Staying Ahead of Hackers
Somewhere out there, as all government techies know, lurk bad guys itching to inflict mayhem on government computer systems. State and local governments taking a proactive approach are on the prowl themselves, racing to find vulnerabilities in their own systems before the system crackers do.
Maricopa County, Arizona, developed a software tool for scanning the county's internal computer network for system vulnerabilities. It's called ASSET, or Automated Security Scanning Enforcement Tool. Although the county has a decentralized network of agency computer systems and more than 40 Internet servers, this tool manages security for all of them in a centralized way. Launched in June, the software pretty much runs constantly, essentially simulating an attack.
As soon as ASSET finds a vulnerability, it notifies IT staffers. "You almost have to become your own hacker," says network manager Tom Crosby. "We know everyone else is going to try. We might as well have someone internally do the same thing."
North Carolina also has an intrusion-and-detection system running on an enterprise-wide level. It's cheaper than doing it agency by agency and provides more security since, while the agency people go home at 5 p.m., the information technology services agency watches and monitors 24 hours a day, says State Auditor Ralph Campbell Jr.
Since the September 11 attacks, the security of computer networks has become a major concern of governments. That has not necessarily translated into tighter security. "After 9-11, there was a lot more lip service, not a lot of action," says Zot O'Connor, president and CEO of White Knight Hackers, an Internet security firm. "I've been in a lot of meetings with city governments. When budget meetings come up, all of a sudden they view it as a cost," in the sense that it's cuttable in lean budgetary times and not a mandatory expense. "If you view security as a cost, you shouldn't be out there on the Net. If you looked at insurance as a cost, nobody would buy it." Governments and companies are equally vulnerable, O'Connor says. The only sites that are really "tight" in terms of security are those in private industry that took it seriously from the start, such as banking institutions.
Cybersecurity is one area in which governments need to follow best business practices, O'Connor says. That means applying all recommended software patches to systems, keeping antivirus tools updated, encrypting information, designing networks with security in mind, and testing for weaknesses. "People in government have to follow some of the basic, basic, basic rules," O'Connor says.
Although the September 11 attacks raised fears of cyberterrorism from outside, most of the security breaches come from inside organizations. Governments should be more worried about disgruntled employees than about terrorists, experts agree, since insiders are more likely to be able to do something far more damaging. "Someone from the outside will only do it by accident," O'Connor says. "The insider knows and understands the business flow."
Many systems remain exposed. The U.S. General Accounting Office found that more than 4,000 District of Columbia government computers had access to software that could bypass security controls that were guarding systems containing finance, payroll, personnel and taxpayer data. (On the federal side, the GAO gave executive agencies an "F" grade overall on a computer security report card.)
THE PASSWORD BARRIER
What is there to do now? Many steps can be taken. The No. 1 protection for governments is good network design, O'Connor says. It's also important to have security policies and procedures in place. Formalizing statements as simple as "this computer system is for authorized users only" can help. Without policies, it's difficult to fire people or assist law enforcement in arresting them for breaches.
Campbell in North Carolina stresses the importance of "very good" password policies so users don't use ridiculously obvious ones. And he agrees that security patches have to be applied as soon as they are available. North Carolina has done preliminary vulnerability tests of its systems and is doing more comprehensive tests now. As part of state anti-terrorism legislation, additional funding has been provided for information security.
While system-vulnerability testing is done in many states, only a few have passed laws that explicitly keep the findings from the public eye. Both North Carolina and Rhode Island enacted legislation classifying the reports generated from security testing. Legislators in Rhode Island faced protests from the American Civil Liberties Union, but the auditor general's office, which was given the authority to do the vulnerability testing, prevailed. "If we made them public," says Auditor General Ernest Altamonte, "it would be a roadmap for a hacker to get into systems."