In a press event in Utah yesterday, Governor Gary R. Herbert detailed the state’s response to the breach including a full-scale independent audit of technology security systems and the appointment of a new technology director. Local law enforcement is also conducting a separate investigation.

The security audit will be conducted by Deloitte.

“The State of Utah must restore the trust placed in it,” the Governor said. “Cyber-security is the modern battlefront and we are all enlisted—you, me, our state agencies, the Legislature—all of us have a critical role to play,” he added.

The Governor made a public apology to citizens effected by the breach including 500,000 individuals who had less sensitive information stored on the compromised server.

“The compromise of even one person’s private information is a completely unacceptable breach of trust,” said the Governor. “The people of Utah rightly believe that their government will protect them, their families and their personal data. As a state government, we failed to honor that commitment. For that, as your Governor and as a Utahn, I am deeply sorry.”

According to law enforcement authorities, cyber attacks on public information systems have increased 600% this year, resulting in nearly a million attempts daily by cyber terrorists or hackers to infiltrate the State IT network.

The Governor is appointing Sheila Walsh-McDonald as the new Health Data Security Ombudsman. She will oversee individual case management, credit counseling and public outreach.

The Governor also announced the resignation of Stephen Fletcher, executive director of the Dept. of Technology Services (DTS), and the subsequent appointment of 28-year IT veteran Mark Van Orden as acting director of DTS.

Intergraph Government Solutions was recently honored at the GovSec 2012 Conference for its middleware solution for critical infrastructure – EdgeFrontier. Billed as the “ultimate Swiss army knife” for creating interfaces by integrating various types of data, events, and control functions, EdgeFrontier can be added to networks or embedded into the company’s infrastructure options as part of the product suite.

EdgeFrontier was originally developed by West Virginia-based, company Augusta Systems which was acquired by Intergraph last year. EdgeFrontier is set up to work as a data integrator, compiling reports from all of the areas where it is used and displaying them back to officials in a single view. The middleware can also be configured remotely, supporting data normalization across scenarios – cutting costs and saving bandwidth.

“We’ve had a lot of interest from systems integrators as well as the government security market,” says Ken Dickerman, Senior Manager, Integraph in an interview with CivSource.

According to Dickerman, EdgeFrontier started gaining attention from security professionals when it was used to provide live grounds monitoring when the Olympics were held in Canada a few years ago. Since then, it has been steadily drawing new clients including the city of Richmond, Virginia which uses EdgeFrontier to provide integration between municipal and federal homeland security and first responder networks.

Now, when an alert happens that needs state level response the system converts it to all required formats for both state and federal networks and then broadcasts the alert out to other state systems. “Using EdgeFrontier allows us to manage those configurations without recoding anything. All of the work is done through configurations and XML,” Dickerman said.

The system was a joint effort between the Arkansas State Police, the Arkansas Crim Information Center (ACIC) and Arkansas.gov. The partnership choice NIC Inc, an eGovernment solutions provider to complete the portal. Before the system was in place, background checks requested by employers or other authorized groups often took weeks to complete. Now, in most cases the state response is instantaneous.

The system also provides access to FBI fingerprint check results within a week to ten days. Agencies that request numerous checks per month are also able to pay the background check fees on a monthly rather than per-use basis. The service was one of the first of a larger effort to improve government service delivery.

“By running our background checks online we have been able to greatly streamline our hiring process,” said Renee Bearfield, hiring manager at Parkway Health Center, one of the first state employers to start using the system in 2004.

Captain Long is working building a customer relationship management (CRM) platform for the Sheriffs Department that will allow managers and supervisors to process citizen complaints and handle incident management. Currently, the department maintains a personal history index for officers in the field. This index provides a variety of data points on a given officer including use of force, car accidents, disciplinary actions and complaints. However, in order to assemble the index, supervisors must pull individual data points from several areas.

The new platform will compile all of this information into a single location and allow supervisors to establish ranges of acceptable behaviors. Managers will then be able to monitor officer activity and identify potential patterns or poor performance in order to mitigate risk.

The Department has chosen Microsoft Dynamics xRM/CRM to serve as the basis for the platform.

“Right now, we’re monitoring what happens in the department, but it is a time consuming process. The new platform will give us better data for decision making,” Captain Long explains. “This will give us a one page snapshot on each employee and allow us to take a preventative approach to risk management.”

The new platform will also process citizen complaints more quickly. “If someone makes a complaint now, the complaint goes to internal affairs, and we start an investigation. Nine months later we get to the interview stage and say ‘were you rude to this person nine months ago?’, and the person who made the complaint is left waiting,” Long says.

Now, when a complaint comes in, a letter acknowledging receipt will go out and supervisors will have all of the data they need to make decisions quickly.

The CRM system for Orange County is currently in a prototype stage with roll out expected in April. The initial outlay for the project was just under $400,000.

As CivSource has reported, analytics like those offered by the CRM platform are gaining traction with law enforcement officials throughout the country. Customer relationship management, resource planning and predictive analytics are all helping officials gain a faster understanding of increasingly larger and more complex jurisdictions.

“Everyone in law enforcement has a goal of proactive risk management, its just a question of getting the tools in place. CRM has huge potential for our systems and law enforcement in general,” Long says.

On March 1, Google ushered in a new privacy policy for its consumer applications including services like Gmail, Google Search, YouTube and Google Plus. Even before it was fully introduced the new policy raised a variety of concerns in both consumer and public sector circles as individuals reconcile what privacy really looks like on the internet. I spoke with Google spokesmen Tom Sarris and Tim Drinan of Google Enterprise about the new privacy policy and what it will mean for government users.

“The thing that many people don’t understand is that the policy isn’t completely new, its a consolidation of our previous policies across all of these disparate areas into a plain English version that is more readable. We aren’t capturing anything new,” Drinan explains. “For our enterprise and government customers, any contracts they have with us that were made separately will supersede the consumer privacy policy.”

He points to an existing agreement with Google Apps for Government client – the General Services Administration (GSA). According to Drinan, the GSA maintains a separate privacy contract with Google that complies with federal security regulations. Regulations which would prohibit much of the data collection practices contained in the current consumer version of the privacy policy.

A claim which is backed up by a statement from the GSA – “The recent changes announced by Google pertain only to their free, publicly available services. These changes do not apply to Google Apps for Government, which is the version used by GSA. Our usage of the Google Apps solution is governed by contractual agreement with Google and our prime contractor, Unisys. The solution is compliant with all federal regulations and requirements, including those regarding privacy and data protection.”

Despite that, some concerns remain about the overall process of using Google Apps in a public sector setting. Users who use Google services for both personal and public sector use are in essence subject to two privacy policies depending on how they are logged in.

If an individual is logged into their government account, they’ll be protected under the contract governing their agency. If an individual logs in on their personal account they’ll be governed by the consumer policy. Drinan notes that no data will be shared between the two accounts.

Although these nuances may not be immediately clear to an individual user. Google is in a unique position, being a government service provider that is also the custodian of the retail consumer internet experience. A position which may not be fully understood by individuals.

Drinan explains that Google Apps for Government account administrators may open or block access to other sites and services like YouTube, although most clients maintain blocks on many of these areas.  However, once a user logs in from a device that is not behind a wall like that, now they are governed by both policies depending on how they are logged in – conditions which can be risky in the era of mobile access, telework and multiple workflows.

I asked Drinan if there is a warning process or some kind of education that comes from Google about how these worlds work together or when users are switching between them. He notes that they leave the education component largely up to the clients themselves. He also also pointed me to a two blog posts that the company has put up to help clear up any questions about the two policies.

“We went through an extensive notification process before the policy took effect for Google users. It was one of the largest notification efforts we’ve undertaken,” He says.

On March 1, Google ushered in a new set of privacy policies that make it nearly impossible to keep web use data private. Even in cases where an individual disables their own history, that data is still tracked. Users of Google and its auxiliary services like YouTube, or Google Plus cannot opt out of these terms. For private individuals, the new terms should raise significant red flags. For public sector individuals using Google services for government work, the policies may be a dealbreaker.

According to Gould and Miller, recent incidents suggest that Google does not exercise adequate control over certain aspects of its technology which may compromise the security of government information in Google cloud services. The two have issued a call on SafeGov.org asking the company to become more responsive to the realities of doing business in the public sector.

“With many of these offerings, there are no boundaries between how they are used by someone acting in the private sector and public sector. Individuals get no warning when they are switching between the two spheres and indeed the data, even if sensitive, is universally kept,” Miller explains.

He notes that while Google claims that it makes special arrangements for its government and enterprise users, referring links typically go back to the global policy which gives Google carte blanche use of user data and content. To that end, they are calling on Google to create and publish an audit program to ensure that  government-specific privacy policies are effectively implemented by Google’s cloud products and service delivery organization.

If crafted and utilized, an audit program could provide Congressional oversight and the American taxpayers with the information they need to ensure that they are meeting the terms and conditions of their federal government contracts.

Miller and Gould note that there are other concerns, specifically that Google has made no assurances that it is not monitoring or using government data without explicit consent. Questions about Google’s practices through its Apps for Government offering have been cropping up throughout state governments as well. The company’s high profile failure to comply with law enforcement security requirements in Los Angeles being one of the more troubling examples.

For private consumers of the internet, Google now has primacy as the custodian of that experience – a position which carries over as public sector workers use Google services of their own accord. However, the experts note, when it comes to paid use of these services through a government contract adjustments must be made.

“Google’s market share in this space is 1% if they want to get to 10% they’re going to have to make some adjustments. There are many other providers with more experience working with sensitive government data that have made those adjustments,” Gould says.

Editor’s Note: In addition to their work with SafeGov.org both Gould and Miller currently act as government IT consultants. Mr. Gould has consulting relationships with several IT service providers including Microsoft. Mr. Miller also consults for service providers including HP, and Microsoft.

The center is modeled after Dell’s Social Media Listening Command Center which uses Dell technology to track communication and engagement on social networking sites. The Red Cross digital operations center will be located in their national disaster operations center in Washington D.C.

The Red Cross hopes to expand its reach to the public during emergencies in order to provide information and determine where to position workers on the ground during an event. They will also leverage tools like heat maps to visualize spikes and prevalent themes in social conversations.

“Our goal is to become a social liaison for people, families and communities to support one another before, during and after disasters,” said Gail J. McGovern, president and CEO of the Red Cross.

A Red Cross survey revealed that the Internet now is the third most commonly used way for people to get emergency-related information. The Red Cross Digital Operations Center will be staffed when the Red Cross Disaster Operation Center is activated during major disasters. The American Red Cross responds to more than 200 disasters on an average day, from house fires to major events.

Dell is providing funding for the project. Dell’s involvement is part of the company’s larger commitment to the Red Cross, which includes additional general funding, technology and employee engagement to support disaster relief programs.

Looking back on the conference and Secretary Ridge’s keynote, there were several important takeaways for state and local leaders:

• It is vital that risk assessment and risk remediation be an integral part of any leader’s management plans and program.
• Continuing to improve our information sharing capabilities should be a high priority across federal, state and local levels of government.
• Issues of technology interoperability and expanded bandwidth support for communication should also be a high priority.
• There are significant opportunities to take advantage of available data analytic capabilities to facilitate risk assessment and risk management in various areas of risk.
• Finally, the importance of well-thought, public-private partnering is also a clear imperative and a number of successes and leading practices were evident at the conference.

I recently spent some time with an outstanding leader, former White House Homeland Security Advisor Fran Townsend. In the course of our discussion, we shared our mutual view that risk management and risk assessment should not only be a high priority to the federal, state, and local leaders in the U.S., but to corporate boards as well. I’m pleased that Deloitte is taking a leadership role in developing tools, methods and provocative points of view on improving our public and commercial risk assessment and risk management capabilities.

One additional thought: It was good to be back in New Orleans and to see the level of progress that has been made since Hurricane Katrina. I had the good fortune of spending a considerable amount of time in Louisiana in the early 1990s. Although signs of the devastation are still evident in certain areas, state leadership in partnership with the federal government has made progress in rebuilding the city and rebuilding the economy. It was truly good to see.

As always, I would value your perspective and comments, and hope 2012 is shaping up to be a wonderful year for you.

Mr. Robert N. Campbell III is Vice Chairman, Principal, Deloitte LLP and is the U.S. State Government Leader, based in Austin, TX

The Gallery is a forum for ideas and examination of matters facing state and local government. Readers, members of the media, academics or the business community are invited to submit guest columns to bailey{at}civsourceonline{dot}com. Member of the public sector? We’re interested in hearing from you too. CivSource does not endorse the views presented in The Gallery, but offers them in an effort to present more diverse coverage. CivSource will review all submissions but does not guarantee publication of all works submitted.

The new center will be called the National Cyber Security Center of Excellence and will be located in Montgomery County. Funding for the center is coming from NIST which will allocate $10 million from it’s budget for the center. NIST said in a statement that the goals of the center are to improve the security and trust in US technology and telecommunications systems.

To that end, NIST will be creating teams of researchers, users and private sector vendors to use and test cybersecurity products to find best practices, and improve offerings. NIST aims to support more widespread adoption of integrated cybersecurity tools in both the public and private sectors through this research. NIST will begin by placing a computer lab in an existing building close to NIST’s campus in Gaithersburg. The initiative will generate 23 new jobs in Montgomery County and is expected to help expand the e-commerce workforce.

Maryland Senator Barbara Mikulski commended the partnership calling cyber attacks a “new enduring war,” and emphasized a national need for this kind of research in order to protect national interests.

The partnership is the latest in several technology based initiatives in Maryland. Governor O’Malley has made technology a key part of his administration’s agenda pushing for new economic development in the sector and supporting technology improvements in state government.

In Rochester, the Rochester Police department will use advanced analytics software from IBM to mine, share and extract intelligence from critical data in order to improve police investigative and prevention programs. Law enforcement will then be able to identify local “hot spots,” and allocate resources in advance.

The application, IBM InfoSphere Identity Insight, provides users with specific data from existing law enforcement and public safety databases to aid in investigations and prevention. “The technology will allow law enforcement officials to see broad patterns about activity in their city and focus on prevention,” Cleverley explains.

In Las Vegas, police there will use IBM’s COPLINK crime analytics software, a product already in place in more than 3,000 law enforcement agencies nationwide. COPLINK allows officers to accelerate their investigations by enabling them to make non-obvious connections based on information that was previously spread across the department. COPLINK will also allow the Las Vegas Metropolitan Police Department to forge information sharing agreements with other law enforcement agencies that already use COPLINK inside and outside Nevada.

Las Vegas police were already using parts of the i2 crime analytics software from IBM – the broader suite which includes COPLINK, giving the department a more comprehensive crime analytics platform.

IBM is working to provide a broad spectrum of analytics solutions for cities Cleverley said. Last year, CivSource reported on another predictive analytics solution used by the Memphis police department. “All of these tools fit along the spectrum of analytics capabilities,” Cleverley said. “You can leverage analytics in a variety of different ways depending on the desired data and outcomes. Each city is using the tools in slightly different ways based on what makes sense for them.”

Cleverley noted that these types of applications can also help make the case for projects like the Public Safety Broadband Network. By giving law enforcement the infrastructure to handle data transfer, and communications at higher speeds throughout more locations officials will also see an improved user experience with applications like COPLINK.

“These tools can really help with the investigation process. For example, witnesses often recant in the hours after reporting a crime. What if law enforcement officials could replay a 911 call for the witness at the first visit, or show them some of the information they already have? It could save time, and strengthen the overall investigation process,” Cleverley said.

IBM has put together a YouTube video that demonstrates COPLINK’s capabilities here.