This morning's stories deal with the Gartner-ordered Iowa State Auditor's investigation of the Colloton emails leak, the Press-Citizen's revelations of Downer-Colloton correspondence and e-mails, a Daily-Iowan editorial regarding Grassley's investigation of the tax deductibility of "contributions" to college athletic programs, and letters to the Press-Citizen involving the "attack" on Colloton and the UI sports program's involvement with the Iowa Lottery. There's even an Earthpark story! (The Press-Citizen letters from Saturday and Sunday's editions, and the Monday morning Daily Iowan, were not available when yesterday's blog entry was prepared, but are included in the links below.)
There are a number of aspects of the use of the Iowa State Auditor to investigate computer security at the UIHC that concern me.
1. Gartner's role and Board governance. The Daily Iowan reminds us this morning, "This issue first publicly surfaced when state Board of Regents President Michael Gartner asked for an investigation into the incident during a Jan. 11 telephone conference." There may have been formal Board action on this matter during the January 11 phone call. I don't know. But what it sounds like is yet one more example of Board President Gartner's unilateral action in the name of the Board -- while the Board members sit idly by and let him do it without even questioning, let alone rebelling at, what he is doing.
2. Micromanaging and Board governance. Assume for the moment that this did involve formal Board action. Is it an appropriate thing for a Board (a board of any institution) to get itself involved in? Whether it is characterized as a "security breach" (Gartner's characterization) or a "personnel matter" (the University's characterization) it strikes me as a level of detail that involves many layers of management below a board that is properly focused on "policy." I'm not suggesting it wasn't serious or important. I'm just questioning who should most appropriately have first responsibility for following up. I don't think that's the Regents. I don't even think it is a matter for University Interim President or the newly appointed hospital vice president. It's a detail for the hospital CEO, if that.
3. Violation of Board's appellate responsibilities. When this investigation was first proposed by Gartner, it was pointed out how it violated the Regents' responsibilities as an appellate body. I have not researched this, so I don't speak with any authority, but it is my understanding that, if a UI employee wishes to appeal a punishment imposed upon him or her, the appellate process ultimately lands on the Regents' desks. If that were to occur in this case, as a result of the Regents playing the role of the prosecutor their independence as a reviewing body has been compromised.
4. Did the UI "request" this audit or not? Erin Jordan's story begins, "The University of Iowa has asked the state auditor's office to investigate computer security at University Hospitals after an employee accessed private information of a former director. U of I Interim President Gary Fethke said in a news release Monday he wanted the external review . . .." Isn't this a Regent-ordered investigation -- complete with (according to Jordan's story) the use of the Regents' own internal auditor? The University earlier said that this was a "personnel matter" that was thoroughly investigated, and on which the case was closed as of January 15. What happened in the interim that would cause Fethke to say that "he wanted the external review"? Was he instructed to say this, and if so by whom?
5. What is there to audit? The University in general, and the UIHC in particular, have computer systems ("Information Technology," "IT") professionals in place. They are very conscious of the security risks that come with computer and network hardware and software in large institutions, and the computer hackers who like to break into systems -- mostly for fun, but some to engage in identity theft, invasions of privacy, or access to cash or credit cards. They have systems in place to minimize such risks, and they are updated regularly as new risks are known. As Lyle Muller reports this morning, "Interim UI President Gary Fethke said the university constantly audits how it controls access to its information technology in an effort to protect electronic records and documents."
Moreover, it is relevant to note that hardware or software (a "security breach") was not the cause of the unauthorized access to John Colloton emails -- if the University's earliest representations can be believed. There was no "hacker." There was no compromise of employee or patient records. It was described as a "personnel matter." That suggests another category of risks that has little or nothing to do with IT procedures regarding hardware and software.
I cannot know what happened. I have no source other than the stories in the papers. But it sounds like someone who was authorized to have access to Colloton's computer, or that of his secretary, or the backup tapes (or other media) on which the emails were stored -- but someone who was not authorized to copy and remove from the premises the content of those emails -- may have made copies that played a role in the process that resulted in some of Colloton's emails having been provided to the Press-Citizen.
That is what I would call a "personnel matter." And the University says its investigation of that was completed by January 15.
So the State Auditor can try to familiarize himself with the hardware and software protections the UI IT people have in place -- even though those protections are apparently irrelevant to this case. And he can find out what practices are followed in the hiring and oversight of IT personnel. But unless he can come up with some new "employee honesty vaccine" with which all IT new hires are injected there's not much he can do.
And, failing those options, what is there to "audit" -- especially what is there to audit that will take "a number of months" (which is what Lyle Muller quotes State Auditor David Vaudt as saying is his timeline)?
6. What's this really about? What is Gartner up to, and why? Is he really more interested in who did it than in what that person did, and what can be done to minimize the risk of such things occurring again? Does he want to impose his own personal punishment on whoever did this dastardly deed that might end up embarrassing him and his friend John Colloton?
Speculation is not very productive. But the saga of the Regents and the University of Iowa does get "curiouser and curiouser," doesn't it?
This blog has been blessed with some high quality comments from time to time for which I am grateful. Sometimes funny, often serious, almost always insightful, few actually require a response from me, but all are appreciated. When I do respond, however, I tend to do it within a blog entry, rather than as a comment -- as the other day when I followed up on the comment regarding the op ed last December about the Attorney General's advice to prior search committees regarding their open meetings obligations.
Here are a couple more.
On January 28 John Neff wrote regarding my letter to the editor of the Daily Iowan responding to their editorial advocating a new Johnson County Jail:
"I have some questions for you about the jail;1. The population of the jail has grown at about 3% per year for the past twenty years and the population of the county has grown at about 1.5% over the same time interval. For the past four years the jail has grown at about 4.5% per year. What do you think can be done to reduce the growth rate?2. The glue that holds the Johnson County Criminal Justice System together is about 2000 offenders. About 6% are incarcerated and the other 94% are on pretrial release, probation, parole, waiting to get into jail to serve their sentence, on home detention or in a residential work release facility. To solve jail crowding the judges will have to move 3% from the jail into an alternative program. They have not done so. Why not?"
Response: I was advocating for some "thinking outside the box" ("the jail cell"); looking for alternatives to new jails that might better serve the incarcerated and the community and at lower cost. I phrased it in terms of "if" ("if we haven't yet done that") rather than an assertion that we had not. If it's the case that we're already using alternatives to incarceration for all but 6% of those we might have placed in jails, I'd say we're doing pretty well on that score. John asks, why have the judges not cut it even further, to 3%? I haven't a clue; but I'd guess it may well be because they think they've pushed about as far in that direction as they need to or can.
On January 29 (yesterday) "Anonymous" wrote:
"You are only seeing one angle on the jail. There is also a facilities angle. The current structure is 25 years old. It is used 24/7/365. The building itself is worn out and basically fully depreciated. It needs replacement even if you just leave it at the same capacity. That of course would be stupid in a county that has grown by almost 40,000 people since the current jail was built."
Response: If we have but two choices -- (1) tear down the present jail and build another in its place that is identical to the present one, or (2) tear down the present jail and build a replacement that is somewhat larger (and, presumably, includes whatever features the best literature suggests are improvements we've learned about regarding jails in the last 25 years) -- then I'd say you're right: that's pretty much a no-brainer. But I was unaware (until now) that those were our only choices. And I don't know what "worn out" and "fully depreciated" (except in the accounting sense) means with regard to a solid brick building that looks pretty good from the outside.
While it may seem internally inconsistent, I'd like to believe that it's not, that I: (1) support expanding a great many public programs (especially when, by spending now we save even greater costs in the future), including additional prisons, up to and including raising taxes (preferably income taxes), but (
2) I'm a strong advocate of exploring every possible alternative to doing so first (especially alternatives that can produce a higher quality output at a lesser cost than at present) -- an intellectual exercise that doesn't seem to be very popular with public officials. In my letter to the editor I offered some of those alternatives for jails; in the blog posting I went on to give an example with K-12 expenditures.
Once a thorough and honest effort has been made -- by those who don't have a self-interest in the outcome -- and all possible alternatives have been examined and rejected, and the need remains, then, of course, go ahead.
"Anon77" reminded me, yesterday, that I had meant to include that PC story, and forgot in the rush. I may still now. Meanwhile, read his (or her) comment regarding Gartner's seemingly staying out of the fray at the Legislature.
And "Anonymous" wrote yesterday: "Why don't you comment more on say the FCC basically saying local government cable franchise agreements are dead?"
Response: There are a number of publications that report monthly, weekly, and even daily, on the doings at the FCC -- in addition to the FCC's opinions, new regulations, and other output. There's no way I can keep up with that with a daily blog and get anything else done in my life. I spent seven years writing 400 dissenting opinions -- plus magzine articles, speeches and even books -- about how horrible it was 35 years ago. Plus, today there's more to be offended and write about. Compared with the present Commission, we now look back on those earlier days I then thought were so awful as "the Golden Age of Responsible FCC Regulation." I'll put a toe in that water again from time to time, but I've had my full emersion baptism.
[Note: If you're new to this blog, and interested in the whole UI President Search story, these blog entries begin with Nicholas Johnson, "UI President Search I," November 18, 2006. Wondering where the "UI Held Hostage" came from? Click here. (As of January 25 the count has run from January 21, 2006, rather than last November.) For any given entry, links to the prior 10 will be found in the left-most column. Going directly to FromDC2Iowa.Blogspot.com will take you to the latest. Each contains links to the full text of virtually all known media stories and commentary, including mine, since the last blog entry. Together they represent what The Chronicle of Higher Education has called "one of the most comprehensive analyses of the controversy." The last time there was an entry containing the summary of prior entries' commentary (with the heading "This Blog's Focus on Regents' Presidential Search") is Nicholas Johnson, "UI President Search XIII -- Last Week," December 11, 2006. My early proposed solution to the conflict is provided in Nicholas Johnson, "UI President Search VII: The Answer," November 26, 2006. And the fullest collection of basic documents related to the search is contained in Nicholas Johnson, "UI President Search - Dec. 21-25," December 21, 2006 (and updated thereafter), at the bottom of that blog entry under "References". A Blog Index of entries on all subjects since June 2006 (updated January 17, 2007) is also available.]
Editorial, "Athletics tax deductions not right message," The Daily Iowan, January 29, 2007
Neal Sauerberg, "State auditor to probe UIHC info leak," The Daily Iowan, January 30, 2007
Terry McCoy, "Panel begins UI-head search," The Daily Iowan, January 29, 2007
Dean Treftz, "Sports donors under review," The Daily Iowan, January 29, 2007
Erin Jordan, "U of I requests review of hospital's data security," Des Moines Register, January 30, 2007
James Q. Lynch, "Grassley says 'no' to Earthpark extension; Project's supporters must match federal grant of $50 million," The Gazette, January 30, 2007
Lyle Muller, "Auditor to check safeguards used at University Hospitals; Audit in response to employee’s improper use of resources," The Gazette, January 30, 2007
Brian Morelli, "Auditor to Look Into UI Breach," Iowa City Press-Citizen, January 30, 2007
Brian Morelli, "Letters touch on allegations of blame; Correspondence shows glimpse into Wellmark dispute," Iowa City Press-Citizen, January 30, 2007
Stan Miller, "UI and Lottery Should Not Mix," Iowa City Press-Citizen, January 28, 2007
Dave Nagle, "Colloton Has Left Us a Great Legacy," Iowa City Press-Citizen, January 27, 2007
State29, "Athletic Supporter Tax Deductions," January 29, 2007
State29, "Earthpork Deadline," January 30, 2007
State29, "The Botanical Center's Red Ink," January 30, 2007
Technorati tags: football, athletics, academics, high school, college, University of Iowa, education, K-12, leadership, university president, Michael Gartner, Iowa Board of Regents, UI president search, Nicholas Johnson, FromDC2Iowa
Nicholas Johnson's Main Web Site www.nicholasjohnson.org
Nicholas Johnson's Iowa Rain Forest ("Earthpark") Web Site
Nicholas Johnson's Blog, FromDC2Iowa
Nicholas Johnson's Blog Index