Clips August 4, 2003
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, glee@xxxxxxxxxxxxx;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, computer_security_day@xxxxxxx;, waspray@xxxxxxxxxxx;, BDean@xxxxxxx;, mguitonxlt@xxxxxxxxxxx;
- Subject: Clips August 4, 2003
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Mon, 04 Aug 2003 18:12:26 -0400
ARTICLES
Official: National Amber Alert network to be running by next year
End of the road for SMTP?
Malaysia to change divorce-via-cell phone law
Sharing: Easier said than done
TSA tinkers with privacy plan
Senate OKs OMB deputy director
Commission recommends that USPS drop e-commerce
Army begins development of battlefield net
OPM says it won't reopen Recruitment One-Stop buy
Homeland Security braces to deal with unregistered foreign students
OMB challenges report on Privacy Act compliance
*******************************
USA Today
Official: National Amber Alert network to be running by next year
August 3, 2003
DALLAS (AP) -- A nationwide network to help find missing children should be in place by this time next year, a Justice Department official said Sunday at a conference on the Amber Alert.
Assistant U.S. Attorney General Deborah Daniels said states have made great strides in their own Amber Alert systems, with 45 states now operating statewide networks. In October 2001, there were only five statewide Amber Alert systems.
The conference is designed to familiarize law officers, broadcasters and highway safety officials from across the country with each other's systems, educate them about the most effective and affordable technology and address problems such as overuse.
Daniels said interstate communication is still lacking, with officials sometimes unsure whom to contact when an Amber Alert needs to be sent out beyond state lines.
"What we need to do is get this into the 21st century," Daniels said.
Amber Alerts are bulletins on abducted children and their captors, quickly sent to law-enforcement agencies and to the public through radio and television broadcasts and electronic highway signs. They are named after Amber Hagerman, a 9-year-old abducted in Arlington and later found murdered.
Since it began, Amber Alert systems have led to the safe return of more than 80 abducted children, Daniels said.
Tamara Brooks, one of two teenage girls abducted at gunpoint last August in California, told the conference the Amber Alert helped save her life.
After 14 hours in captivity, Brooks, now 17, and Jacqueline Marris were rescued 100 miles away from the isolated area where they'd been abducted. Kern County sheriff's deputies closed in on the suspect's car and shot him to death.
"It works. It's as simple as that," the soon-to-be high school senior said. "If something is lost and you don't tell anyone, how can it be found?"
Brooks' case, which marked the first time California had used the alert, provided the nudge many other states needed to begin their programs, said Chris Murray, co-chairman of Oregon's emergency communication committee.
*******************************
CNET News.com
End of the road for SMTP?
By Paul Festa
Staff Writer, CNET News.com
August 1, 2003, 4:00 AM PT
The protocol that has defined e-mail for more than two decades may have a fatal flaw: It trusts you.
Developed when the Internet was used almost exclusively by academics, the Simple Mail Transfer Protocol, or SMTP, assumes that you are who you say you are.
SMTP makes that assumption because it doesn't suspect that you're sending a Trojan horse virus, that you're making fraudulent pleas for money from the relations of deposed African dictators, or that you're hijacking somebody else's computer to send tens of millions of ads for herbal Viagra.
In other words, SMTP trusts too much--and that has spam foes, security mavens and even an original architect of today's e-mail system agitating for an overhaul, if not an outright replacement, of the omnipresent protocol.
"I would suggest they just write a new protocol from the beginning," Suzanne Sluizer, a co-author of SMTP's immediate predecessor and a visiting lecturer at the University of New Mexico, said in an interview.
"In my experience in computers--which at this point, is quite extensive--trying to fix problems in the existing thing is almost always more difficult than just sitting down and thinking about what you want and coming up with something new," she added.
Sluizer co-authored the 1981 Mail Transport Protocol, SMTP's direct predecessor, while she was a technical staffer at the University of Southern California's Information Sciences Institute in Marina del Rey, Calif.--the birthplace of such fundamental Internet protocols as the Transmission Control Protocol/Internet Protocol (TCP/IP).
Having battled the scourge of unsolicited junk e-mail on a catch-as-catch-can basis for years, e-mail experts are at their wits' end as spam load increases day by day with no sign of slowing.
America Online, AOL Time Warner's online unit, said in April that it had blocked 2.4 billion pieces of spam in a single day. Despite that feat, many spam messages probably made it through to AOL's 34 million members. Some estimates put the worldwide proportion of spam to legitimate e-mail at around 50 percent.
The root of spam
Companies, from AOL to small start-ups, are tackling the spam problem by testing out technological fixes. These include collaborative spam-blocking filters and so-called challenge response methods, which require a typed-in response to foil automated registrations of free e-mail accounts. In addition, spam is keeping lawyers, legislators and lobbyists busy, as states and nations criminalize spam and recipients of it go after the senders.
Still, spam keeps coming. That has led technologists to re-examine SMTP as the root of e-mail's evils, just as it has always been lauded as the source of the medium's remarkable power and popularity.
At issue is the protocol's lack of a comprehensive way of verifying an e-mail sender's identity. This makes it easy for people to mask their identities by forging return addresses and taking over victim machines to conduct their activities.
The flaws are so severe, some now believe, that the protocol that gave rise to the most significant explosion in written communication since Gutenberg may no longer be capable of serving its purpose in a world of con artists, pornographers, virus authors and unscrupulous spammers.
"You have to remember the era in which this protocol was designed," said Sluizer, the self-described "grandmother" of SMTP. "Back in the time we were doing this work, we were talking about hundreds or maybe thousands of sites on what was then called the Arpanet. We were looking at connecting with a few in Europe and some smaller networks in the U.S.
"It was a trusted situation, and the protocols were developed on the basis of that trust. So it's very surprising to me that we are using the same protocols coming up on 25 years later, because you need different things in a commercial environment than you need in a research environment."
While critics generally agree on what SMTP lacks, debate abounds on how to fix it.
Some who worked on the protocol in its early days argue that it is flexible enough to have successfully evolved over the years--having absorbed numerous revisions and extensions--and that the authentication problem can be partially solved with existing technologies.
"Authentication in SMTP is not that hard," Paul Hoffman, director of the Internet Mail Consortium and author of numerous computer-related books, wrote in an e-mail interview. "There is already a protocol for doing it, namely running SMTP over SSL/TLS. And, yes, I wrote it." (The SMTP over SSL/TLS protocol is available at the Internet Engineering Task Force's Web site.)
The hard part, according to Hoffman and others, is establishing the "trust relationships" required to back up any computer-based authentication scheme--in other words, verifying that a person is who he or she claims to be.
The problem worsens, Hoffman said, when trying to design a system that authenticates mail servers, rather than individuals. In part, this is because a third party would have to determine whether an e-mail server is responsible for sending spam. That kind of responsibility--voluntarily assumed by operators of various spam blacklists--could be onerous and expensive if applied to the Internet as a whole.
"Who is paying this third party for both the time and the legal risk in doing this?" Hoffman asked.
Number crunch
Some say rewriting SMTP from the ground up would be prohibitively difficult because of the protocol's global user base, which is estimated to be in the hundreds of millions.
"The difficulty of changing the transfer technology as a way of managing unsolicited bulk e-mail is the installed base," said Rodney Tillotson, the chair of the Anti-Spam Working Group for the Reseaux IP Europeens (RIPE), a consortium of European Internet service providers.
"There are thousands or millions of SMTP servers transferring and delivering mail, and getting them all changed will take years, during which time the (unsolicited bulk e-mail) problem probably remains unsolved," Tillotson said. "Proposals requiring a change to desktop mail software are even harder to deploy."
Sluizer counters this by suggesting two protocols--SMTP and a new one, with tighter authentication--could easily coexist, with e-mail applications supporting both side by side. In that way, people using one protocol would not be prevented from exchanging mail with those using another.
The RIPE antispam group isn't alone in conducting an online debate about changing fundamental protocols to stem the tide of spam. The Internet Engineering Task Force (IETF) this spring established a research group to come up with ideas on how to attack the problem from the protocol level.
But critics call the IETF's efforts belated and say that efforts to solve the spam crisis can't wait while a standards body deliberates.
"Given that it's taken six-plus years for the IETF to get around to deciding spam is a big enough issue that they should charter a 'research group' to look at it, I just can't bring myself to be hopeful that we'll see the IETF ratifying any major overhauls to SMTP before the decade is out," Ray Everett-Church, chief privacy officer of the ePrivacy Group, said in an e-mail interview.
Paul Judge, chair of the IETF's Anti-Spam Research Group (ASRG) declined to answer questions for this story, citing both the group's desire to maintain "focus" and the quantity of proposals under consideration.
The view that an entirely new e-mail specification should be written isn't making headway within the IETF. Many of the organization's members argue that a practical solution could ride atop the present protocol or at least be backward-compatible with it.
Add, not replace?
Among others arguing for a less-radical fix is the ePrivacy Group, which markets the SpamSquelcher spam-control software for Internet service providers. In April, the group published its Trusted E-mail Open Standard (TEOS). That proposal builds on top of SMTP, rather than replacing it outright.
TEOS, according to its authors, lets people and organizations identify themselves more reliably and include machine-readable descriptions or "assertions" about their e-mail's content. It also establishes an encrypted, spoof-proof "trust stamp" that appears in the body of the message. The ePrivacy Group recommends the formation of an international, cross-industry body to maintain the standard.
Some of those tackling the problem are looking at amending protocols other than SMTP. Microsoft, for example, advocates a change to the domain name system (DNS) that would make it harder for spammers to disguise their identity.
The DNS is a distributed database, maintained by a number of different companies that provide domain names for Web site and e-mail addresses. The problem with the system, spam-fighters say, is that like SMTP, it provides no system for authentication.
"One of the things we want to do is attack this issue of spoofing," said Harry Katz, program manager of Microsoft's Exchange server group. "That's job one, in terms of putting a curb on spam, and we think we can do that (by) making a minor enhancement to the DNS."
The "minor enhancement" Microsoft is preparing to release would let individuals, companies and other organizations publish the identification numbers of their mail servers in the DNS database.
That would let an e-mail recipient compare the message's actual originating address with the address indicated in its header. A difference there could help a spam filter determine that a header is spoofed, increasing the likelihood that the message is spam. Such messages could easily be filtered or rejected.
The IETF's antispam research group has been entertaining a DNS alteration of its own, ever since the group was started this spring.
Conveniently, the DNS is flexible enough to allow for a change without requiring a major revision to the system protocol, but it would require a concerted implementation by various Internet mail companies. Microsoft--with its Hotmail Web mail service, its MSN mail service, and others under its control--could single-handedly give such a system a sizeable implementation boost.
"There are people muttering darkly that it's a lost cause, there's no way that it's fixable and we have to start from scratch," said Katz. "I would disagree with that. Analogies are dangerous, but while we may have legitimate concerns about traffic on the roads, do we have to tear down the interstates in response? The answer is 'no,' and there are things we can do that, over time, will make a significant dent in the problem."
Open to risk
Katz warned that, in the rush to fix e-mail, the industry risks harming the openness that gave rise to the Internet's success in the first place.
For example, a spam solution should not block all unsolicited mail, he said. That could prevent the reunion of long-separated friends and relatives, as described in so many e-mail success stories. Nor should a solution put an end to bulk mailings per se.
Even Microsoft's soon-to-be-proposed DNS modifications will have to tread a fine line to make sure they don't bar third parties from sending out legitimate ads.
"There's a balance that has to be struck," Katz said. "We want to ensure that people can communicate easily and effectively over the Internet. That said, over time you're going to see that the system will be tightened down more than it is today. It just has to be, because of problems like spam and viruses. But you still need to leave the door open for the classic scenario, when your long-lost high school buddy contacts you by e-mail. That's one of the great strengths of the Internet."
*******************************
USA Today
Malaysia to change divorce-via-cell phone law
August 1, 2003
KUALA LUMPUR, Malaysia (AP) -- Cell phone text messages, e-mails and faxes may be a boon to modern life, but they won't be acceptable ways for Malaysian men to start Islamic divorces.
Reacting to an Islamic court's ruling last week approving a divorce initiated with a husband's text message to his wife, the government said Thursday it will tighten religious laws to bar the use of electronic messages in divorces.
Under Islamic law, a husband can get a divorce by declaring his intention to his wife and then repeating his desire before a religious law judge. The procedure for women is much more difficult.
The issue of using electronic means for notifying wives has arisen in several Muslim countries in recent years, with some religious authorities permitting it and others saying no.
Last week's ruling by an Islamic judge in Malaysia dissolving a marriage after the wife was notified by text message angered women's groups, which said that process is demeaning. Some Islamic scholars and government officials said it tarnished the religion's image.
Prime Minister Mahathir Mohamad said this week that while text messaging is not explicitly illegal under Malaysia's current Islamic laws, "it is not the way to get divorced."
Abdul Hamid Othman, the government's official religious adviser, said Thursday that rules on a wife's notification would be made more strict and explicitly exclude text messaging and other new technology.
"Husbands should not be allowed to freely use SMS (text messaging) and other easy methods such as e-mails, voicemail or even facsimile to begin divorce proceedings," Abdul Hamid told The Associated Press. "We must put a stop to it as it is morally wrong and unacceptable to society."
About two-thirds of Malaysia's 23 million people are Muslims and subject to the country's generally Islamic laws as well as secular laws.
*******************************
Federal Computer Week
Sharing: Easier said than done
Agencies find it difficult to develop necessary relationships
BY Nancy Ferris
Aug. 4, 2003
When Cisco Systems Inc. found a flaw in its software that might have allowed hackers to shut down a substantial portion of the Internet, the company alerted customers and called on educational and research institutions, industry organizations and government agencies to help convey the urgency of the problem.
During the incident, which began July 17, the new National Cyber Security Division of the Homeland Security Department notified federal agencies and industry organizations of the vulnerability. A conference call that included representatives of 22 trade groups was one way the DHS unit communicated the need for fast workarounds and patches to head off denial-of-service attacks.
Andy Purdy, acting deputy director of the DHS division, cited the response to the July incident as an example of successful information sharing for homeland security in his remarks during the recent Government Security Expo and Conference in Washington, D.C.
It was a rare bright spot in an ongoing discussion of the difficulties of using information effectively in the war on terrorism. Few dispute that information sharing may strengthen defenses and improve efficiency. But July's reports, meetings, press conferences and hearings make it clear that progress in developing information-sharing relationships and mechanisms that cross organizational boundaries has been slow.
"We are leaders in technology, yet we seem unable to come to grips with how to share information," said Rep. Jim Turner (D-Texas), ranking member of the House Select Committee on Homeland Security, during a press conference in which the Bush administration's progress on homeland security came under fire.
A joint congressional committee reported that inadequate information sharing was a contributing factor in the terrorists' ability to catch the United States unprepared Sept. 11, 2001.
"Information was not sufficiently shared, not only between different intelligence community agencies but also within individual agencies and between the intelligence and the law enforcement agencies," according to the committee's report.
The tangle of rules that restrict the release of federal agencies' information got part of the blame from one expert at the GovSec conference, J. William Leonard.
Leonard, director of the Information Security Oversight Office in the National Archives and Records Administration, pointed to the creation of the "sensitive but unclassified" category in the 1987 Computer Security Act as a key example of layering new rules on top of old ones and failing to synchronize them.
Not only are there too many rules, but the definitions are unclear, Leonard said. "If you had 100 bureaucrats in a room, you'd get 101 definitions of 'sensitive but unclassified,' " he quipped.
"We have more varieties of classification in the federal government than Heinz's 57 varieties," Leonard said.
The government needs to share information and it needs to protect information, Leonard said, but it has yet to make clear to employees how to distinguish between what should be protected and what should be shared. Few are sure who is authorized to release information, and there should be an appeals mechanism for reviewing those decisions.
"The whole concept of need-to-know needs to be revisited," he said.
Aldona Valicenti, chief information officer for Kentucky, said it has been difficult to get security clearances for state officials who may need access to classified information.
Another barrier she cited is the lack of up-to-date technology in some local law enforcement and public health offices. For a sheriff's office in a small city, she said, "a fax machine is high technology."
Valicenti, former president of the National Association of State CIOs, said the association is developing an information-sharing center for states. She also held out hope that the enterprise architecture efforts under way in the states and the federal government will facilitate information sharing.
Information technology has a major role to play in homeland security, she said, but "it has not always been understood when the technology issues need to be at the table."
Valicenti also said information sharing among homeland security officials at the state and federal levels is improving, but the private sector is insufficiently involved in the information exchanges.
Purdy, Valicenti and others expressed hope that the information sharing and analysis centers being established in key industries with DHS' encouragement will prove to be useful vehicles for information sharing across the boundaries between government and the private sector.
*******************************
Federal Computer Week
TSA tinkers with privacy plan
But critics worry the system could go in new directions
BY Randall Edwards
August 4, 2003
In an effort to alleviate privacy concerns about its preflight screening tool for airline passengers, the Transportation Security Administration last week backed off its plans to store passenger data for as long as 50 years.
At the same time, TSA's updated privacy statement raised new concerns about the scope of the program.
TSA, an agency of the Homeland Security Department, reported in a notice dated July 22 but released July 31 that the Computer Assisted Passenger Prescreening System (CAPPS) II will maintain passenger data for "a certain number of days." This is a reduction from the 50 years cited earlier.
A prior notice published in the Federal Register on Jan. 15 generated controversy over how CAPPS II would collect, use and store passengers' personal information.
Although the revisions address some issues, the recent notice raises fresh concerns about the scope of CAPPS II. DHS listed possible future uses of the system to include identifying individuals with outstanding arrest warrants for violent crimes and pinpointing international terrorist threats by integrating CAPPS II with DHS' planned U.S. Visitor and Immigrant Status Indicator Technology system.
CAPPS II is designed to confirm identities of air travelers and identify those who may be potential terrorist threats. The program uses four key pieces of personal information for each passenger: name, date of birth, home address and home phone number.
The program has been a source of controversy since it was announced, and advocates on both sides eagerly awaited last week's notice. The revisions are part of an effort by DHS officials to alleviate privacy concerns.
In addition to the issue of data storage, TSA officials specified that commercial data providers would not be allowed to retain any passenger information provided for CAPPS II, nor would CAPPS II use bank records, credit ratings or medical records to determine passengers' identities or terrorist risk.
TSA is also establishing a Passenger Advocate Office for people to contact if they believe CAPPS II has inaccurate information about them or if they feel they have been mislabeled as a possible threat.
"The Department of Homeland Security leadership, in concert with Transportation Security Administration officials, has taken today a very positive step toward further redefining the CAPPS II program," said Nuala O'Connor Kelly, DHS' chief privacy officer. "The proposed program increases passenger security and strengthens civil aviation in our country, while respecting the privacy of persons affected by the system."
The revisions met with general approval. However, privacy advocates expressed concern that the CAPPS II program might be overreaching its scope.
"We are pleased that TSA is conducting this in an open process; however, we do have concerns about CAPPS II," said Lara Flint, staff counsel at the Center for Democracy and Technology, a Washington, D.C., public interest group. "The biggest is the problem of mission creep. TSA has expanded the scope of the program beyond what they've been stating."
The concern is that an increase in criminal background checks, including those of international suspects and people with outstanding arrest warrants, will divert resources away from the system's main purpose -- making airline travel safer.
David Sobel, general counsel for the Electronic Privacy Information Center in Washington, D.C., said that using the system to apprehend passengers with outstanding warrants "seems to be above and beyond the underlying purpose of keeping terrorists off airplanes."
Sobel also expressed concerns that the sources of the commercial data provided to CAPPS II will not be made public.
CAPPS II creates passenger name records based on information collected when passengers make their flight reservations. The system will rely on commercial data providers to verify the passenger's identity.
That data will help officials assign a risk-assessment score to each traveler. A passenger may pose a low, elevated or high security risk. DHS officials believe that most passengers will fall into the low category and will be allowed to board airplanes in a normal fashion.
Those labeled an elevated risk will be subjected to a secondary screening by airport security. Passengers deemed to pose a high security risk will be brought to the attention of law enforcement officials.
"CAPPS II will be a valuable tool in holding down passenger wait times by reducing the number of people who undergo secondary screening or who are misidentified as potential terrorists," said TSA Administrator James Loy.
DHS officials said the agency will continue to evaluate public comments about the system. The notice also said that key technological systems are still being developed and tested.
*******************************
Federal Computer Week
Senate OKs OMB deputy director
BY Judi Hasson
August 1, 2003
The Senate July 31 confirmed Joel David Kaplan as the deputy director of the Office of Management and Budget, rounding out President Bush's new team for the executive office.
Kaplan joins OMB Director Joshua Bolten, who replaced Mitchell Daniels, and Clay Johnson, the deputy director for management.
Bolten and Johnson were confirmed earlier this summer. Kaplan replaces Nancy Dorn as the lead official for the Bush administration's governmentwide management initiatives.
Kaplan had served as the special assistant to the president in the Office of the Chief of Staff, where he helped develop administration policy on international economic affairs, homeland security, energy and transportation.
He is a graduate of Harvard College and Harvard Law School. He served as a law clerk for Justice Antonin Scalia.
*******************************
Government Computer News
Commission recommends that USPS drop e-commerce
By Jason Miller
The Postal Service should drop its e-commerce initiatives and spend its resources strictly on mail delivery, the President's Commission on the U.S. Postal Service has concluded in a new report.
The commission also suggested the Postal Service consider outsourcing its IT management along with other high-cost functions, such as real estate management and vehicle maintenance.
The report (208-page PDF), released last week, said USPS' e-commerce ventures have produced largely disappointing results and "drained time and resources that could have been spent improving traditional postal services."
President Bush created the commission in December through an executive order and asked it to recommend legislative and administrative postal reforms. The White House is studying the findings, as is the Postal Service.
"We will be reviewing the commission's recommendations and look forward to continuing to work with the administration and Congress as we evaluate the commission's proposals," USPS spokesman Mark Saunders said.
The commission found most citizens have no idea that USPS provides e-commerce services, such as electronic bill payment, Internet tax services, money transfers, certified e-mail and online greeting cards. Additionally, USPS should leave these e-commerce services to the many companies that also offer them, said the report, Embracing the Future: Making the Tough Choices to Preserve Universal Mail Service.
Instead, the Postal Service should focus on smart mail services, the report said.
"Intelligent mail can serve a far broader purpose, functioning as the foundation of a truly digital network that links postal facilities, vehicles and employees not only to each other, but also via the Internet to customers and to the individual mail pieces themselves," the commission said.
It recommended that USPS consider working with the Homeland Security Department on a sender-identification technology for each piece of mail. This technology could include a smart bar code or stamp that contains sender, geographical origin and mail class identification.
USPS also should consider letting citizens personalize their stamps with pictures or business logos that could include sender information, the commission said.
*******************************
Government Computer News
Army begins development of battlefield net
By Dawn S. Onley
The Army has begun the development and demonstration phase of its $10 billion Warfighter Information Network-Tactical project.
Last week, Michael Wynne, acting undersecretary of Defense for acquisition, technology and logistics, gave the Army the green light to proceed beyond the concept phase of WIN-T.
The decision came the day after the Defense Acquisition Board met to review the project, said Donald L. Keller, WIN-T project director.
Through the WIN-T program, the Army plans to build a high-speed, high-capacity network for wired and wireless voice, data and video communications for soldiers on the battlefield.
"The Army had to demonstrate that the requirements are sound, that a system and operational architecture have been developed and that the program is affordable," Keller said.
In this second phase, the service will spend 27 months working with Lockheed Martin Corp.'s mission systems group and General Dynamics Corp.'s C4 systems division. The trio will design the system, run models and simulations of the communications network, and build equipment prototypes, Keller said.
The Army has awarded $68 million to General Dynamics and $63 million to Lockheed Martin for Phase 2 work.
By 2006, the Army wants to pick one of the two vendors to begin rolling out an operational WIN-T.
*******************************
Government Computer News
07/22/03
OPM says it won't reopen Recruitment One-Stop buy
By Jason Miller
The Office of Personnel Management will continue to work with Monster Government Solutions to revamp its usajobs.opm.gov after deciding yesterday against following the General Accounting Office's recommendation that OPM recompete a procurement to upgrade the Web site.
In a letter to GAO, OPM said it would be unwise to reopen the buy for the Recruitment One-Stop Quicksilver project because it would be "incompatible with the best interest of the federal government."
OPM said it needed to continue working with TMP Worldwide Government Services of New York, the parent company of Monster Government Solutions, because the agency already has paid TMP $4.8 million for work to reach the e-government project's first two milestones.
Additionally, OPM said it could have recompeted the integration and maintenance portion of the contract, but that would require access to TMP's source code. And TMP declined to provide a license, OPM said.
OPM also told GAO that national "security demands and critical domestic needs underlie the government's vital need for efficient recruitment and hiring methods."
GAO now is required under the Competition in Contracting Act to inform the House Appropriations and Government Reform committees and the Senate Appropriations and Governmental Affairs committees of OPM's determination. That is according to Dan Gordon, GAO's managing associate general counsel, who last month explained the process following an agency's refusal to follow GAO's recommendations in a procurement protest ruling.
Symplicity Corp. of Arlington, Va., a losing bidder for the Recruitment One-Stop contract, protested the award. (Click for May 19, 2003, GCN story http://www.gcn.com/22_11/e_gov/22111-1.html)
GAO ruled that OPM should re-evaluate all bids to determine whether the proposed services are within the scope of the winning company's schedule contract. GAO also recommended that OPM reopen discussions with all bidders in the competitive range and re-evaluate their revised offers. (Click for May 7, 2003, GCN story http://www.gcn.com/vol1_no1/e_gov/22020-1.html)
OPM in January awarded a five-year contract to TMP. OPM could extend the contract to 2013 through option years. The potential value of the contract is $62 million over 10 years.
*******************************
Government Executive
August 1, 2003
Homeland Security braces to deal with unregistered foreign students
By Shane Harris
sharris@xxxxxxxxxxx
More than 600 U.S. colleges and universities that enroll foreigners have failed to register their students in a government database that monitors their course schedules, disciplinary records and travel habits, according to the Homeland Security Department. The enrollment deadline arrived Friday, meaning that potentially thousands of unregistered students may be denied entry into the United States as they return for the start of the academic year.
To prevent that from happening, Homeland Security is setting up a 24-hour command post at the National Records Center in Missouri to assist unregistered students. Officials at the center will work with schools and inspectors at U.S. points of entry to clear students across the border, said Garrison Courtney, a spokesman for Homeland Security's Bureau of Immigration and Customs Enforcement.
Bureau officials also will be sent to the eight U.S. airports that account for more than 70 percent of all foreign students entering the country to assist with processing the students.
But while officials are taking steps to ensure students aren't turned back at the border, the department warned in a memo to a foreign educators association earlier this month that it "cannot guarantee entry for all students" who haven't registered with the database, known as the Student Exchange Visitor and Information System (SEVIS). Schools are required to issue incoming students a SEVIS document that proves they've been cleared to study in the country.
Nearly 6,000 schools have registered their students in SEVIS. But other schools failed to even start the process until six weeks ago, Courtney said. He gave no reason why the schools had failed to act, even though the SEVIS deadline has been widely publicized for more than a year.
There are no plans to extend the Aug. 1 deadline, Courtney said.
In addition to setting up the command center, Homeland Security has sent written guidance to the inspectors at U.S. ports of entry instructing them how to deal with students lacking required paperwork. Officials at the port have been instructed to call the command center with any problems, and workers there will contact schools to confirm students are registered to attend classes, Courtney said.
"Notices have already been sent" to schools across the country, according to a Homeland Security statement, "outlining the many issues" the government anticipates will arise as students arrive at U.S. ports of entry. Those issues include students having only partial paperwork or not being registered in SEVIS at all.
Schools' efforts to register students in SEVIS have been severely hampered because of technical glitches. The bugs have been so severe that some schools have shut down their foreign student offices for days waiting for repairs to be made.
One of the most widely reported problems, commonly known as "data bleeding," led to records from some schools being melded with data from other institutions. In one case, a student advisor at Duke University inadvertently pulled up hundreds of records belonging to students in a foreign exchange program at another school.
Courtney said many of the glitches have been fixed, and that officials are quickly dealing with new ones that crop up. "The SEVIS system a week ago isn't the same system it is today," he said.
Courtney said that some schools might not be using sophisticated enough computers to interface with SEVIS, which is run on the Internet. "It might be outdated hardware on their side" that's causing some of the problems, particularly the delays some schools have experienced when trying to log into the system, Courtney said.
SEVIS was established in response to the Sept. 11 terrorist attacks, when it was discovered that two of the men who hijacked commercial airliners that day were in the U.S. on student visas. School administrators have widely criticized the system, saying they resent being forced to police their students' activities.
Supporters of the registration system point to the weaknesses in the student visa issuance system that allowed some of the Sept. 11 hijackers to remain in the country.
*******************************
Government Executive
July 31, 2003
OMB challenges report on Privacy Act compliance
By Amelia Gruber
agruber@xxxxxxxxxxx
Bush administration officials have rebuked the General Accounting Office for concluding in a new report that agencies are not taking adequate steps to protect private records.
Nearly 30 percent of federal agencies are unable to confirm that the personal data they disclose to outside organizations is "complete, accurate, relevant and timely," GAO concluded in the report (GAO-03-304), issued Wednesday. Fourteen percent fail to note some instances where they share private records with outsiders, and 18 percent do not check to make sure that outsiders are using disclosed information for its intended purpose, according to GAO.
GAO obtained its statistics by questioning officials at 25 agencies about their efforts to comply with the 1974 Privacy Act, which requires agencies to identify systems containing confidential information, limit access to sensitive data and make certain the data is reliable and used properly.
Survey responses showed a mixed record on compliance with the Privacy Act, GAO said. "As a result of this uneven compliance, the government cannot adequately assure the public that all legislated individual privacy rights are being protected," the report concluded.
"With all due respect, these statements border on the reckless and irresponsible," said Mark Forman, administrator of OMB's Office of E-government and Information Technology, and John Graham, administrator of OMB's Office of Information and Regulatory Affairs, in a letter to GAO responding to the report.
The OMB officials complained that GAO did not have adequate information on which to base its conclusion that the government cannot assure citizens that agencies are fully protecting private data. "A lack of perfect consistency from one agency to the next should hardly be surprising when one considers that the federal government is composed of dozens of agencies," they wrote.
The fact that the 25 agencies did not report 100 percent compliance with every facet of the Privacy Act should not have made GAO leap to the conclusion that public information is not protected, Forman and Graham said.
In turn, GAO argued that its survey was "extremely comprehensive" and was developed over "many months with assistance from agency privacy officials." Congress intended the Privacy Act as a "framework" for protecting personal privacy, GAO officials said. Failure to comply with any component of the law, they argued, jeopardizes privacy.
Agencies cited a lack of clear OMB guidance on protecting personal electronic records as one explanation for failure to comply fully with the Privacy Act, GAO reported. OMB, charged with overseeing agencies' adherence to the law, should work on improving this guidance, the report recommended. About 70 percent of 2,400 record systems managed by the agencies GAO surveyed contained electronic records.
Sen. Joseph Lieberman, D-Conn., who requested the report, said that in light of GAO's findings, the "administration needs to act quickly to strengthen privacy protections, by committing more focused leadership and greater resources to [the issue]." He added that the public will "never feel comfortable interacting with the government" unless personal information is kept secure.
In addition to better OMB guidance on handling electronic records, agencies would benefit from placing a higher priority on privacy issues and providing their employees with more comprehensive training on protecting personal information, GAO suggested.
*******************************