Slashdot Mirror


Cash-Strapped States Burdened By Expensive Data Security Breaches

CowboyRobot writes "As budgets are pinched by reduced tax collection, many U.S. states are facing a possibility of not being able to handle the ever-increasing number of data breaches. 70% of state chief information security officers (CISOs) reported a data breach this year, each of which can cost up to $5M in some states. 'Cybersecurity accounts for about 1 to 2 percent of the overall IT budget in state agencies. ... 82 percent of the state CISOs point to phishing and pharming as the top threats to their agencies, a threat they say will continue in 2013, followed by social engineering, increasingly sophisticated malware threats, and mobile devices.' The full 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study is available online (PDF)."

17 of 58 comments

  1. Parks by Osgeld · · Score: 3, Insightful

    I live in a town of ~30,000 ... we have 2 new (pretty large) parks that were made before the shit started hitting financially ...

    what if ... instead of pissing money away on bread and circuses, they fixed some (any) issues?

    hell no! build a park, put brick roads in, traffic cameras! screw the guy standing at the DMV cause the windows XP sp0 running the whole fucking thing is sending out 1,000 spam messages a second while skimming everything you would need for identity theft for the entire county.

    I honestly think it would be better if we banned government from having computers, none of their employees know how to use the damn things, they are always broken, and it's no fucking faster than when they were on paper.

  2. The bills eventually come due by stox · · Score: 4, Insightful

    Things weren't any better when the states were flush with cash. Contracts are granted more on the ability to navigate the bidding process than they are by the ability of the bidder(s) to get the job done. Until that changes, we deserve what we get.

    --
    "To those who are overly cautious, everything is impossible. "
    1. Re:The bills eventually come due by Bacon+Bits · · Score: 4, Insightful

      Contracts are always granted to the lowest bidder. Think about what that means. You will always be hiring the guy who is cutting the most corners, hiring the fewest, least skilled workers, purchasing the lowest quality or oldest tools and materials, etc. The only time you don't go with the lowest bid is when you can show that there's something wrong with the bid itself (i.e., it missed one of the requirements).

      Example: There was a contract for copier service and repair at one of the K-12 schools we supported. The contract bid was half that of the other bids. Indeed, it was half the cost of the previous contracts to support the same number of copiers. Even though this makes no sense, they got the contract. New copiers were leased and installed and users were trained. 8 months through the first year, the business ran out of money. They stopped responding to calls. Then we discovered that their techs had left for another service company because their paychecks bounced. The business filed for bankruptcy. The school had to hire another service company to support the next 6 months at higher expense while a new contract was bid. The new contract was more reasonable, but the copiers were a different make. So, new copiers were leased and installed and users were trained all over again. This is how government waste happens.

      By the way, if you don't go with the lowest bid the citizens will inevitably complain to the city council or representative. They will do this anyways because Americans always complain, but when there's something a council member or rep can pin on you, well, it's something you want to be able to justify. "I know these guys are shady" just isn't going to cut it in all cases.

      --
      The road to tyranny has always been paved with claims of necessity.
    2. Re:The bills eventually come due by AK+Marc · · Score: 2

      I've seen a number of contracts go, not to the lowest bid, but to the bid by the incumbent because it was asserted that they have a proven ability to deliver. The waste is that anyone who actually cuts costs and delivers will never get the chance because the bid will go to the higher bidders because they are proven to deliver.

    3. Re:The bills eventually come due by DarkOx · · Score: 3, Insightful

      Contracts should go to the lowest bidder who can do the work. Specs should be written completely and independently before jobs are put out to bid. The real problem is that requirements are being written by people with a specific vendor in mind.

      The situation you cite sounds like fraud to me. Maybe not, but I would say the proprietors should be dragged into court and the state ought to try and prove they never intended to be a going concern and always planned to take the money and not provide the services, and if they can, put 'em in the slam. At least it would remove the bad actors from our society and discourage others from trying to run such scams.

      Also the fuckwit state employees who decided to pay some fly-by-night for a year's services in advance should be fired for mishandling the public's funds. One of the requirements should have been to pay month to month. That way when the company folded up they would have been out at most 30 days' cost in the case of a legitimate bankruptcy.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:The bills eventually come due by Bacon+Bits · · Score: 2

      None of the school districts I've worked with do anything other than full year or multi-year contracts, because student enrollment on two days (one in October, one in February) determines annual funding in my state. The only way to control spending is to be able to predict it, and that means longer contracts. Additionally, you must consider that our school districts have lost 3-5% of our funding every year for the past 14 years. Our state changed funding to be centrally funded, so millages cannot be levied (the money just goes to the state). Google "Michigan Proposal A 1995". All the money still goes to the state education fund along with lottery revenue, but it is routinely raided by the legislature (because the state is in so much trouble). Because so much of our tax money would go to Detroit schools, our citizens have little motivation to pass millages.

      There are also two other issues going on here. First, this is a town of 50k people, surrounded by farmland, wilderness, and two other towns about the same size. The next town of larger size is over 100 miles away. Second, the vendors in our area only support one copier make. If you want Kyocera, you go with A; if you want Canon, you go with B. Why? There aren't enough customers to go around. At the time bidding closed, we only got two bids: one from the old vendor (that we were unhappy with for a variety of reasons, technical and business-wise) and one from this second vendor. Until they ran out of money, the business that failed provided excellent service and we had no complaints. This was a drastic improvement on our previous vendor. The current vendor is actually the company the techs from the failed company went to, so now we still get excellent service. (Yes, the current company that provides service now was a third make of copiers.)

      --
      The road to tyranny has always been paved with claims of necessity.
  3. This comes as no surprise to me by Bacon+Bits · · Score: 4, Interesting

    I worked help desk in K12 education a few years ago. In one district we supported there was a teacher that routinely responded to every phishing email she got. Every "go to this site and enter your password" or "email us your username and password" email she got she would immediately respond to. About once every six weeks we would get a call from her saying she wasn't getting email. Well, the hackers would connect to her compromised email address and configure Outlook rules to delete all her email and forward the spam or command messages they were sending out. Every six weeks we would have to reset her account password, delete all the rules, and essentially rebuild her mailbox from scratch. Every time we did this we told her "We will never, ever ask for your password in an email or with a link in email. Emails saying as such will always be attempts to steal your account. Again." Then six weeks later....

    The woman was lucky she worked for the smallest district we supported. All the other districts had computer security agreements that would've had her up for disciplinary action or termination, but this district did not because the superintendent did not see why it was necessary. We all agreed her blatant inability to learn was pretty depressing considering her profession, and that it was almost certain her repeated violations would constitute negligence and numerous FERPA violations.

    --
    The road to tyranny has always been paved with claims of necessity.
  4. Just a small chunk out of the savings. by dohzer · · Score: 2

    I guess this is just a small bite out of the savings made by switching to digital records.
    If it gets too large, they can just switch back to print.
    Or does it not work like that?

  5. Deloitte ? Don't make me laugh. by vikingpower · · Score: 5, Interesting

    I grew suspicious on seeing the name "Deloitte" in the association's name. That is one more organisation preying on already cash-strapped government institutions, by sending in 25-year-olds with the roaring title of "consultants" for exorbitant fees. You always see where the corpses are by paying attention to where the vultures gather.

    --
    Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  6. My state just lost 70% of all residents SSNs by trdtaylor · · Score: 2

    3.6 million SSNs lifted, governor claims it was encrypted.
    I'm 80% sure it's unsalted, sha5 or less strength, just because it's a state run operation.

    http://news.cnet.com/8301-1009_3-57541481-83/millions-of-ssns-lifted-from-south-carolina-database/

  7. Useless "report" by dgharmon · · Score: 4, Insightful

    "As budgets are pinched by reduced tax collection, many U.S. states are facing a possibility of not being able to handle the ever-increasing number of data breaches."

    Use a computer that doesn't get viruses merely by browsing the web or opening an email attachment ...

    --
    AccountKiller
  8. Cry A Fucking River by Anonymous Coward · · Score: 3, Informative

    So they "cannot afford" 5% of their IT budget going into Security? 5% is a realistic number, as military R&D programs apparently spend on the order of 10 to 20% of their R&D budgets just on IT security, managing all the security measures etc. It is high time to accept that IT Security is not optional - it must be architected into any IT system from day one. All IT concepts must be checked for their security by professionals who have a clue about Computer Science and Computer Security.

    I know that the MBA Clueless are overruling sane security arguments these days; I know that the MBA Ignorants don't want to spend a penny on proactive IT security; I know that MBAers cannot think rigorously. Government managers are probably even more stupid than the MBA Crap, but we won't fix security by whining and hand-wringing. We cannot "bolt on" security; instead sane security methods and practices must be applied.

    If you cannot afford IT Security, you simply cannot afford IT. Then simplify your processes, use paper and actually do some work instead of getting fat in a government chair.

    The rational way forward would be to pool resources with other states and get economy of scale from that. This requires that processes are standardized and that lawmakers don't make fucking stupid legislation which requires billions of dollars in bespoke software development.

  9. Report from the Trenches by Salgak1 · · Score: 3, Informative

    Don't remind me. I work at an unnamed Federal Agency. Routinely, I write up problems and solutions, not just for the immediate issue, but for the problem in general.

    And then ... crickets. But Ghod forbid that I don't "produce" a number of incident write-ups/etc per shift ...

    Alas ... there ARE no private sector jobs I seem to be able to get: I'm stuck in the Federal "ghetto" ...

  10. Re:not being able to handle? by Jane+Q.+Public · · Score: 3, Funny

    "... and private business has done the worst job of all because they disclose everything, just not intentionally."

    There. FTFY.

  11. States exempt themselves from the rules by roarkarchitect · · Score: 5, Interesting

    In Massachusetts businesses can be fined 1,000s of dollars for not having a written data breach plan, but the state is exempt from the rules. A few years back the unemployment office released personal information because of a virus installed on computers used by clients. There was no consequence for the state - and their response was - we can't do anything about it.

    1. Re: States exempt themselves from the rules by girlinatrainingbra · · Score: 2

      The USA Federal Government also exempts itself from the rules and laws it creates, particularly employment discrimination laws.

      "Above Their Own Laws", in Time magazine.

      And don't forget how law enforcement divisions always review their own problems and always seem to come to the conclusion that the application of force was justified. Sure, that's an unbiased and reasonable conclusion to always come to, right?

  12. Disconnect by jasnw · · Score: 4, Interesting

    Just a thought. Perhaps given the fact that cybersecurity is impossible from a practical standpoint, maybe we should be thinking about taking things off the 'net. By "practical standpoint" I mean folding in reality factors like low-bid contract policies, cronyism, people who give away their passwords, etc. I am giving serious consideration to taking all my personal financial activities offline (or as much so as my financial institutions will let me), and maybe it's time this philosophy is given equal time with the rush to make all things accessible from the Internet (with all its tubes and pipes). For starters, any systems with things like people's SSNs on them are NOT reachable by the Internet. This won't avoid idiots losing laptops full of information, but it does close down remote inroads to the information (or access to control of things like power grids). Granted that it's nice to have full access all the time to everything, but perhaps since we can't protect the things that need protecting this is too costly a desire to meet.