
Clips October 17, 2003

ARTICLES

Database protection bill advances in Congress
VeriSign to Sell Registrar Unit For $100 Million
Senators Press Inquiry on Privacy Issue
Concerns about aviation security fly during hearing
U.K. retailer tests radio ID tags
Agencies to review Common Criteria
GAO questions E-Authentication timetable
Mehan: Cybersecurity should work like a human immune system
OMB considers NIAP for software certifications
OMB's Evans will focus on leadership
DHS plans network to link its agencies
IG slams FBI's technology management
White House vows to step up progress on e-gov efforts
*******************************
CNET News.com
Database protection bill advances in Congress
Last modified: October 16, 2003, 5:20 PM PDT
By Reuters

An effort to protect school guides, news archives and other databases from wholesale copying won the approval of a congressional subcommittee on Thursday, despite objections of lawmakers who said it is not necessary.

The House of Representatives intellectual-property subcommittee voted 11-4 to provide a legal umbrella for publishers of factual information, such as courtroom decisions and professional directories, similar to the copyright laws that protect music, novels and other creative works.

Database providers have pushed for such protection for years, saying they have few legal tools to protect themselves from rivals who copy and resell information that they have painstakingly assembled.

Business, consumer and library groups have blocked passage in previous sessions of Congress, saying database publishers can protect themselves through existing laws and terms-of-service agreements.

Lawmakers drafted a more narrowly focused version this year, and the subcommittee amended it further so research activities at colleges and universities would not be affected.

But opponents at the subcommittee meeting said they still saw no reason for it to become law.

"This is the classic solution in search of a problem," said Virginia Democratic Rep. Rick Boucher.

"When all is said and done, this is an effort to create a property right in an area that cannot be copywritten," said California Democratic Rep. Zoe Lofgren.

Bill proponent Rep. Howard Berman, a California Democrat, wondered if perhaps they had weakened it too much.

"All that hard work has appeared to reduce support for this ball, rather than reduce its opposition," Berman said.

No similar bill has yet been introduced in the Senate.

Story Copyright  © 2003 Reuters Limited.  All rights reserved.
*******************************
Associated Press
Pentagon Restores Unclassified Documents
Thu Oct 16, 4:15 PM ET
By JIM KRANE, AP Technology Writer

The Pentagon restored Internet access Thursday to hundreds of unclassified documents that it recently took offline, including directives on myriad topics, from defining policies on conscientious objectors to displaying flags at half-staff.

The Associated Press reported Wednesday that TheMemoryHole.org, a Web site that archives documents and news stories that have disappeared from the Internet, posted the directives shortly after the Defense Department removed them earlier this month.

Steven Aftergood, who reported the developments in his Secrecy News newsletter, said before access was restored that the disappearance was the latest example of public documents being taken down from government Web sites after the Sept. 11 attacks.

The directives are freely available in printed form and are used by contractors, job seekers and people with family members in the military, said Aftergood. He said his organization, the Federation of American Scientists, would invoke the federal Freedom of Information Act to challenge their removal.

"If we want an open and accountable government, we need this type of information in the public domain," Aftergood said Wednesday.

On Thursday, Aftergood credited the Pentagon with getting the message after being challenged.

"An optimist would be entitled to conclude that it is still possible, even under current conditions, to effect change in official secrecy policy, at least in a modest way," Aftergood wrote in his newsletter.

A Pentagon spokesman, Lt. Col. Ken McClellan, said he wasn't sure why the site was taken down or restored, but suggested it may have been part of a review of the Defense Department's Internet presence.


"After 9/11 there was considerable consternation about what's on the Web, and about 10,000 documents were pulled behind the firewall and off the Web," McClellan said. The combined information from those removed documents was "greater than what we wanted al-Qaida to have access to."
____


On the Net:


Pentagon directives: http://www.dtic.mil/whs/directives


Secrecy News: http://www.fas.org/sgp
*******************************
Washington Post
VeriSign to Sell Registrar Unit For $100 Million
By Mike Musgrove
Friday, October 17, 2003; Page E01

VeriSign Inc. announced yesterday that it will sell Network Solutions, the Herndon-based registrar of Internet addresses, for $100 million in a deal that will allow VeriSign to retain exclusive control of the valuable .com and .net database.

VeriSign, which acquired Network Solutions in 2000 for $15 billion in stock, said it agreed with Pivotal Private Equity, an Arizona-based investment firm, to sell the unit by the end of the year. VeriSign will keep a 15 percent stake.

In parting with the subsidiary, VeriSign is selling the lesser of two parts of Network Solutions' original business. The unit, which has 600 employees, is a registrar for online addresses ending in .com and .net. It is one of the largest of more than 100 such companies.

VeriSign will keep its role as the exclusive list-keeper of those Internet addresses. Network Solutions was chosen in 1992 by the Internet Corporation for Assigned Names and Numbers to manage the list. Network Solutions collects $6 for each .com and .net address, regardless of which registrar sells it. The names of about 27 million domains are in the database, according to the company.

VeriSign, which began as an Internet security company, bought Network Solutions just before the dot-com bust. After growing by leaps and bounds throughout the '90s, the number of Web addresses shrank in 2001 and much of 2002.

The sale of the subsidiary means that all of VeriSign's businesses are focused on providing basic back-end services for Internet and telecommunications companies. For example, VeriSign provides an underlying technology to connect phone calls that stretch over the networks of different carriers. The company also manages security for corporate Web sites such as Merrill Lynch & Co.'s.

Robert J. Korzeniewski, executive vice president of corporate development at VeriSign, said yesterday that the sale was made so the company can "focus on what we do best."

"Personally, it's somewhat of a sad day for me because I've been associated with Network Solutions since 1995," he said. "But I think this puts our employees in a good place."

Former Network Solutions chief executive James P. Rutt said the price for the unit was low.

"Whoever bought it got a hell of a good deal," Rutt said. He estimated that the list-keeping part of Network Solutions, also known as the "registry," is worth "north of a billion" dollars.

"As the world has shaken out, it makes sense for VeriSign to focus on the infrastructure side of the business," Rutt said.

Pivotal Private Equity, which was founded last year, is a spinoff of a Phoenix-based real estate investment firm. The company also bought Pacific Crossing Ltd., an undersea fiber-optic network connecting the United States and Japan.

J. Jahm Najafi, chief executive of Pivotal Private Equity, said his company plans to add more services to the registrar company's offerings, aimed at helping small- and medium-size businesses build online presence.

"We think the domain-name industry has not yet been tapped," he said. "As broadband becomes more prevalent, we believe the market is going to dramatically increase."

Bob Nelson, former entrepreneur-in-residence at Network Solutions, said the company, under new ownership, could be more free to make acquisitions and partnerships it couldn't have made as part of VeriSign.

"The registrar has long believed they could do a lot more if they were out from under the arm of VeriSign," he said. "It might make for a very, very successful thing," he said.

VeriSign caused controversy recently by directing Web browsers to its online search directory when computer users mistyped ".com" or ".net" addresses. VeriSign stopped doing so this month on ICANN's demand.
*******************************
Associated Press
Do-Not-Spam List Probably Won't Work
Thu Oct 16, 2:50 PM ET
By ANICK JESDANUN, AP Internet Writer

NEW YORK - The premise sounds simple: To cut down on junk e-mail, simply submit your addresses to a "do-not-spam" list that marketers would have to check to avoid fines. With more than 50 million phone numbers already on a federal do-not-call list, many e-mail users are eager for a no-spam counterpart.


But don't hold out much hope, even if one is created. Phone and e-mail systems, and the marketers who employ them, are fundamentally different.


"It's beyond even an apples-to-oranges comparison," said Nicholas Graham, a spokesman for America Online Inc.


Even supporters say a no-spam list would be no panacea.


"I don't think anyone out there is going to tell you that a do-not-e-mail registry is going to be as effective as a do-not-call registry," said Matthew Prince, co-founder of Unspam LLC, a Chicago startup that developed technology to run such an anti-spam list.


Not that the cautions are stopping the efforts.


Sen. Charles Schumer, D-N.Y., has a bill to create a national do-not-spam list. State senates in Louisiana and Michigan have passed similar legislation, and bills have been introduced in other states. Violators could be fined and, in Michigan, even sent to jail.


An industry trade group, the Direct Marketing Association, already keeps a no-spam list of 700,000 e-mail addresses that its members are asked to heed. Also, at least three private companies started their own no-spam lists this year. Two of them charge the public for inclusion.


But these lists have no enforcement power.


"When the do-not-call list hit 30 million names, we just said, `Wow,'" said Tom Jackson, chief executive of Global Removal Inc., which charges $5 per individual e-mail address.


Bryan Hunter, who runs the $9.95-a-year Remove.org, claims lists such as his help marketers better target pitches. "They realize these are people who aren't going to buy their products," he said.


But John Levine, board member of the Coalition Against Unsolicited Commercial Email (CAUCE), dismisses such companies as toothless. Without the legal standing of a government list, such private efforts "range from naively ineffective to complete scams," he said.


Michigan Attorney General Mike Cox has threatened a deceptive-marketing lawsuit against Remove.org. The company has since toned down its Web site, but an investigation is continuing.


Meanwhile, the chairman of the Federal Trade Commission, which runs the do-not-call list, doubts whether a government-run counterpart for spam would work.


E-mail systems are spread out around the globe, and information about the e-mail sender is easy to fake. The phone network is centralized and regulated, tends to follow national boundaries and has fixed circuits that are less prone to spoofing. Together, that makes telemarketers easier than spammers to catch.


People also change e-mail addresses more frequently than phone numbers, making any no-spam list quickly old.


And while telemarketers are largely businesses pitching legitimate products, spammers are more likely to promote deceptive get-rich-quick or get-anatomically enlarged-quick schemes.
If spammers aren't following consumer-protection laws now, they likely won't adhere to any lists, said Bob Wientzen, chief executive of the Direct Marketing Association.

"We're very concerned that the American public might be sold a bill of goods," Wientzen said, acknowledging his group's own list has done little to stop spam.

A no-spam list also raises security issues: Just think of what could happen if a spammer got hold of such a database. Prince and others, however, say such lists can be encrypted.

Critics also say spammers abroad would be difficult to locate and subject to U.S. laws. However, Ray Everett-Church, counsel for CAUCE, is unfazed.

"The server may be in China or Brazil, but the person advertising in that e-mail is most likely either based in the United States or has some jurisdictional tie to the United States," Everett-Church said.

Where no-call and no-spam lists converge is in the debate over their constitutionality.

A federal court in Denver has ruled that the no-call list violates the telemarketing industry's free-speech rights. An appeals court, however, has temporarily blocked the order.

David Sorkin, a John Marshall Law School professor who tracks spam laws, said a no-spam list would likely face similar challenges. But he notes that junk-fax prohibitions have survived such tests.

As for whether it would work, Sorkin is skeptical. He doesn't believe it would do much to stop today's breed of spam, though it could prevent e-mail marketing by legitimate businesses that haven't quite taken advantage of the medium yet.

So after all that, you'll still see your mailbox filled with Nigerian (or is it Liberian?) investment opportunities. But at least your phone won't ring as often while you hit the delete key.
*******************************
New York Times
Senators Press Inquiry on Privacy Issue
By PHILIP SHENON
Published: October 17, 2003

WASHINGTON, Oct. 16 - The leaders of a Senate committee pressed the Pentagon Thursday to explain why an Army contractor collected information on more than a million passengers of JetBlue Airways for an antiterrorism study, an act that the lawmakers said might have been a violation of federal privacy laws.

The lawmakers, Susan M. Collins of Maine, Republican chairwoman of the Senate Governmental Affairs Committee, and Joseph I. Lieberman of Connecticut, the panel's ranking Democrat, said in a letter to Defense Secretary Donald H. Rumsfeld that the sharing of the passenger information with Torch Concepts raised "disturbing questions about the reliability of safeguards in place at the Defense Department to protect Americans' privacy."

The letter, dated Thursday and also signed by Senator Carl Levin of Michigan, ranking Democrat on the Senate Armed Services Committee, asked Mr. Rumsfeld if the Pentagon was investigating "the possibility that Torch Concepts and the Army violated the Privacy Act," a 1974 law restricting the gathering and distribution of private information by the government.

A Pentagon spokeswoman said that the department had no immediate comment on the letter because it had not been widely distributed within the department.

Last month, JetBlue said that it had violated its own internal privacy rules when it agreed last year to share information on more than a million of its passengers with Torch Concepts, an Army contractor in Huntsville, Ala., for a data-mining study intended to determine whether passenger records could be used to identify potential terrorists.

Torch Concepts did not answer its phone this afternoon, and the company's outside lawyer did not return a phone call that asked for comment. A spokesman for JetBlue, the discount airline based in New York, also did not return phone calls.

Last month, Torch Concepts insisted that it did nothing wrong in gathering the information. Torch has said that it had intended to use the study as a model to determine for the Army whether similar methods could be used to defend military bases from terrorist attack.

Both the Federal Trade Commission and the Department of Homeland Security have already announced inquiries into the sharing of so much private passenger information by JetBlue, saying they were also disturbed by what had happened with the passenger records. The airline has repeatedly apologized to its customers.

In their letter to Mr. Rumsfeld, the senators said that they "support the development of effective new systems and technologies to protect homeland and national security, with appropriate safeguards regarding the privacy of personal information."

"At the same time, we note that many Americans have expressed concern that proposals for new data systems being considered may intrude too far on their personal privacy," they said. "This apparent misuse of JetBlue passenger information only adds to these concerns."

Torch has acknowledged that it matched the JetBlue records from 2001 and 2002 against other databases to determine Social Security numbers, occupations and family size of the airline's passengers in an effort to identify potential terrorists.

Privacy rights groups have expressed outrage over the passenger-screening project, describing the airline's decision to release the data to another private company as a grave violation of consumer privacy rights.

In their letter, the senators asked several detailed questions about the nature of the Army's contract with Torch, and whether the Pentagon or the contractor had shared the passenger information with any other parts of the government.

The letter did not specifically call for an investigation of the issues by the Pentagon's inspector general, but it asked whether Mr. Rumsfeld had made such a request.
*******************************
Government Executive
October 16, 2003
Concerns about aviation security fly during hearing
By Chris Strohm
cstrohm@xxxxxxxxxxx

At a congressional hearing Thursday, the head of the Transportation Security Administration emphasized the progress his agency is making on meeting its mission, but lawmakers expressed frustration, and in some cases outrage, over problems that persist with aviation security.

The most likely threat the aviation industry faces is somebody smuggling a weapon or explosive device past airport screeners and onto a plane, TSA Director James Loy said during a hearing of the House Transportation and Infrastructure Subcommittee on Aviation. That threat is greater than somebody infiltrating the outside perimeter of an airport and attempting to sabotage a plane, Loy said.

By the end of this year, all airports in the country are supposed to meet a federal deadline that stipulates they screen every passenger and bag. However, when asked by lawmakers, Loy acknowledged that five airports would not meet the deadline because they do not have adequate electronic screening equipment. He declined to say which airports would miss the deadline, but said TSA has signed a letter of intent with all but one of them to meet the goal as soon as possible.

On top of that, not all employees working at airports today are physically screened, Loy said, adding that TSA is contacting airports to find out why.

Recent reports by the General Accounting Office and the inspector general of the Homeland Security Department criticized TSA's screening program. The GAO report found inefficiencies when it comes to screening passengers, while the inspector general said the training program for screeners was insufficient.

Ongoing problems with screening passengers and baggage are fueling the frustrations of lawmakers.

"The GAO report clearly shows that the effort made by TSA to provide an acceptable level of passenger screening is unacceptable," said Rep. William Pascrell, D-N.J. "The report makes it clear that weapons and explosives can still pass through our screening systems. That is unacceptable. This is dangerous, dangerous business."

He added that he believes TSA is "neglecting" other aspects of airport security if workers can pass through checkpoints without being screened.

Loy acknowledged that problems persist with aviation security but said aviation and transportation in general are "radically more secure" now than before the terrorist attacks of Sept. 11.

"It would be wrong and harmful to conclude that airport security is no better today than before 9/11," he said.

For example, he said screeners have confiscated about 5 million prohibited items during the last year. He also said TSA will issue data in about six months showing that "the trend lines are where we want them to be or going in the right direction."

According to Loy, some of TSA's main priorities during the next fiscal year, which began Oct. 1, are issuing comprehensive information to airports on whether they should use private screeners or federal workers; developing an adequate information technology system that allows airports to share information; instituting a recurrent training program for screeners; and finding the right balance between part-time and full-time workers.

Loy added that TSA will also put $55 million toward researching and developing technology to screen large cargo trucks. Boston's Logan International Airport is conducting the only pilot program in the country with a system for scanning cargo trucks.

However, Loy said TSA still does not have enough funding for purchasing electronic screening equipment. TSA was also supposed to start the new fiscal year with 49,600 screeners but only has 48,000. The agency is currently hiring part-time workers to fill its ranks, Loy said.
*******************************
CNET News.com
U.K. retailer tests radio ID tags
Last modified: October 16, 2003, 12:33 PM PDT
By Andy McCue
Special to CNET News.com

Retailer Marks & Spencer has begun a trial of radio frequency identification tags in clothes at one of its U.K. stores this week as part of plans to improve stock accuracy and product availability for customers.

The tags, criticized by privacy advocates and touted by the technology industry as a bar code replacement, are contained within throwaway paper labels called Intelligent Labels attached to, but not embedded in, a selection of men's suits, shirts and ties at the High Wycombe store in the United Kingdom. The trial will last four weeks, the company said.

Other retailers and manufacturers such as Tesco and Gillette have attracted criticism from privacy groups about the potential for data from the radio frequency identification (RFID) tags to be used to track and monitor customers, even after they have left the store.

But Marks & Spencer has gone to great lengths to ensure a transparent approach to its trials and to limit which data is collected and what it will be used for, according to the company.

The tags will only hold the number unique to each garment, the company said. The information associated with this number is held on Marks & Spencer's secure database and relates only to that product or garment's details--for example, the size, style and color. The tags also have no power to emit a signal and only release their unique identification number in the presence of a Marks & Spencer scanner, according to the company.

The Intelligent Label is attached to the garment alongside the pricing label and is designed to be cut off and thrown away after purchase. For items such as shirts, which are pre-packed, the tag is stuck onto the transparent shirt bag.

"Irrespective of the method of payment, no association is made between the information on the Intelligent Label and the purchaser," a Marks & Spencer spokeswoman said.

The information will allow Marks & Spencer to check stock deliveries and count stock quickly in stores and depots, the company said.

The retail group will use two scanners for the tags. A portal installed at the distribution center and the loading bay of the store will allow rails of hanging garments and trolleys containing packaged garments to be pushed through and read quickly. A mobile scanner in a shopping trolley with a handheld reader will scan several garments at the same time out on the shop floor, the company said.

"With the ability to read product details on the RFID tags at different points in the supply chain, the information can be used to ensure that the right goods are delivered to the right store at the right time," the spokeswoman said. "Customers will therefore benefit from better availability of the goods they want each time they shop."

The scanners operate at frequencies and power permitted for RFID radio signals in Europe that are around eight times lower than those used in the United States. This means that the maximum accurate read range is around half a meter.

The U.S.-based consumer privacy group Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), which has lobbied fiercely against RFID tags, welcomed Marks & Spencer's approach to its trials.

Katharine Albrecht, founder and director of CASPIAN, said in a statement: "We stand firm in our opposition to item-level RFID tagging of consumer products and encourage consumers not to purchase them. But we do want to recognize Marks & Spencer's responsible attitude toward the trial. Other retailers have simply chosen to ignore the serious privacy and health concerns of their customers."
*******************************
Federal Computer Week
Agencies to review Common Criteria
BY Diane Frank
Oct. 16, 2003

Federal civilian agencies will soon review the potential benefits of an international security standard as a guide for commercial software purchases, according to Karen Evans, the new administrator of the Office of Management and Budget's Office of E-Government and Information Technology.

The Bush administration's National Strategy to Secure Cyberspace includes a plan to review the national security community's use of the Common Criteria Evaluation and Validation Scheme. That review is an important part of determining how to improve IT security in civilian agencies, Evans told the House Government Reform Committee today.

In the United States, the National Institute of Standards and Technology and the National Security Agency's National Infrastructure Assurance Partnership (NIAP) oversee Common Criteria implementation. Products that pass evaluation are certified as doing exactly what the vendor claims they do.

The Defense Department since July 2002 has required Common Criteria certification for all its security-related purchases. OMB's review will look at whether that has improved DOD's cybersecurity. Civilian agencies also need to know if it can help, Evans said.

"The review will consider to what extent, if any, NIAP can address the continuing problem of security flaws in commercial software products," she said.

There have been many questions about Common Criteria's usefulness and effectiveness, and committee Chairman Rep. Tom Davis (R-Va.), said he will keep track of the review.
*******************************
Government Computer News
10/17/03
GAO questions E-Authentication timetable
By Jason Miller

The General Services Administration's timetable for building a gateway for the E-Authentication project is unrealistic, the General Accounting Office said yesterday.

GSA has reached few of its policy, procurement and technology objectives for E-Authentication, auditors said in the report, Planned E-Authentication Gateway Faces Formidable Development Challenges. "The modest progress achieved to date calls into question the likelihood that the project can successfully field an operational gateway, even within the revised schedule," they said.

GSA originally expected to finish the gateway by last month, but the Office of Management and Budget extended the deadline to March 2004. E-Authentication is one of the five Quicksilver e-government projects managed by GSA and underlies plans for all 24 of the other Quicksilver projects.

Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, had asked GAO to examine the project. After seeing the report, he wrote to GSA administrator Stephen Perry requesting a meeting.

The auditors said GSA must:

- Establish policies for consistency and interoperability among different authentication systems, and develop technical standards.
- Finish defining user authentication requirements for the 24 other e-government projects; GSA said 12 have been finished.
- Deal with funding, security and privacy issues.

"We have serious concerns about the progress of the project," said John de Ferrari, an assistant director in GAO's Office of Information Management Issues. "Our biggest concern is with the amount of work that needs to be done to make the gateway really work. The idea of doing it extremely quickly in a matter of months seems to be unrealistic."

De Ferrari added that GAO does not believe the development work has been mishandled, but the agency should take the time necessary. Developing policy and achieving interoperability are GSA's main hurdles, he said.
*******************************
Government Computer News
10/17/03
Mehan: Cybersecurity should work like a human immune system
By Mary Mosquera
GCN Staff

Security products should be engineered differently to block more pathways to intrusion by hackers, worms and viruses, the Federal Aviation Administration's CIO said yesterday.

"We will have to move to an android cyberdefense that mimics human biodefenses," said FAA CIO Dan Mehan yesterday at an industry event sponsored by National Business Promotions and Conferences in Falls Church, Va.

Mehan compared the ideal intrusion defense with the human immune system's ability to isolate and target infections. That kind of futuristic security will have to come from research organizations and universities, he said.

FAA has a multilayered security architecture and uses a security certification and authorization program (SCAP) to harden all its systems, Mehan said. Starting early next year, the agency will accelerate the number of SCAPs by applying full-court certification and accreditation to critically important systems with less stringent review for other systems, he said. The Federal Information Security Management Act requires agencies to certify their systems and report on their progress.

FAA is in the first stages of developing what Mehan called an orderly quarantine of viruses, "but it will take three or four years of research to get more sophisticated," he said. For example, not all networked systems need data supplied to them in real time. Instead, users could go to a data mart for stored information. If their machines are infected, security screening could disconnect them at the data mart. A targeted quarantine would supply additional protection, he said.

Mehan said developing an enterprise architecture improves systems security because it cuts down on duplicate systems and lines of code.
*******************************
Government Computer News
10/17/03
OMB considers NIAP for software certifications
By Joab Jackson
PostNewsweek Tech Media

The software certification role of National Information Assurance Partnership might expand from defense and national security agencies to all federal agencies, a White House official told Congress Thursday.

Karen Evans, administrator for e-government and IT at the Office of Management and Budget, told the House Government Reform Committee that NIAP could be used to certify the security of commercial software used by civilian agencies.

The expanding role is part of a comprehensive review of the NIAP program, Evans said at a hearing on Internet security.

"One thing they will consider is to what extent, if any, NIAP can address the continuing problem of security flaws in commercial software products," Evans said. "This review will include lessons learned from the implementation of the Defense Department's July 2002 policy requiring the acquisition of products reviewed under the NIAP evaluation process."

House Government Reform Committee Chairman Tom Davis, a Republican representing Northern Virginia, expressed frustration at the number and scope of vulnerabilities that continue to hamper the Internet and agency networks.

NIAP oversees security-testing standards for military and intelligence agencies. Started in 1997, NIAP is a collaboration between the National Security Agency and the National Institute of Standards and Technology to establish a framework for security testing of commercial software for use on classified military networks.

The testing was required by National Security Directive No. 42, issued by the Defense Department's National Security Telecommunications and Information Systems Security Committee, now the Committee on National Security Systems.

The policy mandated that all commercial software used in government systems handling national security information be certified by one of several organizations or validation programs, including the NIAP's Common Criteria Evaluation and Validation Scheme and NIST's Federal Information Processing Standards Cryptomodule Validation Program.

Common Criteria evaluations for individual software products can range from $500,000 to $1 million per evaluation, according to industry officials. NIAP certifies integrators as well as commercial and government laboratories to test products. Booz Allen Hamilton Inc., Computer Sciences Corp. and Science Applications International Corp. run Common Criteria labs, according to NIAP's Web site.
*******************************
Government Computer News
10/16/03
OMB's Evans will focus on leadership
By Jason Miller

Karen Evans, the Office of Management and Budget's new administrator of e-government and IT, yesterday stepped out of the large shadow of Mark Forman by promising to take a different tack than her predecessor.

Evans, who came to OMB earlier this month after spending 18 months as the CIO of the Energy Department, said she wants to lead agencies in building consensus on the IT management practices Forman instituted.

"I'm not the boss; this is about leadership and partnership, so we can move forward on e-government," Evans said at a press briefing. "I understand what the difficulties are in what we are trying to accomplish with e-government and the Federal Enterprise Architecture. And I know the effect these things have on agencies and their leaders."

Evans said her new position, in some ways, is similar to her role as vice chairwoman of the CIO Council. In that post she had to lead agencies as they worked through issues relevant to the CIOs. She still is doing that, but from a different perspective.

"My plans are to continue to drive toward the e-government goals and continue to work on the Federal Enterprise Architecture and agency EAs," she said. "I think the initiatives will pick up momentum because everyone is focused on results."

Evans outlined how she plans to tackle the ongoing e-government challenges:

Widespread communication about e-government and the Federal Enterprise Architecture to agencies, Congress, state and local governments, and citizens
Getting continued commitment from agency leaders to focus on citizens
Continuing to cooperate with industry.

"The success of the government depends on agencies working as a team across traditional boundaries," Evans said. "We need to continue to focus on the citizen rather than the agency's individual needs."

Evans said getting each agency to focus on security, privacy and the planning, implementation and evaluation of agency IT investments will remain a priority. She added that finishing the migration of the 25 e-government projects is important.

"The solutions from the e-government projects must become a part of the way the government does business every day," she said. "The e-government initiatives developed the framework for how the government will invest in IT in the future."

One area where OMB must improve is in its communication with Congress about the benefits of e-government and the need for an e-government fund, said Clay Johnson, OMB deputy director for management.

For the third straight year, lawmakers will not fully fund the president's request for a $45 million e-government account. The Senate allocated $5 million and the House $1 million in the Treasury, Transportation and General Government appropriations bill.

"One of many things Karen will do is communicate more with Congress," Johnson said. "We haven't been persuasive enough, and it hasn't been a big enough priority for us to fully engage Congress on it."

Evans said agencies will continue to rely on the pass-the-hat method of funding these projects.

"In fiscal 2003, 94 percent of these projects were funded by cross-agency collaboration," she said.
*******************************
Government Computer News
10/16/03
DHS plans network to link its agencies
By Wilson P. Dizard III

The Homeland Security Department plans to issue a contract by the end of the year for creating and operating a network for transmitting classified data across its agencies, according to department officials and contractors.

The department will issue a task order for the Homeland Secure Data Network under the General Services Administration's Millennia governmentwide acquisition contract, said Jim Flyzik, a partner in Guerra, Kiviat, Flyzik and Associates of Oak Hill, Va.

According to Input of Reston, Va., DHS' Border and Transportation Security Directorate "has a requirement for secure, computer-to-computer connectivity among its intelligence components and field activities for the purpose of moving classified and selective law enforcement sensitive data." The selected vendor will design, implement, operate and maintain the network, Input said.

The directorate's Customs and Border Protection Office of IT declined to release information about HSDN because it is "in the middle of a procurement for this sensitive, mission-critical system," a department spokeswoman said.

The HSDN project likely will amount to tens of millions of dollars, said vendor sources who spoke on condition of anonymity. They named Computer Sciences Corp., Lockheed Martin Corp., Science Applications International Corp. of San Diego, and SRA International Inc. of Fairfax, Va., as likely leading bidders.

Vendor sources said the department issued a request for proposals early this month and expects to receive bids next month. DHS will invite oral presentations about the proposals later in November and possibly issue the task order in early December.

"What they are doing is reaching out" with the RFP, Flyzik said. "They are looking for private-sector solutions on how to share classified information among homeland agencies. Customs has been pursuing a similar capability for several years."

Flyzik said DHS' fiscal 2003 and 2004 budgets include money for HSDN.

According to Input, the procurement had been called the Customs Secure Data Network and has been in the works since October 2002.

Input added that designs for the network will include encryption devices and a scalable infrastructure. It also is to be based on off-the-shelf hardware and software where possible, Input said. The procurement requires vendors to have a top-secret security clearance.
*******************************
Government Computer News
10/16/03
IG slams FBI's technology management
By Wilson P. Dizard III

The Justice Department inspector general's audit division reported that the FBI has not yet adopted dozens of needed improvements to its IT infrastructure and management. The bureau still struggles with security problems, obsolescence and other major weaknesses in its systems, the IG said.

The report included a detailed response by the FBI showing its progress in implementing recommendations Justice made previously.

The bureau spends about $606 million on IT annually, and has made improving its systems one of its top 10 priorities, according to the IG report issued Tuesday.

Since 1990, the IG has issued several critical reports about the bureau's systems, and the General Accounting Office also has called for reforms. But the bureau did not track its response to these recommendations until recently, according to the report, which covered events through April 2003.

The auditors said the bureau's major IT problems include:

Poor security program management and planning
Poor system access controls
Faulty software development and change controls that increase the risk of inaccurate and unauthorized software changes
Weak segregation of duty controls that expose bureau systems to the entry of faulty or fraudulent data
Inadequate service continuity controls
Substandard application controls that create the risk of unauthorized transactions.

The auditors found that 30 recommendations that the IG previously had made were repeated in subsequent reports.

The bureau has made some progress in correcting security problems, but 17 of 23 recommendations made in a 2001 report by the Commerce Department's National Institute of Standards and Technology remain open, according to the report.

The auditors called these "vulnerabilities a high to moderate risk for the protection of the FBI's investigative and mainframe systems. ... These vulnerabilities occurred because [Justice] and FBI security management had not enforced compliance with existing security policies, developed a complete set of policies to effectively secure the administrative and investigative mainframes, or held FBI personnel responsible for timely correction of recurring findings," according to the report.

Report: http://www.usdoj.gov/oig/audit/FBI/0336/final.pdf
*******************************
Government Executive
October 16, 2003
White House vows to step up progress on e-gov efforts
By Ted Leventhal, National Journal's Technology Daily

Two White House Office of Management and Budget officials briefed reporters Wednesday on the status of OMB's e-government initiatives and hinted at future plans, stating that whether or not Congress centrally funds e-government, the initiatives are moving forward.

The press conference featuring OMB Deputy Director Clay Johnson and e-government administrator Karen Evans was called to introduce Evans, most recently the chief information officer at the Energy Department, to the media and field questions on the e-government initiatives. Earlier this month, Evans replaced Mark Forman in OMB's e-government slot.

Evans said OMB plans to finish implementing the e-government initiatives next year and continue improving security and privacy. OMB also will work to educate state and local governments and the public about the new services available to them through the initiatives, she said.

"The federal government continues to make strides in service while saving taxpayers' dollars," she said.

Evans dismissed the idea that the change of senior leadership at this point in the process would affect the initiatives' deployment. "It's always difficult when there's a change, but I think the momentum will pick up," she said, adding that the government's chief information officers "want to accomplish this mission."

Evans added that about 60 percent of federal agencies will be in compliance with rules for eliminating government paperwork by the Oct. 21 deadline. The law requires the agencies to give individuals or organizations that do business with the government the option to transact business electronically. Further implementation of the act will become part of the e-government initiative, Evans said, but agencies will have to determine where it will be "practical" to move forward.

Johnson stated that by questioning the idea of a central appropriations fund for e-government, Congress is not calling the initiatives into question but just wants them funded from the federal government's broader $60 billion information technology budget. He said OMB will do that if necessary and already has done so to a limited extent this year.

"If Congress doesn't fund it, then the beat goes on," he said, adding that Congress opposes the idea of a central fund because OMB "hasn't been effective enough in communicating the idea."
*******************************