Under attack in the states

Michigan portal helps workers e-learn cybersecurity awareness.

Michigan opened a Web portal last month that will give state employees access to computer and Internet security awareness programs.

Dan Lohrmann, Michigan's chief information security officer (CISO), said the portal is part of a larger effort to improve the state's computer network security by educating employees about proper security procedures and practices.

Cybersecurity has emerged as a major concern among state chief information officers, who say their networks are increasingly under attack. It's "definitely the thing that keeps us up at night," said Tom Jarrett, Delaware's CIO and president of the National Association of State CIOs (NASCIO).

Since Lohrmann's CISO position was created three years ago in Michigan's Information Technology Department, state officials have coordinated efforts to reduce their computer systems' vulnerability. Their efforts have included a six-month review of methods to improve security through training and awareness programs.

The state's employees now receive one hour of computer and Internet security training each year. Lohrmann said that although one hour is not much, it raises employees' awareness of cybersecurity risks.

A few years ago, state officials had to fire several student interns because they were using peer-to-peer file-sharing applications.

"We have targeted training plans for different roles," Lohrmann said. "If I'm the systems administrator, I go through different training than if I'm a secretary. Some is mandatory and some is optional," depending on the training plan that a manager sets up for each employee.

Lohrmann said cybersecurity is a constant challenge because new threats continue to emerge. In addition to firewalls and other protective technologies, Michigan officials use special software to block spyware and about 100,000 spam messages daily.

In a state where 50,000 employees have e-mail accounts, 100,000 fewer spam messages isn't much of a reduction, Lohrmann said. But even that amount has made a difference in employees' productivity.

Chris Dixon, NASCIO's issues coordinator, said Michigan is a leader in improving cybersecurity, especially through its security awareness training programs. Michigan has an easier challenge because the state's centralized IT Department can set and enforce cybersecurity policies and practices statewide, he said.

Most states lack such an organization, but each addresses cybersecurity in some way, Dixon said. Many states, however, lack sufficient training and education programs.

"In many states, that [requires] a level of maturity beyond where they probably are right now," Dixon said.

Lohrmann offered a mixed picture of states' cybersecurity readiness. Many states face budget pressures, forcing them to do more with less. And few state officials think holistically about cybersecurity, he said.

Lohrmann remembers when he worked for the National Security Agency, where people would say — and mean — "Security is our middle name."

State government is not quite there yet, he said.

What do you know?

Michigan's Information Technology Department has developed several online multiple-choice and true/false quizzes to raise employees' awareness about cybersecurity. The questions below are taken from an advanced quiz. To take the test, visit Michigan's cybersecurity Web site at www.michigan.gov/cybersecurity. Find the answers on FCW.com Download's DataCall at www.fcw.com/download.

  • What protocol ensures privacy between communicating applications and their users on the Internet?
  • This standard being developed by IBM, Microsoft, Novell and others will allow different manufacturers' biometric software to interact. What is it?
  • What governs the type of traffic that is and is not allowed through a firewall?
  • What is the term for an attempt to determine valid e-mail addresses associated with an e-mail server so they can be added to a spam database?
  • This two-level scheme for authenticating network users functions as part of the Web's Hypertext Transfer Protocol.
— Dibya Sarkar