Risk Factor iconRisk Factor

US Census 2010: The Current Situation is Unacceptable


"We have discovered serious problems with the FDCA (Field Data Collection Automation) program and I am personally involved in bringing key issues to the surface and developing a way forward. In short, the current situation is unacceptable. The American people expect and deserve a timely and accurate Decennial Census..."

So testified Carlos M. Gutierrez, Secretary of the U.S. Department of Commerce at a hearing yesterday in front of the U.S. Senate Committee on Homeland Security and Governmental Affairs on the status of the 2010 Census. Gutierrez finally awoke to the fact that the 2010 Census is in deep and very deep kimshe.

So serious is the trouble that in a highly unusual mid-session announcement, the U.S. Government Accountability Office (GAO) yesterday designated the 2010 Census Project as High Risk, which is in my opinion about 2 years late, since the program is already in trouble, not potentially in trouble.

The cause of the problem which the Census has been trying to paper over for quite some time is that it depends on 500,000 handheld computers to replace its paper-based collection system. As is always the case, it looked very easy to do on paper, but proved to be harder to do in reality.

The Census reasoning seems to have been along the lines of: if Fed Ex can use handhelds to track packages, why can we do the same for collecting Census data - should be dead easy, right? The idea in itself wasn't not outrageous, as long as the risks involved were clearly understood and managed. The GAO report makes clear - as the GAO has several times in the past - that they weren't (and from reading the report still aren't) on both accounts.

In Gutierrez's testimony, he goes on to state that the Census discovered late last year a "gap" as he calls it "between the capacity to get the work done and the amount of time remaining. One of the main reasons for this gap was significant miscommunication concerning technical requirements between the Census Bureau and Harris [the prime contractor]. The lack of clarity in defining technical requirements was a serious problem especially with regard to the testing and functionality of the handheld devices in a full Census environment. For example, discrepancies arose over data upload times, screen change speed and data storage capabilities."

So let me get this straight - with a little more than six months to go before a full scale dress rehearsal of the system, it was discovered that there was still major miscommunication between the Census and the contractor about basic performance parameters for the device to be used by hundreds of thousands of census takers? Weren't these parameters weren't spelled out in detail in the contract? Or did Harris follow the contract, and now the Census has figured out that what it specified won't do? Did Harris tell them there were problems, but the Census didn't listen? What the hell happened here?

Interestingly, back in November 2005, the Government Communications Systems Division (GCSD) of Harris achieved "a Capability Maturity Model Integration (CMMI®) Maturity Level 3 rating. The Level 3 rating denotes superior process maturity within the division's program management, engineering, quality assurance, and other disciplines, and achievement of this rating has become a competitive differentiator on many government programs." I wonder if this rating helped Harris win the Census contract?

At the very least, I think the division's CMMI rating may need to be re-evaluated, or maybe better, the US government better start looking at what, if anything, SEI CMMI Level 3 actually means in practice.

Alas, the Census provided Harris with an updated set of requirements in mid-January 2008; hopefully they are the correct and technically feasible ones.

In the testimony yesterday, it came out that it may cost another $2 billion to "ensure" that the 2010 Census actually can succeed, on top of the $11.5 billion already allocated to the Census (of which $3 billion was for the IT portion of the Census). It also appears the probability of completing the Census on time is dropping rapidly unless there is a marked turnaround. The dress rehearsal in May will give better indication of the true risk status of the situation.

Gutierrez' also said yesterday, "There is no question that both the Census Bureau and Harris could have done things differently and better over the past couple of years."

No kidding?

What I really want to know is who in management is going to be held accountable for this excess level of risk mismanagement, incompetent communication, and rank amateurism in program and contract management. Or is it business as usual, with "mistakes were made," "we have learned from this experience," blah, blah, blah.

The folks at Government Executive have been following this slowly unfolding big time blunder in the making closely, and you can read more about it here, here and here.

IT Mercy Rule Called: Seasprite Contact Cancelled


The Australian Defence Minister Joel Fitzgibbon decided it was time to invoke the IT mercy rule and announced that he was terminating the ill-fated Super Seasprite avionics upgrade program after 11 years of futility.

The total amount the canceled program will cost Australian taxpayers is estimated to be about AU$1.3 billion, not counting the costs of procuring a new helicopter or the costs/risks associated with Australia's eight ANZAC class frigates not having helicopters providing anti-surface and surveillance capabilities for probably another 5 years.

Nine of the Seasprites have been delivered to the Australian Navy's 805 Squadron based at Nowra, New South Wales, but have been grounded for safety reasons.

Maybe they can be made into nice flower planters in front of the main gate.

Counterfeit Computer Chips Security Risk?

About two weeks ago, it was reported that US and European customs officers seized more than 360,000 counterfeit computer chips and network components bearing more than 40 trademarks in a joint operation last November and December.

Last week, US and Canadian seized 400 counterfeit Cisco network hardware components and labels with an estimated retail value of more than $76 million, the US Justice Department announced. Now ComputerWeekly is reporting that there is a worry that counterfeit Cisco hardware may be on corporate and government networks, and thus possibly posing a security risk.

Computer Weekly also suggests in its story that Cisco may be hesitant to spell out in detail how to spot a fake, since it will let counterfeiters know what to correct.

Cisco, however, has published an internal guide to help spot fakes, which, interestingly enough, is stamped "confidential." More information on uncovering counterfeit Cisco equipment can be found here.

UPDATE: It turns out that IEEE Spectrum had an article on counterfeit chips and electronics in 2006. You can read it here.

Dow Jones Drop Miscalculation


In an under-reported story, it appears that the large New York Stock Exchange (NYSE) drop of 416.02 or 3.29 percent last 27 February 2007 (which was at the time the seventh largest drop in exchange history) was in part related to a bigger than previously admitted to computer problem at Dow Jones.

According to the AP story, "Part of the Dow's drop turned out to be not a decline, but a miscalculation. ... high volume that day overwhelmed a data-checking program on the company's [Dow Jone's] Financial Information Distribution System, a server that delivers real-time trade data used to calculate Dow Jones index levels."

"That meant the readings of the Dow were delayed, and therefore misleading, beginning at about 12:50 p.m., but the discrepancy was not caught until 2:20."

"At 2:56, Dow Jones employees flipped on a backup system, which wasn't running the data-checking program. At 2:59, the Dow's calculation caught up with the previous trades, falling 170 points almost instantaneously."

The NYSE claims that the problem didn't have much effect on the market that day, but I would be surprised that a 170 point instantaneous drop wouldn't have some effect on somebody.

Dow Jones promises that it will be quicker in the future than the 36 minutes it took to switch on the backup system the last time.

Free Cash - Almost

ATM.gif UK-based Nationwide Building Society fessed up to an ATM glitch which led to 7,500 of its Northern Ireland customers not being debited for their cash withdrawals from November 2007 to February 2008.

The story in ComputerWeekly said that it appeared that it was an IT-related fault in the building society's connection to the national Link processing system, most likely related to an upgrade performed last year.

In a related BBC story, the Northern Ireland area coordinator for Nationwide is quoted as saying, "In December, the Link organisation upgraded the ATM system. Unfortunately our system didn't pick that up correctly and we apologise for that."

A total of about £400,000 was not debited from customers as it should have been. The Bank now plans to debit the cash from customer accounts on the 10th of March. Nationwide says that overdrawn customers as a result of this action will not be charged.

Healthcare Costs Soar - EHRs to the Rescue

Elixer-poster.gif The Centers for Medicare and Medicaid Services said recently that by 2017, consumers and taxpayers will spend more than $4 trillion on health care, accounting for 20% of every dollar spent. According to a story in the Boston Globe, in 2006, individuals and the government spent $2.1 trillion on health care, an average of $7,026 a person, while 2017, health spending will cost an estimated $13,101 a person.

In the face of these huge projected costs, President Bush has reiterated his call in newly proposed legislation for a national inter-operable electronic health record (EHR) system and making electronic personal health records (PHR) available to Medicare beneficiaries. The PHR proposed legislation, according to news reports, could be used as a back door approach to force doctors and hospitals to implement EHRs.

The Bush Administration has consistently viewed EHRs as a critical means for controlling Medicare costs (some in administration believe that EHRs will "save" Medicare), as well as other medical costs that the government pays for. However, if your primary design criterion for a national EHR system is to control costs, then do not be surprised that the quality of patient care is likely to come in a distant second place as a result. This risk and others has not been examined in any detail; at least in comparison to the supposed benefits.

The benefits of EHRs are not unsubstantial, but they shouldn't be seen as magic elixirs. There is serious doubt by many (including me) that EHRs will reduce health care costs as much as expected. As one health care economist told me, "As long as demand for health care outstrips supply, costs are going to continue to increase."

And as the US population continues to age, new medical technology emerges that promises new cures and treatments, and legal liabilities stay the same, to name only a few health care cost drivers, demand and the resultant cost for health care will continue spiraling upward.

FAA: Bad Parts A Growing Problem - Will Software Be Next?


The US Department of Transportation's Inspector General released its audit of the Federal Aviation Administration (FAA) oversight of aircraft manufacturersâ'' quality assurance systems for both domestic and foreign suppliers. The audit found that the FAA's risk-based oversight system "does not ensure that manufacturers regularly audit their suppliers," nor does the FAA "perform enough audits of manufacturersâ'' suppliers (i.e., supplier control audits) to test how well manufacturersâ'' quality assurance systems are working."

As a result, substandard processes are being used by some parts suppliers (e.g., at one supplier, "an employee used a piece of paper, scotch-taped to the work surface, as a measuring device for a length of wire on an oil and fuel pressure transmitter") thereby allowing for "substandard parts to enter the aviation supply chain."

The FAA, however, claims that, "There are absolutely no imminent safety issues raised by the report."

If this is true, then I guess the DOT Inspector General is overly worried, correct?

The report made me curious about software-related supply chain issues, but the audit wasn't very forthcoming in this regard. It said that, "In conducting these audits, FAA inspectors review the suppliersâ'' organizational management structure, procedures for product design control, software quality assurance, manufacturing processes, manufacturing controls (including calibration), and supplier control (how well the suppliers oversee the vendors that supply parts to them)."

No other mention of software is in the report, like, how good these software quality assurance processes are.

For those of you in the business who know - a question. How much, if any, is legacy commercial aircraft system software outsourced to and maintained by third-party suppliers? And if it is, are the risks the same, less or more than what is being found with aircraft parts maintenance that is outsourced?

Google's Personal Health Record Plans Unveiled


Yesterday, Google formally announced it plans for creating a personal health record (PHR) service at the Healthcare Information & Management Systems Society conference in Orlando. Google's announcement was three days after Microsoft announced at the same conference a $3 million initiative "designed to empower providers with targeted funding to stimulate the research and development of online tools that improve health" in support of its four-month-old HealthVault PHR offering. Both companies say their objective is "to put you in control of your health information."

Google is currently piloting its system at the Cleveland Clinic, and hopes to have a commercial offering later this year.

Both Microsoft and Google have come under pressure about how secure their PHR systems will be as well as how patient information will be used. For instance, this week the World Privacy Forum (WPF) issued a report and a consumer advisory warning of the risks that PHRs pose.

As the advisory notes, "Consumers need to know that not all PHRs protect privacy in the same way, and some PHR systems can undermine consumer privacy in serious ways that consumers may not be expecting... Few consumers understand that their health care files are not always protected under HIPAA (Health Insurance Portability and Accountability Act of 1996) when their files are in a PHR."

Neither Google or Microsoft are covered by HIPAA regulations, and so have been very publicly seeking to reassure potential users that their information will be secure and private. However, as the WPF says, I would be very wary of using any PHR service that is not HIPAA compliant (and has been thoroughly and independently audited to show that it is). HIPAA doesn't provide much protection (only 4 people have been criminally convicted of HIPAA violations in the past five years that I know of), but it is better than nothing.

The other problem is how the PHR information is going to be used. Microsoft places medical company advertisements on its HealthVault site but says it won't use any of your health record information unless you give permission. Google says it doesn't plan to advertise right now or use the information either, which makes one wonder how it plans to make money on its service.

I believe that it is only a matter of time before Microsoft and Google, as well as other PHR service providers, start agitating for access to their users' personal health information, though. Right now pharmaceutical companies very profitably data mine doctors' drug prescription information to up-sell them individually, and medical researchers are clamoring to get access to all patient data that a national electronic health record system would create. There is gold in them there records.

I give it a better than a 70-30 chance that Microsoft, Google and other PHR companies quietly lobby members of Congress to allow them legal "peeks" at patient information for "research" purposes within the next five years - if they aren't doing so already.

Ethics 101 for Robots


Government Computer News had a nice little story on the ethics of robot warriors a short time ago. It talked about the work of Georgia Institute of Technologyâ''s Mobile Robot Laboratory professor Ronald Arkin and his attempts to define algorithms to define ethical behavior in machines that can follow norms like the Geneva Convention. This is from the abstract of his paper Governing Lethal Behavior: Embedding Ethics in a Hybrid Deliberative/Reactive Robot:

"This article provides the basis, motivation, theory, and design recommendations for the implementation of an ethical control and reasoning system potentially suitable for constraining lethal actions in an autonomous robotic system so that they fall within the bounds prescribed by the Laws of War and Rules of Engagement."

Dr. Arkin's 117-paper is a bit much to digest in one sitting, but I have taken a quick read and find it interesting in its approach and very thorough, at least from my perspective. In an AFP news story, Dr. Arkin is quoted last month as saying, "Robotics systems may have the potential to out-perform humans from a perspective of the laws of war and the rules of engagement," since with robots "there are no emotions that can cloud judgment, such as anger."

Arkin's work has direct relevance to another robot story in this week's London Telegraph and the aforementioned AFP story about University of Sheffield's Department of Computer Science professor Noel Sharkey's belief that the major powers are "sleepwalking" into an international robot arms race, and predicted "that it is only a matter of time before robots become a standard terrorist weapon, replacing suicide bombers."

This latter theme was reiterated by others at the UK robotics conference titled The Ethics of Autonomous Military Systems where Sharkey spoke. For instance, UK Rear Adm. Chris Parry spoke about the terrorists using remotely piloted planes as weapons such as Hezbollah's use of pilotless aircraft against Israel in 2006.

BTW, I wrote some about the US military's planned use of UAVs for warfare in the November 2007 issue of Spectrum article. As I wrote, "Back in 2001, Congress mandated, as part of the National Defense Authorization Act, that by 2010, one-third of the operating deep-strike aircraft of the Armed Forces are unmanned, and by 2015, one-third of the operational ground combat vehicles are unmanned.â'' Currently, there are approximately 4,000 robots and 1,000 UAVs of varying types being used in Iraq and Afghanistan by US forces.

Terrorist Watch list Grows and Grows


Senior Associate Editor Sam Moore pointed me to an American Civil Liberties Union (ACLU) claim that the US terrorist watch list now exceeds 900,000 if it has continued to grow at a rate of about 20,000 names per month as it has since its start. The ACLU has launched a new watch list "counter" showing the number of new names supposedly added each day to the list, as well as a number of well-known people who have been put on the list.

The Department of Homeland Security (DHS) has said in the past that records or names don't correlate one to one to actual people, but won't say how many people are on the list. Even cutting the number of records by 75% still leaves a couple hundred thousand folks on this list, and getting off after getting on is not easy.

It would be interesting to see how many foreign student pilots on this list. The reason I ask is that on this evening's ABC World News, there was a special report that claims that thousands of foreign citizens have been able to illegally enroll and obtain pilot licenses from U.S. flight schools. One former Federal Aviation Administration (FAA) inspector found that in 2005 alone there were over 8,000 foreign students "in the FAA database who got their pilot licenses without ever being approved by the Transportation Security Administration," as required by law.

The DHS in response to the report claims that "it conducts security threat assessments 'on all non-U.S. citizens seeking flight training,' " and that "We have a high degree of confidence that our layered security measures, both seen and unseen, have raised the level of security in our aviation sector."

If you say so.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones
Load More