The other IT-related obstacles, impairments and nervous breakdowns of the week included two rail system uffdas—one computer-related, and one apparently mechanical-cum-human error related. The first concerns a service outage on San Francisco’s BART (Bay Area Rapid Transit) system that lasted from late Thursday night into Friday morning. It was apparently caused by a server upgrade Thursday night that didn’t go according to plan. The second rail outage involved a New York City-bound Amtrak train that ended up going to Bala Cynwyd, Pennsylvania (outside Philadelphia) instead.
Finally, Boeing warned the 15 operators of Boeing’s 787 Dreamliner and 747-8 jumbo aircraft equipped with GEnx engines by GE not to fly at high altitude within 50 nautical miles of thunderstorms that may contain ice crystals. Apparently, there’s a risk of engine icing problems. Boeing and GE say that they are looking at a software fix to the engine control system which should be available early next year.
San Francisco’s BART System Goes Down for Several Hours
As a result, the lawsuit states, “Bridgestone has suffered damages in excess of $200,000,000, and continues to suffer damages from injury to its reputation and customer relations.”
The lawsuit, which was filed 29 October, was sealed until recently. While the legal complaint is heavily redacted, in it Bridgestone alleges that IBM engaged in a “pattern of deception, intentional misrepresentation, and concealment” over its capabilities and the actual status of the project risks and problems. For example, Bridgestone states that IBM “assigned individuals, including the chief technical architect for the project, who did not possess the proper knowledge, skill, education, training, experience, technical expertise, and qualifications to perform the services necessary for the successful design and implementation.” The lawsuit also says a lot of the work was outsourced to IBM workers in India and China who possessed less than stellar development skills and practices.
Bridgestone’s lawsuit alleges: (1) Fraud in the inducement and contract performance; (2) misrepresentation in business transactions; (3) constructive fraud; (4) violations of the Tennessee Consumer Protection Act; (5) gross negligence, and (6) breach of contract. The company wants a jury trial.
“Bridgestone filed a lawsuit claiming breach of contract and fraud against IBM regarding a recent SAP implementation. These claims against IBM are exaggerated, factually wrong and without merit. From the outset of this project, Bridgestone failed to meet critical commitments upon which the performance of IBM’s obligations were predicated.
Ultimately, Bridgestone’s repeated failures had a significant impact on the project’s cost and schedule, and its decision to prematurely roll-out the implementation across its entire business negatively impacted its operations.”
Among the claims IBM made were that:
Bridgestone understood that this would be a challenging project. It had tried several times with other vendors and failed to upgrade its system. IBM was the only vendor to succeed in completing the upgrade to SAP.
Notwithstanding the complexity of the project and its negative history, Bridgestone failed to staff the project with people who sufficiently understood its own legacy systems and could assist IBM in designing and converting them into a new SAP system. Throughout, Bridgestone lacked the necessary leadership to effectively manage the project; it replaced its CIO on six occasions in a 2 year period during the project term.
Bridgestone failed to supply the necessary software, hardware and network infrastructure for the system to operate properly. In many instances, Bridgestone supplied inferior resources or no resources at all.
There is a much longer laundry list of complaints, which you can read in the Business Insider piece, but you get IBM's gist. Bridgestone, when asked to comment on IBM's statement blaming it for all the system's resulting problems, said its only response is contained in the complaint filed with the lawsuit.
A careful reading of Bridgestone’s complaint shows that it includes all of IBM’s points above and says why the tire company thinks those points don’t hold any (legal) water. The redacted proprietary parts of the complaint (which, due to someone’s poor understanding of how to use redaction in PDF documents, are easily readable) discuss what appear to be the specific promises by IBM regarding its skills and capabilities, as well as how IBM said it would manage the implementation and any problems that would arise.
Bridgestone in its complaint says that it brought the lawsuit after mediation failed. It also indicated that it was during the mediation effort that it found out “that IBM had been engaged in a course of intentional deception, fraud, and misrepresentation throughout the project.” This seems to indicate that some sort of out-of-court settlement, like what happened when Avantor brought a lawsuit against IBM a year ago for “reckless indifference” on another bungled SAP project, is not likely.
How much of Bridgestone’s lawsuit will stand is anyone’s guess. Some of the specific allegations in the complaint, many of which include IBM’s representations in the redacted bits, could, to my distinctly non-lawyerly eye, be thrown out as IBM merely engaging in puffery over its skills and capabilities. That's what happened when Marin County, Calif., sued Deloitte Consulting for fraud over an SAP project in 2010. Other allegations, including IBM's agreement to only use personnel possessing the proper expertise and knowledge to carry out the statement of work, may be more promising.
I’ll keep you updated on the progress of both the lawsuit and public brawl.
According to Internet security awareness training firm KnowBe4, the losses attributable to cybercrime total US $113 billion. Take a moment to let that astounding number sink in.
Now here's some more: The fourth annual Cost of Cyber Crime Study conducted by Ponemon Institute and sponsored by HP notes that costs for businesses that are victims of Internet-based attacks have risen 78 percent per year, on average, over the past four years. And from 2010 through this year, the time needed to recover from a breach has increased 130 percent. The losses in terms of personal information, intellectual property, and system damage are staggering enough. But now the average cost of cleaning up after a successful attack has passed the $1-million mark—not counting the cost of customer lawsuits against companies whose systems have been breached.
Meanwhile, Symantec’s just-released 2013 Norton Report notes that although the overall number of victims of online attacks has actually decreased, the average cost per victim has risen by 50 percent. "Today's cybercriminals are using more sophisticated attacks, such as ransomware and spear-phishing, which yield them more money per attack than ever before," said Stephen Trilling, Symantec’s CTO, in a press release.
In Other Cybercrime News…
Six were arrested on Monday for participating in a global scheme that used fake payment cards to clean out cash machines to the tune of US $45 million.
The argument over whether or not there is a shortage of qualified STEM workers was replayed once more in a story this past week in a Chronicle of Higher Education article titled, “The STEM Crisis: Reality or Myth.” Unfortunately, you need to be a subscriber to gain full access to the article, but I thought a few quotes from the usual suspects claiming there is a STEM crisis in the United States would be enlightening.
For example, there's Robert D. Atkinson, president of the Information Technology & Innovation Foundation (ITIF), which receives a lot of its funding from high-tech companies. ITIF vehemently insists that the STEM crisis is real and that anyone who says differently is hopelessly misguided and uninformed. Atkinson argued that, among other things, college students need to be channeled towards “more useful” majors.
“We should be making some value judgments on what kind of people we'll need for the nation to move forward...The distribution of degrees right now is entirely up to students. Shouldn't we be steering them into degree types that are of more value to society, such as computer science or engineering? The American tradition is one of hard-core pragmatism. We're at risk of losing that, and we're in trouble now in regards to competitiveness.”
Atkinson goes on to imply that IT workers in the U.S. will just have to get accustomed to lower wages given that, “Companies can go overseas for workers.” Of course, the ITIF is a strong supporter of expanding the H-1B visa program for its high-tech paymasters, which has helped erode STEM wages, especially for engineers. Additionally, Atkinson maintains that, “there will be work in IT for people with the right set of skills…[and] that lower wages probably won't keep them from accepting jobs.”
I would bet, however, it might discourage many potential engineering and computer students from pursuing those careers, as it has in the past.
The Chronicle article goes on to quote Anthony Carnevale, a research professor and director of Georgetown University's Center on Education and the Workforce, who also insists that there is a STEM student/worker shortfall (but who also once in a moment of candor admitted that any college student with math talent would be “crazy to go into STEM”). However, in the Chronicle article, Carnevale reasons that even if there is a glut of STEM graduates moving into the workforce, that’s okay because STEM grads “do better than other types of majors and tend to move into management pretty quickly.”
There's nothing like hedging your bets.
In fact, Carnevale continues:
“Having experience in technical matters helps them [STEM students] land good non-STEM jobs. They might work in places like marketing or medical-device sales, where their technical backgrounds helped them get in.”
Yep, get an EE or CS degree, and you too can strive to get a job shilling medical devices. Sounds to me like a winning slogan for convincing high-school students to pursue engineering or similar STEM majors. Maybe Carnevale can make up posters and send them to all the high schools to put up in their science and math classrooms.
On another related note, last week I had the opportunity to attend a Congressional briefing hosted by IEEE-USA and the AFL-CIO (a federation of trade unions in the United States) on the impact of the H-1B visa program on the economy, innovation, and the workforce. The panel was moderated by Ron Hira, associate professor of public policy at the Rochester Institute of Technology, and included Neeraj Gupta, CEO of Systems in Motion; Karen Panetta, professor of electrical and computer engineering at Tufts University and editor-in-chief of IEEE Women in Engineering magazine; and Hal Salzman, professor of public policy at Rutgers University. The briefing drew a standing-room-only crowd of House of Representatives staffers.
Hira provided a quick overview of the current H-1B visa program, and highlighted the fact that no one knows (or tracks) exactly how many H-1B visa holders there are in the U.S. He estimated that the total is around 650 000, with most working in the high tech arena. Hira also reported that the program does not require U.S. companies to actively recruit U.S. workers before seeking out H-1B visa workers, and that company compliance with the H-1B visa requirements is only maintained through whistle blowers such as Jay Palmer, who exposed Indian outsourcing company Infosys’s rampant abuse of the program. Palmer was supposed to attend the briefing to describe his Infosys experience, but unfortunately, his flight was canceled.
Gupta, who came to the United States as a student, was hired under an H-1B, and later became a U.S. citizen, talked (ironically) of the difficulty he faces as the CEO of a growing IT services company competing against H-1B outsourcers. He emphasized that H-1B workers are hired by U.S. companies as well as Indian and other foreign outsourcing companies primarily to lower their labor costs using mostly high-tech workers with average skills. Gupta argued that the H-1B program needs to return to its original purpose, which was to bring the truly best and brightest from across the world, not just primarily India, to work in the United States. This is not likely to happen, since the world's truly “best and brightest” are not likely to sign up to be treated as high-tech “indentured servants” as many H-1B visa holders do.
Salzman spoke of the latest data on STEM graduates and jobs, reiterating that STEM programs turn out at least 50 percent more IT graduates every year than there are U.S. job openings. He also said that if the H-1B program is ramped up to the numbers that are being advocated (up from 85 000 to 185 000), that worker oversupply could possibly increase to the 90 percent mark or more. Salzman called attention to Georgetown University’s report earlier this year that showed recent information system majors had a 14.7 percent unemployment rate, the highest of the majors it tracks. Even contemporary computer science graduates were experiencing an 8.7 percent unemployment rate.
Well, there are always those jobs selling medical devices.
Panetta noted that expansion of the H-1B visa program has had the effect of keeping down the already small numbers of women and minorities getting computer science and computer engineering degrees, since the more visa holders there are, the fewer job opportunities are available for U.S. workers. She also noted that only a small proportion of H-1B visas is given to female STEM graduates, even though 40 percent of the STEM graduates in India are women (this is more than double the U.S. percentage, she said). Panetta also noted how U.S. STEM students are facing school loan debts which are discouraging many from pursuing graduate studies, a problem many foreign STEM students don’t have.
Yet, while the ACA ruckus was going on, several other IT-related inconveniences were reported. For example, Pennsylvania home care workers saw their paychecks delayed or lost for months because Pennsylvania's Department of Public Welfare mismanaged an IT program consolidation. There was news that Verizon has agreed to pay $60 million for botching New York City’s Emergency 911 system implementation, and disclosure of plans by major stock exchanges to try to reduce the IT outages that have been striking with increasing regularity over the past few years.
Verizon Agrees to $60 Million Settlement over Emergency 911 System Problems
TD's deputy chief economist Derek Burleton was quoted by CBC News as saying, “Evidence of economy-wide shortages is hard to find. Yes, across regions and occupations, skills mismatches (exist) because you are never going to get a perfect match. So it's not a complete myth, but it's not as extreme as people believe.”
Even in the country’s Western provinces, which report the greatest skills shortages, wages have not risen measurably—something that happens when there is a shortage. The TD report says, “The story on the wage data remains curious, as wage gains out West have not increased to the extent that one might have thought given the signs of tightness.”
Until the revelations based on documents leaked by Edward Snowden came to light, the world had to take U.S. intelligence agencies’ word that they were adhering to legal limits on domestic and foreign data gathering. Now that we know better, all of the assurances they’ve made about the nature of their surveillance programs are under scrutiny. One such conceit—that the collection of metadata shouldn’t be viewed as surveillance—is being put to the test by researchers at the Stanford Security Lab at Stanford University. A new project, called Metaphone, will use metadata collected from the cellphones of volunteers to see how much additional information can be discovered when starting with logs of phone calls and text messages.
Meanwhile, the U.S. Senate began debate this week over the Surveillance Transparency Act introduced by Sen. Al Franken (D-Minn.). The bill would require that the U.S. National Security Agency (NSA) make revelations of its own. Among them: how broad a net it is casting in its data collection programs; what proportion of the people having their data collected are U.S. citizens or permanent residents; and whose information was actually reviewed by a government agent. The legislation would also eliminate the gag orders that prevent phone and Internet companies from divulging the number of orders they receive demanding customer data and the number of requests with which they comply.
More On the U.S. Government and Digital Surveillance
The complications with the rollout of the Affordable Care Act (ACA) website continued their unbroken streak of dominating the news cycle related to IT-related snarls, snags and inconveniences. Among the list of IT health issues bedeviling the ACA’s website that cropped up last week are: the admission of a dramatic rise in the number of items on the “punch list,” from dozens to hundreds of problems that require fixing; the lack of interest from those to whom the ACA’s website was specifically targeted; a host of folks, including well-known IT luminaries such as economist Larry Summers, offering what I'm sure is welcomed at the White House, unsolicited advice on how to successfully manage the ACA website development effort; and counsel that if a user finds him or herself on an Obamacare website that seems to actually work, it is more than likely being operated by a scam artist.
But the ACA website was not the only IT system that was reportedly in poor health last week. There was, for example, a Wal-Mart website pricing error that gave new meaning to the company’s slogan, “Always low prices.” A Fox News website called for World Zombie Day, and problems continued for Florida’s new unemployment insurance system website and back office systems.
WalMart Website Glitch Excites and then Disappoints Many with Low, Low Prices
Wednesday morning, as U.S. Health and Human Services (HHS) Secretary Kathleen Sebelius testified about the ongoing problems with healthcare.gov at a Senate Finance Committee hearing, the first head rolled as a result of the Obamacare website debacle. It was announced that Tony Trenkle, the CIO of the Centers for Medicare and Medicaid Services, the HHS entity responsible for creating the healthcare insurance portal, would be leaving his post as of 15 November. According to an e-mail sent to agency employees on Wednesday, Trenkle is “leaving for the private sector”; the agency’s chief operating officer, Michelle Snyder, announced a reshuffling meant to temporarily fill Trenkle’s role.
As for Sebelius, she told senators that, “We’re not where we need to be” with regard to meeting a 30 November deadline set by the administration for making the HealthCare.gov site functional. The HHS secretary revealed that “a couple of hundred functional fixes” would still need to be made so the website would not get hung up, display error messages, or make other errors such as displaying blank drop-down boxes. (In this week’s IEEE Spectrum Q&A with risk management expert Robert Charette, he imagined that tackling a punch list containing only 30 items strained credulity.)
By now, everyone with access to a newspaper or an Internet connection knows just how badly the first few weeks have gone for the U.S. healthcare insurance portal HealthCare.gov and some of the independent state-run insurance marketplaces. To say we are experiencing technical difficulties is an understatement. Despite testimony last week from the main contractors for the federal website and from Health and Human Services Secretary Kathleen Sebelius, we still have few details about what precipitated such a colossal failure and why no alarms went off before the site's ill-fated 1 October debut. IEEE Spectrum Assistant Editor Willie D. Jones talks with risk management expert Robert Charette about what likely happened and what we can expect going forward.
Jones: You wrote an article for IEEE Spectrum in 2005 that could have been used as the playbook for the HealthCare.gov debacle. I guess you’re somewhat of a prophet.
Charette: You can go back to the first book I wrote on software systems risk management back in 1989. It’s easy to make any project fail. You just don’t give it enough time, enough money, or requirements that are understandable.
Jones: Last week, Health and Human Services Secretary Kathleen Sebelius assured her inquisitors at a congressional hearing that her department has brought in experts that have a handle on the problems the site is facing. How confident should we be in Sebelius’ assurances?
Charette: Not very. They’re talking about dozens and dozens of items on their punch list—both in terms of functionality and performance issues. They’ve got just over 30 days to get through the list. Let’s just say that there are 30 items on it. What do you think is the actual probability of getting through testing them, making sure that the system works end to end and that there are no security holes all in a single month? How do you expect to get that done, knowing that every time you make a fix, there’s a high probability that you’re going to introduce an error somewhere else?
Jones: Let’s spin this forward a bit. How do you think this next month will actually go?
Charette: They said that they needed five weeks at the minimum to test it, and they’re still making all these changes. Where will that five-week window fit? If they had stopped right then and tested it for five weeks, they wouldn’t have been able to finish on time. And five weeks was probably the absolute minimum they needed, assuming everything worked. They’re patching the system as they go along and as Sebelius admitted, they’re doing very local unit tests (which, by the way, is what got them into this mess in the first place, with each contractor saying, "Well, my stuff works"). If they discover something major, they may have to run the whole system test again.