U.S. Technology Marketplace:
Opportunities & Pitfalls for
Selling to the Southerners
Canadian Technology Forum, June 10, 2009
David Z. Bodenheimer, Crowell & Moring LLP
© 2009 Crowell & Moring LLP
The Technology Forecast
• Federal Information Downpour
• Cybersecurity Tidal Wave
• Homeland Security Blizzard
• Healthcare Technology Scorcher
U.S. Federal IT Marketplace
800-Pound Information Gorilla
“The Federal government is the largest single producer, collector, consumer, and disseminator of information in the United States and perhaps the world.” (OMB, 2007)
US IT Budgets
• $72.9 billion – (FY 09)
• $75.8 billion – (FY 10)
US Federal Information
Information Treasure Trove
• National Security
• Personal Data
• Infrastructure Data
• Technology
• Trade Secrets
US Federal Cybersecurity
Information Security Spending
• $14.6 Billion – (FY 09)
• $25.5 Billion – (FY 13)
• $30-40 Billion – (Next 5 Years)
US Homeland Security
Homeland Security Priorities & Dollars
DHS Budget (FY10)
• 6% FY10 over FY09
• $7.5 Billion (12%) – Transportation Security
• $918 Million (15%) – Critical Infrastructure – Electrical Grid – Financial Sector
• $127 Million (30%) – Inspector General
US Healthcare Technology
Healthcare Technology Priorities & Dollars
• Top Presidential Priority
• Health Information Technology for Economic & Clinical Health (HITECH, Title XIII, ARRA)
• $31 Billion Infrastructure & Health Information Technology
• $19 Billion Health IT
• 33% in Veterans Administration IT Budget
“Computerizing America’s Health Records in five years. The current, paper-based medical records system that relies on patients’ memory and reporting of their medical history is prone to error, time-consuming, costly, and wasteful. With rigorous privacy standards in place to protect sensitive medical records, we will embark on an effort to computerize all Americans’ health records in five years. This effort will help prevent medical errors, and improve health care quality, and is a necessary step in starting to modernize the American health care system and reduce health care costs.”
Homeland Security Technology
Security Technology
Technology Is The Key
“Technology is critical.” (Undersecretary Asa Hutchinson, March 12, 2003)
“Getting the best technology [and] having it interoperable.” (Sen. Ted Kennedy, March 12, 2003)
“Force multiplying nature of technology.” (Sen. Jon Kyl, March 12, 2003)
Information Sharing
Daunting Challenges
DHS Information Management
• Geography – 7,500 miles land border – 95,000 miles sea border
• Multiple Agencies – Federal/State/Local – 80,000 law enforcement officers @ 2,500 sites
• Complexity – $$$ billions $$$ – Multi-year projections – Interoperability – Schedule Pressures
Security Technology
Opportunities
• No Technology Limits – Data Mining & Analysis – Biometrics & ID – Threat Sensors
• No Boundaries – Federal, State, Local – International
• Dual-Use Technologies – Public/Private
• Instant Demand – Ready-to-go Technology
And Challenges
• Product Differentiation – Multiple Solutions – Little Effectiveness Proof – No Central Data Bank
• Customer Fragmentation – No Single Entry Point – Export Restrictions
• Private-Use Barriers – National Security
• No Development Funds – Short-term Horizon
Liability Protection
SAFETY Act
“Support Anti-terrorism by Fostering Effective Technologies Act of 2002.”
• Homeland Security Act – Subtitle G, §§ 861-865
• Enacted Nov. 25, 2002
Liability Protections
Why Get SAFETY Act Approval?
• Exclusive Federal Jurisdiction
• Damages Limitations
– No punitive damages
– No pre-judgment interest
– Limits on “noneconomic damages”
– Offset for Collateral Source Recovery
• Liability Cap – Insurance Coverage
• Government Contractor Defense
US Privacy & Technology
US Privacy Laws
Privacy Patchwork
“There is no comprehensive federal statute that protects the privacy of personal information held by the public sector. Instead, federal law tends to employ a sectoral approach to the regulation of personal information.”
(Congressional Research Service, Privacy, Mar. 2003)
Privacy by Sector
• Financial Institutions– Gramm-Leach-Bliley Act
• Health Care Industry– HIPAA
• Educational Records– Family Educational Rights Act
• Telecom Industry– Telecommunications Act
Privacy
Privacy Wars
“I want to remind you of the lay of the privacy landscape – or perhaps it is better called a battlefield. On that battlefield, the world has become a more dangerous place.”
*Jennifer Stoddart (Privacy Commissioner of Canada)
Privacy Technology Targets
Technology Targets
• ID & Biometrics
• RFID
• Intelligence Data Mining
• Commercial Data
Privacy Battlefield
• National ID Badges
• Skimming
• Misuse Potential
• No Redress or Access
Privacy Weapons
Battlefield Weapons
• Merger Opposition
– NSA Surveillance Program
• Union Challenges
– Outsourcing Protests
• Lawsuits
– $50 Billion Class Action
Privacy Casualties
Battlefield Casualties
• MATRIX Program – State & Local Law Enforcement Data Mining
• CAPPS II + Secure Flight – TSA Passenger Screening
• Total Information Awareness – DARPA Data Mining
Privacy Casualties
Total Information Awareness (TIA)
• Data Mining
• Commercial Data
• Did Not Address Privacy
• Funding Terminated by Congress
Privacy Protection
Public Law 108-90
• Data Accuracy & Testing
• Redress Process
• Privacy Oversight
– Internal
– External
• Security Controls
• Operational Safeguards
• No Technological Privacy Concerns
Fair Info Practices
1. Collection Limitations
2. Data Quality
3. Purpose Specification
4. Use Limitations
5. Security Safeguards
6. Openness
7. Individual Notice & Redress
8. Accountability
Technology Flux & Requirements Definition
Technology Risks
President’s Helicopter: Navy Cancels Contract for Presidential Chopper*
“The Navy on Monday moved to formally terminate its $13 billion contract . . . for a new presidential helicopter. Some lawmakers plan to continue their efforts to extend funding for the program, which has already cost some $3 billion.”
*AIA Daily Lead (June 2, 2009)
Wall Street Journal (June 2, 2009)
Technology Maturity
Requirements Definition
• Weapon Systems Acquisition Reform Act of 2009
– Pub. L. No. 111-23 (May ‘09)
• Technological Maturity Assessment
• Trade-offs between cost, schedule, & performance
• Critical cost growth
Technology Risks
Requirements Definition (or not)
• “For the ACE program, weaknesses in requirements definition were a major reason for recent problems and delays”
• “For US-VISIT, test plans were incomplete”
• “Secure Flight’s requirements were not well developed” (GAO, 3/29/06)
Technology Risks
From Honeymoon to Divorce
• Wedding (8/2/02): TSA selects “vendor for the TSA Information Technology Managed Services” (DHS Press Release)
• Honeymoon (5/11/04): “TSA’s $1 billion IT Managed Services contract … is being hailed as one of the largest performance-based IT contracts.” (Seminar Presentation description)
• Divorce (2/06): DHS IG “recommended that TSA terminate the current contract at the end of the base period and re-bid the contract.” (OIG-06-23 Report)
Technology Risks
Changes: “continually changing and increasing Information Technology (IT) requirements”
Undefined Requirements: “TSA did not know exactly what its IT requirements would encompass”
Unauthorized Work: “TSA agreed to pay $15 million [out of $40 million requested] for the unauthorized work”
*DHS IG Report OIG-06-23 (2/06)
Cardinal Change: Air-A-Plane Corp. v. US (Ct. Cl.) (over 1000 changes fundamentally altered contract)
No Baseline: *Infotec Development Inc., ASBCA (Government liability for delay in establishing baseline)
Implied Contract: “Even though a contract be … not authorized . . . , it is only fair and just that the Government pay for goods delivered or services rendered and accepted under it.” Prestex, Inc. v. U.S. (Ct. Cl.)
Acquisition Management
DHS IG Report (OIG-06-23)
• “[Vendor] may have realized additional profit by billing uncompensated labor hours that were not reflected in the proposed base labor rates used to build up the ITOP II rates.”
• “The ITOP II fully burdened rates were not representative of the actual performance of the … contract because [Vendor] used entirely different subcontractors and fewer subcontract labor hours than initially proposed for the ITOP II rates.”
DOD IG Handbook
• FRAUD INDICATORS
• Professional staff required to work a significant amount of unpaid overtime on a variety of projects, both direct and indirect.
• Encouraging employees to work significant unpaid overtime but to not record the hours, in direct conflict with company policy.
• A significant variance between proposed and negotiated vendor/subcontract prices.
• Contractor using higher courtesy bids to support proposal or negotiations knowing that lower bids are or will be available. Courtesy bids also increase the lowest bid.
Acquisition Management
Self Protection – Define Requirements
• Proposal: State expectations
• Contract: Define the requirements (who defines & when!)
• Disputes: File a claim
*Infotec Development Inc., ASBCA (Government liability for delay in establishing baseline)
Acquisition Management
Do a Requirements Inventory
• Performance Standards – TBD?
– Environmental conditions – Location?
– Reliability/Durability/Operability – How long?
• Interface Control Documents – What interface?
• Test Requirement Documents – When?
• Interoperability & Standardization – What equipment?
• Inspection Standards – Commercial?
• Government-Furnished
– Property or Information – When?
– Agency Control – What agency?
Information Security: Opportunities & Risks
Cybersecurity
Cyber Threats
• 3600% increase (since 1997)
• Cyber Crime = Top Problem (FBI)
• “Electronic Pearl Harbor”
• “Hackers for Hire” + Terrorists
262 Million Breaches
No One Remains to Have an ID Stolen
“2008 Data Breach Total Soars: 47% Increase over 2007” Identity Theft News (Identity Theft Daily, Jan. 5, 2009)
Records with sensitive personal information involved in security breaches in the U.S. since January 2005:
262,424,592 records (Privacy Rights Clearinghouse, June 4, 2009)
127 million records compromised in 2007 alone
– 600% increase over 2006 (Identity Theft Resource Center)
Cyber-Crime > $100 Billion
Hacking is More Lucrative than Doping
INTERNET LAW – “Cyber-Crime Hits $100 Billion in 2007, Out-earning Illegal Drug Trade” (IBLS Internet Law, Oct. 15, 2007)
“$1 trillion globally in lost intellectual property and expenditures for repairing the damage” (House Homeland Security Committee Hearing, Mar. 31, 2009)
Everyone’s On-Board
DNI, DHS & Industry Agree
“Cybersecurity Near Top of DNI Concerns,” (Federal News Radio, Jan. 26, 2009)
“Third area that’s on our agenda for [2008] is cyber security” (Secretary Chertoff, DHS Press Release, Dec. 12, 2007)
“DHS Puts Cybersecurity Toward Top of 2008 To-Do List” (Federal Computer Week, Dec. 13, 2007)
“Data Breach Likely to be Hot Topic at Porn Summit” (Technology Daily, Jan. 14, 2008)
Information Security Law
The Law
• FISMA (44 USC § 3541-49)
– Information security for federal agencies
• Federal Acquisition Regulation (FAR)
– Flows security requirements to contractors
– Leaves details to agencies (NASA rules)
• OMB & NIST Rules
– Standards referenced in FAR
Information Security Law
Scope of FISMA
• Federal Information Security Mgmt. Act
– 44 USC § 3541-49
• Broad Scope
– Information collected/maintained for agency
– Information system used/operated by agency
– Information system of agency contractor
• Commensurate with Risk/Harm
Information Security Laws
FISMA Requirements: Contractor Coverage
“information collected or maintained . . . on behalf of an agency”
“information collected or maintained . . . by a contractor of an agency”
“information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source”
44 U.S.C. §§ 3544(a)(1), (b)
FAR Requirements: Contractor Coverage
“Section 301 of FISMA (44 U.S.C. 3544) requires that contractors be held accountable to the same security standards as Government employees when collecting or maintaining information or using or operating information systems on behalf of an agency.”
“The law requires that contractors and Federal employees be subjected to the same requirements in accessing Federal IT systems and data.”
(70 Fed. Reg. 57451 (Sept. 2005))
Information Security Laws
OMB (whitehouse.gov/omb)
OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources (Nov. 28, 2000)
OMB Memo M-08-09, New FISMA Privacy Reporting Requirements for FY 2008 (Jan. 18, 2008)
OMB Memo M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007)
NIST (csrc.nist.gov)
SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems (July 2008)
SP 800-53 Rev. 3 DRAFT Recommended Security Controls for Federal Information Systems and Organizations (Feb. 5, 2009)
SP 800-61 Rev. Computer Security Incident Handling Guide (Mar. 2008)
SP 800-83 Guide to Malware Incident Prevention and Handling (Nov. 2005)
SP 800-100 Information Security Handbook: A Guide for Managers (Oct. 2006)
SP 800-122 DRAFT Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (Jan. 13, 2009)
Information Security Laws
NIST Security Program
• Establishing Security Objectives
– Integrity
– Confidentiality
– Availability
• Identifying Security Needs – Requirements identification – Risk assessment – Cost-effectiveness assessment – Appropriate level of security – Life-cycle security
NIST Security (cont.)
• Implementing the Security Program – Policies & procedures – Security controls – Configuration controls – Continuity of operations
• Ensuring Compliance – Training – Periodic testing & evaluation – Accountability – Security incident detection & reporting – Remedial actions
Cybersecurity
Security Program
• Risk Assessment + Life-Cycle Plan
• Policies & Procedures
• Security Controls
• Incident Management
• Monitoring & Oversight
• Accountability
Cybersecurity
How Cyber Breaches Hurt Companies
• Reputation & Business Loss
• Congressional Investigations
• Criminal & Civil Penalties
• Suspension & Non-Responsibility
• Contract Breach & Torts
Cyber Breaches
Major Risk Area
• Bad Press
• Bad Business
• Boycotts
Monster Hackers Also Hit USAJobs.gov (Aug. 31, 2007)
“It now appears that Monster.com knew about a breach of its systems almost a month before Symantec told Monster of a massive phishing operation targeting Monster.com users. That long of a lag is "inexcusable," said W. David Stephenson, a homeland security and corporate crisis management consultant, "after the legacy of past problems."”
Cyber Breaches
Congressional Focus
• Hearings
• GAO Reviews
• Legislative Risks
Cyber Breaches
Criminal & Civil Penalties
• Criminal Sanctions
• Civil Penalties
• State Actions
Thompson, Langevin Demand Investigation into Department Cyber Attacks (Sept. 24, 2007)
“criminal investigation”
“fraudulent statement”
Cyber Breaches
Contractual Risks
• Contract Breach
• Nonresponsibility
• Debarment
• Past Performance
Wednesday, February 15, 2006
Firm Fired by Ohio for Lax Privacy Protection Pursuing Outsourced IRS Tax Collection Work