Security in numbers
- By Dibya Sarkar
- Aug 06, 2001
There just aren't enough security experts to go around these days.
State agencies had an easy enough time when security planning only meant deciding which firewall to buy. But as the potential for hackers, viruses and other cyberthreats has continued to mount, many agencies, left to their own devices, simply have not had the wherewithal to put up an adequate defense.
Lacking security expertise on staff, they have applied security policies and procedures inconsistently — and with little enforcement oversight — and they have not kept their technology up-to-date.
Such vulnerability is not acceptable. With so much at risk, state governments are stepping up their efforts and taking a more proactive and sweeping approach to protect their information systems, data and, in a way, the future of e-government.
They are adopting statewide policies, guidelines and procedures to monitor and report security breaches, holding training workshops for employees and appointing personnel whose sole job is to guard all digital doorways.
They are constantly testing their systems for weaknesses and installing better antivirus protection software, firewalls and intrusion-detection systems, in addition to implementing authentication measures such as digital signatures.
The lack of expertise in agency offices has not changed. What has changed is that many states are now coordinating their security efforts through a single government agency, usually the state's information technology department or a security office housed within it. And lawmakers, recognizing the significance of protecting the public's privacy, are devoting more money to security.
States are also forming intergovernmental relationships with other states and with federal organizations to share information and prepare coordinated responses to threats, according to several state chief information officers, security officials and experts.
Charles Gerhards, Pennsylvania's deputy secretary for information technology, said states must be prepared at all costs.
"Understanding that and understanding the potential havoc one could wreak in a breach, we have a fiduciary responsibility, all of the states, to try to protect [our] information to the best of our ability," he said.
A recent joint survey by the Computer Security Institute, a San Francisco-based association of security professionals, and the FBI found that 85 percent of respondents, primarily large corporations and government agencies, detected computer security breaches in the past year.
"I think the No. 1 threat to the future of electronic government is having a major breach of security where the public loses confidence that government can keep information confidential," Gerhards said. "So unless we can adequately and safely deal with this issue, we will have significant problems to try to convince the public that e-government is worthwhile."
Earlier this year, Texas hired Sprint to do a statewide assessment of its security infrastructure. The company recommended a dedicated security office within the Department of Information Resources (DIR). Money for the office was included in the state's 2002-2003 general appropriations bill, signed into law June 17.
The Texas study said that in many areas, IT security was immature and systems were inadequate. It said the state's computer incident reporting process was underused and that more than half of all state agencies failed to provide required monthly security incident reports. But, most significantly, Sprint found no statewide policy for Internet security.
"What was evident is that either [our] agencies have policies that are not being enforced, are not being followed for the most part, or there were no policies," said Mel Mireles, DIR's statewide IT planning manager. "When you couple that with the lack of perimeter security — infrastructure, hardware, software — you get a kind of a double whammy here."
The study said centralizing security into a single office would improve online security and reduce costs for state agencies that may not have the money or expertise to do it. A central office would provide a more rapid and effective response, leverage security experts to benefit more agencies, maintain and enforce security policies, foster public confidence and provide consistent levels of training and awareness education, according to the report.
It's unclear just how many states have adopted an enterprisewide approach, but several officials said they believed all state governments have taken the first step, are in the process of developing an enterprisewide approach or are at least thinking about it.
Iowa, Pennsylvania, California, Utah and Kansas have established agencywide policies and dedicated personnel to create, oversee and test security policies and measures.
Kip Peters, Iowa's chief security officer, said his state conducted a study of its security systems three years before Texas' study. "Probably the reason why nobody knew about us was because the study itself contained specific vulnerabilities and had issues concerning each one of the agencies," he said. "And because of that it needed to be confidential."
Iowa plans to release a statewide security policy by summer's end. In the meantime, Peters' team has been testing the system for weaknesses, including pinging agency Web sites. He said in any system, including Iowa's, you're "virtually guaranteed" to find weaknesses. He said the tests are done "not to embarrass anyone," but to educate people and improve the system. He said Iowa's "security posture" has improved since the testing.
Peters' team offers agencies security consulting services and notifies agencies of vulnerabilities, threats and needed patches. They've built a test bed for new security products. Another priority has been a security awareness and training program, including sending out e-mail messages, posters and a newsletter for state workers to recognize breaches and report incidents.
"We're looking for opportunities to provide centralized training, more specific technical training to the administrators and security people in such a way that we can bring the costs down so it's a little bit more palatable for the agencies to purchase that training," he said. Peters said the state would also install advanced help-desk software, so if somebody reports an incident, a notification would be automatically sent to several key people. Currently, workers call, e-mail or post incidents on an intranet, but the notifications aren't automatically routed to other workers.
In California, CIO Elias Cortez said his state began looking at security from an enterprise perspective during the Year 2000 problem. "During Y2K, we did find minimal issues of not understanding the priority of security," he said, adding security was then practiced on a "department-by-department approach."
But now that security is on the front burner, Cortez's IT department sponsors quarterly workshops, with attendance consistently averaging more than 200 participants. Subjects have included Web site vulnerabilities, e-mail and virus protection, general security awareness, authentication, encryption and public-key infrastructure.
When they started the program in the third quarter of 1999, Cortez said participants weren't ready for in-depth technical discussions so they taught general awareness training. Since then, discussions have become more technical. California has a person dedicated to overseeing security on an enterprisewide basis, but Cortez said there are also dedicated security employees within each agency. The state also has a computer security incident response team, composed of experts from various agencies, to deal with security problems.
In Utah, Bob Woolley, assistant director of the Department of Information Technology Services, said they've had an enterprise model for about a year because it was too costly for state agencies to implement security measures on their own. He also said policies weren't being applied or enforced, and security training and awareness were inadequate.
Woolley said agencies just needed to install patches and perform other minor corrections to shore up security. Until something bad happens, he said, agencies become somewhat complacent about upgrading their security.
Pennsylvania formed a nine-person security team three years ago within Gerhards' department when the commonwealth networked its 40,000 PCs. Similar to what Iowa and Texas did, the security team grew out of a recommendation from a study conducted by the Computer Emergency Response Team at Carnegie Mellon University and its sister group Secure360. The commonwealth also has Electronic Data Systems Corp. under contract to assist them with security measures.
The commonwealth's security is applied in layers, Gerhards said. Users must first pass through the front portal, monitored by his department, before they are allowed access to agency Web sites. "What my group does is to try to guard hacking from a wide-area network, that is not even let them in the front door to try to even get to our agencies," he said. "We then have state agencies who have security at their level as well."
Money's No Object
In Kansas, CIO Don Heiman said both lawmakers and citizens have been very concerned about privacy and security. And security has been one of the state's top priorities for the last four years.
"As we deploy distributed systems, as we really got aggressive about e-government and e-commerce in a federated environment, it challenged our ability to manage all the elements of security," he said.
Last year, the state adopted a security policy for all three government branches. Agencies and departments can either adopt the policy, or model and craft their own, building upon the state policy, Heiman said. He also said that as states increase their security measures, they should be careful not to exclude people with physical and other disabilities from gaining access to their Web sites. Officials also emphasized that an enterprisewide approach enables governments to make the most of their buying power, thereby saving money.
"It's kind of motherhood and apple pie because everyone is interested in maintaining privacy of information," said Gerhards, referring to sufficient funding for security measures.
But Peters said officials shouldn't go overboard with such measures. "What we really try to avoid doing is protecting a $5 horse with a $50,000 fence," he said. Deploying elaborate security measures to protect a public Web site that only posts information may be excessive because it could limit public users' access to the site. Leaving the site open to defacements is, in general, something "you have to put up with," he said.
But Vincent Steckler, Symantec Corp.'s public sector vice president, said he wasn't too sure that states were on top of the security game and stressed they needed to do more. "We see states less aware than the federal government," he said. "That's because they have had less of a threat. The federal government is much more of a significant hack target than state government."
Citing a commissioned study conducted by La Jolla, Calif.-based Harte-Hanks Market Intelligence, Steckler said state and local governments were further behind the federal government in using certain security measures, such as authentication and access control, intrusion detection and vulnerability assessment software.
Symantec officials, he said, have been talking with two state governments that "have become keenly aware of their [security] deficiencies" after their Web sites were vandalized by Chinese hackers who waged a so-called cyberwar with American hackers after the April collision between a U.S. Navy spy plane and a Chinese jet fighter.
And as more governments use virtual private networks, he said employees — working from the field or from home and using a Digital Subscriber Line or cable connection — might not have the proper firewalls to keep out hackers. In those instances, hackers can piggyback onto an employee's connection and enter the government system.
State Meets Federal
State governments are also looking to each other, the private sector and the federal government for help and support.
Nationally, state governments have banded together to develop an information-sharing network. The National Association of State Chief Information Officers has created a working group to address critical security issues, share information and develop a best practices template for ensuring security, said Michigan CIO George Boersma, who sits on NASCIO's executive committee.
The Partnership for Critical Infrastructure Security, born out of a presidential directive three years ago that requires federal agencies to protect their critical information systems and infrastructures against cyberattacks, has invited NASCIO to be an ad hoc member. The public/private partnership monitors nine sectors, including electricity, oil and gas, water, transportation, banking and finance, information and communication systems, emergency systems, law enforcement and aviation.
PCIS president Ken Watson, manager of Cisco Systems Inc.'s critical infrastructure assurance group, said that with security breaches increasing, the group wants to raise the public consciousness about security worldwide because society has become dependent on information systems.
By late fall, Watson said he hopes to have a joint public/private document published as a security blueprint to help companies and governments. While PCIS has a strong relationship with the federal government, he said it was important to form a relationship with state and local governments. They "represent the front line of defense" because they reach down to fire, police and emergency health services.
Another national initiative many state governments are participating in is the FBI's InfraGard Program. It's a public/private information-sharing network that addresses physical and cyberthreats, including recreational hackers, organized crime, industrial espionage and national security threats. All 56 FBI field offices have InfraGard chapters.
Similar to PCIS, InfraGard gathers and disseminates information, educates the public and chapter members about infrastructure protection and facilitates better communication among private-sector groups.
State officials said that security is an ongoing and developing process and that they can never let their guard down. "I want to stress this is a challenge," Gerhards said. "Anyone that will tell you that they totally have it locked down are fooling themselves. We're constantly being vigilant about it, but we recognize there are a lot of folks out there, very talented folks, who have the capacity to come up with a way of breaching a system that security experts haven't even thought of."