Archive for July 2010

Notes from DefCon18 in Las Vegas – hackers, education, and the “Race to the Top”

July 30, 2010

The major theme coming out of the world’s largest hacker conference this year sounds quite benign, considering DefCon’s reputation as a venue for barely legal activity. But many of Friday’s sessions echoed a call for education, lest the world’s most prosperous nation sink under a powerful tide of cybercrime that threatens both our prosperity and our national security.

The Reasonable Reporter has long compared the average American to a little old lady walking down a crowded city street with her purse hanging open.  Most people – even very smart individuals – don’t know and can’t fathom the ways in which they are vulnerable to cybercrime. Consciousness is dawning slowly, as the spotlight has shone on spamming, phishing, and privacy issues related to Facebook. The task of educating consumers has largely belonged to the media.

Business is an even juicier target, having a higher concentration of cash than individuals, and larger stores of valuable data. (Information assets, in the parlance of the security community.) So who will educate business? Other businesses, of course, and their experts are present in droves at DefCon.

The highlight today was a contest in which 10 large corporations were targeted for social engineering attacks via telephone.  “Social engineering” is a techie term for a good old-fashioned non-technical scam.  It means one guy induces another guy to give up something valuable before the second guy realizes he’s being hustled.

Each contestant was assigned a company to call. Some posed as potential customers seeking product information, and others as workers from a distant office of the same company, calling to perform an internal audit, or to check the progress of some corporate project. The name of the game was to get employees on the other end of the phone to give up information about the operation of the company.

And it worked, in nearly every case. Employees of target companies coughed up explicit IT specifications that would give a cyberattacker significantly higher odds of success.

This contest was controversial, and had even come to the attention of the FBI when it was announced earlier this year. Large tech companies freaked out when they got wind of it. Some contestants dropped out at the last minute, having been threatened by their employers – mostly tech companies – that they’d be fired if they participated.

The point of the exercise, though, was to educate. The contest sponsors are in the business of security training, and much more will be written about it in the coming days.

The most insidious cyberattacks are network intrusions, and there is a shortage of Americans qualified for the network security arena. Federal agencies send recruiters to DefCon, hoping to grab up young tech talent to work in cybercrime investigation and in national security.  The Air Force has hundreds of openings, and today put on the record its willingness to consider “everyone” at DefCon, including those who “may have stepped over the line” in the past.  You need to have attended DefCon once or twice to grasp the chilling implications of this hiring policy by a branch of the U.S. military.

The talent shortage has prompted a call for education in the classic sense. A DHS official today told an audience that a national science education effort is needed like the one launched under JFK after Sputnik.  A push for math and information technology is needed, and DHS is taking the helm, even reaching down to the high school level. More will be written shortly about this, as well.

Meanwhile, states have been competing for “Race to the Top” money, in the form of federal grants to education.  And little has been revealed about the criteria for success in this quest.  But here in Nevada, where the world’s largest hacker conference is held, we did not win.

The Silver State’s major industry is so tied to technology that it spawned a publicly-traded gaming technology company called IGT.  Microsoft, Intuit, Cisco all have operations in Nevada. Def Con and Black Hat Briefings are both annual events in Las Vegas. Reno is a four-hour drive from Silicon Valley. Maybe Nevada’s real-world Race to the Top could be won with a focus on information sciences, for which there is a concrete and growing demand.

SAGE Commission Recommendation #43 gets a road test (sort of).

July 13, 2010

This space reported two weeks ago that the administration is experimenting with a new approach to the state budget. The result will be, in effect, a hierarchy of citizen needs, as determined by the people who serve them.  Not the elected ones, but a committee of agency heads assigned to evaluate the state’s existing programs, and prioritize them.  The members, one presumes, are right now embroiled in the very difficult conversations elected officials would prefer to skip.

The experiment bears more than a passing resemblance to SAGE Commission Recommendation #43.  It’s not #43 – at least not exactly.  But SAGE (the Governor’s appointed Spending and Government Efficiency Commission) did suggest a priority-based method of budgeting, a key element of the state’s current project. When the work is complete, the programs will fall into three categories.

The top category is comprised of the most critical state services. Or as retired Budget Director Perry Comeaux puts it, “Come hell or high water, we have to do them.”  Comeaux supervised the SAGE team that worked on budgeting issues, and is aware that his successor, current Budget Director Andrew Clinger, is hewing close to SAGE #43.

In a cycle like the one we’re about to enter, the money could be used up as soon as the most critical programs have been funded. But there is a category B, which can be funded next.

Comeaux describes category B as follows: “We really ought to do this if we can. It’s important.  It makes lives better.”

Category C, he says, is the “When pigs learn to fly list. If, miracle of miracles, we end up with the money left over, we’ll do it.”

“The first thing you have to do is have those painful conversations about what’s critical and what isn’t,” said Comeaux.

His SAGE research centered on Arkansas, where they’ve been having those conversations since 1945. The Arkansas Revenue Stabilization Law is a 55-year-old requirement that spells out three priority levels for funding, and is credited with delivering balanced budgets year after year. In his State of the State speech last year, Arkansas Governor Mike Beebe described the cuts other states were being forced to make, and boasted to the assembled that “we are in an enviable position.  We don’t face those problems.”

Indeed, as the fiscal year dwindled to its final day last month, Arkansas closed with $23 million in the plus column, Budget Director Mike Stormes told the Reasonable Reporter this morning. Which is not to say that the state has been exempt from falling revenues. The Revenue Stabilization Law requires immediate cuts if revenues begin to fall below the forecast. Arkansas performed three rounds of cuts during the past year, as its staff economists revised the forecast downward three times, said Stormes.

That brings us to the reason Nevada is not following the Arkansas model. Such systematic cutting would require a revision to Nevada statute. An additional feature Nevada can’t emulate is a one-year limit on appropriations, with an interim legislative session approved by Arkansas voters, for lawmakers to deal only with appropriations for the second year of the biennium.

Nevada Budget Director Andrew Clinger has opted instead to follow Washington state’s model. (Washington’s priority-based budgeting picked up an Innovations in American Government Award earlier this decade from the Ash Institute for Democratic Governance and Innovation at Harvard University’s John F. Kennedy School of Government.)

The goal is the same, and the system has passed muster with Washington’s legislature, according to a written statement by Victor Moore, who was the state’s Director of Financial Management at the inception of POG budgeting (priorities of government).

“While some legislators had feared that the POG was simply a way to camouflage harmful budget cuts, the clear, nonpartisan goals chosen by the governor helped to convince legislators that the POG existed to serve the state’s interests,” Moore wrote.

Whether Nevada legislators embrace priority-based budgeting remains to be seen. The challenge awaiting them in 2011 would seem to suggest they have no choice.  Former Budget Director Comeaux says that’s what he thought in 2009, but the lawmakers found a way around the most painful decisions.

“But the longer this downturn lasts,” he said, “the closer we’ll get to the point where they don’t have any choice.”

There is a five-minute audio file posted here from an interview with Clinger about Nevada’s budget project.

Budget reviews in the spotlight this week. So listen to this if you missed it last week.

July 9, 2010

If you’ve been glued to the dust-up between the governor and the legislature over budget reviews, you will want to listen to the recorded interview with Budget Director Andrew Clinger posted below, in which he discusses a new budgeting process undertaken by the administration.  (Originally posted last week.)

Clinger is overseeing a departure from the usual budgeting process. A working group of cabinet-level agency directors is conducting a group review of all programs, for the purpose of evaluating and prioritizing them. The programs will be ranked high, medium or low priority — and will be maintained or cut accordingly. This, as opposed to the conventional method in which each agency head crafts his own budget beginning with the last cycle’s number and working toward a new number for the new cycle.

Here is the Clinger interview (again).  It is just over 5 minutes long, and it begins with Mr. Clinger responding to a question about a small increase in sales tax collections.  His initial point (out of context) is that it’s great to see an increase, but it’s not significant enough to make a big difference.

(If your device does not support Adobe Flash, you can download the file here.)

Fiscal Reality 2011: Part 3

July 2, 2010

A New Approach to Budgeting in Carson City

This space has been devoted for the past two weeks to discussing Nevada’s financial obligations, including a state budget shortfall that’s roughly 50 percent. Beyond that, there’s debt to the federal government for borrowed unemployment benefits – it will push past a billion dollars by the end of next year, and that doesn’t begin to address the interest on the loans.  Then, there are hundreds of millions in mandated spending for increased Medicaid caseload, and expenses related to the federal health care reform.

Most of the attention statewide has been on the state budget. As the 2011 legislative session approaches, the face of state government is about to change – drastically and permanently, according to Lynn Hettrick, Deputy Chief of Staff to Governor Gibbons.  Nevada can’t tax its way out of a $3 billion budget hole, Hettrick says — you can’t raise taxes enough to close it.  You also can’t cut enough spending to eliminate it.

Several weeks ago, the Reasonable Reporter dragged a TV camera and a photographer to Carson City, and spent a whole morning talking about the situation with Hettrick and the governor’s other deputy chief of staff, Stacy Woodbury; with Mike Willden, Director of Nevada’s Department of Health and Human Services; and with Budget Director Andrew Clinger.

A complex series of technical and other problems derailed the TV pieces from being produced.  But some of the audio has been posted here.  Click on the two flash players below and you will hear:

1- A sound bite from Deputy Chief of Staff Lynn Hettrick, offering a grim summary of the reason he says Nevada’s approach to government must change. Read more remarks from Hettrick in last week’s story. The audio file is less than one minute long. (Click on the player below, or if your device does not support Adobe Flash, you can download the file here.)

2-  A piece of Andrew Clinger’s interview, in which he describes a new budgeting process being undertaken in Carson City for the upcoming biennium.

This is five minutes long. You will note the voice of the Reasonable Reporter has been boosted so you can hear the questions — creating an otherworldly effect. The piece begins as Andrew Clinger responds to an inquiry about the recently reported increase in sales taxes (this should have said “an increase in sales tax revenue”). Yes, it’s good news, he says, but we shouldn’t overstate its impact. (Click on the player below, or if your device does not support Adobe Flash, you can download the file here.)