Back in May I discussed the potential misuse of a powerful mapping tool like Google Earth. Today, the New York Times reports that international governments are afraid of the potential for misuse of this technology. Since the New York Times will eventually make the link to their article obsolete (unless you pay for a subscription), I felt compelled to include some of the more interesting tidbits…

From the Dec 20, 2005 edition of the New York Times, “Governments Tremble at Google’s Bird’s-Eye View”

“Lt. Gen. Leonid Sazhin, an analyst for the Federal Security Service, the Russian security agency that succeeded the K.G.B., was quoted by Itar-Tass as saying: “Terrorists don’t need to reconnoiter their target. Now an American company is working for them.”
…
“India, whose laws sharply restrict satellite and aerial photography, has been particularly outspoken. “It could severely compromise a country’s security,” V. S. Ramamurthy, secretary in India’s federal Department of Science and Technology, said of Google Earth. And India’s surveyor general, Maj. Gen. M. Gopal Rao, said, “They ought to have asked us.”
…
“Andrew McLaughlin, a senior policy counsel at Google, said the company had entered discussions with several countries over the last few months, including Thailand, South Korea and, most recently, India.”
…
“When you have multiple eyes in the sky, what you’re doing is creating a transparent globe where anyone can get basic information about anyone else,” said Mr. Gupta, the Sandia analyst. His recommendation to the Indian government, he said, would be to accept the new reality: “Times are changing, and the best thing to do is adapt to the advances in technology.”

Tags: [memory maps, Google Earth, satellite, security, information security, national security, terrorism, map, gps]

“The practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization’s logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack; the creation of a Web site replica for fooling unsuspecting Internet users into submitting personal or financial information or passwords.”

Notice the email I received. It looks authentic, doesn’t it? However, when I click on any of the three links in the message, the address that displays does not match the address in the email. Instead, it links me to a very different address.

PayPal must go through incredible pains to fight off these malicious people. They have a great “protect yourself” page that offers some good advice for users.

This social engineering almost suckered me, and I would consider myself rather savvy. This type of scam is generally successful because it played on my fears that someone had broken into my account. I react with feeling before I think it through. Fortunately, once I got to the page that asked for my personal financial details, I realized that I better slow down. That’s when I looked at the web site address and noticed that it was not, in fact, PayPal.

It may not be PayPal. It might be an email from a bank, or some other seemingly reputable establishment. Or it might be the great African money laundering too-good-to-be-true scenario I’m sure you’ve seen. If you haven’t yet been the fortunate recipient of these emails, here’s the scenario as described by my buddy here and here.

Be vigilant, my friends, and sorry to say, but we must be skeptical and distrustful in this Internet age.

Scam Home Page

Notice the address line. Also, notice under “what’s new” that these malicious persons have a link for “PayPal introduces new homepage” to cover their tails in case the real PayPal site were to change their look and feel. You can type any made up username and password to move to the next “verification” screen…

They Want Your Credit Card and Bank Information!

Update

A worthwhile video shows the scam in action.

Tags: [phishing, PayPal, scam, security, fraud]

My father-in-law and I recently purchased a small video camera (iSight) that can be mounted onto the top of our Apple computers. The purpose of the camera is so that we can both see and hear each other remotely using a combination of the camera and “instant messenger” chatting software that most of us have already used. We had a great time – both video and audio were really good – not choppy like I anticipated it might be. The video was a little fuzzy, but only when I had it fill the entire screen. Nonetheless, it was amazing! I felt like we were sitting across the table from each other. In fact, during another “chat” I put the camera on my laptop, and leveraging the wireless connection in my home, I was able to take my laptop around the house so my father-in-law could see home improvements, etc. from his home hundreds of miles away. Amazing!

Anyway, I was hoping to lure friends and family into getting one of these. There are a few hurdles – you need a high speed internet connection (no dialup) and your computer must be relatively new (you do not have to have an Apple Macintosh). Think of all the long distance costs you will save because chatting this way is free – only the cost of the high speed internet service (and the camera)!

This has been done in the business community for a while now for holding remote conference calls. For instance, CNN recently decided to use Apple’s technology to aid them in their efforts for real time remote reporting.

The psychotherapy profession should really start embracing the use of this technology in order to provide alternative services. For instance, what if a psychotherapist needs to see a family, yet one of the parents happens to be away for business during a planned session. Typically, the appointment would either be cancelled or it might be missing an important viewpoint if the psychotherapist decided to see the reminder of the family anyway. A certain number of counselors already do therapy by telephone or by email, but I think there are 2 limitations with these laternatives. First, doing email “therapy” tends to lend itself more to helping one individual, not many at once. Second, it is common knowledge that a majority of communication occurs nonverbally, so much is lost using the mediums I mentioned. However, using relatively inexpensive webcam technology could be something the profession needs to consider. The major concerns would involve the legal (insurance), confidentiality, security, and archiving issues, but I think these could be reasonably resolved.

Tags: [iChat, Apple, iSight, webcam, im, instant messaging, security, counseling, aamft, psychotherapy, marriage therapy, family therapy]

Azmi [FBI CIO] is aware of the mountain that faces him—not to mention the consequences if he fails to deliver the support systems the agents need to fight against high-tech crime and terrorism. “Looking at the mission of the FBI and how critical it is, I will tell you that we are at war,” he says. “And the best tool we have is information, and if information doesn’t get to agents on the street in time, then we haven’t done our job properly.”

Last year I wrote a paper entitled, “Effective Culture Change.” The paper was written as part of a graduate school team experience for the Department of Justice’s Library Services division. Although the paper was targeted to a specific audience within the DoJ‘s Justice Management Division, I feel the paper could be used to address some of the culture problems within the FBI and the DoJ as a whole.

First, let me define organizational culture. Claver, et al. (2001, p.248) define organizational culture as:

“A set of values, symbols and rituals shared by the members of a specific firm, which describes the way things are done in an organization in order to solve both internal management problems and those related to customers, suppliers and the environment.”

This culture manifests itself at both a visible level (age, ethnicity, gender, dress, organizational structure, symbols, slogans, etc.) and an invisible level (time, motivation, stability vs. change, orientation towards work, individualism vs. collaboration, control, how management views IT, etc.).

I believe the primary reason for failed IT projects and a revolving door of CIOs at the FBI is primarily due to the agency’s culture, not failed technologies or poor CIO leadership. Let me elaborate…

New IBM employees receive a laptop computer when they start working for this technology company. Right from the get-go, these employees receive the cultural message that, “We are a company that relies on information access and information sharing.” What if federal employees in agencies such as the FBI could receive this cultural message too by receiving their very own laptop? Unfortunately, according to the Washington Post,

“Nearly 60 percent of federal employees are over age 45, compared with about 31 percent of the nation’s workforce. More than half of all federal workers will be eligible for retirement or early retirement within five years.”

Could part of this technology resistance be related to the average age of federal employees, including FBI employees? I find it abominable that former FBI Director Lois Freeh didn’t even have a computer at his desk! The CIO Magazine article goes on to state

“The FBI’s dismissive attitude toward IT was embodied by former FBI Director Freeh, who ran the Bureau from 1993 to just before 9/11. “[Freeh] was not an IT person,” says a former DoJ IT manager familiar with the FBI IT culture. He and the businesspeople around him were uncomfortable within technology.”

The CIO Magazine article implies that the culture still hasn’t changed, even after FBI Director Robert Mueller started his post in September 2001. What’s particularly interesting about this is that under Attorney General Ashcroft’s leadership, the 2002 DoJ Information Technology Plan stated:

Establish an Environment That is Conducive to Change

“There will be a large number of changes introduced so DoJ should take steps to increase its capacity to successfully adopt to change. The culture must embrace and reward change attributes, such as flexibility, adaptability, innovation, and resiliency.” (USDOJ-JMD, 2002, p.31)

That “success factor” was documented in a 2002 publication. So, how successful is the FBI? What about the DoJ? So, is it the responsibility of FBI CIO Zalmal Azmi to effectively change the agency’s culture? Here are some of my recommendations:

Leadership

Leadership should clearly and openly communicate (and model) to employees the value of the desired change. Culture change doesn’t occur simply by implementing a new technology or Director Mueller giving Azmi authority over the IT budget. Leadership means ALL leadership – extended to Director Mueller all the way to the Attorney General. Azmi cannot do it on his own – he must have true support from top-most leadership. The previously mentioned “success factor” stresses a need for change, but have leaders implemented specific policies and reward systems (versus technology solutions) that communicate a support for risk taking and change and provide tolerance for employee mistakes?

Training and Organizational Development

Training is vital for an organization that desires effective culture change. A few suggestions might include:

• Team-building activities involving cross-functional, or even cross-divisional teams, may foster greater trust and provide better opportunities for information sharing.
• Large group interventions are organizational development activities that involve representative stakeholders meeting at length to discuss problems and create plans for change.
• Survey-feedback activities allow leadership to conduct a cultural analysis to determine where the organization stands on these desired dimensions.
• Initiate a mentorship program like that offered by Fannie Mae [no longer available - scanned hardcopy to PDF - 12.2 MB]

Structure

The Department of Justice has a traditionally divisional structure. This structure works well when adapting to the needs of its environment, but this structure (in addition to the needed levels of information security) often leads to poor levels of communication and coordination among divisions. I am not convinced that the Department can abandon its divisional groupings because of its sheer size. However, by implementing a horizontal structure within each division, boundaries would more likely be broken within the DoJ, promoting collaboration for learning and change, which requires changes in employee empowerment, information sharing, and culture. One radical idea might be to look from a macro level to see if the DoJ organizational structure could be combined under an umbrella consisting of the following groupings:

• Policy;
• Investigation/enforcement;
• Litigation; and
• Administration.

Collaboration

Fostering a collaborative culture in the DoJ and the FBI will affect the likelihood of successfully implementing a technical solution. Damodaran (1996, p. 304) lists the following benefits of user involvement:

1. Improved quality of the system arising from more accurate user requirements.
2. Avoiding costly system features that the user did not want or cannot use.
3. Improved levels of acceptance of the system.
4. Greater understanding of the system by the user resulting in more effective use.
5. Increased participation in decision-making in the organization.

Learning from Success Stories

The FBI is not the only federal agency that struggles to change its culture so that it embraces information sharing. The Department of Defense provides the best example of how a federal Department can change, and it seems that the FBI can look to these kinds of success stories to see how it might become more of a learning organization. After the fall of the Berlin Wall in the late 1980s, the Army realized that they would need to focus their energies on more complex threats. Leadership determined that there needed to be an abundance of tools to provide all personnel with the information needed at any given time. The Army required training and education programs that rewarded the sharing of “Lessons Learned” and “Best Practices.” In addition, they implemented a number of sophisticated knowledge management systems, including Army Knowledge Online – that provides a wealth of timely information to all personnel. Future plans within the DoD include integrating this system with knowledge management systems from the other defense branches.

Conclusion

Many people are not willing to change unless they perceive a problem or crisis. Resistance to change is often a result of self-interest (fear of loss of power, prestige, pay, benefits), lack of understanding and trust, uncertainty, or differing assessments and goals. The DoJ and the FBI has been accused of having problems with effective information sharing, including the accusation that the Department fosters a culture that resists this activity. The DoJ and the FBI must effectively address these issues and identify strategies for becoming an organization that embraces change attributes and the importance of effective information access and sharing.

When efforts to implement change fail, a common cause is insufficient attention to the people side of change. Too many times CIOs are really CTOs, brought in to implement these cultural and stretegic changes. Unfortunately, their expertise might be more concentrated on implementing technologies, not changing people. I would urge leadership to treat information as a resource (on par with human resources, financial resources, physical resources) and consider how they can change the organization’s information culture first through the people-side of change.

Tags: [culture, IT, technology, FBI, DOJ, Information Management, Information Sharing, Project Management, CIO]

Internet and software-savvy persons (e.g., social software users, open source software developers) tend to advocate information sharing. Indeed, an information sharing culture often breeds knowledge and innovation. Nonetheless, some people refuse to share information, for one reason or another. Some people feel that their job security rests on being seen as an expert. If the information they possess is shared, then perhaps their job won’t be seen as necessary.

Although I understand the validity of both the need for information security and information sharing, I feel we need to be ever so careful with how we use the proliferation of social software that has grown in the last few years.

For example, I absolutely love the Flickr service. I use it mostly to share pictures with friends and family. However, if I so choose, I can share pictures with virtual strangers from all over the world. Consider the following picture:

U.S. Secret Service Training Facility, MD

There’s been a recent fascination with Memory Mapping, the process of identifying satellite photos of places one is familiar with, and then identifying specific landmarks with notations.

What makes this photo interesting is that it is a screen capture of a U.S. Secret Service training facility in Maryland. I used a publically available satellite imaging service, in this case Google Maps (see also Terraserver & Microsoft Terraserver USA), to locate the site I was familiar with.

I assume that if the images are provided by the USGS, then they can be used freely by anyone. However, now that GPS devices are readily available and image services offer coordinates for specific locations, how much easier might it be for armchair vigilantes to perform malicious acts? I’m sure some of the images are sanitized or scrubbed, but what if some classified locations are missed?

Information sharing is the cornerstone of the social software scene and is essential in open source development. However, these persons who follow the “information sharing” credo must be careful to understand the local and federal laws they abide by, and understand that sharing isn’t always a good thing.

Tags: [memory maps, Google maps, satellite, security, information security, social software, Flickr]

So, the question is, why does this federal site, which has the authority for consolidating the business of grant funding among a majority of federal agencies, have the authority to mandate a technology that can only be used by users of one operating system? There are federal mandates such as Section 508 that provide for equal access to web applications for handicapped individuals. Shouldn’t there be an equal access technology policy too?

Back in 2003, the Computer & Communications Industry Association (CCIA) issued a report [PDF - 880 KB] in response to the Department of Homeland Security’s naming of Microsoft as the Department’s “primary security provider.” An August 28, 2003 ComputerWorld article states

The contract, awarded June 27, named Microsoft as the “primary technology provider” to the Department of Homeland Security, supplying desktop and server software critical for the agency.

In a letter yesterday to Tom Ridge, the secretary of the DHS, Ed Black, the CEO and president of the Washington-based CCIA, asked the agency to “reconsider” its decision to use Microsoft software inside an agency with critical security needs (download PDF).

From an economic and efficiency standpoint, it would be much easier for the federal government to adopt Microsoft as the defacto standard computing platform. Unfortunately, there are a few problems with this stance:

1. Security - Much like when one invests in the stock market, diversity is the key. One shouldn’t invest 100% in international stocks. Although these stocks might have a chance for a high return, if they tank you are out of luck. When investing, advisors make sure your portfolio is diversified, as a way to protect yourself if the event that stocks plummet in one part of your portfolio. Similarly, if a corporation or federal agency diversifies its technology portfolio, then it is less likely to experience a fatal security breach.
2. Innovation – Look at the innovators right now – Apple Computer, Amazon, Google, etc. These companies do not rely on one technology from one company. They innovate, in part, from using diverse technologies (hard and soft).

The federal government needs to seriously look at the technology policies it implements. I think I agree with a recent CIO article calling for a Federal Technology Czar. To combat technology and cybersecurity issues, the government should institute policies that promote technology diversity and should allow citizens to conduct business with the government using any technology available to them.

Tags: [federal government, Microsoft, Apple, CCIA, pureedge, Grants.gov, Section 508, cybersecurity, FDP, eRA]