In October, just 36 hours after the District of Columbia announced its intention to let the public experiment with online voting, someone broke into the software application used for casting votes. The “hackers” were in fact computer scientists from the University of Michigan, who found and exploited a way to gain almost complete control of the online voting program. At first glance, the incident seemed simple and harmless: D.C.’s election officials heard Michigan’s college fight song when loading the site.
What they didn’t know was that the hackers also had the names, addresses and PINs of all the test voters, and they could change votes and reveal voters’ secret ballots, according to professor J. Alex Halderman, who led the attack to expose the system’s security flaws. Nor was the University of Michigan the only outside party probing the city’s online voting application. Halderman found evidence that hackers from Iran and China also had attacked the system.
While the exercise achieved its goal of exposing the system’s weaknesses, it was something of a setback for online voting overall, and a reminder of the vulnerabilities that exist in public-sector IT. The exercise also exposed the difficulty in providing security to the extensive network of computers, data and software programs that are integral to state and local government today.
For those who don’t have a deep knowledge of computers and computing, that level of difficulty can be hard to comprehend. Just look at what has happened with the Web. “For all of its user-friendly allure, the Internet can also be a dangerous place with electronic pipelines that run directly into everything from personal bank accounts to key infrastructure to government and industrial secrets,” said Sen. Joe Lieberman, chairman of the Homeland Security and Governmental Affairs Committee, when he introduced a bill last June aimed at giving the federal government greater control over the Internet in times of an emergency. “Our economic security, national security and public safety are now all at risk from new kinds of enemies -- cyber-warriors, cyber-spies, cyber-terrorists and cyber-criminals.”
At the beginning of the new millennium, most government computer systems still ran on dedicated networks that were relatively easy to protect. Not so today. The highly decentralized -- and open -- Internet has penetrated just about every aspect of government computing. Add mobile computing, which has created even more access points, and you have a recipe for disaster. “What constitutes a cyber-security threat has changed from simply protecting a network from hackers to protecting information, systems and citizens,” says Mark Weatherford, vice president and chief security officer for the North American Electric Reliability Corp.
As technology has changed, so too has the focus on securing it. What was once very concrete in terms of protection has become far more nebulous as new forms of access open the door to a wide variety of vulnerabilities and threats, according to Weatherford, the former chief information security officer (CISO) of California and Colorado.
As a result, public officials are under growing pressure to increase funding for cyber-security, change the governance of state and local operations to make them less vulnerable, improve worker training to reduce errors that lead to data breaches and find better-qualified cyber-security officers in a highly competitive market.
The Weakest Link in Cyber-Security
In 2008, a Privacy Rights Clearinghouse report showed that data breaches in state government had exposed the personal information of 3.8 million people. The roster of state agencies that had compromised their data security read like a laundry list for virtually every type of service provided at the state level, from welfare and revenue to motor vehicles and public safety. Despite the fact that nearly every state now has both an enterprise CIO and CISO, government at the state level remains riddled with fiefdoms when it comes to computer systems, networks and software programs that remain unconsolidated for various reasons. The ongoing legacy of maintaining separate computer systems in individual agencies makes the cyber-security job even harder.
Just ask Kansas CISO Larry Kettlewell, who oversees security for the state, which spends more than $300 million annually on IT. But Kansas’ IT networks and systems are not consolidated. The federated model of governance remains in place in Topeka, as it does in other state capitals. The major state departments continue to run their own computers using their own IT personnel. That leaves Kettlewell with the arduous task of securing everything from the networks down to the desktop PCs and mobile laptops -- without any overall control. “My job is really a super-coordinator and salesman for the network,” he says.
Even as the lack of security control over the state’s separate computer systems keeps Kettlewell awake at night, more troubling are “the thousand points of failure” that he and other CISOs must contend with daily as government workers log on, open an e-mail and decide to click on an attachment that may contain some form of malware -- the insidious software code that when launched can cause mischief, or worse, major damage to computer systems.
Governance, which is one of the top five issues listed in a recent cyber-security survey, State Governments at Risk: A Call to Secure Citizen Data and Inspire Public Trust, published by the National Association of State Chief Information Officers (NASCIO) and consulting firm Deloitte, can aid in thwarting the spread of data breaches. So too can proper training of employees, or as NASCIO calls it, “creating a cyber-mindset.”
“Our biggest weak link is the employee,” says South Dakota CIO Otto Doll. The problem isn’t with the growth rate in attacks (the quantity of external threats is down, he says), but with the quality of the attempts. According to Doll, hackers have sent fake tech-support messages to workers, attempting to get them to click on attachments or links that could launch attacks against the state’s computers.
The “bad guys,” as Doll calls the hackers and data thieves, continue to upgrade their skills and stay innovative in their attempts at attacking government computer systems. They often go after the weakest link in the chain: the state worker. To fight back, state and local cyber-security and information officers have stepped up their education efforts as part of what Weatherford calls “raising users’ IQ.” For the most part, they focus on simple but effective ways to avoid breaches: Don’t put a USB thumb drive into the port of a government laptop; don’t click on an e-mail link or attachment no matter how compelling it might sound.
But these tactical ways of combating security breaches only go so far. State and local governments need highly skilled cyber-security workers and CISOs, but they increasingly can’t afford to hire them -- or even find them. Demand is outstripping supply.
The Growth of the Cyber-Security Industry
Cyber-security has become a huge growth business in the federal government and private sector. Writing in The New Yorker, investigative reporter Seymour M. Hersh explained how a new “military cyber-complex” has been created in recent years, with the federal government spending between $6 billion and $7 billion annually on unclassified cyber-security work, and an equal amount on classified protection. In addition, the U.S. Department of Homeland Security (DHS) plans to hire more than 1,000 cyber-security staffers in the next three years, according to Hersh.
With the private-sector cyber-security industry also beefing up its personnel, state and local governments are left with limited options when finding qualified security workers. There just aren’t enough good workers at mid to senior levels in government cyber-security programs, according to Weatherford. Yet he urges states to try and hire the best, because the need for good skills has become critical to success.
This gets to the most fundamental problem that states and localities face when it comes to cyber-security: the lack of adequate funding. The NASCIO-Deloitte survey found that 88 percent of state CISOs consider lack of sufficient funding the greatest barrier to information security. In addition to the need to pay more for better-quality staff, the cost of keeping computer systems and networks up to date against the latest cyber-security threats continues to rise. Good security requires a constant “refresh” of technology to stay one step ahead in the cat-and-mouse game with hackers, thieves and foreign entities. But there aren’t many state governments that can afford to do that on an optimal basis.
Along with the growing reliance on the open Internet to serve constituents and the increased use of mobile technology, which presents new points of security failure, states are expanding their digital presence in areas that didn’t exist before. South Dakota now accepts a variety of credit card payments, all of which have added security requirements, and as a result, driven up the cost of business. Unfortunately, the gap between what state IT chiefs want to spend on security and what they can is large and growing.
Cyber-Warfare: A Looming Threat?
In June, a cyber-security firm based in Belarus, a small country on the border of Russia, identified a new cyber-threat -- a worm with the geeky name Stuxnet that attacked a certain type of industrial computer. What was so alarming about the incident was that it went after computers used in the Iranian nuclear program, and then spread to other types of industrial computing software programs used to manage oil pipelines and electrical grids in China, India and Indonesia. No one is sure who launched the attack, although some speculate that Israel may have been behind it, given its impact on Iran.
The potential for cyber-warfare remains unclear, and the American intelligence community disagrees on how to defend against it, making the topic hard to gauge in terms of an actual war breaking out. But it’s clear that external threats could cripple critical infrastructure and disrupt key data systems in states and cities, as well as in the federal government, making cooperation and coordination between different levels of government more important than ever. According to NASCIO, a growing number of states are seeking cyber-support in the form of grants from the DHS, as well as looking for other ways to partner with federal agencies and through state partnerships, such as the Multi-State Information Sharing and Analysis Center.
Howard Schmidt, appointed by the Barack Obama administration to oversee cyber-security initiatives within the DHS, told The New Yorker that he supports mandated encryption for the nation’s power and electrical infrastructure. Some people, including the head of the National Security Agency, would like to see a much broader use of this solution, which would mean the federal government could compel corporations and individuals to install the most up-to-date protection tools.
That might seem extreme to some people. But as South Dakota’s Doll points out, “Right now, it’s not a crime to have no security on a PC.” The result, of course, is a lack of consequence and accountability if someone’s PC becomes a “zombie” computer, taken over by a person or entity so it spews out malware and worms that infect and destabilize computer systems that serve the public. “In the future, that may have to change,” Doll says. “We may have to rethink that level of freedom.”