Risk Factor

Supervalu Scammed - Almost

Supervalu, a large US grocer, apparently was scammed out of $10.1 million after wiring money to fraudulent bank accounts. The following is from an AP report:

"Supervalu first began wiring payments due to American Greetings into the wrong account on February 28, making a total of nine payments before catching the error on March 6. During that time, more than $6.5 million was wired to HSBC Bank in Miami Beach, Florida, to accounts opened under the names Society Nights Productions, doing business as Perini."

Someone claiming to represent Frito-Lay also convinced Supervalu to wire another $3.6 million to a fraudulent account. However, the $3.6 million looks like it actually was owed to Frito-Lay, which suggests an inside job at Supervalu.

"The FBI was able to capture the money before it was whisked away by the scammers, but now American Greetings, Frito-Lay and Supervalu have all laid claim to the money and U.S. District Judge B. Lynn Winmill will decide where it should go."

It will be intriguing to see how this all turns out, especially who the scammers are.

What Really Happened with the FBI's Virtual Case File System?

As I noted yesterday, I was recently in Washington, D.C. attending a breakfast seminar sponsored by Government Executive magazine on the topic, "What Are the Essential Ingredients for a Successful Large IT Project?" The two gentlemen speaking were Randolph (Randy) Hite, Director, IT Architecture and Systems Issues, U.S. Government Accountability Office and Zal Azmi, Chief Information Officer, Federal Bureau of Investigation. My previous post centered on Mr. Hite's comments; today I'll focus on Mr. Azmi's.

Azmi spoke of the current Sentinel project, the follow-on to the infamous Virtual Case File (VCF) system that failed so spectacularly a few years ago. IEEE Spectrum's Senior Associate Editor Harry Goldstein wrote an in-depth story on VCF.

According to the FBI, "Sentinel will consolidate and replace the FBI's legacy case management capabilities with an integrated, paperless file management and workflow system," and be implemented in four phases. Phase I was recently completed, and Phase II is ready to begin.

Azmi made the statement that Sentinel is not a technical program, but really a political program. He phrased it interestingly: Sentinel is the Bureau and the Bureau is Sentinel. In other words, the FBI's operations will be centered in Sentinel. If Sentinel fails as a program, the Bureau, by implication, fails as an organization.

Azmi went on to say that he briefs FBI Director Robert S. Mueller III every Wednesday at 2 PM on Sentinel's status, the DCI once a month, and Congressional folks once a quarter on the status of the project. I also know that Azmi holds a risk management review meeting once a day with the prime contractor. If Sentinel fails as a program, no one can say they didn't know its status.

Which brings me to something else Azmi discussed, and that is about his early days on the VCF program. Azmi related that he was asked by Mueller in November of 2003 to look into the status of the VCF program. Azmi said that he had a meeting in mid-November attended by 46 people (I assume FBI management and contractors) who assured him that everything was great. He said that he was also told that only 68% of the test cases had been performed, and that the software problem reports were increasing, not decreasing. Given that this was only six weeks away from delivery, this was a bit disconcerting.

Azmi also was told by the contractor a few weeks later that a "draft" version of the software was going to be delivered. Azmi related that he had never heard of that term before, which brought a chuckle from the crowd.

All this was already on the public record.

But then, Azmi said something that really got my ears pointed.

He said that in January 2004, he told Mueller that VCF was not going to work. Not that it needed a lot more work to be made whole, or that it could be salvaged; no - it could not be made to work. Azmi said that the contractor had delivered 733,000 lines of code, and if you changed one, you in effect had ripple effects throughout the system. Azmi implied that even then it wasn't a matter of whether the VCF was going to be replaced, but just a matter of when.

Why this got my attention is the following.

A Washington Post article on VCF says that:

"Within a few days [this was after seeing the system in November 2003], Azmi said, he warned FBI Director Robert S. Mueller III that the $170 million system was in serious trouble."

Now, according to the Post, Azmi told Mueller that VCF was in serious trouble. But in an open forum, Azmi says it won't work and tells Mueller this. Who cares?

Well, in March 2004, Mueller is telling Congress that:

"As you know, during the past year we encountered some setbacks regarding the deployment of Full Site Capability (FSC) and the Virtual Case File, and we are moving quickly to address them. We are working to resolve each issue, and will continue deployment throughout the country.

I believe that we are now on the right track, and we are closing in on the goal of completion. We are being diligent in our efforts to complete this project within the resources available, and I am committed to ensuring the successful completion of this project."

Also, Mueller tells Congress, according to the Post story, that "the FBI had experienced 'a delay with the contractor' but that the problem had been 'righted.' He said he expected that 'the last piece of Virtual Case File would be in by this summer.'"

Now, was this a case of "positive spin" or something a bit more akin, as they say in Washington, D.C., to being "economical with the truth" by Mueller?

Or did Mueller just not believe everyone who was telling him VCF was dead? After all, he assured Congress in May 2004 everything with VCF was still going according to plans, when to everyone else it was a case of dead man walking.

Given what Azmi said on Wednesday, it sure would be interesting to know.

Be Realistic - Yeah, Right

I was in Washington, D.C. yesterday attending a breakfast seminar sponsored by Government Executive magazine on the topic, "What Are the Essential Ingredients for a Successful Large IT Project?" The two gentlemen speaking were Randolph (Randy) Hite, Director, IT Architecture and Systems Issues, U.S. Government Accountability Office and Zal Azmi, Chief Information Officer, Federal Bureau of Investigation. It was an interesting session for a number of reasons. In this post, I'll concentrate on what Mr. Hite had to say.

Hite was asked off the bat whether he thought that IT project management in the Federal government had improved over the past few years. Hite said that he believed that it had. He cited that the number of IT projects on both the Office of Management and Budget watch and high risk lists have been steadily declining.

OMB evaluates IT project plans to see, in Hite's words, "Whether they are well-positioned to execute." The OMB watch list highlights projects that, in OMB's opinion, have "weaknesses" in their capital budget and planning submissions, while those projects on the high risk list are those requiring "special attention" from the highest level of management because they may be very costly or mission critical.

However, Hite also placed a very large caveat on his belief that things have improved: he said that GAO audits have found that many of the IT projects don't have any data to support their contention that they are "just fine, thank you."

When Hite said this, it was hard not to laugh out loud. What he just said, in effect, was that government program managers have quickly learned to adapt in the face of increased oversight: they now know how to "game" their budget submissions to OMB and hide potential weaknesses that might gain them more management attention from above. Give credit where credit is due: government IT project managers are good at figuring out how to talk a good game.

Hite had more to say.

The conversation eventually turned to IT project success and failure. When asked, Hite said that IT project success needs to be determined on a "project by project basis." Too many times, "Projects commit to unrealistic promises."

This comment just reinforced my conclusions above. The OMB evaluation of IT project capital budget and planning documents, if it was worth much, would be eliminating much of this lack of realism.

Hite continued: "There is a reluctance on the part of projects to disclose uncertainty or their risks."

Gee, I wonder why. Is it that if you do, you get on the OMB watch or high risk list? Or maybe the GAO's own High Risk List?

Then, in a bit of a non sequitur, Hite said that "Programs need to be open and honest. They should get rewarded for being realistic." In fact, program managers should get incentives or "be rewarded for disclosing their risks." When he was asked how they should be incentivised or rewarded, Hite didn't really have an answer.

And no wonder. All the incentives are aligned in the other direction.

IT projects, once started, are notoriously hard to terminate, no matter how badly they are managed. In a bit of a jump ahead, Zal Azmi told the audience of mainly government IT project managers that they should "think hard" if they were going to terminate a project; he generally recommended against it because it was difficult to do (all that documentation to justify termination is a lot of work and takes a long time), and because it would upset so many people!

Further, even though Hite admitted to the well known reality that projects that do tell the truth about their risks will have a hard if not impossible time getting funding, he says that project managers should just fess up anyway.

Fat chance.

For government IT project managers (as well as for any government project or program managers), it is a reverse prisoner's dilemma model. As a project manager, you want one of your peers to fess up to having risks on their project; that way, you can undermine them and get their funding. The number one goal of any government project manager worth their salt in today's operating environment is to get your project funded. Once that is done, the number one priority is to keep it funded.

The rewards go to the projects that are able to be the most "optimistic" without getting caught; and when they are, nothing material happens anyway. To be canceled, you either have to be a very unimportant project (i.e., no political clout) or so egregiously bad that you're now a political liability.

The only way to change the environment is for OMB to start killing off, say 10 to 15%, of IT projects per year, starting with those that are found out to have been "unrealistic" in capital budget and planning submissions. Then start knocking off projects that are overrunning and behind schedule. Give them 1 year to come clean. After that, in the words of the Daleks, "Exterminate. Exterminate. Exterminate."

A few years of realistic executive leadership on the part of OMB, and the problem will be significantly reduced.

But, unfortunately, this will never happen. There is too much power, money, prestige and political power at stake which rewards not telling the truth, as anyone who has tried being truthful will tell you.

Software-Supported Ticket Scalping

Los Angeles Federal Judge Audrey B. Collins issued a preliminary injunction yesterday against RMG Technologies, Inc., of Pittsburgh, Pennsylvania ordering the company "to stop creating, trafficking in, or facilitating the use of computer programs that allow its clients to circumvent the protection systems in the ticketmaster.com web site." Users of RMG software, typically ticket brokers and some ticket scalpers, have used it to flood Ticketmaster to obtain large blocks of tickets, denying consumers an opportunity to buy tickets.

According to a Wall Street Journal article, for a recent Hannah Montana concert, the retail price of a ticket was $63, but tickets were being sold for an average of $237. For some shows, according to the New York Times, the show's tickets were sold out in 12 minutes, and then appeared on sale on the internet for up to 10 times their face value. Ticketmaster said that for some shows, software "bots" were responsible for as much as 80% of all ticket requests.

Census Risk

As reported last week in Government Executive, the US Government Accountability Office (GAO) released a report (GAO-08-79) that discusses the four critical US Census Bureau information technology projects needed to support the 2010 census, and the several that are over budget and behind schedule. The GAO report in addition noted that risk management practice on these Census IT projects is weak.

The Census is fast running out of time to fully field test its new approach using hand-held computers instead of paper-and-pencil methods to gather census information. While the Census is confident that its approach will work at the required time, others, such as myself, are less sanguine.

The Census's approach to managing risk as a whole, and the risk management used by Census contractors responsible for the individual Census IT projects, has not, shall we say, been as good as it could have been. Given that the effort was high risk from the very beginning, and that the results of a census have tremendous economic and political import, the risk management practice was woefully short of what it should have been. For US citizens' sake, let's hope the past management decisions taken at the Census don't lead to a major IT blunder.

The Great Storm of 1987

If you asked me where I was last Tuesday, I'd have to think about it for a while. However, I can tell you where I was 20 years ago today: the Bayswater section of London where I was living at the time. I remember that because today and tomorrow mark the 20th anniversary of England's Great Storm of 1987.

The storm, considered at the time the worst to hit England since 1703, devastated forests throughout southern England, killed 18 people, and caused over £1 billion in damages. I remember walking around London after the storm hit and being awed by the damage done. I had already seen the aftermath of hurricanes along the US Gulf coast, but this left a greater impression, probably since it was totally unexpected.

The UK Met Office had forecast heavy rains for the overnight of 15 - 16 October, but not the intensely strong winds. Weather forecasters thought a less powerful storm would stay south in the English Channel or hit northern France.

What made the forecasting mistake worse in the public eye was that BBC weatherman Michael Fish said on his 2130 forecast, "Earlier on today apparently a woman rang the BBC and said she'd heard there was a hurricane on the way. Well if you are watching don't worry, there isn't." Fish was actually talking about a different storm, but everyone assumed he was talking about the one that indeed did hit England.

In a Guardian newspaper story, the Met Office's chief meteorologist, Ewen McCallum, said that an analysis of the 1987 storm using modern equipment showed that a column of air descending from 14,000 feet - called a sting jet - caused the intense weather. The sting jet was only 50km wide, too small to be picked up by the weather models in 1987, which only had a resolution of 75km. Today, it would be picked up, he said, since the current resolution of their weather models is 4km and, if given the funding, will be 1km by 2011.

However, as the recent hurricane Humberto that hit the US Gulf coast shows, even fine-grained weather models may not guarantee that you'll predict everything. Being humble in the face of Mother Nature, no matter how powerful you think your computer models are, is a prudent policy.

A Different Voting Recount in Florida

In November 2006, "Democrat Christine Jennings, lost to her Republican opponent, Vern Buchanan, by just 373 votes out of a total 237,861 cast - one of the closest House races in the nation. More than 18,000 voters in Sarasota County, or 13 percent of those who went to the polls Tuesday, did not seem to vote in the Congressional race when they cast ballots, a discrepancy that Kathy Dent, the county elections supervisor, said she could not explain," according to a story in the New York Times.

The uproar was such that this past February, Florida Gov. Charlie Crist announced that Florida would get rid of all of its touch-screen voting machines, and instead use a system whereby voters would cast paper ballots that would be counted by scanning machines. Crist demanded that this new voting system be put into place in time for next year's presidential election.

A recent story in the New York Times discusses Florida's on-going problems with dumping all 25,000 of its e-voting machines, purchased for tens of millions of dollars merely six years ago as a result of the voting problems in the infamous 2000 presidential election. Miami-Dade County, for example, is now in the process of throwing out 7,200 touch-screen machines, even as the county still owes $15 million on them. Palm Beach County is trying to get rid of 4,900 touch-screens, and it still owes $4.8 million. No one, it seems, is too interested in buying them.

As I noted a few months back, California has placed very severe limits on the use of electronic voting machines. The road to e-voting is a hard one, I guess.

By the way, the voting machines used last year in Sarasota County are sequestered under court order as the investigation into the apparent voting irregularities continues.

Riding the Rails

Last week, a system problem at Tokyo Metro Co., which operates the capital's largest subway network, and East Japan Railway Co., Japan's largest rail operator, caused both of their electronic ticket gates to fail for several hours. As a result, several hundred thousand morning commuters rode the rails for free.

Nippon Signal Co., the maker of the gates, has not determined the cause of the malfunction, although a communication problem was suspected as the cause. It was the second time these electronic gates malfunctioned. Last December, the ticket gates wouldn't accept Suica (smart card) commuter passes as payment.

Question of Management

A friend of mine, John Stone, author of Developing Software Applications in a Changing IT Environment: Management Strategies and Techniques, recently e-mailed me a question, "After reviewing the IT blunders in your blog, it's clear that although we continue to make substantial progress in technologies, IT management has made halting progress at best - with many projects failing in some way, leaving their companies and users to cope as best they can."

"The analogy that comes to mind is the US car industry in the '60s and '70s, when the "Big Three" produced low quality products, leaving their customers to cope however they could. I wonder if we will see a similar exodus in IT - to hungry forward-thinking vendors where labor costs are low and education and quality are high?"

"What do you think your readers would opine?"

Anyone want to answer John?

IT Security Opportunity Costs

Government Computing News (GCN) reported that a "typical government agency or company now spends 20 percent of its information technology budget on security, including product purchases, training, assessments and certification, according to a survey released today by the Computing Technology Industry Association." This is up from 12 percent in 2004.

I don't know where the opportunity cost of IT security becomes too great to bear, but I have to believe we are starting to get into the ballpark range.

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Willie D. Jones
