Government Technology

    Digital Communities
    Industry Members

  • Click sponsor logos for whitepapers, case studies, and best practices.
  • McAfee

Insecurity Complex


October 28, 2003 By

In the last week of July, Kentucky newspapers spilled plenty of ink detailing exploits of French hackers who turned a server from the state's Transportation Cabinet into their personal file-sharing tool. The group used a proxy server to store and distribute a slew of pirated movies, TV shows, music, computer games and copyrighted medical textbooks.

As if that wasn't enough the state auditor said computer logs showed some employees had visited pornographic Web sites or viewed pornographic images on Transportation Cabinet machines. Finally 33 routers and switches used by the Cabinet were running without password protection, and the state auditor said malicious hackers used these open doors to enter the Cabinet's network and install software tools to ferret out system administrator passwords.

Kentucky's situation may have been extreme, but officials there weren't alone in coping with information security issues. It was not a pleasant summer for a lot of CIOs. A host of worms plagued state and local government IT systems, paralyzing networks and forcing some state agencies to temporarily close their offices.

The events gave policy-makers and IT professionals ample reason to reconsider the importance of security policies and enforcement issues.

Although recent events help underscore the danger, one problem with information security is its vagueness. It's difficult to convince lawmakers to approve significant spending on security when nothing is going wrong. Allocating money for information security means those dollars won't be spent elsewhere, and absent a visible crisis, lawmakers will likely choose the path of least resistance.

Besides securing their computing infrastructure, states must deal with the human side of security. Where should acceptable-use policies originate? Who should enforce those policies? How much latitude should there be?

Not Out of Mind

In Kentucky, CIO Aldona Valicenti weathered a storm over the state's well publicized security nightmares, and the hullabaloo over the unfortunate situation is enlightening on many fronts.

At the end of July, Kentucky's auditor of public accounts sent out a press pack airing the Transportation Cabinet's dirty laundry.

The press pack contained a letter to the secretary of the Transportation Cabinet detailing that French hackers had been distributing pirated material and hosting a chat room on the Transportation Cabinet's servers since early April 2003.

Local newspapers reported later that cyber-attackers from two other countries, Croatia and Canada, also joined in the fun.

The auditor's office also said it had "documented evidence that approximately 30 Transportation Cabinet computers were used 6,000 times within a four-day period to browse pornographic Web sites, images or other materials."

The auditor's press release also blamed the Governor's Office for Technology (GOT) -- led by Valicenti -- and accused the Transportation Cabinet and the GOT of being "asleep at the switch while state computers have been used for illegal purposes."

The spar made for juicy headlines, and though problems in government are sometimes sensationalized out of proportion, there appears to be a fire behind all the smoke. In August, Valicenti confirmed that the FBI seized 11 PCs from the Transportation Cabinet for investigation of potential child pornography.

"For three years," said the auditor in the release, "I have been warning those who manage state systems to make computer security job one."

Cynics may have dismissed the auditor's tactics as an attempt to politicize a nonpolitical issue, but certainly something went wrong in the Transportation Cabinet. Perhaps unfair is that the auditor's attack glued two entirely different security issues -- violations of acceptable-use policies and network infrastructure security -- into one supersecurity problem.

Shooting the Messenger

The GOT is indeed the agency responsible for promulgating a statewide information security policy, and its new Enterprise Network Security Architecture Policy took effect in January 2003.


| More

Comments

Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
Digital Cities & Counties Survey: Best Practices Quick Reference Guide
This Best Practices Quick Reference Guide is a compilation of examples from the 2013 Digital Cities and Counties Surveys showcasing the innovative ways local governments are using technological tools to respond to the needs of their communities. It is our hope that by calling attention to just a few examples from cities and counties of all sizes, we will encourage further collaboration and spark additional creativity in local government service delivery.
Wireless Reporting Takes Pain (& Wait) out of Voting
In Michigan and Minnesota counties, wireless voting via the AT&T network has brought speed, efficiency and accuracy to elections - another illustration of how mobility and machine-to-machine (M2M) technology help governments to bring superior services and communication to constituents.
Why Would a City Proclaim Their Data “Open by Default?”
The City of Palo Alto, California, a 2013 Center for Digital Government Digital City Survey winner, has officially proclaimed “open” to be the default setting for all city data. Are they courageous or crazy?
View All