CapITol Insider

Computerworld - Hacking for dollars: The Navy outsourced much of its IT infrastructure under a $6.9 billion contract approved last fall with Electronic Data Systems. But Navy CIO Ron Turner didn't outsource his "red team" hackers. If the Navy can successfully penetrate EDS' security measures, the company will be "cost penalized - it's a cost penalty if we break in," says Turner, who is hoping to make some money off that provision. The National Security Agency, which is considering outsourcing its non-classified systems, is also looking at a performance contract with a similar clause. What vendor would want to go up against the NSA's hackers? What odds would Las Vegas give?
FUD alert: U.S. Sen. Robert Bennett (R-Utah) is trying to drum up congressional interest in critical infrastructure protection by comparing a hacker attack to nuclear war. If hackers, Bennett argues, manage to disrupt the Federal Reserve's fund transfer system, Fedwire, they could shut down all financial transactions. And that, argues Bennett, would "devastate the United States more than a nuclear device set off over a large city," he says. "It will cause more long-term havoc." We're sorry, but if the choice is between getting nuked and not being able to use an ATM, we'll take the latter.
Vendor fever: One way to get a sense of just how much money the federal government spends on IT, now at $44 billion annually, is to compare it to the private sector. Measured against the Fortune 500 list, federal IT would rank about 25th, somewhere between the revenues reported last year by Home Depot and Compaq Computer Corp. It's a lot of money, and it explains why vendors are anxious to see the Bush administration follow through on its plan to outsource up to half of eligible government services.
Rumor control: The U.S. Department of Health and Human Services has been less than forthcoming about when it plans to release the security component of Health Insurance Portability and Accountability Act (HIPAA) rules. Best estimate from an HHS official: this summer.
Change in conventional wisdom? Many computer security experts say insiders pose the greatest security threat. But some say that's changed. "E-business has moved the primary risk back outside the enterprise walls," says Patrick Milligan, Ford Motor Co.'s director of security, at a recent security conference in the Washington area. But just to be safe, Ford's $100 million security upgrade, which it launched last summer, includes the use of smart cards for end users.
No big boats for "Safe Harbor." Privately, tech industry wags arelaughing over Washington's efforts to get companies to sign up for U.S.-Europe "safe harbor" data privacy agreement, calling the 40 firms who have signed up for it the longest list of companies no one has ever heard of. It's an exaggeration to be sure, but the point is that with the exception of Dun & Bradstreet Corp., Hewlett-Packard Corp. and most recently Microsoft Corp., most large companies are holding back and waiting to see just what the Europeans really plan to do to enforce their stringent privacy laws. European data protection authorities are expected to begin taking action after July 1. Companies that agree to follow the safe harbor rules are allegedly protected against legal action.

Read more about privacy in Computerworld's Privacy Knowledge Center.