http://www.freep.com/news/statewire/sw120363_20050825.htm

August 25, 2005

LANSING, Mich. (AP) -- Obtaining a driver's license got a lot tougher recently when a cyberworm hit government computers in Massachusetts, forcing customers to wait until technicians got infected computers running again.

The Zotob virus and its variations also attacked businesses such as automaker DaimlerChrysler AG, idling up to 50,000 workers at 13 plants, and media companies such as CNN, ABC and The Associated Press.

The scramble in Massachusetts, Michigan, Kansas and elsewhere to fend off the virus shows the vulnerability of states to potential shutdowns in service now that they offer everything from hunting licenses to physician discipline reports on the Internet and keep millions of computerized tax, voter registration and driving records.

Most states, including Michigan, suffered little damage from the attack. But risks remain.

Compounding the problem is the relatively little that states spend to protect those systems from hackers and other threats.

James Krouse, manager of state and local analysis for the information technology research firm INPUT in Reston, Va., estimates states spend about $1.9 billion a year on such security, about 4 percent of their IT budgets. The federal government spends about 7 percent.

The private sector does even better, spending nearly 9 percent of its $700 billion-plus IT budgets on security, according to Natalie Lambert, security analyst with Forrester Research in Cambridge, Mass. That ranges from a low of just over 7 percent in retail and wholesale trade to a high of more than 10 percent in business services.

Chris Dixon, issues coordinator for the National Association of State Chief Information Officers, says some states spend as little as 1 percent of their IT budgets on security. State IT directors often find security needs aren't considered as critical as taking care of the poor or paying for schools when budgets are approved.
He noted, though, that most states are beginning to see the need to spend more.

"Cybersecurity is just now getting the attention it's due," Dixon said.

Ann Garrett, North Carolina's chief information security officer, said protecting data is critical because states hold so much confidential information.

To find their way into a state's computer database, all people have to do is register a boat or motor vehicle, receive an unemployment or welfare check, apply for an occupational license, pay state taxes, get state-paid health benefits or buy a fishing license, among many other avenues.

"I take very seriously that we as the government force people to give up information," Garrett said. "We've got to take that responsibility to guard it seriously."

Michigan, which controls 55,000 desktop computers and 2,300 servers, fends off nearly 22,000 attempted e-mail virus attacks each day, as well as 35,000 tries to break into state computers and 4,000 attempts to deface government Web sites. The state blocks about half the 4.8 million e-mails that arrive each month to keep out spam.

As the winner of the National Association of State Chief Information Officers' top security award for the past two years, Michigan is considered a leader among states fighting to protect sensitive information and educate tens of thousands of state employees about the dangers of viruses and spyware.

But Dan Lohrmann, Michigan's chief information security officer and a former National Security Agency network systems analyst, said getting the money to protect state computer systems and data isn't easy.

Ask most citizens if they'd prefer states to spend money in already tight budgets on schools and roads or computer security, and the latter generally will lose out, Lohrmann said.

"It's just tough at a time of budget cuts," he said.

Tom Jarrett, NASCIO president and chief information officer for the state of Delaware, told a U.S.
Senate subcommittee last month that not having enough protection can lead to disaster.

"New threats appear almost daily and they can, in a matter of seconds, render services we've all come to depend upon, like e-mail and Web browsing, completely unusable," Jarrett told the subcommittee. "In the worst case scenario, without proper protection and due diligence, an attack could potentially cripple or completely shut down an entire state government."

Lohrmann has been able to use federal homeland security money to beef up protection for Michigan's computer system. The money has helped buy backup generators to run computers if a blackout hits and to put protections in place the state otherwise couldn't afford.

"A big part of this becomes how do you protect your data centers," he said.

Larry Kettlewell, Kansas' chief information security officer, said states are growing increasingly sophisticated about handling threats to their computer systems. But he agrees most state CISOs would like to have more money to deal with the rising barrage of worms and viruses.

"Until a whole network gets taken down for a week, 10 days ... it's not going to make a difference," Kettlewell said. "That's when people will wake up."

-=-

On the Net:

National Association of State Chief Information Officers: http://www.nascio.org