Clips October 2-3, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx;
- Subject: Clips October 2-3, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Fri, 03 Oct 2003 14:19:26 -0400
Clips October 2-3, 2003
ARTICLES
Internet Security Is Getting Worse, Symantec Says
DHS cyber division taking shape, despite concerns about waning
influence
Report Faults Air Cargo Security
Global music sales slide 11 percent in first half: report
Four plead guilty in national software piracy case
DHS takes over visas from State
Congress keeps DOD tech spending flat
OPM personnel record database goes live
FBI probes bogus bureau site used in scam
Tech officials troubled by lack of skilled federal IT managers
OMB directs agencies to increase privacy protections
*******************************
Tech Web
Internet Security Is Getting Worse, Symantec Says
Thu Oct 2, 3:35 AM ET
Charlene O'Hanlon, CRN
Symantec today released its semiannual Internet Security Threat Report,
and the results were not pretty.
In the past six months, web application vulnerabilities increased 12
percent, malicious codes were up 20 percent, and worms and viruses
increased 19 percent, according to the report.
To make things worse, the speeds of infection are increasing. The Slammer
virus infected systems in about an hour, said Oliver Friedrichs, senior
manager for development at Symantec Security Response. He said attackers
now have years of knowledge behind them so what used to take days to
propagate now takes a matter of hours.
The report also noted a dramatic increase in instant-messaging- and
peer-to-peer-based threats. "Of the top 50 malicious codes, 19 were
using instant messaging and peer-to-peer to populate the threat," he said.
In addition, the number of blended threats, which use different
combinations of malicious code to begin, transmit and spread attacks, is
on the rise. "The nature of blended threats means that once a code
is in a network, it can spread using other methods," Friedrichs
said.
The report also noted an increase in the number of malicious codes that
install "back doors" into a company's network. "This is a
gradual increase, but it may become more common as attackers realize how
successful it can be," Friedrichs said.
The Internet Security Threat Report is released every six months and is
culled from information Symantec gathers from its DeepSight Threat
Management System and its Managed Security Service , as well as data from
security vendors and end users.
*******************************
Computerworld
DHS cyber division taking shape, despite concerns about waning
influence
Amit Yoran will take the helm later this month
Story by Dan Verton
OCTOBER 01, 2003 ( COMPUTERWORLD ) - ANN ARBOR, Mich. -- A principal
adviser to the new head of the Department of Homeland Security's National
Cyber Security Division (NCSD) has reiterated that the division and its
industry outreach program remain key players at the DHS and that it has a
direct line to senior officials, including Secretary of Homeland Security
Tom Ridge and President Bush.
Speaking here at the Digital Security Conference, Sallie McDonald, the
DHS's senior executive responsible for outreach and awareness efforts,
said yesterday that the NCSD "is properly placed within the
department" and has been described by Ridge as part of the
"heartbeat of the agency."
The conference was sponsored by Washtenaw Community College and the Walsh
College Information Assurance Center.
McDonald's comments follow recurring criticism from experts and former
administration officials who fear that the current cybersecurity
leadership has been buried too deep within the DHS bureaucracy to be
effective. Critics fear that the agency may have lost some of its
influence with the departure this year of Richard Clarke, the former
chairman of the President's Critical Infrastructure Protection Board and
the nation's first de facto cybersecurity czar.
Those critics, including Clarke, have said repeatedly that not having the
ear of the president or Ridge could spell the loss of momentum on the
public/private cybersecurity partnership agenda.
A spokesman for the DHS said Amit Yoran, whose last day of official
employment at Symantec Corp. was yesterday, will take the helm at the
NCSD during the last week of this month (see story). McDonald praised
Yoran, calling him the right person for the right job at the right time.
McDonald said the NCSD is now focused on reducing vulnerabilities
throughout the nation's critical infrastructures, establishing a national
response center at the newly formed US-CERT at Carnegie Mellon University
(see story), and developing a cybersecurity outreach program targeted at
small businesses and home users as well as large companies.
The NCSD is also taking the lead on a cybersituation awareness project
that can conduct near-real-time analysis of incident data nationwide,
said McDonald. The division is currently working with SRI International,
Symantec and Computer Associates International Inc. to develop an
automated capability that would enable data to be shared immediately with
various private-sector-run Information Sharing and Analysis Centers. The
research and development effort includes plans to build a nonproprietary
system that would allow any organization in the nation, regardless of IT
infrastructure, to feed data into the incident analysis system.
"We will be deploying this in the federal sector starting at the
US-CERT first so we can see in real time what is happening across the
nation," McDonald said.
She also hinted at a series of "big announcements" the DHS may
make in the next few months regarding its work with Internet service
providers on possibly offering users free firewalls. That move would be
part of an effort to simplify the security procedures for small
businesses that don't have large corporate IT staffs.
*******************************
Washington Post
Report Faults Air Cargo Security
Study Recommends U.S. Screen Packages, Identify Shippers
By Sara Kehaulani Goo and Keith L. Alexander
Thursday, October 2, 2003; Page E01
The government is undertaking inadequate measures to prevent terrorists
from planting a bomb in the cargo holds of passenger aircraft, according
to many pilots, flight attendants, families of victims of terrorist
attacks, and one major European airline.
The warning was raised by dissenters in a report issued yesterday by the
Aviation Security Advisory Committee, a coalition of aviation groups
dominated by the airline and air cargo industries.
The study's key recommendation urged the government to develop ways to
better verify the identities of shippers and ensure that they are not on
watch lists of known terrorists. The report also proposed that the
government allow cargo from unknown recipients to fly on passenger planes
if it is screened.
But those proposals weren't enough for many groups, which urged the
government to physically inspect all air cargo before it reaches the
belly of aircraft, perhaps by deploying screening technology similar to
what is used for checked luggage.
The report's recommendations "will not offer substantial improved
security on passenger planes" because they fall "short of 100
percent actual inspection," Victims of Pan Am Flight 103 wrote in
the study. The report was not made public, but a copy was obtained by The
Washington Post.
Cargo security has reentered the spotlight after a man shipped himself
from New York to Texas in the belly of an aircraft last month. The
incident underscored what government investigators have long known:
Despite billions of dollars spent to screen checked luggage aboard an
aircraft, air cargo on the same plane is often never inspected.
The airlines, still financially strapped, have lobbied hard against using
machines to screen cargo, fearing that a slowdown in processing packages
could push customers to cargo-only carriers such as FedEx and United
Parcel Service. Cargo accounts for only about 5 percent of airlines'
annual revenue, but any drop-off could push a small profit to a loss,
according to the Air Transport Association, the U.S. airlines' largest
lobbying group.
No recent incident involving a terrorist explosive in a cargo hold has
been confirmed. But the Transportation Security Administration has
estimated it is 35 to 65 percent likely that terrorists are planning to
put a bomb in cargo on a passenger plane, according to an internal
government report citing intelligence from 2001.
The TSA plans to spend $85 million on air cargo security this year and
said it will focus more of its attention on the issue now that it has
made improvements in passenger and luggage security.
Rep. Edward J. Markey (D-Mass.) vowed to reintroduce legislation early
next year to require all cargo on passenger planes to be electronically
screened for explosives.
Markey blamed the airline and cargo industries and Republican
congressional leaders for his recent amendment's failure to be included
in a spending bill the president signed yesterday.
"We are going to continue to find ways of dramatizing how vast this
loophole is in air-passenger safety," he said.
Current technology is too slow, difficult to adapt and untested to
immediately begin screening all air cargo for explosives, technology
companies, government officials and government reports said.
InVision Technologies Inc., one of two companies that produce
luggage-screening machines that can detect explosives, said that 75
percent of all air cargo could be screened using its luggage equipment
but that the remaining cargo is too large for existing
machines.
"What is not understood well is the challenge of logistics,"
said David M. Pillor, a senior vice president of InVision. "We have
little experience on the back side of it."
Concerns include "the timing of the cargo arriving to the facility,
staffing issues and how many machines would be needed and where should
they be," Pillor said.
InVision's competitor, L-3 Communications Holdings Inc., said it plans to
test its machines at a U.S. airport soon, but an executive there said it
is likely to take three to five years to get equipment tested and
certified by the TSA to sell to airports or the government.
Joseph S. Paresi, president of L-3's security and detection systems unit,
said the company is moving ahead with testing rather than waiting for the
TSA for directions.
The TSA said it needs to strike a balance between security and the free
flow of commerce. The agency said yesterday that it plans to propose
rules for airlines and air cargo businesses by the end of this year and
that it will rely on yesterday's report for suggestions about the new
rules.
The TSA does not require physical screening of all shipments on passenger
planes because cargo is "a significant revenue base for the
passenger carriers," said Elaine Dezenski, director of the agency's
maritime, land and cargo policy.
Nearly 30 percent of air cargo is shipped aboard passenger planes,
according to the Air Transport Association. Last year, $3.4 billion of
the carriers' total $85 billion in revenue came from cargo.
Still, cargo represents only a small portion of the carriers' revenue.
Last year, cargo accounted for 2 percent of US Airways' revenue, 3.5
percent of American's revenue and 5 percent of revenue at United
Airlines, which filed for bankruptcy last December.
"It's entirely possible that if you take the revenue from cargo out
of the mix, you will have some [airlines] that are in Chapter 11 and it's
going to make it seriously more difficult for them to come out,"
said James C. May, president and chief executive of the Air Transport
Association. "For those that are outside of Chapter 11, it could put
them awfully close to the edge."
As U.S. airlines strive to protect their bottom lines by fighting
stringent cargo security measures, British Airways agreed with the call
for tighter screening. In a dissenting opinion in the report, the carrier
said the efforts to verify the identities of shippers "would not
deter terrorist organizations from seeking" to deceive the system.
*******************************
Associated French Press
Global music sales slide 11 percent in first half: report
Wed Oct 1,11:58 AM ET
LONDON (AFP) - Global sales of recorded music such as CDs slumped by
about 11 percent in both value and units in the first half of 2003, hit
by rising piracy and illegal downloads from the Internet, an industry
body said.
Sales of all audio and music video formats were worth 12.7 billion
dollars (10.9 million euros) in the first six months of the year,
compared with 14.3 billion dollars in the same period of 2002, the
International Federation of the Phonographic Industry said in its interim
report.
Germany, Japan, the United States and Canada have been particularly hard
hit by piracy, seeing the numbers of unauthorised downloads of tracks and
copied CDs reach or exceed the levels of legitimate track and CD album
sales.
"Despite some healthy signs that a legitimate online music business
is now taking hold, the music industry continues to suffer from the
unauthorised file-sharing and commercial piracy," said the
federation's chairman, Jay Berman.
"We are responding to this decisively, however: on the physical
piracy front, seizures of discs rose four-fold last year; on the Internet
piracy front, the US industry is leading a highly effective global public
awareness drive on the legal risks of file-sharing; and on the new
business front, a marked change in the landscape is visible as a number
of legitimate online music sites take hold."
One bright spot was sales of digital versatile disc (DVD) music videos,
which grew by 46 percent by volume and 55 percent by value in the first
half, taking a five percent share of global music sales.
The format has proved a big hit with movie watchers and the music
industry is hoping to cash in on its popularity to boost flagging
revenues.
At the same time the music giants are battling to win a share of the
online music market, having initially opposed all forms of online music
downloads.
There was a marked increase in the availability of legitimate online
music in the first half of this year, with 300,000 tracks now on offer
online, the report said.
Europe now has more than 30 sites offering legitimate online music either
by pay-per-download or subscription, it said.
The London-based federation comprises a membership of more than 1,500
record companies, including independents and majors, in over 70
countries.
*******************************
Washington Post
Hackers to Face Tougher Sentences
By Brian Krebs
Thursday, October 2, 2003; 4:24 PM
Convicted hackers and virus writers soon will face significantly harsher
penalties under new guidelines that dictate how the government punishes
computer crimes.
Starting in November, federal judges will begin handing out the expanded
penalties, which were developed by the U.S. Sentencing Commission.
Congress ordered the changes last year, saying that sentences for
convicted computer criminals should reflect the seriousness of their
crimes.
"The increases in penalties are a reflection of the fact that these
offenses are not just fun and games, that there are real world
consequences for potentially devastating computer hacking and virus
cases," said John G. Malcolm, deputy assistant attorney general and
head of the U.S. Justice Department's computer crimes section. "Thus
far, the penalties have not been commensurate with the harm that these
hacking cases have caused to real victims."
There are multiple factors that a judge depends on to determine whether
to send someone to prison and for how long, but most maximum prison
sentences handed down for computer crime range from one year to 10 years.
Hackers whose exploits result in injury or death -- if they disable
emergency response networks or destroy electronic medical records, for
example -- face 20 years to life in prison.
Hackers will face up to a 25 percent increase in their sentences if they
hijack e-mail accounts or steal personal data -- including financial and
medical records and digital photographs. Convicted virus and worm authors
face a 50 percent increase.
Sentences also will increase by 50 percent for hackers who share stolen
personal data with anyone. The sentences will double if the information
is posted on the Internet. More than half of the sentences handed out
under federal computer crime laws would be lengthened by this change
alone, according to a Sentencing Commission report released in
April.
Jail time also will double for hackers who break into government and
military computers or networks tied to the power grid or
telecommunications network.
Hackers who electronically break into bank accounts can be sentenced
based on how much money is in the account, even if they don't take any of
it. Under the new guidelines, however, judges can tack on a 50 percent
increase to the sentence if the hacker did steal money.
Prosecutors traditionally had to show that computer criminals caused at
least $5,000 in actual losses to win a conviction. The new guidelines let
victims tally financial loss based on the costs of restoring data, fixing
security holes, conducting damage assessments and lost revenue.
"Some computer crimes are more serious than others, and these new
guidelines reflect that critical infrastructures need to be protected and
that invasions of privacy need to be treated as seriously as invasions of
our pocketbooks," said Mark Rasch, former director of the Justice
Department's computer crimes division and chief security counsel for
Solutionary Inc., an Internet security company in Tysons Corner,
Va.
Kevin Mitnick, a well known former hacker who spent almost six years in
prison, said he doubts the increased penalties would deter
hackers.
"The person who's carrying out the act doesn't think about the
consequences, and certainly doesn't think they're going to get
caught," Mitnick said. "I really can't see people researching
what the penalties are before they do something."
The new guidelines will not apply to sentences handed out or prosecutions
underway before Nov. 1. This includes the high-profile case of Adrian
Lamo, the 22-year-old computer hacker who stands accused of infiltrating
and damaging the New York Times Co.'s source list and computer
network.
In addition, the guidelines generally will not apply to juveniles, who
normally are charged in state courts. In one notable exception, the
government last week charged a North Carolina youth as an adult for
releasing a version of the Blaster worm.
Most computer criminals are well educated, have little or no criminal
history, commit their crimes on the job and often are seeking financial
gain, according to Sentencing Commission documents. Of the 116 federal
computer crime convictions in 2001 and 2002, about half involved
disgruntled workers who used their knowledge to steal from or to
discredit their former employers.
Jennifer Granick, an attorney who represents one of those criminals, said
that they are unfairly singled out for tougher sentences than other
white-collar perpetrators.
"In most cases, the use of a computer is the trigger for prosecution
or for greater sentencing, because so many upward adjustments apply once
a computer is involved in the case," said Granick, director of
Stanford Law School's Center for Internet and Society.
Her client is Bret McDanel, a 30-year-old California man sentenced in
March to 16 months in prison for revealing sensitive security information
about his former employer's computer network. Federal prosecutors said
McDanel, who worked as a computer security staffer for the now-defunct
Tornado Development Inc., sent the information to Tornado's 5,000
customers in September 2000, crashing the company's server.
McDanel would have faced two years in jail under the new sentencing
guidelines, said Granick, who argued that it is difficult to place a real
dollar loss on computer crimes so judges typically impose harsher
sentences than necessary.
Granick also said prosecutors could manipulate the damage amount to
appear much larger than it really is, giving the government an advantage
in plea bargaining.
Malcolm, the Justice Department's computer crimes chief, said that the
department does not give prosecutors suggestions on determining damage
amounts, and that prosecutors pursue plea bargain negotiations on a
case-by-case basis.
Internet security expert Rasch said that the number of computer-related
prosecutions could rise as federal prosecutors try to tie them into
otherwise unrelated crimes. He said this is especially possible in light
of a recent memo from Attorney General John Ashcroft urging prosecutors
to seek more convictions and stronger sentences based on the most serious
charges they can find.
"We could soon end up seeing a greater number of ordinary crimes
prosecuted as computer crime in an effort to get more leverage for a
plea, just because somehow, somewhere there's a computer involved,"
Rasch said.
Malcolm said this is unlikely.
"In your run-of-the-mill cases where the computer is only a
tangential part of the crime, there are not going to be significant
enhancements," he said.
If there is an increase, he added, it is because "whether they're
drug dealers, embezzlers, hackers or software pirates... people who
commit crimes use computers more than they used to."
*******************************
USA Today
Four plead guilty in national software piracy case
By John Christoffersen, Associated Press
NEW HAVEN, Conn. Four men have pleaded guilty for their roles in an
online piracy ring that illegally distributed tens of thousands of
copyrighted materials through the Internet, authorities said.
Federal prosecutors said Thursday the guilty pleas are part of a national
probe into pirated video games, movies, music files and computer
software. Some of the file servers were located at the State University
of New York at Albany, authorities said.
The investigation is continuing, and authorities say they expect to
charge others in the scheme.
"The magnitude of this problem is serious and can't be
underestimated," U.S. Attorney Kevin O'Connor said. "Stealing
the intellectual property of others is no different from any other form
of thievery."
The defendants, three from New York and one from Washington
state, pleaded guilty this week in New Haven to federal counts of
conspiracy to commit criminal copyright infringement.
Prosecutors said three of the defendants were actively involved in the
"warez" scene, in which copyright-protected material is
"cracked" and made available illegally through the Internet.
They face up to five years in prison if convicted.
The fourth defendant helped maintain the SUNY-Albany servers, and if
convicted faces a one-year maximum sentence.
The prosecutions stem from Operation Safehaven, a 15-month investigation
that in April resulted in the seizure of thousands of pirated CDs and
DVDs and dozens of computers and servers.
*******************************
Computerworld
ID theft undermining integrated terror watch lists
Interest in national ID cards could be on the rebound
Story by Dan Verton
OCTOBER 02, 2003 ( COMPUTERWORLD ) - Despite the government's recent
efforts to integrate dozens of terrorist watch list databases (see
story), terrorists may still be slipping through major cracks in homeland
defenses by stealing identities and using computers to create fraudulent
travel documents, officials told Congress yesterday.
Testifying before the House Select Committee on Homeland Security, Ronald
D. Malfi, director of the General Accounting Office's Office of Special
Investigations, said that during the past three years, his staff has
successfully created fraudulent identities and documents on home
computers that allowed officials to do everything from entering the U.S.
from foreign countries to buying firearms and gaining unfettered access
to government buildings.
"We created fictitious identities and counterfeit identification
documents, such as driver's licenses, birth certificates, and Social
Security cards ... using inexpensive computer software and hardware that
are readily available to any purchaser," said Malfi. "In March
2002, we breached the security of four federal office buildings in the
Atlanta area using counterfeit law enforcement credentials to obtain
genuine building passes, which we then counterfeited."
"It's relatively easy for a terrorist to pose as someone else,"
said Rep. Robert Andrews (D-N.J.). "And the impact is that the
integrated terrorist watch list and other databases that the [DHS] is
sharing with other agencies is ineffective if we're not identifying
[people]."
Delegate Eleanor Holmes Norton (D-District of Columbia), a
self-proclaimed "card-carrying civil libertarian," said the
nature of the vulnerabilities has led her and others to rethink the issue
of national ID cards.
However, Keith Kiser, chairman of the American Association of Motor
Vehicle Administrators, said a national ID card is not needed and would
probably require additional IT infrastructure currently not in place.
Instead, Kiser argued that the IT infrastructure used throughout state
motor vehicle departments to verify identities and issue valid driver's
licenses should be enhanced and standardized.
Rep. Peter DeFazio (D-Ore.) asked biting questions of experts from the
Department of Homeland Security (DHS) and the FBI about why retail
workers at many U.S. airports are allowed to enter secure areas of the
airport without having to pass the same security screening checkpoints
that pilots and passengers must go through. In addition, the only
security precautions taken to ensure that those workers are who they say
they are is a basic name and Social Security number check, often done
using driver's licenses that may or may not have been obtained legally,
said DeFazio.
"Today, several hundred thousand people, who we don't know if they
are the person they said they are, will file into secure areas of
airports in the U.S. without even walking through [security] and without
putting what they are carrying on a [scanner]," said DeFazio.
"It's clearly a weakness in the system," said Stewart Verdery,
assistant secretary for Border and Transportation Security Policy at the
DHS. "But it's one of many caused by the weaknesses in the driver's
license system."
Lawmakers and federal homeland security experts argued in favor of wider
deployment of biometric technologies and standardization of driver's
licenses throughout the country. Currently, 21 states don't require proof
of legal residence to get a driver's license. In addition, there are 240
variations of driver's licenses used throughout the 50 states. California
and New Mexico also issue valid driver's licenses to noncitizens, and
Arizona is debating the issue.
"As long as the government is relying on paper documents, it is
problematic," said John Pistole, assistant director of
counterterrorism at the FBI. "That's where biometrics come in."
Verdery went on to outline plans by the DHS to eventually ensure that all
foreign travel documents issued to foreign visitors from overseas include
biometric identifiers. To the extreme dissatisfaction of many lawmakers,
however, Verdery was unable to answer questions about DHS policy
regarding screening procedures for employees of airport retail shops as
well as the threat arising from the inability of border-crossing agents
to verify the authenticity of driver's licenses. Such licenses remain one
of the key identification documents used by most people -- including
potential illegal aliens -- to enter the U.S. from Canada and Mexico.
"I think the states have failed to listen ... and have failed to
learn the lessons of 9/11," said Joseph Carico, chief deputy
attorney general for the commonwealth of Virginia.
"It is my assumption that biometric technologies have progressed to
the point where at least in most cases it would solve the problem"
now faced by the integrated terrorist watch list, said Andrews. He asked
if anyone disagreed with the basic assumption that biometric technologies
should be used in all driver's licenses and major travel documents, and
only Kiser from the AMVA dissented.
"I don't disagree that a biometric identifier is a great place to be
and we should be trying to get there," said Kiser. "But we
[conducted] a two-year study of biometrics and our conclusion at this
point is that although biometrics work great on a one-to-one match, it's
awfully hard to find a technology that works on a one-to-300 million
match, which is what we really need to [have] to have an effective
biometric identifier."
*******************************
Federal Computer Week
DHS takes over visas from State
BY Judi Hasson
Sep. 30, 2003
As if Homeland Security Department officials didn't have enough work to
do, they were assigned another job Tuesday: overseeing visa
applications around the world.
Although the State Department will continue to have a major role in
dispensing visas, DHS will have a new responsibility to oversee visa
applications and determine if an applicant should have a personal
interview.
In its new role mandated by Congress, DHS will control visa policy, have
final say over State decisions and make sure security requirements are
carried out. State will continue to control certain visa decisions that
impact foreign policy, such as deciding who can have a visa to travel to
the United Nations for diplomatic reasons.
DHS agents already have been to Saudi Arabia to review every visa
applicant. All 19 of the Sept. 11, 2001, hijackers obtained U.S. visas in
that Middle Eastern country, in some cases without having personal
interviews with U.S. embassy personnel.
"In a post [Sept. 11, 2001] world, visa issuance must be a border
security job," said Sen. Saxby Chambliss (R-Ga.), chairman of the
Senate Judiciary Committee's Immigration and Border Security
Subcommittee, which held a hearing today on the new policy.
Asa Hutchinson, undersecretary for the DHS Border and Transportation
Security Directorate, testified before the panel that the joint State-DHS
partnership would help secure the border from "external threats
while ensuring that our doors remain open to legitimate
travel."
"We view the visa process as the 'forward-based defense' of the
United States against terrorists and criminals who seek to enter the
United States with the intention to do harm," Hutchinson
said.
U.S. visa policy has hit other snags. State officials decided to delay
for a year the requirement for machine-readable passports for 26
countries whose citizens are free to travel to the United States without
a visa. Visa waiver countries argued they did not have enough time to
issue the new documents.
*******************************
Federal Computer Week
Congress keeps DOD tech spending flat
BY Frank Tiboni and Matthew French
Sept. 29, 2003
Concerned about the Pentagon's oversight of technology spending, the
House and Senate agreed last week to cut $200 million from the Defense
Department's proposed budget for information technology in fiscal
2004.
The bill would also prohibit DOD from rolling out the Bush
administration's controversial competitive sourcing provisions,
which White House officials have threatened would draw a veto when
included in other spending bills.
The roughly $27.7 billion that DOD will receive this year for IT equals
the amount appropriated for fiscal 2003.
In February, DOD officials requested an IT budget of about $27.9 billion.
Lawmakers initially balked at the figure, saying the department had
little control over its IT funds, and recommended deep cuts.
But the cut was not as harsh as it could have been. The House sought a
$321 million reduction in July, saying the department had little
accountability for how it spent information technology dollars.
The $200 million reduction covered operations and maintenance of IT
accounts across DOD. The cuts include:
* Army: $40 million.
* Navy: $60 million.
* Air Force: $60 million.
* Departmentwide: $40 million.
Congress wants DOD and the services to inventory legacy systems before
building new ones so they do not duplicate them, said Dan Heinemeier,
president of the Government Electronics and IT Association, an industry
lobby group based in Arlington, Va.
"We think there was miscommunication, but it causes uncertainty and
could lead to program delays," Heinemeier said.
A House and Senate conference committee announced Sept. 18 the $368.2
billion 2004 Defense appropriations bill, a $3.8 billion increase from
fiscal 2003. The bill passed the House on Sept. 24 by a vote of 407-15,
and the Senate a day later by a vote of 95-0.
The committee appropriated DOD research, development, tests and
evaluations $65.2 billion, a $7 billion increase from fiscal 2003. The
research and development funding breakdown consisted of:
* Army: $10.3 billion.
* Navy: $15.1 billion.
* Air Force: $20.5 billion.
* Departmentwide: $18.9 billion.
The House and Senate also earmarked $305 million for operational tests
and evaluations, which includes joint development among the
services.
Key DOD and service IT programs fared well, despite the $200 million cut
to their operations and maintenance accounts.
Among those projects:
* DOD's Defense Integrated Military Resource System received $5 million
less than requested.
* The controversial Terrorism Information program was
cancelled.
* The Army's Future Combat System received the requested $1.7
billion.
*******************************
Government Computer News
OPM personnel record database goes live
By Jason Miller
GCN Staff
Four agencies are testing the new data repository and work force analysis
tools the Office of Personnel Management launched this week under the
Enterprise Human Resources Integration e-government project.
OPM is the managing partner for the initiative, one of five the agency is
leading.
Rhonda Diaz, EHRI project manager, said the departments of Interior,
Homeland Security and Treasury, and OPM are analyzing their work force
data from the last eight years to spot trends and possible shortfalls.
The agencies also are testing the official electronic personnel record,
which will replace paper files.
"With the data repository, it is more than a proof of concept," Diaz
said. "We aggregated data, and agencies can take a purely statistical
look at their work force."
OPM also added a new analysis tool to go with the Workforce Analysis
Support System and the Civilian Forecasting System it already modified
for the project, Diaz said. Project leaders added business intelligence
software from Business Objects Inc. of San Jose, Calif., she said.
The Business Objects tool will let agencies run queries on retirement
eligibility and employee demographics, Diaz said.
"We are rolling out these tools slowly to make sure they have the
functionality the agencies need," Diaz said.
OPM plans to add other agencies by February and begin collecting
personnel and payroll data in the repository biweekly, Diaz said.
Currently, agencies send OPM personnel data each quarter, which makes
accurate forecasting and analysis difficult, she said.
The official electronic employee record is more of a test than a
functional application, Diaz said. The four agencies are evaluating the
electronic form to make sure the data is loaded correctly, that it
contains all necessary information and that it works properly in the
system, she added.
"The personnel file and the data repository will help us send personnel
data between agencies," Diaz said. "Right now, we have to send a paper
file, and that takes a lot of time. This will streamline the personnel
process."
*******************************
Government Computer News
FBI probes bogus bureau site used in scam
By Wilson P. Dizard III
The FBI yesterday launched an investigation of a Web site, since removed
from the Internet, that masqueraded as a federal bureau site and sought
to lure consumers to submit private financial information in a fraud
technique known as "phishing."
The site displayed the FBI seal and U.S. flag, as well as the layout of
the FBI site, surrounding text that referred to the "ministry of
protection of the confidential information," which purportedly was
investigating a credit card swindle. It said, in stilted language, "The
Ministry of Finance and the government urgently have decided to collect
the information on the disappeared cards and to block cards in the
shortest term, differently the economy of America and the owners of the
cards will have big losses."
The site urged users to enter their debit or credit card numbers and
PINs, as well as their approximate account balances.
An e-mail appearing to be from the FBI drove Internet users to the FBI's
site and then redirected them to the bogus site.
FBI spokesman Paul Bresson said, "We are investigating it. It falls right
in line with other phishing schemes; many of them direct you to what
appear to be commercial sites. This is the first time the FBI site has
been used as a lure."
Bresson said the FBI had been "able to narrow down where it might be
coming from" but that additional investigative work was necessary.
Computer security consultant Richard M. Smith in Brookline, Mass., who
operates a site called computerbytesman.com, said that the bogus site was
hosted by a company called Sago Networks in Tampa, Fla. He added that the
"perp appears to be Russian."
"I found it amusing because the graphics were good, but the language was
atrocious," Smith said. "These phishing scams are everywhere," he said.
"This phishing scam was clever in that it used the FBI name to try to
make it look legit, but I don't think anyone would fall for it."
Smith explained that phishing scams use e-mails written in HTML. "For a
link you display any text you want," he said. "Behind the legitimate text
is a misleading HTML link."
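The mismatch Smith describes, visible link text that names one host while the href points somewhere else, is mechanically checkable on the HTML body of an e-mail. The following is an added example written for this page, not code from the article, the FBI or Mr. Smith; the sample message, the hostnames (192.0.2.10, fbi.gov.example.net) and the function names are constructed for illustration. It walks every anchor with Python's standard-library HTML parser, recovers the text a recipient would see, and reports anchors whose displayed host differs from the link's actual host or whose link resolves to a bare IP address.

```python
"""Flag "display one thing, link to another" anchors in an HTML e-mail.

Added example (not the article's code). Constructed sample input below.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something a reader would take as "where this link goes": an optional
# scheme followed by a dotted hostname.
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
_IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def _host_of_href(href):
    """Lowercase host the href actually targets, or None if it has none."""
    url = href.strip()
    if "://" not in url:
        url = "http://" + url          # bare 'www.example.com/x' style href
    return (urlparse(url).hostname or "").lower() or None


def _host_in_text(text):
    """Host named in the visible link text, or None if the text names none."""
    m = _HOST_RE.search(text)
    return m.group(1).lower() if m else None


def _same_site(shown, target):
    """True if one host is the other or a subdomain of it (www.fbi.gov ~ fbi.gov)."""
    return shown == target or target.endswith("." + shown) or shown.endswith("." + target)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")   # None if the <a> has no href
            self._text = []

    def handle_data(self, data):
        if self._href is not None:                 # text inside an open anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return a list of (visible_text, href, reason) for suspicious anchors."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = _host_of_href(href)
        if target is None:
            continue
        shown = _host_in_text(text)
        if shown and not _same_site(shown, target):
            findings.append((text, href,
                             "displayed host %s but link goes to %s" % (shown, target)))
        elif _IPV4_RE.fullmatch(target):
            findings.append((text, href, "link goes to a raw IP address"))
    return findings


# Constructed sample modelled on the lure described in the article.
SAMPLE_MAIL = """<html><body>
<p>The Ministry of Finance urgently requires verification of your card.</p>
<p>Please visit <a href="http://192.0.2.10/fbi/verify">www.fbi.gov/verify</a>
to continue.</p>
<p>Or use <a href="http://fbi.gov.example.net/login"><b>fbi.gov</b></a>.</p>
<p>Official site: <a href="https://www.fbi.gov/">https://www.fbi.gov/</a></p>
<p>Help: <a href="https://www.fbi.gov/contact">Contact us</a></p>
</body></html>"""

if __name__ == "__main__":
    for text, href, reason in find_deceptive_links(SAMPLE_MAIL):
        print("SUSPICIOUS: [%s] -> %s (%s)" % (text, href, reason))
```

Two of the four anchors are reported: the one whose text reads www.fbi.gov but whose href is a raw IP, and the one whose text reads fbi.gov while the href lands on a look-alike subdomain of another site. Anchors whose text is plain words ("Contact us") are left alone, since there is no displayed host to contradict; a mail gateway would typically feed those to a separate reputation check on the href itself.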
Chris Demain, systems administrator for Sago Networks, said, "We don't
have any comment on that. We are working with the FBI. In all cases of
suspected fraud we work closely with federal and state
authorities."
*******************************
Government Executive
October 1, 2003
Tech officials troubled by lack of skilled federal IT managers
By Amelia Gruber
agruber@xxxxxxxxxxx
When Karen Evans takes over as the Office of Management and Budget's
technology chief this month, she will face a shortage of well-trained
federal IT project managers, according to panelists at a technology forum
Tuesday.
Evans, scheduled to begin her new job as early as next week, will inherit
an IT workforce adept at technological innovation but lacking in business
acumen, according to Dan Chenok, branch chief for information policy and
technology at OMB. The Bush administration is engaged in a major effort
to develop skilled technology managers in-house, he said at a discussion
hosted by the National Press Club.
Building a workforce with both scientific and management expertise should
be one of the "defining concerns" of any CIO, said Scott Hasting, chief
information officer of the Bureau of Immigration and Customs Enforcement,
part of the Homeland Security Department. The government has already made
some progress on recruiting MBAs and others with significant business
experience to head IT initiatives, he said.
But more progress on developing in-house management talent is needed,
according to Kim Nelson, chief information officer for the Environmental
Protection Agency. The EPA has some very able IT managers, she said, but
in general, the state and federal technology workers under her charge are
ill-equipped to handle big-budget projects. As a result, they end up
taking too long to complete work and spend more money than
planned.
Failure to meet deadlines and overspending can in turn influence OMB?s
recommendations for future project funding. When forced to prioritize
among various technology initiatives during the budget process, the
administration favors projects for which managers present a strong
"business case" and demonstrate that they have met previously agreed upon
performance standards, Chenok said.
The Office of Personnel Management is addressing the gap in IT management
skills through its e-learning Web site, one of its five e-government
projects. A section of the site called the "IT Workforce Development
Roadmap? allows technology specialists to assess their level of
management competency, formulate a personal career development plan and
find training courses to help them reach their goals.
Privately run programs also offer management courses for federal
technology experts. For instance, the Council for Excellence in
Government runs a year-long fellows program to prepare mid-managers for
senior executive positions. Fellows can specialize in e-government.
In addition, the e-government bill signed into law last December gives
agency CIOs the option of sending staff members on exchange programs,
where they could temporarily switch positions with private sector
technology managers. This type of "cross-fertilization" would benefit
agencies greatly, George Molaski, president and chief executive officer
of E-Associates LLC, a technology consulting company in Falls Church,
Va., said on Wednesday.
Other issues Evans faces as federal technology chief include information
systems security, privacy concerns and a lack of adequate funding for
some projects, the panelists said. The federal government will also need
to do a better job of coordinating its technology projects with those at
the state and local levels, said panelist Jim Flyzik, a security
consultant and a former senior adviser to Homeland Security Secretary Tom
Ridge.
*******************************
Government Executive
September 30, 2003
OMB directs agencies to increase privacy protections
From National Journal's Technology Daily
The White House Office of Management and Budget on Tuesday ordered
government agencies to significantly increase the protection of citizens'
personal information collected during the course of daily business, a
move hailed by privacy advocates as the most significant privacy guidance
to agencies since the Privacy Act took effect in 1975.
The directive requires federal agencies to conduct "privacy-impact
assessments" before deploying information technology systems that
use or collect personally identifiable information. The directive also
would require agencies to update the assessments whenever new risks arise
and report to OMB annually on their electronic privacy activities.
Under the new directive, visitors to federal Web sites will be informed
of their privacy rights when they are submitting information voluntarily
and be told how to give consent to the use of personal data. Government
sites also must disclose what type of information they are collecting and
for what purpose.
*******************************