Bad news travels fast
<FONT SIZE=2>On May 16, South Carolina Chief Information Security Officer Jim MacDougall discovered that the state's servers were being scanned for vulnerabilities by a hacker in Beijing. After informing Matt DeZee, the state chief information officer, MacDougall blocked out a range of Internet protocol addresses, including the ones scanning the system.</FONT>
On May 16, South Carolina Chief Information Security Officer Jim MacDougall discovered that the state's servers were being scanned for vulnerabilities by a hacker in Beijing. After informing Matt DeZee, the state chief information officer, MacDougall blocked out a range of Internet protocol addresses, including the ones scanning the system.
When DeZee related the story to fellow CIOs at a breakfast meeting in Washington the following week, three other CIOs said their servers also had been scanned by someone in China.
The incidents suggested that there was an orchestrated attack, DeZee said. "Unless we had that breakfast, we wouldn't have known that," he said.
This may soon change. The National Association of State Chief Information Officers signed an agreement with the National Infrastructure Protection Center July 25 to begin receiving sensitive alerts from the federal government. The NIPC, located at FBI headquarters in Washington, is the national focal point for gathering information on threats to critical infrastructures.
State data centers are hit by several hundred attempted scans each week, and more than half of them originate from outside of the United States, said DeZee, who heads the security and reliability team for Lexington, Ky.-based NASCIO. A hacker generally scans a system to assess vulnerabilities for the purpose of entering and masquerading as a legitimate user. The hacker scans various ports that allow entry into a system, seeking active ports that are easy to enter, DeZee said.
For states to receive the alerts, they must sign an agreement stating they will take full responsibility for distributing the alerts appropriately through their enterprise, including to data centers and other IT systems, NASCIO said.
"In the past, the NIPC sent the threat information to law enforcement, but it wasn't coming to those that protect the systems," DeZee said.
Gregg Kreizman, public-sector research director for the market research firm Gartner Dataquest of Stamford, Conn., said it is now routine for state government to make security part of enterprise architectures and to include security in the state governance structure. This assures that new applications meet established security controls and fit into established security strategies.
This is not as easy as it sounds, though. "These things are very hard to pull off in state governments because of dispersed or fractured IT governance, Kreizman said.
State technology officials know they must do more than send and receive alerts. Consequently, they also are shopping for managed security services, such as management and monitoring of firewalls, intrusion detection systems and anti-virus software to protect IT systems.
States have large networks with lots of Internet address space and servers that house highly sensitive financial and medical information. These systems are at high risk for cyberattack, said Peter Horst, senior vice president of strategy and marketing for TruSecure Inc. of Herndon, Va. As a result, the company is seeing an increasing demand at the state government level for managed security services, he said.
PWC Consulting is seeing the same trend, said John Lainhart, a partner and head of the company's information assurance practice. "All 50 states will be looking for help, to some degree, from outside contractors," he said.
As cyberthreats increase in frequency and type, it is becoming more difficult for states to counter them with in-house resources, said Glenn Taylor, director of state and local government and academic programs for Symantec Inc., Cuppertino, Calif.
Don Heiman, a former Kansas CIO and author of a post-Sept. 11 report on public-sector information security published by NASCIO with a grant from PWC's Endowment for the Business of Government, said the public sector needs solutions that are both offensive and defensive in nature. What's more, states need policies and agreements in place that enable them to go after state-sponsored, as well as individual, hackers.
"We need to know who is coming at us," Heiman said. "We need to be aggressive. It's not good enough to be defensive."
So if a state or local government is attacked deep inside its IT infrastructure, it must have the capability to quarantine the hack, trace it back to its source through multiple systems in real time and have an enforcement mechanism in place that allows it to respond quickly to the matter, he said.
Whether states will have sufficient resources to fund cybersecurity efforts is still in doubt. DeZee said savvy state CIOs will establish IT initiatives that will produce savings for their states. For example, a state CIO might consolidate state data centers, data warehouses and other resources, he said. Those savings then can be funneled into cybersecurity, he said.
"You can't count on [state] revenue," DeZee said.
NEXT STORY: Opportunity knocking: Contracts