Budget-constrained states face increased security requirements

ST. LOUIS – Proliferation of security threats. Pressure for freer access to network resources. Reduced staffing and funding.

Sound familiar?

Any corporate IT department faces these challenges, but the problem is magnified for those in charge of security for state government networks, according to speakers and attendees last week at the National Association of State Telecommunications Directors (NASTD). “Security is on all our minds every day,” said Jim Edman, manager of network technologies for the bureau of information and telecommunications for South Dakota. “Everybody wants access to everything from everywhere all the time, but there’s a price to pay for that.”

According to NASTD estimates, the 50 states spend at least $3.5 billion a year on IT, but with declining cash and new mandates for public safety systems and compliance with the Health Insurance Portability and Accountability Act, they still are strapped. Linda Luebbering, Missouri’s budget director, said that for the first time, the state has suffered two consecutive years of declining revenue with no end in sight. “Next year is going to make this year look easy,” she said.

Federal officials, who demand some of the security improvements without funding them, don’t seem to have a sense of urgency to do so, said Paul Taylor, chief strategy officer for the Center for Digital Government. “There is no public investment for public infrastructure right now. They’re not treating it like it’s real yet,” he said. “A lot of things we said we were going to do after Sept. 11 haven’t been done yet.”

That has many states looking to each other for proven ways to implement effective security policies economically. Many are looking at the Kansas Bureau of Investigation (KBI) implementation of a secure network over the Internet using a combination of firewalls and VPNs from remote desktops to the statewide network.
It uses authentication tokens, a public-key infrastructure (PKI) and its own certificate authority to handle digital certificates. Rather than using dedicated circuits or secured public data networks, the KBI uses the Internet to transport traffic. The KBI avoids paying $2.5 million per year it would otherwise spend on those more expensive networks, said Norma Jean Schaefer, who was in charge of the KBI project and is now network infrastructure manager and information security officer for the Kansas Department of Health and Environment.

Agencies wanting to access the network must comply with strict standards to support security, but also to support effective management, Schaefer said. “Everybody wanted to connect to us. If I had to manage trust with all those agencies, imagine all the time it would take,” she said.

Meanwhile, other states without centralized security policies suffered from recent worms and viruses. Pockets of state agencies in Georgia and Arkansas were hit, for example, where independent agency IT staff had autonomy from the state security policies. Representatives from both states said agencies that did follow state security guidelines suffered less or not at all.

Making the transition to centralized management is tough where agencies cherish their independence, and politics can slow the process down. “In the public sector we make sure security is bipartisan,” said Claire Bailey, director of Arkansas’ department of IS division of enterprise services. States also have to weigh liabilities that private business might not, she says. Arkansas officials are deciding whether to set up their own certificate authority for a PKI designed to protect confidentiality of private data. “What is the liability if you are your own certificate authority and it is breached?
Can that be offset by outsourcing it to a vendor?” Bailey asked.

That question is troubling Mississippi, where PKI could make transactions secure enough to further its e-government effort, said Dennis Bledsoe, the state’s e-government infrastructure coordinator. E-government projects are supposed to save money long-term by automating standard transactions such as license renewals, he said.

But with money being tight, such benefits have to be sold convincingly, Missouri’s Luebbering said. “You have to explain why it is much cheaper to invest up front than to try to plug those holes afterward,” she said. Otherwise, “If you can’t prove it will save money within the next 12 months, it will be a target for cuts,” she said.