Risk Factor iconRisk Factor

UK Government Wastes Nearly £2 billion on Abandoned IT Projects Since 2000


The London Guardian today published an analysis which found over £1,865bn has been spent on UK government IT projects that have been abandoned since 2000. As the newspaper notes, its "survey of abandoned projects is not exhaustive and the total of £1,865bn is likely to be a considerable underestimate of the actual cost to taxpayers because neither Whitehall nor the National Audit Office, parliament's financial watchdog, keep definitive lists of which schemes go wrong."

To say that it is an underestimate is itself an understatement, if Joe Harley, chief information officer at the Department for Work and Pensions (and former ICI Paints global chief information officer) is to believed. In May 2007, he said at the Turning the Tide Government UK IT Summit 2007 that, "Today only 30%, we estimate, of our projects and programmes are successful. It is not sustainable for us as a government to continue to spend at these levels. We need to up the quality of what we do at a reduced cost of doing so."

Given that the UK has spent nearly £100bn on IT since 2000, and 70% are not considered successful, I seriously doubt that only about 3% of those unsuccessful IT programs (no matter how you define success) were abandoned.

The UK government has gone on record as saying it wants a 90% plus IT success rate - meaning on time, on budget and to specification - by 2010/11.

To "Turn the IT Tide," assuming a uniform improvement rate of 15% and using the end of 2011 as the target date, then by the end of 2008, we can expect something like 45% of UK government IT programs to be successful. I'll be watching.

Does This Story Sound Familiar?

The Minneapolis Star Tribune reported earlier this week that a scheme by the Minneapolis' convention bureau to make money developing and selling software for booking and managing conventions has gone slightly awry.

According to the paper, the Minneapolis City Council lent the convention bureau $2.5 million in 2004 to create the convention booking software with the idea that it would help pay for the costs of marketing the city to tourists. In fact, the bureau told the City Council that it only expected to use $1.5 million of the $2.5 million loan to develop the software.

But "a series of unexpected setbacks involving the technical work of developing the software" in 2005 led the the bureau to asked for (and get) another $2.5 million in loans to complete it.

But then in 2006, the bureau said it needed to borrow up to another $5 million to complete the software and market it. Surprisingly - or maybe not - the convention bureau got its loans because it was able to convince the City Council that the opportunity was both "tremendous" and the software was nearly finished (95% complete?). Council Member Paul Ostrow declared at the time: "We're quite confident that this is relatively low-risk."

Well, fast forward to the end of 2007, and so far, the bureau has spent $9.1 million and sales of the software, while now apparently complete (it is called the Internet Destination Sales System (IDSS)), hasn't yet turned a profit. At least $1.7 million in sales per annum are needed to just break even.

In addition, the financial resources devoted to the effort has taken money away from marketing Minneapolis to tourists - a bit ironic to say the least.

The City Council finally wised up and stopped approving any more money to the project. In addition, the person who originally sold the idea to the City Council has also decided to "move on."

According to one current City Council member, "The customers who have the product are very pleased with it. As are we. From that standpoint, it's turned out to be a great product. Time will tell how the business model is going to work." The story didn't say how many customers are using the software, but I suspect the sales price is considerably higher and the potential market size is much smaller than forecast back in 2004.

The convention bureau thinks it can make a profit on selling the software this year, while others think 2009 at the earliest. I'll keep an eye on this story and let you know how it turns out.

Sad News

Tully.gif I just found out today that Middlesex University Emeritus Professor Colin Tully, an influential British computer scientist and a long-time friend, passed away on the 26th of December.

Colin and I first met over twenty years ago when I used to live in the UK, and we had many a lively discussion on information systems and technology risks and their management over the intervening years. Our latest conversations, the last of which was just a few weeks ago, have been about the risks surrounding the NHS National Program for IT (NPfIT), which Colin was deeply concerned about.

Colin will be missed in the software engineering community.

Census Program in Serious Trouble?


In a story released this morning, Government Executive magazine reports that a MITRE Corporation talking paper implies that the Census Bureau's hand-held computer project (Field Data Collection Automation) on which the 2010 Census depends is in serious trouble. The talking paper states that the project is quickly running out of time, and that end-to-end system testing might be seriously affected.

In response the the issues raised by the MITRE paper, the Census seems to be taking a "failure is not an option" approach, although given what is in the talking paper, I definitely think it is a possibility.

Software Problems Ring In the New Year on Schedule

fireworks.gif A bad computer file forced the New Year's Eve fireworks display in Seattle to be launched manually, resulting in a show that was out of sync with its choreographed music, according to a report in ComputerWorld.

Then, right after midnight, a software problem affected the Verizon wireless network in the Washington, DC area into early New Year's day, reports the Washington Post.

Next Intuit had to announce yesterday that the "permanent patch" for a bug in QuickBooks on the Mac that erased files from users' hard drives that was released on 31 December, does not in fact completely fix the flaw, reports ComputerWorld.

Finally, some Seminole County Florida residents opened their water bills for December 2007 and found bills for both December 2007 and 2006. As the Orlando Sentinel explains, "billing information from December 2006 was not purged from the [county's automated computer-billing] computer memory, so the system generated a bill based on that information."

Glad to see that 2008 is looking a lot like 2007 in the IS&T department, or as The Who would say, "Meet the new boss, same as the old boss."

UK Doctors Don't Trust NPfIT Security


The London Times reported over the weekend that a poll it conducted sowed that more than three quarters of National Health Service (NHS) doctors, "are either 'not confident' that [patient] data will be safe or 'very worried' that data will leak once the £20 billion National Programme for IT (NPfIT) is running. Asked how well they thought that local NHS organisations would be able to maintain the privacy of data, only 4 per cent said very well. The majority, 57 per cent, said quite or very poorly."

Interestingly, the more experienced the doctor in IT, the less confident they are that the benefits of the NHS electronic health record system out weigh the risks to patient privacy.

In the London Telegraph, there are also two stories about the NHS changing how it plans to do business. The first is about a plan for millions of people suffering from "arthritis, asthma and even heart failure will be urged to treat themselves," as a means to save money. Some patients will be encouraged to report "medical information to doctors remotely by telephone or computer," which I assume will mean a big change to what will need to be captured in the NPfIT electronic health record.

The second story is also about Prime Minister Gordon Brown's desire to make people responsible for their own health, by denying medical treatment to patients that are deemed not to be taking care of themselves. The story says that, "Patients could be required to stop smoking, take exercise or lose weight before they can be treated."

Hmm, once the NPfIT is all in place, this should be easy to do. The government will be able to set up filters based on a person's medical history, and deny them access to treatments.

Brown says that, "I believe these are steps vital to securing the health of the NHS for the next 60 years."

"They will require a broadening and a deepening of reform to ensure that the NHS as a whole attaches the same priority to a personal and ­preventative service as many of you already reflect in your own day-to-day decisions."

In other words, the NHS will be there to treat you as long as you are already healthy.

I think UK doctors' might want to worry about patient privacy a bit more.

Checking Grades On-line


The Chicago Tribune had a story on the increasing use of electronic grade books by Chicago area schools that both students and parents can access on-line. These accessible grade books started in the high schools, but are now migrating to middle and elementary schools. The idea is to create a tighter link between schools and the home, but some teens view it as an intrusion.

As a parent, I have mixed feelings. I know growing up I would not have been thrilled about my parents having access to every grade I received on every assignment each day, but as a parent I am interested in knowing where my children are having difficulties as well as excelling. Our school district doesn't have electronic grading yet, and so I see my children's homework once a week when they bring home a large folder with all of it stuffed in there.

The story doesn't talk about it, but I suspect that some teachers aren't thrilled to death about electronic grade books either, as I am sure many parents let the teacher know when they think their child's grade is too low. The helicopter parent problem can't be helped by it.

In one way, I am glad our school district doesn't have electronic grading, since I would also would want to know not only the grade but the assignment. This would inevitably lead to trouble, since whenever I found that an instructors made an error (like when one teacher was trying to teach my daughter that copper is naturally magnetic since a "copper fastener" was attracted to a magnet) I would have a hard time letting it slip.

2007 Bad Year for Privacy: 2008 Worse?

The Washington Post had two stories on data security and privacy today. The first concerns a report by the Identity Theft Resource Center that more than 79 million records were reportedly compromised in the United States through December 18th, compared with nearly 20 million records reported in all of 2006.

The story also reported that Attrition.org estimates that more than 162 million records were compromised worldwide through December 21, compared with 49 million last year.

The number of data breaches has grown because there are more legal requirements on companies and governments to report them, but the number reported is also low since not everyone is required to or reports data breaches even when they should. As I have written about earlier, the UK government is just now owning up to a large number of data breaches that occurred months ago.

The other Post story concerns how easy it is to find a person's social security number on the web because local and state governments routinely post public records containing them. The Federal government has banned the publication of sensitive personal information like social security numbers since 2001. More recently states like Virginia and Maryland have also banned their publication as well. However, the law does not cover the hundreds of thousands of documents already published that contain social security numbers and that are accessible on-line. In Virginia, the law also doesn't seem to cover current arrest warrants or court summons.

So, as we begin this new year, anyone care to speculate on the date of the first major (let's say 1 million or more records) of the year in the US? Elsewhere in the world? And how long it takes from breach to disclosure of the breach?

Patriot Missile Software Flaws Long Known By Army


In response to a $20 million lawsuit stemming from the friendly-fire shoot down in Iraq of a Navy F-18 and the loss of its pilot in 2003 by a Patriot air-defense missile, Raytheon, who builds the Patriot, said in court documents that the Patriot had at the time difficulty distinguishing between friendly and enemy aircraft which the US Army knew all about, the Boston Globe reports.

"The Army was aware that there had been documented instances in which the Patriot System in training, test and/or combat, failed to perform to operational requirements, including specifically its misidentification of friendly vehicles as enemy targets."

However, the Army believed that the benefits of deploying the system were greater than the risks posed.

Both the Army and Raytheon say that improvements to the system have been made, but they won't say whether Patriot can yet distinguish between friendly and enemy aircraft.

Cheating Websites Proliferate

A story in this week's Boston Globe details that proliferation of websites dedicated to selling the answers to hundreds of professional exams, from computer technician to heavy crane operator to pharmacist.

This follows a previous story that the Globe published earlier in December on tens of thousands of US Army personnel getting answers to their professional skills exams - many of which are required to be passed to become eligible for promotion. In this case, the Army has known about the cheating for over 8 years, and has done nothing about it. The problem is now so large, that the Army can't possibly bring everyone to task.

So, I guess cheaters do prosper.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City
Load More