IT Trends and the Cyber Security Agenda

(1)

State of the States:
IT Trends and the Cyber Security Agenda

Executive Policy Forum on Cyber and Electronic Crime
NGA Center for Best Practices, September 9, 2008

Doug Robinson, Executive Director, NASCIO

(2)

About NASCIO

• NASCIO represents state chief information officers and information technology executives from the states, territories and D.C.
• NASCIO's mission is to foster government excellence through quality business practices, information management, and technology policy.

(3)

Mission

NASCIO's mission is to foster government excellence through quality business practices, information management, and technology policy.

Goals

• NASCIO is the premier network and resource for state CIOs
• Advance state CIOs as key members of the leadership team
• NASCIO is an effective advocate for information technology policy at all levels of government

(4)

State IT Landscape Today

• Continued consolidation – infrastructure, services and people
• Cyber security: Government At Risk!
• Critical infrastructure protection – uneven investments
• Ramifications of data breach and citizen trust
• Insider threats and employee training
• State IT workforce: retirement wave, IT skills gap, challenge of recruiting
• Data management: quality and sharing
• Impact from federal laws, changing programs and unfunded mandates: REAL ID, Medicaid, Homeland Security

(5)

Multifaceted Role of the State CIO

The State CIO sits at the center of:
• Cross-boundary collaboration
• Customer service
• Managing, deploying and developing state IT resources
• Enterprise architecture
• Frontline in securing state IT assets
• Strategic planning
• Legislation, policy and directives
• Procurement
• State IT governance
• Provision of state IT infrastructure

(6)

Challenges of State CIOs

• Bringing the focus to the "enterprise"
• Collaborating across and beyond government
• State IT workforce – skills and demands
• Facilitating efficient, safe exchange of data
• Managing risks – cyber security
• Building relationships in the face of change
• Managing and cultivating funding

(7)

State CIO Priorities: 2008

1. Consolidation: centralizing, consolidating services, operations, resources, infrastructure
2. Security: Tightening security safeguards, enterprise policies
3. Disaster Recovery: Improving disaster recovery, business continuity planning and readiness
4. Electronic Records Management/Digital Preservation/E-discovery: strategies, policies, services
5. Health Information Technology: Assessment, partnering
6. Shared Services: Sharing resources, services, infrastructure
7. Connectivity: Strengthening statewide connectivity, broadband
8. Governance: Improving IT governance
9. Interoperability: infrastructure and data
10. Human Capital/IT Workforce: attracting, developing and retaining IT personnel, retirement wave planning

(8)

State CIO: IT and Solution Priorities

1. Virtualization – computing and storage
2. Security enhancement tools
3. GIS and spatial analysis
4. Legacy modernization and upgrades
5. Identity and Access Management (IAM)
6. Networking, voice and data communications
7. Document/Content management
8. Wireless: Mobile, remote and fixed wireless
9. Service Oriented Architecture (SOA) and web services

(9)

States Adopting More Business Disciplines in IT to Manage Risk

• Enterprise architecture: blueprint for better government
• Organizational Transformation / Change Management
• Enterprise Governance - Series
• Project and Portfolio Management
• Service Oriented Enterprise
• Service level management

(10)

Disaster Recovery & Business Continuity

• Government at Risk: critical infrastructure protection
• Aging state data centers
• Critical business recovery
• No state ready for pandemic
• IT resiliency and the continuity of government
• CIO challenge: making the business case for the investment

(11)

Facing the IT Workforce Challenge

• Over 27% of state IT workforce will be eligible to retire in 5 years
• Who will actually retire and when?
• How best to address the skills gap?
• Best practices for recruiting and …

(12)

Cyber Security and the States

• Critical infrastructure protection
• Spam, hacking, spyware, malware, phishing and probes up!
• More aggressive threats – organized criminal activity
• Insider threat is REAL!
• Growing role of state CISO

(13)

The Insider Threat is REAL!

• IT security incidents: 61% caused by insiders
• Employee awareness and education is critical
• Asset management

(14)

Why Worry?

Data breach at Progressive highlights insider threat (April 06, 2006)

• An employee at Progressive Casualty Insurance Co. wrongfully accessed information on foreclosure properties she was interested in buying. Progressive officials today confirmed that the company sent out letters in January to 13 people informing them that confidential information, including names, Social Security numbers, birth dates and property addresses had been wrongfully accessed by an employee who has since been fired.

(15)

Why you should worry…

Gap security breach exposes data on 800,000 (September 28, 2007)

• A laptop containing the personal information of job applicants was stolen from a third-party vendor that manages job applicant data for Gap. Personal data for approximately 800,000 people who applied online or by phone for store positions at one of Gap Inc.'s brands between July 2006 and June 2007 was contained on the stolen laptop.

(16)

Consequences are real…

Company Says Worker Stole, Sold Data (July 3, 2007)

• Fidelity National Information Services reported a worker at one of its subsidiaries stole 2.3 million consumer records containing credit card, bank account and other personal information. The database administrator sold the information to an unidentified data broker, who sold some of it to direct marketing companies.

(17)

Loss of property…

Angry Employee Deletes All of Company's Data (January 24, 2008)

• When Marie Lupe Cooley, 41, of Jacksonville, Fla., saw a help-wanted ad in the newspaper for a position that looked suspiciously like her current job she assumed she was about to be fired. So, police say, she went to the architectural office where she works late Sunday night and erased 7 years' worth of drawings and blueprints, estimated to be worth $2.5 million.

(18)

Loss of trust…

Sensitive data loss soars (July 11, 2007)

• The number of Ohio taxpayers whose personal information was on a stolen state data device has more than tripled, climbing to 800,000, Gov. Ted Strickland announced. The names and Social Security numbers of 561,126 taxpayers were recently discovered as officials continue to review a copy of the data cartridge stolen from a state intern's car on June 10.

(19)

Loss of sensitive data…

Personal information of 30,000 patients available online for month (August 11, 2007)

• Patient records were available by web search during a four-week period after Sky Lakes Medical Center (Oregon) shut down its online bill-payment system, and a third party, Verus, Inc., transferred the data from one server to another to perform maintenance. The hospital terminated its contract with Verus and shut down the system.

(20)

Corporate liability…

AG Announces Data Breach At New York Bank (May 21, 2008)

• Attorney General Richard Blumenthal today announced that a storage company for a New York bank lost an unencrypted backup tape containing Social Security numbers and bank account information belonging to as many as hundreds of thousands of Connecticut consumers and personal information of millions more.

(21)

Government sabotage…

San Francisco officials locked out of computer network (July 15, 2008)

• A disgruntled city computer engineer has virtually commandeered S.F.'s new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said. One official said he had been disciplined on the job in recent months for poor performance and that his …

(22)

Don’t be a news story…

(23)

The IT Threat Landscape

Internal threats: negligent employees, contractors, business partners, ex-employees, theft, fraud, sabotage, lack of compliance
External threats: hackers, competitors, criminals, contractors, terrorists, theft

(24)

Why Insider Threat is Worse

• Insiders have characteristics that outsiders don't: knowledge, access and trust
• Insider threats are the easiest to perpetrate, most difficult to prevent, possibly hardest to detect
• Not just about technology! Effective solution must involve people, process and technology

(25)
(26)

CERT Insider Threat Analysis

• Studied 250 insider threat cases between 1996 - 2007
• 30 percent were IT sabotage cases
• Most were premeditated attacks identifiable by red-flag behavior
• 30 percent of the attackers had been arrested previously

Source: Carnegie Mellon Software Engineering Institute's Computer Emergency Response Team, 2008.

(27)

Top Five Insider Threats

PEOPLE
1. Malicious employees: sabotage, theft, fraud
2. Inattentive, complacent or untrained employees
3. Contractors, partners and outsourced services

PROCESS
4. Inadequate IT security compliance, oversight, authority and training

TECHNOLOGY
5. Pervasive computing – technology is everywhere and data is on the move

(28)

Reduce Your Risk: Prevention

• #1 – Security Awareness and Training!
• Periodic risk assessment
• Align process with policy
• Employee behavior – stress?
• Disgruntled, demoted or fired employees
• Enforce compliance – Trust, but Verify
• Social engineering – "No Tech Hacking"

(29)

Practical Steps to Reduce Risk

• Strict password & account management
• Secure your data on the move – laptops, PDAs, USB drives
• Create a data retention plan
• Enforce separation of duties
• Wall off data – least access
• Monitor event logs – early evidence
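The account-management, separation-of-duties, least-access and event-log bullets above are checks an engineer can actually run. As an added example (not part of the NASCIO deck), the Python below reviews a constructed audit trail against a constructed HR roster and reports the early evidence the slide asks for: access outside an account's assigned datasets (least access), activity on an account whose access should already have ended (account management), one account that both grants and uses access to a dataset (separation of duties), and off-hours bulk exports or deletes of the kind seen in the Fidelity and architectural-firm cases earlier in the deck. The log layout, account names, roster, dataset names, working-hours window and the 1,000-record threshold are all assumptions made for the illustration.

```python
# Added example, not from the NASCIO deck: a minimal audit-log review that
# turns the slide's checklist into checks. The roster, log lines, thresholds
# and field layout are constructed for illustration only.
from collections import defaultdict
from datetime import date, datetime

# Constructed HR/identity roster: which datasets each account may touch and
# the date its access should have ended (None = still employed).
ROSTER = {
    "jdoe":    {"scopes": {"claims"},            "terminated": None},
    "dba01":   {"scopes": {"billing", "claims"}, "terminated": None},
    "drafter": {"scopes": {"drawings"},          "terminated": None},
    "netadm":  {"scopes": {"network"},           "terminated": date(2008, 7, 10)},
}

# Constructed audit trail, one event per line:
# timestamp|account|action|dataset|records
SAMPLE_LOG = """\
2008-06-02T09:15:00|jdoe|read|claims|3
2008-06-02T09:40:00|jdoe|read|foreclosures|13
2008-06-03T02:10:00|dba01|export|billing|2300000
2008-06-04T11:00:00|dba01|grant_access|claims|1
2008-06-04T11:05:00|dba01|export|claims|500
2008-06-08T23:30:00|drafter|delete|drawings|4200
2008-06-09T10:00:00|drafter|read|drawings|2
2008-07-12T08:05:00|netadm|login|network|1
2008-07-12T08:06:00|ghost|login|network|1
"""

BULK_THRESHOLD = 1000                     # records in one export/delete worth a look
DATA_ACTIONS = {"read", "export", "delete"}


def parse_log(text):
    """Parse the pipe-separated trail into dicts with real datetimes."""
    events = []
    for line in text.strip().splitlines():
        ts, account, action, dataset, records = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "action": action, "dataset": dataset, "records": int(records)})
    return events


def is_off_hours(ts):
    """Weekend, or outside 06:00-19:59 on a weekday (assumed working window)."""
    return ts.weekday() >= 5 or not 6 <= ts.hour < 20


def review(events, roster):
    """Return (account, reason) findings: the early evidence the slide asks for."""
    findings = []
    actions_by_pair = defaultdict(set)    # (account, dataset) -> actions seen
    for e in events:
        acct, who = e["account"], roster.get(e["account"])
        if who is None:                    # account management: no owner on record
            findings.append((acct, "account not in roster"))
            continue
        if who["terminated"] and e["ts"].date() >= who["terminated"]:
            findings.append((acct, "activity after access should have ended"))
        if e["dataset"] not in who["scopes"]:   # least access: walled-off data
            findings.append((acct, "out-of-scope access to " + e["dataset"]))
        if e["action"] in {"export", "delete"} and e["records"] >= BULK_THRESHOLD:
            prefix = "off-hours " if is_off_hours(e["ts"]) else ""
            findings.append((acct, f"{prefix}bulk {e['action']} of "
                                   f"{e['records']} {e['dataset']} records"))
        actions_by_pair[(acct, e["dataset"])].add(e["action"])
    # Separation of duties: granting access and using it should not be one account.
    for (acct, dataset), acts in actions_by_pair.items():
        if "grant_access" in acts and acts & DATA_ACTIONS:
            findings.append((acct, "granted and used access to " + dataset))
    return findings


if __name__ == "__main__":
    for acct, reason in review(parse_log(SAMPLE_LOG), ROSTER):
        print(f"{acct:8} {reason}")
```

In practice the roster comes from the HR or identity system and the events from the database, file-server or SIEM audit feed; the working-hours window and the bulk threshold need tuning per agency, and a finding is a prompt for human review, not proof of wrongdoing. The point the slide makes still holds: none of these checks is possible unless the logs are collected and retained before the incident.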

(30)

Cyber Security and State CIOs: A View Forward

• Complexity of data protection – the need for classification policies
• The real cost of data breaches
• Stiff competition for state funding
• Growing world without wires
• Millennials as citizens and in the workforce

(31)

Doug Robinson
Executive Director
www.nascio.org
