Government Technology News
Tue, 23 May 2017 20:36:05 +0200
IT Legislative Lookback: Where Are They Now?
At Government Technology, we talk a fair amount about what is coming around the legislative corner in states around the country. While some of the proposals we focus on succeed and ultimately become law, others wither and die on the vine.
From preparing for the seemingly inevitable onslaught of autonomous vehicles on U.S. roadways to reworking the physical structure of state IT agencies, lawmakers use their proposals to highlight what they see as important priorities.
Looking back at the landscape and taking stock of these successes and failures can be a good indicator of the overall health of a state’s IT environment. In this retrospective piece, you’ll find the status of many of the bills we looked at earlier in 2017.
Autonomous Vehicle Testing on California Roads: California Senate Bill 145 aims to amend the state’s vehicle code to streamline the application process for autonomous vehicle (AV) testing. The bill would eliminate the requirement for the Department of Motor Vehicles to notify the Legislature upon receipt of an AV testing application on public roadways. Additionally, the proposal eliminates the 180-day delay of the application prior to approval. As it currently stands, the bill passed, as of May 4, and is being reviewed by the Assembly’s Committee on Transportation, as of May 18. A similar bill in the Assembly, Assembly Bill 87, seems to have lost steam as of March 20.
Like California, lawmakers in Texas have been eyeing AV testing on public roadways throughout the state. On May 20 the House tentatively approved legislation that would allow manufacturers to test driverless vehicles on public roads with the requirement they meet federal and state safety standards and carry liability insurance.
Privacy and Security in Washington: In Washington, House Bill 1421 was proposed as a means to remove sensitive payment information from state data systems. Under the proposal, payment information would need to be handled and retained by a third party. The effort, which was reintroduced via resolution April 24, was returned to the House Rules Committee for a third reading. If successful, agencies currently storing payment data would have until July 1, 2020, to remove applicable data from state systems. The last day of the regular legislative session was April 23; the special session convened April 24.
Alabama IT Gains Autonomy: Senate Bill 219 brought Alabama’s Office of Information Technology (OIT) out from under the umbrella of the state’s Department of Finance. After some coordination between OIT Secretary Joanne Hale and her finance counterparts, the IT agency was granted autonomy May 9 when Gov. Kay Ivey signed the bill into law. While the change doesn’t come with a host of new power, it represents what Hale described to Government Technology as part of the evolution process of state IT. The newly minted law will officially go into effect Oct. 1, 2017, though the agency has already been operating under its new charge for the last several months through an interagency agreement.
Florida IT Agency Escapes Legislative Assault to Autonomy: House Bill 5301 was launched out of a House subcommittee in late March, with the intention of kneecapping and rebranding the Agency for State Technology (AST). The proposal not only would have taken away the IT agency’s authority over the state’s data center, but also would have crippled the enterprise structure, allowing data center customer agencies to unilaterally move to cloud solutions. Though state officials and industry leaders spoke out against the proposal — spearheaded by Rep. Blaise Ingoglia, R-District 35 — it moved along the legislative process tied to the state’s budget. After some negotiation, AST was able to solidify its funding, saving it from the legislative assault. The attempt to restructure and/or defund the agency is just one of a handful of attempts in recent years.
Private-Public Partnerships in Montana: Efforts to codify new rules around public-private partnerships throughout the state fell short after Senate Bill 335 failed on April 28. The proposal would have opened the door to the use of the partnerships as an alternative means to other procurement methods through state and local government. Though the legislation would have allowed public-private partnerships in a number of arenas, it would have also allowed state and local entities to pursue tech-centric projects. The legislation was initially proposed in November 2016. The last day of the legislative session was April 27.
Reduced Barriers for Telemedicine in Texas: A bill reducing the restrictions on telemedicine passed the Texas Legislature May 18. Senate Bill 1107 allows medical professionals to establish the doctor-patient relationship via electronic/audiovisual means, while holding them to the same standards as an in-person encounter. Under the legislation, the requirement that approval is sought before telemedicine services can be reimbursed has been removed, as has the stipulation that a so-called "telepresenter" be present with the patient at the time of the appointment. The governor is expected to sign the legislation.
Getting Tougher on Cybercrime: In Texas, House Bill 9, which would stiffen penalties around malicious disruption of computer networks, is with the Senate awaiting a vote after passing in the House April 13. Under the terms of the proposal, felony sentences could be applied to network disruption and the use of malware or ransomware for profit.
Though similar in overall objective, Vermont’s House Bill 474 has not moved since Feb. 24. Like Texas’ version, the bill aimed to stiffen the penalties associated with cybercrime.
Minnesota’s slightly more focused anti-cybercrime proposal, HB 817, would have applied incremental penalties to hackers interfering with point-of-sale terminals, ATMs and gas pumps. The last action on the legislation was March 9, when amendments were made and it was rereferred to the Committee on Public Safety and Security Policy and Finance for review.
Washington Codifies Biometrics Laws: Gov. Jay Inslee signed two pieces of legislation relating to biometric identifiers on May 16. Under House Bill 1493, companies must receive consent before being allowed to collect customers' biometric data for commercial purposes. Key examples of biometric data are iris scans or heartbeat identifier data. Similarly, House Bill 1717 requires state agencies to obtain constituent consent before collecting biometric data. The new rule applies to data like iris scans, facial geometry, fingerprints and DNA, though law enforcement agencies are exempt from the collection of fingerprints and DNA and are subject to other guidelines.
Mon, 22 May 2017 04:00:00 PDT
How ShotSpotter's Financials Compare with Previous Gov Tech Companies Pre-IPO
SST, the company behind the gunshot-detecting ShotSpotter technology, is poised to become the next in a small handful of gov tech companies to go public.
The company is in the midst of preparing for an initial public offering, which would see it enter NASDAQ with the ticker symbol SSTI. And as part of the process, it’s making its financial details public through filings with the U.S. Securities and Exchange Commission (SEC).
That means putting its financial information alongside the other gov tech companies that have gone public. Of the six companies on the GovTech 100 list to offer shares to the public, we were able to mine the SEC database for pre-IPO filings from four — Itron and Tyler Technologies both went public in the early 1990s, and their filings did not appear readily available.
Two easy comparisons to make lie in revenue and net income. We pulled those figures for the two years prior to each company’s S-1 filings. SST’s revenue in that timeframe is middling — it recorded $11.8 million in revenue in fiscal year 2015 and $15.5 million in fiscal 2016. That outpaces the revenue from Taser (now Axon), which pulled in $2.2 million and $3.4 million before going public, but falls far short of Maximus’ $51.9 million and $103.1 million postings.
SST’s revenue growth rate in the past two years is the slowest on the list. The company’s revenues advanced 32 percent during that timeframe, compared with 55 percent for Taser and 98 percent for Maximus. NIC’s revenues skyrocketed to the tune of a 2,774 percent increase in the two years before its last filings.
Most companies on the list notched net losses in the two years prior to going public, and SST is no exception. However, the company’s losses of $6.2 million and $6.9 million were greater than almost all the marks set by the others on the list. The only larger net loss came from NIC, which had a $7.9 million red mark the year before its final filing.
GovTech IPO Stats
Below are the filings for each company on this list:
Mon, 22 May 2017 02:45:00 PDT
How a Washington County Gets the Most Benefits from Technology Projects
With budget cuts looming in the face of reduced state and federal funding, local governments across the country are looking for ways to stretch their dollars more than ever before.
In 2013, local officials in King County, Wash., began to ask whether their $250 million in current technology investments were truly leading to better services for the public, increased efficiencies and more accountability from its 20 departments and over 13,000 employees at that time.
As the regional government for more than 2 million people living in or around Seattle, the King County Council knew it had to get creative. With dozens of technology projects on the horizon, council members tasked staff with developing an innovative approach to maximizing the benefits of these investments.
Today the council requires that a Benefit Achievement Plan (BAP) be developed for all technology projects prior to being funded. Three years later, county departments are maximizing their technology investments to improve services like never before.
Each of the five steps of the BAP is described below.
Step One: Identify Programmatic Outcomes from Technology Projects
The BAP requires the department proposing a project to describe how the technology investment will improve internal operations, services to customers or cost savings, or reduce the risk of system failures. Most projects have benefits in more than one category. For example, a project that reduces the risk of system failure can also be leveraged to improve operations. Rather than describe all benefits, departments are asked to focus on the high-level benefits.
Tips for Maximizing the Benefits from Technology Projects
1) Engage both the technology and business staff early to identify how the project can improve internal and customer services.
2) Identify a project sponsor who is accountable for achieving the benefits.
3) Describe the benefits in easy-to-understand, non-technical language.
4) Focus on the most valuable benefits, rather than tracking every small improvement.
5) Identify any operational changes necessary to fully achieve benefits from technology projects.
6) Measure outcomes, not the process improvement.
7) Set targets for when benefits will be achieved.
8) Regularly review the project for progress in achieving benefits.
For most departments, reporting on the anticipated project outcomes has required a shift in how they describe the benefits of the project. Early in the process, most departments were describing process improvements and technology changes, not outcomes. Process improvements describe a change in a process, whereas outcomes focus on what happens as a result of the change. For example, if a project will speed up an internal process, whether that efficiency is a process improvement or an actual benefit/outcome depends on how that efficiency is used. The benefit happens when the customer is either getting served faster, or the county is able to do more with the same number of or fewer resources. Similarly, when projects deliver more or better information, the additional information is not necessarily a benefit if that information is not used to improve internal operations or services to the public.
Departments are discouraged from promising benefits that cannot be measured. For example, it would be difficult to measure whether a public health technology investment actually improved public health. However, the department could measure whether medical staff had access to more information and used it to make more informed decisions regarding a patient’s medical care.
To complete the BAP, a department’s business and technology staff need to closely collaborate in order to understand how the technology investment can improve services. This upfront collaboration allows departments to identify any operational barriers early in project planning and structure the project to achieve the benefits. For those projects where it is not possible to identify the expected improvements up front, departments are asked to commit to integrating benefit planning into their project implementation plan and report back as they identify the benefits they are seeking.
Step Two: Identify How to Measure the Improved Outcomes
The next step in the BAP is identifying how the department will measure whether the expected benefits are achieved. Prior to the BAP process, measuring progress was limited to traditional metrics used for capital projects: scope, schedule and budget. There was limited, if any, information on whether the benefits of the project had been achieved.
Following the old adage “you get what you measure,” the council asked departments to measure improvements to programs in the areas of customer service, internal operations, reducing system failures and cost savings. Most departments were able to easily identify how to measure cost savings or a reduction in risk because budget savings can be tracked and risk reduction frequently occurs simply by replacing outdated equipment. However, measuring improvements to internal or external services was more challenging because those improvements can be more difficult to quantify.
As part of the BAP process, departments are encouraged to look for a commonsense way to assess whether service improvements have been achieved. Scientific studies with control groups or expensive measurement efforts are not necessary to determine whether benefits have been achieved. Since the council is looking for programmatic benefits, not technical indicators, it should be program managers who identify metrics. To identify metrics, managers can ask, “How would I know as a manager whether the operational improvements have been achieved?”
Often, seeking information from the users of the systems is sufficient to know if benefits are achieved. For example, one of the stated benefits of a new case management system is to make it easier for prosecutors to manage their cases. Rather than do an in-depth analysis of case outcomes, a simple survey of prosecutors can give the council information on whether case management has improved.
For those projects intending to improve external services, measuring customer satisfaction was critical. By establishing up front that customer satisfaction will be measured, departments are incentivized to actively engage with those stakeholders. For example, the Transit Division plans to survey bus riders on their satisfaction with a new application. So prior to designing the application, the division is more likely to engage those riders to ensure it will meet their needs.
Once measures are identified, departments establish a baseline so that the council knows the degree to which improvements are expected. To determine the baseline, departments often had to learn more about the current status of the service and processes than they had previously done. This baseline information can also be valuable in designing the solution.
Step Three: Set Targets
The next step in the process is for departments to set targets on the level of benefits the project is expected to achieve and when those benefits will be achieved. Target setting provides an opportunity for all stakeholders to agree on the level of benefits expected from the technology investment. When all stakeholders share a common understanding of the benefit of the project, it avoids mismatched expectations between stakeholders.
Examples of expected outcomes:
Designated Mental Health Professional Tablets. External: More time in the field with clients. Measure and target: Reduce number of times staff return to office to one time in seven days.
Systems Management Tools. Internal: Fewer system outages. Measure and target: Reduce number of major outages by 30 percent.
Online Archives Collection Management System. External: Access to online archives. Measure and target: 80 percent of customers satisfied with new online tool.
Parks Facilities Scheduling System Replacement. External: Online access to scheduling. Measure and target: 75 percent of park users are satisfied with new scheduling system.
Tablets for Assessor. Internal: Get more inspections done. Measure and target: Increase parcel inspections per appraiser by 5 percent.
Sheriff’s Regional Identification Project. Internal: Officers have better information. Measure and target: Officers can receive suspect fingerprint identification from patrol car within two minutes.
Step Four: Identify Who Is Responsible for Achieving the Benefit
In the past, accountability for achieving project goals was often assumed to be the responsibility of the project manager. But many times the project manager went on to the next project soon after the technical project implementation, leaving no leadership for achieving the operational and customer benefits that take time to realize.
The project benefits will often require process change beyond the authority and time frame of the technical team. So the council now requires departments to identify a high-level manager or department director who will be accountable for achieving the benefits of the project.
Step Five: Reporting
Previously, the council had no easy way to know whether the investments it had funded achieved the anticipated benefits. Standard “close-out” reports were focused on spending and schedule, which while critical to know, did not reveal whether the benefits of the project had been achieved. Now departments report annually, using the metrics they have identified, on whether the project has achieved its benefits.
Reporting on project benefits can extend beyond the “go-live” date of implementing the technology because it often takes time for the department to realize the operational improvements from the technology. With the BAP process, departments are asked to continue to report annually on the status of the benefits until the benefit has been achieved or the department determines it is not possible to achieve the benefit.
With the implementation of the BAP process for all technology projects, the council now receives the information it needs to evaluate the benefits of a technology project and assess whether those benefits have been achieved. For departments, the BAP process provides a framework for leveraging the technology investment to improve services wherever feasible.
Jennifer Giambattista is a principal legislative analyst with the King County Council. She advises the council on all budget requests for technology projects. She has reviewed over 150 technology projects.
Mon, 22 May 2017 12:30:00 PDT
The Insider Threat: New Report Highlights Problems, Recommendations and Resources
Earlier this month, I was in Washington, D.C., presenting at ISC2’s annual CyberSecureGov Conference, which has become a top-notch federal government cybersecurity event. As I was looking through the agenda after my session, one title grabbed my attention: “Mitigating Insider Threats to our Nation's Critical Infrastructures.”
The presentation, which highlighted new research from The Institute for Critical Infrastructure Technology (ICIT), was groundbreaking in many respects. While the report highlights critical infrastructure sectors, the findings and solutions also apply to state and local governments, and other private-sector companies in numerous ways.
ICIT is a leading cybersecurity think tank that “bridges the gap between the legislative community, federal agencies and critical infrastructure leaders.” They do this with a wide variety of legislative briefs, research reports, events and other materials that offer outstanding insights and action steps. Their extensive list of free legislative briefs and research reports can be found here.
The presenter on insider threats was a respected colleague who I’ve known for several years — Mr. Parham Eftekhari, co-founder and senior fellow at ICIT, who has been working with technology and security leaders in the federal government for more than 15 years.
Describing the insider threat challenges we faced, Mr. Eftekhari said this: “Critical Infrastructure leaders and policy makers are just now beginning to understand the potential for catastrophic digital and cyber-kinetic incidents at the hands of insider threats. As the authors point out, mitigating malicious and non-malicious insiders must be a top priority not only for our government, but for all private-sector organizations. This publication is a powerful asset for any organization looking to build or improve an insider threat mitigation program.”
Insider Threats: A Deep Dive
Starting with definitions, the presentation used the definition from the US CERT Common Sense Guide to Mitigating Insider Threats, which states that an insider threat:
Has or had authorized access to an organization’s network, system or data
Has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity or availability of the organization’s information or information systems
Varieties of insider threats include:
Careless or Uninformed Users
Mismanaged Third-Party Contractors
While none of these definitions is new or surprising, the real examples shown were much more eye-opening. For example, look at these real screen shots from the deep Web:
Hacker for Hire
Self-Proclaimed Insider Threat
W2 Database For Sale on Alphabay
Disgruntled Employee Solicitation
The primary author of the insider threat paper is James Scott, co-founder and senior fellow at ICIT. The new brief is titled: “In 2017, the insider threat epidemic begins.”
On recommendations, Mr. Scott said, “The best protection against insider threat is a basic level of layered security-by-design endpoint protection paired with a combination of solutions that secure data according to its value, according to the principle of least privilege, and according to role-based access controls, as well as other technical controls, and that monitor personnel and users using bleeding-edge artificial intelligence, big data analytics, and solutions that automate cyberhygiene and ensure verifiable accountability trails.”
The solutions offered in the report are vast as well as rather complex. They include these nontechnical controls, such as:
Utilize the Information Security Team
Heed the Information Security Team
Hire Trusted Personnel
Cultivate a Culture of Trust
Train Personnel to Defend the Organization
Policies, procedures and guidelines:
Principles of Least Privilege
Limit Access According to Duties
Segregate Administrative Duties Based on Roles
Address Cybersecurity in SLAs (service level agreements)
COTS (commercial-off-the-shelf software)
Predictive Artificial Intelligence
Security Information and Event Management (SIEM)
User and Entity Behavior Analytics (UEBA)
Identity and Access Management
Data Loss Protection (DLP)
User Activity Monitoring
Other resources include the National Insider Threat Task Force.
Co-Chaired: DNI and U.S. Attorney General
Agencies with Classified Networks are Required to Establish Insider Threat Detection and Prevention Programs Aligned with NITTF
NITTF Provides Assessments, Training, Assistance, Education
Additional Helpful Resources on Insider Threats
This is not the first time, nor will it be the last, that the insider threat topic is brought up in the Lohrmann on Cybersecurity & Infrastructure blog. As a reminder, this topic was even hot back in 2010 when I wrote the blog: “Are you an insider threat?” for CSO Magazine.
I also wrote my views on Edward Snowden, which haven’t changed much, touching on insider threat topics as well. Yes — some good has come from Snowden, but the ends do not justify the means, in my opinion.
Other good reports and publications on addressing insider threats are available at:
Harvard Business Review
Regardless of your views on individuals such as Edward Snowden or interest in national defense issues surrounding insider threats, we all face similar insider threat challenges in our workplaces. The many reports and presentations offered for free by ICIT are an outstanding set of resources that I highly recommend your teams take time to review.
I also want to give a shout-out to the ICIT Annual Forum (www.icitforum.org) June 7 in D.C.
The insider threat issues within cybersecurity and physical security are increasing worldwide. Small, medium and large-sized organizations need to take immediate action to address this growing challenge. These materials can show you how.
Sun, 21 May 2017 05:00:00 PDT
Twitter, Uber Plan to Further Evolve Their Civic Engagement Strategies
SAN FRANCISCO — Uber and Twitter are not in the business of elections. But they are involved in U.S. elections, and in the future they are looking to insert themselves further into the process.
At the first-ever Global Election Technology summit held May 17-18 in San Francisco, public policy analysts from both companies spoke about how they’re working to increase civic engagement and participation.
Twitter has found itself pulled more and more into politics in the past several elections. The social site has served as a platform for journalists, elected officials, everyday citizens, activists and, more recently, U.S. presidents. But Tom Tarantino, a senior public policy manager at the social media giant, said the company is more than comfortable with its position in politics.
In fact, it’s embracing it.
In the 2016 election cycle, Twitter livestreamed presidential debates and both major party conventions. In the recent French presidential election, it further refined its tools by hooking up streaming video with user content.
“Imagine watching a debate not just by yourself, but also seeing what people are talking about,” Tarantino said at the event. “You’re watching the video, at the same time you’re watching every reporter that you follow tweet about the debate, you’re watching all your friends talk about it, you’re hearing perspectives from both sides of the aisle that you’d never hear before if you’d been in your little bubble.”
Next year’s U.S. midterm elections — already gathering more attention than the typical midterms — will become a target for Twitter to further evolve its civic engagement strategy. Tarantino said the company is working on several ideas, mostly around the concept of helping to inform voters about the issues and candidates.
“In 2018 we’re gonna see a much more holistic push around the election … everything from ‘I registered’ emojis all the way up to livestreaming and coverage of election events,” Tarantino said. “But also we need to start thinking about how do we develop a more organic political experience inside the Twitter app? There’s sort of a life cycle to someone’s political engagement. You get informed about an issue, you need to connect to other people, other stakeholders on that issue, and then you give them something to do.”
Uber’s foray into the elections-civic engagement continuum is narrower than Twitter’s. At the event, Tarantino spoke about the need for tech companies to stick to what they’re best at and not chase down every whimsy crossing their path.
So Uber is focusing on its core service: transportation. In the last election cycle, the company worked on tools to get drivers and riders to the polls on election day. The company partnered with Google, which had already built tools to help voters find their polling places and become educated about their choices on the ballot.
That effort was simply about helping people get to the polls on their own dime. But there are some at the company, Senior Public Policy Associate Dave Barmore said at the conference, who are interested in exploring a future where Uber pays for those rides.
“There was a very healthy, robust conversation around — could Uber itself look to fund rides to the polls?” Barmore said. “And we had a very long conversation with our legal team, and there are many legal complexities and issues that arise when a company is looking to fund rides. I know that that was a big point of discussion with a lot of folks internally, they wanted to become more involved on that front, and so I think that will continue.”
Meanwhile, there are more certain directions the company is headed in. In the upcoming special election for Georgia’s sixth congressional district, a hotly contested race many have framed as a chance to test whether Democrats can capitalize on the president’s unpopularity, Barmore said at least one “progressive” group is considering paying to help get some voters to the polls.
“We have to be careful as being a corporation that we aren’t taking sides, obviously, in the election,” Barmore said. “So for this instance, we have this political group that is doing this on their own accord. So what they do is they receive this [promotional] code and put their own funds toward it. And then it’s up to this outside party for how they use it. And we make it clear to this outside party that they’re simply utilizing our product and in no way is this an endorsement from Uber, how they disseminate this code.”
Then there’s Uber Central, a new product Barmore said the company is starting to pitch to potential customers. He described Central as a dashboard where companies, political campaigns and other groups can request rides, pre-arrange them and fund them concurrently.
“Gone are the days of — you’re a campaign, and you’re going door to door and you have all the medical boxes checked off, who needs a ride to the poll, if they need a wheelchair-accessible vehicle,” he said. “Gone are the days of getting that large cargo van parked at a certain intersection and then having those rides coordinated through that. Now you have a much more efficient technological means of pre-arranging rides for those who need it.”
Fri, 19 May 2017 01:00:00 PDT