Cash-Strapped States Burdened By Expensive Data Security Breaches
CowboyRobot writes "As budgets are pinched by reduced tax collection, many U.S. states are facing a possibility of not being able to handle the ever-increasing number of data breaches. 70% of state chief information security officers (CISOs) reported a data breach this year, each of which can cost up to $5M in some states. 'Cybersecurity accounts for about 1 to 2 percent of the overall IT budget in state agencies. ... 82 percent of the state CISOs point to phishing and pharming as the top threats to their agencies, a threat they say will continue in 2013, followed by social engineering, increasingly sophisticated malware threats, and mobile devices.' The full 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study is available online (PDF)."
Parks (Score:3, Insightful)
I live in a town of ~30,000 ... we have 2 new (pretty large) parks that were made before the shit started hitting financially ...
what if ... instead of pissing money away on bread and circuses, they fixed some (any) issues?
hell no! build a park, put brick roads in, traffic cameras! screw the guy standing at the DMV cause the windows XP sp0 running the whole fucking thing is sending out 1,000 spam messages a second while skimming everything you would need for identity theft for the entire county.
I honestly think it would be better if we banned government from having computers, none of their employees know how to use the damn things, they are always broken, and its no fucking faster than when they were on paper.
The bills eventually come due (Score:5, Insightful)
Things weren't any better when the states were flush with cash. Contracts are granted more on the ability to navigate the bidding process than they are by the ability of the bidder(s) to get the job done. Until that changes, we deserve what we get.
Re:The bills eventually come due (Score:5, Insightful)
Contracts are always granted to the lowest bidder. Think about what that means. You will always be hiring the guy who is cutting the most corners, hiring the fewest, least skilled workers, purchasing the lowest quality or oldest tools and materials, etc. The only time you don't go with the lowest bid is when you can show that there's something wrong with the bid itself (i.e., it missed one of the requirements).
Example: There was a contract for copier service and repair at one of the K-12 schools we supported. The contract bid was half that of the other bids. Indeed, it was half the cost of the previous contracts to support the same number of copiers. Even though this makes no sense, they got the contract. New copiers were leased and installed and users were trained. 8 months through the first year, the business ran out of money. They stopped responding to calls. Then we discovered that their techs had left for another service company because their paychecks bounced. The business filed for bankruptcy. The school had to hire another service company to support the next 6 months at higher expense while a new contract was bid. The new contract was more reasonable, but the copiers were a different make. So, new copiers were leased and installed and users were trained all over again. This is how government waste happens.
By the way, if you don't go with the lowest bid the citizens will inevitably complain to the city council or representative. They will do this anyways because Americans always complain, but when there's something a council member or rep can pin on you, well it's something you want to be able to justify. "I know these guys are shady" just isn't going to cut it in all cases.
Re: (Score:2)
Good catch
Re: (Score:1)
No, BAD politics leads to waste. Keep on electing politicians who myopically believe that all government is bad and they will make it so.
Re: (Score:2)
Sorry, do you routinely make decisions at your job which are likely to be nit-picked by the general population (who lack context) and by elected officials (who lack backbones)? I've seen people make the right decision, seen the decision lambasted by the press, made a scapegoat by the board or city council, and "decide" soon thereafter to "retire early." It is entirely reasonable to consider the impact your decisions will have. That is kind of the point of democracy. This is what accountability looks like.
Re: (Score:2)
I've seen a number of contracts go, not to the lowest bid, but to the bid by the incumbent because it was asserted that they have a proven ability to deliver.
Yeah, our incumbent had a proven inability to deliver.
Re: (Score:2)
A good UI also comes at a price (mostly in R&D though). I suspect that there was no budget for copiers where this was factored into the device's development costs.
Re:The bills eventually come due (Score:4, Insightful)
Contracts should go to the lowest bidder who can do the work. Specs should be written completely and independently before jobs are put out to bid. The real problem is that requirements are being written by people with a specific vendor in mind.
The situation you cite sounds like fraud to me. Maybe not, but I would say the proprietors should be dragged into court and the state ought to try and prove they never intended to be a going concern and always planned to take the money and not provide the services, and if they can, put 'em in the slam. At least it would remove the bad actors from our society and discourage others from trying to run such scams.
Also the fuckwit state employees who decided to pay some fly-by-night for a year's services in advance should be fired for mishandling the public's funds. One of the requirements should have been to pay month to month. That way when the company folded up they would have been out at most 30 days' cost in the case of a legitimate bankruptcy.
Re: (Score:3)
None of the school districts I've worked with do anything other than full year or multi-year contracts. Because student enrollment on two days (one in October, one in February) determines annual funding in my state. The only way to control spending is be able to predict it, and that means longer contracts. Additionally, you must consider that our school districts have lost 3-5% of our funding every year for the past 14 years. Our state changed funding to be centrally funded, so millages cannot be levied
Re: (Score:2)
You can still do a year or multi-year contract; nothing wrong with that. You just make sure you pay for services as they are consumed or performed.
I have had lots of carrier contracts for leased lines and such for which I have been responsible. We would do them under 3 and 5 year contracts. There would be penalties if you just backed out, but you paid every month. If the lines just went dead, I would stop paying.
I don't see why a friction-free copier support contract should be any different. If it's $60k all
This comes as no surprise to me (Score:5, Interesting)
I worked help desk in K12 education a few years ago. In one district we supported there was a teacher that routinely responded to every phishing email she got. Every "go to this site and enter your password" or "email us your username and password" email she got she would immediately respond to. About once every six weeks we would get a call from her saying she wasn't getting email. Well, the hackers would connect to her compromised email address and configure Outlook rules to delete all her email and forward the spam or command messages they were sending out. Every six weeks we would have to reset her account password, delete all the rules, and essentially rebuild her mailbox from scratch. Every time we did this we told her "We will never, ever ask for your password in an email or with a link in email. Emails saying as such will always be attempts to steal your account. Again." Then six weeks later....
The woman was lucky she worked for the smallest district we supported. All the other districts had computer security agreements that would've had her up for disciplinary action or termination, but this district did not because the superintendent did not see why it was necessary. We all agreed her blatant inability to learn was pretty depressing considering her profession, and that it was almost certain her repeated violations would constitute negligence and numerous FERPA violations.
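The mailbox rules described in the post above (delete everything, forward to the attacker) are the classic post-phishing persistence, and they are also the cheapest thing to detect. The following is an added example, not code from the original post or from any district's tooling: it audits a mailbox's inbox rules for that pattern. The rule records, the field names, the org domain and the "hiding folder" list are constructed, simplified assumptions rather than the exact Exchange/Outlook or Graph API schema.

```python
"""
Added example (not from the original post): audit a mailbox's inbox rules for
the post-phishing persistence described above, i.e. rules that delete incoming
mail wholesale, hide it, or forward it to an address outside the organisation.
The rule records and the field names are a CONSTRUCTED, simplified shape; they
are not the exact Exchange/Outlook or Graph API schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ORG_DOMAIN = "example-k12.org"   # assumption: the district's own mail domain


@dataclass
class InboxRule:
    name: str
    enabled: bool
    conditions: Dict[str, List[str]] = field(default_factory=dict)  # empty -> matches every message
    forward_to: List[str] = field(default_factory=list)
    delete: bool = False
    move_to_folder: str = ""


# Folders attackers commonly use to keep stolen mail out of the user's sight (heuristic).
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email"}


def is_external(address: str) -> bool:
    """True if the recipient is not in the organisation's own domain."""
    return not address.lower().strip("<> ").endswith("@" + ORG_DOMAIN)


def suspicious_reasons(rule: InboxRule) -> List[str]:
    """Return the reasons a rule looks like attacker persistence; an empty list means benign."""
    reasons: List[str] = []
    if not rule.enabled:
        return reasons
    catch_all = not rule.conditions
    if catch_all and rule.delete:
        reasons.append("deletes every incoming message")
    if catch_all and rule.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves every incoming message to '{rule.move_to_folder}'")
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        reasons.append("forwards mail outside the organisation: " + ", ".join(external))
    if rule.name.strip() in {"", ".", ",", "..", "..."}:
        reasons.append("near-empty rule name, typical of rules created in a hurry via compromised webmail")
    return reasons


def audit(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map each suspicious rule name to its reasons; benign rules are omitted."""
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        reasons = suspicious_reasons(rule)
        if reasons:
            findings[rule.name] = reasons
    return findings


# Constructed sample: one legitimate filing rule, one disabled leftover, and two
# rules of the kind an attacker leaves behind after a credential phish.
SAMPLE_RULES = [
    InboxRule("File principal mail", True, {"from_contains": ["principal@example-k12.org"]},
              move_to_folder="Principal"),
    InboxRule("Old cleanup", False, {}, delete=True),
    InboxRule(".", True, {}, forward_to=["relay@mail.example.net"], delete=True),
    InboxRule("Forward grades", True, {"subject_contains": ["grades"]},
              forward_to=["someone@attacker.example"]),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}: " + "; ".join(reasons))
```

Run against a real tenant, the same three checks (catch-all delete/hide, external forward, throwaway name) map directly onto the rule properties Exchange exposes; the cheap win is to schedule the audit rather than wait for the "I'm not getting email" call every six weeks.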
Re: (Score:2)
If I were the CIO, I'd give her an Etch-A-Sketch. Much safer. She'd likely never notice.
not being able to handle? (Score:2)
States have never been able to handle their data security; the Federal Government has done slightly better, and private business has done the worst job of all because they just don't disclose anything unless required to by law.
Re: (Score:2)
I generated a learning program for new hires at my business to understand and mitigate threats.
It focused on phishing attempts and attacks because our business was partially done through email.
Now imagine a politician and their staff... they have to correspond with people, and the easiest, most efficient way is... through email.
So, the concern about phishing attacks is true, but can be mitigated through training on what to spot for.
By the way, my
Re:not being able to handle? (Score:4, Funny)
"... and private business has done the worst job of all because they disclose everything, just not intentionally."
There. FTFY.
Just a small chunk out of the savings. (Score:2)
I guess this is just a small bite out of the savings made by switching to digital records.
If it gets too large, they can just switch back to print.
Or does it not work like that?
Deloitte ? Don't make me laugh. (Score:5, Interesting)
My state just lost 70% of all residents SSNs (Score:2)
3.6 million SSNs lifted, governor claims it was encrypted.
I'm 80% sure it's unsalted, sha5 or less strength, just because it's a state run operation.
http://news.cnet.com/8301-1009_3-57541481-83/millions-of-ssns-lifted-from-south-carolina-database/ [cnet.com]
I am sure you have no clue (Score:1)
Because I am a generous, benevolent man who cares about random idiots like you, I suggest you read a good book on cryptography. Start with "Applied Cryptography" by Bruce Schneier. You will figure out that encryption is not the same as hashing. And you will figure out that salting only makes sense when hashing passwords. Maybe, yes maybe, you will figure out that SSNs are not passwords and that using SSNs like passwords is a royally fucked-up practice of USG agencies. It is a testimony to the Dumbness In Government.
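The distinction the reply above draws (hashing is not encryption, and salting is a password-hashing concept) is worth seeing in code, because it is why "we hashed the SSNs" is not a defence after a breach. The block below is an added example, not code from the original thread or from the South Carolina system: it shows that SHA-256 of an SSN, with or without a stored salt, is recovered by plain enumeration of the tiny SSN space, whereas a keyed construction (HMAC under a key held outside the database) cannot be enumerated by someone who only stole the table. The SSN, the salt and the "first five digits known" search space are constructed for the demonstration.

```python
"""
Added example (not from the original post): why hashing a Social Security
number, salted or not, is not "encryption" and does not protect it, and what a
secret key changes.  The SSN, the salt and the search space are CONSTRUCTED.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def brute_force_hash(target_hex: str, known_prefix: str, salt: str = "") -> Optional[str]:
    """Recover an SSN from SHA-256(salt + ssn) by enumerating the unknown digits.

    Here the first five digits are assumed known (10^4 candidates); with nothing
    known the space is still only 10^9 nine-digit strings, which commodity GPU
    hashing exhausts offline in a matter of minutes.  A stored salt does not
    change this: it is simply prepended to each guess, exactly as the database
    did when it wrote the hash.
    """
    for n in range(10_000):
        candidate = f"{known_prefix}{n:04d}"
        if sha256_hex(salt + candidate) == target_hex:
            return candidate
    return None


def keyed_pseudonym(ssn: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key.

    Equal SSNs still map to equal tokens, so equality lookups keep working, but
    an attacker who stole only the table cannot run the enumeration above
    without the key.  (When the SSN itself must be recoverable, use an
    authenticated cipher such as AES-GCM with the key outside the database,
    not any hash.)
    """
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def demo() -> Dict[str, Optional[str]]:
    """Three ways of storing one constructed SSN, attacked with the same loop."""
    ssn = "123456789"               # constructed, not a real SSN
    prefix = ssn[:5]
    unsalted = sha256_hex(ssn)
    salt = "row-salt-4f2a"          # constructed; stored next to the hash, as salts always are
    salted = sha256_hex(salt + ssn)
    key = os.urandom(32)            # assumption: held in an HSM/KMS, never in the breached table
    token = keyed_pseudonym(ssn, key)
    return {
        "unsalted_recovered": brute_force_hash(unsalted, prefix),
        "salted_recovered": brute_force_hash(salted, prefix, salt),
        "keyed_recovered": brute_force_hash(token, prefix),   # attacker lacks the key
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The point the loop makes is that salt defends against precomputed tables for high-entropy secrets chosen by users; it does nothing for an identifier whose entire space fits in a lunch break. Only a secret the attacker did not get with the table (an HMAC key for lookup, a cipher key for recovery) separates the stored value from the SSN.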
Re: (Score:2)
I've lived in SC for many years, and am confident they used the best ROT13 encryption available.
Useless "report" (Score:5, Insightful)
Use a computer that doesn't get viruses merely by browsing the web or opening an email attachment.
Cry A Fucking River (Score:3, Informative)
So they "cannot afford" 5% of their IT budget going into Security? 5% is a realistic number, as military R&D programs apparently spend on the order of 10 to 20% of their R&D budgets just on IT security, managing all the security measures, etc. It is high time to accept that IT Security is not optional: it must be architected into any IT system from day one. All IT concepts must be checked for their security by professionals who have a clue about Computer Science and Computer Security.
I know that the MBA Clueless are overruling sane security arguments these days; I know that the MBA Ignorants don't want to spend a penny on proactive IT security; I know that MBAers cannot think rigorously. Government managers are probably even more stupid than the MBA Crap, but we won't fix security by whining and hand-wringing. We cannot "bolt on" security; instead sane security methods and practices must be applied.
If you cannot afford IT Security, you simply cannot afford IT. Then simplify your processes, use paper and actually do some work instead of getting fat in a government chair.
The rational way forward would be to pool resources with other states and get economy of scale from that. This requires that processes are standardized and that lawmakers don't make fucking stupid legislation which requires billions of dollars in bespoke software development.
Report from the Trenches (Score:4, Informative)
And then... crickets. But Ghod forbid that I don't "produce" a number of incident write-ups/etc per shift...
Alas... there ARE no private sector jobs I seem to be able to get: I'm stuck in the Federal "ghetto"...
Re: (Score:1)
If you're even halfway competent, there are private sector jobs for you making more than federal sector. Put yourself on linkedin, flesh that baby out, join as many relevant or near-relevant groups as possible, and then get your ass to the user group meetings anywhere within 100 miles of your location. They usually meet between 1 and 3 months periodically, having guest speakers. But more importantly, all the headhunters are there looking for IT workers to place in better jobs. Free food, you get to netw
Priorities, priorities (Score:1)
This will be SOOO fixed with RomneyCare! (Score:2, Funny)
Kinda lame that Obama thinks it's a better idea to have central control over it. How the hell are states going to properly misappropriate funds if we don't give it to them in the first place? I know I sure as hell don't want to pay ta
Re: (Score:2)
Yeah, because the federal government has been so much better at keeping its fiscal house in order.
The highest debt per capita of any state in the country is Connecticut at $5,402. [huffingtonpost.com]
The per capita debt of the federal government is $51,654.92 [brillig.com] or more than 9 times as much.
Total spending per capita in the United States has gone from $6,339.90 [usgovernmentspending.com] in 2000 to $11,194.30 [usgovernmentspending.com] in 2010. The inflation adjusted increase [usinflatio...ulator.com] was 39.4%.
California and Illinois are acknowledged fiscal basket cases - the inflation adjusted per capita inc [taxfoundation.org]
States exempt themselves from the rules (Score:5, Interesting)
Re: (Score:2)
"Above Their Own Laws" [time.com], in Time magazine.
And don't forget how law enforcement divisions always review their own problems and always seem to come to the conclusion that the application of force was justified. Sure, that's an unbiased and reasonable conclusion to always come to, right?
South Carolina (Score:1)
Look what happened to South Carolina. http://www.forbes.com/sites/anthonykosner/2012/10/27/cyber-security-fails-as-3-6-million-social-security-numbers-breached-in-south-carolina/
Disconnect (Score:5, Interesting)
This seem brainwashing (Score:1)
get the farkin data off the internet (Score:1)
technology is not the answer to everything. and money "saved" by implementing new technology isn't necessarily "saved" but rather may cost *more* in the long run.
government INFORMATION can be online.. programs, policies, forms and whatnot.. but keep everything else OFFLINE on a completely separate network from the internet. that eliminates most data breaches -- then some common-sense (if such can be found in government) practices can eliminate the rest (lost laptops, etc).
we functioned for centuries without
Saving money with Windows (Score:2)
Fighting stupidity (Score:2)
In order to combat data breaches you need to be secure to begin with. This is where almost everybody fails. Trying to keep a flawed system secure is like trying to keep a leaking boat afloat - if you work hard and the hole is small enough, it just might work, but...
But even with the perfect system to begin with, things change and before you know it, action is required to keep things secure. Fail here and you're back in the leaking boat.
Now add people. Gullible, naive and stupid. Have the ability to turn eve