Fear factor

More than 300,000 Nebraskans worried that their personal information had been compromised in June after a computer hacker infiltrated the state treasurer's child-support payment system.More than 26 million veterans in May had cause to worry about the safety of their personal information. It was then that a notebook PC containing their Social Security numbers and birthdays was stolen from the home of a Veterans Affairs Department employee, who had flouted VA regulations in bringing the PC home.Ohio University revealed in May that servers in its technology transfer and alumni relations departments, as well as its health center, had been compromised for at least a year, exposing sensitive information on nearly 200,000 students, alumni and university employees.State governments that began ramping up IT security in the wake of Sept. 11, 2001, are redoubling their efforts in response to the numerous hacking and breaching incidents over the last year, industry and government officials said.The proliferation and easy availability on the Web of illegal hacking tools has put the onus on state governments to do more to protect the personal information of its citizens and employees, they said.Routine IT security work is done as part of larger systems implementations, but now states are hiring companies that specialize in IT security to do risk assessments and penetration testing on state IT systems. By assessing their infrastructures, states create a foundation of knowledge on which to build additional security improvements.IT security includes a broad range of technologies and techniques, from external network protection such as firewalls and intrusion detection and prevention systems, to passwords and fingerprint scan logons. The goal of IT security remains keeping information in the hands of those authorized to have it and away from those who are not.IT security is most effectively tackled at the point of systems implementation. States are commissioning independent tests to ensure the effectiveness of IT security on vendor-installed systems and that they comply with newly enacted privacy laws, industry officials said. If the systems don't meet a state's expectations, it can hire another vendor to strengthen security."Even three years ago, the budgets, the compliance requirements weren't there at all," said Doug Howard, chief operating officer for Counterpane Internet Security Inc., Mountain View, Calif. "All of a sudden, you had the recognition that tens of thousands, even millions of people's personal information was getting out."States were quick to enact laws to help prevent such exposure. IT departments must comply with those laws, Howard said.In February 2005, databases belonging to ChoicePoint Inc., an information collection company in Alpharetta, Ga., were hacked, and records on 145,000 people were accessed. The incident created an uproar when ChoicePoint notified only the 35,000 California residents whose data was endangered, said George Schu, vice president of business development for VeriSign Inc., Mountain View, Calif. California was the only state with a law protecting the privacy of such personal information. Since then, at least 31 other states have enacted such legislation, according to data from the National Conference of State Legislatures in Denver.Privacy legislation and the need to meet new regulations are driving new IT security work, industry officials said."It started with the ChoicePoint disclosure, and now it's across the board: federal, state and local, health care and education," said John Lainhart, a partner in IBM Corp.'s security, privacy and wireless business consulting services.State IT officials have struggled in recent years to justify the need for security tools. Without an in-state incident, it can be hard to demonstrate the threat of identity theft and the risks that lax use of security tools and procedures create for state networks, said Tom Jarrett, Delaware CIO and a past president of the National Association of State Chief Information Officers."You have to try to make a business case in English for something that, in a lot of ways, is very technical," he said.The difficulty of doing that has left states with varying degrees of protection, and some state information systems are left completely unprotected, Jarrett said.But the visibility of numerous, recent security breaches is helping to turn the tide, and state legislatures are budgeting larger sums of money to work on their IT security, Counterpane's Howard said."They don't always know exactly what they need to do or how they need to do it, but they're budgeting larger sums to get something in place," he said.States are hiring companies such as Counterpane; SunGard Data Systems Inc., Wayne, Pa.; Symantec Corp., Cupertino, Calif.; and VeriSign, along with large systems integrators such as IBM to do risk assessments and penetration testing on state IT systems.Microsoft Corp. and other companies are providing states with data to help persuade politicians to fund IT security.By assessing their infrastructures, states create a foundation of knowledge on which to plan improvements, industry officials said.Follow-on work also can be a boon to companies; 30 percent of Counterpane's annual revenue comes from sales to existing customers, Howard said.Risk assessment work can cost a state as little as $50,000, and monitoring can cost as little as $20,000. But by adding new and more complex systems, costs can quickly soar into the millions. No industry officials would discuss prices for high-end implementations or for specific examples of their work with states.Because so many new IT security systems implementations are embedded in larger systems contracts, it is difficult to determine the size of the state and local market for IT security, said James Krouse, acting director of public sector market analysis for market research firm Input Inc., Reston, Va.Input, which tracks federal spending on IT security, projects it to grow at a compound annual growth rate of 4.3 percent from $5.1 billion in fiscal 2006 to $6.3 billion in fiscal 2011, Krouse said. State figures likely would be similar, he said.But increased security funding from states is not enough, Jarrett said. More aid also is needed from the Homeland Security Department to protect state information networks from hackers in Asia and Eastern Europe as well as the large domestic population of malicious hackers, he said."All the funding seems to be directed toward stuff, the old 'boots and suits,' " Jarrett said. "That's not a bad thing, but people aren't paying enough attention to the network security issues."A failure to focus adequately on information security is serious cause for concern, Input's Krouse said."The next major terrorist attack could very well be cyber in nature, and not just hacking some state's Medicaid system, I'm talking about taking down a power grid," Krouse said. "You don't have to be within the confines of the 50 states to do it."Staff Writer Ethan Butterfield can be reached at ebutterfield@postnewsweektech.com.