Showing posts with label GTC East 2009. Show all posts

Wednesday, September 30, 2009

GTC East: Web 2.0

Last week, I attended two sharply contrasting GTC East sessions focusing on New York State government use of Web 2.0 technology. (i.e., Web tools and technologies that enable end users to post content online, customize how they receive Web content, and build and sustain online communities. Examples include blogs, social networking sites such as Facebook and MySpace, and RSS feeds.) Now that I’ve had a chance to mull over these presentations, I wanted to say a few things about them.

The first session, “Security: Getting Past ‘No’ -- How to Implement 2.0 without a Security Crisis,” heavily emphasized new life that Web 2.0’s interactive nature has breathed into all manner of old Web security threats: cross-site scripting, cross-site request forgery, widget attacks, SQL injection attacks, XPATH vulnerability, cross-scripting worms, and authentication and authorization vulnerabilities.

One of the panelists (sadly, I didn’t catch his name, which doesn’t appear anywhere on the GTC East 2009 Web site or print program) works for the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC). He noted that CSCIC is currently blocking third-party social networking sites pending analysis of their risks, costs, and benefits but stressed that other agencies needed to answer the following questions for themselves:
  • Can your employees safely use these sites?
  • Do you trust the creators of these sites to address security vulnerabilities appropriately?
  • Do all of the good things that social networking offers outweigh the risks?
These are crucial questions, and I’m glad that CSCIC is helping to ensure that New York State agencies don’t unwittingly wander into security minefields, but it struck me that the overall tenor of this session -- which also featured Ken Kaminski of Cisco Systems -- might feed the sort of “I don’t understand it, so I’m going to ban it” mentality that the “Emerging Technology: Open Source” panelists identified as a recurring problem. I’m really hoping that the agency information security specialists who sat in on this session are of the “assess and manage risk” school, not the “fear and resist change” one.

The other session, “Engaging Citizens Through Web 2.0” emphasized the benefits of Web 2.0. Andrew Hoppin, the CIO of the New York State Senate, highlighted its role in making the Senate more transparent and more participatory. The Senate Web site:
  • Uses a collaborative filtering process that highlights the most frequently accessed resources on the site’s home page.
  • Gives individual senators and committees complete control over the content that appears on their own pages, their own RSS feeds, and the ability to link to their Facebook pages, Twitter feeds, etc.
  • Allows citizens to comment on proposed legislation and upon comments left by other users of the site, which helps to ensure that popular ideas “float to the top.” (Staff remove hate speech, scatological language, etc., but keep moderation to a minimum, which ensures lots of public input -- check out some of the great comments concerning the Senate’s tumultuous recent past.)
  • Provides social bookmarks that make it easy for citizens to post items of interest to Facebook, etc.
Hoppin and his colleagues are also popularizing the use of the “@nysenate” Twitter tag so that tweets relating to the Senate can be identified more readily.

After Jim Silvia of Laserfiche discussed how enterprise content management systems can, among other things, help governments create Web 2.0 applications and meet recordkeeping and other requirements relating to all types of government information, there was a lengthy question-and-answer session that focused largely on the Senate’s enthusiastic embrace of Web 2.0. Topics included:
  • Building support: The Office of the CIO had to go through a very lengthy consensus-building process governing the posting of content, and has carved out a few narrow areas in which re-use is prohibited; for example, information posted on the site cannot be used for fundraising or other political purposes. Whenever possible, the Office of the CIO “evangelizes” about new possibilities for citizen involvement.
  • Coordinated citizen campaigns: comments are tracked by IP address, so a small number of people can’t game the system by posting comments repeatedly or ranking each other’s comments favorably. It is possible for large, organized groups of citizens to deluge the Senate site with comments, but citizen groups have long engaged in letter-writing campaigns, etc., and it’s easy to figure out when a coordinated effort is taking place. Moreover, all citizen input has value.
  • Security (my question): The Office of the CIO has determined that third-party social networking sites support the Senate’s core mission of interacting with and soliciting input from citizens. It keeps systems housing restricted data separate from those that offer Web 2.0 capability.
  • The digital divide: some citizens lack ready access to or comfort with the Web, and Hoppin and his colleagues are exploring other ways to interact with citizens (e.g., telephone).
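The IP-based controls described above, as an added illustration that is not the Senate site’s own code: each IP gets one ranking vote per comment, cannot vote up its own comment, and is flagged when it posts a burst of comments in a short window (the window, threshold, IPs and comments are constructed for this example).

```python
from collections import defaultdict
from datetime import datetime, timedelta


class CommentRanker:
    """Comment ranking with per-IP anti-gaming controls.

    Assumption (not stated on the page): the only identity signal is the
    client IP, so one IP gets one ranking vote per comment, cannot vote up
    its own comment, and is flagged if it posts many comments in a short
    window. This is an illustration, not the Senate's implementation.
    """

    def __init__(self, window=timedelta(minutes=10), max_posts=5):
        self.comments = {}                    # id -> {"ip", "text", "ts"}
        self.votes = defaultdict(set)         # id -> set of voter IPs
        self.posts_by_ip = defaultdict(list)  # ip -> posting timestamps
        self.window = window
        self.max_posts = max_posts

    def post(self, ip, text, ts):
        cid = len(self.comments) + 1
        self.comments[cid] = {"ip": ip, "text": text, "ts": ts}
        self.posts_by_ip[ip].append(ts)
        return cid

    def vote(self, ip, cid):
        """Record an up-vote; return False when it would game the ranking."""
        owner = self.comments[cid]["ip"]
        if ip == owner or ip in self.votes[cid]:
            return False
        self.votes[cid].add(ip)
        return True

    def score(self, cid):
        return len(self.votes[cid])

    def ranked(self):
        """Comment ids, most-voted first; ties keep posting order."""
        return sorted(self.comments, key=lambda c: (-self.score(c), c))

    def repeat_posters(self):
        """IPs that posted max_posts or more comments inside one window."""
        flagged = set()
        for ip, stamps in self.posts_by_ip.items():
            stamps = sorted(stamps)
            for i in range(len(stamps) - self.max_posts + 1):
                if stamps[i + self.max_posts - 1] - stamps[i] <= self.window:
                    flagged.add(ip)
                    break
        return flagged


def demo():
    """Constructed scenario: two honest commenters, one IP posting in a burst."""
    t0 = datetime(2009, 9, 30, 9, 0)
    r = CommentRanker()
    a = r.post("192.0.2.10", "Support the bill", t0)
    r.post("192.0.2.20", "Amend section 3", t0 + timedelta(minutes=1))
    r.vote("192.0.2.20", a)       # counts
    r.vote("192.0.2.20", a)       # rejected: duplicate vote from same IP
    r.vote("192.0.2.10", a)       # rejected: self-vote
    r.vote("192.0.2.30", a)       # counts
    for i in range(5):            # burst of comments from one address
        r.post("198.51.100.7", f"repeat {i}", t0 + timedelta(minutes=2 + i))
    return r
```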
I think I’ve seen the future of New York State government’s Web presence -- and it looks a lot like the Senate’s current presence. Sorting out all of the records issues associated with Web 2.0 is going to be a challenge, but it should be kind of fun, too.

Thursday, September 24, 2009

GTC East 2009: open source

This afternoon, I attended a great GTC East session, “Emerging Technology: Open Source,” which featured former Pentagon CIO and current Sun Microsystems Federal COO Bill Vass and two State agency CIOs: Robert Vitello of the New York State Department of Labor and Andrew Hoppin of the New York State Senate. It’s always really encouraging to see government IT professionals champion the value of interoperability, collaboration, and novel ways of serving the public.

Bill Vass highlighted the advantages of open source software:
  • Better security. The national security community has embraced open source in part because all of the major proprietary vendors have outsourced their programming work to India, China, and Russia. Overseas programmers -- who are as talented as any coders out there -- can thus insert hidden code into commercial products. Proprietary vendors may tout expert certifications, but even experts cannot examine millions of lines of code. Open source code is fully open and can be reviewed completely by developer communities and others. Security should not be embedded in the code but managed outside of it.
  • Reduced procurement time. Procuring proprietary software requires a long lead time. However, with open source software, it’s possible to download the software, verify that it works, then procure support services.
  • No vendor lock-in or lock-out. Your data (i.e., your records!) won’t be trapped in a proprietary system, and you can secure support services from multiple vendors.
  • Reduced cost. Open source support contracts are sometimes more expensive than proprietary support contracts, but there is no cost of acquisition for open source software. Moreover, it’s often possible to get 90 percent of the functionality of proprietary software (i.e., the most heavily used features) for 10 percent of the cost.
  • Increased quality. Owing to the nature of the development process, open source code goes through about 3 times as many quality assurance reviews as proprietary code.
Andrew Hoppin discussed how he and his staff use open source software to create a more transparent, more participatory, and, in particular, more efficient Senate. Use of open source results in cost savings, increased speed to deployment, absence of vendor lock-in, recruitment of top talent (the most talented people like to work with open source software), and leveraging of tax dollars and the innovation that comes with community-built software.

The Senate uses open source for server software (Linux, Apache), databases (MySQL), programming languages (PHP, Java), and platforms and applications (Drupal and WordPress for content management, SugarCRM or CiviCRM for relationship management, and RedMine, Trac, OpenAtrium for task management). It makes use of Creative Commons licensing and has developed some of its own open source software; its News 2.0 makes news clips available to the staff and to the public. The Senate also creates legislative data in open formats using open schemas and standards and publishes it as RSS feeds and with an API so that others can reuse it.

Robert Vitello noted that one way to defuse potential objections to use of open source is to note that, in all likelihood, one’s agency is already using it. Open source products are defined as such by their licenses, and many of the commercial products you’re currently using likely contain open source code. Most open source licenses specify that use of the code renders the product open source, but vendors don’t always realize this fact. When procuring software, the Department of Labor forces vendors to expose the licenses for all of the code embedded in their projects, and a lot of vendors were surprised to find that they were selling something that they really couldn’t.

Vitello also debunked a number of potential objections to the use of open source software:
  • In most instances, open source products offer functionality sufficient to meet one’s business needs.
  • A lot of people like commercial software because of product integration, but the integration isn’t that great, and open source communities can help to integrate software.
  • Open source doesn’t require extensive coding and programming knowledge. It depends on how much customization you want to do.
However, he also noted that in some instances, it might be possible but not practical to move from a proprietary product to an open source one; the move might require extensive research, staff training, and other work.

DOL uses Moodle for learning management and wikis, and used GForge to create LaborForge.org, via which it distributes its open source software.

During the question-and-answer period, the panelists made lots of great points:
  • Proprietary software is generally built to enterprise scale, but open source software is built to Web scale (e.g., Google uses MySQL) and is thus highly scalable.
  • If you’re contemplating an open source solution, assess the size and health of the community that supports and develops it and determine who else is using it. Some communities are too tightly controlled, while others are too disorganized to be effective. Have your developers devote some time to interacting with the community.
  • Assess the skill sets of your employees and make your software choices accordingly. Open source tends to be fun, and people who love the technology love it; people who don’t love the technology want to administer contracts. Purchasing third-party support may also be an option.
  • Some vendors produce proprietary products that really do meet your needs. There is always a choice, and that choice should be driven by business need and what the payoff will be.
  • When submitting RFPs, encourage open source providers to submit responses and educate you. Ask proprietary providers to do the same.
  • Many people respond to “scary” new things by banning them, but have no choice but to embrace them hastily once they’ve become too popular to ban. The appropriate approach is to understand new things and to manage them.
I was particularly intrigued by something Robert Vitello discussed: DOL is thinking of using an open source application to create a virtual world on its CareerZone Web site, and could allow other agencies to build onto this virtual world. Virtual State Archives reading room: YES!

GTC East 2009: data security

Yesterday afternoon, I attended the “Security: Protecting All That Data” session, in which Simon Hunt of McAfee outlined how to implement a range of data security initiatives. Although it didn’t focus directly on records issues, it highlighted the overlapping interests of information security officers and records professionals.

Hunt began by furnishing an interesting overview of the current data security climate, which is characterized by an increasingly stringent and complicated patchwork of laws specifying how governments and corporations must respond to actual or potential data breaches, the proliferation of mobile data devices such as laptops, cell phones, and USB sticks, and increasingly sophisticated forms of criminality. People used to write malware because they wanted to have fun and prove their intelligence, but now they do it to make money. There are gangs throughout the world that specialize in data theft, and others that specialize in leveraging stolen data. Moreover, toolkits that enable users to create or modify Trojan horse applications and viruses are now sold online; a good one costs approximately $1000.

Of the major data breaches that have happened in 2009, 31 percent were inadvertent, 50 percent were caused by some sort of outside action, 9 percent were the result of malicious action by staff, 2 percent the result of other staff actions, and 9 percent by unknown factors. Laptops, which were at the center of 17 percent of breaches, are the fattest target for thieves. Other breaches were the result of hacking (12 percent), Web attacks (11 percent), fraud-SE (11 percent), lost media (5 percent), e-mail (4 percent), and viruses (2 percent).

However, what I found most startling was that paper records account for a significant percentage of 2009 data breaches to date. Documents that were not disposed of properly comprise a whopping 11 percent of breaches, “snail mail” 6 percent, and stolen documents 3 percent. Moreover, a quick review of DataLossDB, which provided Hunt with his figures, indicates that 2009 has seen an unusually large percentage of breaches associated with improper disposal; in 2008, improper disposal accounted for only 4 percent of the breaches. My takeaway: archivists, records managers, CIO’s, and information security officers must stress the importance of safeguarding all types of records and information.

Noting that most organizations don’t focus on data security until they suffer some sort of breach and that insider theft increases when times are bad, Hunt emphasized that data security is a lot easier than many people think. He then outlined a series of proactive steps that can improve data security; although he mentioned several McAfee products that might help, most of his remarks seemed generally applicable.
  • Understand the risks you face: sit down and think about how data moves within your organization and identify stakeholders, potential allies (like records managers?) and possible barriers. You should figure out what’s valuable and how it might be attacked, and how much time and effort you’re prepared to devote to protecting it. Data at rest (e.g., on desktops, laptops, etc.) is easiest to protect, but data in motion (e.g., Web 2.0, file sharing, blogs) and data in use (e.g., USB sticks, DVDs) also need attention. Remember that data protection must be tightly woven into your business, that technology is not the hard part -- training and policy are the big challenges -- and that data protection is constantly evolving.
  • Encrypt your data. Non-encrypted data on laptops is a soft target, and governments and corporations that can’t account for a missing laptop are legally obligated to inform anyone whose information might have been on the laptop that their data has been stolen or exposed. Deploying hard drive encryption on all laptops and desktops is the easy fix. However, you need to manage it and to be able to prove that a lost device was encrypted. Encryption will take care of about 60 percent of the typical organization’s security issues and can be done in 2-4 man-weeks.
  • Manage your removable media. Portable media can also be encrypted and policies mandating use of encrypted USB sticks can help. Port control software that limits use of USB media is also an option. Encrypting USB sticks and other portable media will address about 20 percent of the typical organization’s security needs.
  • Identify your confidential data. Focus on the risk drivers specific to your organization, define the most critical vectors, and determine stakeholders’ needs. Too many security initiatives fail because people were stopped from doing what they saw as legitimate and necessary actions, so make sure you take their needs into account and provide training.
  • Deploy McAfee’s Data Loss Prevention. This software finds data, indexes it, determines who has access, implements prevention techniques (e.g., blocking or monitoring users who try to copy or print sensitive information) as dictated, and monitors the flow and use of data throughout an organization. According to Hunt, DLP will take care of an additional 18 percent of the typical organization’s data security needs.
Nice, succinct presentation. Hunt emphasized solutions more than products. He also drew our attention to an awesome image of a physical security failure, courtesy of FailBlog. I have the feeling that this image is going to make its way into lots of other presentations on security.

Wednesday, September 23, 2009

GTC East 2009: CIOs of the Year

Every autumn, the GTC East conference comes to Albany. Although it’s geared toward public-sector IT professionals, I’ve always found the sessions useful: they reflect the concerns and priorities of people who develop and maintain electronic records systems and let me pick up snippets of technical information I might not otherwise obtain.

“Managing Technology in the Public Sector: CIO of the Year” featured three award-winning CIOs: Daniel Chan of the New York State Office of Temporary and Disability Assistance (OTDA), Kim McKinney of Broome County, and Ed Hemminger of Ontario County. They discussed three pressing issues -- workforce development, shared services, and creative partnerships -- and throughout the session discussed how they keep going in tough fiscal times. Many of their comments should resonate with government archivists and records managers.

Workforce development
  • Hemminger is reorganizing his unit and working with the New York State Department of Civil Service to reclassify positions. He is also dealing with the challenges of managing an older workforce: his staffers have immense knowledge and skill, but their recollections of old conflicts and slights are sometimes an obstacle.
  • McKinney actively recruits younger people, which means that she must examine how they communicate and assess the security and other challenges associated with allowing them to access, e.g., Web 2.0 sites. Some of her younger staff are connected to the open source community, and will periodically seek input from it -- to the county’s benefit. She’s also working to create a project management position and focusing on ensuring that project staff transfer essential knowledge to permanent staff before they depart; however, owing to permanent staff shortages, this can be a challenge.
  • Chan is also seeking to cultivate new skills: he wants less emphasis on programming and more on thinking about enterprise architecture. He also wants staff to focus on project management and working with customers to identify business requirements; he is working with the Department of Civil Service to create a Business Analyst job title series (and I sure hope these Business Analysts will address records retention and e-discovery issues!) In addition, he’s leveraging open source technologies: financial hardship is forcing OTDA to cast aside its tendency to over-engineer solutions and to be more receptive to open source.
Shared services
  • McKinney noted that the Governor’s Office has offered local governments in New York State grant funding that enabled them to develop shared services. Broome County has centralized contract negotiations for several municipalities and is working on electronic payroll services for county and municipalities. The fiscal crisis has made localities a lot more receptive to sharing services; however, finding staffing to support these services is a challenge. McKinney emphasized that shared services and consolidation are different: in the former, one entity takes over everything and assumes all risk, whereas in the latter risk and responsibility are shared.
  • Hemminger is spearheading the installation of fiber optic cables that will connect all of Ontario County’s municipalities and which will lay the groundwork for sharing of GIS and other types of data and, possibly, consolidation of IT functions. Most of the county’s towns contract out their IT services, and the current fiscal climate actually provides new opportunities for developing shared services.
  • Chan stressed the importance of enterprise-level IT development and service-oriented architecture: the focus should be on developing robust services that multiple agencies can use and getting staff to buy into this model.
Creative partnership
  • Chan noted that in private industry, he often took on projects that were so large that no one entity could do them alone. When he moved into State government, he retained his focus on defining core aims and identifying people who could help realize them. He has found partners among vendors and among the other agency CIOs with whom he co-founded the Economic Security and Human Services Advisory Board. He emphasized the importance of having a forum that enables one to explain one’s challenges and seek input and help. No one forced the group into existence; it came together because its founders share common challenges and values.
  • Kim McKinney ensures that the vendors with which her unit repeatedly does business are deeply familiar with the unit’s business needs and can offer effective solutions. Good vendors know that they need to do this, and they also supply information about what other localities and State agencies are doing. She also partners with the State: State projects are more successful when the localities are involved (which makes sense given that the state’s social service infrastructure is largely county-run and State-supervised). Finally, she draws upon the expertise of fellow members of the New York State Local Government Information Technology Directors Association (NYSLGITDA).
  • Ed Hemminger, the current NYSLGITDA president, echoed McKinney’s comments concerning State-local partnerships -- local governments are often the public face of State government application deployment -- and working with well-chosen vendors. He also advised attendees that they should eject from their offices any vendor trying to sell them products -- as opposed to solutions (having interacted with both types of vendors, I heartily concur). In addition, he noted that good partnerships are rooted in relationships: it’s important to know one’s partners and their needs and goals.
I was particularly struck by Hemminger’s closing remarks, which targeted IT professionals but are equally applicable to archivists: in times of scarce resources, we cannot afford to reinvent the wheel. Our own attitude as leaders is the only thing that is going to see us through, and we should try to look upon the current fiscal challenge as an opportunity.