Stateline Story

States Fear Cyber-Space Invaders

  • July 22, 2005
  • By Mark K. Matthews

Three months ago, Larry Kettlewell noticed a mysterious $70 charge while scanning his bank account. A cyber-security expert for the state of Kansas, he decided to investigate -- and discovered he'd been robbed.

Someone had stolen $70, and much of Kettlewell's personal information, to set up a Web site in his name. "Even me, being in the industry, shows that it can happen to the best of us," said Kettlewell, whose job is to safeguard state government computers.

Security breaches are a scary possibility for state governments, which stand to lose far more than a $70 pinch. An identity thief can sneak in and pilfer millions of Social Security numbers. A well-timed virus can be equally devastating, knocking out government computers during a hurricane, or stalling networks during a heated statehouse debate.

While breaches of state computer systems have lacked the magnitude of failures in the private sector -- such as the recent disclosure that 40 million accounts were put at risk by a credit-card processing company -- there have been problems.

In February, a state employee in North Carolina downloaded more than 3.8 million addresses before being caught. In June, a virus knocked out hundreds of government computers in West Virginia, and forced officials to disconnect a state Website. And there have been several security breaches at public colleges in the last few months.

"In the worst-case scenario, without proper protection and due diligence, an attack could potentially cripple or shut down an entire state government," said Thomas Jarrett, Delaware's chief information officer and president of the National Association of State Chief Information Officers . He spoke July 19 at a hearing by a Senate subcommittee investigating cyber-security.

Part of the problem, Jarrett said, is the constant barrage of electronic nasties state governments must counter. So far in 2005, Montana has beaten back nearly 45 million attempted virus infections, up from a mere 93 in 1997. And in Kansas, Kettlewell said the state was once attacked about 600,000 times in an hour -- a rate of 10,000 every minute.

To defend against all these threats, states often must spend millions of dollars, experts said. Help from federal officials has been limited and uneven, meaning states must pick up the expensive tab. For example, a security assessment in North Carolina revealed more than $50 million would be necessary to protect the state government's system and to upgrade equipment.

Plus, there's the time needed to educate state employees to better protect themselves and their computers. Ann Garrett, chief information security officer for North Carolina, said it all starts with adjusting workplace culture to make cyber-security part of the routine.

"You educate. You train. You work with people. You just have to say, 'This is going to be the way it is. I do not deal with exceptions,'" Garrett said. "The security officer's role is not to grant exception as some sort of queen."

Time is also a constant worry. With computers growing increasingly connected, networks have little time to draw up the bridge before a virus, mass attack or hackers hit the gates -- all the more reason that better preparations are needed, cyber-security experts say.

Jarrett and the National Association of State Chief Information Officers contend states must be included -- but haven't been -- when federal officials prepare cyber-defenses. As part of that effort, federal officials must help collect state-by-state cyber-security plans so information and good ideas can be shared more readily, Jarrett said.