Florida: The cybersecurity state
- By Dibya Sarkar
- Nov 12, 2002
Florida State Technology Office
As Florida information technology officials began preparing for the Year
2000 conversion, they also became concerned about cyberterrorism.
"We were going to have to worry about worms, viruses, hacking and other
acts of cybervandalism and cybersabotage forever, and we felt that we needed
a permanent presence to be able to deal with the issues," Scott McPherson,
who led the state initiative. "Nobody was thinking about al Qaeda back in
The concern led to the formation of the Office of Information Security
about two years later to handle protection for all Florida state agency
information systems. The office, which is housed within the State Technology
Office, now has a staff of seven and budget of $4 million.
"We tried to always be mindful that we had to take an enterprisewide
approach to this especially with all the interoperability and connectivity
issues between agencies.... Otherwise, you just try to do this agency or
that agency or the other agency, and you're still going to leave yourself
wide open," said McPherson, the chief information officer for Florida's
Corrections Department and the leader in creating the information security
Even before Sept. 11, 2001, state governments increasingly have become
aware of the risk to their information systems and have implemented statewide
strategies to protect their data and critical infrastructures. Just how
many states, or to what degree, is unclear.
The National Association of State Chief Information Officers (NASCIO)
has led the charge for greater security and, this summer, issued a report
calling for stronger public-sector measures in cybersecurity protection.
It is also developing an Interstate Information Sharing and Analysis Center
to provide aggregate state incident data, early warnings and notices.
At NASCIO's annual conference last month, McPherson discussed Florida's
approach, which included contracting with a vendor — in this case, Herndon,
Va.-based TruSecure Corp.
Such an arrangement was important, he said, to get a true, independent
assessment. "I've recognized from my prior experience and my Y2K experience
that state agencies when left to their own devices will rise or fall to
their own levels of competence," he said.
TruSecure recently finished a statewide security audit for the state's
three branches of government. Audits included "everything from penetration
tests to war dialing to physical security, inspections, and looking at policies
and procedures, everything from screen savers to port scans and almost literally
everything in between," McPherson said.
Initially, the governor's agencies were targeted "because those are
the ones we can crack the whip on the easiest," McPherson said. But after
lawmakers saw how well those agencies fared against the Nimda virus last
fall, the legislature provided an additional $500,000 to expand the program
statewide, an effort that began earlier this year and was completed in late
No agency got a clean bill of health from the company's security assessment,
McPherson said, and agencies have to fix any security deficiencies themselves.
The company will now start conducting supplemental audits, "which come at
a moment's notice [and] will be systematic and ongoing."
If a governor's agency starts to "drag," McPherson said the governor
would get involved. If a cabinet agency doesn't comply, then the legislature
will hold a joint session behind locked doors to hear the complaint and
possibly reprimand the agency. "We have never had to do this and that's
the beauty of having the power," he said. "If you have the power and other
people know you have the power and you're not afraid to use it, then they
The security office also is providing training to agency security officers
to bring them up to a specific level of competence. The state also is developing
security policies and procedures.
"Agencies will be allowed to adopt more restrictive policies, but no
agency will be allowed to exempt themselves from the policies," he said,
adding the baseline policies should be finished by year's end.
McPherson said the state "doesn't profess to have the best solution,"
but is "bore fruit."
"The one thing that we do recognize is that we're only as good as our
next foray into the unknown and that's why it's so important for these audits
and these vulnerability assessments to be ongoing," he said.