January 2009 Archives

Scams Rise as Stocks Fall


As the financial markets fall, cybercriminals are increasing their Internet attacks to steal personal information.

USA Today ran a featured article describing the new surge in online scams. Here's an excerpt:

"The schemes -- often involving online promotions touting fake computer virus protection, get-rich scams and funny or lurid videos -- already were rising last fall when financial markets took a dive. With consumers around the world panicking, the number of scams on the Web soared.

The number of malicious programs circulating on the Internet tripled to more than 31,000 a day in mid-September, coinciding with the sudden collapse of the U.S. financial sector, according to Panda Security, an Internet security firm.

It wasn't a coincidence, says Ryan Sherstobitoff, chief corporate evangelist at Panda."

Meanwhile, as economic problems grow, employers are worrying about disgruntled or laid-off employees. Computerworld points out the risks associated with insiders in a recent article, and declares that security breaches will rise with the downturn in the economy.

 "In a McAfee Inc.-sponsored worldwide survey of 1,000 IT decision-makers, the company found that 42% of respondents felt that laid-off employees represented the biggest IT security threat caused by the recession. That's more than were worried about outside intruders. And 36% said that they were worried about security problems caused by employees in financial stress.

Crime rates spike during hard times, and with thousands of workers being laid off each week lately, there may be an added incentive for laid-off employees to take intellectual property with them to bolster their chances of getting hired with a competitor, to use with a start-up company of their own, or maybe even to sell."

 What are your thoughts about potential security risks associated with the economy?  

Fewer Policies, But More Tech Etiquette Please


A flurry of articles has appeared recently regarding "tech etiquette," also described as "email etiquette," "computer etiquette," and a bunch of related names. Author Virginia Shea even took the concept a step further, created a new word, "Netiquette," and offers "10 Core Rules of Netiquette."

Many of the articles offering tips are even more specific, such as "Blackberry etiquette," which typically addresses texting with cellphones as well.

What caught my attention over the holidays was an article called "25 Rules of Tech Etiquette" from Jon Chase at Switched.com. Take, for example, rule #6:

"Why should I bother using CC for group e-mails when I can just put everyone in the To: ?

E-mail was partly devised to mimic the old paper trails of office protocols of yesteryear. So, if you want to communicate directly with just one person, send that person an e-mail and CC (carbon copy) anyone else that you think should be notified, but that you don't necessarily expect to reply. If you're starting a conversation among all those people, then you'd put them all in the address bar. If you're sending a party invite to a small group of people, then you might CC your list. But heaven help you if it's more than a half-dozen e-mails. The height of e-mail stupidity is to CC a string of 50 e-mail addresses. That's what BCC (blind carbon copy) is for."

 

The overall list is pretty interesting, as are all of these various technology etiquette lists. From cell phone use in restaurants to texting in work meetings, they describe when it's ok to be upset with friends, family and co-workers and when it's not. These lists provide some helpful guidance, but be careful - some of the lists also contradict each other.          

 We know our society has a problem when comedians get involved. Check out this YouTube video (at home on your own time of course) from Greg Schwem on tech etiquette to grasp the issues pretty quickly - with a smile.

So what's my point? Besides the many articles on our new President's Blackberry usage and bringing this hot topic to your attention, there are real questions, issues and lessons here for policy makers and technology staff. Some governments and companies around the world have even formally banned Blackberries from meetings. Is that the right approach? Or do we best change the culture at work through tech etiquette training? Or do we just leave this topic alone and let the masses figure it out?

My view: we probably need fewer policies in these areas, but better training for staff on expectations for the use of technology. Several organizations, like Motorola, have even condensed their policies down to far fewer pages so that end users can better understand the do's and don'ts on the net at work. In Michigan, we are re-writing many of our acceptable use policies now to include Web 2.0 and social networking topics. However, it remains to be seen if the policies actually get shorter.

Nevertheless, I seriously doubt that we'll get to the level that Jon Chase does in his 25 rules - nor should we, in my opinion. The central question that governments around the globe need to answer is this: Is a policy required, or is this tech etiquette? We can't have a policy for every situation; we need to rely on common sense, right?

What are your thoughts?

 

One side note: Starting tomorrow, I will become Michigan's Acting Chief Technology Officer and Director, Infrastructure Services Administration within the Michigan Department of Information Technology (MDIT). Trent Carpenter will become our Acting Michigan CISO. As mentioned in Government Technology Magazine, I will stop blogging on security and start blogging on infrastructure, integration, and innovation if/when the position becomes permanent. I also plan to write a future blog on the transition of roles in government. Stay tuned and thanks for reading.

 

E-Security Fellows Program a Good Idea


According to Federal Computer Week (FCW), a new cybersecurity bill was introduced on January 7 by Rep. Sheila Jackson Lee (D-Texas). The bill would establish an E-Security Fellows Program to award fellowships to state, local, tribal and private sector officials. The program would be set up by the National Cybersecurity Division (NCSD) within the Department of Homeland Security (DHS) and enable participants to learn more about DHS cyber efforts and build better collaboration between federal, state, local, tribal and private sector efforts.

The bill would also enhance cybersecurity research and training by working with the National Science Foundation (NSF) to establish grant programs to bolster higher education programs in cybersecurity. Similar bills were introduced in the past - H.R. 263 in January 2007 and H.R. 3108 in June 2005.  

As a state government cybersecurity official and someone who has worked closely with DHS over the past several years representing Michigan and the National Association of Chief Information Officers (NASCIO), I believe this type of fellowship program is needed. The reason is that many competing activities pull us in different directions.

While there have been numerous excellent opportunities to work with NCSD on efforts such as building the National Infrastructure Protection Plan and more specifically the NIPP's IT Sector Plan, the number of groups and sub-groups that hold regular meetings can be overwhelming. Each committee holds in-person meetings, conference calls, and issues action items (such as writing assignments) for active participants. Bottom line, most state IT professionals have very busy "day jobs" that make long-term support to NCSD activities very difficult. I have seen respected state government colleagues drop off of federal-state committees due to the heavy workload or state priorities. 

I think 6-month dedicated fellowships for state/local/tribal IT execs in Washington D.C. could help tremendously. Granted, it will still be difficult for states to part with their best and brightest staff for such a period of time. However, this approach can work if the program is set up properly with the right level of recognition and benefits to the state and local officials who make the commitment.               

With a new administration coming in, I hope this bill passes and gets implemented. This is one practical way to improve communication between the feds and the states on many cybersecurity issues and projects.

What are your thoughts?   

Reported Data Breaches Up 47% in 2008


According to the Identity Theft Resource Center (ITRC), a non-profit organization dedicated to the prevention of identity theft, reports of data breaches rose dramatically in 2008.

The ITRC press release reported:

"... Only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords."

The report received widespread coverage around the country. The Washington Post featured the report on the front page of their website yesterday. Here's an excerpt:

"Identity Theft Resource Center of San Diego is set to announce today that some 656 breaches were reported in 2008, up from 446 in the previous year. Nearly 37 percent of the breaches occurred at businesses, while schools accounted for roughly 20 percent of the reported incidents.

The center also found that the percentage of breaches attributed to data theft from current and former employees more than doubled from 7 percent in 2007 to nearly 16 percent in 2008."

 I agree with the comments made in the press coverage suggesting new trends in monitoring employees as a result of increased insider threats. However, I also think these numbers reflect the fact that more organizations are complying with state and federal laws which require public notice of data breaches. 

What are your thoughts? Are we seeing more stolen information or more organizations "coming clean" on data loss?   

 

President Obama's New e-Government: How will it work?


The countdown has begun, the suspense is building, and the stakes are very high. As our nation prepares for inauguration day, millions of Americans flock to Change.gov to hear President-elect Barack Obama's weekly radio address, read blog updates, learn more about the latest announcements, offer their own thoughts and suggestions or tell their story.  

The Washington Post offered an "e-Hail to the Chief," which went on to ask how the President-elect will govern using this new online community. No one doubts the power and money that online supporters provided during the campaign, but running the government offers many different challenges.

Here's an excerpt: "With some notable exceptions, federal Washington -- how agencies deal with citizens, the process in which policies and laws are created -- is stuck in the Encyclopaedia Britannica era. A relatively small group of editors and contributors is in charge....

And online social networking is designed to foster a community. For that approach to be effective, WhiteHouse.gov can't just push information out -- it has to pull content in, too. And once it does so, the administration will have to decide whether, when and how to incorporate those voices into its decision-making process." 

Meanwhile, federal PR machines are sure to run into conflicting messages if too many people can speak within the next administration. Even current media rules are not followed, but Web 2.0 offers new channels. Here's another example from the Washington Post:  

"Until the archaic rules were revised this fall, legislators using their official congressional sites were prohibited from linking to YouTube and other commercial sites. (But many did it anyway. Even Pelosi, who has a YouTube channel and a blog called The Gavel, was violating the rules.)"

Some items will be easy to change, like placing more schedules and meetings online. However, it will be much more complicated to meet the demands of millions of citizens who all have their own top priorities that they want addressed immediately. There is little doubt that critics, as well as supporters, will send in their opinions and stories.

As a blogger and government employee myself, I find this new approach to be exciting, empowering and a bit overwhelming. I feel as if we are opening up Pandora's Box. Technology will be front and center - which will likely be a very good development as well as a huge challenge to overcome. Yes, there will be many security and privacy questions to be answered as well.

What are your thoughts on technology and President Obama's new approaches?
