‘Scary’ audit findings highlight the need for more cyber-security funding in all state governments, official says.
The Colorado state auditor’s report that state government networks and computers are at “high risk” of compromise and data breach may have made headlines last week because hundreds of vulnerabilities were found, but IT officials inside and outside the state said what made the report truly newsworthy is the evident need for more cyber-security funding in all state governments — not just Colorado.
“When you look at how complicated security is and how big state governments are and how many borders and defenses they have to put in place, I don’t think it’s any surprise to anyone who manages security and government,” said Chris Buse, Minnesota’s chief information security officer, about the security flaws found in Colorado’s computer systems.
Travis Schack, Colorado’s acting chief information security officer, said the unflattering audit findings were expected.
That’s because the state’s Office of Information Technology (OIT) collaborated with the state auditor’s office to run the vulnerability and penetration tests on state agencies’ critical computer systems. In part, the purpose was to demonstrate the need for cyber-security funding as the state continues its four-year plan for IT consolidation.
“With the centralization, we are still getting our hands around each of the environment risks that are inside each of those [agency] environments,” Schack said. “This [audit] was the next step to see where we truly are.”
There is much work to be done. Colorado state auditors contracted a private security firm to test the security of agencies’ computer systems and were able to identify hundreds of vulnerabilities, 22 percent of which were deemed high risk.
The auditors gained unauthorized access to several state computer systems and to thousands of people’s personally identifiable information, including Social Security numbers, phone numbers, birth dates, user names and passwords. The compromised data included information on government employees.
Since the report was released last week, the Colorado Office of Information Technology already has started to garner support from policymakers, agency staff and agency executive directors, said the OIT’s Chief of Staff Dara Hessee. “This audit has allowed us to move more quickly than it would have otherwise,” she said.
Throughout the audit, Schack and his team worked with the auditor’s office and remedied many of the vulnerabilities as they were found.
The OIT is currently undergoing an analysis with an outside consultant to calculate total costs for fixing problems identified in the audit findings by summer 2011. The office cannot estimate how much it will cost to implement an adequate cyber-security system until the meetings are complete, Schack said. An earlier report that the necessary sum would be $40 million is an outdated figure, officials said. By comparison, Colorado’s cyber-security office reported that it spent less than $500,000 in fiscal 2010.
Colorado isn’t alone in its struggle with computer vulnerabilities and cyber-security funding. A recent Deloitte and National Association of State Chief Information Officers study found that many state chief information security officers lack the funding, programs and resources to adequately protect vital government data, including constituents’ personal information, especially compared to counterparts in private-sector enterprises.
Minnesota’s Buse said that in the private sector, roughly 5 percent of a company’s budget is spent on cyber-security, compared to 1 to 2 percent in state governments. “It should be higher, given the type of data we have,” he said.
Three years ago, Minnesota implemented a vulnerability management security solution that continually scans for vulnerabilities on the 150,000 endpoints throughout the state’s government and higher-education systems. The system costs the state more than $1 million a year, but the price is worth it, said Buse, because the state has significantly fewer weaknesses to report.
Buse, who worked as a Minnesota state technology auditor before taking his current position as chief information security officer, said he’s not shaken by the Colorado audit’s results because most state agencies have many issues that need to be addressed, including centralizing IT.
Hessee looks at the audit results as a unique opportunity to show policymakers the hard evidence of a statewide cyber-security problem that has been historically underfunded. “It is something that not everybody thinks about … and it is truly a shared responsibility.”