October 28, 2003 By Shane Peterson
As if that wasn't enough, the state auditor said computer logs showed some employees had visited pornographic Web sites or viewed pornographic images on Transportation Cabinet machines. Finally, 33 routers and switches used by the Cabinet were running without password protection, and the state auditor said malicious hackers used these open doors to enter the Cabinet's network and install software tools to ferret out system administrator passwords.
Kentucky's situation may have been extreme, but officials there weren't alone in coping with information security issues. It was not a pleasant summer for a lot of CIOs. A host of worms plagued state and local government IT systems, paralyzing networks and forcing some state agencies to temporarily close their offices.
The events gave policy-makers and IT professionals ample reason to reconsider the importance of security policies and enforcement issues.
Although recent events help underscore the danger, one problem with information security is its vagueness. It's difficult to convince lawmakers to approve significant spending on security when nothing is going wrong. Allocating money for information security means those dollars won't be spent elsewhere, and absent a visible crisis, lawmakers will likely choose the path of least resistance.
Besides securing their computing infrastructure, states must deal with the human side of security. Where should acceptable-use policies originate? Who should enforce those policies? How much latitude should there be?
Not Out of Mind
In Kentucky, CIO Aldona Valicenti weathered a storm over the state's well-publicized security nightmares, and the hullabaloo over the unfortunate situation is enlightening on many fronts.
At the end of July, Kentucky's auditor of public accounts sent out a press pack airing the Transportation Cabinet's dirty laundry.
The press pack contained a letter to the secretary of the Transportation Cabinet detailing that French hackers had been distributing pirated material and hosting a chat room on the Transportation Cabinet's servers since early April 2003.
Local newspapers reported later that cyber-attackers from two other countries, Croatia and Canada, also joined in the fun.
The auditor's office also said it had "documented evidence that approximately 30 Transportation Cabinet computers were used 6,000 times within a four-day period to browse pornographic Web sites, images or other materials."
The auditor's press release also blamed the Governor's Office for Technology (GOT) -- led by Valicenti -- and accused the Transportation Cabinet and the GOT of being "asleep at the switch while state computers have been used for illegal purposes."
The spat made for juicy headlines, and though problems in government are sometimes sensationalized out of proportion, there appears to be a fire behind all the smoke. In August, Valicenti confirmed that the FBI seized 11 PCs from the Transportation Cabinet for investigation of potential child pornography.
"For three years," said the auditor in the release, "I have been warning those who manage state systems to make computer security job one."
Cynics may have dismissed the auditor's tactics as an attempt to politicize a nonpolitical issue, but certainly something went wrong in the Transportation Cabinet. Perhaps unfairly, the auditor's attack glued two entirely different security issues -- violations of acceptable-use policies and network infrastructure security -- into one supersecurity problem.
Shooting the Messenger
The GOT is indeed the agency responsible for promulgating a statewide information security policy, and its new Enterprise Network Security Architecture Policy took effect in January 2003.