Vernon Fraud in Audit Report

Vernon, California is a town just five miles south of the center of Los Angeles and near another town that has been infamous for government fraud investigations and arrests.

On a map Vernon may be hard to find because it seems to be just a few empty industrial-looking streets in a giant maze. Despite being near the center of LA, however, it is recorded with a population of about 100 people who host about 1,800 companies with 50,000 workers generating a quarter-billion in annual revenue on a property tax base of four billion. It officially is the smallest incorporated city in the state, while being at the center of one of the largest cities.

Vernon map

That introduction should give you some clue to where I am going with this story. Vernon appears to be on its way to being known as another unfortunate example of corruption and misrepresentation. An audit of the California Public Employees’ Retirement System (CalPERS) has uncovered that many of the Vernon officials found and exploited loopholes in how retirement was calculated.

CalPERS is taking steps to cut the retirement benefit of former City Administrator Bruce Malkenhorst Sr. from $45,073 per month to $9,654 per month, following an audit CalPERS completed in April 2012.

The press release from CalPERS is a bit vague in describing the exploits. Take this sentence for example, which emphasizes that documentation is required to prove a retirement calculation is justified.

Of the numerous positions Malkenhorst Sr. performed simultaneously at the City of Vernon, the City Clerk position was the only position that had a publicly available pay rate for a single position, and which did not constitute pay for duties in addition to normal duties, or overtime.

The problem is not just that documentation was missing. That obviously will trip up any audit. A really interesting problem is related to the phrase “performed simultaneously”. Guess how many jobs/hours the accused Vernon official was trying to cash in.

The audit said Vernon failed to substantiate the number of hours worked by Malkenhorst, who at one point held 10 different positions in city government and earned as much as $911,000 in 2006.

You can read the audit itself to really get details but from what I’ve read the Vernon officials figured out that in a small town you could stack together an unlikely, or even impossible, record of work and still submit it for retirement calculation. It obviously doesn’t help if controlling funds and disbursing them is within that set of ten jobs held by one person. Any government income reported above a certain threshold will surely raise an automatic pension flag now, not to mention a flag for lack of independence.

Other loopholes cited in the audit include paying people who were ineligible, declaring the legal profession a high-risk job, and massively increasing pay just before the cut-off for calculating retirement (e.g. spiking the rate to inflate the average). While messing with the numbers used to calculate retirement benefits, officials also are accused of underreporting.

[The audit] also criticized the city for not reporting Fresch’s full compensation, which reached as high as $1.65 million in 2008. Fresch, who succeeded Malkenhorst as Vernon’s top administrator, has remained a special [legal] consultant to Vernon over the last year at a rate of $525 an hour…

Basically the town’s records had no data integrity, which was noticed by investigative journalists after the Bell scandal. It seems that neither state funds, nor other government funds, would be caught up in the CalPERS pension scandal for Vernon employees. Nonetheless, it will be interesting to see now how the city will reform itself and form a relationship with external and independent audits.

Like a false republic, which Americans often make fun of as a problem overseas, the lack of an independent electorate makes the options seem limited. By agreeing to change led by the state, it so far has been able to avoid un-incorporation measures. But it obviously has a long way to go, based on the details in an opinion piece in the LA Times:

Vernon has never made any pretense of normal governance. Founded as a family fiefdom, it has remained so for a century. John Leonis, Vernon’s co-founder, served 45 years on its City Council. His grandson, Leonis Mahlberg, served 53. If any real-life entity reflects the cynical manipulation of public institutions portrayed in the iconic movie “Chinatown,” it is Vernon. The hereditary dons of the Vernon council serve for decades, jetting off on lavish “trade missions” to Asia, Europe and elsewhere at public expense. They ruthlessly suppress even the shadow of dissent, and rigorously control who is allowed to live in nearly every dwelling in the city. Bruce V. Malkenhorst at one time served simultaneously as Vernon’s city manager, finance director, city clerk, redevelopment director, treasurer and chief of light and power, drawing the highest salary of any public official in California. After 33 years as city administrator, he passed the job to his son, Bruce V. Malkenhorst Jr.

As part of the reform the state could perhaps turn it into an educational theme park. Imagine a sign that said “Welcome to Kleptocracy World”.

…generally associated with corrupt forms of authoritarian governments, particularly dictatorships, oligarchies, military juntas, or some other forms of autocratic and nepotist government in which no outside oversight is possible, due to the ability of the kleptocrat(s) to personally control both the supply of public funds and the means of determining their disbursal…most common in third world countries…

…or as found in America, particularly around LA.

When Is Electronic Espionage an ‘Act of War’?

Is the U.S. engaged in a “cyber war?” 

Until recently the identity of the perpetrators of cyber-attacks against U.S. networks, infrastructure and the military was clouded in suspicion and not spoken of out loud. There has been much speculation about cyber war or a cyber-Pearl Harbor, but no official declaration of what constitutes cyber war or naming of names, until now.

In March, General Keith Alexander, speaking before Congress, and in May, Secretary of Defense Leon Panetta, during an interview with ABC News, outwardly named China as the main perpetrator and identified criteria for defining cyber war.  General Alexander, the Director of NSA and CYBERCOM commander, stated, “China is stealing a ‘great deal’ of military-related intellectual property from the United States and was responsible for last year’s attacks against cyber security company RSA . . . .”[1] Secretary of Defense Panetta said, “Well, there’s no question that if a cyber attack, you know, crippled our power grid in this country, took down our financial systems, took down our government systems, that that would constitute an act of war.”[2]

Over the last year the Department of Homeland Security (DHS) has voiced their concern over the vulnerability of our critical infrastructure, oil and gas refineries, electric grids and nuclear reactors, to potential cyber-attacks. If you are not fully convinced of the threat, consider the “Shady RAT (remote access tool)” report by McAfee wherein they identify companies and governments which recently discovered that hackers have been in their networks for the last five or six years undetected.[3]

One might conclude that a clear picture is emerging, but is it? 

During the Cold War, when government secrets were stolen, it was treated as espionage or spying. Remember all of the spies tried for espionage: Aldrich Ames, Robert Hanssen, the shoot down of Gary Powers and the U2 spy plane over the USSR. What if a nation placed “sleeper cells” in its adversary’s country ready to attack critical infrastructure if a war broke out? Would this be considered spying and part of the “cat and mouse” game or grounds for a retaliatory strike?

Does the fact that these activities can now be accomplished electronically from the safety and comfort of your own nation change the playing field? At the time, we probably considered the flights of the U2 relatively safe since it flew above the threat zone of anti-aircraft guns. Does stealing terabytes of military secrets or planting logic bombs in critical infrastructure (to be launched at a moment’s notice to disable the infrastructure) cross the line from espionage to war or an “act of aggression?”

This and many similar scenarios are now the new normal and must be defined as nations and the international community grapple with technology and current and future capabilities. Where should the line be drawn? Do we just accept that an adversary, via computers, can now access and potentially steal, manipulate, or destroy information and functionality, or should nations aggressively draw the line now and openly retaliate in protest?

Obviously, as Secretary of Defense Panetta stated, if you disrupt critical infrastructure, deny critical communications, or blind a military defense system, the line has likely been crossed.  Certainly defacing a website does not even come close to being an act of war or aggression.  What about stealing terabytes of military secrets to later be used to disable your adversary’s defenses?  Possibly!  For now the line will be defined by the reactions of various nations faced with cyber-attacks.  If a nation does nothing or retaliates with a similar attack, e.g. theft for theft, then a line has been drawn and a precedent set.

A similar problem is the issue regarding Iran and nuclear weapons. Is Iran’s pursuit of nuclear weapons and statements attributed to them about annihilating Israel and the West enough provocation to take aggressive action to prevent them from obtaining a bomb? Clearly no one wants to escalate the situation but most agree something must be done before it is too late. Similarly, in the cyber arena, all interested parties are reacting very cautiously in their response to cyber-attacks, likely to avoid escalation and the setting of precedent.

In the Estonian and the Georgian conflicts the reaction was to block, clean up, and speculate about who may have launched the attacks and only the media claimed cyber war.  Not until recently has one nation, e.g. the U.S., been so vocal about who is using cyber espionage and attacks to invade and plague their networks.


[1] NSA Chief: China Behind RSA Attacks, J. Nicholas Hoover, Information Week Government (Mar. 27, 2012) http://www.informationweek.com/news/government/security/232700341.

[2] Leon Panetta: A Crippling Cyber Attack Would Be ‘Act of War’, Jake Tapper, ABC News (May 27, 2012) http://abcnews.go.com/blogs/politics/2012/05/leon-panetta-a-crippling-cyber-attack-would-be-act-of-war/.

[3] McAfee: Operation Shady RAT, http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf.

NSA announces new Cyber Operations program

From the desk of the NSA, a new National Centers of Academic Excellence (CAE) program has been formed:

The CAE-Cyber Operations program is intended to be a deeply technical, inter-disciplinary, higher education program firmly grounded in the computer science (CS), computer engineering (CE), and/or electrical engineering (EE) disciplines, with extensive opportunities for hands-on applications via labs/exercises.

“Extensive opportunities for hands-on” is perhaps a subtle way of saying the U.S. is a little behind in its “collection, exploitation, and response” work. Apparently the U.S. Government is having a hard time finding talent.

DHS with great fanfare announced in 2009 that it would hire 1,000 cybersecurity experts. At a House Homeland Security Committee hearing, Philip R. Reitinger, deputy undersecretary for the National Protection and Programs Directorate, admitted that the department has fallen far short, and has only brought on some 260 new personnel. The new goal is 400 by October 2012. This comes at a time when the White House is giving more responsibility to DHS to protect computer networks in not only the civilian departments, but in the private sector as well.

If you think that it is nice of the U.S. Government to train students to fill the gap, you would not be mistaken:

The program is in support of the President’s National Initiative for Cybersecurity Education (NICE)

The NSA program to promote information assurance and cybersecurity was started in 2004, yet there are only 145 CAEs (3% of institutions). Almost a dozen states in the U.S. still do not yet have even one CAE.

Aside from the scope of the project there is the question of effect. Will boosting numbers of CS/CE/EE move the dial for national security on its own? We repeatedly see that human behavior is the source and solution of serious risk. What will the NSA do about training students for the soft power element of smart power?