Florida: The cybersecurity state

Office of Information Security handles protection for all Florida state agency information systems

Florida State Technology Office

As Florida information technology officials began preparing for the Year 2000 conversion, they also became concerned about cyberterrorism.

"We were going to have to worry about worms, viruses, hacking and other acts of cybervandalism and cybersabotage forever, and we felt that we needed a permanent presence to be able to deal with the issues," said Scott McPherson, who led the state initiative. "Nobody was thinking about al Qaeda back in those days."

The concern led to the formation of the Office of Information Security about two years later to handle protection for all Florida state agency information systems. The office, which is housed within the State Technology Office, now has a staff of seven and budget of $4 million.

"We tried to always be mindful that we had to take an enterprisewide approach to this especially with all the interoperability and connectivity issues between agencies.... Otherwise, you just try to do this agency or that agency or the other agency, and you're still going to leave yourself wide open," said McPherson, the chief information officer for Florida's Corrections Department and the leader in creating the information security office.

Even before Sept. 11, 2001, state governments increasingly have become aware of the risk to their information systems and have implemented statewide strategies to protect their data and critical infrastructures. Just how many states, or to what degree, is unclear.

The National Association of State Chief Information Officers (NASCIO) has led the charge for greater security and, this summer, issued a report calling for stronger public-sector measures in cybersecurity protection. It is also developing an Interstate Information Sharing and Analysis Center to provide aggregate state incident data, early warnings and notices.

At NASCIO's annual conference last month, McPherson discussed Florida's approach, which included contracting with a vendor — in this case, Herndon, Va.-based TruSecure Corp.

Such an arrangement was important, he said, to get a true, independent assessment. "I've recognized from my prior experience and my Y2K experience that state agencies when left to their own devices will rise or fall to their own levels of competence," he said.

TruSecure recently finished a statewide security audit for the state's three branches of government. Audits included "everything from penetration tests to war dialing to physical security, inspections, and looking at policies and procedures, everything from screen savers to port scans and almost literally everything in between," McPherson said.

Initially, the governor's agencies were targeted "because those are the ones we can crack the whip on the easiest," McPherson said. But after lawmakers saw how well those agencies fared against the Nimda virus last fall, the legislature provided an additional $500,000 to expand the program statewide, an effort that began earlier this year and was completed in late September.

No agency got a clean bill of health from the company's security assessment, McPherson said, and agencies have to fix any security deficiencies themselves. The company will now start conducting supplemental audits, "which come at a moment's notice [and] will be systematic and ongoing."

If a governor's agency starts to "drag," McPherson said the governor would get involved. If a cabinet agency doesn't comply, then the legislature will hold a joint session behind locked doors to hear the complaint and possibly reprimand the agency. "We have never had to do this and that's the beauty of having the power," he said. "If you have the power and other people know you have the power and you're not afraid to use it, then they will comply."

The security office also is providing training to agency security officers to bring them up to a specific level of competence. The state also is developing security policies and procedures.

"Agencies will be allowed to adopt more restrictive policies, but no agency will be allowed to exempt themselves from the policies," he said, adding the baseline policies should be finished by year's end.

McPherson said the state "doesn't profess to have the best solution," but it "bore fruit."

"The one thing that we do recognize is that we're only as good as our next foray into the unknown and that's why it's so important for these audits and these vulnerability assessments to be ongoing," he said.
