, electrical and transportation sectors.
&lt;/p&gt;
&lt;p&gt;
  Homeland Security Deputy Secretary Jane Holl Lute will act as DHS secretary for the exercise, which will test how news of incidents feeds up and down the chain of command. Howard Schmidt, the White House cyber coordinator, will represent himself.
&lt;/p&gt;
&lt;p&gt;
  "So much of the cybersecurity space is about collaboration across the entire community" of public and private sector organizations, said Bobbie Stempfley, director of the national cybersecurity division at DHS, during a media briefing on Sept. 24. "Every once in a while you have to kick the tires."
&lt;/p&gt;
&lt;p&gt;
  In the &lt;a href="http://www.govexec.com/features/0107-01/0107-01na7.htm"&gt;first Cyber Storm&lt;/a&gt;, DHS simulated cyberattacks to bring down parts of the Internet and to test the abilities of different sectors to recover their networks. In &lt;a href="http://www.govexec.com/dailyfed/0308/031308j2.htm"&gt;Cyber Storm II&lt;/a&gt; exercises, hackers used the Internet to spread malicious software and other threats to computer systems. Cyber Storm III will test participants' ability to respond when the Internet essentially attacks itself, said Brett Lambo, director of the cyber exercises program at DHS.
&lt;/p&gt;
&lt;p&gt;
  The simulated attacks will incorporate known technical capabilities the hacker community employs, including the hijacking of digital certificates, which verify that content is legitimate and e-mails are actually from the sender listed on the message.
&lt;/p&gt;
&lt;p&gt;
  "We hope to understand if we could still do business" when faced with an attack that compromises the integrity of content on the Internet, Lambo said. "It's a matter of prioritizing objectives."
&lt;/p&gt;
&lt;p&gt;
  Secret Service headquarters will serve as the "central beehive" for the exercise, where organizers will send narratives that describe scenarios. For example, participants might receive an e-mail stating a piece of malicious code has been detected on a network, or a particular website is down, and they will be expected to respond perhaps by requesting to see an audit log of network activities, redirecting Web traffic from one network port to another, or contacting the Internet service provider and other stakeholders to notify them of the issue.
&lt;/p&gt;
&lt;p&gt;
  How a participant responds will influence subsequent narratives sent out from headquarters, Lambo said.
&lt;/p&gt;
&lt;p&gt;
  Some participants will be located in the National Cybersecurity and Communications Integration Center in Arlington, Va., which identifies and responds to incidents affecting the nation's network infrastructure, while others participate from their places of employment.
&lt;/p&gt;
&lt;p&gt;
  "Cyber Storm offers a window into where we are at that moment in time, in terms of capabilities," Lambo said. "The success of the [simulated attack] is incidental. The point is to break certain things, so we can find out, are we on the right track?"
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Slow development of radio standards frustrates first responders</title><link>https://www.nextgov.com/modernization/2010/09/slow-development-of-radio-standards-frustrates-first-responders/47644/</link><description>Requirements are so complicated that agencies fail to specify elements that must be compliant, resulting in systems that have many proprietary parts that are not interoperable.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Fri, 24 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/modernization/2010/09/slow-development-of-radio-standards-frustrates-first-responders/47644/</guid><category>Modernization</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  Delays persist in finalizing standards that would make the radios that first responders use interoperable, a problem that frustrates government officials struggling to find communication solutions in the vendor community.
&lt;/p&gt;
&lt;p&gt;
  Public safety professionals are developing an open suite of standards, called Project 25 or P25, for manufacturing interoperable two-way wireless communications products. But &lt;a href="http://www.nextgov.com/nextgov/ng_20100527_6684.php"&gt;development of the standards&lt;/a&gt; continues, making compliance impossible, according to witnesses who testified before the House Technology and Innovation Subcommittee on Thursday.
&lt;/p&gt;
&lt;p&gt;
  "The standard is actually a suite of standards that has hundreds of subelements," said Tom Sorley, deputy director of radio communications technology for Houston. "Most people who are writing specifications to buy a new system do not know enough about the P25 suite of standards to even properly document their requirements. They fail to specify individual elements that must be compliant, and the result is systems are sold as P25-compliant when many parts of the system that could be standards-based remain proprietary."
&lt;/p&gt;
&lt;p&gt;
  Sorley is leading Houston's efforts to deploy one of the largest P25 radio systems nationwide. He spent months canvassing vendors to encourage response to a request for proposals. But because of a lack of interoperability, only two manufacturers were qualified to submit bids. "It was a little disheartening," Sorley said. "[A lack of standards] has a big impact on competition."
&lt;/p&gt;
&lt;p&gt;
  The Interior Department uses land mobile radios and systems to support law enforcement and firefighting operations across nearly all 50 states and U.S. territories. Interoperability with federal, tribal, state and local agencies is crucial, said Russ Sveda, manager of Interior's radio technical service center.
&lt;/p&gt;
&lt;p&gt;
  "Our mission demands not only radio A, B and C interoperate on our local system, but our users' handheld and mobile radios must also work effectively on any system in the country," he said. "The slow pace of the development of the Project 25 standards has created some frustration. We have invested 14 years into this technology, and today we are still not able to design and install a Project 25-compliant system without significant engineering and customization."
&lt;/p&gt;
&lt;p&gt;
  Interior will continue testing individual products until the standards are published, and the industry has matured in compliance, Sveda added.
&lt;/p&gt;
&lt;p&gt;
  Sorley recommended standards be released in phases that allow for incremental compliance, similar to the various versions of the IEEE 802.11 standard for wireless local area networks.
&lt;/p&gt;
&lt;p&gt;
  "The bottom line is P25 has so many moving parts comprised of many different standards . . . that the layperson would have no real way of determining if the products they are buying really conform," he said. "If standards are released in phases, manufacturers can deliver technologies -- as time goes on -- [that] evolve to include other features, functions and capabilities. As [customers] upgrade, they won't be locked in or out of any one technology."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Senate panel tries again to push through data breach bill</title><link>https://www.nextgov.com/digital-government/2010/09/senate-panel-tries-again-to-push-through-data-breach-bill/47626/</link><description>Data Security and Breach Notification Act would require businesses and nonprofits to adopt security practices that protect stored information from unauthorized access.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Thu, 23 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/digital-government/2010/09/senate-panel-tries-again-to-push-through-data-breach-bill/47626/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  Members of a Senate subcommittee said they hope the third time is the charm for passing a bill that would require businesses to install information security controls to protect consumers' personal data and notify them when the information has been compromised.
&lt;/p&gt;
&lt;p&gt;
  The Senate's Consumer Protection, Product Safety and Insurance Subcommittee on Wednesday held a hearing to consider for the third time the 2010 Data Security and Breach Notification Act. John Rockefeller, D-W.Va., chairman of the Commerce, Science and Transportation Committee, and Mark Pryor, D-Ark., subcommittee chairman, introduced the bill.
&lt;/p&gt;
&lt;p&gt;
  "Both times the Senate has failed to take [the measure] up on the floor. I fully intend to report this bill out of the Commerce committee in next week's markup, and it is my sincere hope that this time -- the third time -- is the charm," Rockefeller said during his opening remarks. The House passed a &lt;a href="http://www.govtrack.us/congress/bill.xpd?bill=h111-2221" rel="external"&gt;companion bill&lt;/a&gt; by voice vote in December 2009.
&lt;/p&gt;
&lt;p&gt;
  The bill would require businesses and nonprofit organizations that maintain large consumer databases to adopt security practices that protect stored information from unauthorized access. It also requires organizations to notify consumers when a security breach results in the possible exposure of their personal information.
&lt;/p&gt;
&lt;p&gt;
  Organizations also would be required to inform customers when their data is collected by information brokers for sale to third parties and to give them the opportunity to correct inaccuracies.
&lt;/p&gt;
&lt;p&gt;
  Requiring government and businesses to follow reasonable security measures and risk assessments to protect consumer information is essential for mitigating data breaches, most of which are caused by company employees who inadvertently violate policies, Mark Bregman, chief technology officer for security vendor Symantec, said during testimony.
&lt;/p&gt;
&lt;p&gt;
  "Other breaches are the result of targeted attacks by organized crime, which are increasingly aimed at stealing information for the purpose of identity theft," he said. "Such attacks are often automated by using malicious code that can penetrate into an organization undetected and export data to remote hacker sites."
&lt;/p&gt;
&lt;p&gt;
  Organizations should encrypt sensitive information stored in databases and on hard drives to make it harder to steal, Bregman said.
&lt;/p&gt;
&lt;p&gt;
  The Federal Trade Commission supports the bill, but recommended the requirement to notify customers of a security breach not be limited to electronic information, "because the breach of sensitive data stored in paper format can be just as harmful to consumers," Maneesha Mithal, FTC's associate director of the privacy and identity protection division, said during testimony.
&lt;/p&gt;
&lt;p&gt;
  According to FTC, the bill also should apply to telecommunications carriers, many of which store large quantities of personal information. Small businesses should be allowed to request a waiver from providing free credit reports or credit monitoring to consumers following a breach, FTC suggested.
&lt;/p&gt;
&lt;p&gt;
  Currently, a &lt;a href="http://www.nextgov.com/nextgov/ng_20091110_6796.php"&gt;patchwork of state laws&lt;/a&gt; dictates how organizations report disclosure of sensitive information. Forty-seven states, as well as the District of Columbia, New York City and Puerto Rico, have laws, which vary widely.
&lt;/p&gt;
&lt;p&gt;
  "Consumers get strong protections and aggressive enforcement by states' attorneys general," Rockefeller said. "On the other hand, the bill creates national standards that facilitate interstate commerce, and the Federal Trade Commission is provided with regulatory flexibility to accommodate technical complexities and small business concerns."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>HHS to use data analytics to uncover Medicare, Medicaid fraud</title><link>https://www.nextgov.com/digital-government/2010/09/hhs-to-use-data-analytics-to-uncover-medicare-medicaid-fraud/47618/</link><description>Software tools will weed out potential incidents of abuse by flagging suspicious activities and anomalies, including unusual patterns in billing and applications for health services, in systems that process requests.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Tue, 21 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/digital-government/2010/09/hhs-to-use-data-analytics-to-uncover-medicare-medicaid-fraud/47618/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  In an effort to plug one of the largest sources of fraud and waste in government, the Health and Human Services Department plans to install data analysis tools to root out fraudulent payments in the Medicare, Medicaid and children's health insurance programs, an official said on Monday.
&lt;/p&gt;
&lt;p&gt;
  A &lt;a href="http://www.ofr.gov/OFRUpload/OFRData/2010-23579_PI.pdf" rel="external"&gt;proposed rule&lt;/a&gt; introduced on Thursday requires the Centers for Medicare and Medicaid Services to screen providers and suppliers to find waste and fraud, including reprimanding the organizations. The rule also extends to those participating in the children's health insurance program.
&lt;/p&gt;
&lt;p&gt;
  "The proposed regulations [provide] important new tools to help us move from a 'pay-and-chase' approach," which identifies unscrupulous acts after the government has issued a check, "to one that makes it harder to commit fraud in the first place," said CMS Administrator Donald Berwick during a conference call with reporters Monday.
&lt;/p&gt;
&lt;p&gt;
  Medicare is the source of some of the largest amounts of improper payments in government. Agency officials estimated the health program for the elderly issued $24.1 billion in improper payments in 2009, according to a &lt;a href="http://www.gao.gov/new.items/d10844t.pdf" rel="external"&gt;report&lt;/a&gt; the Government Accountability Office issued in June. That amount is most likely much higher, GAO added, "because some improper payments may not be detected and hence may not be reflected in the improper payment rate."
&lt;/p&gt;
&lt;p&gt;
  In all, the government loses about $98 billion a year because of fraud and payment errors, an amount that has raised concerns in the White House. In July, President Obama signed the 2010 &lt;a href="http://www.govexec.com/story_page.cfm?filepath=/dailyfed/0610/062410rb1.htm"&gt;Improper Payments Elimination and Recovery Act&lt;/a&gt;, saying it would reduce waste and fraud by $50 billion by 2012. The law requires agencies to conduct recovery audits for programs that spend $1 million or more annually. They also must review programs that could be susceptible to significant improper payments every three years and produce corrective action plans for preventing future waste.
&lt;/p&gt;
&lt;p&gt;
  CMS will deploy a number of computer applications that weed out potential incidents of fraud by flagging suspicious activities and anomalies in the systems that process requests, including unusual patterns in billing and applying for services. The agency also will buy more sophisticated analytical tools to screen applications to enroll in the program.
&lt;/p&gt;
&lt;p&gt;
  "We get 19,000 new applications every month, and most are legitimate," said Peter Budetti, deputy administrator of the Center for Program Integrity at CMS. "But we want to use more advanced technologies to [identify] those who should not be let into the program."
&lt;/p&gt;
&lt;p&gt;
  The agency also will analyze more phone calls to the toll-free Medicare hotline, which provides beneficiaries with direct access to customer service representatives.
&lt;/p&gt;
&lt;p&gt;
  "Any beneficiary can call, but we notice quite a few raise suspicions about possible problems in the program," which triggered about 30,000 investigations in 2009, Budetti said. "We're looking now at applying analytic tools at the point of collection of calls [to identify] patterns, so we can then investigate the issue raised by those beneficiaries" that might implicate suppliers and providers in fraudulent behavior.
&lt;/p&gt;
&lt;p&gt;
  CMS also is seeking comment on the possibility of collecting fingerprints from providers and suppliers, which would be checked against appropriate law enforcement databases.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>TechAmerica: Just Do It</title><link>https://www.nextgov.com/cybersecurity/2010/09/techamerica-just-do-it/53812/</link><description>In hopes that Congress will get something of note accomplished before year's end, IT industry association TechAmerica released a statement on Friday encouraging the Senate to pass a vote on several popular cybersecurity reforms before breaking later this month.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Fri, 17 Sep 2010 13:20:57 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2010/09/techamerica-just-do-it/53812/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  In hopes that Congress will get something of note accomplished before year's end, IT industry association TechAmerica released a statement on Friday encouraging the Senate to pass a vote on several popular cybersecurity reforms before breaking later this month.
&lt;/p&gt;
&lt;p&gt;
  "TechAmerica supports the concept of comprehensive cybersecurity reform, but the perfect must not become the enemy of the good," wrote TechAmerica President and Chief Executive Officer Phil Bond in a letter to Senate Majority Leader Harry Reid, D-Nev. "In the event that comprehensive action proves elusive, we would prefer to achieve meaningful victories in the effort to better protect our nation in cyberspace while the opportunity is before us."
&lt;/p&gt;
&lt;p&gt;
  Although the number of cybersecurity measures circulating in Congress has reached double digits, TechAmerica pointed to two specifically:
&lt;/p&gt;
&lt;p&gt;
  --The &lt;a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-3742"&gt;2010 Data Security and Breach Notification Act&lt;/a&gt;, which establishes a standard for notifying individuals at risk of harm from exposure of their personal information.
&lt;/p&gt;
&lt;p&gt;
  --The &lt;a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-920"&gt;2009 Information Technology Investment Oversight Enhancement and Waste Prevention Act&lt;/a&gt;, which would increase accountability for cybersecurity within individual agencies, enable greater access to commercial cybersecurity solutions, and expand federal cyber response capabilities.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>IRS still reliant on Social Security numbers to identify taxpayers</title><link>https://www.nextgov.com/digital-government/2010/09/irs-still-reliant-on-social-security-numbers-to-identify-taxpayers/47605/</link><description>Agency plans to eventually replace SSNs on notices with 2-D bar codes, officials tell the inspector general.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Fri, 17 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/digital-government/2010/09/irs-still-reliant-on-social-security-numbers-to-identify-taxpayers/47605/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  The Internal Revenue Service has not eliminated Social Security numbers from the majority of its computer systems and documents because the numbers are still used to associate correspondence and documents with taxpayer accounts, according to a report from the Treasury Department Inspector General for Tax Administration that was released on Thursday.
&lt;/p&gt;
&lt;p&gt;
  During fiscal 2009, the IRS mailed 201 million notices to taxpayers, most of which contained their SSNs, according to the &lt;a href="http://www.treas.gov/tigta/auditreports/2010reports/201040098fr.pdf" rel="external"&gt;report&lt;/a&gt;. In addition, more than 500 computer systems, 6,000 internal and external forms, and 20 categories of individual taxpayer notices could contain the numbers.
&lt;/p&gt;
&lt;p&gt;
  "Since the IRS submitted its first release of the SSN [elimination and reduction] plan to the Department of the Treasury in the first quarter of fiscal 2008, it has redacted or truncated taxpayers' Social Security numbers from only a small number of systems, notices and forms," the inspector general stated. The agency has removed Social Security numbers from a document used for transferring taxpayer files among its offices, and from notices and letters that are sent out concerning economic stimulus payments. The IRS also removed numbers from the command code used to verify taxpayer identities in its Integrated Data Retrieval System.
&lt;/p&gt;
&lt;p&gt;
  On May 22, 2007, the Office of Management and Budget issued a &lt;a href="http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf" rel="external"&gt;memo&lt;/a&gt; requiring agencies to create a plan to eliminate the unnecessary collection and use of SSNs within 18 months.
&lt;/p&gt;
&lt;p&gt;
  The IRS first focused on reducing the number of internal forms that use SSNs, because it has more latitude to change the presentation of the data on a form if it does not leave the agency, according to the report. If it leaves the IRS, then consideration must be given to changes the receiving organization has to make, officials told the inspector general.
&lt;/p&gt;
&lt;p&gt;
  In systems and taxpayer correspondence, processes must be analyzed and revised before reducing or eliminating taxpayer SSNs. "This is because Social Security numbers are used to associate correspondence and documents with taxpayer accounts," the inspector general reported. "In addition, before revising forms and notices, the IRS must first analyze the various options for eliminating or reducing the Social Security numbers."
&lt;/p&gt;
&lt;p&gt;
  The agency began analyzing costs to update various systems in February 2009. Initial results of the analysis were submitted to the inspector general in November 2009, but not included in the report. Deborah Wolf, director of privacy information protection and data security at the IRS, noted in a written response to the report that the agency recently approved funding for a new initiative to replace the SSNs on notices with 2-D bar codes, which will allow it to encode taxpayer data. A preliminary timeline for the project will be established by Oct. 1.
&lt;/p&gt;
&lt;p&gt;
  IRS officials also agreed with recommendations from the inspector general to maintain better documentation of its progress to reduce reliance on SSNs, update milestones to ensure timely progress, and validate data received from business units on progress made.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>CBP wants system to detect ultralights smuggling drugs</title><link>https://www.nextgov.com/digital-government/2010/09/cbp-wants-system-to-detect-ultralights-smuggling-drugs/47594/</link><description>Officials report an increase in the number of attempts to move narcotics into the United States using the small aircraft, which avoid radar detection by flying low.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Thu, 16 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/digital-government/2010/09/cbp-wants-system-to-detect-ultralights-smuggling-drugs/47594/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  The Homeland Security Department wants to purchase technology that can detect slow-moving, low-flying aircraft -- typically called ultralights -- that Mexican cartels use to smuggle drugs into the United States, according to a draft request for proposals released last week.
&lt;/p&gt;
&lt;p&gt;
  The system will be used to detect ultralights, which are small one-person planes that are typically not much more than a hang glider equipped with an engine. Drug smugglers have been relying more on the small aircraft, which can easily avoid radar detection, to move illegal drugs into the United States.
&lt;/p&gt;
&lt;p&gt;
  In May, two Air Force fighter jets &lt;a href="http://www.af.mil/news/story.asp?id=123204939" rel="external"&gt;intercepted an ultralight&lt;/a&gt; that crossed into Arizona, then turned and flew back into Mexico after 30 minutes of being shadowed. In March 2009, law enforcement authorities in San Luis, Ariz., found an ultralight that crashed in a lettuce field. Still strapped into the aircraft was the body of the pilot and more than 100 pounds of marijuana, according to a &lt;em&gt;USA Today&lt;/em&gt; &lt;a href="http://www.usatoday.com/news/nation/2009-03-05-ultralight_N.htm" rel="external"&gt;article&lt;/a&gt;.
&lt;/p&gt;
&lt;p&gt;
  "The intent . . . is to acquire a system that is able to use existing sensor technology to detect and track these aircraft," Customs and Border Protection said in a &lt;a href="https://www.fbo.gov/index?s=opportunity&amp;amp;mode=form&amp;amp;tab=core&amp;amp;id=e0a238c88cc9d5012d272e46bad1f519&amp;amp;_cview=0"&gt;synopsis&lt;/a&gt; of the solicitation first posted in June.
&lt;/p&gt;
&lt;p&gt;
  CBP officials plan to buy an existing system rather than one in development so they can immediately begin using the technology, according to the latest &lt;a href="https://www.fbo.gov/index?tab=documents&amp;amp;tabmode=form&amp;amp;subtab=core&amp;amp;tabid=c7dd1c569e9da2998683feedac320ae5"&gt;draft RFP&lt;/a&gt;, which was released Sept. 9.
&lt;/p&gt;
&lt;p&gt;
  The system must be able to transmit real-time data to the Air and Marine Operations Center in Riverside, Calif., where it will integrate with other networks and provide remote-control capability.
&lt;/p&gt;
&lt;p&gt;
  The technology will be deployed at existing CBP facilities and in remote locations where external power or communications infrastructure might not be available, according to the RFP. The system should include its own power and communications package, and be transportable and rugged enough to withstand weather and the steep terrain along the border.
&lt;/p&gt;
&lt;p&gt;
  DHS expects to award a firm fixed-price, indefinite delivery-indefinite quantity contract. The RFP did not include a potential cost for the system. Proposals are due by 3 p.m. on Oct. 19.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Cyber Pays, Commodities Don't</title><link>https://www.nextgov.com/ideas/2010/09/cyber-pays-commodities-dont/53798/</link><description>HP announced the latest in a string of acquisitions on Monday, with plans to buy security software company ArcSight  for $1.5 billion in cash. In the last six months, the PC manufacturer has announced plans to acquire Fortify, 3Com, Palm and 3PAR, to name a few, giving it a larger footprint in networking, mobile computing and -- most notably -- security.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Tue, 14 Sep 2010 15:25:50 -0400</pubDate><guid>https://www.nextgov.com/ideas/2010/09/cyber-pays-commodities-dont/53798/</guid><category>Ideas</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  HP announced the latest in a string of acquisitions on Monday, with plans to buy security software company ArcSight for $1.5 billion in cash. In the last six months, the PC manufacturer has announced plans to acquire Fortify, 3Com, Palm and 3PAR, to name a few, giving it a larger footprint in networking, mobile computing and -- most notably -- security.
&lt;/p&gt;
&lt;p&gt;
  The moves are bold, but not surprising. Not unlike chip manufacturer Intel, which last month &lt;a href="http://www.nextgov.com/nextgov/ng_20100820_2804.php?oref=topnews"&gt;announced plans to buy McAfee&lt;/a&gt;, HP has long been in the commodity business, which offers thin margins. The best way to compensate is by buying up modest-sized companies that play in growth markets (i.e., networking, mobile computing, security) and offer substantial growth margins.
&lt;/p&gt;
&lt;p&gt;
  Expect more of the same.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Defense lacks doctrine to guide it through cyberwarfare</title><link>https://www.nextgov.com/digital-government/2010/09/defense-lacks-doctrine-to-guide-it-through-cyberwarfare/47575/</link><description>Top priority for the Cyber Command is to document rules of engagement, GAO officials say.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Mon, 13 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/digital-government/2010/09/defense-lacks-doctrine-to-guide-it-through-cyberwarfare/47575/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  The Defense Department lacks the doctrine needed to effectively guide cyberwarfare strategies, according to officials with the Government Accountability Office, who expect to release in October an unclassified version of a report detailing the challenges.
&lt;/p&gt;
&lt;p&gt;
  More than once, senior military officials claimed in testimony before Congress that current and future adversaries are likely to rely more on a blending of conventional and irregular approaches to conflicts, which they referred to as hybrid warfare. GAO submitted &lt;a href="http://www.gao.gov/new.items/d101036r.pdf" rel="external"&gt;a report&lt;/a&gt; to the House Subcommittee on Terrorism, Unconventional Threats and Capabilities on Sept. 10 about how the Defense Department defined the concept and used it in strategic planning documents.
&lt;/p&gt;
&lt;p&gt;
  According to the report, hybrid warfare might be used informally to describe the ever-changing complexity and dynamics of the battlefield, but the department has not officially defined the term and has no plans to do so, claiming existing doctrine on traditional and irregular warfare is sufficient to describe the current and future operational environment.
&lt;/p&gt;
&lt;p&gt;
  "But if you look at the Defense Department's definition for irregular warfare, it does not include cyber; in fact, cyber is notoriously missing from all doctrine," said Davi D'Agostino, director of defense capabilities and management at GAO.
&lt;/p&gt;
&lt;p&gt;
  The Defense Department &lt;a href="http://www.dtic.mil/doctrine/dod_dictionary/" rel="external"&gt;defines&lt;/a&gt; irregular warfare as "favor[ing] indirect and asymmetric approaches, though it may employ the full range of military and other capacities, in order to erode an adversary's power, influence and will."
&lt;/p&gt;
&lt;p&gt;
  D'Agostino added, "To the extent that our operational plans actually incorporate a cyber [takeover] for example -- that's all yet to be seen. There needs to be greater acknowledgement of cyber as a tactical component of warfare operations."
&lt;/p&gt;
&lt;p&gt;
  Official doctrine would detail how Defense might incorporate military approaches to warfare, including cyber, and provide the handbook, so to speak, for how to "counter the countermeasures, and be more adaptive," said Marc Schwartz, assistant director of defense capabilities and management at GAO.
&lt;/p&gt;
&lt;p&gt;
  D'Agostino and Schwartz said they are hopeful the U.S. Cyber Command will establish the doctrine on cyberwarfare.
&lt;/p&gt;
&lt;p&gt;
  "One concern that has existed on the Hill for a considerable amount of time, but heightened since the formation of the Cyber Command, has to do with absence of a clear strategy in terms of rules of engagement for cyberspace," said one former intelligence official who asked to not be named. "It's just not there."
&lt;/p&gt;
&lt;p&gt;
  Defense, however, is very well-equipped to utilize cyberspace during conflict, said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies.
&lt;/p&gt;
&lt;p&gt;
  "In the cyber realm, they haven't worked out doctrine, rules, authority; and there are questions about how cyber operations can be used during peacetime," he said. "But they've gone far to incorporate cyber into military planning. Can it be refined and improved? Sure. But during war, they know what to do."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Now That's Ironic</title><link>https://www.nextgov.com/cybersecurity/2010/09/now-thats-ironic/53782/</link><description>Oh the irony: According to a report released Thursday by the DHS inspector general, the very system used by the U.S. Computer Emergency Readiness Team to exchange and access mission-critical data about the security posture of civilian networks was vulnerable to attack.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Thu, 09 Sep 2010 11:50:13 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2010/09/now-thats-ironic/53782/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  Oh the irony: According to a report released Thursday by the DHS inspector general, the very system used by the U.S. Computer Emergency Readiness Team to exchange and access mission-critical data about the security posture of civilian networks was vulnerable to attack.
&lt;/p&gt;
&lt;p&gt;
  US-CERT is charged with compiling and analyzing information about cybersecurity incidents happening across civilian agencies, many of which are identified via the intrusion detection system Einstein. The good news is that the audit found the Einstein system, in itself, to be relatively secure, with no high-risk vulnerabilities detected. The bad news is that the system used by US-CERT to access Einstein data, known as the Mission Operating Environment, was not. A scan of the system identified 202 high-risk vulnerabilities -- most of which involved failure to patch the operating system and applications.
&lt;/p&gt;
&lt;p&gt;
  So, in a nutshell, a computer system used to keep tabs on the state of cybersecurity across civilian agencies, that provides access to data that would be a goldmine for any would-be hacker, was poised for attack (up until recently, when DHS apparently addressed the weaknesses). Is that the pot calling the kettle black?
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Fed's cybersecurity watchdog found to have security issues</title><link>https://www.nextgov.com/cybersecurity/2010/09/feds-cybersecurity-watchdog-found-to-have-security-issues/47555/</link><description>The U.S. Computer Emergency Readiness Team had 540 vulnerabilities that put its systems at risk, IG says.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Thu, 09 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2010/09/feds-cybersecurity-watchdog-found-to-have-security-issues/47555/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  The very systems the Homeland Security Department uses to monitor cybersecurity across the federal government were plagued by their own vulnerabilities, which placed the cybersecurity data they maintain at risk, according to an inspector general report.
&lt;/p&gt;
&lt;p&gt;
  The inspector general performed an audit on the security of the systems DHS' U.S. Computer Emergency Readiness Team uses to compile and analyze information about cybersecurity incidents that civilian agencies report. According to an &lt;a href="http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_10-111_Aug10.pdf" rel="external"&gt;August report&lt;/a&gt; released on Wednesday, a significant effort is needed to address existing security issues, to "ensure the confidentiality, integrity and availability of its cybersecurity information."
&lt;/p&gt;
&lt;p&gt;
  Specifically, adequate security controls have not been included on the mission operating environment, which US-CERT personnel use to access and share data on cyberattacks, system anomalies and other incidents that affect mission-critical networks. The system, which the inspector general defined as "the backbone of US-CERT operations," supports the organization's program functions such as e-mail and user access to the intrusion detection system Einstein.
&lt;/p&gt;
&lt;p&gt;
  Auditors used vulnerability scanning software to find security problems in multiple computer systems that support the cybersecurity program. The inspector general classified each security issue as high, medium or low risk based on the severity of the vulnerabilities and damage they could inflict on systems. According to the report, a scan of the mission operating environment identified 540 vulnerabilities, with 202 categorized as high risk. Scans of other systems, including Einstein, identified no significant IT security vulnerabilities.
&lt;/p&gt;
&lt;p&gt;
  The majority of the high-risk vulnerabilities involved failure to apply security and software patches. DHS informed the inspector general that patches for the mission operating environment are applied manually, which often results in failure to insert them quickly on all computer systems on a network.
&lt;/p&gt;
&lt;p&gt;
  "[Homeland Security's] difficulty and inability to timely deploy patches led to our discovery of a high number of application and operating system vulnerabilities that leave the MOE vulnerable to potential attacks," the IG reported. "Additionally, since US-CERT analysts gain access to Einstein data via the MOE, the vulnerabilities may put sensitive Einstein data at risk."
&lt;/p&gt;
&lt;p&gt;
  Identified vulnerabilities could lead to an attacker remotely carrying out commands on a target machine, security controls being bypassed to gain unauthorized access to resources, and denial-of-service attacks, which bombard a system with traffic to force it to shut down.
&lt;/p&gt;
&lt;p&gt;
  DHS reported to the inspector general that it had mitigated the vulnerabilities and agreed to provide results of a subsequent scan of the mission operating environment system. The department also said it deployed a software management solution in June that automatically sends out patches and updates for all systems in the mission operating environment.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>DHS to develop single, searchable database of immigration records</title><link>https://www.nextgov.com/digital-government/2010/09/dhs-to-develop-single-searchable-database-of-immigration-records/47548/</link><description>System will help identify cases of fraud and assist with intelligence and law enforcement investigations.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Wed, 08 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/digital-government/2010/09/dhs-to-develop-single-searchable-database-of-immigration-records/47548/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  The Homeland Security Department plans to establish a database of immigration data that will identify fraud in applications for benefits, and provide information to intelligence and law enforcement agencies.
&lt;/p&gt;
&lt;p&gt;
  DHS will create a mirror copy of multiple databases the Citizenship and Immigration Services uses to award federal benefits to immigrants and nonimmigrants and develop a single user interface employees use to access the stored information, according to a &lt;a href="http://www.gpo.gov/fdsys/search/pagedetails.action?granuleId=2010-22306&amp;amp;packageId=FR-2010-09-08&amp;amp;acCode=FR"&gt;notice&lt;/a&gt; the department published in the &lt;em&gt;Federal Register&lt;/em&gt; on Wednesday.
&lt;/p&gt;
&lt;p&gt;
  The Citizenship and Immigration Data Repository System of Records, which will include real-time updates and a search engine, will allow officials to vet applications for fraud and national security concerns, detect misuse of immigration information by agency employees for personal gain, and respond to classified requests for information that could assist intelligence and law enforcement investigations. CIDR will sit on the department's classified network.
&lt;/p&gt;
&lt;p&gt;
  When CIS responds to requests for information from intelligence and law enforcement agencies, the searches are classified, even if the data sets maintained in the databases are not. DHS determined that creating mirror copies of its unclassified data sets on the classified network would be the best solution, enabling employees to conduct classified searches and maintain audit trails of search activities and results, according to the notice.
&lt;/p&gt;
&lt;p&gt;
  "A mirrored system is necessary, because if you have a classified search criteria [that] is used to search on the unclassified network, you have just [committed] a security violation," said DHS spokesman Steve Richards.
&lt;/p&gt;
&lt;p&gt;
  Homeland Security also &lt;a href="http://www.gpo.gov/fdsys/pkg/FR-2010-09-08/pdf/2010-22307.pdf" rel="external"&gt;filed a proposed rule-making notice&lt;/a&gt; on Wednesday to exempt portions of the system of records from one or more provisions of the 1974 Privacy Act, which prohibits the disclosure of an individual's personally identifiable information without his or her written consent. The law exempts the disclosure of this information for law enforcement purposes.
&lt;/p&gt;
&lt;p&gt;
  "We are taking the exemption because we don't want to tell someone the information has been shared with a [law enforcement or intelligence] agency" if an investigation is under way, Richards said. "The fact that the other agency asked for the information would be enough for the individual to know that he may be under investigation, and thus would jeopardize the investigation."
&lt;/p&gt;
&lt;p&gt;
  The upgrades for CIDR will be operational by Oct. 8.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>iTunes Social Network Spammed</title><link>https://www.nextgov.com/cybersecurity/2010/09/itunes-social-network-spammed/53771/</link><description>It didn't take very long for Apple's new iTunes social network for music fans, which launched on Sept. 1, to get targeted by spammers.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Tue, 07 Sep 2010 14:58:06 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2010/09/itunes-social-network-spammed/53771/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  It didn't take very long for Apple's new iTunes social network for music fans, which launched on Sept. 1, to get targeted by spammers.
&lt;/p&gt;
&lt;p&gt;
  The service, built into the latest version of iTunes, lets users follow their favorite artists and read and post comments. Only 48 hours after Ping's launch, &lt;a href="http://www.apple.com/pr/library/2010/09/03ping.html"&gt;Apple reported&lt;/a&gt; hitting more than 1 million users.
&lt;/p&gt;
&lt;p&gt;
  And another 24 hours later, Chester Wisniewski, senior security advisor for antivirus software vendor Sophos, reported that the service was being targeted by spammers posting comments that promised free iPhones to those who filled out bogus surveys. Presumably, when users click the embedded link, malware is downloaded to their computers, which then become part of a botnet for spamming other computers on the Internet.
&lt;/p&gt;
&lt;p&gt;
  Similar scams hit Facebook and Twitter.
&lt;/p&gt;
&lt;p&gt;
  "Cybercriminals have been targeting social networks for quite some time, as it has been proven that by targeting a user's social network results in a higher success rate than spamming a large group of people via e-mail," said Bradley Anstis, VP of technology strategy for M86 Security. "The 'Win a Free iPod' scam, documented long ago, worked very successfully. It's rather ironic that this very scam has begun to proliferate within Apple's own product."
&lt;/p&gt;
&lt;p&gt;
  Anstis recommended that Apple implement some form of automation to strip out links from comments.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>NIST releases cybersecurity guidelines for smart grid</title><link>https://www.nextgov.com/cybersecurity/2010/09/nist-releases-cybersecurity-guidelines-for-smart-grid/47539/</link><description>Guidelines are a good step forward, but they focus only on securing individual devices, not on tightening security for how different parts of the system will be connected, experts say.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Tue, 07 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2010/09/nist-releases-cybersecurity-guidelines-for-smart-grid/47539/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  The National Institute of Standards and Technology released on Sept. 2 guidelines utilities should follow to secure devices on the nation's developing smart grid, but they do little to ensure integrators consider security when combining devices systemwide, experts said.
&lt;/p&gt;
&lt;p&gt;
  The three-volume set of guidelines for smart grid cybersecurity strategies focuses on prevention, detection, response and recovery, according to the NIST Smart Grid Cybersecurity Strategy and Requirements' &lt;a href="http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628" rel="external"&gt;Internal Report 7628&lt;/a&gt;. The guidelines include 189 security criteria that are applicable either to the entire smart grid, or to particular parts of the system that businesses and organizations can use to prevent cyberattacks, infiltration of malicious code, and errors that can spread among suppliers and cause widespread electrical outages.
&lt;/p&gt;
&lt;p&gt;
  "I view these [guidelines] as the foundational building blocks for how you secure the smart grid," said Marianne Swanson, head of the Smart Grid Interoperability Panel's cybersecurity working group at NIST. "From a very high level, they set the stage for what you need to think about when building the components. Should I use encryption? How do I authenticate? How do I ensure good password controls?"
&lt;/p&gt;
&lt;p&gt;
  The smart grid will use two-way communication systems to monitor usage more closely in order to lower energy consumption.
&lt;/p&gt;
&lt;p&gt;
  The guidelines will assist companies managing the smart grid and building the individual parts of the system, including meter vendors and the software developers, Swanson said. They complement the &lt;a href="http://www.nextgov.com/nextgov/ng_20100120_4191.php"&gt;NIST Framework and Roadmap for Smart Grid Interoperability Standards&lt;/a&gt;, which proposed requirements for developing the smart electric grid.
&lt;/p&gt;
&lt;p&gt;
  The guidelines combined standards from NIST's &lt;a href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf" rel="external"&gt;Special Publication 800-53&lt;/a&gt;, Recommended Security Controls for Federal Information Systems and Organizations, with standards from the Homeland Security Department and the North American Electric Reliability Corp. on protecting the critical infrastructure from cyberattack.
&lt;/p&gt;
&lt;p&gt;
  Although the guidelines are a significant step in securing the smart grid, they don't fully address potential vulnerabilities that can emerge when different vendors integrate their product offerings, said Michael Assante, president and chief executive officer of the National Board of Information Security Examiners.
&lt;/p&gt;
&lt;p&gt;
  "The approach is focused on the device level, which is a good starting point for any standard," Assante said. "But where is the guidance for the integrators? How do you speak to an IBM, who eventually will become a big force in the smart grid and is already developing comprehensive solutions? If we're going to do all this, we need key design principles to promote security in holistic solutions."
&lt;/p&gt;
&lt;p&gt;
  Alan Paller, director of research at the SANS Institute, said the third report in the series presents bottom-up security analysis, which is the most important element of the volume. It provides recommendations for addressing known vulnerabilities in computer systems. The problem, he said, is the information is buried.
&lt;/p&gt;
&lt;p&gt;
  "You have to measure your ability to protect -- that's the place to begin," he said. "But there is so much else in [the report] that might accidentally cause people to not focus on that most important piece.
&lt;/p&gt;
&lt;p&gt;
  "When you ask people to do everything, they'll actually do nothing," he added. "If NIST doesn't take responsibility for prioritizing what [organizations need to do to secure the smart grid], they're throwing it over the wall to the people who don't claim to understand."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>DHS to expand cybersecurity program for researchers</title><link>https://www.nextgov.com/cybersecurity/2010/09/dhs-to-expand-cybersecurity-program-for-researchers/47531/</link><description>Officials believe giving cyber specialists access to information about real-world network attacks could lead to better solutions to protecting computers.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Fri, 03 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/cybersecurity/2010/09/dhs-to-expand-cybersecurity-program-for-researchers/47531/</guid><category>Cybersecurity</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  The Homeland Security Department asked on Wednesday for comments on the latest version of forms that determine who is eligible to access a repository of computer and network data for cybersecurity research and development.
&lt;/p&gt;
&lt;p&gt;
  DHS posted a &lt;a href="http://www.federalregister.gov/articles/2010/09/01/2010-21783/science-and-technology-sandt-directorate-agency-information-collection-activities-submission-for" rel="external"&gt;notice&lt;/a&gt; in the &lt;em&gt;Federal Register&lt;/em&gt; inviting comments on a package of forms it uses to give individuals access to data about cybersecurity incidents that targeted the computer networks of organizations, including academia, industry and nonprofits, that participate in the program.
&lt;/p&gt;
&lt;p&gt;
  The forms, which were updated in April, support the &lt;a href="https://www.predict.org/Default.aspx?tabid=40" rel="external"&gt;Protected Repository for the Defense of Infrastructure Against Cyber Threats&lt;/a&gt; program, or PREDICT. Homeland Security's Science and Technology Directorate created the program to make information on real cyberattacks available to researchers and developers so they can test technology solutions. The program's portal, which launched 18 months ago, is managed by the nonprofit research institute RTI, and the data is housed in servers at five different data center sites.
&lt;/p&gt;
&lt;p&gt;
  "We provide the marriage between the researcher looking for data and the data provider," said Douglas Maughan, program manager within the command, control and interoperability division of the directorate. "A lot of organizations want to help the research community, because quality research can help them [in return]. But typically that means doing a nondisclosure agreement with each. If we have this system built, they don't have to deal with these researchers one on one."
&lt;/p&gt;
&lt;p&gt;
  The onus is on the organization to strip out information that could compromise personal privacy and to ensure providing the cyber data doesn't violate corporate policy, he said. More than 100 data sets are stored in the repository, provided primarily by universities and nonprofit organizations. Only one commercial organization submits information to the program, although DHS hopes to convince more companies to do so.
&lt;/p&gt;
&lt;p&gt;
  Among the data sets stored in the repository is network traffic information, including source and destination IP addresses, which researchers can analyze to learn more about denial of service attacks that temporarily block access to a network, for example. Also included is black hole address space data -- network packets destined for unused Web addresses that often are linked to malicious Internet activity.
&lt;/p&gt;
&lt;p&gt;
  Phase 2 of the program, which DHS recently started, will incorporate what Maughan called "controversial data sets," which could be more sensitive and include personally identifiable information. DHS officials said their goal is to help researchers create ways to protect data. Maughan said legal and privacy considerations are taken seriously to ensure no data is compromised.
&lt;/p&gt;
&lt;p&gt;
  "This has been a crawl, walk, run process, and we're between crawl and walk -- trying to do better marketing to get the word out, and gathering examples from the research community of how they've [utilized data from our program] to show value," he said.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>CBP failed to follow basic security practices to protect financial systems</title><link>https://www.nextgov.com/digital-government/2010/09/cbp-failed-to-follow-basic-security-practices-to-protect-financial-systems/47523/</link><description>Administrators didn't review employees' rights to access files, enforce stringent password requirements, or block users from logging on after several failed attempts.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Thu, 02 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/digital-government/2010/09/cbp-failed-to-follow-basic-security-practices-to-protect-financial-systems/47523/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  The Customs and Border Patrol bureau failed to properly set computer controls that allow only authorized users to view financial data, and to certify networks complied with security standards, according to an audit released on Wednesday by the Homeland Security Department's inspector general.
&lt;/p&gt;
&lt;p&gt;
  A number of problems the inspector general found in 2008 still were not fixed in fiscal 2009, according to the &lt;a href="http://www.dhs.gov/xoig/assets/mgmtrpts/OIGr_10-109_Aug10.pdf" rel="external"&gt;audit&lt;/a&gt;, which analyzed CBP's financial systems and was conducted by the accounting firm KPMG.
&lt;/p&gt;
&lt;p&gt;
  "Although we noted improvement, CBP still faces challenges related to the merging of numerous IT functions, controls, processes and organizational resource shortages," the report stated.
&lt;/p&gt;
&lt;p&gt;
  Specifically, administrators didn't regularly review changes to employees' access rights or enforce stringent password requirements. Systems were not configured to lock out a user after a predetermined number of failed log-on attempts, and the bureau didn't disable accounts after 45 days of inactivity, as department policy requires. CBP officials also failed to restrict employees' network access to the least set of files required to perform their duties.
&lt;/p&gt;
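The paragraph above lists the account controls the auditors found missing. The script below is an added example, not part of the article or the IG report: it runs the same checks against a constructed set of account records and reports every violation. Only the 45-day inactivity rule comes from the report; the lockout threshold, the 90-day review cadence, the role-to-group baseline and the sample accounts are assumptions made for illustration.

```python
"""Account-hygiene audit for the controls the DHS IG found missing at CBP:
lockout after a set number of failed log-ons, disabling accounts idle more
than 45 days, periodic review of access rights, and least privilege.

Added example; the records, role baseline and every threshold except the
45-day rule are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

MAX_IDLE_DAYS = 45          # DHS policy cited in the report
LOCKOUT_THRESHOLD = 5       # assumed; the report says only "a predetermined number"
REVIEW_INTERVAL_DAYS = 90   # assumed cadence for access-rights review

# Constructed least-privilege baseline: the only groups each role needs.
ROLE_GROUPS = {
    "clerk": {"fin-read"},
    "analyst": {"fin-read", "fin-report"},
    "sysadmin": {"fin-read", "fin-admin"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    last_login: date
    last_access_review: date
    failed_logons: int
    locked: bool
    disabled: bool
    groups: frozenset


def audit_account(acct, as_of):
    """Return the list of policy violations for one account as of a date."""
    findings = []

    # Idle check: 0..45 days is within policy. A disabled account passes
    # regardless; a last_login in the future falls outside the range and
    # is flagged as well, since it indicates a clock or record problem.
    days_idle = (as_of - acct.last_login).days
    if not acct.disabled and days_idle not in range(MAX_IDLE_DAYS + 1):
        findings.append(f"idle {days_idle} days but not disabled")

    # Lockout check: fewer than LOCKOUT_THRESHOLD failures is tolerated;
    # at the threshold or beyond, the account must already be locked.
    if not acct.locked and acct.failed_logons not in range(LOCKOUT_THRESHOLD):
        findings.append(f"{acct.failed_logons} failed log-ons but not locked")

    # Access-rights review must have happened within the interval.
    days_since_review = (as_of - acct.last_access_review).days
    if days_since_review not in range(REVIEW_INTERVAL_DAYS + 1):
        findings.append(f"access rights not reviewed for {days_since_review} days")

    # Least privilege: any group beyond the role baseline is excess.
    excess = acct.groups - ROLE_GROUPS.get(acct.role, frozenset())
    if excess:
        findings.append("excess groups: " + ", ".join(sorted(excess)))

    return findings


def audit_accounts(accounts, as_of):
    """Map each user with at least one violation to its findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, as_of)
        if findings:
            report[acct.user] = findings
    return report


# Constructed sample records, not drawn from the audit.
AS_OF = date(2009, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "clerk", date(2009, 9, 28), date(2009, 8, 1), 1, False, False,
            frozenset({"fin-read"})),
    Account("asmith", "analyst", date(2009, 6, 1), date(2009, 8, 1), 0, False, False,
            frozenset({"fin-read", "fin-report"})),
    Account("bjones", "clerk", date(2009, 9, 29), date(2009, 8, 1), 7, False, False,
            frozenset({"fin-read", "fin-admin"})),
    Account("oldtemp", "clerk", date(2009, 1, 15), date(2009, 8, 1), 0, False, True,
            frozenset({"fin-read"})),
]

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS, AS_OF).items():
        for finding in findings:
            print(f"{user}: {finding}")
```

Run against the sample records, the script flags asmith (121 idle days, still enabled) and bjones (seven failed log-ons without lockout, plus a fin-admin group a clerk has no need for), while the disabled oldtemp account passes because the inactivity rule only applies to accounts that remain enabled. In practice the records would be exported from the directory or the financial application's user store rather than constructed inline.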
&lt;p&gt;
  Auditors said CBP administrators failed to keep an up-to-date inventory of workstations that had access to financial systems and to ensure all computers had the latest antivirus software installed.
&lt;/p&gt;
&lt;p&gt;
  Portions of the report's findings were redacted for security reasons.
&lt;/p&gt;
&lt;p&gt;
  "Several of the deficiencies were a result of either an inadequate allocation of resources to address prior year findings, or only partial implementation of recommendations," the report noted. "By not addressing the conditions, the risk exists that deficiencies may be exploited, in either a singular fashion, or in combination [that] might affect the availability, confidentiality or integrity of CBP's financial systems and data."
&lt;/p&gt;
&lt;p&gt;
  In a letter responding to the report, CBP officials said the bureau is developing or putting in place actions to address the weaknesses KPMG identified.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>E-file system to flag errors in claims of foreign earned income</title><link>https://www.nextgov.com/digital-government/2010/09/e-file-system-to-flag-errors-in-claims-of-foreign-earned-income/47512/</link><description>A new version will include an application to correct the erroneous tax exclusions, which cost the government $90 million in 2008.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Wed, 01 Sep 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/digital-government/2010/09/e-file-system-to-flag-errors-in-claims-of-foreign-earned-income/47512/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  The Internal Revenue Service will incorporate features into the next version of its electronic tax filing system to prevent taxpayers from erroneously excluding foreign earned income, an oversight that cost the U.S. government $90 million in 2008, according to an audit by the Treasury Inspector General for Tax Administration.
&lt;/p&gt;
&lt;p&gt;
  A &lt;a href="http://www.ustreas.gov/tigta/auditreports/2010reports/201040091fr.pdf" rel="external"&gt;review&lt;/a&gt; found that 10 percent of the 231,277 tax returns claiming exclusions for income earned while living abroad (exclusions totaling $675 million) contained errors amounting to $90 million. Mistakes included overstating the amount of income that qualified for the exclusion and claims by individuals who did not meet the requirements for the exemption. "Over five years, the estimated revenue loss could total more than $450 million," the IG reported.
&lt;/p&gt;
&lt;p&gt;
  In 2010, U.S. taxpayers living abroad can exclude up to $91,500 of foreign earned income.
&lt;/p&gt;
&lt;p&gt;
  The IG recommended the IRS establish additional reviews to identify false claims, assess whether criteria can be used to identify erroneous claims during tax-return processing, and implement automated controls so that both paper and electronically filed returns with incorrect foreign earned income computations are forwarded to the agency's error resolution system. That application resides in the Modernized e-File system and corrects input submission errors.
&lt;/p&gt;
&lt;p&gt;
  The IRS agreed to submit a Unified Work Request to include the latter recommendation in the next release of its Modernized e-File system. While the forms for claiming foreign earned income and the exclusion are not processed by the agency's Modernized e-File system, both are scheduled to be processed by the system's next release, which has a target deployment date of January 2012.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Agencies use old and new tech to monitor, prepare for Hurricane Earl</title><link>https://www.nextgov.com/modernization/2010/08/agencies-use-old-and-new-tech-to-monitor-prepare-for-hurricane-earl/47500/</link><description>The National Hurricane Center relies on satellite images supplemented by advanced equipment that accurately measures wind speeds, while FEMA taps in to social media to help residents prepare for landfall.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jill R. Aitoro</dc:creator><pubDate>Tue, 31 Aug 2010 00:00:00 -0400</pubDate><guid>https://www.nextgov.com/modernization/2010/08/agencies-use-old-and-new-tech-to-monitor-prepare-for-hurricane-earl/47500/</guid><category>Modernization</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  As Hurricane Earl barrels down on the East Coast of the United States, federal agencies are relying on a combination of new and established technologies to prepare for and to monitor the massive storm, including gadgets that more accurately measure wind speed and social media sites citizens can use to communicate and relay information.
&lt;/p&gt;
&lt;p&gt;
  The National Hurricane Center and Federal Emergency Management Agency have worked together to reduce the chance that Earl catches communities and local governments by surprise.
&lt;/p&gt;
&lt;p&gt;
  "We have all kinds of tools, some of which we've had a long time, and others more recent," said James Franklin, branch chief of the hurricane specialist unit at the National Hurricane Center in Miami.
&lt;/p&gt;
&lt;p&gt;
  Traditional satellite images are the "single most important" piece of data because they track a storm's movement, but they "are increasingly supplemented by newer tools [arming] aircraft that help us do our job better," he said.
&lt;/p&gt;
&lt;p&gt;
  The National Hurricane Center uses a new instrument called the Stepped Frequency Microwave Radiometer to classify a hurricane's wind force. The equipment picks up the microwave radiation emitted from the foam the hurricane winds create on the ocean's surface. Earl's top winds have been measured at 135 MPH, making the storm a Category 4.
&lt;/p&gt;
&lt;p&gt;
  "The windier it is, the more disrupted the sea surface and the greater the amount of foam," creating more radiation, Franklin said. "That's kind of a big deal because until recently we had to estimate the intensity of a storm based on the winds observed by an aircraft," flying at 10,000 feet through the hurricane. "Of course, no one lives at 10,000 feet," he added. "We need to know how strong the winds are at the surface."
&lt;/p&gt;
&lt;p&gt;
  For about 10 years the National Hurricane Center has used a device called a dropwindsonde to measure a hurricane's winds. The instrument is fitted with a GPS receiver and a parachute, which opens when it is dropped from an aircraft. Scientists derive wind speed from how the GPS-tracked instrument drifts as it descends. While the center still uses the device, it is less useful than the Stepped Frequency Microwave Radiometer because it measures wind only at a single location. In addition, each dropwindsonde costs $750 and can't be reused.
&lt;/p&gt;
&lt;p&gt;
  "Having continuous readings below where the aircraft is flying allows us to have better estimates of current [storm] intensity, which is the starting point for a forecast," Franklin said. "You can't forecast something unless you know what you're starting from."
&lt;/p&gt;
&lt;p&gt;
  Meanwhile, FEMA also is relying on technology to prepare residents for the possibility of Earl. The agency has used social media sites to keep citizens in Puerto Rico, the Virgin Islands and on the East Coast of the United States informed about the storm, which is expected to sweep up the U.S. shoreline starting near Cape Hatteras, N.C.
&lt;/p&gt;
&lt;p&gt;
  FEMA's Facebook page provides updates on Earl's intensity and movement in English and Spanish, and directs visitors to &lt;a href="http://www.ready.gov/america/beinformed/hurricanes.html" rel="external"&gt;Ready.gov&lt;/a&gt;, which provides information on preparedness and response to hurricane emergencies, and also refers them to the &lt;a href="http://www.nhc.noaa.gov/" rel="external"&gt;National Hurricane Center's website&lt;/a&gt; for updates on Earl's status.
&lt;/p&gt;
&lt;p&gt;
  In addition, FEMA and the National Hurricane Center are offering mobile versions of their sites that are designed for cell phones' small screens and for handheld devices.
&lt;/p&gt;
&lt;p&gt;
  "Our most important message is for people to be aware, and make sure they've taken steps to plan for [emergencies] before the storm threatens," said FEMA Administrator Craig Fugate during a media call Tuesday.
&lt;/p&gt;
]]&gt;</content:encoded></item></channel></rss>