The Big Picture
Florida takes a statewide approach to information and infrastructure security.
The phrase, "Know your resources and use them well. And then trust, but verify," sums up Florida's approach to information and infrastructure security - an approach that has served the state well.
The afternoon of Sept. 11, for example, Florida Director of Cyber-Security Scott McPherson was in the state Emergency Operations Center being pulled between two committees - he had vital information on potential targets within Florida, which was collected from statewide Y2K preparations he previously headed up.
McPherson, who is also CIO of the Florida Department of Corrections and chief technology officer for public safety within the State Technology Office, said information gathered during Y2K preparations is extremely valuable now.
"Get out all your old Y2K stuff, your disaster recovery plans, your business continuity plans and of course the people who were involved in all that," he said. "There is no doubt that here in Florida, for instance, the return on investment on Y2K is almost off the charts. That is because we have leveraged and reused so much of the Y2K stuff in a post-9-11 environment."
As a case in point, the state's new enterprise-wide information security program had its genesis in those same Y2K preparations. Polling of Florida's citizens prior to Y2K showed concerns about hackers and computer viruses, and state leaders recognized such threats were not going to go away. As hackers became more proficient, exchanging technical information through hacker Web sites, the threat was going to intensify in the years following the millennium rollover.
To tackle Y2K, McPherson created a think tank of innovative intellectuals where applicants were granted admission if they came up with a new idea. A Coast Guard commander, for example, warned of possible Y2K problems for the many drawbridges in the state - problems which would have occurred if left uncorrected.
In Feb. 2000, after the resounding success of the state's Y2K efforts, McPherson submitted a proposal to Gov. Jeb Bush for the creation of a Bureau of Information Security; he immediately harnessed the brainpower of his think tank to look at the security challenges ahead.
In late 2000, McPherson was given the green light to set up an Office of Information Security within the State Technology Office (STO). However, still lacking a budget, the only things McPherson had were a few staff floating between assignments, a mandate, a vision from the governor and the original planning document prepared with his think tank's help about 10 months prior.
At that time, existing Florida law made information security the responsibility of individual agency heads. "So really the first thing we had to do was get the law changed to allow the STO to insinuate itself into agency security operations," McPherson said.
In the spring of 2001, the Florida Legislature changed the law to give the STO authority to work with state agencies on their security plans. Lawmakers also gave the new security office a small budget of $900,000 to begin implementation.
"First, we started pulling the information security officers together from the respective agencies," McPherson explained. "We briefed the CIOs. We briefed the agency heads. We got buy-in from all of them on an enterprise-wide approach to information security."
The Office of Information Security then started interviewing about a dozen security companies about what they could do for the state, settling upon TruSecure Corp., of Herndon, Va.
"They were not going to actually come in and do everything," McPherson said. "Instead, they were going to help us set up this enterprise approach, and they were going to make our people smarter. That was music to our ears. This was exactly what we wanted, because we have considerable assets out in the agencies. The problem was that each agency had a varying degree of competence."
Indeed, a number of Florida agencies already were in good shape, particularly those involved in public safety and law enforcement. But others were not handling security as well. Moreover, each agency had its own security policies and procedures, a situation far removed from an enterprise-wide approach.
"We decided that with the small appropriation we were given, the greatest good we could do would be to go forward and actually do third-party audits, starting with the governor's agencies first," McPherson said.
Florida's governmental structure includes an elected Cabinet - the governor controls about half the state agencies, Cabinet members control many of the remaining agencies, and the Cabinet, sitting as a kind of board of directors, governs the rest.
Because the Office of Information Security is situated under the governor, the extent of its power over cabinet-controlled agencies remained unclear. However, as a testing ground, the governor's agencies presented ample fodder, and McPherson began auditing and implementing best practices in these organizations.
"Then the Nimda virus hit," McPherson said. "We discovered that the agencies that really were impacted were outside of the executive office of the Governor. Recognizing this, the Florida Legislature gave us an additional $500,000 in Dec. 2001, with a clear mandate to expand the audits to all of the Cabinet and Cabinet-level agencies."
Certification and Enforcement
Establishing third-party audits and expecting agencies to meet standards set by those audits gave the Information Security Office authority to set up interim policies and procedures. "Certification by TruSecure Corp. became the prize," McPherson said. Once an agency received certification, it would have to continue passing upcoming audits.
"If you are not out there actually forcing the agencies to move toward that goal of certification, then this exercise and the money spent has been for naught," McPherson said. "There were agencies in Florida that had security audits done a couple of years prior that did not fare well under Nimda. And if they had implemented the results of the audits, they would not have been affected by Nimda to the extent that they were. This was actually what convinced the Legislature to go forward and give the STO more authority."
McPherson added that Florida agencies put up little resistance to the plan - and what resistance there was dissipated after Sept. 11. "Before, we were more worried about a 16-year-old kid from Yonkers than we were about someone in a cave in Tora Bora," McPherson said. "But now everybody understands that you have to be vigilant, even for things we haven't even thought of yet."
Since coming aboard as Florida's CIO, Kimberly Bahrami has ensured the security program continued to get the resources, tools and executive sponsorship to accomplish its mission. In December 2001, for example, Mike Russo - with three decades of audit and fraud investigation experience behind him - was hired as the state's information security compliance officer. He has the authority "to hold the agencies' feet to the fire and force them forward with all deliberate speed toward compliance," as well as act as an ombudsman if agencies disagree with TruSecure, McPherson said.
He added that the Florida Legislature has continued to support the security initiative. "They have given us pretty much everything we have always wanted because the Florida legislative leadership in both parties recognized even before 9-11 that security was not an issue to be taken lightly," he said.
Continued legislative support meant the plan's next phase would be underway in early 2002. This involved expanding the scope of security audits to include all legislative and judicial branches of state government, as well as the launch of a Florida Infrastructure Protection Center. The center tracks cyber-terrorism - including cyber-crime and computer hacking - that targets Florida's government, financial services, utilities and other critical infrastructures.
The center is a joint project involving the Florida Department of Law Enforcement and other agencies, and it will coordinate closely with the National Infrastructure Protection Center (NIPC). "We believe this new initiative will become an instant national model," McPherson said.
Ongoing vigilance is the hallmark of Florida's enterprise-wide security initiatives. "Perhaps the biggest problem in cyber-security seems to be the machine that didn't get patched," McPherson said. "So all this has to be ongoing. You have to constantly scan yourself. You're only as good as the next attack."