Government Technology Top News
ATLANTA – South Bend, Ind., a city of slightly more than 100,000 residents where blighted buildings have long been a struggle, has deployed a smart sewer system that could save $500 million in government costs related to overflows. And at the MetroLab Network Annual Summit at Georgia Tech Dec. 13, Mayor Pete Buttigieg pointed to the project as an example of what cities have to gain from collaborating with academia.
South Bend’s sewer system now generates 16 million data points, making it “the most densely sensored sewer system in the world,” said Buttigieg, noting that info from the sensors helped reduce overflows by 70 percent. The $500 million in potential savings would be massive for any city, but is especially significant for a town like South Bend where per capita income is less than $20,000.
South Bend made this happen in large part by collaborating with the University of Notre Dame and other local institutions to attract talented young technologists and foster a culture of innovation in its city hall.
This sort of work is foundational to MetroLab and its summit. The network of dozens of cities and universities nationwide was started in 2015 as part of the White House’s Smart Cities Initiative. It works to pair city policymakers with academic resources in order to foster projects that can be deployed to improve infrastructure, public service and environmental sustainability. Day one of the MetroLab Summit saw key policymakers involved with the network discuss the past, present and future of civic innovation’s relationship with higher ed.
In addition to Buttigieg’s keynote speech about innovation blossoming in South Bend, the first half of the two-day event also included a panel that featured Buttigieg, former Baltimore mayor and Maryland Gov. Martin O’Malley, and Stephen Goldsmith, former mayor of Indianapolis, deputy mayor of New York City and current director of the Innovations in American Government Program at Harvard’s Kennedy School of Government.
Throughout Buttigieg’s speech and the subsequent panel, a three-tiered picture of the relationship between college towns and universities within them emerged — College Town 1.0, 2.0 and 3.0.
College Town 1.0, they said, was essentially limited to a city and school working together on relatively basic things like sponsorships and practical questions about neighborhoods. College Town 2.0 seeks to accelerate cooperation and ensure towns are better for having universities in them and universities are better for being located in the towns.
College Town 3.0, O’Malley said, means reaching a point “where the university and city are integrated into a very inclusive, repeatable process for innovation.” To do this, mayors must regularly convene those involved, he continued, giving internal context and meaning to the work. Productive relationships between mayors and university presidents, or representatives of the two, are also vital.
Goldsmith emphasized the importance of taking a broader view of relationships between cities and institutions, one that supersedes arbitrary obstacles such as geography. He noted that during his time as deputy mayor of New York City, there was a problem with child welfare in his jurisdiction, but a foremost researcher on the subject was doing his work in Chicago, on the issues there. Coincidence presents another challenge.
“Too often these relationships have been dominated by the coincidence of whether the research agenda of the university professor matches the priorities of the mayor,” Goldsmith said. Moving forward, Goldsmith suggested that better organization of urban challenges and the academic research related to them would benefit both cities and researchers.
Another obstacle discussed by the panel was creating innovation programs that can survive politics, entrenching them in government so they aren’t later disowned when a new administration sweeps into city hall or the state house and supports only the initiatives and programs created under its watch. The speakers agreed that transparency with the public can demonstrate value in a way that embeds innovation in culture, creating public expectations for it to continue that ultimately protect it from the fickle winds of politics.
When asked how cities without access to prestigious universities like Notre Dame could follow suit, Buttigieg noted that basically every city in the country has a community college system nearby, and that those schools are perhaps just as important as academic powerhouses because they provide access to underserved students. These students, he explained, often have firsthand experience with problems academia and government technologists are trying to address from afar. This knowledge leads to more nuanced, deeper and authentic perspectives, as well as urgency to solve challenges.
Working with students at those schools, Buttigieg said, also ties into a larger benefit of this sort of collaboration — specifically the recruitment aspect. It directs talented people into gov tech who likely would not otherwise find their way into the sector. Once there, they can do meaningful work that benefits the community and gives them a sense of purpose. There is, Buttigieg said, a larger existential crisis that could potentially be lessened.
“Even more than the crisis of politics,” Buttigieg said, “I think we can offer something when it comes to the current American crisis of purpose.”
Roughly five years after Oklahoma began to unify information technology (IT), that process is largely finished and has saved the state hundreds of millions of dollars, officials told Government Technology.
By centralizing IT under the auspices of the chief information officer, the state has saved more than $350 million in reduced “IT spend and cost avoidance,” Oklahoma Chief Operations and Accountability Officer Matt Singleton said, noting that number is based on the state’s new, final quarterly reports.
Since beginning IT consolidation, Singleton said, Oklahoma technology officials have successfully completed unification at 77 of 78 agencies identified, as well as at an additional 33 agencies that effectively volunteered.
As for the 78th agency identified, Singleton said: “We’re working with them,” but pronounced unification otherwise “substantially complete.”
During unification the state completed 1,171 agency-specific and statewide projects focused on IT and enhancing the client experience, Singleton told GT, during a conversation that included CIO James “Bo” Reese and Chief Information Security Officer Mark Gower. But additional updates continue, including for public safety agencies.
IT officials discovered public safety “had some pretty unique needs around CJIS compliance,” Gower said, referring to the federal Criminal Justice Information Services standards that agencies are required to meet.
The CISO said that instead of bearing the cost to make the entire state data center CJIS-compliant and meeting partner needs as well, the state decided to expand and further secure an existing data center at the Oklahoma State Bureau of Investigation facility.
“We … expanded that facility so we could unify what I believe is going to be 14 of our existing public safety agencies,” Gower said. “As we go about not only moving them into this new facility, we also are going to be undertaking a significant modernization of some of the systems that public safety uses.”
Reese, who has been state CIO since November 2014, was named president of the National Association of State Chief Information Officers (NASCIO) executive committee in October. Among the state-level IT best practices and innovations that he may advocate for as president is cybersecurity, which Reese said is “extremely important” for his state.
Unification, Reese said, actually facilitated the improvement of state-level cybersecurity in Oklahoma because, by definition, it reduced siloing by the individual agencies.
“Being that we were siloed, we were very much responsible for our security network technology within the individual agencies. It was very duplicative and it wasn’t secure,” Reese said. “Being able to create a single pane of glass through our consolidation really gave Mark and his team the visibility across the state that we’d never had before.”
Gower described the protection of Oklahomans and their data as “pretty paramount to everything that we do here,” and noted the state has offered security awareness and training that began piloting in 2014 and went live last year.
Currently, the CISO said, employees in about 60 percent of state agencies have been educated through the hourlong training, available online through a vendor over the course of a calendar year — and as a result, the state’s cybercommand has received more reports of potential cyberincidents.
“That’s the measure you want to go for. The net results for the state: citizens may not see it but I hope they can feel it,” Gower said, calling it “no coincidence” that security topped the list of “State CIO Top Ten Policy and Technology Priorities for 2018” for the fourth consecutive year.
“Having a trained workforce for Oklahoma is paramount,” he added.
Unification, Reese added, has also facilitated data-driven decision-making and data governance — both of which are important state-level best practices as well.
In June, Reese testified to the Senate Homeland Security and Governmental Affairs Committee. He called for greater collaboration and participation from federal agencies, and highlighted federal cybersecurity regulations that pose obstacles to state IT unification and risk-based cybersecurity investment.
Since ascending to lead NASCIO’s executive committee, Reese said the organization has formed a working group to hear from states about federal regulations they’d like to see harmonized.
That includes, the CIO said, “mapping those regulatory environments, finding out where they’re different, where they’re the same and coming up with what we consider the gold standard,” and opening a dialogue with the federal sector.
“We have such a short amount of time to make a positive impact in our citizens’ lives and I think this is an opportunity,” Reese said. “If we look at it as … a partnership we can truly make a difference on a national scale in what we do, how we do it and how we invest in cybersecurity and get a return.”
The 2018 edition of NASCIO’s Top 10 CIO priorities included shared services and digital government, but not legacy modernization, which ranked fifth on the 2017 list. Singleton said that signals to him “more of a focus on how to accomplish things.”
“Shared services is a model. Agile is a model. To me, I think that signals a shift in mindset in state CIOs. We’re not spending the next year talking about it,” Singleton said.
But he and Reese have discussed using NASCIO’s reach and grasp to assist CIOs and their organizations nationwide.
“One of the things he keeps talking to me about is this playbook idea, where every state encounters the same types of challenges. The real power of NASCIO is the connections that it enables and facilitates across that space. And so, a playbook of IT unification would really be of great value to states,” Reese said.
“That is exactly what we have been talking about picking up,” he added.
Elsewhere in the tech landscape, officials recently launched Innovate Oklahoma, an opportunity for residents to submit challenges and agencies to make their needs known via the state’s innovation portal and for developers to offer solutions.
Participants have provided solutions to three challenges focused in health and human services and child welfare. These solutions are about to be available for leadership approval, Singleton said, describing officials as “really excited about where this is headed.” Simultaneously, officials have held discussions about technology with citizen groups around the state, and Innovate Oklahoma has been a central topic.
ATLANTA — Four gov tech professionals spoke during the MetroLab Annual Summit at Georgia Tech Dec. 13. Some were from the private sector and some were public servants, but they all had their own criticisms of the government procurement process.
Ben Levine, MetroLab Network’s executive director, started the discussion where most panels end, by asking for audience questions. As most anyone who has attended a public event would attest, calls for questions usually result in a brief pause. Not this one. The panel was Procuring Tech & Innovation, and one got the sense that the audience, a group made up almost entirely of gov tech stakeholders, was thrilled to have a chance to shout their issues about government procurement.
Who owns the work when it’s done? How do you scale across cities in the same metro area? What defines successful pilots and how do you convert them later into something you can use? And so on.
While the 45-minute panel, of course, could not solve all of those complex questions, discussion did stem from the concerns. Sandra Baer, chief marketing officer for CIVIQ Smartscapes, started off by asking for a show of hands from everyone who thinks government procurement processes are broken.
“I’m not so sure they’re broken,” Baer said as nearly every hand went up, “but I’m certain they’re outdated.”
Procurement being outdated was largely the idea that shaped subsequent discussion. While government procurement processes might work for buying traditional products, or even for tech products that offer clearly defined and specific outcomes, innovation carries a heavy risk factor and an inherent likelihood of failure. With that in mind, long-standing procurement processes desperately need an update.
Kate Garman, current smart city coordinator for Seattle and former innovation policy advisor for Kansas City, Mo., said she’s seen the unique problems of two different cities, as well as a common group of solutions they’ve had to use to try and solve them.
“Cities have to strike a really careful balance in inviting innovation, because these new innovative ideas probably aren’t really proven,” Garman said. “Even if it’s from a big company that says it has a new solution, it’s probably not well-tested. Cities are having to investigate these questions in pilots.”
To this end, it benefits projects to fail fast, so cities can learn from them, move on and procure another solution. Julia Richman, chief innovation and analytics officer of Boulder, Colo., said her jurisdiction has been having incremental conversations about procurement changes, one of which has been centered around how the city should own its source data, even if it’s collected by vendors.
While the central thrust of the MetroLab Network and its summit is collaborations between academia and government, this panel naturally raised questions about public-private partnerships, often referred to as P3s. Garman said there was a major need for an honest conversation about P3s, including issues such as who owns the data. Government protecting assets during the procurement process can, she said, lead to tensions at times with vendors.
When it comes to coordinating with academia, however, this tension is largely absent, given that academics are generally interested in furthering research careers, rather than creating marketable products that can be brought to scale.
The fourth panelist, Cam McLay, a senior advisor with PwC, was police chief of Pittsburgh until leaving for the private sector in December 2016. He described data as vital to police departments in order to determine what’s actually happening on the streets and whether police are making the city a better and safer place; otherwise, the departments function as closed systems without feedback loops, totally unable to hold themselves accountable.
A lawman since 1979, McLay talked about his long-time unfamiliarity with the value of data.
“It was only sitting in the context in the role of a chief executive of a law enforcement agency in a major city that I came to understand how important data was to me,” McLay said. “I needed meaningful data to understand what was true.”
Pittsburgh, which struggles with funding as many cities do, didn’t have the resources needed to get McLay the data he needed. However, academic collaboration proved to be another avenue. In fact, researchers from Carnegie Mellon University came to him, saying, as he remembers it, “Chief, we don’t want your money. We just want your problems.”
These were experts willing to collect the information for free so they could incorporate the data into their work. So, while academic relationships likely won’t rebuild government procurement processes from the ground up, they can provide valuable opportunities to learn more about what works and what doesn’t, which city governments can then reference before deciding to procure related products.
Three driverless shuttles are planned to take to the streets of Gainesville, Fla., in the coming months for a three-year pilot project known endearingly as GAToRS. The undertaking, a joint effort by the city, University of Florida and the Florida Department of Transportation, is part of Gainesville’s smart city efforts, said Assistant City Manager Dan Hoffman.
“This will be for use with the general public and we see it as a real-world pilot,” he said.
The battery-electric powered buses will be supplied by EasyMile, a French company. They move at slow speeds, topping out at about 25 miles per hour. However, Hoffman does not anticipate them traveling that fast in the “planned environment.”
The city’s primary aim with GAToRS is introducing the technology to the public and perfecting it. No fares will be charged, and the small 12-passenger buses will travel a set route from downtown to the University of Florida campus, arriving at stops every 10 minutes during peak hours and every 20 minutes during other times.
The AV shuttle pilot follows others around the country as developers and transit officials work to develop the technology for more widespread applications.
“Deployments will progress depending on the requirements of each state,” said Randy Iwasaki, executive director of the Contra Costa Transportation Authority in Walnut Creek, Calif., where EasyMile has been involved with testing its shuttles within the 600-acre Bishop Ranch business park. “We are still working with (the California) DMV. Some of the requirements are on point such as testing plans, emergency response plans which we have sent to the DMV.”
Many cities, particularly outlying suburban areas, have “first-mile, last-mile” issues to deal with, said Iwasaki, referring to the struggle of getting transit users from their home to a transit stop in as hassle-free an effort as possible.
“The technology in the past has not been able to adequately address the problem. We thought, and still think, we found the right technology,” he added.
Small shuttles like these could help to fill new niches of transit, as an economical answer to serving short, quick trips, said Thomas Bamonte, senior program manager for the automated vehicles department within the North Central Texas Council of Governments (NCTCOG), which helps to guide funding and public policy along a range of transportation initiatives in the Dallas-Fort Worth (DFW) metropolitan area.
“There have been multiple new deployments of low-speed automated vehicles (LSAV),” said Bamonte last week, adding new providers are coming on the scene. “By now, there are at least a dozen such manufacturers.”
“Why? Roughly one-third of our trips are two miles or shorter,” he offered. “This transportation segment is something that LSAVs might serve in relatively dense areas, ranging from entertainment districts to downtowns.”
A driverless shuttle test project in Las Vegas recently grabbed headlines last month when it was involved in a minor accident. The shuttles for that program are produced by Navya. The pilot is set to run for one year.
Other states are picking up on the autonomous shuttle movement. Colorado Gov. John Hickenlooper declared Dec. 4 as “Connected and Autonomous Vehicle Day” following the successful rollout of a connected vehicle partnership initiative between Panasonic and the Colorado Department of Transportation. EasyMile just opened its North American headquarters in the Panasonic building in Denver.
“Colorado’s reputation as a hub for advanced technologies takes a significant step forward today with Easy Mile’s opening of their North American headquarters and aligning with the state’s partner Panasonic,” said Hickenlooper, in a statement last week.
In Dallas, transit officials have earmarked $500,000 to support pilot deployments of low-speed automated vehicles in the DFW region, said Bamonte.
“Some of the funds will be directed to Arlington’s next phase of its LSAV test program and the rest to support a second pilot program in the region,” said Bamonte.
Nextdoor, the social networking platform for neighbors, has reportedly raised a $75 million Series G round.
The round, first reported by The Information, is easily one of the largest private investments in a gov tech company this year. In addition to serving as a social media site, Nextdoor has community engagement, law enforcement and polling functions for local governments to use.
According to The Information, the round appears to have Nextdoor valued at about $1.5 billion — up from $1.1 billion in 2015. An extra $75 million would put the company’s total fundraising at more than $285 million since the company launched in 2010. Its backers in the past have included Kleiner Perkins Caulfield & Byers, Greylock Partners and Benchmark.
Boulder already had a university, a lot of business accelerators and an ecosystem of tech startups. Now, the city’s chief innovation and analytics officer hopes to bring those things in line so they can help the municipal government.
The city is one of 12 that will participate in the 2018 Startup in Residence (STiR) cohort as part of the program’s first national expansion.
Julia Richman was hired by Boulder in early 2017 after nearly a decade with Deloitte Consulting, coming aboard in part to help the local government there leverage the skills of the entrepreneurial community in order to improve the services it provides citizens. At that time, STiR was still limited to Northern California, as it had been since it began in San Francisco in 2014. However, when Richman became aware of national expansion plans soon after going to work for Boulder, she found STiR immediately enticing. It was directly in line with her new position’s goals and objectives, she said.
“We had been endeavoring into this concept out of the STiR program in anticipation that it was going to be made available to external participants this fall,” Richman said. “This kind of work is really a core part of our innovation architecture.”
STiR’s goal is outwardly simple: Facilitate mutually beneficial relationships between tech startups and local governments, thereby helping the companies to get a foothold in a relatively undertapped gov tech market while at the same time giving government access to new tools it needs to overcome old challenges. To accomplish that, STiR plays matchmaker and embeds tech startups within public agencies.
It’s not as simple as it sounds. Many American cities seek to do a better job helping startups break into gov tech by overcoming near-universal obstacles such as a lengthy and complex procurement process, legacy systems and shrinking budgets. Some cities, like Boulder, have a wealth of homegrown startup talent, and all they need is a bridge to get them into government work.
One of Richman’s chief hopes for participating is that STiR will be this bridge for Boulder, which has a thriving startup ecosystem, complete with academic resources from the University of Colorado Boulder, as well as a whopping 18 accelerators and incubators. While San Antonio shied away from STiR out of concern that its startup culture was not yet robust enough to truly benefit, Boulder does not have this hang-up. Richman also said she expects Boulder’s size, economy and geography to be enticing for entrepreneurs.
“We have a ton of different assets,” Richman said. “We have a lot of people and we have data, buses, roads, you name it. For a startup looking for a data test site or to get a plug into bigger infrastructure than the little test environment they’ve built in someone’s garage, we can enable that and help them understand the use of their own tool.”
In addition to Boulder, this new class of national participants includes Houston, Miami-Dade County, Fla.; Richmond, Va.; and Washington, D.C. It also includes six jurisdictions in California — San Francisco, Santa Cruz County, Santa Monica, Vallejo, Walnut Creek and West Sacramento — and one public agency, the San Francisco region’s Municipal Transportation Commission. Companies can apply to the program until Jan. 1.
Aside from the tangible tech results, Richman also hopes that infusing the local government with startup ethos will enable experimentation and a culture shift toward flexibility — that it’s okay if a project doesn’t turn out exactly as planned.
“The notion that governments are ever going to be leading edge is just kind of a false narrative,” Richman said. “But the concept that governments can be prepared to be adapters of technology and keep pace with technology is where I think startups can help.”
Mike Wons, Illinois’ chief technology officer (CTO) and a key architect of its ongoing tech modernization, is stepping down, he confirmed to Government Technology Dec. 11.
He is the state's second leading technology official to resign in three months, following the departure of Chief Information Officer Hardik Bhatt, who joined a public-sector-facing team at Amazon, Sept. 14.
In an email, the CTO said he will join SAI Global — a private-equity-backed global risk, compliance and cybersecurity company — at the beginning of 2018 as its chief technology and product officer. But he indicated that he intends to remain involved in government IT.
"The integrated risk management and compliance space is critical to governments across the globe," Wons said via email.
Wons came to the state in 2015 after six years as the CEO of CellTrak Technologies Inc., a provider of software-as-a-service mobile solutions to home health-care, hospice and private markets in the U.S. and Canada.
Department of Innovation & Technology (DoIT) Acting Secretary Kirk Lonbom praised his work on the state's “early digital transformation efforts” and his progress “in the strategic and operational areas of our new agency," in a Dec. 6 memo informing staff of Wons' departure.
“As CTO, Mike led many transformation efforts including the Going Mobile in Illinois program, bringing mobility to citizen engagement points,” Lonbom said, noting mobility rose “from minimal” to nearly 50 percent agencywide in less than 18 months.
In a March 2016 piece for Government Technology, Wons noted that various agencies had been building mobile responsive sites and “developing mobile apps.” But he identified a “lack of strategy and direction” at the state.
“The long-term vision is for all state of Illinois applications to be 'MobileFIRST' and to be accessible on all mobile form factors, and for the state to use mobility as a strategy to solve critical business problems,” he wrote, citing mobile responsive design and apps created by the Department of Children and Family Services and other agencies.
Illinois, Wons wrote, expects mobile-enabled interactions to rise to 45 percent by the end of 2017 and to 80 percent by the end of 2019.
Wons also discussed the Illinois Fast, Innovative, Responsive, Smarter, and Technology (FIRST) strategy and creating one IT voice enterprisewide. It was, he explained, a method to “create a unique ecosystem” improving agency operations and bringing the state closer to residents and businesses “with minimal overhead and maximum reach.”
Key deliverables, he said, include service delivery management — including establishing service-level agreements for the state for the first time; continued transformation of major agencies through infrastructure modernization; expansion of the security operation center; and a continued focus under Lonbom on forging an enterprise culture "known as OneDoIT."
"The state needs to continue to invest and head down the path of implementing the remaining six planned sprints to complete the statewide transformation effort," Wons said in the email.
Lonbom also praised Wons’ work as a founding member of the Illinois Blockchain Initiative, bringing “Illinois’ involvement in the emerging technology to international recognition.”
The state had six blockchain pilots underway in September, including a birth registry that would document births via blockchain; and a self-sovereign, digital identity controlled by its owner but quickly verifiable by authorities.
In the memo, Lonbom characterized the departing executive as “a valuable member of DoIT’s leadership team.”
After three years of user research, networking and good old-fashioned bootstrapping, a Georgia startup focused on helping people successfully return from prison to society has its first venture capital funding.
That’s not always how it goes in the world of tech startups. Many young outfits shoot for investment money on aggressive timetables, or build products and start signing up customers quickly with plans to build out better functionality later.
Acivilate isn’t most startups. After co-founding the company in 2014, Chief Executive Officer Louise Wasilewski spent time interviewing the people who would be using the company’s flagship product — returning citizens, nonprofits, court administrators, corrections workers — in Maryland, Ga., and Washington, D.C. They wanted to make sure those people would use the product once they built it.
“We spent a long time making sure we were headed in the right direction before hiring developers,” Wasilewski said.
Now the company has wrapped up a $3 million seed round, led by Atlanta-based BIP Capital with participation from the public-private venture firm GRA Ventures. That is to say, a venture firm with capital from the state of Georgia itself is putting resources behind Acivilate. That helps, Wasilewski said, because it can be hard for companies outside tech hot spots to attract investors.
“There are great ideas outside New York and Silicon Valley that may lack capital,” she said.
There might be more money on the way — the seed round has a “rolling close,” meaning certain other investors will have a chance to jump in before the end of the year.
The seed round’s first close actually follows a grant GRA gave to a Kennesaw State University researcher in early 2017 in order to measure the effectiveness of Acivilate’s product, called Pokket. It’s signed up three jurisdictions, including about 130 people in Gwinnett County, Ga., and will run metrics on things like recidivism rates as people use the tool more.
“Human services, corrections — everyone is interested now in having interventions be evidence-based,” Wasilewski said.
Pokket is, in so many words, a case management system designed with departments of corrections and other government agencies in mind as customers. But it’s a CMS for an exceedingly tricky and involved area of government work. As a person in prison transitions back to regular life, they might be working with an employment agency, a housing agency, a parole officer and other government points of contact. But those people all tend to work separately.
Acivilate’s software brings a person’s information into one place.
“There’s no way to see how those things fit together to identify if these agencies are actually requiring a person to be in two different places at the same time on Tuesday afternoon each week,” she said.
Even more than that, she said, Pokket lets returning citizens see their own data more easily. Most CMS software is designed for the case worker, but Wasilewski wants to make Acivilate’s software work just as well for the people whose names are in those case files.
“It is a way to gradually empower and gradually transfer responsibility to an individual who has been institutionalized,” she said. “The sort of behaviors that make you successful in prison — be quiet and do what you’re told — are the opposite in some ways from what it takes to be successful on the outside.”
Now that the company has investment capital, Wasilewski said it will hire more customer support staff and more developers. One piece of functionality it wants to add to Pokket is the ability to write resumés. Whereas many people wait until they leave prison to start searching for jobs, Wasilewski thinks she can help them apply before they get out.
“Having a resumé when you walk out the door will make a huge difference,” she said. “If you’re not really ready to look for work until 30 days after you’re released, you’re already behind.”
Government contractors are scrambling to meet an end-of-the-year cybersecurity deadline for the Department of Defense (DoD).
And perhaps other public and private sector organizations should be paying attention as well.
The reason is that the Defense Federal Acquisition Regulation Supplement (see below for details) requires contractors to provide new protections for covered defense information, including unclassified information, that resides on or passes through the contractor’s information system or network. The new mandate requires contractors to implement NIST SP 800-171 “as soon as practical” and not later than December 31, 2017.
In addition, starting in 2018, DoD contractors must report if a cyber incident affects the contractor’s information systems on which covered defense information resides or if the incident affects the contractor’s ability to provide operationally critical support requirements identified in the contract. Prime contractors must also flow down the same clauses (requirements) to subcontractors.
What Is NIST SP 800-171?
The National Institute of Standards and Technology (NIST) is known for creating meaningful guidance on a wide variety of cybersecurity and data management topics. Last month, I wrote this overview on NIST SP 800-184 guidance on recovering from cyber incidents. As stated in that blog, implementation of the specific actions listed in SP 800-184 is varied across government agencies.
However, since NIST SP 800-171 is required for DoD contractors and some others, the policy, process and configuration requirements are even more urgent right now.
According to CSO Online: “These requirements entail determining what the company policy should be (e.g., what should be the interval between required password changes) and then configuring the IT system to implement the policy. Some requirements require security-related software (such as anti-virus) or additional hardware (e.g., firewall). NIST SP 800-171 by itself does not provide prescriptive information on how the requirements should be met but additional guidance is provided by looking at relevant security controls that are specified in NIST SP 800-53, ‘Security and Privacy Controls for Federal Information Systems and Organizations.’ The security requirements are organized into 14 groups or control families with a total of 109 specific security requirements. …”
Exclusive Interview with Tom Jones from Bay Dynamics
To cover this topic in more detail, as well as gain some insights from insiders who work with federal contractors and the DoD on a daily basis, I turned to Thomas (Tom) Jones.
Tom Jones, Federal Systems Engineer at Bay Dynamics
Thomas Jones is a Federal Systems Engineer at Bay Dynamics, an analytics company that enables enterprises and agencies to continuously quantify the financial impact of cyber-risk based on actual conditions detected dynamically in their environment. With more than 25 years of experience in information technology, Thomas has held roles as a federal contractor, sales engineer, solutions architect, system engineer, network engineer, and senior consultant working with the federal government. Tom spends large portions of his work week in the trenches with IT professionals working to ensure cybersecurity and availability for the federal government.
Dan Lohrmann (DL): What are the main components of 800-171, and why is it being mandated?
Tom Jones (TJ): NIST 800-171 covers the protection of Controlled Unclassified Information (CUI), ensuring all systems that process, store or transmit CUI information are secured and hardened. Federal contractors typically handle this type of data and in 2015 when the Department of Defense mandate was issued there had been several server incidences associated with data breaches of contractors and services providers. To force contractors and service providers to do a better job of protecting the data the DoD issued a memorandum — the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.
To give the affected parties time to put in place the security controls, the DoD set the required compliance date two years out on Dec. 31, 2017. The DFARS memorandum mandated that federal contractors implement NIST 800-171. There are 14 categories of security requirements that must be met. Some of them include access control, risk assessment, system and information integrity, identification and authentication, configuration management and more. A full list can be found here: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
Some of the highlights include that contractors must implement an insider threat program, patch critical vulnerabilities on high risk systems within 90 days, encrypt high level data that’s at rest and in motion, monitor user behavior, implement an access control policy, and perform configuration checks and risk assessments.
DL: Where is this mandate posted (government website with any guidance)?
TJ: See link above, also: https://www.insidegovernmentcontracts.com/2017/02/dod-clarifies-dfars-cybersecurity-requirements/, as well as the link to DFARS Clause 252.204-7012 https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm
DL: What percentage of federal contractors who must comply do you think will comply? What's holding the others back?
TJ: I suspect most contractors will comply to one degree or another. If a contractor fails to be in compliance by Dec. 31, 2017, they must report how they are out of compliance. Given they have had nearly two years to fulfill the requirements, most of the larger contractors and service providers should already be in compliance or at least closing in on compliance. The interesting use cases are going to be the smaller contractors and the contractors that aren’t primarily federally focused. Also, the largest contractors are likely to be in a state of “check list compliance” where validating compliance is very manual, based on a snapshot in time (i.e. out of date data), done on a contract by contract basis, and would require something of a herculean effort to pull together anything like a current enterprise view of compliance.
Most contractors, both large and small, are already meeting many of the individual requirements (like encrypting data) for certain data assets; however, challenges do exist even there. Most of these assets and security technologies sit in silos within organizations and because of the need to protect the information itself, the organizations have no easy way of knowing where protected data is stored and if they are meeting the security requirements. They don’t have any mechanism to bring the siloed information together into a consolidated view so they can easily see, for example, that an application that contains sensitive information has tight access control restrictions, and that users who access the application are being monitored and flagged for anomalous behavior. For a large contractor that has more than 250,000 employees and thousands of active contracts, manually connecting the dots between where their most valuable data assets reside, who is accessing it, how they are interacting with it, and whether they are meeting the NIST 800-171 requirements is a daunting task that could take years to complete.
DL: How can contractors show compliance? What is needed?
TJ: Contractors should start by gaining an understanding of their assets, and then identify and tag those that are highly valuable. They should perform a risk assessment to see gaps that put those assets at risk, and implement protections that not only enable compliance with the NIST mandate, but more importantly continuously protect those crown jewels. For example, they should use user and entity behavior analytics to monitor and detect when an employee accesses a highly sensitive application that he normally would not access, and verify if the behavior is business justified or indeed unusual. If it is not business justified, that alert should be sent to investigators as a high priority alert for investigation. They should have data loss prevention technology and multi-factor authentication in place, integrated with user and entity behavior analytics, to ensure their most valuable data assets stay in the hands of only those who are given access, and don’t leave the organization. They should make sure their most valuable information is encrypted at all times and that their security technologies are configured properly.
This strategy is a risk based approach to security. It focuses first and foremost on protecting organizations’ most valued assets, those that if compromised, would damage the mission the most. By adopting a risk based approach, contractors are putting security first, making compliance inherent.
DL: What recommendations do you have to help?
TJ: In addition to the recommendations above, contractors should look into technologies that automate and consolidate data collection, analysis, communication and reporting so that they can see at any point in time gaps in NIST compliance and are able to quickly understand their compliance status as well as show their status to auditors.
DL: Anything else you'd like to add?
TJ: DFARS Clause 252.204-7012 and 800-171 are really about making sure those that we trust with access to some of our nation’s most valuable data are maintaining a base level of security. After almost two years and numerous guidance, I don’t think it is too much to ask.
DL: I’d like to thank Tom for taking the time to answer these questions and for helping others achieve the DoD goal of implementing NIST SP 800-171 by the end of 2017.
In addition, I encourage readers to examine this CSO Magazine article which highlights how FedRAMP can help achieve NIST SP 800-171 compliance by utilizing cloud providers who have been accredited. I like this quote from the article:
“Luckily, over the past few years the U.S. federal government has implemented the Federal Risk and Authorization Management Program (FedRAMP). The FedRAMP program accredits cloud service providers with strong security and compliance practices that comply with NIST specifications. Given that these cloud services have been accredited, they are viable options for contractors and sub-contractors looking for expedient and cost competitive solutions to meet DFARS and NIST SP 800-171 requirements.”
On Dec. 5, NIST also announced that a new version of the Cybersecurity Framework, Draft Version 1.1, is out for review. You can view those latest NIST draft documents here.
I also think all government organizations can benefit from NIST SP 800-171, even if they are not mandated to comply. It will be interesting to see if these mandates eventually extend beyond the DoD contractor community and start to show up in mandates for all government contracts.
My personal opinion is that more such mandates are coming in 2018 and beyond — and mandates will also start to cover new areas like the Internet of Things (IoT) devices being connected to federal networks.
Next week, I will be looking back at 2017 cybersecurity and technology infrastructure topics in review and naming my top cybertrends for the year.
A study on the effects of body-worn cameras shows a significant reduction in complaints of police misconduct and use of force, as well as some cost savings.
The study, conducted by Virginia-based CNA Corporation, in cooperation with the Las Vegas Metropolitan Police Department (LVMPD) and the University of Nevada, Las Vegas' Center for Crime and Justice Policy, found a 37 percent reduction in the number of officers involved in use-of-force incidents and a 30 percent decrease in the number of officers with at least one complaint filed against them. Among the control group, officers not equipped with a camera, use-of-force increased 4 percent.
Researchers assigned 400 LVMPD officers body cams, while another 400 served as a control group.
In a new twist on this type of study, the Las Vegas survey also found that body-worn cameras can generate considerable cost savings for police by simplifying the complaint resolution process.
Capt. Daniel Zehnder, Communications Bureau commander for LVMPD, said the 2014 study deserves attention because of the cost savings. The department saved between $828 and $1,097 per user or approximately $4,000 per user, per year when misconduct complaints and investigations were considered.
“The cost-benefit analysis was a bit limited,” he said. “I think there could be more savings.”
For example, he said, footage might help officers later write better reports.
The positive results of the Las Vegas pilot contrasted with several other studies from police departments in Washington, D.C. (2017), Phoenix (2014), and Edmonton, Canada (2011-2014) that found body cameras did not affect police misconduct.
A randomized, controlled trial at the Metropolitan Police Department in Washington, D.C., showed no statistically significant effect on officer uses of force or civilian complaints this past fall. With more than 2,200 officers involved, this study is one of the largest and more rigorous on this issue to date. This study was rolled out in multiple patrol districts during the course of 18 months, although the findings are based only on the first seven months of camera implementation.
The fact that the body-worn cameras did not affect behavior may be the result of a department that is already at a high level (of policing) and does not have much room for improvement, explained Seth Stoughton, an assistant professor at the University of South Carolina School of Law and a former police officer.
In addition to differences in police departments and communities, he said study design may influence the outcome.
The LVMPD decided to purchase and use body-worn cameras because it had run into issues with officer-involved shootings and a use-of-force incident that ended in the death of the subject. According to Zehnder, because of these adverse events between 2010 and 2012, the department turned to the U.S. Department of Justice to work with that agency to solve the problem. The DOJ recommended the police force consider using the technology and asked the department to participate in a study to determine effectiveness.
The department sought community input to policies that govern the technology. He said the body cameras have helped the department become more transparent and embrace public accountability when it comes to use of force. He said the police chief now stands up in front of the press and plays back the video from a police incident.
“We also post them immediately to our YouTube.com channel,” he said.
Researchers at UNLV said that when used well, the technology can enhance the department's ability to be accountable for their behavior.
"Body-worn cameras demonstrate a police agency’s commitment to transparency and accountability," said study co-author William Sousa, director of UNLV's Center for Crime and Justice Policy. "The results of this study suggest that the cameras also have benefits in terms of reductions in police use of force and complaints of officer misconduct."
The National Institute of Justice provided a $107,000 grant for the researchers conducting the study.
How can a major international corporation benefit from partnering with an urban university? In this installment of the Innovation of the Month series, we’ll explore how a partnership between UPS and Georgetown University created a new learning experience for future urban planners to explore one facet of today’s urban environment: how to effectively and efficiently deliver packages and develop solutions for tomorrow’s smart cities.
MetroLab’s Executive Director Ben Levine sat down with Uwe Brandes, associate professor of Practice in Urban and Regional Planning at Georgetown University, and Thomas Madrecki, Director of Urban Innovation and Mobility at UPS, to discuss the collaboration.
Ben Levine: Could you please describe what the New Urban Technologies Studio Class is? Who is involved in this project?
Uwe Brandes: This class was a cross-listed class between our Urban and Regional Planning and Systems Engineering master’s programs. It was structured as a studio class where students spend the semester responding to a real-world client and a challenge. We have a lot of these classes in the urban planning program, but this was the first time we brought students from both programs together to focus on a digital, data-enabled urban problem.
Levine: What business need motivated this collaboration?
Thomas Madrecki: In a nutshell, traffic congestion, urbanization, the rise of e-commerce and the need to improve quality of life in cities, with more sustainable and efficient movement of goods, services and people. We want to work collaboratively with cities like Washington, D.C., and academic partners like Georgetown to address future challenges and to develop proactive, win-win solutions that work for both cities and businesses at the intersection of logistics operation, urban planning and policy, and applied data science.
Levine: Can you describe the project?
Brandes: The focus of the studio was to explore how e-commerce is impacting traffic congestion in individual neighborhoods in Washington, D.C., and to look at what new operational and policy solutions might be put in place to mitigate congestion related to package delivery.
Madrecki: What I loved about this class is how it took a practical, real-world approach, bringing the conversation out of the classroom and immersing students in real problems facing UPS and Washington, D.C., every day. That meant students could engage with real data and use that information to research operational and policy-based solutions to mitigate congestion, increase operational efficiency or improve the way deliveries are made in urban environments.
Georgetown University students meet with UPS delivery personnel in Washington, D.C., to learn about daily route-planning as part of the New Urban Technologies Studio Class. Image courtesy of Georgetown University.
Levine: What were some of the advantages of a partnership that involved graduate students?
Brandes: There are so many! For the students, this class required "design-thinking," which required them to work together and collaborate to find new value propositions for UPS and for the city. Students are remarkably unencumbered, and there is enormous value generated by looking at urban problems in new ways. In this case, it was entirely unclear where future public value would be generated and by whom, so I think that all of the studio participants got something out of it.
Levine: What were your major takeaways from the process?
Madrecki: One of the most inspiring things was how much the students were able to do with limited resources and a modicum of background information about UPS’ business model. These students weren’t experts by any means, but they came up with some really fascinating proposals that warrant additional research and scrutiny. And that kind of creativity and desire to put forth new ideas and solutions is frankly refreshing. We need more of that to inspire innovation.
Brandes: A few things. One, there is a wide spectrum of creative solutions available to us if we think expansively about these urban logistics challenges. A single delivery company or a single public agency is not going to "fix the problem" in isolation. Second, traffic and logistics do not reside in a vacuum. Some of the best solutions might be to shape the behavioral demand for deliveries or re-imagining our zoning and building codes. These are not obvious solutions. Third, we need to create new ways of convening stakeholders (and their data), which allows for creative problem-solving. The role of universities is critical in this respect. In this project, we demonstrated that the university is a safe harbor where creative inquiry can occur in a non-threatening way and outside of the political process. We were able to welcome all stakeholders into the dialog.
Levine: Where will this project go from here?
Brandes: We are so happy with the outcome that we have institutionalized this course in our curriculum. The word is out and other students are chomping at the bit to engage in the next class. I believe universities have a special role to play as honest brokers between government and industry, and this class showed how to generate co-benefits for everyone involved. Clearly, we live in an era where urban challenges need to be addressed in new ways, and with that comes the need to rethink professional education and the definitions of the professions themselves.
Madrecki: I’m leading our urban delivery and mobility initiatives and want to incorporate this research and student thinking to push forward the development of new best practices and potential collaborations with cities around the world. For example, we will be testing a number of urban delivery solutions in Washington, D.C., over the coming year and that pilot project will be informed by this research, which will, in turn, generate future ideas for other cities. Where possible, we want to elevate this research internally and externally because some of the ideas are spot-on in terms of where urban delivery is heading and how cities will need to approach congestion issues.
You can read more about this project here.
About MetroLab: MetroLab Network introduces a new model for bringing data, analytics, and innovation to local government: a network of institutionalized, cross-disciplinary partnerships between cities/counties and their universities. Its membership includes more than 35 such partnerships in the United States, ranging from mid-size cities to global metropolises. These city-university partnerships focus on research, development and deployment of projects that offer technologically and analytically based solutions to challenges facing urban areas, including: inequality in income, health, mobility, security and opportunity; aging infrastructure; and environmental sustainability and resiliency. MetroLab was launched as part of the White House’s 2015 Smart Cities Initiative. Learn more at www.metrolabnetwork.org or on Twitter @metrolabnetwork.
After roughly two years without a designated chief information officer, Kentucky has tapped a recently retired U.S. Army veteran with federal-level information technology (IT) experience as its top tech official.
In a Dec. 8 announcement, Finance and Administration Secretary William Landrum III revealed that Charles Grindle, a colonel with a 29-year U.S. Army career, will serve as Kentucky’s new CIO. He will head the Commonwealth Office of Technology and will be a member of Gov. Matt Bevin’s executive cabinet.
Grindle served as an Army IT and field artillery officer during his active military service, and completed a broad range of tactical, operational and strategic assignments during peace and wartime.
Immediately prior to becoming CIO, he was an associate professor at the U.S. Army War College in Carlisle, Pa., where he's served in various capacities since June 2012, according to his LinkedIn profile.
His Army career dates to 1988; and during active service, Grindle was deployed to Camp Arifjan, Kuwait, where he was lead IT officer for the 3rd Army (FWD). Upon returning, he served as CIO for the U.S. Military Academy.
Landrum said in a statement he is “extremely pleased” at Grindle’s elevation to the position of CIO, which was previously occupied by acting CIO and Deputy Commissioner Jim Barnhart. Barnhart replaced CIO Jim Fowler, who resigned in December 2015 after Bevin’s election in the previous month.
“His breadth of experience and depth of knowledge will be instrumental as we continue transitioning to enterprisewide technology platforms, as opposed to the prior practice of state government developing agency-specific applications,” Landrum said. “This created far too many silos in the executive branch, with agencies working entirely independent of each other.”
Grindle said he is excited to join the Office of Technology.
“I feel confident we can build upon the work already being done while also challenging our IT team to embrace new thinking, deploy new technologies and improve the commonwealth’s technology platforms to make state government more accessible to citizens,” the new CIO said in a statement.
The retired colonel has long focused on IT. He earned both a master’s and doctorate degree in information science at the University of Pittsburgh. Grindle also holds a second master’s degree from the U.S. Army War College.
He has also taught academic courses on topics including contemporary security issues, cyber operations and U.S. national security policy.
He is married with two daughters and retired from the Army earlier this year.
Gilbert, Ariz., has launched an open data portal. And to guide its residents in using this new platform, it also created Alex, a chatbot designed to humanize the site and its features by giving tours of its content, helping users search for information and also smiling and waving in avatar form on its homepage.
Gilbert built the portal over the past 10 months as part of its engagement with Bloomberg Philanthropies’ What Works Cities initiative, which also helped the city establish an open data policy. The portal is designed to host data sets from a wide range of municipal departments, including community safety, growth and development, recreation and culture, finance and operations and transportation and facilities. Establishing an open data portal to host this sort of information is becoming increasingly prevalent.
What sets Gilbert’s platform apart, however, is Alex, a character that city officials said in a press release “will help connect the dots on how to use our data on your own websites, applications or research.” Alex was named after the Library of Alexandria, one of the largest libraries in the ancient world. Alex is designed to assist with both searches for and use of data.
Gilbert also noted in its launch announcement that the portal is an extension of the public records department, and will usher in the proactive release of more data aimed at increasing transparency of government and ease of informational use for residents, local business and public staff.
Philadelphia’s fire department looks to hire a senior lead GIS analyst for an analytics team
Philadelphia’s fire department is hiring a senior lead GIS analyst to help create an analytics team, noting in the job posting that the department “is moving toward increasing its use of data in day-to-day operations, and GIS and analytics will be a large part of this initiative.”
It stands to be a small team — one to two lead or associate analysts within the fire department — with grand ambitions. In fact, the posting stresses that the ideal candidate will be one who can handle daily and special projects related to GIS, while also helping the Philadelphia Fire Department grow and expand its GIS and analytics team “to become a model for all fire departments to follow.”
The use of gov tech to help fire departments protect citizenry seems to be a growing segment of the industry. The private company BuildingEye has launched a map of San Francisco that can be used to look up fire information about structures dating back to 1963. The New York City Fire Department has been using a risk-based inspection system to better anticipate when fires might start, and New Orleans has developed a data-intensive predictive fire risk model that draws from U.S. Census Bureau data to identify households that are the least likely to have a fire alarm.
It’s always difficult to say when something is a first in gov tech, but Philadelphia’s push to develop a data and analytics team operated by its fire department certainly seems to be a pioneering move that could soon take hold in other cities.
Facebook civic hackathon participants share winning ideas with Seattle city staffers
In October, Facebook held a civic hackathon at its engineering hub in Seattle, inviting its employees and those with other local tech companies, such as Amazon, to develop projects using the city’s vast open data sets to solve municipal challenges through machine learning.
Two projects were picked as winners, and the responsible teams presented the concepts at a monthly city breakfast that includes more than 40 municipal staffers who act as open data champions across all city departments. Detailing the event in a recent blog, staffers wrote “the aim was to spur new ideas for future uses of machine learning within the city and for the relevant departments to connect directly with winning teams.”
The blog also emphasized that these presentations led to questions and discussions between public servants and winning teams, taking the projects from abstract ideas to tangible applications that the open data champions could see were ripe for quick development.
The first project was dubbed Find ‘n Park, and, acknowledging that Seattle is one of the hardest places to find parking relative to other major U.S. cities, it used deep learning vision models to quickly show users how many cars were parked in a given lot, displaying the real-time availability of spaces. The other winner, Contractor 5, estimated prices within $5,000 for residential construction and remodeling projects by using open data about permitting along with natural language processing that compared similar projects.
Platteville, Colo., adopts use of nonprofit’s video archive software
Platteville, Colo., a town of 2,600 people about 45 minutes north of Denver by car, has adopted use of the Open Media Foundation’s video archiving software without notifying the nonprofit organization, which is the exact sort of low fanfare use the developers were hoping for when they built it, according to a local news report.
This program will allow the municipal government in Platteville to post videos of town board meetings online with minimal cost to taxpayers. The Open Media Foundation, the nonprofit in question, actually offers this software free to the governments of jurisdictions with fewer than 5,000 residents. The software also stands to benefit residents, creating an easier way for them to search the town’s video archives by using keywords that apply to agenda items as well as speeches given during the meetings.
Previously, Platteville’s meetings had been televised via a local access channel, but that service was recently discontinued. The move to online video archiving stands to cut costs, and while it doesn’t include a livestreaming capability, it does allow for access to the content in perpetuity. Platteville is the first city to start using the software without contacting the Open Media Foundation, which is exactly what leadership of that group says it wants: small towns that can set it up on their own and break down any misconceptions that you have to be a tech wizard to use it.
Minnesota IT launches new employee intranet with blog series detailing its creation
Minnesota IT has built and launched a new employee intranet, subsequently sharing a blog series to let staff know the best practices that went into this and the lessons leadership learned along the way.
Part one and part two of the series have been online for a little while, with the former detailing the project management aspects of the work and the latter delving into how developers took inventory, migrated content and got to know the audience for whom they were designing the intranet. Part three — which tackles information architecture, design, development and how to add content — went live this week, and part four is scheduled to come next week, promising a look at how leadership communicated changes to the system with its employees.
This blog series is essentially a start-to-finish account of the work, which involved creating a new system to replace an existing intranet, a dense and cumbersome project by any metric. The posts are woven throughout with insights into the decision-making process that stand to benefit other states undertaking similar work, as well as best practices for designers and developers involved in similar undertakings.
More than 30 states and territories have already opted in to FirstNet, the dedicated nationwide network for public safety and first responders — but on Thursday, Dec. 7, New Hampshire Gov. Chris Sununu announced his state will be the first to officially opt out and pursue an alternate plan.
Like other key states including California, Colorado, Florida and New York, New Hampshire has devoted considerable time to the question of whether or not to join the FirstNet coalition.
The state went so far as to issue an RFP to explore the issue in 2016, and awarded a no-cost, no-obligation contract to telecommunications company Rivada Networks LLC later that year — indicating that if the state chose to opt out, Rivada would be its contractor.
Following a unanimous opt-out recommendation from New Hampshire’s Statewide Interoperability Executive Committee, and a financial and regulatory due diligence report from its FirstNet Opt-Out Review Committee, Sununu made his decision.
In an announcement, Sununu said the committee determined that from a technical perspective, opting out was unquestionably the best course of action for the state to take.
“After reviewing the report from the FirstNet Opt-Out Review Committee, it is clear that while an opt-out decision comes with regulatory and financial risks, those risks can be mitigated through the safeguards and contractual provisions that the committee has recommended,” Sununu said in the statement, praising the Opt-Out Review Committee for its work on the due diligence evaluation.
New Hampshire will work with Rivada on a high-speed, wireless, broadband network for first responders, the governor said, praising the company’s plan, which he said includes “unparalleled public safety infrastructure investments” that will lead to “unmatched and near universal coverage.”
Its advantages will include free service for first responders, increased physical assets Rivada has committed to providing as well as the ability to monetize excess spectrum and use those benefits for investment back in the network, John Formella, Gov. Sununu’s legal counsel, said in an interview.
New Hampshire and Rivada will begin further negotiations later this year and will likely reach a final plan and sign a contract during the first quarter of 2018, Formella said.
Colorado is another potential Rivada client, should Gov. John Hickenlooper decide his state will join New Hampshire in opting out.
On Nov. 17, the Colorado Governor’s Office of Information Technology (OIT) made a conditional award to Rivada Networks and Australian financial services provider Macquarie Group — conditional on the FirstNet Colorado Governing Body ultimately making the recommendation to opt out and reaching a contractual agreement based on the two companies’ joint proposal of a FirstNet alternative for the state.
States have had roughly 90 days to reach decisions on whether or not to join FirstNet and their deadline, Dec. 28, is looming.
Coverage, local control and the potential for penalties should states fail to opt out and later have to join the network, have been issues for New Hampshire and other states. But Sununu struck an optimistic tone in his remarks, particularly on the issue of state oversight.
“If we successfully navigate the opt-out path, New Hampshire will retain a level of control that it would not have enjoyed in an opt-in scenario,” Sununu said, adding that he was “pleased” the state has the chance to pursue a plan he said “will provide the maximum benefit to our public safety community and all of our citizens.”
Formella said opting out does carry risks.
The state has 240 days from Dec. 28 to sign a contract with Rivada, submit plans and have them approved by the Federal Communications Commission (FCC) and the National Telecommunications and Information Administration (NTIA).
The state, the legal counsel said, would hope to achieve build-out of the network within three years of getting that final approval.
If New Hampshire is unable to finalize its plans and submit them during those 240 days, it would revert to opting in to FirstNet, and not be penalized.
But should the state's opt out be denied, it could face potential penalties in the form of termination fees ranging from $10 million to $608 million.
“But what FirstNet has assured us is that the $608 million is just a worst case scenario,” Formella said, characterizing it as a number reflecting FirstNet’s costs if it should have to later build a network for New Hampshire “from scratch” and operate it for 25 years “without any revenue.”
“Even FirstNet has said it is extremely unlikely that any penalties would come close to approaching that amount,” Formella added.
In an interview late last month, New Hampshire’s Statewide Interoperability Coordinator John Stevens, the state's single point of contact for FirstNet, said both options — opting in or out — presented positive opportunities, but the possibilities with Rivada are greater.
“We are a firm believer in FirstNet. We want it to be successful here but the state of New Hampshire has done its due diligence here. We want to assess what is the best path,” Stevens said.
“We feel that there will be a robust network here with the alternate plan and we feel that there would be an increase of connectivity with the FirstNet/AT&T plan, but not to the extent that we will be able to produce in the alternate plan,” he added.
The state’s geography and settled areas present some unique challenges and opportunities, Stevens said, pointing out that the state’s southern part is “really considered metropolitan Boston”; while elsewhere, the eighth of 13 original colonies has significant rural territory including the highest peak east of the Mississippi.
Concerns about FirstNet being able to adequately cover remote areas and serve the entire nation remain, Stevens said, noting that while the Federal Communications Commission raised $7 billion to fund the network in a spectrum auction more than two years ago, the U.S. Government Accountability Office estimated in April 2015 that actual construction and operation costs could run from $12 billion to $47 billion during its first 10 years.
“The option that FirstNet and AT&T present is that there would be an opportunity to enhance the network that is currently already in states. With the alternate plan that we have created here in New Hampshire, the construction of that infrastructure would also be at no cost to the state,” Stevens said.
In a follow-up conversation, Stevens said he believes the terms of the final agreement “could be very favorable to New Hampshire,” and the financial risk of failure during the eventual contract's 25-year term will be offset by performance assurity bonds.
In a statement, Chris Sambar, senior vice president at AT&T, underscored that to date, 35 states and territories have opted in, “reflecting a belief across the nation that it is the best option for the public safety community and the residents they serve.”
“We remain hopeful New Hampshire will continue to assess the substantial risks associated with an opt-out proposal of an unproven vendor,” Sambar said. FirstNet intends to complete its core network in March 2018 and be available across 56 states and territories, with a full build-out of network infrastructure around 2020.
Its migration to the cloud had been planned for years, and when state staffers flipped the proverbial switch at 8 a.m. Eastern Standard Time on Wed., Dec. 6, Maine’s new unemployment claims website went live on schedule.
Maine’s go-live event after about five days offline is likely the state’s most visible step toward joining ReEmployUSA, a four-state unemployment insurance (UI) consortium in the cloud that’s spearheaded by Mississippi and includes Connecticut and Rhode Island.
The consortium’s origins are not entirely recent, as it began with the Mississippi Department of Employment Security’s (MDES) development of Access Mississippi (Access MS), the state’s online UI portal, which it supported from 2004 to 2013.
But Mississippi officials said earlier this fall that they believe the four-state partnering is the nation’s first multi-tenant UI system in the cloud. And it's on time.
Officials in Maine are pleased with the deployment, achieved through partnering with Mississippi staffers onsite; Tata Consultancy Services, which handled architecture and coding on Access MS and on ReEmployUSA; and Quality Technology Services, which provided cloud services.
“It’s here. We flipped the switch and the lights came on. In the system, we generally have a little over 300 active users every 15 minutes and it looks like sessions are generally about 20 minutes. And that’s what we thought it would take for people to sign in anyway,” said Laura Hudson, director of communications at the Maine Department of Labor (MDOL).
Those numbers, derived from internal updates every 15 minutes on numbers of users, drop rates, bounce rates and session rates, are partially reflective of the fact that all users are being asked to create new accounts, Hudson said. MDOL will likely issue a news release next week with further data.
In an email, John Feeney, director of the Bureau of Unemployment Compensation for MDOL, described the launch as "very positive" overall, overcoming a "minor issue" with a U.S. Bank interface on Wednesday to send out 1,327 payments totalling $415,345 by close of business.
During its first day live, 3,166 claimants registered for new accounts as required by the new system. The state completed 383 initial claims; certified 3,519 weekly claims; and mailed out 1,239 pieces of correspondence.
The director said the state expects moving UI to the cloud to help it reduce cost, improve security and assist with business continuity and disaster recovery.
The consortium meets Federal Risk and Authorization Management Program (FedRAMP) compliance standards as well as those set by individual states and the Internal Revenue Service.
Feeney and Patricia O’Brien, deputy bureau director for MDOL, said Maine also expects the new system to provide a more user-friendly experience for residents and staff, some of whom needed six to eight months to become trained on the legacy system.
“We really think that the new system is much more user-friendly, and it really walks people through step by step. We realize that initially, there’s going to be a learning curve, and we’re going to have to get over the learning curve, but ultimately, it’s going to streamline the process because both sides are seeing essentially the same system,” Feeney said in an interview.
O’Brien said Maine’s 25-year-old UI legacy system, which still relied partially on COBOL, had reached retirement age, like many who were familiar with the 1950s-era computer programming language. She said joining ReEmployUSA was an attractive alternative to spending an estimated $80 million to $100 million on a state-specific replacement.
“We got to the point where the IT staff to maintain them, we were facing both very expensive infrastructure costs; and, quite frankly, the state staff skillset was essentially aging out of the workforce with the technology we had,” O’Brien said.
Mohammed Jalaluddin, director of the MDES Office of Technology Support and Innovation, said Maine’s new system should establish, validate and maintain most claims in real time.
“There are a few exceptions where the system will establish the claim offline, but 80 percent, 90 percent of the time they will be able to establish the claim immediately,” he said.
Dale Smith, MDES deputy executive director, said he expects Maine’s new system to go beyond merely improving efficiency to helping identify issues or situations with claims that the state should further investigate.
“One of the things that Mississippi learned when we went to this system back in 2007 was that because we became more consistent, the computer was looking at some of these issues,” said Smith.
Funded by a combined $90 million consortium development grant through the U.S. Department of Labor as well as an additional $10 million for Maine, the state formally began its migration project in January 2013.
The four partners in ReEmployUSA aren’t the only states contemplating a consortium solution to modernize UI, Scott Sanders, executive director of the National Association of State Workforce Agencies, said earlier this year.
The Southeast Consortium Unemployment Insurance Benefits Initiative connects labor departments in North Carolina and South Carolina; MW partners Maryland and West Virginia; and Vermont will take part in Idaho’s Internet Unemployment System.
But there’s more to come from ReEmployUSA.
Mississippi deployed its state’s UI benefits on Aug. 30; upgraded its UI tax component in September, then worked closely with Maine ahead of Wednesday’s deployment. In 2018, officials plan to go live with the tax side of Maine’s UI system in August; then migrate Rhode Island to the cloud in 2019 followed by Connecticut in 2020 and 2021.
In Louisville, Ky., the thinking is that innovating on a daily basis can be intimidating for a public servant who isn't already in the mindset to do so. So the city is trying out some new things to change that.
This week, the city announced Louisville Metro Badges, an incentive program similar to the one used by the Girl Scouts, except instead of earning badges for designing board games or going camping, Louisville employees get theirs for acts of “breakthrough innovation, continuous improvement and daily work.” This initiative fits into a broader effort at all levels of Louisville to spread what the city calls institutionalized innovation, meaning that innovation work is being done by all departments, not just the tech folks. In addition to the badges program, this year Louisville began variations of the hackathon concept to lessen barriers and foster cross-agency buy-in for tech and innovation work too.
The badge program, however, is the newest of these efforts. There are 25 badges total, covering a wide swath of municipal tech and innovation landscape. Examples of these badges include Voice Activated, which can be earned by participating in a project that uses voice skills through Amazon Echo, Google Home, or other such platforms; Digital Inclusion, which is earned by participating in a low-cost Internet sign-up, a computer refurbishment, digital skills training, or other related task; and Business Intelligence, which is earned by answering a business question with data. There are two tracks — one dubbed Data Scouts and the other Innovation Pioneers — and completion of each earns a total of 10 badges. Getting these badges requires submitting simple evidence of completed tasks, such as screenshots, reports or testimonials.
Michael Schnuerle, Louisville’s chief data officer, described the program as “a way to get people to do more of the sort of things we wanted them to do in a way that was fun and that they could be awarded for.”
Badge recipients can then add their accomplishments to their email signatures or LinkedIn profiles, or if they prefer a more tangible gauge, they can add stickers to plastic cards about the size of an ID. Louisville has also created digital trackers on its city website where employees can track their progress and easily submit evidence to earn their badges. At its most basic level, this is a creative alternative to traditional innovation training efforts like requiring staff to take time out to attend classes or lectures.
This, however, is not the only effort in Louisville that fits that description. Earlier this year, the innovation department put together a kit for analog hackathons, which essentially removes the digital component from the traditional hackathon concept, breaking attendees into groups of three to five people and then giving them a kit of 10 informational transparencies, sized a bit bigger at 11 by 17 inches. The groups are then asked to highlight an example of some info within that piqued members’ interest, a tech solution that could be created with this info, and ideas for the other info they would need to improve the project.
These analog hackathons, which Louisville has organized multiple times, are rapid. Those three steps take between 10 and 15 minutes. It’s basically the first half of a normal hackathon, lacking the second half that involves the actual tech work. The city’s innovation department has so far been pleased with the events, saying each one has yielded different ideas from the same data.
Ed Blayney, Louisville’s innovation project manager, said these sorts of hackathons are a great way to get city staffers thinking differently, which leads them to conceptualize projects.
“It’s not necessarily that every single project comes out of a hackathon, but that they come out of hackathon thinking,” Blayney said. “The best projects I’ve had are the ones that combine two completely different departments.”
Cooperation between seemingly unrelated entities has long been a staple of the hackathon format, or at least a desired outcome. The third major concept that Louisville has used to entrench innovation deeper in its culture this year is that of the internal hackathon. Using data from the Waze app, the city held its first internal hackathon: a city-only hackathon that brought technologists together with other staffers. These events aspire for the same creation of projects and ideas that standard hackathons do, while also giving technologists an opportunity to train attendees on new tools.
These new concepts are also built upon existing support for innovation from Louisville Mayor Greg Fischer, who encourages public servants to set aside a certain amount of time each week for innovation and breakthrough work in addition to their daily tasks.
“This is not asking you to go out and do a random challenge,” Blayney said. “It’s asking you to apply it to your daily work, showing that you’re changing the way you’re doing your job. I think that’s the most powerful thing about it. It’s really about learning skill through experience, rather than through a traditional classroom setting.”
A variety of online public services in Mecklenburg County, North Carolina’s most populous county, were running slow or unavailable, days after hackers penetrated dozens of servers and froze data. But officials said Dec. 6 that the county will not pay the more than $23,000 ransom.
In a news release, County Manager Dena Diorio said the regional government is confident its backups are secure, and it has the resources needed to restore the data.
“It was going to take almost as long to fix the system after paying the ransom as it does to fix it ourselves. And there was no guarantee that paying the criminals was a sure fix,” Diorio said in a statement. The news release indicated the agency consulted “multiple” cybersecurity experts.
“It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible,” Diorio added. Achieving that goal will require the county to use its backups to rebuild applications from scratch, the county said.
During a Wednesday press conference on Facebook Live, the county manager stressed that while 48 of the county’s 500 servers were impacted, as well as multiple applications that run through those servers, no sensitive or confidential information is believed to have been compromised.
“We are open for business and we are slow, but the good news is that based on what we know today, there’s no indication that any data has actually been lost, or personal or health information has been compromised,” Diorio said then, noting that it may be several days before a “methodical, detailed review of all servers” is complete and services are completely restored.
Late Wednesday, The Associated Press reported county sheriff’s deputies were processing inmates by hand; a tax office had turned away electronic payments; and building inspectors had switched to paper records.
The hack, which likely began over the weekend but was discovered Monday, is now affecting eight county departments including Social Services; Child Support Enforcement; Parks and Recreation; Finance; Human Resources; the Register of Deeds; the county Assessor; and the Land Use and Environmental Services Agency.
Third-party experts retained by the county believe the ransomware is “a new strain” known as “LockCrypt,” and “very little is known about it,” the county manager said.
“Based on its attributes, it looks like the criminals are from either Iran or the Ukraine,” Diorio said during the press conference.
The county manager said that contrary to erroneous reports, the hackers are only demanding $23,000 in ransom to release the data — but the process of establishing a cryptocurrency account and using it to meet the demands could take several days. Not paying and instead rebuilding applications could take longer still, she added.
“The bottom line is regardless of what direction we take, whether we pay or we don’t pay, this situation will be resolved in days and not hours,” Diorio said.
There’s no evidence Mecklenburg County was specifically targeted, county Public Information Director Danny Diehl said — but for obvious reasons, the decision of whether or not to pay the hackers was a complicated one.
“You’re taking a risk when you do that,” he said.
The exact financial impact to the county is unclear because the situation is still developing, Diehl said, but as officials inspect its hundreds of servers, they’re giving priority to key areas.
“Our priorities are going to be systems that affect health and human services, like the Department of Social Services, Health Services, Child Support Services,” Diehl said.
Mecklenburg County, which is home to more than 1 million residents and includes Charlotte, the state’s most populous city, has had contact with Gov. Roy Cooper’s office, the FBI, Secret Service, Department of Homeland Security and with companies including Bank of America, which is headquartered in Charlotte.
On Twitter, Sandy D’Elosua Vastola, the city of Charlotte’s director of communications and marketing, indicated its servers are “on completely different systems” and were not affected by the breach.
“The city has severed direct connection to Mecklenburg County systems, including email,” D’Elosua Vastola said in the statement. “The city’s Innovation and Technology department has taken steps to ensure the security of the city’s systems.”
Charlotte CIO Jeff Stovall said the city is always vigilant but has increased its monitoring of “any activities that are happening on our networks and on our devices,” and sent out reminders to staff of the proper handling procedures for emails and attachments.
The CIO pointed out that events similar to the hack in Mecklenburg County will continue to happen around the world, and require public officials to be continually on guard against cyberintruders.
“I wouldn’t say that this particular incident is unusual in the operation of any large enterprise. I would say, really, that our roles require constant vigilance and constant reevaluation of our security posture, and, unfortunately, constant investment in modernizing and ensuring our assets are appropriate for countermeasures against this type of attack,” Stovall said.
“Our cybersecurity infrastructure is just as important as any physical infrastructure that we have,” he added.
Indiana is the next state moving to allow testing of autonomous vehicles on its roadways.
Rep. Ed Soliday, a member of the Indiana House of Representatives, plans to introduce a bill in the next two weeks that will be considered early next year. The bill would establish a five-member committee to oversee applications to test autonomous vehicles in Indiana. The committee would include representatives from departments like Motor Vehicles, Transportation, State Police, and Insurance, in addition to a representative from the local jurisdiction where the testing would occur. The Indiana Department of Transportation (INDOT) would serve as the lead agency.
“It’s an important bill, and it’s important to educate people,” said Soliday, a Republican, of his desire to file the bill early in the 2018 session. “We’ve been very deliberative, and tried to be very, very careful and inclusive, and I’m pretty positive about where we’re at.”
If approved, Indiana would join some 20 other states that have allowed some form of testing or even willingness to test self-driving cars. States like California, Arizona, Nevada and Michigan have been aggressive in their wooing of AV car companies, attracting the likes of Waymo, General Motors and others.
With AV technology so new, and federal regulations so few, Soliday stressed that his main goal is to provide a framework that makes the state attractive to automotive innovation while ensuring the safety of residents and motorists.
“People that elect me want to know that they can push their baby carriage across the street,” he said, adding that the move should help the public realize that the Indiana state legislature is very "pro innovation."
INDOT will oversee testing and how the system should be structured, according to officials.
“INDOT is very much in agreement with Rep. Soliday on the structure and organization of the committee at this point,” said Scott Manning, an INDOT spokesman.
To get to this point, Soliday, a former vice president of safety, quality assurance and security at United Airlines, formed a 25-member stakeholder group with a range of backgrounds such as insurance, manufacturing, trucking and others to put together the draft legislation.
“We are open for business. We aren’t going to compromise safety. Within those boundaries, I’m willing to listen,” the lawmaker said.
The state does not intend to develop specific infrastructure such as AV testing facilities, preferring to rely on the private sector for that, Soliday explained.
Much of the AV testing today is done in what many describe as the fair-weather conditions of the West, in places like Arizona and California. Soliday says Indiana offers a wider swath of conditions, ranging from winter weather to high-traffic corridors and road construction.
“That’s where the shoe-leather really meets the pavement,” he said. “It’s one thing to test in Arizona. It’s another to test on [Interstate] 80-94 in a snowstorm.”
By its recent broadband policy decisions, or intent thereof, the FCC majority has proven itself an adversary of consumers, small businesses and local governments. An increasing number of municipalities, public utilities, co-ops and local ISPs are exploring avenues for getting community-owned or controlled broadband networks.
Communities cannot afford to continue to produce yet another feasibility study that just sits on a shelf while stakeholders try to determine what to do next. For the health of your broadband plan, maybe your community should turn to telehealth.
Broadband Adoption and Telehealth Adoption Are Joined at the Hip
Current conventional wisdom that governs many broadband plans is that communities need to build these networks to ensure local economies stabilize or advance. It’s proven that many local companies in underserved areas need better broadband if they are to stay in the community. But how to attract new companies?
Frank Maddux, nephrologist and co-founder of Gamewood Inc., an ISP that joined the Danville, Va., public utilities broadband network, feels economic development has moved from a “value proposition” to the “expected amenity.”
“Not having broadband makes your community less desirable to businesses planning to relocate,” Maddux said, “but it doesn’t necessarily make you stand out from cities that also have broadband.”
“Some find more interest among community stakeholders for using broadband for telehealth, and its subset telemedicine, than for economic development,” said John Windhausen, executive director of the Schools, Health and Libraries Broadband (SHLB) Coalition. “There can be several reasons, starting with the fact that almost everybody is affected by health care.”
Telehealth requires high-speed quality Internet access. John Baker, senior telemedicine and video conferencing network analyst at Children’s Mercy Hospital in Kansas City, Mo., said, “You need good or excellent broadband for your telehealth services to be useful. When I came on board three years ago, our director of telemedicine had done a lot of research and determined that we needed to accelerate our efforts and our bandwidth.”
“The main medical disciplines that have adopted telemedicine historically have been tele-stroke, mental health, and dermatology,” said Eric Bacon, president of AMD Global Telemedicine. “Women’s health, particularly in underserved and rural areas, is a growing application.” Some consider women’s health care as No. 4 on the list that telemedicine can impact.
“I concur with AMD’s assessment,” said Dr. Jon Belsher, board member of Partners Urgent Care. “I expect a tidal wave of activity in the area of tele-mental health over the next 10 years. There is a severe shortage of specialists, an overwhelming need for mental health services and a high probability for successful patient outcomes.”
Conditions Are Right for Community Networks and Telehealth
General health care, telehealth, and telemedicine delivery can make a strong financial business case that justifies community broadband investment, and makes it easier to raise money. Community leaders, health-care stakeholders, and telehealth application users should conduct needs analysis that strengthens the business case.
A blog post by Sherie Sanders of eCivis highlights the dire state of rural hospitals. “According to the National Rural Health Association, more than 75 rural hospitals have closed since 2010, with 673 at risk of meeting the same fate,” she writes. “That could leave up to 11.7 million people with nowhere to turn.”
Furthermore, about 20 percent of the U.S. population — more than 50 million people — live in rural areas, but only 9 percent of the nation's physicians practice in rural communities, according to the Bureau of Health Professions.
Only 62 percent of rural Americans have broadband installed in their homes, according to the think tank New America, and those who do often pay exorbitant prices for sluggish speeds. There are similar statistics from low-income urban communities, such as 40 percent unconnected in Detroit. A report by national and local advocacy groups says, “AT&T has withheld fiber-enhanced broadband improvements from most Cleveland neighborhoods with high poverty rates.”
Additionally, “over 70 percent of small businesses, which include small health-care clinics, have less than 4 Mbps upload speed,” according to data collected by Strategic Network Group.
Broadband in the Telehealth Mix
Children’s Mercy uses AMD Global Telemedicine's devices and software to link the main hospital, their satellite hospital, and their general offices down the street. They will expand the technology when they build the new clinic in Junction City, Kan. The hospital manages three satellite clinics, and the staff visits several rural clinics on a quarterly basis to provide telemedicine services.
“We generate 13 to 16 gigabits a day Monday through Friday,” Baker says. “There are 200 telehealth visits a month that are 30 minutes each. We have a 2 Gbps connection to our main hospital, a 1 Gbps to a couple of sites, and a 100 Mbps, 50 Mbps and a few actual T-1 lines that have 1.5 Mbps bandwidth.” However, it’s difficult to do video-centric telemedicine with T-1.
The main hospital uses a local broadband provider, though additionally they have tested Google Fiber. The clinics are in the metro area, so it’s not a true rural setting. The clinics use ISPs located closest to them, but unfortunately, those connections were not reliable or fast enough. The hospital staff carries a commercial hot spot that they plug into rooms at the clinics to provide 20 Mbps of cellular coverage.
Looking at the big picture, it makes financial and political sense to align hospitals and health-care institutions, schools and libraries into a health-care hub. This infrastructure triple play can lay a foundation for building broadband in stages throughout the community.
An engineering design team can create a wired and wireless infrastructure that links all three groups into a mini network and add a number of telemedicine applications and services. Then the community, via the local government, public utility, co-op or a public-private partnership, can construct and operate the network.
If a community does its due diligence and advances a strong business case for these health-care hubs, the triple play should open up various additional opportunities for funding, even if the community doesn’t receive government funds.
“Plan and then execute the health-care hub with efficiency,” said Brian Snider, network design practice area leader for engineering and design firm Foresite Group. “Focus on building a network designed for growth, security and reliability. It is also important that the network be built with redundancy in mind.”
An unknown entity took over the Explore Minnesota Facebook page for more than eight hours on Dec. 4, posting non-travel-related content until officials were able to regain control of the popular webpage.
A spokesperson for the state's tourism agency said staffers first noticed the page had been hacked around 8 a.m. Central Standard Time (CST). The state immediately contacted officials at Facebook and at Minnesota IT Services (MNIT) for assistance in resolving the issue.
Explore Minnesota officials were briefly successful in regaining control of the page, their most-followed social media outlet, during the day, but otherwise worked with the company and MNIT to mitigate the incident’s effects, warn social media followers of the breach and, afterward, remove added content.
We are aware that the Explore Minnesota Facebook page is acting up and are looking into the matter. Thanks for your patience while we resolve this issue.
— Explore Minnesota (@exploreminn) Dec. 4, 2017
Alyssa Hayes, Explore Minnesota spokesperson, said control was restored around 4:30 p.m. CST, and while there appears to be no lasting damage to the agency or to its social media page, the hack was no small incident.
“It was a serious cyberattack against our Explore Minnesota page. We were working diligently with the actual team at Facebook headquarters for about nine hours yesterday to resolve the issue,” Hayes said. “We ended up gaining access at one point (but) the hacker had completely closed us off after we had addressed that.”
A Facebook spokesperson said via email that the company works “around the clock” to safeguard accounts and pages, but did not specifically discuss the Explore Minnesota incident. The spokesperson urged users who believe their accounts may have been compromised to visit facebook.com/hacked, or to report a hacked page at: facebook.com/help/contact/434468003315353.
Hayes praised MNIT for assisting the tourism agency in investigating the matter, and said the breach was something of a reminder that teamwork and swift action are essential during a hack.
“I’m not sure if it’s a lesson, but we do know that addressing these things as quickly as possible is very important and learning to lean on our allies, like our state partner agencies, like MNIT Services,” Hayes added.
Cambray Crozier, director of communications at MNIT, said the incident is proof that public agencies must continually do everything possible to guard their technology and online presence against bad actors.
“A good talking point is that they fend off more than 3 million attempted cyber attacks every single day,” Crozier said of MNIT’s state security operations center, noting that the Legislature declined to approve Gov. Mark Dayton's $27 million cybersecurity investment request during its last session.
“In our view this is a great example of something we’ve been advocating in the legislature, the importance of proactively funding better cybersecurity protection in our state and investing in advance in better tools including password managers to protect Minnesota and the people we serve,” Crozier said.
The communications director recommended via email that Minnesotans create “long and strong” passwords using letters, numbers and symbols that are unique to each account; use two-factor authentication if available; and “when in doubt, don’t click.”
“I think the most important thing to highlight is that, at MNIT, we think it’s tremendously important to have honest conversations about how technology is driving business and government in the state of Minnesota,” Crozier added, pointing out that residents’ private tax information, for example, must receive public protection from the state once they file their taxes.
It’s unclear how the hacker or entity may have gained access to Explore Minnesota’s Facebook account, but Hayes said the webpage’s relatively high number of around 226,000 followers could have attracted the unwanted attention.
“We’ve been in close discussion with the state of Minnesota IT services and their cybersecurity team. They’ve explained to us over and over again that this can happen to anyone,” Hayes added.
The tourism agency’s Instagram page has about 121,000 followers, while its Twitter account has around 58,000 followers — but in terms of connectivity, Hayes said Explore Minnesota’s Instagram runs first, having achieved more than 560,000 of the around 700,000 uses of the statewide travel hashtag #OnlyinMN.