Lohrmann on Infrastructure

Everyone's talking about Intel's pending acquisition of McAfee for $7.7 billion. The list of questions is long. Did they pay too much - or too little? Is this the beginning of a new trend or a one-off acquisition? What does this say about the security industry and/or about the state of cyber security in general? What will the impact be for government technology professionals? What can we learn from this action? Bottom line, why did Intel do it?

Leslie Fiering, research VP at Gartner, told SC Magazine, "The goal is to collect and develop IP that can go directly to silicon and bring security down to the hardware level. The embedded security will run outside the OS with a broad variety of software developer hooks. It is highly unlikely that Intel will make any of these proprietary or in any way specific to McAfee.... Bringing security down to the hardware level is particularly critical at a time when exploits at the OS level are getting more sophisticated on PCs and mobile OSs are still highly immature in the security arena."

Renee James, Intel's senior vice president of software and services, told USA Today, "It's true in mobile solutions that we will have more enhanced security hardware, It is an accurate assumption that in the mobile devices market we will be doing integration into the chip."

Rich Mogull from Securosis.com had a very interesting perspective. He said that Intel bought McAfee for three reasons:

1)      The name - "Yes, they could have bought some dinky startup or even a mid-sized firm for a fraction of what they paid for McAfee, but no one would know who they were. Within the security world there are a handful or two of household names; but when you span government, business, and consumers the only names are the guys that sell the most cardboard boxes at Costco and Wal-Mart: Synamtec and McAfee...."

2)      Virtualization and Cloud Computing - "There are some very significant long term issues with assuring the security of the hardware/software interface in cloud computing. Q: How can you secure and monitor a hypervisor with other software running on the same hardware? A: You can't. How do you know your VM is even booting within a trusted environment?"

3)      Mobile Computing - "Meaning mobile phones, not laptops. There are billions more of these devices in the world than general purpose computers, and opportunities to embed more security into the platforms."

So what does this mean for government? I'm staying out of the analysis of how this will affect medium-term products, pricing and competition with Symantec, Trend Micro and other security companies. However, it does underline three trends that express the central importance of cyber security for the next decade.

1)       Cyber security is still hot - and getting hotter. This reality may seem obvious, but recent Gartner surveys of priorities from CIOs has seen security drop to the bottom half of the top ten list. A few years back, security was the #1 issue. To illustrate this point, here's another 2010 priority list - from a different source. The same trend can be seen in the 2010 NASCIO list of top State CIO priorities - with security at #6.

However, a deeper look at these lists and the technologies reveal that security is an important component of all the items at the top of these lists - in areas such as virtualization and data center consolidation. The fact is that technology leaders are demanding that security be built-in for these solutions and projects. In many ways, security has evolved into something new.

2)      More specifically, this cyber security trend is heading up and down at the same time. In the second decade of the 21^st century, security will be moving into "the cloud" (or cloud computing) and into mobile devices that are getting smaller and more powerful. It remains to be seen if Intel can be successful with building effective security into their chips in the same way that anti-lock brakes and air-bags are getting safety built into newer cars. It is pretty clear that Intel (and others) want to try and build more security into the chip sets. Security is becoming more of a "must-have" and less of an "optional extra" in order for new technology offerings to succeed.  

3)      Prepare for more acquisitions and an evolving landscape in the security space. Over the past few years, Symantec and McAfee have been buying smaller security companies on a regular basis and filling in holes in their offerings. This trend will continue, but now even bigger companies (like Intel) are buying the largest security companies (like McAfee). Will other large communications and/or technology companies buy security companies? Will the likes of AT&T, Microsoft, Google, IBM, HP, EMC, AMD and/or others keep buying into this space? Probably - in fact this is already happening with smaller security companies. A blog on Symantec's website asked if Symantec would be bought next?    

These are interesting (and exciting) times. I certainly did not see this pending acquisition coming. Nevertheless, it looks like more change is coming. Hold on to your seat belts.

What are your thoughts on this pending Intel purchase of McAfee?

  Are recent announcements of product offerings from Google, Microsoft and others going to fundamentally change government technology service delivery?  Has the long foretold government paradigm shift now begun? Will we look back at 2010 as the pivotal year? Or, is this just another over-hyped tech story?

Lately, I am thinking that the answer may well be yes - we are witnessing a fundamental shift in technology service delivery for government. However, I think the full transformation could take up to a decade (or more) to complete.

In my opinion, the tech giants are starting in the email and office suite space and will succeed in making these commodity purchases for governments over the next few years. Meanwhile, more complex applications and mission-critical data will be moving into "government clouds" which are private and more secure. Bottom line, we have started down this new "yellow brick road" but certainly have a ways to go to arrive at the "Emerald City."    

   There are many people saying that recent announcements are game-changers. Here's a quick rundown on several interesting articles and related research on this cloud topic:

InfoWorld:  Google removes cloud security barrier for government

ZDNet: The federal cloud: Another Microsoft vs. Google battleground

eWeek:  Cloud Computing: Google Apps Leads Microsoft in Federal Cloud Race: 10 Reasons Why It Matters

Government Technology Magazine recently did this story on the Google certifications for government.   I have also written several blogs and other articles on Cloud Computing security issues and offered recommendations to government technology executives on the cloud. A few months back, CIO.gov released the Federal CIO Council's report on the "State of Public Sector Cloud Computing."

Last week, the Digital Daily pointed to recent implementation challenges in LA, in this article Cloud Computing: Good Enough for Government? Microsoft told us back in February that FISMA-compliant cloud offerings are coming this year. I expect to see those offerings over the next few months, which will mean that they will match Google's FISMA-compliant offerings - with a similar price. These offerings also ensure that data is stored in the USA to help us with potential legal issues.

(One side note of caution: true FISMA compliance requires much more that just secure hosting by Google or Microsoft or others. It requires end-to-end security which includes our databases, PCs as well as office environment policies, procedures and even training. I worry a bit that these "compliant answers" are somewhat over-hyped in that government officials who may not know any better will think that they "done" with security if they just use one of these FISMA compliant services.)    

For more technical details on this topic, you can also read this PC Magazine blog entitled: The Changing Cloud Platforms: Amazon, Google, Microsoft, and More

 Meanwhile IBM and smaller companies like Secure-24 are focusing on private cloud offerings. The International Business Times highlighted IBM's offerings, but almost every tech company I speak with now has one or more cloud offerings.  

So what can readers do to learn more? I like these six questions that Accenture recommends IT Executives ask regarding cloud computing. (Click on the recommendations and conclusions boxes when you get to this website.)

My view is that as we see even greater pressure to cut costs in 2011 and beyond, all of us will incorporate elements of these new cloud computing services into our offerings, if you don't already have them implemented. There's is no doubt that government technology execs will also need to improve their contract monitoring and vendor management skills in this new online world.

What are your thoughts on these new, improved "cloud offerings" in government?

"We need your help to stop online thieves."

 This surprising message from many banks to their customer base is becoming more popular as online bank robbers are getting more sophisticated, patient and dangerous. Gone are the days when marketing brochures insisted that online accounts were just as safe as traditional banking with a teller. The new message seems to be: "We're in this battle together, so can you please lend a hand?"

 USA Today's headline entitled: Banks seek customers' help to stop online thieves offered a fairly bleak assessment of current abilities to stop the bad guys - unless we all work together.

"Cyberattacks against individual online accounts have become so sophisticated and pervasive that the American Bankers Association (ABA) is now asking consumers to 'partner' with banks to keep cyberrobbers in check.

The banking industry wants consumers to monitor their online accounts for unauthorized transactions on a "continuous, almost daily, basis," says Doug Johnson, the ABA's vice president of risk-management policy. "

The article goes on to offer a scary story to illustrate the point that this has become the new normal in online banking. With 80% of US households now participating in online banking, this issue is very serious. More than that, this call to share the security load is a 90-degree turn, in my opinion. A decade ago, banks and other financial institutions insisted that the online risks were as low (or lower) than conducting your bank transactions at branch offices - with the convenience of staying at home and not waiting in line. 

So does this issue affect government? Absolutely! Here's how.

Cybersecurity experts in government have been working with our banking partners for years regarding technology and processes for securing online transactions. We attend many of the same meetings and security conferences. We work with the same vendors. The banking industry has generally been leading cybersecurity activities, and they have often offered the way forward for online government. Bottom line, we are all in the same boat as partners. 

 I have seen several respected colleagues go back and forth between these two communities, such as Greg Garcia who went from US Cyber Czar at the Department of Homeland Security (DHS) to a senior executive position at the Bank of America working on identity management and cybersecurity. Other banking colleagues participate on the same panels at security and technology conferences such as RSA and GovTech South Africa.      

Beyond security community interaction, we all know that more government transactions go online every day - involving citizens, businesses and other governments. For efficiency and customer service reasons, e-government has been hot for a decade and continues to get hotter in tough budget times. This trend is only accelerating online as services ranging from tax preparation for businesses to camp ground reservations for families are placed on the Internet. These services offered are the vital backbone for government technology professionals, and the scope of this issue is rapidly expanding.

 So should governments follow the leading of banks? I predict that this will happen over time. In order to ensure the integrity of our online government processes, we will need to work end-to-end to secure online transactions. This means that consumers and providers will need to get involved. [One side note, many governments have offered end-user training for citizens, schools, businesses and more for years - such as Michigan's cybersecurity training.]

How fast will this new trend develop? What will be the next step(s)? How far will the banks go in counting on customers to help? Will government online transactions move to two factor authentication like European banks did years ago?

  I'm not sure, but I think that our colleagues at US banks will continue to show us the way - since they are in the hottest part of this cyber battle. I do think that we'll be hearing more lines like "All Aboard!" when it comes to securing online transactions. So yes, it's back to training our children and neighbors.

What are your thoughts on this topic?

Earlier this week I received an email from an out of state friend and respected colleague who I haven't heard from in a while. He got straight to the point. "I just discovered that I'm only three hops away on LinkedIn from one of the suspected Russian spies. But guess what, you're even closer. You're only two hops away."

 Put in the other terms, my (real life) friend was telling me that I was linked (had a connection which is similar to a "friend" on Facebook) to someone who had an online connection to one of the alleged spies. 

I immediately checked out my friend's facts. It was true. I had accepted an invitation last year to connect to a person who was in one of the security groups that I was also in. At the time, this individual wanted to make me aware of several "hot job openings" for senior executives in my field. That contact never went anywhere, but now I was kind of "guilty by association." I presume that many others are in the same boat, since the recruiter has thousands of LinkedIn connections.

This is not the first time something like this has happened to me. But the previous time, I was a bit more culpable. Once I gave an upbeat LinkedIn recommendation to a colleague that I knew well and liked as a person. This government staff member did good work and had a good reputation - until he committed a crime and went to jail. (It turned out that I didn't know him as well as I thought.) I quickly learned that I could undo (withdrawal) my online recommendation for this person, and I did so.

 As I researched "the good, the bad and the ugly of social networks" further, I found out that many HR professionals and lawyers have suggested that online recommendations are a bad idea in the first place. That is, recommendations are not recommended, for a variety of reasons. Even when there are no negative employee/boss situations that arise, some bloggers suggest that these recommendations can be seriously flawed - due to conflicts of interest. Some managers may even recommend staff so that they are more likely to leave.

So here I am on 4^th of July weekend, wondering if I should stop accepting LinkedIn invitations. Should I change my social networking habits? Should I stop connecting to other professionals online? I meet many people at conferences and often try to establish a connection with them on LinkedIn within the next month. Does this still make sense?

After more research, I've also discovered that LinkedIn has even clamped down on super connected users. Most experts say that quality matters more than quantity. And yet, I have always used LinkedIn as a good substitute for keeping track of business cards which can become out of date. Using LinkedIn, I can easily keep track of friends and colleagues that I worked with in England, back in Maryland and even former State of Michigan employees who move one.  This pattern has served me well, and best of all, my database of contacts updates itself with the latest contact information automatically.

What conclusion did I reach?  Should I fear being "guilty by association" online? Should I encourage others to stop using these social networking tools?  I've decided to march on - with a few minor modifications.

Why? If you're not guilty there is nothing to fear.  I think a consistent "middle of the road" approach still makes sense. As long as we don't go overboard with these tools, they can help us to become more productive, well-informed and (yes) connected.  They can even lead to new opportunities - like joining interesting online groups, speaking at conferences or writing for magazines.

Sure, we need to to keep an eye on how things evolve to protect our professional online reputation and our virtual integrity. But let's not throw the baby out with the bathwater. I say keep using social networking tools like LinkedIn, when supported by company or government policies.

Meanwhile you can ask me to connect online - but I might say no or hit that archive button.

How about you? Have any stories you can share about online "friends" or "connections" gone bad?

In a unanimous decision last week, the US Supreme Court rejected the privacy claims of an employee who was texting using employer-provided equipment.  According to the Washington Times,

"The ruling essentially maintains the status quo of allowing employers to implement policies preventing employees from using company communication equipment for personal use.

But Bart Lazar, an intellectual-property lawyer whose expertise includes privacy and security involving electronic communications, said the narrowness of the ruling leaves open scenarios in which employees could keep private communications made on company equipment."

The ruling was widely covered by both newspapers and technology magazines. Here are a few examples:

LA Times - Supreme Court rules in favor of California police chief who read employee's texts

Southern CA Public Radio - No sexting on the job!: Supreme Court upholds search of text messages at work in City of Ontario v. Quon  

Computerworld - Supreme Court ruling lets employers view worker text messages with reason

USA Today - Justices  uphold  search  of  officer's  texts

Washington Post - Supreme Court rules on employer monitoring of cellphone, computer conversations

For other similar topics and stories, you can visit the Electronic Privacy Information Center (EPIC).

So what does this Supreme Court ruling mean for government technology executives today? In my view, this ruling is very important, since it reconfirms the status quo in a unanimous decision - which is pretty unusual for the Supreme Court. This (admittedly narrow) ruling is unlikely to be overturned anytime soon. So here are a few suggestions:

1)             Go back and check your acceptable use policy. Do you specifically declare that state and/or local employees and contractors have no presumption of privacy when working on government networks (with government - issued technology)?

2)              Is the policy clearly explained and available to all employees? What training is in place?

3)             Do you use a splash screen which lists the policy as employees are logging onto the network?

In Michigan, we are currently updating many of our policies for social networking and other new online situations. However, our acceptable use policy has contained these three basic elements (listed above) since at least 2003. But while we have further to go over the next year in modifying our policies and training, it seems to me that every state and local government needs to reaffirm these basics policy elements right now.  The federal government should do the same as well.

What are your thoughts on this new ruling - which reaffirms the status quo on workplace privacy?

Imagine this:  "A motorist still at the office can use a cell phone to remotely start his car or truck, adjust the temperature, confirm the vehicle is locked, detect an intruder, check the fuel level and make sure the tires are properly inflated.

Later, if the gas tank is running low, a couple of taps on the phone's screen locates a gas station and downloads directions, so the navigation system is programmed and ready when the driver reaches the car parked blocks away."

This is the vision articulated by Delphi Holdings LLP and described in this recent Detroit News article entitled: Key fob morphs into high-tech wonder. The idea: turn that device on your key chain that unlocks your car into a conduit between your smart phone and your car.

 While Bluetooth technology is popular today, consumers want even more integration in the future - allowing internet access and exchange of data to mobile apps.

While expensive cars have similar (or even more advanced) features available now, this new technology may be made available for less expensive cars at a much lower price. 

So what does all of this have to do with government technology? Check out this article on some of the latest advances in RFID asset tracking with key fobs. Here's an excerpt: "This active key fob RFID tag which is well suited for personnel tracking and access control application, vehicle identification, or for use in applications where keys need to be tracked, such as in prisons, hospitals and government offices."

It will certainly be interesting to see how this market develops. What is not in doubt is the power of mobile devices when they interface with smart phones and more. The Bill Gates prediction a few years back, in which everything in the home and work is connected to a network which communicates with our car and more, certainly seems to be coming true.

The question that government technology professionals need to ask is not whether we will be integrating our government apps with key fobs and smart phones, but how will we do it. We need to watching these trends and not building new stovepipe solutions that will be unique islands that won't work with commercial off-the-shelf devices.

So how many government apps will we eventually connect to your personal key fob? I'm not sure yet, but I suspect we'll find our sooner rather than later.

What are your thoughts on smart key fobs?    

 Move over Second Life, a new virtual world is being created for the federal government called vGov. According to Government Computer News: "The vGov virtual world environment is now being built and is expected to go online starting in July. It will be used for employee education, continuity of operations training, cybersecurity education and disaster response..."

 vGov is a joint federal effort with the Department of Agriculture, Department of Homeland Security, Air Force and National Defense University iCollege joining forces to create the vGov virtual world behind a secure firewalls that require authentication to enter. The virtual world will initially be limited to federal employees.

One thing for sure, the technology used to create these virtual worlds is not just a game. Virtual World News described the USDA contract and the technology which is pretty cutting edge. Here's an excerpt:

 "... Like many enterprise-class virtual worlds, Teleplace's is designed for use in training, collaboration, and project management. What sets Teleplace's solution apart is that it allows application sharing across platforms, even through firewalls or cloud computing systems.  Another key component of Teleplace's solution is vPresence, a communications suite that combines VOIP, text chat, and video conferencing features within a single virtual conferencing center...."

I can easily see this virtual world interface taking off, not just in the federal government, but also in the state and local government spaces. I anticipate virtual worlds for training and interaction in a business environment, which is currently limited in popular virtual worlds like Second Life. In my opinion, virtual worlds are currently viewed as games by most professionals, but I see that changing in the coming few years. Here's a good article describing the evolution of virtual worlds and training in global businesses.     

 I also see this trend becoming more widespread in the next few years, and we'll all have avatars within less than a decade in my opinion. In the meantime, bleeding edge adopters of fun workplace training will be busy creating virtual worlds for governments and businesses with appropriate controls, dress and acceptable use provisions. I'm not sure if Second Life will be the ultimate leader or not, but vGoc points the way for all of us.

To learn more about vGov, you can watch this video which describes vGov in detail.

Any thoughts on virtual worlds being used for training? Do you have an avatar? 

The National Association of State CIOs (NASCIO) Midyear Conference for 2010 was held during the last week of April in Baltimore.  The attendance was the highest ever for a NASCIO Midyear Conference, and I was impressed with the content, speakers and overall agenda. This blog briefly covers some of the highlights from my perspective.

On Tuesday afternoon, a pre-conference session on Identity Management was held. We heard updates on ongoing activities in several states, Washington DC and federal agencies, and we discussed the upcoming draft document entitled: The National Strategy for Secure Online Transactions.  If you're looking for more information on this new national strategy, here's another article on this topic. The discussion and break-out sessions were excellent. This issue is sure to be a hot topic in coming months, so stay tuned for more updates on this pivotal aspect of digital government. (I plan to spend more time blogging on this topic later this summer.)

 The Weds afternoon members-only session began with a presentation by Federal CIO Vivek Kundra.  Here's an excerpt from the NASCIO website:

"Kundra challenged the CIOs to identify two areas where states and the federal government can collaborate on addressing challenges in information technology. Federal and state government spends billions a year annually on technology. With limited resources in federal and state government to carry out critical and non-critical services, we must work together in a state-federal IT partnership to find solutions and tools to get the maximum return on investment from information technology."

After Mr. Kundra, we heard from the Director of the US CERT, Randy Vickers. Mr. Vickers, who recently moved from "Acting Director" to become the formal US CERT Director, did a very nice job of articulating the various priorities that DHS is working on right now within the National Cyber Security Division (NCSD) and within a variety of public sector and private sector committees and working groups. The importance of fusion centers, the opportunity for more state CIOs to obtain security clearances, and pilot programs on cyber security, were just a few of the topics Randy mentioned.

The opening session on Thursday morning was perhaps my favorite session. The topic was: "Perspectives from Great Leaders: Visionaries, Role Models and Innovators." The moderator was Peter Harkness, founder and publisher emeritus, Governing. The speakers were Martha Dorris, Deputy Associate Administrator, Office of Citizen Services, US General Services Administration, Phyllis Kahn, Representative, State of Minnesota and Bill Purcell, Lecturer in Public Policy and the Director of the Institute of Politics, Kennedy School of Government, Harvard University.

Here were some interesting topics/comments that were discussed by this excellent panel:

·         Leaders understand where the organization is, where they need to go, and what the gaps are. They execute and deliver results.

·         Leaders act as a "heat shield."

·         Leaders are respected - but less fear used as a technique (than in earlier generations).

·         Leaders are on point and bring everyone home safe.

·         The debt crisis is the most predictable crisis we have ever faced.

·         Great quote: "I have friends on both sides of that issue and I'm with my friends."

·         Unhelpful techniques include concepts like "year of the child." (So next year we won't care about children?)

Other great sessions included Howard Schmidt's lunchtime keynote, new developments in wireless broadband, breakout sessions on topics like cloud computing and discussions on smart strategies with tight budgets.

Overall, I found the mid-year conference to be extremely valuable. The networking with colleagues from around the country was great, and the interaction amongst the states during the working sessions provided a unique opportunity. The federal government sent several high-level executives that clearly want to partner with the states in new and exciting ways.

The upcoming elections this fall have also focused everyone's attention in several ways. CIOs are asking what can be accomplished in the next six months that will show meaningful and lasting results. Many leaders within NASCIO are predicting that we will see many new CIOs by this time next year, so a big focus in the hallways was preparing for fall transitions and for new administrations in state capitals beginning in January. Some speakers predicted that CIO influence will also continue to rise.

If you are a state IT exec and missed the conference and/or you are thinking about the rest of 2010, I urge you to attend the NASCIO Annual Conference this fall. The investment in time and resources is well worth it. In fact, I find that I always get much more out of these NASCIO events than I put in.

If you were in Baltimore, I'd love to hear your thoughts on the NASCIO 2010 Midyear Conference.   Please leave comments below.