Under attack in the states

Michigan portal helps workers e-learn cybersecurity awareness

Michigan opened a Web portal last month that will give state employees access to computer and Internet security awareness programs.

Dan Lohrmann, Michigan's chief information security officer (CISO), said the portal is part of a larger effort to improve the state's computer network security by educating employees about proper security procedures and practices.

Cybersecurity has emerged as a major concern among state chief information officers, who say their networks are increasingly under attack. It's "definitely the thing that keeps us up at night," said Tom Jarrett, Delaware's CIO and president of the National Association of State CIOs (NASCIO).

Since Lohrmann's CISO position was created three years ago in Michigan's Information Technology Department, state officials have coordinated efforts to reduce their computer systems' vulnerability. Their efforts have included a six-month review of methods to improve security through training and awareness programs.

The state's employees now receive one hour of computer and Internet security training each year. Lohrmann said that although one hour is not much, it raises employees' awareness of cybersecurity risks, he said.

A few years ago, state officials had to fire several student interns because they were using peer-to-peer file-sharing applications.

"We have targeted training plans for different roles," Lohrmann said. "If I'm the systems administrator, I go through different training than if I'm a secretary. Some is mandatory and some is optional," depending on the training plan that a manager sets up for each employee.

Lohrmann said cybersecurity is a constant challenge because new threats continue to emerge. In addition to firewalls and other protective technologies, Michigan officials use special software to block spyware and about 100,000 spam messages daily.

In a state where 50,000 employees have e-mail accounts, 100,000 fewer spam messages isn't much of a reduction, Lohrmann said. But even that amount has made a difference in employees' productivity.

Chris Dixon, NASCIO's issues coordinator, said Michigan is a leader in improving cybersecurity, especially through its security awareness training programs. Michigan has an easier challenge because the state's centralized IT Department can set and enforce cybersecurity policies and practices statewide, he said.

Most states lack such an organization, but each addresses cybersecurity in some way, Dixon said. Many states, however, lack sufficient training and education programs.

"In many states, that [requires] a level of maturity beyond where they probably are right now," Dixon said.

Lohrmann offered a mixed picture of states' cybersecurity readiness. Many states face budget pressures, forcing them to do more with less. And few state officials think holistically about cybersecurity, he said.

Lohrmann remembers when he worked for the National Security Agency, where people would say — and mean — "Security is our middle name."

State government is not quite there yet, he said.

What do you know?

Michigan's Information Technology Department has developed several online multiple-choice and true/false quizzes to raise employees' awareness about cybersecurity. The questions below are taken from an advanced quiz. To take the test, visit Michigan's cybersecurity Web site at www.michigan.gov/cybersecurity. Find the answers on FCW.com Download's DataCall at www.fcw.com/download.

  • What protocol ensures privacy between communicating applications and their users on the Internet?
  • This standard being developed by IBM, Microsoft, Novell and others will allow different manufacturers' biometric software to interact. What is it?
  • What governs the type of traffic that is and is not allowed through a firewall?
  • What is the term for an attempt to determine valid e-mail addresses associated with an e-mail server so they can be added to a spam database?
  • This two-level scheme for authenticating network users functions as part of the Web's Hypertext Transfer Protocol.
  • — Dibya Sarkar

    Who's Fed 100-worthy?

    Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

    Featured

    Reader comments

    Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

    Please type the letters/numbers you see above