05.08.2011
computer security, cyber crime, cyber security, cyber warfare
War has been defined as “a state of organized, armed and often prolonged conflict carried on between states, nations, or other parties typified by extreme aggression, societal disruption, and usually high mortality.[Wikipedia]” Cyber Warfare has been defined as “politically motivated hacking to conduct sabotage and espionage. [DOD]”
While some of what we’ve recently seen can be construed as Cyber Warfare (including the recent hacktivism), the bulk of what’s really going on (largely beneath the surface) is a) efforts by organized criminal elements using new technologies and capabilities to do what they have always done—steal money, or b) continued acts by nation states to steal military secrets (espionage) or corporate secrets (economic espionage).
While the latter (b) gets the big press, I am worried that the former (a) is actually the bigger problem of the two. I was personally hit by identity theft a few years ago when a group got access to my credit card details from a retailer I had done business with. This group proceeded to charge 250 rubles (about $9US) twice a month to one of my credit cards. While not a significant amount of money for me, I would guess that they had thousands of victims like me, and together, the monthly booty would add up quite quickly. Two hypotheses…
- More of this type of cyber-crime is occurring today than the stuff showing up on the front page of any newspaper; and
- What we mean when we say “Cyber Warfare” is really just the 21st century version of crime; criminals using cyber means.
I’m also afraid that our law enforcement forces (internationally) are nowhere near being prepared to deal with crime using cyber technologies—two points from a National Criminal Justice Association (NCJA) Forum I recently attended:
- One of the sessions I participated in was entitled “Why Does the Crime Rate Continue to Decline?” The speaker (a well-respected professor) informed us that crime in America is actually down to the levels it was in 1964—this represents a significant drop. I asked the question “Did crime really drop or have criminals begun to use technology to steal rather than a pistol?” His response was “criminals aren’t smart enough to use computers.” I found this very hard to believe. Criminals have always adapted to stay a step ahead of law enforcement, and I fear that they now have a significant upper-hand, especially if law enforcement feels the way the speaker did and they fail to re-tool their ranks to detect, deter, and dismantle the new cyber-oriented criminal threats.
- Another session I attended was entitled “A Clear and Present Threat: A Look at Cybercrime.” In this session, one of the speakers spoke of the growing problem of crime in virtual worlds—people with avatars in virtual worlds are stealing other people’s virtual property and assets, and real lawsuits are being tried in real courts by real people. If you don’t believe me, read this article – Virtual add-ons draw real-world lawsuits – that I found in researching this further. I would submit that today’s criminals are more tech/cyber-savvy and have realized that there are safer (cyber) ways to steal money and property without having to physically point a gun at someone’s face.
Now ask yourself, how many law enforcement officers are prepared to investigate this type of crime, let alone basic identity theft, software piracy, child pornography, and cyber-extortion? And what about their readiness to preserve digital evidence in computers, laptops, routers, firewalls, servers, and handheld devices?
Today these skill sets are confined to special divisions within a police department, segregated from the bulk of the force. I would like to offer that just like the weapon, handcuffs, and radio on their utility belt, it’s time to equip many more, if not all law enforcement officers with the training and tools to understand, detect, and investigate cyber-crime…we’ll never get fully ahead of the problem, but maybe we can catch up a bit.
Your comments and thoughts welcome…r/Chuck
29.05.2010
Award, fusion center, Information sharing, ISE-SAR, NIEM
On May 4, 2010, e.Republic’s Center for Digital Government and Emergency Management honored first responders demonstrating measurable improvements in the lives of the people and businesses they serve. Among the recipients of the inaugural Emergency Management Digital Distinction Awards was the Utah Statewide Terrorism and Information Analysis Center (SIAC). Core to SIAC’s capabilities is the Microsoft Fusion Core Solution technology platform. Here’s a snippet from the Center’s website:
Best Collaboration and Information Sharing
Fusion Center Empowers Utah’s Crime Stoppers, Utah Department of Public Safety, Statewide Information & Analysis Center
The Utah Statewide Information & Analysis Center (SIAC), managed by the Utah Department of Public Safety, is a public safety partnership collaboration with all of the state’s law enforcement and public safety agencies to collect, analyze and disseminate intelligence appropriately for enhanced protection of Utah’s citizens, communities and critical infrastructure. As the state’s intelligence fusion (terrorism and response) center, SIAC replaced a legacy system that lacked effective data management practices and included manual, duplicative efforts. SIAC implemented a new set of technologies which utilized existing assets, integrated domain-specific applications, and improved business processes for information collection and management, and analysis and information sharing with Utah’s 29 county Sheriff’s Offices, 180 law enforcement agencies, and more than 26 specialized task forces.
Fusion Core Solution is an open and extensible information sharing and analysis product, based on the National Information Exchange Model (NIEM) and Information Sharing Environment-Suspicious Activity Reporting (ISE-SAR) Functional Standard, developed to help municipal, county, regional, state, and federal intelligence and fusion centers improve operations through workflow management, information sharing, and geospatial intelligence technologies. For more information about Fusion Core Solution see http://www.microsoft.com/fusion
30.01.2010
data sharing, Information sharing, Law enforcement information sharing, privacy, security
The Ponemon Institute, considered the pre-eminent research center dedicated to privacy, data protection and information security policy, released its 2009 Ponemon Institute “Cost of a Data Breach” Study on January 29, 2010.
In the report, they published the results of their fifth annual study on the costs of data breaches for U.S.-based companies. They surveyed 45 companies representing 15 different industry sectors–significant contributors were financial, retail, services and healthcare companies.
Numbers-wise, the companies they interviewed lost between 5,000 and 101,000 records, at a cost range between $750,000 and $31 million.
What was really interesting was that the average per-record cost of the loss was determined to be $204.00–and how many records does your law enforcement/public safety agency hold?
Some factors they considered in computing the cost of the breach included:
- Direct costs - communications costs, investigations and forensics costs and legal costs
- Indirect costs - lost business, public relations, and new customer acquisition costs
The report also lists a number of causes for the data breaches, such as:
- 82% of all breaches involved organizations that had experienced more than one data breach
- 42% of all breaches studied involved errors made by a third party
- 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices
- 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).
You can download the full report here: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf
Thoughts and comments welcomed…r/Chuck
28.12.2009
Analysis, Budget, Data, Information sharing, transparency
I just took a look at the OMB Data.Gov Concept of Operations, and while I don’t want to sound like a party pooper, I am very concerned about the Data.gov effort. We appear to be moving full speed ahead with the technical aspect of making data available on data.gov without really thinking through the policy, politics, resource, and other non-technical aspects of the project that could really hurt what could be a very valuable resource.
A few concerns I have include:
1. None of the Data.gov principles in the CONOP address the “real-world effects” we hope to achieve through data.gov–from an operational programs perspective. All seven principles in the CONOP address “internal” activities (means). We need to address success in terms of what citizens will realize through the Data.gov effort.
2. The entire Data.gov effort appears to be driven out of context from any government performance planning and evaluation process. Shouldn’t the need for data transparency be driven by specific strategic management questions? Where are the links to the President’s Management Agenda? Agency strategic plans?
3. There are more than 200 Congressional Committees with varying degrees of oversight over a similar number of agencies in the Executive Branch. How will Data.gov impact Congress’ efforts to monitor (oversee) agency performance? What will happen when there is a disparity between a) what an agency says it’s doing, b) what oversight committee(s) say they are doing, and c) how the public views that agency’s performance based on data posted on Data.gov?
4. Transparency, Participation and Collaboration (TPC) are the buzz words of the month, but what does that really mean? The opening sentence of the CONOP states “Data.gov is a flagship Administration initiative intended to allow the public to easily find, access, understand, and use data that are generated by the Federal government.” Do we really expect the general public to access and analyze the data at Data.gov? If so, do we really understand how the public will want to see/access the information? More importantly, are we (agencies) fully prepared to digest and respond to received public feedback?
5. Who will pay the agencies to support data transparency? Do we really understand the burden involved in achieving open government? The last thing federal agencies need is another unfunded mandate.
6. Finally, how do we know the data that’s made accessible via Data.gov is good data (correct)? The GPRA required OIG review and certification of agency data published in annual performance reports. What can we expect in the way of quality from near-real-time access to agency performance data? Will we require the same data quality process for data feeds posted on Data.gov? Will agencies be funded to do it right?
I provide similar commentary on this issue and an analysis of the recent Executive Order in a December 17th blog posting here: http://www.nowheretohide.org/2009/12/17/open-government-directive-another-ambiguous-unfunded-and-edental-mandate/
Don’t get me wrong, I am all for open government, but let’s do it right. Let’s give the techies a couple of days off and let’s take a good hard look at the non-technical issues that could really hurt this effort if they’re not properly addressed.
Your comments and thoughts welcomed.
Thanks…r/Chuck
13.07.2009
data sharing, fusion center, Information sharing, intelligence center, Law enforcement information sharing, Uncategorized
I don’t usually plug any specific software, but I felt compelled to tell you about something I have been working with Microsoft on for about the last eight months–it’s called the Fusion Core Solution (FCS). What’s different about this project is that FCS isn’t just another application, it is an effort by Microsoft to help fusion centers do more with the many applications they currently own or have plans to invest in. First a bit of background.
Whether you like the idea of a fusion center or not, they are here to stay. At last count, there were about 70 of them, and DHS recently spoke of helping to get even more going. At their core, I believe a fusion center is responsible for doing three basic things:
- Accepting and vetting reports of unusual behavior (criminal or terrorism related);
- Providing intelligence support to major case and tactical law enforcement operations; and
- Proactively supporting federal, state, and local homeland security and community safety objectives.
To do this well, the majority of fusion centers in operation today are required to rely on an assortment of manual processes, a patchwork of incompatible software applications, and dozens of disparate information sources. Walk into the typical fusion center today and you’ll probably find that an analyst answering the phone has to enter the request for their services into one application for management purposes, enter the same information into a second application for sharing purposes, then has to manually bring up and login to anywhere from 5-15 different data sources to search for information related to the service request, then has to open up at least one or more applications to write up and package up the requested response, and then, more than likely, has to either manually fax it to whomever asked for the information or call them back on the telephone to give them the answer–a pretty painful and tedious way to work.
Today though, Microsoft announced release of a project that I have been helping them to develop for quite some time–the Fusion Core Solution. Microsoft hopes, through use of Office, SharePoint and ESRI’s ArcGIS to help ease the pain described above. The FCS uses SharePoint as a horizontal integration and workflow management platform to help an analyst go from taking in a fusion center service request, to searching for information, to analyzing that information, to producing the intelligence product without having to leave the SharePoint environment at all.
At a non-technical level, the FCS will enable fusion centers to do a couple of pretty cool things:
- Provides a common look and feel across multiple analytic tools and business processes.
- Greatly reduces the number of user names and passwords analysts must remember.
- Organizes requests for fusion center services, and tracks progress of fusion center work.
- Helps to better document and comply with 28 CFR Part 23, CUI and PCII requirements.
- Provides multiple analyst-to-analyst and fusion center-to-fusion center collaboration tools.
- Helps to keep track of fusion center and extended staff capabilities and availability.
From a technical perspective, FCS fully supports NIEM conformant information exchanges and establishes a framework for supporting the service-oriented principles of the Justice Reference Architecture (JRA) as it applies to information and data sharing.
In a nutshell, “Fusion Core Solution is for a Fusion Center what Microsoft Windows is to a personal computer“–you can think of FCS as the “operating system” for a Fusion Center.
For more info, check out the Fusion Core Solution website, or email me.
r/Chuck
Added 8/4/2009: Click HERE to see Joe Rozek, Microsoft’s Executive Director of Homeland Security, and Former Senior Director for Domestic Counterterrorism at The White House Office of Homeland Security talk about Fusion Core Solution
16.06.2009
data sharing, Information sharing, Law enforcement information sharing, LEIS, Uncategorized

If you haven’t heard about the Department of Health and Human Services Federal Health Architecture and CONNECT project, I suggest you pop over to this website where documentation for version 2.0 of the software resides:
http://www.connectopensource.org/display/NHINR2/Release+2.0+Home
CONNECT is an open source software gateway that connects public and private health organizations to the National Health Information Network. Think of it like a giant peer-to-peer N-DEx, but with an open source “front-porch” that drops into each agency and extracts the data from back-end systems.
I’ll be doing more investigation into the CONNECT project to see if we can adapt it for law enforcement information sharing use–the closest thing to this on the LEIS side is the FINDER project in Orlando, FL.
As always, comments and thoughts welcomed.
r/Chuck
chuck@nowheretohide.org - www.nowheretohide.org
09.01.2009
CJIS, data sharing, Information sharing, law enforcement, Law enforcement information sharing, LEIS, public safety, Strategy
Some who read this may take it as a rant against agencies/providers who say we need more money for implementing law enforcement information sharing (LEIS), but in fact, this post is really about understanding the landscape and influencing the choices and priorities of state and county policymakers and the affected law enforcement executives.
Let me first lay out the agency landscape:
- There are about 14,000 state and local law enforcement agencies;
- In roughly 3,000 counties;
- That make up the 50 states of our great nation.
Now let’s lay out the funding landscape:
- For 2008 the Department of Homeland Security (DHS) allocated $3,200,000,000 (billion) for state and local assistance grants;
- In that same year, the Department of Justice (DOJ) made another $2,000,000,000 available;
- For 2008 that’s a total of $4,200,000,000;
- For 2007 that number was $4,500,000,000;
- For 2009, we are hoping that number stays about the same or goes even higher.
- To all these numbers you must add funding from the Department of Defense, Department of Transportation, Department of Health and Human Services, or State funding sources for LEIS.
Finally, let me lay out the cost landscape for LEIS:
- In my eight or so years of experience of building and deploying LEIS, I’ve seen the costs associated with hooking up an agency to vary between $5,000 and $80,000 per record system connection;
- On average though, I feel the safer number is between about $20,000 and $40,000;
- For argument’s sake, let’s use the high number of $40,000.
Now comes the fun part…let’s do some math…
- To be realistic, let’s say that 25% of the 14,000 agencies are already sharing information;
- That leaves about 10,000 agencies left to connect;
- At $40,000 an agency, we would need a total of $560,000,000 (Million);
- Divide that by the 3,000 counties, and we will need about $190,000 per county;
- If we do this over three years, that’s only $63,000 per county, per year for three years!
With (on average) every county getting about $1,400,000 every year for law enforcement and public safety (out of the $4.2 Billion allocated annually), I would like to think that we (collectively) can see the benefits of LEIS enough to spare $63,000 a year for three years to get it done.
Here’s where the issue of choices and priorities comes in. If we can agree that the money IS there, what we really need to work on are ways to convince the policymakers and law enforcement executives in those counties that investing a little in LEIS is a better investment than whatever it is they’re currently spending their part of the $4,200,000,000 on. Do you agree?
I’d also like to know what role you think the IACP, MCC and NSA would play here?
Thoughts and comments invited…and yes, I used a calculator…;-)
r/Chuck Georgo
08.01.2009
CJIS, data sharing, Information sharing, law enforcement, Law enforcement information sharing, privacy, public safety, security
The IJIS Institute announces the appointment of Chuck Georgo, founder of NOWHERETOHIDE.ORG, as the Chairperson of the IJIS Institute’s Security and Privacy Advisory Committee.
The purpose of the IJIS Institute’s Security and Privacy Advisory Committee is to provide advice and counsel to the Department of Justice’s Office of Justice Programs (OJP), as well as other national organizations, on issues of information system security and privacy as applied to integrated justice and public safety information systems, and to develop materials and seminars to educate industry and government staffs on security and privacy measures, designs, and related issues.
The Security and Privacy Advisory Committee strives to be vendor agnostic in all activities and work products and to be the authoritative source for establishing effective privacy and security measures throughout the justice, public safety, and homeland security information sharing community. Additionally, the committee’s goals include increasing government and industry awareness and understanding of technical and non-technical privacy and security requirements and improving the privacy and security posture for federal, state, local, and tribal justice information sharing efforts. In order to achieve these goals, the committee performs research, issues white papers, develops and conducts training, participates in advisory working groups, and supports technical assistance projects.
Chuck Georgo, regarding his appointment, noted that, “Successful information sharing requires trust. I believe that to get trust you need two things—honorable motive and reliability. Organizations must know that your motives benefit the social good and that your means to protect shared information from compromise is achievable and durable. While honorable motive is in the hands of law enforcement and justice agency executives, I believe that the IJIS Institute, through the Security and Privacy Advisory Committee, can help government and industry to employ effective ways for achieving the reliable means to protect that information. I look forward to working with my fellow committee members to further advance the cause of information sharing through robust security and privacy principles and practices.”
Chuck Georgo has nearly 28 years of experience in intelligence, national security, defense, and law enforcement arenas. He has served as a strategic planner, business analyst, and technologist supporting the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, and many other public and private sector organizations.
# # #
About the IJIS Institute — The IJIS Institute serves as the voice of industry by uniting the private and public sectors to improve mission critical information sharing for those who protect and serve our communities. The IJIS Institute provides training, technical assistance, national scope issue management and program management services to help government fully realize the power of information sharing. Founded in 2001 as a 501(c)(3) non-profit corporation with national headquarters on the George Washington University Virginia Campus in Ashburn, Virginia, the IJIS Institute has grown to more than 240 member and affiliate companies across the United States. For more information visit www.IJIS.org.
About NOWHERETOHIDE.ORG – NOWHERETOHIDE.ORG, LLC, was established to help federal, state, and local law enforcement, justice, and homeland security agencies to better achieve their public safety and national security objectives. As our name implies, we want to help these agencies become so effective that criminal elements have nowhere-to-hide from justice. We offer planning, assessment, and technology consulting services to help law enforcement, justice, and national security agencies identify and resolve the issues that currently stand in the way of achieving high performance standards. For more information visit www.nowheretohide.org.
Doris Girgis | Communications Specialist | IJIS Institute | Ph: 703.726.1096 | www.ijis.org
January 6, 2009
02.01.2009
CJIS, data sharing, Evaluation, Information sharing, law enforcement, Law enforcement information sharing, LEIS, Performance Measures, Processes, public safety, SOA, Strategy, Technology, Uncategorized
Tom Peters liked to say “what gets measured gets done.” The Office of Management and Budget (OMB) took this advice to heart when they started the federal Performance Assessment Rating Tool (PART) (http://www.whitehouse.gov/omb/part/) to assess and improve federal program performance so that the Federal government can achieve better results. PART includes a set of criteria in the form of questions that helps an evaluator to identify a program’s strengths and weaknesses to inform funding and management decisions aimed at making the program more effective.
I think we can take a lesson from Tom and the OMB and begin using a formal framework for evaluating the level of implementation and real-world results of the many Law Enforcement Information Sharing projects around the nation. Not for any punitive purposes, but as a proactive way to ensure that the energy, resources, and political will continues long enough to see these projects achieve what their architects originally envisioned.
I would like to propose that the evaluation framework be based on six “Standards for Law Enforcement Information Sharing” that every LEIS project should strive to comply with; they include:
1. Active Executive Engagement in LEIS Governance and Decision-Making;
2. Robust Privacy and Security Policy and Active Compliance Oversight;
3. Public Safety Priorities Drive Utilization Through Full Integration into Daily Operations;
4. Access and Fusion of the Full Breadth and Depth of Regional Data (law enforcement related);
5. Wide Range of Technical Capabilities to Support Public Safety Business Processes; and
6. Stable Base of Sustainment Funding for Operational and Technical Infrastructure Support.
My next step is to develop scoring criteria for each of these standards; three to five per standard, something simple and easy for project managers and stakeholders to use as a tool to help get LEIS “done.”
I would like to know what you think of these standards and if you would like to help me develop the evaluation tool itself…r/Chuck
Chuck Georgo
chuck@nowheretohide.org
www.nowheretohide.org
07.10.2008
data sharing, Information sharing, Technology
I had the pleasure of attending a briefing today on the Virtual Alabama (VA) Project. Jim Walker, Director, Alabama Department of Homeland Security, and Chris Johnson, VA Project Manager gave a full blown, real-time demonstration of VA’s capabilities. While just seeing Google Earth Enterprise technology is cool in itself, what was really astonishing was to see how the project has worked to get access to an amazing number of data sources–they have engaged over 1,100 agencies in implementing information sharing across the state!
Driven by specific business needs, the VA project now supports law enforcement, fire, emergency management, business and economic development, property tax assessment, port security, emergency evacuation, and they’re only into the project about 10% (their number). Other states would do well to take a look at what they’ve done in about 18 months for about $500,000 with a team of four people. And, don’t focus solely on the specific technology they chose–the real lesson here is what they did to get Alabama agencies to share their data! This is the true accomplishment.
I hope the project can find time to write up and share a white paper to document the various strategies they employed to get access to the data–arm twisting, the shame game, Friday afternoon strategy sessions at local watering holes, etc.
Here’s a YouTube movie about it: Google Earth Enterprise Case Study: Virtual Alabama
Enjoy!…r/Chuck Georgo