Risk Factor

Articles on the NHS NPfIT

Dr. Brian Randell, Emeritus Professor, and Senior Research Investigator, School of Computing Science, University of Newcastle upon Tyne, was kind enough to let me know that the Journal of Information Technology has just released an issue focused on the UK National Health Service's (NHS) National Program for IT (NPfIT), its electronic health record initiative.

I think you'll find the articles very informative.

Bombs Away LeMay Turning Over in His Grave

Sorry to go off the IS&T trail, but the news that a B-52 was flying around with six unauthorized nuclear weapons made me think fondly (or not so fondly) of my time long ago as an Air Force airborne communications, navigation and electronics warfare technician in Strategic Air Command (SAC).

Say what you will about Gen. Curtis LeMay, he insisted upon and made damn sure that high operating standards were developed, instituted, trained to, and maintained in SAC even after he left - and there was hell to pay if you didn't meet those standards. Maintaining positive control over nuclear weapons was an absolute, non-negotiable; working on an alert bird was always a bit tense as there were these ever present military police with loaded weapons around ready (and I think hoping) to take you out if you violated protocol.

The episode shows how easy it is for risk management, even when nuclear weapons are involved, to become "routine." The Air Force, of course, says this was an isolated incident ("All evidence seems to point to this being an isolated mistake"); however, it should never have happened. This was supposed to be an "impossible event."

LeMay once supposedly said, "I have neither the time nor the inclination to differentiate between the incompetent and the merely unfortunate." In this case, no matter how you slice it, the unfortunate was a matter of incompetence.

Another Data-Mining Project Bites the Dust

The Department of Homeland Security (DHS), after spending $42 million, has shut down its anti-terrorism data-mining tool Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE). Seems that it was being tested with information on real people rather than made-up data, which was against policy and probably the law.

According to the AP story, "ADVISE is not expected to be restarted," DHS spokesman Russ Knocke said. DHS' Science and Technology directorate "determined that new commercial products now offer similar functionality while costing significantly less to maintain than ADVISE."

ADVISE (I wonder how long and how much it cost to come up with that acronym) was supposed to, among other things, report on suspicious people going through customs. In a bit of multiple ironies, the London Guardian disclosed, just the day before ADVISE was being closed, that the Metropolitan Police's Special Branch had been spying on George Orwell.

One report from 1942 noted that Orwell was a suspicious character because he dressed "in a bohemian fashion both at his office and in his leisure hours."

Hmm, I wonder if ADVISE was also data mining for people who fit the profile "bohemian fashion," "work hours" and "leisure hours" as a match for "suspicious person." If not, maybe the new, commercial data mining products can be set to be on the lookout for these characteristics - never know who you might catch.

And just think what Special Branch could have done with ADVISE back then.

One final thing - Orwell was also deemed by those watching him as holding Communist views. Obviously, neither Animal Farm nor 1984 was high on Special Branch's reading list.

Everyone Should Have Their DNA on a Database

As I wrote a couple of days ago, the UK seems determined on making 1984 a reality. A senior UK judge, Lord Justice Sedley, in the name of fairness, called for everyone in the UK including visitors to have their DNA captured in a database. He objects that only those who come in contact with the criminal justice system have their DNA captured.

According to the London Guardian, Sedley said that "disproportionate numbers of people from ethnic minorities were on the database. 'It also means that a great many people who are walking the streets, and whose DNA would show them guilty of crimes, go free,' he said."

If George Orwell were alive today and updating 1984, I wonder how IS&T would influence the story line.

A Masterclass in Bad Decision-making

The UK Public Accounts Committee (PAC) published its report regarding The Delays in Administering the 2005 Single Payment Scheme in England. The delays are estimated to cost UK taxpayers some £500 million.

As reported in the London Times, "the Single Farm Payment Scheme, introduced two years ago, aimed to pay farmers for their stewardship of the land rather than the number of animals they reared for meat."

The Times went on to say that Edward Leigh, the Tory MP who chaired the review committee, said the farmers' payment project was "a masterclass in bad decision-making, poor planning, incomplete testing of IT controls, confused lines of responsibility, scant objective management information and a failure by the management team to face up to the unfolding crisis." Sounds like a classic IT blunder to me.

The PAC report listed some 15 lessons learned, or maybe better put, not learned. As an example, this is from number 14:

"The implementation of the single payment scheme was subject to four Office of Government Commerce Gateway Reviews between May 2004 and February 2006, and three of these Reviews assessed the programme as "red". Development work on the computer system nevertheless continued and no contingency plan was invoked, despite limited confidence that the system would be ready on time. If 'red' reviews are to be taken seriously, departments need to be explicit about the circumstances in which they would lead to fundamental review or termination of a project."

Maybe the first lesson is to teach senior government IT managers that red means stop, green means go. Or maybe better, test them to see if they are color blind.

Customs System Now on the Fast Track to Be Upgraded

Last month, malfunctions at the US Customs and Border Protection computer system at LAX caused massive problems for internationally arriving passengers. Today's LA Times reported that the planned overhaul of the computer system is being moved up. According to Ken Ritchhart, assistant commissioner in the Office of Information and Technology with Customs and Border Protection:

By Thanksgiving, or Christmas at the latest, the entire customs system at LAX will be redone, with not only new workstations, network switches, routers and cables, but also a snazzy new satellite backup system that will allow screeners to access network databases should local routers fail.

It bothers me when someone hedges their bets on an IS&T delivery date like that - it says the plan was made in haste - but we won't have to wait long to see whether that "snazzy" new system is put into place by Christmas.

Security Meltdowns

The past few weeks we saw another flood of news about IS&T security lapses. We had Monster.com reporting that 1 million or more of its customers had their information stolen, and the same hackers broke into the US Office of Personnel Management's website USAJobs.gov and made off with personnel information on 146K more people. Monster provides technical support to the OPM website. Monster admitted that it has been hacked several times, and only recently reported the fact.

Then there was a report that in the state of Connecticut, there was a "theft of a Department of Revenue Services laptop containing sensitive taxpayer information (which) it took eleven days to notify affected citizens of the incident."

At the same time, another report noted that, "A Maryland Department of the Environment laptop computer stolen from an employee's car last weekend held personal information, including Social Security numbers, for 10,000 residents registered with one of four state boards."

Back in Connecticut, there was this report: "Pfizer Inc. has revealed its third data breach in three months, this time affecting the personal information of an estimated 34,000 people... Pfizer said it did not realize sensitive information had been compromised until July 10. Letters to attorneys general around the nation alerting them to the data breach were dated Aug. 23, more than seven weeks after Pfizer became aware of the problem and more than eight months after the information was exposed."

There are others, but you get the idea.

Now, given that corporations and especially government (local, state, federal) are pretty well insulated from any penalties for breaches, it is clear that something else needs to be done.

While I am extremely hesitant about proposing it (I am highly skeptical that government mandates are particularly cost or performance effective), maybe we do need a Sarbanes-Oxley Act for IT security. Let's hold CEOs, CFOs and CIOs or their equivalents in government personally responsible for the security of their organization's IT systems. We can start with the folks in government first this time - after all, fair is fair.

It would be interesting to see how many government CIOs would voluntarily sign a statement that their IT systems posed very low risk of being breached.

Data Mining Your Kids' Conversations

AT&T is now offering a Web-based feature called AT&T Smart Limits that will "allow parents to stay in touch with their children while controlling their children's mobile phone use." The service will, according to AT&T's website:

"Set limits for:

* Minutes

* Text and instant messages

* Download purchases

* Time of day or night the phone can be used

* Numbers the phone can call or text (incoming and outgoing)

* Internet content access

Once a limit is reached, the service will be restricted. Calls to and from phone numbers designated as Allowed Numbers and calls to 911 will continue to be allowed, regardless of the limits you set."

All yours for $4.99 a month.

AT&T decided to offer this service, according to the CNN story, because:

Results of a recent AT&T survey revealed that 84 percent of consumers believe parental controls and safety tools are extremely or very important in keeping children safe while they use today's entertainment and communications technologies. Nearly one-third (31 percent) of those adults do not feel that they have adequate knowledge of how to use those tools to protect children from today's threats.

It will be interesting to see how quickly the children of parents who buy the service figure a way around it, or an Internet VOIP company offers a friendly buy-pass, say, for $3.99 a month?

Of course, the next logical step would be for parents to give phone companies permission to have all of their children's voice conversations recorded, and then have them data mined for hints that they are calling numbers or viewing sites that have been banned by their parents. It shouldn't be too hard to put in an automatic message announcing at the beginning of every call that this call may be monitored for quality control purposes.

Maybe AT&T could offer this service for $5.99 a month.

About That New FAA Contract

I received an interesting comment from a friend of mine, Dr. Martyn Thomas, on my last post concerning the new FAA air traffic control contract. Martyn wrote,

It's relatively easy to jam satellite signals, because they are so weak. It's very hard to jam radar. Has anyone published a vulnerability study for the proposals for ADS-B?

Interesting question. Anyone (especially from ITT or the FAA) have an answer?

Better Future Air Travel - Thanks to a Blunder in the Past?

The FAA announced today that the team led by ITT Corporation has been selected as "the prime contractor for Automatic Dependent Surveillance-Broadcast (ADS-B), the keystone technology to the Next Generation Air Transportation System. The new system promises to significantly reduce delays and enhance safety by using precise signals from the Global Navigation Satellite System instead of those from traditional radar to pinpoint aircraft locations."

"The contract is worth approximately $1.8 billion from 2007 to 2025. ITT Corporation will build the ADS-B ground stations and own and operate the equipment. The FAA will pay subscription charges for ADS-B broadcasts transmitted to properly equipped aircraft and air traffic control facilities."

Hopefully, ITT will be able to implement the ADS-B on time, on budget and to specification, and doesn't end up like the last major air traffic control upgrade effort called the Advanced Automation System (AAS) project.

As described by the GAO in this 1998 testimony, "the AAS which began in the early 1980s, involves FAA's acquisition of modern workstations and computers that process radar and flight data for controllers' use.

Because of severe cost, schedule, and technical problems, FAA restructured the automation program in 1994. The Advanced Automation System (AAS) project, divided into 5 separate segments, was the centerpiece of the program before its 1994 restructuring.

In 1983, FAA estimated the cost to develop AAS to be $2.5 billion and completion was scheduled for 1996. When International Business Machines (IBM) was awarded a development contract in 1988, after a 4-year design competition, FAA estimated the project would cost $4.8 billion and be completed in 1998. By 1994, when FAA restructured the automation program, FAA estimated the cost to develop AAS to be as much as $7.6 billion with completion as late as 2003."

We are currently living in airport hell because of AAS's failure. Yet, if the AAS system hadn't been canceled, and finally completed in 2003, we would have an air traffic system that we would be using for probably the next 30 or more years before being replaced.

Now, it is interesting to speculate about whether we are going to be better off with the ADS-B system using GPS navigation that we hopefully will have up and running by 2015 or the old AAS design that might have been finally completed four years ago using advanced radar technology.

It would make for an interesting cost-benefit analysis - maybe by screwing up 13 years ago, the FAA actually did us all a favor.

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributors

Willie D. Jones

