May 05, 2003
50 States of the CIO
I was interviewed for an article in Washingtonpost.com last week. The article appeared today and is entitled 50 States of the CIO. The gist of the article is that state CIOs face tight budgets, barriers within Government to accomplishing their mission, and a steep learning curve. I think the last one is often overlooked. I've written my Public Service Tips tongue in cheek, but these are real lessons that anyone coming to the public sector from the private sector will have to learn. Often you learn them too late.
01:06 PM
Public Network Vulnerabilities
Sean Gorman is with the School of Public Policy at George Mason University. He's speaking of vulnerabilities in the physical layer of networks used by the Federal government. They map logical networks onto physical networks and then perform statistical analyses of which cuts where do the most damage. The results are interesting for anyone planning on using the Internet for public safety and homeland security related efforts. Technological and market forces have reduced the number of redundant paths available on the Internet rather than increased them. This is yet one more reason for local and state governments to promote regional and local peering.
Another topic he mentions is targeted strategies for protecting networks from virus and trojan horse attacks. Their research shows that in a network of 12,000 nodes, you can get effective containment by protecting only the 2.5% most well-connected nodes (largest address books, most email processed, etc.). This is interesting from a cost-effectiveness standpoint. If you can identify these nodes, you could buy about 3% of the virus protection tools you buy now. That's a significant savings for a large organization. Of course, most users are more interested in their files being protected than they are in just containing the attack. More interesting, perhaps, is the fact that the failure of your protection mechanism on certain nodes can be intensely damaging to containment efforts. That's where IT management ought to be putting administration effort.
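The containment argument above can be explored with a small model. This is an added example, not code or data from the research described: it assumes a preferential-attachment graph as a stand-in for an email contact network, a constructed per-link transmission probability of 0.2, and hypothetical function names. It compares the worst-case outbreak under no protection, random protection of 2.5% of nodes, protection of the 2.5% best-connected nodes, and that same hub protection when it fails on the top tenth of the protected hubs.

```python
import random
from collections import Counter

def contact_graph(n, m, rng):
    """Each new node links to m existing nodes, favouring well-connected ones."""
    adj = [set() for _ in range(n)]
    stubs = list(range(m))                 # seed nodes, one entry each
    for new in range(m, n):
        picks = set()
        while len(picks) < m:
            picks.add(rng.choice(stubs))
        for old in sorted(picks):
            adj[new].add(old)
            adj[old].add(new)
            stubs += (new, old)            # one entry per link end
    return adj

def worst_outbreak(links, protected):
    """Largest cluster of unprotected nodes joined by links the malware crosses."""
    parent = {}
    def find(v):
        parent.setdefault(v, v)
        while parent[v] != v:
            parent[v] = parent[parent[v]]  # path halving
            v = parent[v]
        return v
    for a, b in links:
        if a not in protected and b not in protected:
            parent[find(a)] = find(b)
    sizes = Counter(find(v) for v in list(parent))
    return max(sizes.values(), default=1)  # a lone infected node counts as 1

def compare(n=12000, m=2, p=0.2, share=0.025, seed=2003):
    """Worst-case outbreak size under four protection plans (constructed model)."""
    rng = random.Random(seed)
    adj = contact_graph(n, m, rng)
    # Each link passes the malware with probability p; drawn once for all plans.
    links = [(a, b) for a in range(n) for b in sorted(adj[a])
             if a < b and rng.random() < p]
    k = round(n * share)                   # 300 of 12,000 nodes
    ranked = sorted(range(n), key=lambda v: len(adj[v]), reverse=True)
    plans = {"none": set(), "random": set(rng.sample(range(n), k)),
             "hubs": set(ranked[:k]), "hubs_top_tenth_fails": set(ranked[k // 10:k])}
    return {name: worst_outbreak(links, prot) for name, prot in plans.items()}

if __name__ == "__main__":
    print(compare())
```

Because the same set of transmitting links is reused for every plan, the differences in the result come only from which nodes are protected.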
12:01 PM
SBU: Sensitive But Unclassified
The next panel is on "Sensitive but Unclassified (SBU): Agency Network Partnerships" by Miles Matthews (DoJ) and Leonard Starling (DISA). The Global Justice Information Sharing Initiative has buy-in from eight Cabinet members and brings together four separate non-classified information systems used by law enforcement agencies at the Federal, state, and local level. The technology is simple: VPNs and closed networks. The goal is to have single sign-on and a common encryption system. The applications are similarly simple: email, chat, mailing lists, newsgroups (NNTP), and websites. Governance is through a set of cross-certification agreements.
The system connects LEO, RISS.NET, OSIS, and OpenNet along with two other smaller, non-IP networks. LEO (Law Enforcement Online) is the FBI system. RISS.NET is a local and state system. OSIS is the Open Source Information System, an intelligence community VPN. I think "open source" in this context refers to access to unclassified information. OpenNet is a State Department system for SBU information. One of the neat features is a 50 million record database of visa application data. The only requirement for connectivity is Internet connectivity and access to the VPN. The network allows anyone on the network to create newsgroups for specific topics. The groups might be long-lived or event-centered.
In the integrated system, filing a query to RISS.NET, for example, will return pointers to other resources on all four systems that are relevant. Single sign-on allows the user to use resources on all four systems to gather intelligence, communicate with other interested parties, and create special interest groups about an investigation.
This is a great example of how single sign-on can facilitate cooperative data exchange and increase an individual's reach. The primary means of integration in this system was to integrate the user databases for the four systems so that the users are linked in email, chat, mailing lists, and newsgroups. The other component was a means of telling users about resources available to them on other systems. This isn't done with a general purpose web page, but in a personalized way as the result set for specific queries.
07:49 AM
Enterprise Architecture
The opening panel this morning is "Getting Buy-In for Enterprise Architecture." The moderator is Melissa Chapman (CIO, HHS). The panelists are Steve Perkins (SVP, Oracle), Felix Rausch (FEAC Institute), Carla von Bernewitz (Dir. of Enterprise Integration Office, US Army), and Barry West (CIO, National Weather Service).
Enterprise architecture is, at its heart, about sharing resources, data, etc. Barry says that the first thing to come out of enterprise architecture at NWS is a comprehensive inventory of their IT assets. This has allowed NWS to make better business decisions and not just about IT. Many agencies have concentrated on integrating business systems over the integration of mission or program systems. I think that's because the former is much harder to get done. If you plan right, program systems will integrate as they are replaced, but business systems are in a constant state of being replaced, a little at a time. If you don't have a program to integrate business systems, it can't happen through incremental purchasing.
IT Managers seeking to create an enterprise architecture can't succeed unless they have on-going, regular executive involvement. One sign that this is happening is organizational change. If the organization isn't changing then your enterprise architecture isn't taking hold. This creates a challenge for many organizations who are afraid of organizational change. People should be moved into new roles, and old roles should be deleted. This implies that training is an important component of an enterprise architecture.
Data standardization, as part of the enterprise architecture, hasn't gotten much traction. Felix says that no one's going to get money to do data architectures so it has to be dressed up in programs. Steve says you have to start with the data (he's from Oracle, what do you expect?). Melissa says the problem is too many data standards. That's exactly the point, I think. Data architecture isn't just about creating standards. Data architecture is about data modeling.
Steve Carlton (CIO, GSA) says that enterprise architecture is perceived by the business side as just another planning tool in an environment where there are many planning methods. Carla says that it needs to be integrated into the business side, not just the planning, but the programming and budgeting side as well. If it happens bottom-up, you'll get what you always got. Enterprise architecture needs to be driven top-down. Felix says "if the CIO isn't in bed with the CFO, you're not accomplishing." Taking that further, the entire executive team needs to be aligned. Barry says that NWS took the enterprise architecture process out of the CIO's office and put it in their institutional planning office.
Steve uses GE as an example of driving integration by using a process to choose which systems should be shared and standardized and which operational systems need to be unique. Of course this can backfire. We had a long series of meetings in Utah in 2001 to try to reach some understanding about this. In the end, the only system people could agree should be consolidated was email and even that failed to happen because in the end people were unwilling to give up even that little bit of control.
06:45 AM
Federal CIO Summit
I'm in Savannah, Georgia, for the Government CIO Summit, sponsored by FCW Media Group. This conference tends to be more oriented toward Federal CIOs but I've already run into a few old friends from State CIO activities. I'm speaking tomorrow afternoon on using Web services.


