Cash-Strapped States Burdened By Expensive Data Security Breaches

CowboyRobot writes "As budgets are pinched by reduced tax collection, many U.S. states are facing a possibility of not being able to handle the ever-increasing number of data breaches. 70% of state chief information security officers (CISOs) reported a data breach this year, each of which can cost up to $5M in some states. 'Cybersecurity accounts for about 1 to 2 percent of the overall IT budget in state agencies. ... 82 percent of the state CISOs point to phishing and pharming as the top threats to their agencies, a threat they say will continue in 2013, followed by social engineering, increasingly sophisticated malware threats, and mobile devices.' The full 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study is available online (PDF)."

Parks

[Osgeld]

I live in a town of ~30,000 ... we have 2 new (pretty large) parks that were made before the shit started hitting financially ...

what if ... instead of pissing money away on bread and circuses, they fixed some (any) issues?

hell no! build a park, put brick roads in, traffic cameras! screw the guy standing at the DMV cause the windows XP sp0 running the whole fucking thing is sending out 1,000 spam messages a second while skimming everything you would need for identity theft for the entire county.

I honestly think it would be better if we banned government from having computers, none of their employees know how to use the damn things, they are always broken, and its no fucking faster than when they were on paper.

Re:Parks

[iamagloworm]

I wish more governments would build parks. I would vote for anyone promising to build parks!

Re:Parks

I honestly think it would be better if we banned government from having computers, none of their employees know how to use the damn things, they are always broken, and its no fucking faster than when they were on paper.

You mean the same government that brought you the internet? Do you think NASA/JPL can run that rover on Mars using paper? Your over generalization has lost all touch with reality.

The bills eventually come due

[stox]

Things weren't any better when the states were flush with cash. Contracts are granted more on the ability to navigate the bidding process than they are by the ability of the bidder(s) to get the job done. Until that changes, we deserve what we get.

Re:The bills eventually come due

[Bacon+Bits]

Contracts are always granted to the lowest bidder. Think about what that means. You will always be hiring the guy who is cutting the most corners, hiring the fewest, least skilled workers, purchasing the lowest quality or oldest tools and materials, etc. The only time you don't go with the lowest bid is when you can show that there's something wrong with the bid itself (i.e., it missed one of the requirements).

Example: There was a contract for copier service and repair at one of the K-12 schools we supported. The contract bid was half that of the other bids. Indeed, it was half the cost of the previous contracts to support the same number of copiers. Even though this makes no sense, they got the contract. New copiers were leased and installed and users were trained. 8 months through the first year, the business ran out of money. They stopped responding to calls. Then we discovered that their techs had left for another service company because their paychecks bounced. The business filed for bankruptcy. The school had to hire another service company to support the next 6 months at higher expense while a new contract was bid. The new contract was more reasonable, but the copiers were a different make. So, new copiers were leased and installed and users were trained all over again. This is how government waste happens.

By the way, if you don't go with the lowest bid the citizens will inevitably complain to the city council or representative. They will do this anyways because Americans always complain, but when there's something a council member or rep can pin on you, well it's something you want to be able to justify. "I know these guys are shady" just isn't going to cut it in all cases.

Re:The bills eventually come due

[jhoegl]

So politics leads to waste.
Good catch :)

Re:The bills eventually come due

[AK+Marc]

I've seen a number of contracts go, not to the lowest bid, but to the bid by the incumbent because it was asserted that they have a proven ability to deliver. The waste is that anyone who actually cuts costs and delivers will never get the chance because the bid will go to the higher bidders because they are proven to deliver.

Re:The bills eventually come due

So, new copiers were leased and installed and users were trained all over again

You had to "train people all over again" just because a new type of copier was put in place?

That makes no sense at all. Do they also need to be trained all over again when the cafe switches from metal forks to plastic ones?

Maybe it makes sense to hire people who are able to cope with such a minor change without needing "retraining" on the new devices.

Re:The bills eventually come due

[am+2k]

A good UI also comes at a price (mostly in R&D though). I suspect that there was no budget for copiers where this was factored into the device's development costs.

Re:The bills eventually come due

[DarkOx]

Contracts should go to the lowest bidder who can do the work. Specs should be written completely and independently before jobs are put out to bid. The real problem is that requirements are being written by people with a specific vendor in mind.

The situation you cite sounds like fraud to me. Maybe not but I would say the proprietors should be dragged into court and the state ought try and prove they never intended to be a going concern and always planed to take the money and not provide the services and If they can put'em the slam. At least it would remove the bad actors from our society and discourage others from trying to run such scams

Also the fuckwhit state employees who decided to pay some fly by night for a years services in advance should be fired for miss handling the publics funds. One of the requirements should have been to pay month to month. That way when the company folded up they would have been out at most 30 days cost in the case of a legitimate bankruptcy.

Re:The bills eventually come due

No, BAD politics leads to waste. Keep on electing politicians who myopicslly beleive that all government is bad and they will make it so.

Re:The bills eventually come due

[Bacon+Bits]

None of the school districts I've worked with do anything other than full year or multi-year contracts. Because student enrollment on two days (one in October, one in February) determines annual funding in my state. The only way to control spending is be able to predict it, and that means longer contracts. Additionally, you must consider that our school districts have lost 3-5% of our funding every year for the past 14 years. Our state changed funding to be centrally funded, so millages cannot be levied (the money just goes to the state). Google "Michigan Proposal A 1995". All the money still goes to the state education fund along with lottery revenue, but it is routinely raided by the legislature (because the state is in so much trouble). Because so much of our tax money would go to Detroit schools, our citizens have little motivation to pass millages.

There's also two other issues going on here. First, this is a town of 50k people, surrounded by farmland, wilderness, and two other towns about the same size. The next town of larger size is over 100 miles away. Second, the vendors in our area only support one copier make. If you want Kyocera, you go with A, if you want Canon, you go with B. Why? There aren't enough customers to go around. At the time bidding closed, we only got two bids: one from the old vendor (that we were unhappy with for a variety of reasons, technical and business-wise) and one from this second vendor. Until they ran out of money, the business that failed provided excellent service and we had no complaints. This was a drastic improvement on our previous vendor. The current vendor is actually the company the techs from the failed company went to, so now we still get excellent service. (Yes, the current company that provides service now was a third make of copiers.)

Re:The bills eventually come due

[Bacon+Bits]

I've seen a number of contracts go, not to the lowest bid, but to the bid by the incumbent because it was asserted that they have a proven ability to deliver.

Yeah, our incumbent had a proven inability to deliver.

Re:The bills eventually come due

[Bacon+Bits]

Sorry, do you routinely make decisions at your job which are likely to be nit picked by the general population (who lack context) and by elected officials (who lack backbones)? I've seen people make the right decision, seen the decision lambasted by the press, made a scapegoat by the board or city council, and "decide" soon thereafter to "retire early." It is entirely reasonable to consider the impact your decisions will have. That is kind of the point of democracy. This is what accountability looks like. It works well, and it works horribly. It's still the best thing we have.

Re:The bills eventually come due

Just because you have a year-long contract does not preclude paying monthly. If I sign a three year lease for a car, I don't pay for the three years up front: I pay monthly.

Re:The bills eventually come due

[DarkOx]

You can still do a year or multi-year contract nothing wrong with that. You just make sure you pay for services as they are consumed or performed.

I have had lots of carrier contracts for leased lines and such that I have been responsible. We would do them under 3 and 5 year contracts. There would be penalties if you just backed out, but you paid every month. If the lines just went dead, I would stop paying.

I don't see why a friction free copier support contract should be any different. If its $60k all you can eat per year, I'd insist on paying $5000 and an SLA that gives me an out of the contract if machines are left broken or un supplied for days on end. That would have been the responsible thing to do with the publics money.

Re:The bills eventually come due

I saw the different scams many times over, talking to friends in different industries they echo my stories as well.

Contract up for bid (step 1) Company A bids on contract about 20% below expected cost, all the other (fools) bid at cost (no profit at all)
Step 2: Company A wins bid. Immediately goes to the organization (other company, government agency, school, church, whatever) and offers to save them a bucket of money on the contract by (choose one from the list) a. reducing the cost of the equipment by selling them re-manufactured equipment b. reducing the cost of labor by bringing in "non-union" ---read that illegal immigrant--- workers who will be "independent contractors" and therefore have to pay their own benefits packages c. Change the specs to read ... input something that sounds innocuous, would save a little bit of money for the cost of materials but actually the main costs (labor, overhead, profit) would remain in the cost structure. See the pattern? It happens all the time, I worked under an estimator who was just learning how to fine tune the scam so that he could underbid whenever he really wanted a job and get it.

The real, honest players are now out of business, in all the businesses, they lost too many times to this kind of bidding. Odds are the situation mentioned above was played by someone who really was clueless and underbid way too much. It is a skill to know exactly how much to cheat your customers.

BTW, I blame this on the rise of the MBAs in the 80's. The old guys who knew the various industries and bid honestly got squeezed out by the MBAs who had been taught that money was the only way to judge winning or losing. If you had more money today you won. Your legacy, your name, your future, well you could buy all that later. And, unfortunately, that is how is seems to have turned out. We have a child of that world running for president today and people take him fucking seriously as, like, a real human being. What a world...

This comes as no surprise to me

[Bacon+Bits]

I worked help desk in K12 education a few years ago. In one district we supported there was a teacher that routinely responded to every phishing email she got. Every "go to this site and enter your password" or "email us your username and password" email she got she would immediately respond to. About once every six weeks we would get a call from her saying she wasn't getting email. Well, the hackers would connect to her compromised email address and configure Outlook rules to delete all her email and forward the spam or command messages they were sending out. Every six weeks we would have to reset her account password, delete all the rules, and essentially rebuild her mailbox from scratch. Every time we did this we told her "We will never, ever ask for your password in an email or with a link in email. Emails saying as such will always be attempts to steal your account. Again." Then six weeks later....

The woman was lucky she worked for the smallest district we supported. All the other districts had computer security agreements that would've had her up for disciplinary action or termination, but this district did not because the superintendent did not see why it was necessary. We all agreed her blatant inability to learn was pretty depressing considering her profession, and that it was almost certain her repeated violations would constitute negligence and numerous FERPA violations.

Re:This comes as no surprise to me

[ColdWetDog]

If I were the CIO, I'd give her an Etch-A-Sketch. Much safer. She'd likely never notice.

not being able to handle?

[TubeSteak]

States have never been able to handle their data security, the Federal Government has done slightly better,
and private business has done the worst job of all because they just don't disclose anything unless required to by law.

Re:not being able to handle?

[jhoegl]

The information is right about the phishing attacks too.
I generated a learning program for new hires at my business to understand and mitigate threats.
It focused on phishing attempts and attacks because our business was partially done through email.
Now imagine a politician and their staff... they have to correspond with people, and the easiest, most efficient way is... through email.
So, the concern about phishing attacks is true, but can be mitigated through training on what to spot for.
By the way, my training program never went through, because of the time it takes and what not. So, the same will happen here. IT will have to continually fight against an ill informed user and an attacker, and let me tell you two war fronts are more difficult than one.

Re:not being able to handle?

[Jane+Q.+Public]

"... and private business has done the worst job of all because they disclose everything, just not intentionally.

There. FTFY.

Just a small chunk out of the savings.

[dohzer]

I guess this is just a small bite out of the savings made by switching to digital records.
If it gets too large, they can just switch back to print.
Or does it not work like that?

Deloitte ? Don't make me laugh.

[vikingpower]

I grew suspicious on seeing the name "Deloitte" in the association's name. That is one more organisation preying on already cash-strapped government institutions, by sending in 25-years old with the roaring title as "consultants" for exorbitant fees. You always see where the corpses are by paying attention to where the vultures gather.

Re:Deloitte ? Don't make me laugh.

I had the unfortunate situation on my last flight to be stuck next to a pair of said "consultants" from Deloitte. I've never seen a pair of more self-centered pricks in my life. Their entire conversation was about the different girls they had went out with in the last month, and how any of them who refused to put out after two dinner dates where worthless, and how any who did were sluts to be thrown away.

My state just lost 70% of all residents SSNs

[trdtaylor]

3.6 million SSN lifted, governer claims it was encrypted.
I'm 80% sure it's unsalted, sha5 or less strength, just because it's a state run operation.

http://news.cnet.com/8301-1009_3-57541481-83/millions-of-ssns-lifted-from-south-carolina-database/

Re:My state just lost 70% of all residents SSNs

[couchslug]

I've lived in SC for many years, and am confident they used the best ROT13 encryption available.

Useless "report"

[dgharmon]

"As budgets are pinched by reduced tax collection, many U.S. states are facing a possibility of not being able to handle the ever-increasing number of data breaches."

Use a computer that don't get viruses merely by, browsing the web or opening an email attachment ...

Cry A Fucking River

So they "cannot afford" 5% of their IT budget going into Security ? 5% is a realistic number, as military R&D programs apparently spend in the order to 10 to 20% of their R&D budgets just on IT security, managing all the security measures etc. It is high time to accept that IT Security is not optional - it must be architected into any IT system from day one. All IT concepts must be checked for their security by professionals who have a clue about Computer Science and Computer Security.

I know that the MBA Clueless are overruling sane security arguments these days; I know that the MBA Ignorants don't want to spend a penny on proactive IT security; I know that MBAers cannot think rigorously. Government managers are probably even more stupid than the MBA Crap, but we won't fix security by whining and hand-wringing. We cannot "bolt on" security; instead sane security methods and practices must be applied.

If you cannot afford IT Security, you simply cannot afford IT. Then simplify your processes, use paper and actually do some work instead of getting fat in a government chair.

The rational way forward would be to pool resources with other states and get economy of scale from that. This requires that processes are standardized and that lawmakers don't make fucking stupid legislation which requires billions of dollars in bespoke software development.

I am sure you have no clue

Because I am a generous, benevolent man who cares about random idiots like you, I suggest you to read a good book on cryptography. Start with "Applied Cryptography" by Bruce Schneier. You will figure that encryption is not the same as hashing. And you will figure that salting makes only sense with hashing passwords. Maybe, yes maybe you will figure that SSNs are not passwords and that using SSNs like passwords is a royally fucked-up practice of USG agencies. It is a testimony of Dumbness In Government.

Re:I am sure you have no clue

In all my years of consulting, the people of South Carolina are the dumbest, and completely unaware of their position. This is probably due to their having sent Strom Thurmond to the U.S. Senate to represent them for 48 years without him raising them from the bottom 5 in U.S. literacy. Why the hell would you keep sending him back when he does nothing for you? Oh yes, you're too dumb to know better.

Don't think So

All the self-trained crap working in IT functions these days (manager, developers, admins) are certainly capable of fucking up Linux security, too. Linux would be a key part of a secure solution, but certainly only a part of a much bigger concept. Think of securely building dynamic SQL strings and so on.

Oh Really ?

I assume contracts are granted to "those whom I know best". Coincidentally, these people also know how to fiddle the process so that it looks as if they were the cheapest. Mr Jack Corrupto from government will design requirements such that only his best friend can meet them. If there is just one bidder, he is cheapest by default.

Priorities, priorities

[Bruce66423]

The problem is that state officials fail to see that cyber-security is a fundamental component of doing business over the internet, on a level with paying for the electricity. Our duties as techies is to point this out as frequently as possible in verifiable documents so that when the breaches occur there can be no doubt about who failed to make sure the budget was enough. The story of the UK police force that was fined for a data breach http://www.ico.gov.uk/news/latest_news/2012/police-force-pays-120000-penalty-for-data-breach-16102012.aspx has probably frightened a lot of local government people here. OTOH the observation that this was a 'Deloitte' funded report does remind us that there's money to be made here.

Proven To Bribe

I think that is what you meant to say. And yeah, there won't be an easy financial paper trail for the bribe. It works more like "my nephew needs a cushy job and I wanted to discuss that with you, before we talk about that 50 million IT contract you are bidding for".

Report from the Trenches

[Salgak1]

Don't remind me. I work at a un-named Federal Agency. Routinely, I write up problems and solutions, not just for the immediate issue, but for the problem in general.

And then . . . . . crickets. But Ghod forbid that I don't "produce" a number of incident write-ups/etc per shift. . . .

Alas. . . .there ARE no private sector jobs I seem to be able to get: I'm stuck in the Federal "ghetto". . .

Re:Report from the Trenches

If you're even halfway competent, there are private sector jobs for you making more than federal sector. Put yourself on linkedin, flesh that baby out, join as many relevant or near-relevant groups as possible, and then get your ass to the user group meetings anywhere within 100 miles of your location. They usually meet between 1 and 3 months periodically, having guest speakers. But more importantly, all the headhunters are there looking for IT workers to place in better jobs. Free food, you get to network with other professionals, you get to learn near-cutting edge technologies and techniques. While there, ask questions and state opinions, so you get noticed. Not just the headhunters, but all the other IT pros will try to place you in a better job. Oh one final word, have a good attitude and don't bitch about your current job.

This will be SOOO fixed with RomneyCare!

[LostMyBeaver]

If Romney gets in, cash strapped states can siphon off the health care budget and then ask for more. Best thing about leaving it up to the states to manage their own budgets is that they generally have so much extra cash laying around that they shouldn't have a problem with it.

Kinda lame that Obama thinks it's a better idea to have central control over it. How the hell are states going to properly misappropriate funds if we don't give it to them in the first place? I know I sure as hell don't want to pay taxes to carry the burden of the poor... like Mississippi.

Re:This will be SOOO fixed with RomneyCare!

If Romney gets in, cash strapped states can siphon off the health care TAX and then ask for more.

FTFY

Never forget the Health Care program is a tax, was presented in writing as a tax, and lost the Supreme Court battle on this basis.

Re:This will be SOOO fixed with RomneyCare!

[brianerst]

Yeah, because the federal government has been so much better at keeping its fiscal house in order.

The highest debt per capita of any state in the country is Connecticut at $5,402.

The per capita debt of the federal government is $51,654.92 or more than 9 times as much.

Total spending per capita in the United States has gone from $6,339.90 in 2000 to $11,194.30 in 2010. The inflation adjusted increase was 39.4%.

California and Illinois are acknowledged fiscal basket cases - the inflation adjusted per capita increase in spending in those two states from 2000 to 2012 were 42% and 57% respectively. The median state (Michigan at #25) had a 38% increase - slightly better than the US.

Let's just say that neither level of government has been fiscally responsible. All of these figures are increases per capita - more money being spent per person - which means even if everyone (including the rich) was pitching in like it was the height of the dot-com bubble we'd still be under water.

Re:This will be SOOO fixed with RomneyCare!

We have a health care system where the communal health care is responsible the general public health care and the more special services, such as general hospitals are financed by multiple collaborating communities. Additionally, there is the national health insurance and the private health industry, with private hospitals, health care, insurance and other services. The big and wealthy communities are responsible for sponsoring smaller, poorer communities from their tax income which the bigger communities do not like. Scale this up to state sized entities and you got probably something like a Robama-care type of system, minus the tax balancing system.
  Anyway, the communities do not provide an equal or even appropriate level of services for the obvious reasons for the basic health care even if the law requires them to, and the communities sometimes built their ice hockey rings and other sport monuments with the money which should have gone into elderly care, for example.
  Both the basic health care and apparently IT services could benefit from multi-state collaboration, investment and management also in the US. Perhaps implementation of multi state clouds are only matter of time.

Re:This will be SOOO fixed with RomneyCare!

Not if you ask Obama, it is not a TAX which is a mere convenience to support the outright lie that he did not increase taxes.

Re:This will be SOOO fixed with RomneyCare!

I agree completely with much of that. :)

That said, at least when we're paying for it at a federal level, we're calling a pig a pig. When you pay a federal tax for a federal program, that's ok. When the feds have to start laying out cash to support health plans in poor states so people in states that ARE more responsible now have to pay for their plan to the state and pay for the other state's plan through the feds, that's wrong.

The other thing I don't like is, where the hell are the bible belt states going to get software to run the medical systems? It'll cost billions at the federal level. The states will have to all make their own for billions instead. Great idea. Let's write 50 different medical systems for 50 different states with 50 different sets of rules for only 50 times the price. Best part is, in government software system development, misappropriation probably makes up 90% of the system budget. Now companies can scam each state individually.

Remember that crooks at a state level are much easier to hide than at a federal level where we watch them like rabid dogs.

States exempt themselves from the rules

[roarkarchitect]

In Massachusetts businesses can be fined 1,000s of dollars for not having a written data breach plan, but the state is exempt from the rules. A few years back the unemployment office released personal information because of a virus installed on computers used by clients. There was no consequence for the state - and their response was - we can't do anything about it.

Re: States exempt themselves from the rules

[girlinatrainingbra]

The USA Federal Government also exempts itself from the rules and laws it creates, particularly employment discrimination laws.

``Above Their Own Laws'', in Time magazine.

And don't forget how law enforcement divisions always review their own problems and always seem to come to the conclusion that the application of force was justified. Sure, that's an unbiased and reasonable conclusion to always come to, right?

Re: States exempt themselves from the rules

Great nick!! Is it real?

South Carolina

Look what happened to South Carolina. http://www.forbes.com/sites/anthonykosner/2012/10/27/cyber-security-fails-as-3-6-million-social-security-numbers-breached-in-south-carolina/

Disconnect

[jasnw]

Just a thought. Perhaps given the fact that cybersecurity is impossible from a practical standpoint, maybe we should be thinking about taking things off the 'net. By "practical standpoint" I mean folding in reality factors like low-bid contract policies, cronyism, people who give away their passwords, etc. I am giving serious consideration to taking all my personal financial activities offline (or as much so as my financial institutions will let me), and maybe it's time this philosophy is given equal time with the rush to make all things accessible from the Internet (with all its tubes and pipes). For starters, any system with things like people's SSN on them are NOT reachable by the Internet. This won't avoid idiots losing laptops full of information, but it does close down remote inroads to the information (or access to control of things like power grids). Granted that it's nice to have full access all-the-time to everything, but perhaps since we can't protect the things that need protecting this is too costly a desire to meet.

Their own damn faults.

So many of these idiots switched off secured systems (mainframes, unix) to Windows. Now, they have to pay the high prices that it takes to secure Windows. And sadly, there is no such thing as even a weakly secured Windows System, let alone a Strongly Secured one. Putting windows in your gov. or business is about as useful as putting a window in a submarine.

yeah, you were labelled flamebait

but it's the truth.

I'll add most employees at nonprofits. Giving them EtchASketches would only improve their productivity and save us taxpayers bundles.

This seem brainwashing

[ruir]

seems like an undergoing campaign for further waste of public money

get the farkin data off the internet

technology is not the answer to everything. and money "saved" by implementing new technology isn't necessarily "saved" but rather may cost *more* in the long run.

government INFORMATION can be online.. programs, policies, forms and whatnot.. but keep everything else OFFLINE on completely separate network from the internet. that eliminates most data breaches -- then some common sense (if such can be found in government) practices can eliminate the rest (lost laptops, etc).

we functioned for centuries without online registrations, fee payments and online everything else. we can continue to do so. there's nothing wrong with paper forms, writing checks, going to a government office or using a stamp every now and then.

same goes for banks, utilities and other businesses that *can* do business with customers entirely offline.... we don't *need* online banking, "e-statements", etc... -- we certainly aren't seeing the "cost savings" of such changes being passed down to the customer... (heck, in some cases, and even with the state government here, it costs *MORE* to do things "electronically") or online) so why do it? keep your paper statements coming (once you switch to "paperless" you likely can't revert back), write those checks every month. it's *BETTER* that way.

Saving money with Windows

[Relayman]

How's that Windows think working for ya? Specifying Windows as the main operating system may appear to save you money, but you also have to pay money on security software and services as well. Sure the whole package may be less expensive than Linux, Unix, z/OS or IBM i, but you still have to include the security piece.

is it real?

Of course it's a real nick. She's got an id too,2738457, which looks real, while 2738457i would be imaginary.

Great hiding behind Anonymous Coward. Is that real too? ;>p

Isn't a grade of A the best? or like Bond ratings, (not Bond-girl ratings), is AA and AAA even better? What exactly are they training for? Can I help train? Were you at the La Jolla / San Diego barcamp /. anniversaire bash?

Fighting stupidity

[xenobyte]

In order to combat data breaches you need to be secure to begin with. This is where almost everybody fails. Trying to keep a flawed system secure is like trying to keep a leaking boat afloat - if you work hard and the hole is small enough, it just might work, but...

But even with the perfect system to begin with, things change and before you know it, action is required to keep things secure. Fail here and you're back in the leaking boat.

Now add people. Gullible, naive and stupid. Have the ability to turn even the best system into one big hole.

There's only one solution: Add enough security staff to both project new secure systems, keep the systems secure and to educate its users. Much cheaper in the long run against the alternative of 'fixing' massive data breaches.