Public CIO Magazine February 2010


Published on

Public CIO Magazine, Feburary

To connect and collaborate with other CIOs in government, please see the CIO Innovation Center at

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Public CIO Magazine February 2010

  2. 2. MAKE SURE EVERYTHING OLD IS READY FOR ANYTHING NEW. As you respond to demands for change, how do you prepare your infrastructure to deliver new services? CA software empowers you to manage and secure all of your systems—from the desktop to the mainframe to the cloud. We help your infrastructure work harder and smarter so it’s completely ready for any new challenge. Find out if you are ready! Get your complimentary Architecture Assessment from CA at or call 1-866-836-5234 Copyright © 2009 CA. All rights reserved. Software
  3. 3. F E B R UA R Y / M A R C H 2 0 1 0 CONTENT C O V E R S T O R Y 10 C ov e r P h ot o b y T e r e nce B r own In the Spotlight All eyes are on Los Angeles CTO Randi Levin as city deploys cloud-based e-mail. B y M a t t Wi l l i a m s F E A T U R E S additional offices. Postmaster: Send address change to Government Technology’s Public CIO, 100 Blue Ravine Road Folsom, CA 95630 Copyright 2010 by e.Republic, Inc. All Rights Reserved. Government Technology’s Public CIO (ISSN# 1944-3455) is published bimonthly by e.Republic, Inc. 100 Blue Ravine Road Folsom, CA 95630. Periodicals Postage paid at Folsom, CA and SUBSCRIPTIONS: Subscription inquiries should be directed to Government Technology’s Public CIO, Attn: Circulation Director, 100 Blue Ravine Road Folsom, CA 95630. (916) 932-1300. 16 28 Checkup An Urgent Fire in the Big Sky In massive information technology Montana Gov. Brian Schweitzer talks about his ambitious plans for wind transition, U.S. health-care system has power and growing a new generation less than four years to upgrade disease of scientists and engineers. diagnosis code sets. By Ch ad Vand er Veen B y Rus s el l Ni ch ol s 20 IT Fraud Firewalling 30 Voice The New IT fraud in government can be costly. Here are five ways CIOs can of the CIO Insights from the Global Chief Information prevent and control the problem. Officer Study. By A lyssa G. Martin B y L y nn Rey es 24 Paving the Way Technology is laying the groundwork for health reform. By Greg D eBo r and Ro bert W ah
  4. 4. D E P A R T M E N T S 36 Guest Column Cloud Economics 101 41 CIO Central News, Reviews and Careers By Kev in Merritt 38 CTO Strategies Ready for Your Budget Emergency? 42 Security Adviser Is the Policy Window on By D an Lo h rmann Cyber-Security Closing? B y M ark Weat herf ord 40 Straight Talk Remaining Relevant 43 FastGov Too Many Chiefs, Not Enough Agencies? By Liza Lo wery Massey B y Paul W. Tay l or U P F R O N T 6 Introduction 8 Contributors 2007 MAGAZINE OF THE YEAR 2008 Silver Folio: Editorial Excellence Award The inside pages of this publication are printed on 80 percent de-inked recycled fiber. e ONLINE EXCLUSIVES VIDEO Green Tech: Montana Gov. Brian Schweitzer describes his state’s efforts to become a leader in green technology and alternative energy. NEWS Savings: California’s Office of Technology Services reports savings of $100,000 a month after moving part of a major data center to a more modern facility. BLOG Infrastructure: Michigan CTO Dan Lohrmann takes a look at the technology and security preparations under way for the Winter Olympics in Vancouver. NEWS Cloud Computing: Colorado’s Statewide Internet Portal Authority seeks contract with a private cloud computing company to provide hosted services for state and local governments. [4]
  5. 5. Kids think the place is haunted. You suspect it’s not up to code. Getting building inspectors to places all around town takes serious choreography. Good thing there’s Nextel Direct Connect. It uses GPS to help you track ® and manage your team. Letting you instantly locate and connect, whether they’re inspecting new construction or a creepy old manor. Nextel Direct Connect. Only on the Now Network.™ 1-800-NEXTEL-9 ® BlackBerry® Curve™ 8350i smartphone Direct Connect: Nextel and PowerSource devices operate on the Nextel National Network. Other Terms: “Fastest” claim based on initial call setup time. Coverage not available everywhere. The Nextel National Network reaches over 274 million people. ©2009 Sprint. Sprint and the logo are trademarks of Sprint. Other marks are the property of their respective owners.
  6. 6. [ INTRODUCTION ] Parting Words I n the summer of 2002, campaigns for 36 gubernatorial races were beginning to heat up. The economy was on everybody’s mind in the wake of the dot-com bust that had left a the cover. Mark Forman may not have had the title of national CIO, but he was then-President George W. Bush’s point man for the federal government’s $60 billion IT program. Since the first leadership. Today’s CIO not only must understand the complexities of IT, he or she also must be a great communicator, relationship-builder and management guru in order to survive and thrive. string of bankrupt technology firms issue was published in summer 2003, Despite the relatively low pay and and lingering questions about the we managed to put the next two federal occasional political whiplash that comes Internet’s direction and purpose. We CIOs on the cover — Karen Evans and with the job, not to mention the mind- did the math and realized that a large Vivek Kundra — as well as many state numbing budget constraints, the public number of state CIO positions would and local CIOs. CIO community continues to attract be vacant and rookie governors were When we interviewed Forman for the people who want a challenge and want about to begin new agendas at a time first issue of Public CIO, several of to lead in digital government. That’s when public-sector IT needed guid- our questions focused on the leading a good thing. Unfortunately many are ance and leadership. trend: electronic government. It’s hard also leaving the field, making the need With that as background, e.Republic to believe that just eight years ago e-gov, for new leadership paramount. CEO Dennis McKenna decided to as many eventually truncated the term, I’ve had the pleasure of editing this launch a new publication, called Public was so powerful a topic. And as outdated magazine during its first seven years CIO, dedicated to covering and serving as it now seems, I look back with pride of existence and found the work and the public CIO community. Despite the that we also covered some topics, such people I covered always interesting. acute political situation at the state as change management and enterprise Now it’s time to say farewell as I take level, the goal was to reach the entire IT, that were hardly barn-burner stories up a new position with our newly spectrum of CIOs, from those who back then but continue to resonate as acquired publication: Governing. It’s ran IT for gigantic federal agencies issues worth covering for CIOs. been a pleasure serving our readers, down to modest-sized communities, all Today IT is firmly enmeshed in the and I know that the magazine is now in of whom needed critical information fabric of government and the public the very capable hands of my colleague about managing and leading IT opera- CIO’s role and purpose are more impor- Steve Towns. I hope you continue to tions within government. tant than ever. And just as information enjoy and learn from Public CIO for With that somewhat ambitious technology has changed a fair amount years to come. ¨ mission statement, we chose to put since 2002, so too has the significance the nation’s first federal IT leader on and importance of IT management and [6]
  7. 7. [ CONTRIBUTORS ] Publisher: Jon Fyffe GREG DEBOR is a partner at Computer LYNN REYES is a senior managing consultant in IBM’s Institute EDITORIAL Science Corp.’s Global Health Solutions for Business Value. She has more than 10 years of experience in Editor: Tod Newcombe Practice and manages client relation- industry and as a strategy and change consultant. Associate Editors: Steve Towns ships in New England from CSC’s Emily Montandon Waltham, Mass., office. Chad Vander Veen Chief Copy Editor: Miriam Jones Managing Editor: Karen Stewartson Justice and Public Safety Editor: Jim McKay Features Editor: Andy Opsahl Assistant Editor: Matt Williams Copy Editor: Elaine Pittman DAN LOHRMANN is Michigan’s CTO PAUL W. TAYLOR is the chief content Staff Writer: Hilton Collins and was the state’s first chief informa- officer of e.Republic Inc., publisher of Editorial Assistant: Cortney Towns tion security officer. He has more than Public CIO. He previously was the deputy Contributing Editors: Paul Taylor, Wayne Hanson 23 years of worldwide security experi- CIO of Washington state. ence, and has won numerous awards DESIGN for his leadership in the information Creative Director: Kelly Martinelli security field. Senior Designer: Crystal Hopson Graphic Designer: Michelle Hamm Illustrator: Tom McKeith Production Director: Stephan Widmaier Production Manager: Joei Heart ALYSSA G. MARTIN, certified public STEVE TOWNS is the editor accountant, is the Dallas executive part- Government Technology magazine PUBLISHING ner and the firmwide partner in charge and interim editor of Public CIO. Group Publisher: Don Pearson of the Risk Advisory Services group at VP Bus. Development: Tim Karney Weaver and Tidwell, the largest indepen- EAST dent certified public accounting firm in Regional Sales Directors: Leslie Hunter the Southwest. EAST Shelley Ballard WEST, CENTRAL Account Managers: Melissa Cano EAST Erin Gross LIZA LOWERY MASSEY served as CHAD VANDER VEEN is the WEST, CENTRAL a public-sector IT executive for nearly associate editor of Public CIO Business Development Dir.: Glenn Swenson 20 years, including as CIO of and Government Technology. Bus. Dev. Managers: John Enright Los Angeles. She then established Lisa Doughty The CIO Collaborative to provide public- Kevin May sector research, benchmarking and Exec. Coordinator to Publisher: Julie Murphy consulting services. She also teaches Regional Sales at the University of Nevada, Las Vegas. Administrators: Sabrina Shewmake Christine Childs National Sales Admin.: Jennifer Valdez Dir. of Marketing: Andrea Kleinbardt Dir. of Custom Events: Whitney Sweet KEVIN MERRITT is CEO and founder ROBERT WAH, M.D., is the chief Assoc. Dir. Custom Events: Lana Herrera of Socrata Inc. Merritt focuses on medical officer for Computer Science Custom Events enabling national, state and local Corp. and former deputy national Coordinator: Karin Morgan governments to achieve new levels of coordinator for health IT at the U.S. Dir. of Custom Publications: Stacey Toles transparency and citizen participation Department of Health and Human Custom Publications Writer: Jim Meyers while significantly lowering the costs of Services. Dir. of Web Products serving online data. and Services: Vikki Palazzari Web Services Manager: Peter Simek Custom Web Products Manager: Michelle Mrotek Web Advertising Manager: Julie Dedeaux Web Svcs/Proj. Coordinator: Adam Fowler Subscription Coordinator: Gosia Colosimo TOD NEWCOMBE is the former MARK WEATHERFORD is the editor of Government Technology’s director and chief information security Public CIO. He’s now the editor of officer (CISO) of California’s Office of CORPORATE Governing magazine. Information Security. He previously CEO: Dennis McKenna served as Colorado’s CISO. Executive VP: Don Pearson Executive VP: Cathilea Robinett Executive Editor: Steve Towns CAO: Lisa Bernard CFO: Paul Harney VP of Events: Alan Cox Marketing Dir.: Drew Noel Government Technology’s Public CIO is published by e.Republic Inc. RUSSELL NICHOLS is a staff writer MATT WILLIAMS is an associate editor Copyright 2010 by e.Republic Inc. All rights reserved. Opinions expressed by writers are not necessarily those of the publisher or editors. for Public CIO. He has worked for various of Government Technology magazine. Article submissions should be sent to the attention of the Managing Editor. publications including the Boston Globe, He was formerly a sportswriter for Reprints of all articles in this issue and past issues are available (500 minimum). newspapers, and was a researcher Please direct inquiries to the YGS Group: Attn. Mike Shober at (800) 290-5460 where he served as a city reporter. ext.129 or He received his bachelor’s degree in for Sports Illustrated. Subscription Information: Requests for subscriptions may be directed to Circulation journalism from Florida A&M University. Director by phone or fax to the numbers below. You can also subscribe online at Canada Post Publication Mail Agreement 40048640, undeliverables 27496 Bath Road, Mississauga, Ontario L4T 1L2 © A publication of [8] PRINTED IN THE USA
  8. 8. government technology ® Produced by Just Released: This free resource offers a step-by-step evaluation of your existing IT environment and a clear road map to execute your virtualization strategy. Now: Inefficient infrastructure. Next: Virtualization on. Productivity everywhere. Your Road Map to the Virtual Data Center Legacy data center constraints prohibit the computing speed and agility needed to govern with today’s expectations. The time is right to consider the value of virtualization. This must-read resource identifies the four critical stages of your virtual data center transformation. A best-practices virtualization road map will guide your current IT infrastructure towards greater flexibility and efficiency. Download your FREE copies at: EMC2, EMC, and where information lives are registered trademarks of EMC Corporation. All other trademarks used herein are the property of their respective owners. © 2010 EMC Corporation. All rights reserved. 01/10
  9. 9. BY M AT T W I L L I A M S , A S S O C I AT E E D I TO R IN THE SPOTLIGHT THE HIGH-RISE OFFICES of the Los Angeles Information Technology Agency (ITA), which manages the IT systems used by 30,000 city employees, are a model of corporate efficiency — a floor of cubicles ringed by window-facing rooms. Glass doors define a modest-size waiting room, where a flat-screen plays the city government TV channel on loop. A tall trophy case displays the department’s victo- ALL EYES ARE ON LOS ANGELES CTO RANDI LEVIN ries. An organizational chart shows photos of CTO and ITA General Manager Randi Levin and her executive team. AS CITY DEPLOYS It’s all ordinary enough to make one temporarily forget that the iconic L.A. City Hall building, a tower made famous as a scene-setter in CLOUD-BASED well known motion pictures, is across the street. Believe it or not, this Hollywood reference point is tangentially relevant, at least for Levin. E-MAIL. Whether she likes it or not, Levin has become the star of her own story — partly of her own doing, partly due to forces beyond her control. Levin’s front-and-center introduction to the mainstream world came last year, when she led the ITA on a procurement that will replace the city’s aging e-mail system with a new Web-based enterprise solution. At the core, Levin had two simple goals in mind: improve service and save money. [10]
  11. 11. PHOTO BY TERENCE BROWN When the city picked Google’s productivity tools along like many IT departments, Levin was facing the prospect with its popular e-mail service Gmail, what initially of shrinking budgets due to the recession’s lingering effects. was thought to be a run-of-the-mill IT project quickly The problem would only get worse, she thought. On-premises morphed into something bigger and more complex. The e-mail just wasn’t a cost-effective option anymore, in her mind. decision stoked a period of intense lobbying from L.A.’s So the ITA put together an RFP with the option of a existing e-mail provider (Novell) and Google’s biggest software-as-a-service product or a hosted solution. Levin competitor (Microsoft), rivals who likely saw the city’s said the agency received 10 responses, from the likes of decision to adopt Google’s hosted services as something Google, Microsoft and Yahoo. After mulling over the deci- that could potentially crack the state and local govern- sion with an intradepartmental group of IT managers, last ment market’s inertia when it comes to cloud computing. summer officials chose a proposal that would implement Levin was unexpectedly pressured from within, as L.A. Gmail on more than 30,000 desktops, and later adopt the fire and police officials expressed concern that moving Google Apps productivity suite, which includes calendar, their sensitive data onto Google’s off-site servers could word processing, document collaboration, Web site sup- pose a security problem. Levin said she has since quelled port, video and chat capabilities, data archiving, disaster those concerns and the political pressure. recovery and virus protection. The script, if you will, continues to be written. Los The five-year deal, valued at $17 million, made L.A. the Angeles is now slowly marching toward a full implemen- first government of its scale to choose Gmail for the enter- tation of Gmail for the city work force. If successful, the prise — a somewhat surprising bit of information that project could open the floodgates for other governments made approving the project much more complex. that are awaiting a successful test case before entering the “We were under the assumption that Washington, D.C., cloud computing environment. had already fully implemented Google for its e-mail solu- tion, which it had, but not in the way we’re doing it. But A MISSING DATA POINT we didn’t really know that at the time,” Levin said. Ever since Levin began leading the ITA two and a half It turned out that Washington, D.C., was using Gmail years ago, she repeatedly heard from employees who for disaster recovery and giving employees the option to were dissatisfied with the unreliability of the city’s exist- use it as their primary e-mail. During the decision-mak- ing e-mail system, Novell GroupWise. It had too much ing period, Levin didn’t think L.A. would be the first large downtime, and users were frustrated by the lack of fea- government to fully adopt Gmail. “Nor did we think it was tures and the user experience. The product itself wasn’t going to be as political as it turned out to be,” she added. inherently unreliable, Levin said, but the ITA lacked the That knowledge wouldn’t necessarily have changed the necessary money or manpower for its proper upkeep. And city’s decision, Levin said, but it would have given the city [12]
  12. 12. a heads-up that lobbying and outside interest from the public was coming. The lobbying was “extensive,” said L.A City Council President Eric Garcetti, who presided over the Council’s unanimous vote in October 2009 to adopt the plan. As many as five companies made their presence known in the cor- ridors of City Hall, he said, as misinformation reigned and unfounded rumors flourished. Attempts at deal-making continued until minutes before the Council voted. Levin said those temptations were never a factor. “We tried to maintain a very rigorous [procurement] process, and we really wanted the integrity of the process to stay intact.” LO S A N G E L E S C I T Y CO U N C I L PRESIDENT ERIC GARCETTI CRUNCHING THE NUMBERS, SQUEEZING THE BUDGET P R E S I D E D O V E R T H E O C TO B E R The incessant lobbying spurred troublesome misinfor- 2 0 0 9 CO U N C I L V OT E TO A D O P T mation, particularly about the solution’s cost and security, T H E C LO U D CO M P U T I N G P L A N . FLICKR/ERIC GARCETTI Levin said. The cost and potential savings confused outside observ- ers and elected officials because the ITA wanted to accu- rately reflect the city’s deteriorating economic condition, Levin said. That meant the projections were changed more than once. “It became more and more important to focus on cash the difference between ROI and cash savings, she said. By as opposed to a true ROI [return on investment],” she the time the numbers were made clear, some people inac- explained. This changed the numbers. The ITA had, at dif- curately believed Gmail would be more expensive than the ferent times, estimated savings of $8 million to $30 million. existing solution. Although, in a limited sense, that was “From the cash perspective, we looked at what software true because the city will pay for both GroupWise and and hardware would be removed as we went to a new Gmail for one year as the migration occurs. (Ironically the solution — what wouldn’t we have to buy anymore or pay ITA will offset the added cost by using money from a prior maintenance on.” anti-trust settlement with Microsoft.) Levin felt it was important to do an “apples-to-apples” After a few attempts at numbers crunching, the city esti- comparison. Unfortunately some people didn’t understand mated $5.5 million in hard-cost savings from the Google adoption, and an additional $20 million ‘GEECS’ SQUAD savings in soft costs due to factors like better productivity. The ITA expects appli- Prior to the Gmail pilot, a working group from within the Los Angeles Informa- cations like Google Docs will help reduce tion Technology Agency (ITA) began testing the feel and functionality of the solu- some of the redundant paper pushing that tion. The group — nicknamed “L.A. GEECS,” a.k.a. the Google Enterprise E-mail and plagues bureaucracies, and it hopes some- Collaboration System — isn’t short on work. day to utilize Gmail’s mobile functionality There’s a laundry list of new issues that must be addressed, several of them and ease-of-use to drive further savings unique to government usage on the Google platform. The group must hash out through increased collaboration. how to provide enough customizable options for the city’s 44 departments, Moving the city’s data to Gmail will while still maintaining consistency and control. Tasks include: let the ITA reassign and/or cut nine • Writing policies for when chat and video may be turned on and off, employees who were working internally in order to fulfill e-discovery requirements. on the GroupWise system, Levin said, and • Determining how Freedom of Information Act requests will be handled it will eliminate 92 servers from the city’s through Google’s search and archiving capabilities. data center — a sprawling basement-level • Building in customization so that individual departments may allow facility in the ITA building. Those savings their employees to make cosmetic tweaks, like changing the skin of are significant, she said, because as of the Gmail interface. [13]
  13. 13. mid-November the ITA faced the prospect of losing 60 or migration. Google employees who have access to L.A.’s 70 employees to early retirement, as well as additional cuts data will be certified by the state Department of Justice. to the 800-person ITA organization. Google, for its part, is building a segregated “government “We have servers of every shape, size, brand and year cloud” that will house data owned by public-sector cus- here,” Levin said. “And with diminished staffing, we’re try- tomers, like Los Angeles. The government cloud will be on ing to figure out where’s the best use of our resources, and servers located somewhere within the contiguous 48 states, although L.A. won’t know exactly where its data is — the unknown location is part of Google’s security model. “WE’VE WRITTEN [THE CONTRACT] The government cloud will be up and running “sometime AS IRONCLAD AS WE CAN. WE’VE ALSO in 2010,” according to David Mihalchik, business develop- ment executive for Google federal. Crawford said he’s been WRITTEN INTO THE NONDISCLOSURE told the new cloud will be ready by June, in time for L.A.’s THAT THE DATA BELONGS TO US IN full implementation. The company also is in the process of securing Federal Information Security Management Act PERPETUITY; IT WILL OUTLIVE THE (FISMA) certification. CONTRACT ITSELF.” L.A.’s agreement with Google is written so that it’s clear the city owns the data at all times, Crawford said. “That’s a KEVIN CRAWFORD, DEPUTY CTO, LOS ANGELES very big deal for us. We’ve written [the contract] as ironclad as we can. We’ve also written into the nondisclosure that the we think it’s really more in the applications area — in public data belongs to us in perpetuity; it will outlive the contract safety related to their radio systems and some of their other itself,” he said. That means if the city wants to switch to applications, and also for the other departments’ Web sites another vendor after the contract ends, the city will be able — doing a lot in terms of transparency and getting data out to recall its archived data. Officials also negotiated unlimited to the public, and more self-service.” and liquidated damages in the event that there’s a breach of Google’s servers. SECURITY FEARS, RELIABILITY CONCERNS Crawford said the bottom line is that Google’s security Data security was another contentious issue. The public apparatus is far superior to the ITA’s for the simple fact at large continues to debate the security of cloud comput- that the company has the resources to devote many more ing and hosted services, particularly as it relates to putting people to it. In Google-speak, L.A.’s data will be “sharded,” the public’s data — which may well include addresses, meaning it will be shredded into multiple pieces and stored Social Security numbers and other sensitive information on different hard drives — a security encryption method — on servers in unknown locations that are managed by a the ITA can’t do from its in-house data center. Garcetti too corporation. said he’s comfortable with the security of cloud computing: After some officials from the L.A. police and fire depart- “At the end of the day, I trust Google’s security as much as ments expressed worry that their departments’ sensitive any individual city, town or village to protect themselves data would be vulnerable if stored on off-premise servers, because [Google] is that much more experienced.” the ITA worked hard to ensure that the security parameters Of course, reliability is part of security. Crawford said met California Department of Justice requirements, said Gmail had only about 10 percent of the downtime in 2009 as Kevin Crawford, Levin’s deputy in charge of the Gmail the city’s current e-mail. And if disaster strikes — L.A. sits C O N T I N U E D O N P A G E 37 SELLING THE PLAN According to Los Angeles City Council President Eric Garcetti, there was a valuable lesson to be learned from how L.A. presented its Gmail adoption to the public and internal stakeholders: Address human issues as well as technical concerns. “There was an assumption by some of the IT professionals that this would sell itself or that people would trust them because the IT professional is recommending this,” he said. But IT officials shouldn’t be expected to sell change for an integral system like e-mail, Garcetti said. Instead, they should rely upon public communicators, which include the elected members of the City Council, to make the case. “The stakes are high, and people will be lobbying one way or the other,” he said. “But people have to think it through not just from the technology side, but from the human side.” [14]
  14. 14. CLOUD COMPUTING: FOUR QUESTIONS TO ASK YOUR VENDOR Data location, access and security are crucial to cloud computing contracts. BY STEVE TOWNS, EDITOR AS CLOUD COMPUTING INITIATIVES take hold in government, agencies points that are worthwhile to negotiate. It’s very important to have need to consider the contracting implications of this new technology a vendor that can actually respond to a subpoena. They need to pull model. Managing a relationship where government data could reside only the information relevant to the subpoena and not put other on privately owned computing infrastructure located anywhere in cloud-based information at risk.” the world demands that agencies ask some crucial questions of cloud Also, find out how much your vendor intends to charge for vendors before they close the deal. responding to a FOIA or e-discovery request. “That can be a very big Daren Orzechowski, an intellectual property attorney who special- surprise,” he said. “You may even want to prenegotiate the rate for izes in IT and outsourcing issues, said government agencies need that type of work when you do the initial contract.” answers to four fundamental questions before they choose a cloud computing provider. 3 How secure is my data? Cloud vendors need to satisfy two types of security require- 1 Where is my data? Server virtualization technology allows cloud vendors to opti- mize their use of computing hardware and other IT resources. That ments: physical and logical. Your agency may have specific physical security requirements. Background checks, fingerprinting or drug tests may be required for can cut costs, especially as the volume of cloud computing customers staff working in data centers that house your data. Make sure your grows and vendors achieve economies of scale. But virtualization cloud computing vendor understands and can comply with these also has a downside. rules. Luckily vendors are becoming more accustomed to meeting “Your data could be broken up — or the instance of your appli- these requirements, Orzechowski said. cation could be broken up if it’s a platform provider — so your data Large cloud computing providers also are becoming more trans- and software could be in a lot of different places. In the government parent about their logical security processes, and they’re typically space, I think this is particularly important to have a handle on,” subject to regular security audits and penetration testing. Still, said Orzechowski, a partner in the New York City law firm of White cyber-terrorism and hacking represent the biggest threats to cloud & Case. “On one hand, you have to recognize that the provider gets computing, especially in the government space, Orzechowski said. an economic benefit from being able to break up the data and store “As you have more and more customers going to certain cloud it in different places, or virtualize it. At the same time, depending on providers, and those providers become bigger and are housing more the sensitivity of the data, the government needs to know where that data, they’ll become bigger targets for hackers and terrorists,” he said. information is.” “What will happen the first time there’s a real big hit, especially if there’s Keeping your data within the United States should be a key require- government data housed with that vendor? A terrorist or major hacker ment, he said. attack is a test that in the back of everyone’s mind may be coming.” “When you look at what people’s expectations about their rights are, they come at it with a very American-centric view. In a lot of places that are popular for offshoring — like India and China — your rights may not exactly be what you think they are. So there’s a comfort level 4 How portable is my data? The last point to cover during contract negotiations is what happens when the deal is over. How will you get your data out of one with keeping data within the U.S. borders.” vendor’s cloud and into another, or back into your own data center? “There’s been talk among some of the big players on having data 2 How do I access my data? Cloud computing involves accessing remote applications and data through a client interface, typically a Web browser or perhaps a standards for the cloud space. As a consumer, you probably are very interested in that,” Orzechowski said. “You want to have your data in a form that can easily be ported over to a new vendor. It may not mobile device. Government cloud customers should consider nego- always be in your current vendor’s interest to allow for this because tiating service-level agreements for routine access and system they want to keep you captive.” uptime. The key is to avoid being held hostage, he said. In addition, agencies need to understand how their cloud vendor “This is something to think about when you’re negotiating. What is will help them respond to specialized data requests. the template, what are the data sets and how are the fields defined? “What happens if there is litigation?” Orzechowski said. “What Get a sense of this and understand it,” Orzechowski recommended. happens if there is a subpoena? Or since we’re talking about govern- “From there, negotiate for migration assistance. Find out how the ments, it’s very possible you’ll have a FOIA [Freedom of Information vendor will help you move to someone else, and how much they’ll Act] request. How will the vendor pull this data for you? These are charge to do that.” [15]
  15. 15. FIRE IN THE C H A D VA N D E R V E E N A S S O C I AT E E D I TO R MONTANA GOV. BRIAN SCHWEITZER TALKS ABOUT HIS AMBITIOUS PLANS FOR WIND POWER AND GROWING A NEW GENERATION OF SCIENTISTS AND ENGINEERS. W hat’s the biggest problem with alternative energy? The simplest explanation is that burning coal and oil for electricity generation is supported by existing infrastructure, while clean energy sources like wind and solar aren’t. Specifically alternative energy has In Montana, one of the country’s windiest places, Gov. Brian Schweitzer is trying to solve that transmission and storage challenge by adopting the “build it and they will come” approach. Wind farms are popping up across the state, and Schweitzer believes it’s only a matter of time a built-in hurdle — how do you store solar power when the before the technology follows. sun isn’t shining and how do you transmit wind energy Schweitzer is passionate about transforming Montana when the wind isn’t blowing? into a renewable energy leader. In a recent interview, he Some nascent technologies may provide the answer. But discussed this and other issues important to Montana’s by and large, the storage and transmission technology future, such as the Real ID Act and how to foster a new that would make these energy sources more feasible generation of students who are interested in math, science doesn’t exist. and engineering. [16]
  16. 16. YOU WANT MONTANA TO BE A LEADER IN ALTERNATIVE We do need to add to our transmission capacity, and that’s FUELS AND ENERGY SOURCES. HOW DO YOU MAKE THOSE why Montana leads the entire world in digitally cataloging GOALS A REALITY? our wildlife corridors. So when people are deciding where According to recent studies, Montana has the second-best they’re going to build transmission lines, we already know wind energy resources in the country and some of the best on where the antelope, bears and elk need to move — and we the planet. We have 30 percent of the coal in America — 10 build those transmission lines so that we’ll be able to main- percent of the coal on the planet. We’re increasing our oil pro- tain our quality of life and a transmission system that deliv- duction at the fastest rate in the country. We have many energy ers Montana wind power to California cars. resources that can be cleaner and greener. Whether we’re talking about capturing car- YOU’VE ADVOCATED FOR SYNTHETIC FUELS, bon dioxide from existing coal-fired plants IN ADDITION TO WIND AND OTHER ENERGY or creating new kinds of coal-capturing SOURCES. CAN YOU EXPLAIN WHAT SYN- devices for new kinds of plants, we’re excit- THETIC FUELS ARE AND WHY THEY’RE NOT ed about developing our coal. And we’re A LARGER PART OF THE ENERGY MARKET? excited about developing our wind. I’m most excited about crops that pro- The most important thing is we have duce oil for biodiesel — crops like canola to develop storage technology. We actu- and camelina in Montana, and jatropha in ally have an unlimited supply of energy, the tropics. All told, they could be 5 or 10 whether it be tidal, wind or solar. But the percent of our fuel supply. Ethanol is inter- wind isn’t blowing all the time, and the sun esting because most of the ethanol plants isn’t shining all the time. As consumers, we were built in the Midwest and the fuel was demand electricity when we want it, not corn. Most of the future ethanol plants are just when the sun is shining or the wind is likely to be in the West — and the energy blowing. So that means the most important source will be trees. In Montana, we have technology of our time — and for the next about 3 million acres of dead and dying decade — will be storage technology. trees from a pine beetle kill. These are To give an example, if every car, light great sources of energy that can be used to truck and SUV in America had a battery that could get the make ethanol or some kind of biomass to create electricity. So first 40 miles on a charge before it switched to another source you have trees that are dying and they become a fuel source, of energy, we could eliminate two-thirds of the oil we import. either for a liquid fuel or for an electricity supplier. Those cars exist today. What we don’t have is the resolve to buy those cars and put them on the highways. YOU’VE TALKED ABOUT “CLEAN COAL,” A CONCEPT THAT CAN BE DIFFICULT TO UNDERSTAND. WHAT IS CLEAN COAL? WIND FARMS ARE BOOMING IN MONTANA. BUT ISN’T THE COST The first cleanup of coal was to remove the sulfur, mer- OF BUILDING TRANSMISSION LINES ALWAYS BROUGHT UP AS cury and nitrogen. But more recently, we’re concerned with A REASON NOT TO BUILD THEM? HOW DO YOU OVERCOME the CO2. There’s approximately two tons of CO2 produced THAT OBJECTION? for every ton of coal we burn. Many of us believe CO2 is Part of the solution to transmission is storage. We need to contributing to the greenhouses gases that are contributing build more transmission so we can get the electricity to those to climate change. If we can capture a portion of that CO2 who are using it. But understand — we build transmission immediately, it starts to make coal cleaner. And if we use coal for peak demand. For example, in California at 10 a.m. on gasification — plants that are already built around the world, a Tuesday they have peak demand. But by Friday night at including in our region, that capture 100 percent of that CO2 2 a.m., they’re only using half as much electricity. So if we — and then if that CO2 is pumped back into the earth, either could build a transmission system that had storage on the for enhanced oil recovery or for storage geologically in some other end — so that consumers with batteries in their cars deep saline formations, or even to be made into bricks as a could either be buying electricity in the middle of the night fuel source for making more biodiesel, that means we capture or selling it back into the grid at 10:00 in the morning — we the CO2, sulfur and mercury. And if coal is zero emission, would need less transmission. that’s clean coal. [17]
  17. 17. IS COAL GASIFICATION SIMILAR TO PLASMA GASIFICATION, THE And that’s true of most children. We’d like talented young PROCESS OF USING A PLASMA TORCH TO REDUCE WASTE DOWN people to aspire to designing a ball, not hitting a ball; to TO ITS ELEMENTAL STATE? aspire to creating new sound systems, not playing rock ‘n’ It’s very similar. The traditional way of producing ener- roll guitar. If we can get more of these young people to aspire gy from coal is you ignite the coal; it makes a ball of flame, to be engineers and not journalists, we think we can change which you direct onto a water source. That water becomes the world one scientist at a time. steam, which turns a turbine and generates electricity. With coal gasification — think of a Thermos jug, the kind HOW DO YOU MAINTAIN STUDENTS’ INTEREST IN MATH AND SCIENCE? steel workers used to carry. Now think of a Thermos that’s We pound it in. We continually talk about how cool sci- 150 feet high and 40 feet in diameter. The top comes off, ence is. We have Montana science trading cards. Elementary you dump 30 tons of coal into it, and you screw it back school kids can trade these cards that have cool science facts MONTANA’S JUDITH GAP WIND MONTANA GOV. BRIAN SCHWEITZER FARM, WHICH BEGAN OPERATING SAYS GRADE SCHOOL IS THE TIME IN 2005, GENERATES 135 MEGA- TO INTEREST KIDS IN MATH AND WATTSP T I O EMPLOYS 10 PEOPLE. C A AND N SCIENCE. on. Then you heat it. And with high temperature and high about Montana. You have a governor and first lady who pressure, methane gas — or natural gas — and CO2 actu- continually talk about how cool science is, who continue ally comes off the coal. You separate the CO2, pump it back to give accolades to the best science and math teachers into the earth where it came from, and then that natural — those teachers who bring math and science to life — those gas can run your cars, heat your homes or make electricity. are the people we like to reward. That’s coal gasification 101. It’s a controlled environment so there are no emissions. There is no smokestack with LET’S TALK ABOUT THE ROCKY MOUNTAIN SUPERCOMPUTING this process. CENTERS IN BUTTE. IN WHAT WAYS WOULD YOU LIKE TO LEVERAGE THAT TECHNOLOGY? IS YOUR VISION FOR MONTANA AS A HUB FOR ALTERNATIVE Look at the remarkable geology of Montana: God has ENERGY THE REASON YOU WANT TO GET STUDENTS INTERESTED blessed us with some of the best resources for hydrocarbons. IN TECHNOLOGY, SCIENCE AND MATH INITIATIVES? We have the only platinum and palladium in the Western My wife Nancy and I are scientists, and we want more Hemisphere. We have copper, silver and gold. When you young people to study science and math. She and I were are trying to map the earth’s strata, it’s three-dimensional. talking about the channel that sent us into science: It wasn’t Montana is the size of New York, Pennsylvania, Ohio and in college or even high school; it was fourth or fifth grade. three of those other little states combined, so you have a [18]
  18. 18. large area to map geologically. The supercomputer can help and people who had committed no crime, who were sim- us with that. ply German immigrants or who spoke German, or those It can help us when we are injecting CO2 8,000 to 10,000 who were critical of the war effort were rounded up and feet deep into these geologic structures to geologically put in jail. store it so we can measure the pressure at 10,000 feet, 5,000 This card, simply stated, would have allowed the federal feet, 4,000 feet. It can help us as we attract bioengineering government — in a digital way — to follow every place you to Montana. come and go. When you get on a plane, it would have stored Everybody gets an opportunity to rent a little space on that information forever so that everyone would know where that supercomputer. This isn’t just for scientists working you went, how you got there and how you got home. That in a laboratory, but also for applied research and science isn’t the way you treat free citizens — and in Montana we across Montana. It gives an opportunity to the 950,000 value freedom above anything else. GOV. SCHWEITZER AND FIRST LADY NANCY SCHWEITZER BOTH HAVE BACKGROUNDS IN SCIENCE. GOV. BRIAN SCHWEITZER, SHOWN HERE TOURING A MONTANA COAL MINE, ADVOCATES DEVELOPMENT OF CLEAN COAL TECHNOLOGY. people of Montana to share the supercomputer. Businesses A NEW BILL, PASS ID, IS WORKING ITS WAY THROUGH CONGRESS. large and small can rent a space on that computer and help SOME CALL THIS JUST A REBRANDED OR WATERED-DOWN REAL their business grow. ID ACT. WHAT DO YOU THINK? The devil will be in the details. If Pass ID will allow MONTANA WAS AMONG THE FIRST STATES TO OPENLY OPPOSE Montana residents to cross the border into Canada without AND EVENTUALLY OPT OUT OF PARTICIPATION IN THE REAL a passport, that would be OK. If the federal government has ID ACT. WHY? no capability of collecting digital information of private There are several reasons. They told us the reason every- citizens’ travel or how many times they went to a federal one in America has to carry a card that’s standardized is so courthouse, that would be OK. So we’ll wait and see what that we can stop another 9/11 from occurring. But we know the rules are. If it’s helping citizens through a common iden- that virtually every one of those hijackers and the other tification system without infringing on their civil liberties, terrorists we’ve caught would have qualified to have this we can support that. ¨ so-called Real ID. Second, while the federal government isn’t bad, we know it has abused individual civil rights before. We know that during World War I, it passed the Sedition Act, [19]
  19. 19. Firewalling IT Fraud IT fraud in government can be costly. Here are five ways CIOs can prevent and control the problem. BY ALYSSA G. MARTIN | WEAVER AND TIDWELL A water department cashier extracts residents’ personal information from a database and then sells that data. A municipal court employee improperly accesses the system to alter values for citations issued. Everyday reliance on technology makes it possible for so many fraudulent schemes to unfold. The Computer Security Institute (CSI), an educational organization for information security professionals, conducted its 13th Annual Computer Crime and Security Survey in 2008. The survey found that financial fraud ranked as the costliest type of IT incident, with an average reported cost of $500,000 per incident. In its 2008 Report to the Nation on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners (ACFE), a national society of fraud investigation profession- als, reported that government organizations were the victims in 18 percent of 959 fraud cases its members investigated between February 2006 and January 2008. Technology presents many opportunities for fraud. Fortunately it also offers many capabilities for combating these crimes. In a preventative role, technology enforces defined segregations of duties. It restricts IT access and limits functions individuals may perform. Technology also helps officials more promptly detect and respond to potential inci- dents. The ACFE reports that a typical fraud scheme goes undetected for two years. As a result, much is lost and never recovered. Continuous monitoring technology, however, alerts managers whenever any suspicious IT-related activity occurs, thereby limiting the ensuing damage. [20]
  20. 20. [21]
  21. 21. IT systems deployed in public-sector entities vary monitors provisioning within Windows server systems. immensely, but the following universal concepts aid in AS 400, IBM and other server platforms incorporate simi- addressing and combating technology-related fraud. lar oversight through the distribution of access. When someone attempts to sign on for any IT function, GENERAL FRAUD PREVENTION CONTROLS access is granted or denied, based on the login, password By continually emphasizing the importance of ethical and user provision information in the IT directory. behavior, public officials create an internal culture that values maintaining trust and safeguarding public assets. That culture 2. CHANGE MANAGEMENT sustains all fraud prevention concepts and controls. Public To commit fraud, someone may install unauthorized CIOs can control and prevent IT fraud in the following ways: software or make unapproved changes to an existing net- work component, essentially compromising or disabling 1. LOGICAL SECURITY security settings. How easily can an individual gain unauthorized IT access Sound change management policies must direct any to manipulate or extract data? Logical security measures IT installations or modifications. File integrity agents address that concern. detect all file changes, and not just recent modifica- Firewalls and software for blocking spyware and viruses tions. Regularly comparing those findings to an autho- provide network perimeter security against common rized change log helps administrators more easily detect external attacks. Virtual private networks (VPN) and improper alterations. various whitelist approaches that allow only authorized applications to run on any hardware provide additional 3. DATABASE ADMINISTRATION malware defense. Databases house crucial information that can lead to Within the network, authorization and authentication immense losses when altered or stolen. Database admin- policies that go beyond standard login/password practices istration controls define and enforce individual action, provide greater security for crucial files and applications. object and constraint rights. Passwords and logins should require regularly updated An action includes insert, read, modify or delete alphanumeric and special character combinations that responsibilities. Granting authorization only for work- cannot be easily guessed. required actions could deter a state transportation department’s regional supervisor from inserting a record for a nonexistent vendor. VARIOUS METHODS OF DATA ENCRYPTION ASSURE Object limitations restrict the types of database records THAT CRUCIAL INFORMATION REMAINS IN AN someone can access. With object restrictions, a public hospital administrator, for example, could not access UNUSABLE FORMAT IF ACCESS CONTROLS FAIL. individual patients’ records. Constraint restrictions assign limitations for authorized Personal authentication practices provide an additional actions. Based on assigned constraints, a public utility layer of protection. Authentication measures include chal- employee would face dollar restrictions in crediting a resi- lenge questions, smart cards or portable electronic tokens dent’s account. that store a PIN, digital signatures, fingerprints or other form of unique identification information. That information 4. DATA STORAGE transmits to a desktop PC, laptop or mobile device via a card Where does critical data reside? Is it on a workstation or reader, RFID, USB port or Bluetooth wireless technology. laptop hard drive, a secure or unprotected server, within a User provisions define what IT access rights individu- data warehouse or in an offsite repository? als need to perform work-related duties. Those provisions Data storage considerations must reflect the data’s encompass specific application functions and modules, nature, with more crucial information requiring more and enable organizations to enforce defined segregations secure storage and tighter access restrictions. Police 911 of duties as they relate to IT needs. calls and ambulance response reports should reside on a IT directories maintain employee groupings and IT secure file server in a searchable directory. access levels granted to each individual, based on assigned A register of deeds office may hold thousands of build- user provisions. Microsoft’s Active Directory manages and ing permit files. A secure data warehouse may be the best [22]
  22. 22. location for those records. Data that needs to be archived, Various methods of detecting inappropriate or unexpected such as death certificates from past decades, should reside activity exist. Exception reports identify data anomalies or in an offsite storage repository. Nonpublic information changes to protected data. Data analysis compares data sets that isn’t needed for future purposes should be properly to identify transactions — based on rules — that indicate disposed of to alleviate data security concerns. incongruent or inappropriate activity. 5. DATA ENCRYPTION SEGREGATION OF DUTIES IS A CRUCIAL FRAUD Various methods of data encryption assure that crucial information remains in an unusable format if access con- PREVENTION CONCEPT. A CIO OR CHIEF trols fail. For online transmissions, secure sockets layer INFORMATION SECURITY OFFICER MUST ALIGN (SSL) encryption is commonly used to keep intercepted data from being read. ACCESS RESTRICTIONS WITH SEGREGATED Within the network, data encryption technologies let- WORK ROLES AND RESPONSIBILITIES. managers protect vital information while retaining common file management practices. Data encryption, for example, Newer technologies also incorporate instant detection and secures driver’s license numbers while maintaining the notification capabilities. Database activity monitors (DAM), metadata and existing file system view. for example, continuously oversee all database activity and Such general IT controls provide a first line of defense issue alerts whenever uncommon or improper activity occurs. against fraud and are supplemented by automated detec- Security information and event management (SIEM) sys- tive systems that immediately call out or suspend ques- tems also automatically send notifications whenever unusual tionable IT-related activities. transactions, security infractions or other suspicious activi- ties happen. That SIEM oversight may cover a lone applica- THE POWER OF SEGREGATION tion or numerous programs, as well as other IT components. Segregation of duties is a crucial fraud prevention con- Administrator-defined business rules and standards of cept. A CIO or chief information security officer must normal IT activity determine when DAM or SIEM systems align IT access restrictions with segregated work roles and provide alerts. An alert may occur when someone spends responsibilities. This allows managers to most effectively too much time viewing a read-only file containing stu- deploy application controls and other automated, preventive dents’ Social Security numbers. Managers may also get measures. alerts when the monthly volume of closed traffic citations User provisions provide the foundation for establishing exceeds normal averages, or when a public safety officer’s and enforcing segregation of duties within IT systems. The work shift hours exceed the legally allowed limit. user provision incorporates the least privilege concept, Screenshot files and audit trail features document activity which restricts a person’s IT access rights to components sequences. Some systems also immediately suspend user required for defined, segregated duties. activity whenever suspicious actions unfold. Such imme- IT directories maintain employee groupings and each diate detection eliminates the costly time lags and other individual’s IT granted access levels. When someone logs potential difficulties associated with manually evaluating on to any IT element, access is granted or denied, based on IT logs to detect anomalies or exceptions. login, password and user provision information. In conjunction with the IT directories, user provisions MAINTAINING CONTINUAL VIGILANCE automatically ensure that segregation of duties remains in The public sector faces constant internal change in per- place for all processes requiring IT access. sonnel, processes and the IT systems it uses. Keeping pace with such change and providing optimal fraud protection DAM: GOOD DETECTION requires continual vigilance. Even with the best preventive measures, individuals may Sustaining that vigilance takes money and time, but those still find ways to commit fraud. Preventive IT controls cumulative costs are generally less than the expenses associ- can’t fully protect against collusion. Someone may misuse ated with just one fraud discovery incident. The resources com- granted authorization or share access information, while mitted to preventing and detecting fraud function as a form of another individual may devise means to circumvent pre- insurance, a form of insurance that saves significant potential ventative controls. taxpayer expense and provides immediate peace of mind. ¨ [23]
  24. 24. BY G R E G D E B O R A N D R O B E R T WA H | C S C O ver the next five to seven years, major federal health-care initiatives will offer new and significant industry direc- tion and funding for health IT investment. STATES MUST ACT QUICKLY Providers, the federal government and the states are coming together, in many cases for the first time, as a result of health The American Recovery and Reinvestment Act will pump IT efforts — specifically about health information exchange billions of dollars into health IT through the act’s Health (HIE). The federal Office of the National Coordinator for Information Technology for Electronic and Clinical Health Health Information Technology issued a request for proposals (HITECH) provisions. These provisions offer an estimated in August 2009 for states, territories and nonprofit organiza- $2 billion in seed funding and $45 billion in incentives for tions to participate in the State Health Information Exchange the “meaningful use” Cooperative Agreement Program. All eligible states and ter- of electronic health ritories applied for funds in October 2009 and received pre- WAY records (EHRs), as liminary budget determinations ranging from approximately defined in recent reg- $4 million to $40 million in federal funds over the next four ulations proposed by federal fiscal years (through October 2013). the U.S. Department States will use these funds to plan and implement exchange of Health and Human capabilities designed to enable EHR systems in provider Services, payable organizations, and state and federal agencies, so they are through the Centers for interoperable and share data for specific purposes. HIE funds Medicare and Medicaid are essentially a down payment on providers earning their Services (CMS). portion of the larger CMS incentives. In fact, HIE funding At the same time, represents the first small wave of health IT investment that’s major health-reform legislation at the federal level relies expected over the coming years — to be followed by a larger on health IT to implement payment reforms, new capabili- investment in EHRs and, finally, an even larger wave of invest- ties and cost savings. Although many aspects of the reform ment in a fully wired and reformed health economy that would debate and federal regulations for health IT adoption remain be capable of providing population health analysis, manage- unresolved, there seems to be one issue that all participants ment and decision support. and policymakers — from government to employers, health The new responsibilities require states to have high levels of plans, providers and consumers — tend to agree on: Health organization, expertise and support, but states are currently all IT is a foundational and essential element of health-care over the map in their plans for HIE. Some, like New York, have reform. been investing in their own for years. Others have been plan- ning for investment, but their plans may not be aligned with HISTORIC OPPORTUNITY the federal guidelines detailed in the national coordinator for Guided by this new federal policy push and its associated health IT’s RFP The majority, however, have only begun plan- . funding, health IT investment over the next few years will ning as a result of the RFP and are now crafting an approach , likely have three main focal points: for investment, implementation and operation that takes Health-care providers will use federal impetus and funding into account the five areas of concentration directed by the to move their business plans and agendas forward. Recovery national coordinator for health IT: governance, finance, tech- Act funds are significant, but only available for a short time nical infrastructure, business and technical operations, and and will have the desired effect of getting the private sector to legal/policy. The states are encouraged to incorporate public- begin moving toward adopting health IT. private investment and representation into their plans and to Federal agencies will look to use broader IT capabilities in “leverage existing regional and state level efforts and resources health care to streamline processing and payment of benefits that can advance HIE,” including regional health information — and to track the nation’s health and improve health out- organizations and their Medicaid Management Information comes through programs and policy. Systems infrastructure. States and territories will provide an important multiplier To continue to qualify for HITECH implementation fund- effect for federal efforts and a critical concentration point for ing, states have three to eight months to complete their plans, providers seeking assistance and connection to federal efforts. depending on where they are in the process. They have heavy [25]