Risk Factor


Maine’s New Unemployment System Frustrates the Public and State Workers Alike

Problems with unemployment insurance IT systems and rollouts are common, as exemplified by the difficulties experienced by Pennsylvania, Florida, and California, to name a few. In an attempt to reduce the frequency and cost of failure, several states, with encouragement and funding from the U.S. Department of Labor [pdf], have formed consortiums aimed at creating a core UI system that can then be minimally tailored to meet each state’s unique requirements.

One of the more noteworthy systems is ReEmployUSA, which was formed by Mississippi, Maine, Rhode Island, and Connecticut. The consortium was the brainchild of the Mississippi Department of Employment Security (MDES), which in 2012 finalized the modernization [pdf] of its UI system called Access Mississippi (Access MS). Mississippi offered Access MS to other states as a way to share development and support costs.

Eleven states initially expressed interest [pdf] in Mississippi’s proposal, with Maine and Rhode Island committing to the idea first, followed by Connecticut. The U.S. Labor Department provided $90 million to the consortium to use Access MS as a baseline to be reengineered into a common, cloud-based system that would allow all four states to use it with only 20 to 25 percent tailoring needed.


Georgia’s Intrusive Computer Intrusion Bill

According to Georgia’s Attorney General Chris Carr, the state is only one of three, along with Virginia and Alaska, without a cybersecurity law that makes it illegal for someone to remotely access your computer and search it for sensitive information, and then sell it to a third party. Presently, it is only illegal in Georgia to access a computer to delete or tamper with its contents. However, this will change if Georgia Senate Bill 315: The Computer Intrusion Bill is finally passed into law.

One could be forgiven for thinking, well, it’s about time. However, cybersecurity experts are worried that SB315 as written is so open-ended that it could potentially make a range of legitimate security research and other innocuous activities into criminal offenses. According to the Electronic Frontier Foundation (EFF), a person doing personal work on their business computer could be at risk of being charged, as would security researchers looking for vulnerabilities on corporate or government websites, or others who scrape online information from public websites. The Georgia ACLU calls the bill “draconian,” while others worry that cybersecurity firms will be negatively affected.


U.S. Coast Guard’s $67 Million EHR Fiasco

In late January, the U.S. House of Representatives’ Subcommittee on Coast Guard and Maritime Transportation held a hearing to review the United States Coast Guard’s $14 million, five-year electronic health record (EHR) system project.

The project, which began in September 2010, ballooned into a $67 million fiasco that the USCG finally ended in September 2015. But the Coast Guard didn’t officially confirm its termination until April 2016. At the time, the USCG public affairs office vaguely explained that there were concerns about whether the project could be completed in a reasonable time and at a reasonable cost. A spokesperson also opaquely added that, “Various irregularities were uncovered, which are currently being reviewed.” Mention of “irregularities” raised a lot of questions that the Coast Guard refused to answer for the last two years.


The Costly Fiasco of Minnesota’s Licensing and Registration System

How long should a state take to develop an information system to manage its vehicle and driver services’ transactions? For Minnesota, the wish is that it is only going to be the 11 years it is now scheduled to take.

Minnesota’s Licensing and Registration System (MNLARS) project was initiated in 2008 when the Minnesota Legislature recognized that the current system that went live in 1982 was on its last legs. There was a slim hope that MNLARS would be operational by 2012 [pdf], but, alas, it was not. In fact, it took until April 2012 for the Minnesota Department of Public Safety’s Driver and Vehicle Services (DVS) to just reach a contractual agreement with Hewlett-Packard to begin developing MNLARS at an agreed cost of $41 million.


2017 Was a Record Year for ID Theft in the U.S.

This will not come as a big shock: an estimated 16.7 million Americans were victims of identity theft last year, according to a survey published by the research and advisory firm Javelin Strategy & Research. And the company says this tops the previous record of 15.4 million compromised identities which occurred, not surprisingly, in 2016.

Javelin notes in its report that cyber thieves have changed tactics over the past year, which has made them more efficient and effective. They are now focusing on targeting cellphones and email accounts to obtain a person’s complete details, such as their name, address, and social security number, instead of trying to access individual pieces of personal information in order to piece together a profile.

This strategy is making it easier for cyber criminals to open fraudulent accounts and to exploit them for a longer period of time before they are discovered. The company estimates that fraud losses last year amounted to some US $16.8 billion.


Cyber Intrusion Creates More Havoc for Washington State’s New Marijuana Tracking System

Licensed marijuana product growers and retailers have been very unhappy with Washington State’s new “seed-to-sale” marijuana tracking system that went live on 1 February.

Buggy software has kept many suppliers from shipping their products because of manifest errors and, equally, retailers from accepting their orders. While Washington’s Liquor and Cannabis Board officials have insisted that the myriad software problems are being fixed or workarounds exist for most of them, the Board has also disclosed that the tracking system experienced a cyber intrusion.

In a letter to licensees, the Liquor and Cannabis Board stated that on 1 February someone downloaded a copy of the traceability database, which in turn affected key operations of the tracking system in a way the Board refused to disclose. The intruder was able to access information for four days of marijuana deliveries, including delivery-vehicle information together with type, license-plate number and VIN numbers. The Liquor and Cannabis Board said that since the latter information was publicly available and no personal information was accessed, there was no need for anyone to be concerned. Retailers and growers, however, were not exactly comforted by the Board’s reassurances.


New German Warship Fails Sea Trials Due to Tech Woes

Reducing the size of a combat ship’s complement through advanced automation has been a goal of the world’s navies for decades [pdf]. However, as the U.S. Navy has already discovered, the German Navy is now finding out that this is easier desired than done.

In December, the German Navy refused to commission the lead ship of its new Baden-Württemberg class Type 125 (F125) frigate after it failed its latest at-sea trials. This was the first time that Germany’s navy has ever refused to commission a ship after delivery. The refusal was due in part to unresolved hardware and software integration problems affecting the Baden-Württemberg’s ATLAS Naval Combat System [pdf] and other ship systems, which have plagued the frigate’s sea trials since it entered them in April 2016.

The persistent problems with the €3 billion F125 program, which is meant to replace Germany’s Bremen F122 class frigates, have delayed the Baden-Württemberg’s commissioning, planned first for 2014, then for 2016, and now for sometime late this year, assuming its problems can be resolved. In addition to the IT troubles, the ship reportedly has issues with its radar and the fireproof coating of its fuel tanks, and it’s overweight. It is critical that the ship’s problems be solved quickly since three other frigates in its class should all be delivered before year’s end.


Healthcare IT Systems: Tempting Targets for Ransomware

Well, there’s no use in waiting, I suppose. Two Thursdays ago, Chicago-based electronic health records provider Allscripts Healthcare Solutions suffered a ransomware attack that paralyzed some of its services. This past Friday, the company announced it had completely recovered from the cyberattack. But not before a class action lawsuit [pdf] was filed against it by an orthopedic non-surgery practice for failing to secure its systems and data from a well-known cybersecurity threat, i.e., a strain of SamSam.

The ransomware attack impaired Allscripts’ data centers in Raleigh and Charlotte, North Carolina, affecting a number of applications, such as its Professional EHR and Electronic Prescriptions for Controlled Substances (EPCS) hosted services, which were mostly restored within five days, according to the company. Other services, like clinical decision support, analytics, data extraction, and regulatory reporting, took the longest to make operational again.

Allscripts tried to play down the impact of the loss of services, saying that only about 1,500 out of the 45,000 physician practices it serves were impacted; “none were hospitals or large independent physician practices”; and no patient data was taken.


Michigan’s MiDAS Unemployment System: Algorithm Alchemy Created Lead, Not Gold

Perhaps next month, those 34,000 plus individuals wrongfully accused of unemployment fraud in Michigan from October 2013 to September 2015 will finally hear that they will receive some well-deserved remuneration for the harsh treatment meted out by Michigan Integrated Data Automated System (MiDAS). Michigan legislators have promised to seek at least $20 million in compensation for those falsely accused.

This is miserly, given how many people experienced punishing personal trauma, hired lawyers to defend themselves, saw their credit and reputations ruined, filed for bankruptcy, had their houses foreclosed or were made homeless. A sum closer to $100 million, as some are advocating, is probably warranted.

The fiasco is all too familiar: a government agency wants to replace a legacy IT system to gain cost and operational efficiencies, but alas, the effort goes horribly wrong because of gross risk mismanagement.

This time, it was the Michigan Unemployment Insurance Agency (UIA) which wanted to replace a 25-year-old mainframe system. The objectives of the new system were three-fold and reasonable. First, ensure that unemployment checks were only going to people who deserved them. Second, increase UIA’s efficiency and responsiveness to unemployment claims. And third, through those efficiency gains, reduce UIA’s operational costs by eliminating more than 400 workers, or about one-third of the agency’s staff. After spending $47 million and two years on the effort, the UIA launched MiDAS, and soon proclaimed it a huge success [pdf], coming in under budget and on-time, and discovering previously missed fraudulent unemployment filings.


Will U.S. Corporations Ever Take Cybersecurity Seriously?

It’s another month, and another major IT-related security problem has been uncovered. The latest, the security flaws discovered in Intel, AMD, and ARM chips that can allow the bypassing of operating system security protections, are a bit different than most vulnerabilities. They are hardware rather than software-based, and their impacts are exceptionally widespread, impacting nearly every Intel processor made since the mid-1990s. Billions of chips in total could be affected.

Intel, in conjunction with AMD, ARM, operating system vendors, and others, has been working on software and firmware security updates to close the security holes, with mixed success. There were reports that Intel’s firmware update had a bug that needed fixing itself, and that there were problems with updates on some AMD-based machines. There is also a debate between Intel and Microsoft regarding whether some of the updates would result in a significant slowdown of a patched machine. Intel insists the fixes will likely cause minimal performance impacts for most users, while a Microsoft executive instead seemed to suggest that users might be better off not updating their machines if loss of performance was greater than the security gained.

Intel has not only been downplaying the performance impacts of the fixes, but the financial impacts as well, even going so far as to say the flaws will have no material impact on the company’s finances. That is rather amazing: billions of products sold with two fundamental security flaws that need urgent correction and the result isn’t seen as being material. It leads to the question of what would need to happen for an IT security issue to become material, not only to Intel, but to all U.S. corporations.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City