21st century imperative: Protect computer data
Coming on the heels of the WikiLeaks release of hundreds of thousands of supposedly secure U.S. State Department cables and the news that decades’ worth of Mesa County Sheriff’s Department records were inadvertently made available over the Internet, the news that state computers are also vulnerable to cyber attacks is hardly astonishing.
But the audit released Monday to state lawmakers — parts of which were also made public — is nonetheless troubling because it indicates how easily sensitive information can be accessed through state computers.
Most worrisome is the statement in the audit that the state’s Office of Cyber Security “lacks a strategic plan for directing its operations, lacks any meaningful measures for assessing its performance and does not have procedures to collect and analyze meaningful cyber-security information.”
It is a legitimate question to wonder exactly what the office does with its 17 full-time workers and budget of $2.5 million.
The audit also said there is a lack of leadership within the office and ineffective oversight from Gov. Bill Ritter’s office.
According to the Associated Press, the governor’s information technology office says steps have already been taken to fix the problems. But to really deal with problems would require approximately $40 million, one state official said.
That’s not likely to be forthcoming, given the state’s difficult budget situation. Furthermore, while high-dollar fixes might be the ultimate solution to the cyber-security problems, the state auditor’s report pointed to a number of problems that can be remedied without large infusions of cash.
Among other things, the report listed overly simple or easily guessable user names and passwords for access to state sites, old and unused Internet addresses that still provide access into state systems and unsecured Internet applications that allow anyone to access sensitive information — including information on individual Coloradans.
Obviously, protecting sensitive information on computers is difficult in an age of sophisticated hackers and people who are eager to make public any bits of information they can.
But it is equally evident, based on the auditor’s report, that the state agency tasked with securing that information has been doing a less-than-stellar job in meeting its responsibilities.