States to Escalate Computer Security and Data Backup
Those Without a Security Chief Will Hire One<@VM>Looking Forward
- By William Welsh
- Oct 04, 2001
Investigators comb the crash site of Sept. 11 of a hijacked United Airlines jet near Shanksville, Pa. The state's IT infrastructure was put under increased physical security as a result.
When hijacked jetliners crashed into the World Trade Center and the Pentagon Sept. 11, state technology officers on the East Coast moved quickly to secure data centers and technology office operations.
Virginia Secretary of Technology Don Upson said he "locked down" state technology offices in Richmond and data centers throughout the state, and gave instructions to allow building access to essential personnel only.
In Pennsylvania, where a hijacked jetliner crashed in a rural southwestern part of the state, officials did not evoke statewide emergency plans but increased the physical security of the IT infrastructure, said Charles Gerhards, Pennsylvania's chief information officer and deputy secretary for information technology.
Gerhards declined to disclose all the precautions taken in the aftermath of the event, but said state technology officials closely monitored entry points into the state's network.
"We perceived a threat," he said.
North Carolina responded to the attacks with partial activation of its emergency management plans to guard against further acts of terrorism, said North Carolina CIO Ron Hawley.
Meanwhile, New Jersey closely monitored its network and telephone lines to see how they were responding throughout the day, said state CIO Wendy Rayner. To alleviate pressure on the network, state employees were told to limit their use to critical business.
Many businesses that were in the World Trade Center also have offices in New Jersey, so state officials activated emergency response plans for human services and labor to provide recovery assistance to them, Rayner said.
Lessons learned from the attacks suggest that states now will expand backup systems and beef up staff specializing in Internet and network security. The focus on security "will escalate in all states," said George Boersman, Michigan's CIO and chairman of the National Association of State Chief Information Officers' Security and Reliability Team.
This means states that don't already have one will hire chief security officers, and they will create security divisions, he said.
Most state officials interviewed for this article said their emergency preparedness plans for IT infrastructures were an outgrowth of year 2000 plans. Such plans should serve as "a living document" for state technology offices, Gerhards said.
New Jersey's IT emergency plans are based on updated Y2K plans that are refreshed on a routine basis, Rayner said.
Planning for Y2K also made the states come to grips with how they would continue operations with partial or complete loss of data or network operations, said David Lewis, Massachusetts' CIO and IT division director. As a result of the attacks, "everyone will be updating" their Y2K plans, which are now two years old, he said.
But North Carolina's Hawley balked at having his state's emergency preparedness plans described as an outgrowth of Y2K. Although the state's Y2K plan served as a foundation for network and infrastructure security, it is neither the mainstay of its current plan nor what the state used Sept. 11.
"It would be misleading to say we used [the Y2K plan] or revamped it," he said. Instead, North Carolina's emergency management plans are a product of collaboration between the state Office for Technology and the Information Technology Management Advisory Council, a private-sector advisory group, Hawley said.
New Jersey's Rayner said she plans to see if the backup for the state's network is secure, and will look at the cost of additional backup measures and systems.
Massachusetts will review its IT infrastructure to ensure redundancy and continuous availability, paying particular attention to backing up its more critical systems, Lewis said. This marks a significant departure from how things have been done in the past, where state officials focused primarily on recovering those systems in the case of a local disaster, he said.
"People will look at things from a redundancy viewpoint," he said. "They will ask, 'What are the things that I have to have the most?' " Among the more critical systems in this regard include financial, health and human services and public safety systems, he said.
Even before the attacks, state technology offices were expanding their security resources to defend against daily attempts to corrupt or breach their systems.
Not a day goes by that North Carolina's IT network is not attacked by the worm or the virus of the day or a hacker taking a joy ride over the Internet, Hawley said.
"Some sort of denial-of-service attack happens every day, and that is a now just a routine part of the business that we are in, and [it is the reason] we have incident response plans," he said.
William Welsh is a freelance writer covering IT and defense technology.