Government Technology News
Tue, 25 Apr 2017 10:23:46 +0200
Cybersecurity, Agile Development Top of Mind at 2017 NASCIO Midyear Conference
ARLINGTON, Va. — Virginia is a leader when it comes to cybersecurity; just ask Gov. Terry McAuliffe, who told the audience at the 2017 NASCIO Midyear conference on April 24 that as chair of the National Governors Association, he has “made cybersecurity the No. 1 signature issue for all 50 states.”
McAuliffe also told the more than 530 government and industry attendees, whose discussions revolved around agile development, and top strategies, management processes and solutions, that although cybersecurity is an issue for all levels of government, “Washington has done a very poor job of outlining a national strategy for how we take care of the states. We don’t even have a committee in Congress; we at the states are left to do that ourselves.”
And as a nation, he added, we are only as strong as our weakest link. Though we have made tremendous progress, there is still much to do, as several states have been hacked in the very recent past.
“If something happens in your state and your individual taxpayers’ information is taken from them, you are going to pay a price for that,” McAuliffe said. “And you should pay a price. My most important task as governor is protecting the data that we have in Virginia.”
And his CIO, Nelson Moe, elaborated in a later session, noting that Virginia is the first state to adopt a cyberplatform and move forward with its sharing organization for cyber. “The key in Virginia is to be prepared; Mike [Watson, state chief information security officer] and I work on our incident response plans all the time,” he said, and mentioned that Virginia gets attacked every three seconds. “And the Internet of Things makes a larger attack space and decreases cost for the bad guys; it costs them less to create a problem for us.”
In Michigan, CIO David Behen and his team are working to combine mobile first, big data and cybersecurity with MiPage — what he described as a personal concierge for government services in the state that is personalized and predictive.
“It’s personalized data for you,” he said. “How are we going to use data to fundamentally change how we do customer service? … If you don’t have cybersecurity, how are you going to be sure you're protecting that data?”
Because if there’s a breach, Behen said, constituents’ confidence in your system is gone. And the state intends to solve the problem through public-private partnerships. In fact, in a few weeks the state plans to release an RFP for the Michigan Threat Analytics Center, where predictive analytics will show officials what threats the state will face next. A playbook on the concept will be released simultaneously.
Mississippi CIO Craig Orgeron noted that when it comes to implementing projects and programs, the state utilizes public-private partnerships as well. “We try to do the things that we are good at, and we try to partner where we need to partner, exploit those relationships,” he said.
Also a high priority was agile development, which is making its way into many state-level projects. In California, for instance, Deputy CIO Chris Cruz mentioned the state’s history of developing “these big, monolithic projects” where halfway through, something unforeseen would occur or the budget was already blown. It was these situations that prompted state officials to look at the project delivery process and take a different approach.
And the approach taken for California’s Child Welfare Services-New System project, which Cruz said is the largest in the country, is agile.
Cruz was first introduced to agile in Health and Human Services. “We were taking a waterfall approach to an agile project, so I think that helped us expedite an agile approach,” he said, adding that a great benefit of this approach is that if vendor A is not working out, “we can hire vendor B within a week or two.”
Preliminary results of a NASCIO/Accenture study found that an agile approach helps states achieve more of the results they want. More specifically, 74 percent of respondents found that agile supports increased customer engagement and business ownership, 71 percent found improved customer satisfaction and 68 percent experienced improved quality when using agile development.
For Cruz, one statistic in particular resonated — 65 percent of respondents found that agile supports improved transparency. “A lot of project directors tend to over promise and under deliver; we want to under promise and over deliver, which is doable with agile.”
One thing that Minnesota CIO Tom Baden noted wasn’t included in the preliminary results of the study is that agile removes a lot of the friction between all of those accelerations; small increments are worked through, which he said makes the project less risky and of better quality.
“If we’re a little off course we can adjust quickly; there’s less risk and greater flexibility,” he said. “But if you don’t have great leadership the whole way, you won’t succeed.”
For Accenture’s Keir Buckhurst, there’s not necessarily less risk, “but what you’re risking is a lot smaller. It’s the flexibility that’s what’s most important.”
As for how states are approaching agile, it’s a bit of a mixed bag. “Some states are supporting agencies as they dip their toes in the water, some are more active advocates … while others start a grass-roots effort to grow it across the state,” Buckhurst said. “Then some CIOs have said to me candidly, ‘Waterfall isn’t working, but I haven’t figured out agile yet.’”
One thing to consider for those who’ve not yet gotten their feet wet with agile, he said, is to get some assistance.
“It is critical to have an agile coach particularly through the first few initiatives,” Buckhurst noted. “They’ve actually done it in the field and can tell them how to do it.”
Mon, 24 Apr 2017 05:00:00 PDT
How Agile Is Ushering Millennials into IT in Nebraska
ARLINGTON, Va. — At the NASCIO Midyear conference in Arlington, Va., on Monday, April 24, agile development was on the agenda in a big way. Identified as a top 10 priority for 2017 for the organization, the incremental delivery strategy is bringing a pretty significant side benefit to the workforce in the state of Nebraska, according to CIO Ed Toner. Turns out agile is the preferred development strategy for millennials — a demographic CIOs are anxious to incorporate into their workforces.
When Toner needs a little inspiration, he told Government Technology, he visits the team of millennials working on the state's enterprise content management system on the floor below the CIO's office. They've logged 20,000 hours of development time to date, Toner reports, and they're excited about the opportunities working for the state has provided them. So much so that now they circle back to Southeast Community College to encourage others to join them.
Mon, 24 Apr 2017 04:30:00 PDT
Top 25 Doers, Dreamers and Drivers of 2017: An Inspiring Look at What’s Right in Government
We talk a lot in Government Technology about modernizing legacy systems, replacing old technology that has outlived its useful life. Such systems become increasingly difficult to maintain, are tough to integrate with newer technology and don’t offer nearly the functionality of more up-to-date solutions. And then there’s finding the staff to work on them, which becomes a bigger problem as programmers with those skill sets start to hit retirement.
But the April/May issue focuses on the definition of “legacy” with more positive connotations. Our annual Top 25 Doers, Dreamers and Drivers is once again an inspiring look at what’s right in the public sector. The legacy they’ll leave — and thankfully, nearly all have plenty of time to add to it — is one of big ideas, bold thinking and skillful execution on the potential of truly digital government.
As always, the list is peppered with a healthy supply of CIOs in local and state government. You’ll also find public-sector leaders serving in a variety of other roles, whose work impacts the way that technology is used to improve outcomes. Others in the Top 25 are making significant impacts on how government does business in their roles outside of government. Many commonalities run through this year’s honorees.
They think big. In Buffalo, N.Y., Director of Citizen Services and Chief Service Officer Oswaldo Mestre Jr. isn’t constrained by traditional ways of doing things. Among his many accomplishments are standing up a 311 system that not only makes the city more responsive to constituents but has also reshaped city planning. Also in New York, Westchester County CIO John McCaffrey supports a culture where employees are encouraged to challenge convention to improve operations.
They seize opportunity. NIC CEO Harry Herington leads a company that has completely transformed how government services are delivered online. The gov tech market is represented on this list by smart investors who recognized a chance to contribute to better functioning communities. They and many others like them play a critical role in nurturing good ideas into transformative tools for the public sector and the citizens it serves.
They collaborate. The leaders on the pages that follow want the best ideas to rise to the top, even if they come from a neighboring jurisdiction. Indiana CIO Dewand Neely works to make sure other states can benefit from his state’s leading analytics work and wants to help local governments shore up their cybersecurity stances. Travis County, Texas, CIO Tanya Acevedo is dealing with the onslaught of digital evidence by working with neighboring counties on an online case management system accessible to multiple agencies.
As the saying goes, nobody has a monopoly on good ideas. Our 2017 Top 25 Doers, Dreamers and Drivers offer a fresh set of stories that are filled with them.
Wed, 29 Mar 2017 06:00:00 PDT
Atlanta’s Internal Platform Turns Public to Provide Real-Time Commuter Data Following Bridge Collapse
Videos of motorists driving through billowing black smoke were the signature images when a bridge collapsed on Interstate 85 in Atlanta recently, but in that crisis, city officials seized opportunity — going live 12 days later with a dynamic website that uses data in new ways to battle gridlock.
No one was hurt in the dramatic chain of events during evening rush hour on Thursday, March 30. But the fire underneath the elevated highway segment, which is alleged to have been illegally set, spread to plastic conduit being stored underneath by the Georgia Department of Transportation (GDOT) — burning so hot that it brought down the roadway above. I-85 is expected to remain closed in both directions north of downtown until at least June 15.
On Monday, April 17, work on a gas line buckled lanes on Interstate 20, closing it southeast of the city center for nearly two days. In a case of good timing, public and private agencies had debuted CommuteATL.com, their new website optimized for mobile use, the previous week.
Metrics recorded the day of the I-20 shutdown showed more than 6,000 users had already visited the site. By Thursday, April 20, an average of 1,200 views per day had swelled that total to 9,500.
CommuteATL is powered by technology from Redlands, Calif.-based GIS software provider Esri and partner Waze, creator of a real-time, crowdsourced navigation app.
But it incorporates key information, including GDOT 511 camera footage at intersections, and four city data layers: the latest from Waze, real-time Metropolitan Atlanta Rapid Transit Authority (MARTA) train arrival times, Relay Bike Share station locations, and the latest from the 2.7-mile Atlanta Streetcar loop.
It lets drivers and city officials see traffic jams, closed roads, accidents and alerts as they happen. City planners can communicate with Waze about the routes it creates for users and share citizen feedback. Members of the public get a dashboard with live updates on traffic data that let them pick the best path through the city — whether by foot, bicycle, train, streetcar or vehicle.
In a tweet April 14, Atlanta Mayor Kasim Reed called the site “another tool in the tool box to help you better navigate traffic during this very difficult time.”
The website, a collaboration including the mayor, CIO Samir Saini, Chief Resilience Officer Stephanie Stuckey, Deputy Chief Operating Officer and Public Works Commissioner William Johnson, and GIS employees, began as something quite different. It first launched in early April as an internal-facing way for public works and joint operations center workers “to get an understanding of what was happening on the street,” Saini told Government Technology.
“But once we built that out for internal use we started looking at each other [saying], ‘Well this could be really valuable,’” he said. Conversations among members of the mayor’s task force, formed to deal with traffic congestion, helped identify the four main city data layers.
Stuckey contacted Esri’s Disaster Response Program, which offers cities consulting and technical support during disasters. The company's local government account manager, Rob Hathcock, said the process was streamlined by pre-existing contracts Atlanta had with Esri and Waze, which meant the city already had most of the tools it needed to create the platform. One exception, he noted, was amplifying its account with ArcGIS, the company's mapping and analytics platform, to host the services.
“When we first pulled in the disaster response team with the city of Atlanta, we kind of did a little bit of discovery, asking them what they wanted us to provide. They couldn’t mitigate the issue with the bridge. What they could do was show how the city responded to this, ‘What can we show our constituents after the bridge collapsed?’” Hathcock said.
In 2016, Atlanta was accepted into the 100 Resilient Cities network, a $100 million investment by the Rockefeller Foundation to help cities avoid being buffeted by physical, social and economic challenges. It also joined the Waze Connected Citizen Program, a free data-sharing partnership, last year.
Both partnerships helped fast-track the creation of CommuteATL, believed to be the first time a site has sent real-time information two ways: to Atlanta officials on one end and Waze users on the other, then letting City Hall communicate with Waze.
“If that’s true, that’s great,” Saini said. “You only really feel the value of these kinds of partnerships and this data-sharing in times of crisis, or at least it’s empathized a whole lot more. We’re proud of it.”
“What is coming to us is an official source of two buckets of information,” Adam Fried, global partnerships manager at Waze, said, describing the feed from City Hall of planned events like road closures and sporting events, as well as real-time events like weather, disasters and protests that affect transportation.
And there’s more to come from the website, which had start-up costs that were “virtually nil,” Saini said, consisting mainly of the extra staff time needed to stand it up.
He’d like to see CommuteATL become a real app in addition to an optimized website. And at least until I-85 is reopened, officials plan to continue adding data layers regularly while preserving an easy user experience. In the planning stages are ride-share and car-share information, MARTA bus schedules and more Relay Bike Share locations. Last week, the city announced the program’s expansion from 100 bikes at 22 locations to 500 bikes at 65 locations less than a year after its launch.
“We’re not going to pull the plug on it once the bridge is fixed,” Saini said. “We’re probably just going to ask citizens, ‘Where do you want us to take this thing?’”
Mon, 24 Apr 2017 04:20:00 PDT
Analytics, AI and Orchestration are Top New Security Topics
You've probably been asked what you like best about your job. Since I've spent the majority of my career in the public sector, one of my top answers is that I love the challenge of helping organizations with security solutions and enabling new technologies to help the business of government. I also enjoy learning and sharing what works and doesn't work in different enterprise situations.
This sharing works out in various ways such as press interviews, speeches on cyberthreats, moderating panels and leading executive roundtables with public- and private-sector leaders at security and technology events. I often get asked to be a moderator for a few sessions at SecureWorld Expo events, InfraGard Conferences and regional technology forums, such as the upcoming MidWest Technology Leaders event.
During these panel sessions, the participants typically talk about a range of (hopefully intriguing) topics that include top cybercrime trends, cyberthreat intelligence, attracting and retaining cybertalent, big industry security breaches, internal security incidents or the always interesting (but overused) question, “what’s keeping you up at night?”
Inevitably, security and technology topics include well known themes such as ransomware, IoT botnets, cloud computing, smart cities, smartphone security, government CISO plans, securing the smart grid, end-user training, etc. Hopefully, we get beyond the problems and spend a few minutes on solutions. Nevertheless, the hopeful emerging technologies are often shortchanged in these panel discussions due to a lack of time.
Hazards on the Horizon Panel at SecureWorld Expo 2017 in Boston
Behind the Curtain
I sometimes learn more in pre-event discussions, one-on-one CISO breakfasts and panel preparation sessions than during the actual conference sessions. There are different reasons for this, but most panelists want to talk about a set number of their company or government talking points that are pre-negotiated. Some CISOs and other tech leaders don’t want to discuss specifics about their company or difficult security situation in public, since stock prices, business reputations, brands and more can be impacted. In addition, as I have explained before, no security or tech leader wants to become an accidental news headline.
Meanwhile, the audience tends to ask questions about breach headlines or recent headline technology outage incidents with major impacts — rather than seeking a deeper dive into emerging new technologies.
So what are the new cybertechnology solution trends being discussed in private? What cross-industry topics are on the minds of CSOs, CTOs and CEOs — besides their own specific enterprise issues?
The three cybersolution topics I hear most about during these pre- and post-panel discussions are analytics (including metrics), artificial intelligence (AI) and orchestration. In order to honor the “off the record” aspects of these conversations, I won’t be providing names or companies regarding what I’m hearing.
Analytics, ‘Big Data,’ ‘Little Data’ and Cybermetrics
Without a doubt, the topic that every CISO has near the top of their “must do” project list is to do more with cyberanalytics. That is, do more with the data they collect and sector incident data gained through vendor and Information Sharing & Analysis Center (ISAC) partnerships.
There are many companies that offer solutions in this space. Teradata describes cybersecurity analytics in this way: “Big data and deep analytics provide high-speed, automated analysis for bringing network activity into clear focus to detect and stop threats, and shorten the time to remediation when attacks occur.”
Recently, CIO Magazine ran this article: Feds to battle cybersecurity with analytics. Here’s an excerpt:
“With more real-time information sharing, officials envision cyber defenses moving from 'vaccine' to 'immune system,' a big analytics project that could achieve something like automatic security. …
Security firms offer a bevy of products that can intervene to mitigate the damage from a person clicking on a malicious link, [former deputy undersecretary of cybersecurity at the Department of Homeland Security] Phyllis Schneck said. But she envisions a much larger, global pool of threat data that could be tapped instantly and automatically to keep machines from falling prey to malicious actors, a system that would be aided by "big analytics" capabilities to make sense of the massive trove of data.”
Others think that “big data” is over-hyped, and we need to start thinking in terms of “little data.” Regardless of the approach taken, the discussion always leads to this wider cybermetrics topic with dashboards for management decision-making.
Another article from CSO Online reported that “Predictive analytics can stop ransomware dead in its tracks.” The article describes how Livingston County, Mich., has deployed predictive analytics as a defense against ransomware attacks.
But more than these two examples, I am hearing local, state and federal CISOs tell me that they are planning to do much more in their security operations centers (SOCs) with cyberanalytics products and services. How will this be done? There are numerous different approaches, but one set of solutions takes this topic to the next level with artificial intelligence.
Artificial Intelligence (AI) and Cybersecurity
Another topic that is hot right now is how artificial intelligence (AI) will help our cyberdefense efforts.
This recent article by Nasdaq.com describes how IBM’s AI is being used in the Department of Defense (DoD) because humans can’t keep up with cyberthreats.
In addition, “Aside from partnering Watson with H&R Block to process and analyze 11 million tax returns, the other major development has been the recent commercial release of cyber security by Watson to over 8,000 customers. With growing data sharing arrangements among members of the cyber security intelligence community, Watson was able to digest over 700 terabytes of data from just one partner (that is about 150,000 DVDs worth of data, enough to power Netflix for over 34 years without interruption). More data inputs only further empower the potential for AI in cyber security, allowing machine learning software to automatically detect, diagnose and counter cyber breaches in a more informed manner.”
I really like this article from earlier this year by SecurityWeek.com’s Torsten George on The Role of Artificial Intelligence in Cyber Security. The article describes three use cases for AI in cyber, including: identification of threats, risk assessments and orchestration of remediation.
Here's an excerpt: “Too often, unsupervised machine learning contributes to an onslaught of false positives and alerts, resulting in alert fatigue and a decrease in attention. For opponents of AI, this outcome provides ammunition they typically use to discredit machine learning in general. Whether we choose to admit it or not, we have reached a tipping point whereby the sheer volume of security data can no longer be handled by humans. This has led to the emergence of so-called human-interactive machine learning, a concept propagated among others by MIT’s Computer Science and Artificial Intelligence Lab.
Human-interactive machine learning systems analyze internal security intelligence, and correlate it with external threat data to point human analysts to the needles in the haystack. …”
What Is Network and Security Orchestration?
The last area I hear quite a bit about from CISOs lately is network and cybersecurity orchestration. Like bringing together different instruments in an orchestra to produce beautiful music in a symphony, orchestration brings together diverse tools, processes and people to improve cyberdefense results and incident response to (hopefully) produce better results.
Security orchestration allows for automation and improved capabilities to navigate the full scope of security operations and incident response activities from the initial alert through remediation. This excellent "Siemplify" article describes three aspects:
Context — understanding of the relationships across alerts, intelligence, and security data into prioritized cases with the complete contextual threat storyline.
Automation — integrating automated capabilities in a flexible manner; from basic playbooks, to semi-automatic workflow, to complete automation of incident response where appropriate. One size fits all doesn’t work with security automation.
Analyst Enablement — giving analysts the proper tools and visibility to effectively intervene throughout the investigation and response process and ultimately ensuring we are curing the disease, not just the symptoms.
In this Network World article by Jon Oltsik from earlier this year, the state of incident response and security orchestration is described in more detail. He covers several vendor products and the outlook for the near future.
You can also learn more about the security orchestration market at this Business Wire article.
Final Thoughts — Telling Your Customer's Story With Data
I am at the National Association of State CIOs (NASCIO) Midyear 2017 meeting (follow at #NASCIO17 on Twitter) this week for learning, discussions and networking with public- and private-sector partners.
One keynote speaker was Jason Ashlock, who spoke on the importance of storytelling with data. His main message was that in our information age, we need to compete by making sense of the data we have. Our customers want to hear how the data fits into their unique business story and problem-solving. "Get the story right and you illuminate decision-making. You drive discovery and revelation. You transform data into knowledge and knowledge into wisdom."
I really liked Jason's comments about how our job as technology and security leaders in the coming decades is to humanize the data and take the actions that machine learning cannot do. We need to be driving innovation by personalizing topics to meet client needs through storytelling through the eyes of the business.
Another breakout session will cover state government examples from my top cybertrend from 2016, namely Hacktivism and how hacktivists - which has been active all over the country.
In a keynote session, Virginia Gov. Terry McAuliffe is scheduled to deliver some remarks, which will no doubt touch on cybersecurity and what is being done by governors through his National Governors Association chair role.
But regardless of whether you will be at any of these security and technology events or not, you can engage your team and vendors in deeper discussions regarding these three relatively new security topics. Analytics, AI and orchestration are already elbowing their way onto enterprise security agendas around the world, and regardless of the security problem — these topics are key pieces of cyberstrategy road maps and security solutions as we head toward 2020.
In conclusion, we started 2017 with many cybersecurity industry predictions regarding online problems, but data analytics, AI and orchestration may have been understated as potential cybersolutions moving forward. Jason Ashlock challenges us to learn as much as we can about the data, and to make meaning for our customers out of this information and data using stories. We need to become translators that demonstrate business opportunities and risks.
So what's your data story?
Sat, 22 Apr 2017 05:00:33 PDT