RE: CRIME Issues

From: Dorning, Kevin E - DI-3 (kedorning@private)
Date: Wed Sep 04 2002 - 16:04:56 PDT

  • Next message: Andrew Plato: "RE: CRIME Issues"

    I have to agree with John.
    Being a Fed myself and the manager of Cyber security, I rarely look at the
    least cost solution.  We expend a lot of effort evaluating solutions that
    are not only cost effective, but effective.  It never pays to base your
    solutions on cost.  I have seen far too many high cost solutions that have
    failed because the proper requirements phase and product eval's were not
    done.  
    We do care about this stuff.
     
    K.D.
    
    -----Original Message-----
    From: RADFORD John J * DAS SCD [mailto:John.J.Radford@private]
    Sent: Wednesday, September 04, 2002 3:56 PM
    To: 'Andrew Plato'; crime@private
    Cc: Crispin Cowan
    Subject: RE: CRIME Issues
    
    
    
    Andrew, you're painting with an awful big brush there buddy.  There is of
    course a litany of private sector projects that one could point out, not to
    mention Enron, WorldCom, Global Crossing, Adelphia, Quest, etc. etc. etc.
    New Age purchasing managers are turning more and more to the value
    proposition and imbedding sufficient controls in the business processes to
    ensure accountability.  
    
    -----Original Message----- 
    From: Andrew Plato [ mailto:aplato@private <mailto:aplato@private> ]
    
    Sent: Wednesday, September 04, 2002 2:52 PM 
    To: crime@private 
    Cc: Crispin Cowan 
    Subject: RE: CRIME Issues 
    
    
    > A large part of how this problem comes about is the 
    > procurement process, 
    > which ultimately results in a large, proprietary, 
    > unmaintainable system. 
    > The State then hobbles along with it until it collapses of its own 
    > weight, and then the State procures a newer system, with the 
    > same problems. 
    
    That's a good summation, but what you're not considering is the fundamental
    flaw in all government procurement. Most government procurement is based on
    the least-expensive solution that meets vague requirements. Hence you have
    entire businesses that a built on generating and providing half-assed
    solutions to government organizations at cut-rate prices. There is ZERO
    incentive for these government churn shops to provide support, management,
    and maintenance etc. since most RFPs are based on winning the initial deal -
    management, support, etc. is another RFP (and a whole new set of companies
    feeding off that business.) 
    
    This whole process supports an industry of leeches who are masters at
    selling BS to governments. They know exactly how to maneuver through the
    government agencies, kiss the right butts, and get the contracts, thanks to
    lowballing their quotes with lame solutions. Skilled, talented folks get
    pushed right out the door because - well - skill and talent tends to cost
    more. Talented people aren't willing to work for $4.00 an hour. Morons are.
    Morons also don't need to worry about reputation since they can just sucker
    the next agency out of some money and move along.  
    
    > If the State made it a procurement *requirement* that all 
    > such systems 
    > being paid for by the State be delivered with an open source license 
    > (OSD compliant http://www.opensource.org/docs/definition_plain.php
    <http://www.opensource.org/docs/definition_plain.php>  ) 
    > then the State has a great deal more flexibility in maintaining the 
    > system in the future. In particular, it frees the State to: 
    > 
    >     * hire additional developers to work on the project outside the 
    >       primary contractor 
    >     * hire maintenance staff from any source 
    >     * fire the primary contractor and replace the development staff 
    >       without having to flush 100% of the software developed so far 
    >     * engage in open source security and quality reviews of 
    > the software 
    >       without having to apply NDAs to the reviewers 
    > 
    > This is not my idea; it is being widely discussed. It has 
    > been proposed 
    > for the state of California, the Federal government of Peru, and 
    > actually implemented for the federal government of Venezuala. 
    
    You make a compelling argument, Crispin. And in many ways, government would
    be well served by open-source technologies. And it would make more sense.
    The money they save could be used to hire talented people with expertise in
    these technologies. 
    
    However, it does open up a truck load of questions. I mean, as it stands,
    the low-price bidder gets the job these days. How on earth would governments
    chose open-source products? Given the politicking and  backstabbing just to
    get governments to agree they actually NEED security is hard enough. Then to
    unleash a myriad of products on them all with varying levels of obsession
    from a wide array of lunatics. There is a reason they call them Holy Wars. 
    
    Honestly, I think governments need good advice and guidance. They need
    industry experts to help guide them into solid and efficient evaluation and
    decision making processes. And the RFP process needs to consider much more
    than merely price. The adage "you get what you pay for" has real meaning. If
    you pay nothing for something, you're getting a product that is going to be
    lacking in many ways. Likewise, paying big money for extravagant solutions
    is any better. There has to be some compromise between inexpensive and
    quality. Open-source can fill some of those needs. But I am not sure they
    can fill ALL needs.
    
    ------------------------------------ 
    Andrew Plato, CISSP 
    President / Principal Consultant 
    Anitian Corporation 
    
    (503) 644-5656 office 
    (503) 201-0821 cell 
    http://www.anitian.com <http://www.anitian.com>  
    ------------------------------------ 
    



    This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 16:46:45 PDT