[ISN] States face difficulties keeping up with cyberthreats

InfoSec News isn at c4i.org
Mon Aug 29 14:05:29 EDT 2005


August 25, 2005

LANSING, Mich. (AP) -- Obtaining a driver's license got a lot tougher
recently when a cyberworm hit government computers in Massachusetts,
forcing customers to wait until technicians got infected computers
running again.

The Zotob virus and its variations also attacked businesses such as
automaker DaimlerChrysler AG, idling up to 50,000 workers at 13
plants, and media companies such as CNN, ABC and The Associated Press.

The scramble in Massachusetts, Michigan, Kansas and elsewhere to fend
off the virus shows the vulnerability of states to potential shutdowns
in service now that they offer everything from hunting licenses to
physician discipline reports on the Internet and keep millions of
computerized tax, voter registration and driving records.

Most states, including Michigan, suffered little damage from the
attack. But risks remain.

Compounding the problem is the relatively little that states spend to
protect those systems from hackers and other threats.

James Krouse, manager of state and local analysis for the information
technology research firm INPUT in Reston, Va., estimates states spend
about $1.9 billion a year on such security, about 4 percent of their
IT budgets. The federal government spends about 7 percent.

The private sector does even better, spending nearly 9 percent of its
$700 billion-plus IT budgets on security, according to Natalie
Lambert, security analyst with Forrester Research in Cambridge, Mass.  
That ranges from a low of just over 7 percent in retail and wholesale
trade to a high of more than 10 percent in business services.

Chris Dixon, issues coordinator for the National Association of State
Chief Information Officers, says some states spend as little as 1
percent of their IT budgets on security. State IT directors often find
security needs aren't considered as critical as taking care of the
poor or paying for schools when budgets are approved.

He noted, though, that most states are beginning to see the need to
spend more.

"Cybersecurity is just now getting the attention it's due," Dixon

Ann Garrett, North Carolina's chief information security officer, said
protecting data is critical because states hold so much confidential

To find their way into a state's computer database, all people have to
do is register a boat or motor vehicle, receive an unemployment or
welfare check, apply for an occupational license, pay state taxes, get
state-paid health benefits or buy a fishing license, among many other

"I take very seriously that we as the government force people to give
up information," Garrett said. "We've got to take that responsibility
to guard it seriously."

Michigan, which controls 55,000 desktop computers and 2,300 servers,
fends off nearly 22,000 attempted e-mail virus attacks each day, as
well as 35,000 tries to break into state computers and 4,000 attempts
to deface government Web sites. The state blocks about half the 4.8
million e-mails that arrive each month to keep out spam.

As the winner of the National Association of State Chief Information
Officers' top security award for the past two years, Michigan is
considered a leader among states fighting to protect sensitive
information and educate tens of thousands of state employees about the
dangers of viruses and spyware.

But Dan Lohrmann, Michigan's chief information security officer and a
former National Security Agency network systems analyst, said getting
the money to protect state computer systems and data isn't easy.

Ask most citizens if they'd prefer states to spend money in already
tight budgets on schools and roads or computer security, and the
latter generally will lose out, Lohrmann said.

"It's just tough at a time of budget cuts," he said.

Tom Jarrett, NASCIO president and chief information officer for the
state of Delaware, told a U.S. Senate subcommittee last month that not
having enough protection can lead to disaster.

"New threats appear almost daily and they can, in a matter of seconds,
render services we've all come to depend upon, like e-mail and Web
browsing, completely unusable," Jarrett told the subcommittee. "In the
worst case scenario, without proper protection and due diligence, an
attack could potentially cripple or completely shut down an entire
state government."

Lohrmann has been able to use federal homeland security money to beef
up protection for Michigan's computer system. The money has helped buy
backup generators to run computers if a blackout hits and to put
protections in place the state otherwise couldn't afford.

"A big part of this becomes how do you protect your data centers," he

Larry Kettlewell, Kansas' chief information security officer, said
states are growing increasingly sophisticated about handling threats
to their computer systems. But he agrees most state CISOs would like
to have more money to deal with the rising barrage of worms and

"Until a whole network gets taken down for a week, 10 days ... it's
not going to make a difference," Kettlewell said. "That's when people
will wake up."


On the Net: 

National Association of State Chief Information Officers: 