Government Technology

Insecurity Complex

October 28, 2003 By

In the last week of July, Kentucky newspapers spilled plenty of ink detailing exploits of French hackers who turned a server from the state's Transportation Cabinet into their personal file-sharing tool. The group used a proxy server to store and distribute a slew of pirated movies, TV shows, music, computer games and copyrighted medical textbooks.

As if that wasn't enough the state auditor said computer logs showed some employees had visited pornographic Web sites or viewed pornographic images on Transportation Cabinet machines. Finally 33 routers and switches used by the Cabinet were running without password protection, and the state auditor said malicious hackers used these open doors to enter the Cabinet's network and install software tools to ferret out system administrator passwords.

Kentucky's situation may have been extreme, but officials there weren't alone in coping with information security issues. It was not a pleasant summer for a lot of CIOs. A host of worms plagued state and local government IT systems, paralyzing networks and forcing some state agencies to temporarily close their offices.

The events gave policy-makers and IT professionals ample reason to reconsider the importance of security policies and enforcement issues.

Although recent events help underscore the danger, one problem with information security is its vagueness. It's difficult to convince lawmakers to approve significant spending on security when nothing is going wrong. Allocating money for information security means those dollars won't be spent elsewhere, and absent a visible crisis, lawmakers will likely choose the path of least resistance.

Besides securing their computing infrastructure, states must deal with the human side of security. Where should acceptable-use policies originate? Who should enforce those policies? How much latitude should there be?

Not Out of Mind

In Kentucky, CIO Aldona Valicenti weathered a storm over the state's well publicized security nightmares, and the hullabaloo over the unfortunate situation is enlightening on many fronts.

At the end of July, Kentucky's auditor of public accounts sent out a press pack airing the Transportation Cabinet's dirty laundry.

The press pack contained a letter to the secretary of the Transportation Cabinet detailing that French hackers had been distributing pirated material and hosting a chat room on the Transportation Cabinet's servers since early April 2003.

Local newspapers reported later that cyber-attackers from two other countries, Croatia and Canada, also joined in the fun.

The auditor's office also said it had "documented evidence that approximately 30 Transportation Cabinet computers were used 6,000 times within a four-day period to browse pornographic Web sites, images or other materials."

The auditor's press release also blamed the Governor's Office for Technology (GOT) -- led by Valicenti -- and accused the Transportation Cabinet and the GOT of being "asleep at the switch while state computers have been used for illegal purposes."

The spar made for juicy headlines, and though problems in government are sometimes sensationalized out of proportion, there appears to be a fire behind all the smoke. In August, Valicenti confirmed that the FBI seized 11 PCs from the Transportation Cabinet for investigation of potential child pornography.

"For three years," said the auditor in the release, "I have been warning those who manage state systems to make computer security job one."

Cynics may have dismissed the auditor's tactics as an attempt to politicize a nonpolitical issue, but certainly something went wrong in the Transportation Cabinet. Perhaps unfair is that the auditor's attack glued two entirely different security issues -- violations of acceptable-use policies and network infrastructure security -- into one supersecurity problem.

Shooting the Messenger

The GOT is indeed the agency responsible for promulgating a statewide information security policy, and its new Enterprise Network Security Architecture Policy took effect in January 2003.

| More


Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
McAfee Enterprise Security Manager and Threat Intelligence Exchange
As a part of the Intel® Security product offering, McAfee® Enterprise Security Manager and McAfee Threat Intelligence Exchange work together to provide organizations with exactly what they need to fight advanced threats. You get the situational awareness, actionable intelligence, and instantaneous speed to immediately identify, respond to, and proactively neutralize threats in just milliseconds.
Better security. Better government.
Powering security at all levels of government with simpler, more connected IT.
Cybersecurity in an "All-IP World" Are You Prepared?
In a recent survey conducted by Public CIO, over 125 respondents shared how they protect their environments from cyber threats and the challenges they see in an all-IP world. Read how your cybersecurity strategies and attitudes compare with your peers.
View All

Featured Papers