Archive for June, 2015

Numbers tell the tale of the #OPMbreach

June 25, 2015

Some big stories become defined by the people and the emotions connected to them. The earliest news memory burned into my gray cells occurred on November 22, 1963. Emerging from my third grade classroom, I recall the emotions of the clustering. Walking home, I remember my mother in tears before our black-and-white RCA console TV, declaring to me and, I guess, heaven, “Someday there will be another Kennedy in the White House!” I’m not certain I have a direct memory of Walter Cronkite pulling off his heavy glasses, having seen the kinescopes of that moment replayed periodically through the years.

We remember other big stories for their remarkable numbers and statistics. Not that it lacks emotional content, but the Bernard Madoff crime is notable for its sheer audacity of size, expressible in lurid statistics: 11 federal felonies, $65 billion in fraudulently stated gains, 150 years in the slammer. Who knows, the word “Madoff” could well replace the word “Ponzi” in the vernacular reference to really big frauds against innocent individuals.

OPM’s data breach, which has spawned its own hashtag — the new form of vernacular among what might kindly be called the vulgate — is a numbers story, leavened by the justifiable frustration and anger of the employees involved. Mike Causey likens this story to The Blob (one of my all-time favorite movies). Here the horror is underscored by numbers:

  • 4.2 million feds and retirees affected.
  • 14 million more in another breach that claimed data from SF-86 forms.
  • 18 million Social Security Numbers may have been purloined, according to testimony from OPM Director Katherine Archuleta.
  • Two-hour waits to reach someone on the telephone at contractor CSID.
  • 36 hours between OPM hanging out the notice of the credit monitoring services requirement and awarding a contract.
  • $21 million for the credit monitoring services so far.
  • 15 points in the plan OPM came up with for fixing its cybersecurity vulnerabilities.
  • 1 direct-report cybersecurity advisor working for Archuleta.

This is one of those drip-drip stories in which details come out serially, although not all that clearly. From one of the congressional hearings we got a sense of how much more money OPM thinks it will need. In a kind of symmetry, Archuleta says OPM may need still another $21 million in 2016 to button up its systems. The agency has asked for a total of $32 million more for 2016, but is also saying the total cost of the breach could be as high as $80 million. That figure won’t buy a wing assembly for an F-35, but it’s a significant figure against OPM’s roughly $400 million spending authority.

In business, bad results tend to bring on one of two outcomes. Either your budget gets cut. Or the money becomes available to fix the problem, but you don’t get to spend it because you’re gone.

So where are all the numbers and this story headed? It’s not over yet. We still don’t know the full extent of how many names, Social Security numbers and SF-86 forms were taken. When that many people are affected, it’s hard to make it disappear. We still have yet to learn the motivation of the data thieves, which means millions will be holding their breath for a long time.

As an unforeseen benefit, every other agency is scrambling to make sure it’s not the next OPM. One departmental CIO told me as much just the other day. Software vendors will have Christmas in the summer as agencies get serious about two-factor authentication, Continuous Diagnostics and Mitigation and the tools that go with them. Homeland Security is scrambling to get Einstein 3A into place. So, some silver linings.

No TV news anchor pulled off his glasses and put them on again to mask emotional turmoil over the OPM breach. But at least the lessons learned, as the government likes to say, will stick this time.


OPM left a sizzling burger on the counter. The dog ate it. Who do you blame?

June 16, 2015

Dog trainers like to say there are no bad dogs, only bad owners. I know. We have a now-elderly greyhound. She rules the roost, mostly. But because of her mild personality, she’s never out of control, never pulls on the leash, and has never so much as growled at anyone. Mostly she saunters into the middle of the room and lies on her back, her tummy available for anyone who cares to rub it.

But leave a hamburger on the counter, a cold drink on a side table, or an unattended dinner plate of food, and oh boy. Don’t turn your back. She’ll pretty much have it devoured before you can turn around and say, “No!” One time the extended family retired to the living room and family room after Thanksgiving dinner. After putting away some dishes I went into the dining room to pull the tablecloth. There was Lizzie, atop the dining room table, licking up crumbs and tidbits.

Unlike China, which denies everything when it is caught stealing data, a dog caught stealing food looks at you and says through her eyes, “What did I do? You left it there.”

A young Lizzie cleaning up after Thanksgiving.

This is what I thought of when reading comments former CIA Director Michael Hayden made to a Wall Street Journal conference regarding the awful database breach. The U.S. personnel records were “a legitimate foreign intelligence target,” Hayden said. He added that our intelligence apparatus would do the same thing if it had half a chance. Hayden said he wouldn’t have thought twice about grabbing any Chinese government database the CIA could.

“This is not ‘shame on China.’ This is ‘shame on us’ for not protecting that kind of information,” Hayden said.

OPM left a juicy, sizzling hamburger on the counter. The dog snatched it.

Perhaps the U.S. government does do the same thing to rival nations. We don’t know for sure. Let’s hope so, because at the least it would leave things in a rough state of Spy vs Spy equilibrium. Because it is justifiably embarrassed, and because it can’t really do anything about Chinese cyber behavior, the accusations from the administration have been mild and sporadic.

Unfortunately, I see no recourse other than for OPM Director Katherine Archuleta to resign. I don’t say this with any satisfaction. Not that she was personally responsible for the breach. Not that she’s a bad person. But the warnings were there: she knew that the hacked systems were overdue for their FISMA authorizations, and she knew of the string of attacks going back a year. It all happened on her watch, and it potentially harmed enough people to fill New York City, Chicago, Baltimore and Dallas. It’s not that she was personally malfeasant; it just goes with the territory. Had a rocket landed on the OPM building, that would have been one thing. But an egregious organizational performance lapse of this scale claims the person ultimately responsible.

Recall what happened back in 2012 at the General Services Administration. A conference held 18 months earlier, at which regional officials had spent indiscreetly and contracted criminally, came to light. Administrator Martha Johnson resigned before the reason why became known. Veterans Affairs Secretary Eric Shinseki toughed it out for a while, but ultimately had to step down after the drip-drip-drip of bad news from last year’s patient scheduling scandal.

OPM, as Francis Rose points out, has lost its credibility. Now it needs new leadership to restore it.

Fails happen. It’s how agencies react that matters

June 9, 2015

An old, familiar shibboleth came up again this week. “Washington is a city of second chances.” That’s what a Washington Post article said about a millennial writer who was fired from a popular web site for plagiarism. He popped up at another web site a year later, where he’s boosting its traffic. Dennis Hastert, the former House speaker now enmeshed in a really bad scandal, probably is too old to have a second chance.

Organizations can have second chances, often because they have the wherewithal to buy their way back. I remember the Ford Pinto gas tank scandal (1977), the time Lockheed nearly went bankrupt (1971) save for a federally backed loan, and the Tylenol poisoning scare (1982), which was a problem not of the company’s making. Today, Ford, Lockheed Martin and Johnson & Johnson prosper quite nicely.

I’ve been wondering whether federal agencies can have a second chance. Technically no, since they can’t go out of business unless Congress decrees it, which it never does. So when they goof up, there might be temporary hell to pay, but not the threat of going out of business. In fact, serious failures are often rewarded with big budget increases, as in the case of the Veterans Affairs Department. Congress can readily replace money. Reputation and perceived legitimacy are harder to recover.

Yet agencies are obligated to react when things go wrong. Two recent examples stand out as case studies of the right way to react and retain the confidence of the public.

A whistleblower, still anonymous, complained to the FDA about poor practices and fungus contamination at the National Institutes of Health. Specifically, in the Pharmaceutical Development Section of NIH’s Clinical Center. This is where doctors and technicians whip up experimental drugs for small groups of patients. Two vials of albumin, a medium for injecting drugs into patients, were found to have the fungus. Patients had been given injections from different vials in the same batch. The FDA investigated the lab, and the NIH suspended sterile production. It won’t resume until at least June 19th.

The NIH went public with the episode, including a mea culpa from the director, Dr. Francis Collins. When I spotted the release, I asked for an interview the next morning with Collins. NIH public affairs people — they are among the best in the government — got me the principal deputy director, Dr. Lawrence Tabak. He said the NIH welcomed the highly irregular incursion by another federal agency. We don’t know what personnel changes will happen with the troubled section, but the speed and forthrightness of the NIH response seemed refreshing and, well, grown up.

Another agency, the relatively small National Highway Traffic Safety Administration, published last week the results of a study of how it can function more effectively. The agency launched the review in response to how sluggishly it responded to the General Motors fiasco of the malignant ignition switches and non-deploying airbags. The defects caused at least 100 deaths when people’s cars turned off at highway speeds. Last year’s incident is still in the news, overshadowed though it may be by the explosive Takata airbag situation that’s affected millions and millions of cars from many makers.

Somehow the GM ignition switch-airbag issue went on for a dozen years before the 2014 recall, and the NHTSA blames itself in part. It says it was pushed around by GM, and it lacked the technical understanding its staff needed to stay on top of these issues. The NHTSA report says the agency “failed to identify and follow up on trends in its own data sources and investigations.” The upshot: The agency has produced a detailed internal improvement plan, and appointed three outside experts to guide the improvement effort, including a former astronaut.

And what of the Office of Personnel Management, from which vast amounts of personal data on current and former federal employees were stolen? The lag between discovery and disclosure is troubling. More disturbing is the frequency of similar attacks and the seeming ease with which whoever it is (China, some lunatic insider, maybe a combination of both) is getting into federal databases. As Jason Miller reported this week, the government has experienced nine incidents in less than a year in which hackers attempted or succeeded in stealing personal information on government and contractor employees.

How did the agency react? OPM made the obligatory offers of credit monitoring. It worked with US-CERT and the FBI, but the US-CERT report is incomplete, and in any case isn’t available at its web site. The agencies still don’t know how much data was taken, or else they haven’t said. The stain is still spreading. As pointed out in my interview with cyber expert Rodney Joffe of Neustar, the loss of SF-86 data exposes not only employees, but friends, neighbors, and any foreigner they’ve ever done any sort of business with. Plus travel records and passport information. That lost data could pester people for the rest of their lives.

OPM says its technical staff secured remote server access and installed new cyber tools. The White House ordered the acceleration of Einstein 3A monitoring tools, not that the current version worked so well. Lots of sturm und drang, but no clear sense that the government is doing much more than improvising against something it only dimly understands and only feebly deals with.

My hope is that when the scope of the OPM breach is known, the same unflinching, critical and public self analysis exhibited by NIH and NHTSA will occur in the federal cybersecurity apparatus.

Numbers can tell the whole story, or miss it entirely

June 2, 2015

Several of the Defense Department’s top brass have said it in recent speeches. With the cash it has on hand, Apple could acquire the stock in Lockheed Martin, Raytheon, Northrop Grumman and General Dynamics outright. I checked the numbers myself. It’s true. This week, the combined market cap of the four defense contractors was roughly $170 billion. Apple’s cash hoard was just shy of $200 billion. Apple’s own market capitalization is somewhere in the $772 billion range.

Almost in the same breath, military leaders note that with a market capitalization of around $225 billion, Facebook is more valuable than the same four companies combined.

Air Force chief of staff Gen. Mark Welsh III and former Deputy Defense Secretary Bill Lynn both cited these numbers within the last few weeks because of the scale of research and development going on in consumer and commercial electronics and computer science, versus R&D investments benefitting the defense sector. Unsaid is how surprising hard-headed military leaders must find it that something as seemingly trivial as Facebook could command such value in comparison to companies that make sophisticated hardware like Patriot missiles or F-35 fighters or nuclear submarines. The comparisons come in the context of the DOD wanting to re-establish the technology offset that produced so much U.S. military superiority in recent decades.

Numbers startle. They provoke thought. But they only tell part of the story. Apple may be worth three quarters of a trillion dollars, but it can’t build bombers or ships or submarines. It’s entirely capable of building sensor networks and software underpinnings for weapons, but it won’t. Numbers don’t tell what’s in a company’s DNA. SpaceX, essentially a start-up with 3,000 employees but no public shares or even a statement of revenue, snared $1 billion in private financing in January. And now it’s on the very short list of exactly two companies certified by the Air Force to launch rockets putting military satellites into space. It competes with a partnership of giants Boeing and Lockheed. Boeing built the first modern airliner — in 1933.

Few remember the minicomputer wars of the 1970s and 1980s. But like the PC business in the 90s, the minicomputer business had a large number of fierce competitors — Apollo, Digital Equipment Corp, Data General, Hewlett-Packard, Honeywell, IBM, Nixdorf, Prime, Wang. So fierce was the competition, it spawned Tracy Kidder’s 1981 non-fiction account, which won the Pulitzer Prize the following year. The Soul of a New Machine chronicled the late Tom West, an engineer at Data General, as he coaxed a new 32-bit machine out of an inexperienced team to compete with the mighty DEC.

Nearly all of the companies and people involved in the minicomputer wars are gone, but the title of that book persists. One reason is that so often, objects defined by numbers do take on a sort of soul or presence, because people made them. “Soul” might be a troubling word to some people, connected as it may be to something the deity conferred only on human beings. But the idea that numbers add up to more than numbers — that’s universally valid.

Over the recent Memorial Day weekend, Rolling Thunder rumbled through Washington for its annual Memorial Day observance. My wife was bicycling right by where the motorcyclists were rolling onto the course. She stopped and took a 90-second video of the endlessly varied bikes and riders chugging past. Most rode Harley-Davidson machines. We watched the video over and over. What is a motorcycle but a chassis, a pair of wheels, a V-twin engine, and a teardrop-shaped gas tank? (Gold Wing riders, spare me.) Ah, but of course a Harley-Davidson or any motorcycle is more, much more, than the sum of its parts. Gear heads know the meaning of the stroke-to-bore ratio, horsepower, torque, and the myriad other numerically expressed specifications that describe motors. But they don’t explain that sound.

Computers, motorcycles, musical instruments, whatever your passion, are more than the sum of their parts and specifications. That’s why automobile junk yards and airplane boneyards look so sad. So does reading about a theatre or defunct church junking its pipe organ.

But what about human endeavors? They, too, are more than the sum of their parts. This came to mind recently when reading an analysis of federal inspectors general based on research at the Brookings Center for Effective Public Management. I also interviewed John Hudak, one of the study’s co-authors along with Grace Wallack. Their research quantifies the work of IGs using a return-on-investment metric. It proceeds from the postulate, correct I believe, that in general IGs return many dollars to the government for every dollar spent operating the IG office, and that this is quantifiable. The authors acknowledge that the pure dollar ROI metric is less useful in agencies where the mission isn’t primarily disbursement of money. So, for example, the IG with the highest ROI is that of the Social Security Administration, where the return is $43.60 for every dollar the office costs. The lowest financial return belongs to the Justice Department, where the IG produces a net cost. Its ROI is about 43 cents for every dollar spent on the IG operation.

As Hudak points out in the interview, the fact that the ROI looks weak is not a reflection on the Justice IG operation, just that the particular ROI number doesn’t really capture the essence of the office and how it goes about its work. The Justice IG shop is looking at programs mostly. The department doesn’t exist to disburse hundreds of billions of dollars, as Social Security expressly does.

No metric can really capture the essence of any object or program, or the people’s dedication to it.