Washington Technology Newswatch delivers the latest news to your inbox.

The National Magazine for Government Contractors.
Updated 4:45 PM EST September 5
Will VISIT Be a Bellwether?

The need to “patch” America’s borders encompasses every lesson learned — and even the ones not learned yet — regarding threat, risk, vulnerability and response.

Expert analysis of the fall 2001 anthrax attack on the United States revealed that a laboratory-equivalent 1 billion human lethal doses of the biological agent were mailed here in letters, with five deaths resulting and a 60 percent success rate achieved by doctors treating victims, according to a report from the Defense Department.

Such analysis informs any discussion of homeland security with keys regarding how threat, risk, vulnerability and response work out in the real world. One billion doses, five deaths.

Applying similar yardsticks, analysis of attacks on our economy via IT systems can return opposite results altogether. As former cyber security czar Richard A. Clarke often pointed out, the Code Red and NIMDA attacks earlier this decade resulted in billions of dollars of damage to the economy, and yet in both cases every dollar lost might have been spared had existing patches merely been installed in systems in the first place.

Basically, the equivalent of the anthrax antidote Cipro was already in the IT “health care” chain, but too many had failed to simply take it.

Embedded herein is a formula for working threat, risk, vulnerability and response into a security package that relies on science but at some point starts to become art. Just as a medical patient might fear the side effects of a doctor’s prescription, system managers are wont to toss incoming patches aside for fear they will disrupt apps or email. A billion anthrax deaths work out on paper, whereas Code Red and NIMDA were innocuous.

A Sharing Gestalt

When we turn to the need to “patch” America’s borders, we immediately confront every lesson learned, and even the ones not learned yet, regarding how threat, risk, vulnerability and response can be formulated to meet a mammoth process in which there are about 500 million “crossings” to manage each year at air, sea and land ports.

The budding U.S. Visitor and Immigrant Status Indication Technology (US-VISIT) entry-exit system represents a technology response-in-the-making and joins systems being developed by the Transportation Security Administration such as CAPPS-II for pre-screening commercial airline passengers, or the DHS Cyber Warning Information Network.

Like other information sharing efforts, US-VISIT will try to transform a single agency effort (under the former INS) into a broader “system of systems.” Immigration, Border, Customs, State Department, Transportation, GSA, CIA, FBI and other law enforcement agencies are invested in the maintenance of VISIT’s “virtual border,” which will first present a hurdle to would-be evildoers applying for a visa overseas and will keep tabs on all who enter the U.S. thereafter.

The effort to build such a system becomes an information sharing gestalt of sorts, because most of the agencies involved have no real history of sharing. And, in fact, the very act of sharing information about such a system elicits outcries from those who regularly defend pre-9/11 “open borders” policies.

By the end of this year, if the schedule holds, the Bureau of Immigration and Customs Enforcement will begin fingerprinting and photographing visitors and using this biometric data (as well as biographic data) to facilitate what DHS Secretary Tom Ridge calls “an electronic check-in/check-out” system for managing foreign visitor flow.

Tech as Solomon

Just a mild parsing of Asa Hutchinson’s July explanation of US-VISIT is revealing. “The more we are able to identify people and assess them based on their individual traits, the less dependent we are on broad, general categories such as national origin,” the undersecretary for Border and Transportation Security said.

The original computational routine of examining all possible answers before deciding on the right one is a metaphor for VISIT, which will have to remain politically correct as it sorts through fingerprints. Read: no profiling.

Threat and risk, we begin to understand as we begin to examine VISIT, are in the eye of the beholder. One person fears a repeat of the lapses that brought 19 mass murderers across the border and is willing to risk losing all the pleasantries of loose travel regulations. Another fears the intrusion of an Orwellian state and is willing to risk a possible violent assault for safeguards to privacy.

Technology is asked to perform Solomon’s job of making everyone happy. The agency responsible for it is asked to rip down its own internal borders as it goes about figuring out which network backbone to ride VISIT on, how long it will slow things up to take everyone’s picture and two fingerprints, and of course how to roll it all out “on time and under budget.”

VISIT is perceived by many in DHS as a bellwether system because it will begin to rationalize duplicative assets operated by Immigration, Customs, Border, Transportation, State, and so on. It is being developed at the same time that a broader DHS Enterprise Architecture Framework is being developed to guide all departmental IT efforts.

Deadlines hover, including Ridge’s goal to have some of VISIT running by year’s end, all of it contracted to a single integrator by next spring, and DHS CIO Steve Cooper’s target of December 2004 for conversion of DHS IT to a single enterprise network. There is probably more at stake for DHS overall on this one system than there ought to be. That would make it a bellwether for all the programs that will follow.

Super EA to the Rescue?

How does an agency comprised of 22 former major activities of government transition to a cohesive IT entity? Like the ‘S’ on Superman’s shirt, the bold “EA” stamp for Enterprise Architecture is being imprinted on the IT plan by officials across the Homeland Security Department.

As part of that plan, DHS recently gave Science Applications International Corporation (SAIC) the job of producing, in three months, a “target enterprise architecture and a transition strategy” for beginning to build the EA from the disparate inventory of systems and programs the department absorbed as it formed. The plan will investigate and report on several overarching categories of endeavor, said Karl Kropp, SAIC’s program manager for DHS EA support.

SAIC began by charting the DHS “as-is” state, which entailed “scoping things out at a fairly high level,” Kropp said. Using information supplied by Mitre Corp., the budding SAIC transition strategy is based on a survey of existing systems and IT assets. Earlier this year, DHS CIO Steve Cooper identified more than 2,000 distinct applications running across the department.

With such basic information in hand, SAIC is working now on a first-draft, high-level conceptual model for characterizing the integrated agency’s complex mission “in terms of existing legislation, the mandates it faces, deadlines” and other factors, Kropp said.

“The next thing is a target EA, and again it will be a high-level, conceptual product…along with a transition strategy to achieve that target,” he said. Such a strategy must bridge the path between the as-is and the to-be state, the ultimate goal of EA.

Kropp said EA planning starts to become less conceptual and more tactical as the EA effort looks at deadlines and milestones agencies face. “Then, you start looking for the logical sequence of events that must occur to reach those timelines,” he said. “The challenging parts are aligning to the business mission and then implementing the transition plan.”

Organizations attempting to implement EAs usually “look for the big things they have to do first, such as meeting mandates by a certain date,” Kropp said. “This sometimes puts pressure on the transition strategy and results in innovative approaches to solving problems. Of course, you don’t want to develop things you have to throw away later.”

On the other hand, organizations would do well to grab some of the low hanging fruit along the way to quickly demonstrate the EA is worthwhile. This has become easier to do because “development times have really decreased dramatically over the last few years…and it makes it easier to take that low hanging fruit,” Kropp said.

An EA needs to be a “roadmap for an enterprise’s IT system” and give people a firm grasp on “what should be developed, when it should be developed, and how it best aligns with the business,” Kropp said.

Decision-makers need strategic guidance as to what to attack first: infrastructure, networks, desktops, security architectures, “or do you want to attack the more mission-specific applications first. Those are the types of questions a transition strategy or plan would address…. We’re just now beginning to get an idea of what DHS wants to do first,” Kropp said in late July.

The ultimate goal of EA is to provide people with a product that will really guide them as they make key IT and business decisions, Kropp said. “Not something that just gets put on a shelf and is never looked at again.”


© 1996-2008 1105 Media, Inc. All Rights Reserved.