within the network and that this is undocumented and unauthorized equipment," Robinson said.
In its August story, The Post reported that Childs set up unauthorized network doorways that allowed him "unfettered and undetectable access." He obtained pages of user names and passwords and downloaded gigabytes of city data to a personal storage device. At the time, Childs wasn't the only engineer with control over the network, but his control increased as his co-workers moved to other projects.
Childs left many devices inaccessible; he had gone through and encrypted many of them, Robinson said. These devices don't hinder the department from administering the network, but they do make it harder for personnel to identify and correct problems Childs may have left behind.
Robinson said the Department of Technology was in the process of furthering its security protocols and mechanisms, and Childs made the changes difficult by initially refusing to offer the passwords. These security steps included revisiting the city's intrusion detection and intrusion prevention strategies, architecture and approach. The city was also working to enhance asset management, identity access and password management tools.
Unfortunately, insider sabotage comes with the territory. In 2007, the Journal of Computer-Mediated Communication published a graph of public- and private-sector security breaches from 1980 to 2006. In 2006 alone, of about 250 reported incidents, nearly 200 came from threats within the organizations that reported the breaches. This graph was reprinted in a 2007 report, Insider Security Threats: State CIOs Take Action Now!, published by the National Association of State Chief Information Officers (NASCIO).
The San Francisco story can also be seen as a warning, and CIOs have definitely taken notice.
Bill Schrier, chief technology officer of Seattle's Department of Information Technology, wrote about the incident on "The Chief Seattle Geek Blog." He advises that CIOs should be careful not to give one employee too much power over the network.
"That sort of responsibility has to be shared, and to actually share it, there ought to be multiple administrators who can do the same sort of work and have access to the passwords -- with management oversight to make sure that the job responsibilities are divided and supervised," he said.
Schrier isn't the only one with that opinion. "You must have a balance of authority across your security layer, either with the network or applications, so you don't have one person that is godlike and controls all your resources," said Rico Singleton, a New York state deputy CIO. "You typically have a decentralized or federated security model of which you have redundant levels of super-user administrator type of authority."
Redundant levels of access mean there is more than one way into the system, or more than one high-level administrator with top-level authority to access it. However, distributing network responsibilities among different people may not always be easy to attain in state and local government.
"Government budgets and government personnel policies make it much harder to sort of do things in an efficient way," said John Pescatore, a Gartner analyst who specializes in security and privacy. "We also see government staffs are often much more multipurpose." In other words, while a private company may have a large department of administrators, a much smaller government agency may only be able to afford one administrator who also performs other functions that are unrelated to IT administration.
"The more common problem people worry about, and the more common way things have gone wrong, is when an authorized administrator -- we typically call them a super-user -- oversteps their authority," Pescatore said. They might do things that they really shouldn't do just because they have administrative access, whether it's IRS taxpayer database surfing or passport application surfing, he said.
Pescatore also recommends that departments stay on top of