It's much easier to take steps to secure any network when there's money available to do so, and Greg Jackson, CIO of Ohio, has the luxury of working with $3.5 million over the next two years to secure Ohio's wide area network.
He is responsible for some 4,500 T1-or-faster circuits across the state that run off the state's WAN, a network shared with K-12 schools, the public library system and state agencies. The state's effort to harden its defenses is called the e-secure Ohio program.
"Since so many audiences are utilizing that network, one of our concerns is the security of the transactions happening over the network when it comes to state agencies and fiscal information," Jackson said. "We have been granted the funding to actually secure the network and to deploy virtual private networks to deploy our fault-management mechanisms, configurations, accounting mechanisms, performance measurement systems, security measurements to make the network in general more secure, more robust and more dependable moving forward."
Jackson said he used part of the money to conduct a security assessment of 14 state agencies (out of a potential 23 agencies total) to gauge their level of security and their vulnerability to outside malicious hackers. Agencies didn't have to spend a dime, but they needed to be convinced that it would be in their best interest to be assessed.
"The outcome of the assessments was theirs alone," he said. "We didn't receive the details of any of their vulnerabilities. We did receive generic information across the enterprise that was not identifiable to any specific agency, so we could get a sense of how good or bad things were out there. That approach seemed to work very well, and we had more agencies sign up than we expected."
A Free Pass
The level of vulnerability in some agencies was surprising, he said, especially once the firm the state hired to perform the assessment delivered its final report.
"Some things were so weak that one of the analogies they used was that if you were standing in a room and you touched a window, the window just fell out of the wall," he said. "They also said that as soon as they ran the first of many planned scans in a couple of areas, their networks went down immediately. I was surprised that we were that vulnerable in some areas."
Jackson said the security assessments, performed in October 2002, saved the state a lot of grief later when the Sobig and Blaster worms hit. Still, the biggest lure Jackson said he had in persuading agencies to volunteer for the assessment was a promise not to lower the boom on them when the results came out.
Jackson said he told agencies that during the first year he wanted to give them a chance to get their houses in order, because security vulnerabilities had not been a primary focus previously and because he realized it wasn't fair to launch into attack mode against agencies.
"But I also told them, 'I can't promise you we're going to do this the second year,'" he said, adding that he and his colleagues are still deciding whether to give agencies that cloak of anonymity for the next assessment, which is scheduled for this fall.
One problem is that assessments that publicly call out agencies for failing to act also air dirty laundry, which sets the stage for plenty of small political battles. Whether to fight those battles is something every CIO will approach differently.
Participating in the security assessments is currently voluntary, he said, though there is discussion to make participation mandatory.
The looming question is what happens if an agency fails to address its