Security on a shoestring

Here's where resourceful IT managers find help with their security problems

Like public officials everywhere, information system managers are struggling to create policies and procedures aimed at preventing a terrorist attack or other large-scale emergency from bringing down federal, state or local computer infrastructures. Recent events like the destructive W32.Blaster worm, while not believed to be terrorist inspired, show how vulnerable computer networks and individual network nodes are to malicious hackers.

But although chief information officers say security is high on their list of priorities, and was even before the Sept. 11, 2001, attacks, they also report that federal resources for new IT infrastructure, training and technical assistance are in short supply.

The Homeland Security Department and other federal agencies have outlined a number of assistance programs. For now, however, most of those anxiously awaited resources are in their infancy and have yet to deliver concrete results.

"The problem is they're in the process of getting up and running, and DHS hasn't made any outreach to the states" for cybersecurity, said Larry Kettlewell, chief information security officer for the state of Kansas in Topeka. "DHS is not in a position to talk technology subjects yet. But the problems are here and now, not in the future."

What can federal and local CIOs do in the meantime? The response for many is to take advantage of some venerable federal resources and develop grass-roots efforts that use the Internet as a nationwide information clearinghouse for best practices, policy templates and interactive/instant advice when a new security problem hits home.

Making do

Although cybersecurity has been at the top of Iowa's strategic list, only recently have state officials seen DHS focus on it in a substantive way, said Ellen Gordon, homeland security adviser and emergency management administrator for Iowa's Department of Information Technology Enterprise in Des Moines.

"We would like to see from the federal government help in understanding the interdependencies among state, federal and local cybersystems," she said. "We don't have that picture at this point. Ultimately, that would lead us to identify what's most critical for our continuity of operations."

Like many other governments, Iowa has pushed forward in the absence of federal help, using resources that are available now. For example, the state is working with Iowa State University's Information Assurance Center.

For Matthew Baum, computer security officer and acting director of information assurance at the Education Department in Washington, D.C., the National Institute of Standards and Technology (NIST) provides a lifeline for the department's security efforts.

"A lot of security officers are using that more and more," he said. The attraction is that NIST posts security procedures and plans devised by it or other federal agencies that can become templates for others.

The NIST Web site "is time-consuming to go through, but the rewards can be great because it reduces the amount of time you need to produce" security policies, Baum said.

For example, Education recently needed an updated security checklist for its mainframe systems. Even though the NIST site didn't offer any alternative, Baum e-mailed a NIST forum for federal security managers — a group of about 500 IT specialists — asking for help.

"Within a day or two, another federal agency forwarded what they use, and we modified it to fit our environment," Baum said.

Collective intelligence and online information sharing have become increasingly popular features of that forum in recent years, Baum added. Now, "not a day goes by when a security officer doesn't raise a security issue or a question, followed by a response by someone who has solved the problem," he said. The result is that new policies and practices are put in place more quickly than when security managers worked alone to address challenges.

"In the past, if we identified a security issue and didn't have the resources in-house to solve it, we contracted someone from the outside," Baum said. "These days, with the NIST Web site and the Security Managers' Forum, the development of a document isn't something you create from scratch anymore. You can get a template for a complete document so you're not reinventing the wheel. In the long run, when a lot of agencies share information, some of their costs for program management are going to go down."

As chief of information technology security for the relatively small National Labor Relations Board in Washington, D.C., Daniel Wood said information about what larger agencies are doing to "button down" their networks saves time and money.

Both NIST and the Federal Computer Incident Response Center (FedCIRC), a DHS clearinghouse for incident reports and prevention measures, provide this information. Access control, intrusion detection and IT security policies are important topics on which Wood has looked to NIST for help.

"Larger agencies may have standardized on particular standards," he said. "Utilizing what's already been published helps to facilitate the acceptance of these standards within our agency."

Wood also gives high marks to FedCIRC's Patch Authentication and Dissemination Capability, a Web service that automatically sends alerts about new computer threats and provides validated "patches," pieces of software that shore up security holes in applications, operating systems and network components.

"It helps us understand what the current threats are, and in addition, it helps us to better address those which we may be most susceptible to," he said.

In the Midwest, an effort called the Secure Michigan Initiative is attempting to minimize cybersecurity risks and build awareness of safe practices among state employees. To do this, the state is testing a pilot Web site that it plans to fully launch early next year. It provides security fundamentals and online training for Michigan workers.

Dan Lohrmann, chief information security officer for the state, said the site used the Stay Safe Online Web site from the National Cyber Security Alliance as a model. The alliance is a collaborative effort by DHS and technology companies. "There's an abundance of information about security out there, so it's a matter of packaging it in an efficient way to not inundate users," Lohrmann said.

Gary Underwood, deputy CIO and state security officer for Arkansas, depends on security reports from InfraGard, a service run in part by the FBI.

"The daily briefings on vulnerabilities are very valuable to get an idea of what's coming," he said. "Sometimes the reports verify what we're already trying to battle, sometimes they provide an advanced warning about a vulnerability that's been exposed that we haven't already seen. It helps you understand that other people are dealing with the same problems you are."

Although no one wishes to share the pain of a cyberattack, sharing practical information about stopping one can be an important key for cybersecurity.

Joch is a business and technology writer based in New England. He can be reached at ajoch@monad.net.
