Stateline Story

De-Bugging Computers a State Priority

Computer worms that ate their way into state computer systems in August forced Kentucky and Maryland motorists to hold off renewing their drivers' permits while Montana sportsmen and women had to wait for hunting and fishing licenses.

Meantime, technology experts at state agencies throughout the country scrambled to make sure their computers had the latest "patches" and anti-virus systems to thwart worms named "SoBig.F" and variations of "Blaster" worms called "nachi," and "Welchia" that entangle themselves in computers with Microsoft Windows.

Most states said they didn't lose data and their systems didn't crash when the latest worms infected and clogged their computers last month. A U.S. Department of Homeland Security official said "no more than a dozen" of the states' computer systems were affected during the last worm outbreak, declining to give a specific number.

Proper cyber upkeep is key, computer experts said, more so than state laws. Sixteen states passed laws in the 1990s laying out penalties for spreading computer viruses (see side bar), but the laws are so new they have yet to be tested, said Janna Goodwin, a technology expert at the National Conference of State Legislatures.

"It's so difficult to prosecute" these cases, primarily because of jurisdictional issues, Goodwin said, noting that most computer viruses cross state lines. "It's easy to put on the books, but in reality it's really difficult to actually go through the process," she said. Federal not state authorities on Aug. 29 arrested and charged a Minneapolis teenager for developing and releasing a variant of the "Blaster" computer worm.

The latest bout of computer attacks hit some state agencies harder than others. In Montana, between 250 and 300 of Montana state government's 10,000 computers were affected, primarily by the "nachi" bug, said Tony Herbert, Montana's deputy chief information officer for operations.

The state's information technology department essentially disconnected most agencies' systems when the "nachi" worm hit Aug. 19 and then brought them back up when the systems were certified as OK. Only a handful of state agencies were completely unscathed, he said.

Herbert pointed to two potential problem areas: lap tops that were taken on travel and may have been infected and anti-virus software patches that had been installed but "didn't take" properly.

In Kentucky, the nachi/Welchia computer virus slowed traffic down in the state's IT network, affecting drivers license offices across the state said Rodney Murphy, executive director of Kentucky's Office of Infrastructure Services. Some shut down until computers in those offices could be patched and brought back online, he said.

The latest worm outbreak caused problems for Oklahoma's 1,600 computers in the state's court records system, but no data or hardware were damaged, The Oklahoman reported Aug. 27.

California "fared extremely well," said Kevin Terpstra, the state's spokesman for IT issues, noting that "hundreds of thousands" of worm incidents were blocked. Of the 300,000 desktop computers that state workers use, only about 1,000 were affected and even in those situations, the systems didn't crash, he said.

Terpstra credited the state's "IT swat team" that went floor by floor, building by building, to check for problems as one of the reasons the state managed to escape major problems. The state also has rigorous reviews to make sure the systems have up-to-date patches and anti-virus systems in place, he said. "We checked and rechecked our various security measures," even if they were automatic, he said.

Iowa's top IT specialist Mollie Anderson said the "size and scale of the attacks have been unprecedented" but said state agencies weren't affected.

South Dakota's estimated 9,000 computers also emerged relatively unharmed from last month's outbreak of computer bugs, said Jim Edman, network manager of the state's Division of Telecommunications. Edman said the state's computer systems are more centralized than other states so it was easier for the state to jump in and make corrections.

Edman said the "most valuable lesson" South Dakota learned from the latest worm attacks is the importance of having an automated system for delivering Window patches and making sure anti-virus definitions are current.

The virus attacks also prompted states to take a closer look at their security policies. Montana, for example, is looking at its procedures for workers who take laptops out of the office, Herbert said. The state is considering requiring that workers use protected Internet ports so that when the laptop is returned to the office, the IT folks can be sure the laptops aren't infected, he said.

South Dakota is stepping up efforts to make sure government employees understand the state's security procedures. "It doesn't do us any good to put a policy in place if we don't explain it," Edman said.