
Clips September 24, 2003




ARTICLES

California Bans Spam, Sets Fines
Virus hits US State Department
Security Report Puts Blame On Microsoft
Kazaa Suit Turns Tables on Record Labels, Movie Studios
Sept. 11 Panel Weighs Ideas for Domestic Intelligence
MSN to Limit Chat Service in Most Markets
Court blocks national do-not-call list
'Powerful' enterprise architectures take shape

*******************************
Los Angeles Times
California Bans Spam, Sets Fines
By Carl Ingram
September 24, 2003

SACRAMENTO -- Gov. Gray Davis signed into law Tuesday a groundbreaking bill aimed at banning often offensive "spam" advertisements from the online mailboxes of millions of California computer users.

The measure, by state Sen. Kevin Murray (D-Culver City), would make it illegal for spam marketers and their advertisers to e-mail Californians, unless the recipient had specifically requested it or had had a prior business relationship with the advertiser, such as a bookseller.

Violators would be subject to a fine of $1,000 for each unsolicited message and up to $1 million for blitz campaigns in which hundreds of thousands or even millions of unsolicited sales pitches are sent out daily.

As Davis signed the bill, SB 186, he announced that he had also signed or soon would approve other measures in a package aimed at protecting the privacy of Californians and guarding them from identity theft.

Many states, including California, have enacted laws aimed at cracking down on unsolicited e-mail, whose topics can include products such as sexual enhancers, "anti-aging" creams, weight-loss pills and heavily discounted home loans. But Murray said his bill, effective Jan. 1, would be the first to hold an advertiser liable along with the spam merchant.

"We think it is going to be the toughest bill in the nation," the senator said Tuesday. "The beauty of this is you go after the advertisers. They are fineable and attachable."

Murray noted that spam has increased astronomically in the last couple of years and said it costs frustrated businesses and consumers billions of dollars in wasted time as well as the costs of trying to prevent it.

The new law will allow state Atty. Gen. Bill Lockyer, Internet service providers and individual citizens to sue spam marketers and their advertisers in civil court. Backers of the bill said that feature alone would discourage spam.

As the bill traveled through the Legislature, lawmakers agreed that it would be relatively easy for California to win judgments against spam merchants and their advertisers in state courts. But some considered actually recovering damages from those outside the state and overseas problematic.

Currently, the state routinely sues out-of-state and foreign companies that do business in California for a variety of offenses, such as fraud and false advertising.

Lockyer spokesman Tom Dresslar said, for example, that a judgment could be made in favor of the state against a spam merchant in Beijing, but that it "may be more difficult, depending on distance and the circumstances, to collect. But that doesn't mean we don't go after the guy in Beijing."

Dresslar said Lockyer, who is currently prosecuting a spam merchant under another law, intends to aggressively enforce the anti-spamming law.

Murray disagreed that fines would be difficult to collect against spam merchants located beyond the California state line. He said that since virtually all online transactions involve the use of four internationally recognized credit card companies based in the U.S., it would be relatively easy to locate the offender's bank accounts and attach them for the amount of the fine owed.

Or, Murray said, the plaintiffs could sue a credit card company and attempt to attach the spam merchant's or advertiser's revenue that traveled through the company's channels.

"As long as we know where your money is, we can attach it," he said.

David Kramer, a partner in the Wilson Sonsini law firm in Palo Alto, has been dealing with efforts to control e-mail spam for seven years.

He said the only other state to pass a law banning spam is Delaware.

"It's not working there," said Kramer, "because banning spam is only half the battle. You actually have to create an effective enforcement mechanism to make sure the prohibition is enforced."

In Delaware, the principal enforcer is the attorney general, who is busy with more serious crimes.

The new law in California "not only gives victims the ability to seek redress for themselves," Kramer said, "but it also creates a means of serving the public interest, because those suits create deterrent and the threat of those suits creates deterrent."

He said he hopes that the California law will not be abused as he believes the right to take private action has been in Utah, where the law allows a spam recipient to sue for $10 for every e-mail. There, two law firms have filed 1,500 individual lawsuits seeking $6,500 settlements with e-mail senders, said Kramer.

The California bill was backed by a variety of consumer advocates, who had made protection of residents' privacy a leading issue of the recently concluded legislative session.

Murray said the new law will require recipients to give their consent before receiving a sales pitch via e-mail, unless the individual and the entity had previously done business. In that case, the recipient could demand that no more unsolicited messages be sent.

In a statement, Davis said the California law will signal to the nation that the "time has come for unscrupulous spammers to stop feeding our e-mail boxes a daily diet of unwanted e-mail."

Several bills have been proposed this year in Congress that would restrict the use of commercial e-mail. Sen. Charles E. Schumer (D-N.Y.) has called for a federal anti-spam registry, similar to the do-not-call registries for telemarketers. That would enable consumers to prevent unsolicited commercial e-mail. And Sen. Ron Wyden (D-Ore.) has co-sponsored a bill that would impose stiff civil penalties on spammers who failed to include valid links allowing recipients to unsubscribe to unwanted e-mails.

Davis, however, warned against other federal legislation that threatens to overturn new privacy measures in California and nullify several existing identity-theft laws.

One potential target is the heavily contested California law that requires banks and other financial institutions to first obtain a consumer's consent before his or her private financial history can be sold or traded to third parties for marketing purposes. The law also clamps restrictions on which companies in a business family can and cannot receive such information without the customer's advance approval.

Legislation is moving in both houses of Congress that would throw out the law, written by state Sen. Jackie Speier (D-Hillsborough), on grounds that state laws cannot be stricter than federal laws.

Instead of wiping out California laws, Davis said in a letter to congressional leaders, "Congress should consider them as a model for the rest of the nation."

He said that, if nothing else, the federal legislation should exempt California.

In the Legislature, the Murray proposal drew surprisingly little opposition.

But the California Assn. of Realtors expressed fear that the bill would limit its ability to send electronic notices of trade shows and seminars to its 130,000 members.

Stan Wieg, an association lobbyist, said it would be hard for local chapters, often run by volunteers, to keep up on who does and doesn't want such information.

"You can see how you can be tripped up by that sort of record-keeping obligation," he said.

The direct-marketing industry, which opposed other privacy bills, did not fight the Murray proposal. But industry observers warned that the new law would not touch the most notorious spam merchants, which are based outside the United States.

"It fails to address the core issue about spam. It totally fails to be able to reach the offshore criminals who are sending Viagra ads," said Ray Schultz, editorial director of Direct, a magazine that covers the direct-marketing industry. He said the industry would prefer to see a uniform federal law that supersedes state statutes.

Another bill signed Tuesday by Davis was SB 27, which will require firms that have divulged a customer's personal financial information to others to inform the customer, upon request, which third parties received the information and what it contained.
*******************************
Australian IT
Virus hits US State Department
Ted Bridis
SEPTEMBER 24, 2003 
 
THE US State Department's electronic system for checking every visa applicant for terrorist or criminal history failed worldwide for several hours because of a virus.

The virus crippled the department's Consular Lookout and Support System (CLASS), which contains more than 12.8 million records from the FBI, the State Department and US immigration, drug-enforcement and intelligence agencies. Among the names are those of at least 78,000 suspected terrorists.
In an internal message sent late Tuesday to embassies and consular offices worldwide, officials cautioned that "CLASS is down due to a virus found in the system." There was no backup system immediately available, and officials said they could not predict how long the outage might last.

Within hours, the system was back up and running. A spokeswoman for the US embassy in Seoul, Maureen Cormack, said it was a "short outage" and "not a major problem." She said interviews for visa applicants continued but any decisions could not be made until the system was back up.

In Washington, State Department spokeswoman Joanne Moore said the agency experienced some computer problems but could not confirm the visa-checking system was affected.

"We did have some computer problems," she said. "They're working on it."

Every visa applicant is checked against the names in the CLASS database. The State Department's automated systems are designed to not even print a visa until such a check is completed.

It was unclear which computer virus might have affected the system. But a separate message sent to embassies and consular offices late Tuesday warned that the "Welchia" virus had been detected in one facility. Welchia is an aggressive infection unleashed last month that exploits a software flaw in recent versions of Microsoft's Windows software.

Collectively, Welchia and a related virus, "Blaster," have infected hundreds of thousands of computers worldwide, including computers at the Federal Reserve in Atlanta, Maryland's motor vehicle agency and the Minnesota Transportation Department.

The State Department has invested heavily in the CLASS system since the September 11 terrorist attacks, more than doubling the number of names that applicants are checked against.

One provision of the Patriot Act, passed just weeks after the attacks, added FBI records, including the bureau's violent gang and terrorist database.

The list also includes the names of at least 20,000 people accused of serious Customs violations and the names of 78,000 suspected terrorists.
*******************************
Washington Post
Security Report Puts Blame On Microsoft
By Jonathan Krim
Wednesday, September 24, 2003; Page E01

Viruses, worms and other cyber-attacks that are crippling computers with increasing frequency cannot be stopped as long as the software of one company -- Microsoft Corp. -- dominates computing, according to a paper prepared by corporate technology officers and researchers.

"The security situation is deteriorating," says the report, which is to be released today. With Microsoft operating systems used on more than 90 percent of the world's personal computers, the authors write, most computers are vulnerable to attack and networks are easily compromised.

The report, whose authors include prominent critics of Microsoft, comes at a sensitive time for the company. It is under intense criticism for security flaws in its software despite repeated pledges from Chairman Bill Gates and chief executive Steven A. Ballmer to make security the company's top priority.

"No other company in the world is more committed to providing its customers with more secure software than is Microsoft," said Sean Sundwall, a company spokesman. He said he could not comment further until the paper is released.

Since the recent spread of the Sobig, Blaster and Slammer worms, federal and state officials have questioned cybersecurity more critically. Many technology officers for companies and governments are reconsidering whether they should diversify the types of products on their networks.

The paper argues that governments, through their power to decide what software to buy for their systems, should force Microsoft to reveal more of its software code to allow development of better security tools, and to make its software work better with competing products.

Policymakers must "confront the security effects of monopoly and acknowledge that competition policy is entangled with security policy from this point forward," the paper says.

The technology industry generally opposes government regulation and favors allowing the marketplace and technological innovation to create solutions to problems. Under the free-market theory, if a company's products are flawed, consumers will buy others that are superior.

But Microsoft has virtually no competition for PC operating systems, and people who break into computer systems or write worms and viruses are more technologically adept than many software manufacturers.

"I don't hold to the theory that technology always beats policy," said Daniel E. Geer Jr., one of the paper's authors and chief technology officer for AtStake Inc., a business-security firm in Massachusetts.

The report is being released by the Computer and Communications Industry Association, a trade group that is involved in antitrust action against Microsoft in the United States and Europe. Other authors include Charles P. Pfleeger of Exodus Communications Inc.; John S. Quarterman, founder of Matrix NetSystems Inc.; Rebecca Bace, chief executive of network security firm Infidel Inc., and Peter Gutmann, a computer science researcher at the University of Auckland in New Zealand.

Geer said the paper grew out of his ideas and discussions among security executives and academics about the increase in security threats and was not instigated by the association.

"Nature does not put up with monocultures" because they are too easy to attack, Geer said. "If everything looks just alike . . . it will promptly be punished."

Another author of the paper, Bruce Schneier, chief technology officer of Counterpane Internet Security Inc., is a longtime Microsoft antagonist who has argued that the company should be held financially liable for its security flaws.

Computer users generally agree to terms that absolve software makers of liability, which Microsoft's critics argue gives the company no incentive to be more vigilant about security.

Schneier said the problem with Microsoft is that it is so intent on being dominant that it designs its systems primarily to keep out competitors, not intruders.

"Their goal is to facilitate lock-in" of Microsoft products, he said.
*******************************
Los Angeles Times
Kazaa Suit Turns Tables on Record Labels, Movie Studios
The firm that distributes the file-sharing software accuses the companies of infringing its copyrights.
By Jon Healey

September 24, 2003

Accused by the major record labels and movie studios of enabling rampant global copyright infringement, the company behind the world's most popular file-sharing network has sued the labels and studios.

For copyright infringement.

Last year, the labels and studios filed a federal suit alleging that Sharman Networks Ltd., which distributes the Kazaa file-sharing software people use to copy billions of songs and movies they haven't paid for, contributes to and benefits from online piracy.

On Monday, Sharman tried to turn the tables.

Its federal countersuit claims that the entertainment companies, in their zeal to ferret out pirates, hooked up to the Kazaa network with unauthorized versions of the free Kazaa software -- violating Kazaa's copyright. The countersuit also revives Sharman's allegation that the entertainment companies violated antitrust laws by stopping Sharman and its partner, Altnet Inc. of Woodland Hills, from distributing authorized copies of music and movies through Kazaa.

U.S. District Judge Stephen V. Wilson rejected the antitrust claims July 2 but last week allowed Sharman to try again.

More detailed than previous filings, the countersuit alleges that executives at Vivendi Universal's Universal Music Group and AOL Time Warner Inc.'s Warner Music Group refused to permit their copyrighted songs to be distributed via Altnet.

Universal and Warner declined to comment.

Based in the South Pacific tax haven of Vanuatu, Sharman has moved aggressively to enforce its copyrights. For example, it has sent letters twice in the last six weeks to Google Technology Inc. of Mountain View, Calif., demanding that the Internet search service stop providing links to Kazaa Lite and to other downloadable software that allegedly infringes Sharman's copyrights.

Kazaa Lite is a replica of Sharman's software, minus elements that display ads -- Sharman's chief revenue source.

Monday's counterclaim accuses the entertainment companies of using Kazaa Lite to get onto the network. It also said that the companies' efforts to combat piracy on Kazaa, including offering bogus versions of copyrighted works and sending instant messages to users, violated the terms for using the network.

A spokesman for the Recording Industry Assn. of America said Sharman's "newfound admiration for the importance of copyright law is ironic to say the least.

"Too bad this self-serving respect stops at its headquarters' door in Vanuatu, and doesn't extend to preventing the rampant piracy on its networks or lifting a finger to educate its users about the consequences of illegal file sharing."
*******************************
New York Times
September 24, 2003
Sept. 11 Panel Weighs Ideas for Domestic Intelligence
By PHILIP SHENON

WASHINGTON, Sept. 23 -- The independent commission investigating the Sept. 11 terrorist attacks said today that it was weighing proposals for an overhaul of American intelligence and law enforcement agencies, including the creation of a special domestic intelligence agency that would most likely take over some F.B.I. responsibilities.

The bipartisan commission, which was created by Congress over the opposition of the Bush administration, said in a report issued today that it was also considering a proposal to create a new post, director of national intelligence, to oversee domestic intelligence. It suggested that the new domestic intelligence agency could be an "American version of Britain's MI-5."

Such recommendations from the 10-member panel, known formally as the National Commission on Terrorist Attacks Upon the United States, would most likely meet with fierce resistance from the Bush administration, which has made clear that it would oppose any further restructuring of intelligence and law enforcement agencies.

Asked at a news conference if the panel would recommend a fundamental reorganization of counterterrorism agencies, the chairman, Thomas H. Kean, former governor of New Jersey, said that while no final decision had been made, the proposals for an overhaul of intelligence agencies and the F.B.I. were being seriously debated.

"We will, without question, be making recommendations in that area, and we've tried to state very boldly the questions that are out there in this town and elsewhere in the country," said Mr. Kean, a Republican. "We are, by statute and by mandate, asked to look at those questions."

The panel's vice chairman, Lee H. Hamilton, a former Democratic House member from Indiana, said that he expected some of the panel's recommendations next year to be "controversial," involving "cutting edge issues," and that panel members would publicly pursue them long after the commission filed its final report.

"We will not go away the day after we release our report," Mr. Hamilton said. "We want recommendations that can be implemented, work in the real world and make a difference."

A call for the creation of a domestic intelligence agency or a domestic intelligence czar would probably have enthusiastic support from lawmakers and counterterrorism specialists who have said that the Sept. 11 attacks demonstrated the need for a wholesale restructuring of the Central Intelligence Agency, the Federal Bureau of Investigation and other counterterrorism agencies.

The commission's interim report today offered no revelations about the events of Sept. 11, 2001, or the government's actions before or after the attacks.

Instead, the report outlined the commission's plans for its investigation, including public hearings later this year that will focus specifically on the performance of the C.I.A., the F.B.I. and other counterterrorism agencies, and whether they need to be restructured.

"We will explore questions of organization and leadership," the report said. "Should we restructure the intelligence community and create a director of national intelligence? Should we change the way we prepare and issue warnings of terrorist attacks?"

The report said that later public hearings "will examine reforms by the F.B.I. and whether we need a new agency to gather intelligence in the United States -- what some have called an American version of Britain's MI-5. We will look at whether our nation is striking the right balance of security and liberty."

Elsewhere in its report today, the commission said agencies of the executive branch had "significantly improved their performance in responding to our document request" since July, when the panel went public with criticism that the Pentagon, the Justice Department and other agencies had been slow to turn over classified documents related to the Sept. 11 attacks.

"The commission has obtained access to many of the key White House and National Security Council documents we have sought from this administration and its predecessor," the report said today. "The access we already have is on a unique breadth and scale."

The panel said it was still pressing the White House for a variety of highly classified documents. "Although we have received certain assurances, we are still negotiating with the White House," the report said. "We will inform the public promptly if the commission does not receive the access it needs."

At the news conference, Mr. Kean praised the administration's stepped-up cooperation with the panel and said that "at this point, we have been refused nothing." He said the panel had received 400,000 pages of government documents, most of them since July, and "it's amazing to see these documents come in, box after box after boxload."

But he said he was still disturbed by the insistence of some executive branch agencies -- he did not say which -- that their employees be interviewed by the commission only in the presence of the agency's lawyers or other "minders."

"Still got minders, still don't like them," Mr. Kean said, adding, however, that he had been pleased to hear from the commission staff that "as they've done these interviews, the interviewees are encouragingly frank, that they by and large have not seemed to be intimidated in any way in their answers."

Asked if President Bush and former President Bill Clinton would be asked to testify before the panel, Mr. Kean said that the decision would probably be made early next year.

"We have been talking with a number of people on levels that aren't quite as exalted," he said. "We are not going to make that decision at this time, but we plan to talk to everybody who has information to offer."
*******************************
Associated Press
MSN to Limit Chat Service in Most Markets
Wed Sep 24, 6:32 AM ET
By HELEN JUNG, AP Business Writer

SEATTLE - Microsoft Corp. is shutting down Internet chat services in most of its markets around the world and limiting the service in the United States to help reduce criminal solicitations of children through online discussions.


The changes also should help Microsoft shed some nonpaying users that have dragged on profits, said an analyst who follows the software giant.


The changes, which will take effect Oct. 14, were disclosed Tuesday.


In most of its 34 markets in Europe, Latin America and Asia, Microsoft MSN has chosen to simply shut down the service. However, MSN will continue to offer chat services to users in the United States, Canada, Japan and Brazil.


Eliminating and curtailing the service will help curb inappropriate uses, MSN spokeswoman Lisa Gurry said, including pornographic spam as well as pedophiles or other sexual predators.


"We recognize that it's a common industry wide problem," she said. "We've taken a look at our service and how can we make efforts to step up our efforts to provide a safe environment."


Microsoft officials refused to say how many people use its chat service.


The Redmond, Wash.-based company has about 8.6 million subscribers for its Internet service. Gurry said the number of MSN chat users has been declining as people switch to instant messaging services from companies such as AOL, Yahoo! and MSN.


In recent years, authorities have pursued cases in which suspects allegedly sought out children and others through online chat rooms, including an incident in July in which a 12-year-old British girl ran off to meet a former U.S. Marine she had met in a chat room.


In the United States, MSN will require users of its chat service to subscribe to at least one other paid MSN service. That way, the company will have credit card numbers to make it easier to track down users who violate MSN's terms of use. The sessions will not be moderated, Microsoft said.


In Canada and Japan, the company will offer some moderated chat rooms. Users can also subscribe to an unmoderated service. MSN will offer some moderated chat discussions in New Zealand and Brazil.


The move also may help MSN trim the number of free users and help boost its overall revenue, said Rob Helm, an analyst with Directions on Microsoft, an independent research firm.


"I think this change will have welcome side effects, like keeping spammers out of the chat rooms," he said. "But fundamentally I believe this is a move to make MSN more profitable. It will allow the company to get rid of some infrastructure that was supporting chat, and to make more money on what it leaves in place."
*******************************
Government Computer News
09/24/03
Court blocks national do-not-call list
By Patricia Daukantas

A U.S. district court in Oklahoma City has ruled that the Federal Trade Commission does not have the authority to run a national anti-telemarketing list, but the donotcall.gov Web site associated with the list remained up and running as of this afternoon.

Federal Judge Lee R. West ruled yesterday that the FTC had no statutory authority to promulgate a national registry of phone numbers that cannot receive unsolicited marketing calls.

In a statement, however, FTC Chairman Timothy J. Muris said that the commission had "clear legislative direction" to create the registry.

The Direct Marketing Association Inc. of New York and four telemarketing companies had filed suit against the FTC over the National Do Not Call Registry, which opened its virtual doors in late June. The registry is a joint effort of FTC and the Federal Communications Commission, which was not named in the suit.

Last week, FTC announced that more than 50 million households had registered their phone numbers with the service. The list was supposed to take effect on Oct. 1.

In his statement, Muris said that FTC issued the rules that created the do-not-call registry under the Telemarketing and Consumer Fraud and Abuse Protection Act. Earlier this year Congress passed and President Bush signed the Do Not Call Implementation Act to allow the commission to fund the registry through fees on telemarketers and sellers.

The Omnibus Appropriations Act of 2003 also contains language authorizing FTC to "implement and enforce the do-not-call provisions of the Telemarketing Sales Rule," Muris said.

"This decision is clearly incorrect," Muris said. "We will seek every recourse to give American consumers a choice to stop unwanted telemarketing calls."

In a statement, the DMA expressed gratitude about the decision but said it still "acknowledges the wishes of millions of U.S. consumers who have expressed their preferences not to receive telephone marketing solicitations."
*******************************
Government Computer News
'Powerful' enterprise architectures take shape
By Jason Miller and Thomas R. Temin

The development of enterprise architectures is "the most powerful thing that's happened in federal IT in the last 20 years," according to Veterans Affairs Department acting CIO Ed Meagher. So powerful, in fact, that at VA it has spawned a monster and a crew of deviants, so to speak.

Meagher, speaking this morning at a breakfast hosted by the Bethesda, Md., chapter of the Armed Forces Communications and Electronics Association, quipped that VA secretary Anthony Principi has so fully bought into the EA concept, "that we've created a monster. [Principi] is constantly beating us up with it."

Meagher said a group known within VA as the Deviants -- for Department of Veterans Affairs Enterprise Architecture Innovation Team -- passes judgment on each and every IT project anywhere in the agency, down to aggregated buys of PCs. The group is comprised of CIOs, finance people and deputy undersecretaries from VA's three principal agencies.

The department's architecture effort, for instance, showed that three benefits deceased veterans are entitled to -- transport to funeral homes, mortuary services and burial -- each require survivors to make a separate application to one of the three bureaus, a situation Meagher said VA will fix.

The AFCEA breakfast featured reports on how VA and two other agencies are advancing their EA plans.

Environmental Protection Agency CIO Kim Nelson said that all new IT contracts will include a clause requiring contractors to abide by the systems blueprint when designing or implementing new applications.

"We were looking for a way to build our architecture into our business processes and enforce it," Nelson said. "Now that we have our target architecture, we have to educate vendors on where to find it and how to use it."

She said EPA is developing a CD-ROM that will include the architecture, minus confidential information such as security data, to hand out to vendors.

"Vendors need to understand what exists and whether they can reuse it for future applications," Nelson said. "This is a smart thing to do because it makes sure you align your investments with your architecture."

While EPA is managing its investments through its EA, the Energy Department is using its blueprint as a communications tool.

Karen Evans, Energy CIO and soon-to-be administrator for e-government and IT for the Office of Management and Budget, said her agency's enterprise architecture efforts have given greater visibility to the many ongoing IT investments in the department. That in turn helps DOE's investment steering committee decide which projects are redundant, which can be consolidated, and which might be vital to a particular mission, Evans said.

She said that, through this process, Energy consolidated 22 help desks down to two because the duplicative systems became obvious after doing an analysis.

Energy officials also used the EA to discover the agency has 264 systems that provide at least some similar enterprise resource planning function. Evans said the steering committee thereupon froze new acquisitions for these systems until each can be analyzed more fully.

Evans added officials will use the enterprise architecture to update its e-government strategy, with which it plans to evaluate the possibilities of consolidating 50 networks, 17 Web sites and three grant systems.
*******************************
Government Executive
September 23, 2003
Government and tech industry release security recommendations
By Shane Harris
sharris@xxxxxxxxxxx

Five federal agencies, a nonprofit Internet security group and one of the nation's largest software manufacturers have issued recommendations for making one of the most popular software programs in the government more secure. The move, announced at a press conference in Washington Tuesday, marks a watershed between the government and the technology industry, officials said.


Oracle Corp., the giant database software maker that counts the federal government as its largest single customer, has agreed to deliver a new version of its product to the Energy Department that has more than 250 specific security enhancements. Those modifications have been packaged in a "benchmark document" that is being published on the Internet, so that other federal agencies can take advantage of it.


It's unclear how many agencies will avail themselves of the security recommendations, since implementing them could take considerable time and effort. Karen Evans, Energy's chief information officer and a driving force behind the deal with Oracle, noted that the lengthy process of making security changes to commercial software was one of the reasons her department sought concessions from the company before the product was delivered.


The Energy Department deal conforms to an Office of Management and Budget mandate to use the federal government's significant purchasing power to gain concessions and special arrangements from technology contractors. The government is the single largest purchaser of information technology goods and services in the United States.


The Center for Internet Security, which helped craft Oracle's modifications, is also developing an automated tool that will scan a system and score it on how well it complies with the benchmarks. The tool is in the final stages of development, and the center will release it publicly when it is finished.


Energy and Oracle reached their agreement in the summer, but neither side had publicly announced the deal or the release of the benchmark document before.


Evans will have broader authority over procurement and security strategy when she takes over the position of e-government and technology chief at OMB next month. She replaces Mark Forman, the president's first e-government administrator, who is taking a job in the private sector.


Oracle is delivering the more secure software as part of a two-phase licensing agreement with Energy. The first phase will cover the department's headquarters in Washington and is valued at $5 million, Evans said. The second phase, which Evans expects to be implemented in the next fiscal year, will provide the Oracle software to government and contract Energy locations across the country, she said.
*******************************