December 10, 2012 By Wayne Hanson
This report is based on the activities of the Digital Communities program, a network of public- and private-sector IT professionals who are working to improve local governments’ delivery of public service through the use of digital technology. The program — a partnership between Government Technology and e.Republic’s Center for Digital Government — consists of task forces that meet online and in person to exchange information on important issues facing local government IT professionals.
More than 1,000 government and industry members participate in Digital Communities task forces focused on digital infrastructure, law enforcement and big city/county leadership. The Digital Communities program also conducts the annual Digital Cities and Digital Counties surveys, which track technology trends and identify and promote best practices in local government.
Digital Communities quarterly reports appear in Government Technology magazine in March, June, September and December.
Anyone responsible for the security of city or county information systems has reason for concern. Not only are hackers accelerating their attacks, but nations — including the United States, according to a recent New York Times article — also are joining in with new, well bankrolled attacks so sophisticated that it can take years to spot them. It is almost routine now to read of attacks that expose Social Security numbers, passwords, credit card information, medical records and more.
Even banks, supposedly the gold standard for IT security, have been hacked, and in one exploit — called Operation High Roller — a coordinated cyberattack against 60 different banks netted hackers some $78 million. Chiming in to the growing discord are “hacktivist” groups determined to make political or social points by attacking their opponents. What was once seen as a somewhat benign activity of young nerds has become much more serious.
Photo: Hackers and security researchers once mixed amiably at the annual DefCon hacker conference, but things are becoming more serious.
“The first 20 years in the war between hackers and security defenders was pretty laid back for both sides,” said Kevin Poulsen in a 2009 Wired magazine article. “The hackers were tricky, sometimes even ingenious, but rarely organized. A wealthy anti-virus industry rose on the simple countermeasure of checking computer files for signatures of known attacks. Hackers and security researchers mixed amiably at DefCon [a hacker conference] every year, seamlessly switching sides without anyone really caring. From now on, it’s serious,” he warned. “In the future, there won’t be many amateurs.”
Poulsen — who served prison time for hacking and is now news editor for Wired.com — knows what he’s talking about. Attacks have become more sophisticated and numerous, creating real economic damage as Americans spend more time and money online. Consumer Reports said that in 2010, malware cost Americans $2.3 billion, and globally the annual price tag of consumer cybercrime is $110 billion, according to the 2012 Norton Cybercrime Report.
The threats have accelerated, and costs have spiked just as cities and counties struggle to emerge from the recession in which budgets were cut, IT staff slashed and new hiring virtually stopped. Chief information security officers are in short supply and only some larger jurisdictions can afford them, leaving information systems vulnerable.
But it’s not just smaller jurisdictions that are having trouble. When Eastern European hackers broke a weak password and grabbed 800,000 records from the Utah Department of Health, the state’s highly regarded CIO took the fall. Utah Gov. Gary Herbert said hackers mounted 1 million attacks per day on the state’s IT systems prior to the breach.
And according to a 2011 report from the U.S. Government Accountability Office, “Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing 650 percent over the past five years.”
Is there an end in sight? Will someone create a solution that will solve the problem and give everyone some much-needed relief? Not according to security experts. Some, including Internet pioneer Vint Cerf, have suggested that security might improve with better authentication although that may compromise privacy, while others see only a continual escalation of attack and defense.
In 2009, for example, Columbia University computer science Professor Steven Bellovin said, “The odds on anyone ... finding a magic solution to the computer security problems are exactly zero. Most of the problems we have are due to buggy code, and there’s no single cause or solution to that.”
In a recent interview with Government Technology, Bellovin — who is now the Federal Trade Commission’s chief technologist, but spoke for himself and not the FTC — said his viewpoint remains the same: The complexity of millions of lines of computer code is too difficult a problem to have a single solution. “I think we need to build systems with different architectures, ones that are designed under the realization that there will be security failures,” Bellovin said. “Authentication won’t do it. In most breaches, the bad guys go around the strong authentication, not through it. My own working philosophy is that programs will have security bugs — then what?”
By these accounts, it appears we are condemned to an eternity of infuriating, expensive and seemingly intractable cybersecurity attacks. Fortunately, however, there are things that can be done to improve security and prevent most — if not all — attacks. It’s similar to health, said several experts. No one can guarantee perfect health, but specific steps can be taken now to prevent the majority of illnesses and improve health while science works to eliminate disease. And that’s the practical approach to security advocated by many experts interviewed for this special section.