Risk Factor

Georgia’s Intrusive Computer Intrusion Bill

According to Georgia’s Attorney General Chris Carr, the state is one of only three, along with Virginia and Alaska, without a cybersecurity law that makes it illegal for someone to remotely access your computer, search it for sensitive information, and then sell that information to a third party. Presently, it is only illegal in Georgia to access a computer to delete or tamper with its contents. However, this will change if Georgia Senate Bill 315, the Computer Intrusion Bill, is finally passed into law.

One could be forgiven for thinking, well, it’s about time. However, cybersecurity experts are worried that SB315 as written is so open-ended that it could potentially make a range of legitimate security research and other innocuous activities into criminal offenses. According to the Electronic Frontier Foundation (EFF), a person doing personal work on their business computer could be at risk of being charged, as would security researchers looking for vulnerabilities on corporate or government websites, or others who scrape online information from public websites. The Georgia ACLU calls the bill “draconian,” while others worry that cybersecurity firms will be negatively affected.

Photo: A health service technician aboard the Coast Guard Cutter Healy measures Petty Officer 2nd Class Robert Martin's heart rate during a physical health assessment.

U.S. Coast Guard’s $67 Million EHR Fiasco

In late January, the U.S. House of Representatives’ Subcommittee on Coast Guard and Maritime Transportation held a hearing to review the United States Coast Guard’s $14 million, five-year electronic health record (EHR) system project.

The project, which began in September 2010, ballooned into a $67 million fiasco that the USCG finally ended in September 2015. But the Coast Guard didn’t officially confirm its termination until April 2016. At the time, the USCG public affairs office vaguely explained that there were concerns about whether the project could be completed in a reasonable time and at a reasonable cost. A spokesperson also opaquely added that, “Various irregularities were uncovered, which are currently being reviewed.” Mention of “irregularities” raised a lot of questions that the Coast Guard has refused to answer for the last two years.


The Costly Fiasco of Minnesota’s Licensing and Registration System

How long should a state take to develop an information system to manage its vehicle and driver services’ transactions? For Minnesota, the hope is that it will take only the 11 years it is now scheduled to take.

The Minnesota Licensing and Registration System (MNLARS) project was initiated in 2008 when the Minnesota Legislature recognized that the existing system, which went live in 1982, was on its last legs. There was a slim hope that MNLARS would be operational by 2012, but, alas, it was not. In fact, it took until April 2012 for the Minnesota Department of Public Safety’s Driver and Vehicle Services (DVS) just to reach a contractual agreement with Hewlett-Packard to begin developing MNLARS at an agreed cost of $41 million.


2017 Was a Record Year for ID Theft in the U.S.

This will not come as a big shock: an estimated 16.7 million Americans were victims of identity theft last year, according to a survey published by the research and advisory firm Javelin Strategy & Research. And the company says this tops the previous record of 15.4 million compromised identities which occurred, not surprisingly, in 2016.

Javelin notes in its report that cyber thieves have changed tactics over the past year, which has made them more efficient and effective. They are now focusing on targeting cellphones and email accounts to obtain a person’s complete details, such as their name, address, and social security number, instead of trying to access individual pieces of personal information in order to piece together a profile.

This strategy is making it easier for cyber criminals to open fraudulent accounts and to exploit them for a longer period of time before they are discovered. The company estimates that fraud losses last year amounted to some US $16.8 billion.


Cyber Intrusion Creates More Havoc for Washington State’s New Marijuana Tracking System

Licensed marijuana product growers and retailers have been very unhappy with Washington State’s new “seed-to-sale” marijuana tracking system that went live on 1 February.

Buggy software has kept many suppliers from shipping their products because of manifest errors and, equally, has kept retailers from accepting their orders. While Washington’s Liquor and Cannabis Board officials have insisted that the myriad software problems are being fixed or that workarounds exist for most of them, the Board has also disclosed that the tracking system experienced a cyber intrusion.

In a letter to licensees, the Liquor and Cannabis Board stated that on 1 February someone downloaded a copy of the traceability database, which in turn affected key operations of the tracking system in a way the Board refused to disclose. The intruder was able to access information for four days of marijuana deliveries, including delivery-vehicle information such as vehicle type, license-plate number, and VIN. The Liquor and Cannabis Board said that since the latter information was publicly available and no personal information was accessed, there was no need for anyone to be concerned. Retailers and growers, however, were not exactly comforted by the Board’s reassurances.

Photo: The F125 frigate Baden-Wuerttemberg sails in Cuxhaven, Germany.

New German Warship Fails Sea Trials Due to Tech Woes

Reducing the size of a combat ship’s complement through advanced automation has been a goal of the world’s navies for decades. However, as the U.S. Navy has already discovered, the German Navy is now finding out that this is easier desired than done.

In December, the German Navy refused to commission the lead ship of its new Baden-Württemberg class Type 125 (F125) frigate after it failed its latest at-sea trials. This was the first time that Germany’s navy has ever refused to commission a ship after delivery. The refusal was due in part to unresolved hardware and software integration problems affecting the Baden-Württemberg’s ATLAS Naval Combat System and other ship systems, which have plagued the frigate’s sea trials since it entered them in April 2016.

The persistent problems with the €3 billion F125 program, which is meant to replace Germany’s Bremen F122 class frigates, have delayed the Baden-Württemberg’s planned commissioning from occurring first in 2014, then in 2016, and now to sometime late this year—assuming its problems can be resolved. In addition to the IT troubles, the ship reportedly has issues with its radar and the fireproof coating of its fuel tanks—and it’s overweight. It is critical that the ship’s problems be solved quickly, since three other frigates in its class should all be delivered before year’s end.


Healthcare IT Systems: Tempting Targets for Ransomware

Well, there’s no use in waiting, I suppose. Two Thursdays ago, Chicago-based electronic health records provider Allscripts Healthcare Solutions suffered a ransomware attack that paralyzed some of its services. This past Friday, the company announced it had completely recovered from the cyberattack. But not before a class action lawsuit was filed against it by an orthopedic non-surgery practice for failing to secure its systems and data from a well-known cybersecurity threat, i.e., a strain of SamSam.

The ransomware attack impaired Allscripts’ data centers in Raleigh and Charlotte, North Carolina, affecting a number of applications, such as its Professional EHR and Electronic Prescriptions for Controlled Substances (EPCS) hosted services, which were mostly restored within five days, according to the company. Other services, like clinical decision support, analytics, data extraction, and regulatory reporting, took the longest to make operational again.

Allscripts tried to play down the impact of the loss of services, saying that only about 1,500 out of the 45,000 physician practices it serves were impacted; “none were hospitals or large independent physician practices”; and no patient data was taken.


Michigan’s MiDAS Unemployment System: Algorithm Alchemy Created Lead, Not Gold

Perhaps next month, those 34,000 plus individuals wrongfully accused of unemployment fraud in Michigan from October 2013 to September 2015 will finally hear that they will receive some well-deserved remuneration for the harsh treatment meted out by Michigan Integrated Data Automated System (MiDAS). Michigan legislators have promised to seek at least $20 million in compensation for those falsely accused.

This is miserly, given how many people experienced punishing personal trauma, hired lawyers to defend themselves, saw their credit and reputations ruined, filed for bankruptcy, had their houses foreclosed or were made homeless. A sum closer to $100 million, as some are advocating, is probably warranted.

The fiasco is all too familiar: a government agency wants to replace a legacy IT system to gain cost and operational efficiencies, but alas, the effort goes horribly wrong because of gross risk mismanagement.

This time, it was the Michigan Unemployment Insurance Agency (UIA), which wanted to replace a 25-year-old mainframe system. The objectives of the new system were three-fold and reasonable. First, ensure that unemployment checks were only going to people who deserved them. Second, increase UIA’s efficiency and responsiveness to unemployment claims. And third, through those efficiency gains, reduce UIA’s operational costs by eliminating more than 400 workers, or about one-third of the agency’s staff. After spending $47 million and two years on the effort, the UIA launched MiDAS and soon proclaimed it a huge success, coming in under budget and on time, and discovering previously missed fraudulent unemployment filings.


Will U.S. Corporations Ever Take Cybersecurity Seriously?

It’s another month, and another major IT-related security problem has been uncovered. The latest, the security flaws discovered in Intel, AMD, and ARM chips that can allow the bypassing of operating system security protections, are a bit different from most vulnerabilities. They are hardware- rather than software-based, and their impacts are exceptionally widespread, affecting nearly every Intel processor made since the mid-1990s. Billions of chips in total could be affected.

Intel, in conjunction with AMD, ARM, operating system vendors, and others, has been working on software and firmware security updates to close the security holes, with mixed success. There were reports that Intel’s firmware update had a bug that needed fixing itself, and that there were problems with updates on some AMD-based machines. There is also a debate between Intel and Microsoft regarding whether some of the updates would result in a significant slowdown of a patched machine. Intel insists the fixes will likely cause minimal performance impacts for most users, while a Microsoft executive instead seemed to suggest that users might be better off not updating their machines if loss of performance was greater than the security gained.

Intel has not only been downplaying the performance impacts of the fixes, but the financial impacts as well, even going so far as to say the flaws will have no material impact on the company’s finances. That is rather amazing: billions of products sold with two fundamental security flaws that need urgent correction and the result isn’t seen as being material. It leads to the question of what would need to happen for an IT security issue to become material, not only to Intel, but to all U.S. corporations.


2018’s IT Failures Already Have a Familiar Look

The more things change, the more things seem to stay the same, at least for international travelers arriving in the United States over the New Year’s holiday period. For a second year in succession, the U.S. Customs and Border Protection (CBP) computer systems experienced an outage that left thousands of passengers across the United States waiting in long lines to clear customs. This time, the outage was only for about two hours, while last year’s lasted four hours and affected more than 13,000 passengers on 109 flights, according to a Department of Homeland Security Inspector General report released last November that investigated the disruption. The DHS IG report indicated that the 2017 New Year’s problem was caused by an inadequately tested software change related to CBP’s long-running IT modernization effort.

No official cause or total number of passengers or flights affected has been given for the latest CBP computer hiccup. However, another IT modernization-related issue is a likely culprit, given that a September 2017 Homeland Security IG report assessing the state of CBP’s IT systems and infrastructure indicated that the main CBP computer system used to screen international passengers has seen its performance “greatly diminished over the past year as a result of ongoing efforts to modernize (its) underlying system architecture.” Before this latest outage, there were three other service disruptions in 2017, according to the IG report.

The few hours of distress suffered by international travelers, however, are minuscule in comparison to that of the tens of thousands of Canadian federal government workers who are now facing a third year of payroll system torment. In what is quickly moving into contention as one of the worst government-managed IT implementations ever, over half of the 290,000 plus civil servants paid through the IBM-developed Phoenix pay system have been underpaid, overpaid, or not paid at all since its rollout began in February of 2016. Government records show that, as of November 2017, there were some 589,000 payroll-related transactions still awaiting processing, meaning many government employees are contending with several pay issues. For instance, in Canada’s Department of National Defense, 63 percent of its workers had outstanding pay issues as of 1 November 2017, with 15 percent having three or more outstanding problems to contend with. According to Canada’s Auditor General, nearly 50,000 government workers have had to wait over a year to get their pay straightened out.

A major objective of the Phoenix system—which traces its history back to 2009—was to save the government C$70 million per year through reductions in payroll processing overhead and staffing costs. However, things have not turned out as planned. While the original cost of the project was pegged at C$309.5 million, Public Services and Procurement Minister Carla Qualtrough, who is now in charge of the project, admitted in November that it might cost as much as C$1 billion and three or more additional years to completely fix the system. The added costs include hiring hundreds of new payroll staff—including some of the 2,700 laid off when Phoenix was introduced—to try to sort out the mess.

The pain has been acute for the thousands of public workers who have received less than their correct salary, but the thousands who have been overpaid have not escaped misery, either. For this latter group, the government delivered a New Year’s surprise: notice that they will have until 31 January 2018 to pay back any overpayments they received. If they don’t, they have been told they will have to pay back not the net salary overpayment after taxes were taken out, but the gross salary overpayment the workers erroneously received. They then will have to wait to claim the difference back on their personal income tax filings in May, with refunds coming who knows when. To say the least, demanding money that they never actually received and further complicating their tax returns has not made the affected government employees very happy, given that most have already spent months trying to get their pay straightened out to no avail.


IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City