Cyberethics: What the Public and Private Sector Misses

In the first of a two-part series, we talk with Michigan CISO Dan Lohrmann about his experience with security, consolidation, and public- versus private-sector considerations.

Dan Lohrmann is chief information security officer (CISO) for the state of Michigan. He is also an executive board member of the Multi-State Information Sharing and Analysis Center (MS-ISAC), which coordinates cybersecurity actions among the 50 states. He sits on the Department of Homeland Security's IT Government Coordinating Council (GCC) which involves writing and implementing the National Infrastructure Protection Plan (NIPP) IT Sector Plan.

In 2006, Lohrmann was selected as Information Security Executive of the Year (Central USA) by the Executive Alliance and selected as a "Government Visionary" by Symantec Corporation.

In our conversation with Lohrmann, we explore a wide range of issues, from what private and public sector security pros are missing (and the differences between security issues between these sectors) to external versus internal threats and the nature of network intruders.

- - -

ESJ: With your work with Homeland Security, what do you see in the landscape for both institutions and enterprises, in other words the public and private sectors, and where they are missing the boat?

DL: It’s the whole cyberethics question.

We have two extremes. We have done a very good job getting the word out to the novice users about viruses, worms, the need for firewalls, those things. Many enterprises are doing very well with that message.

But the trend I am seeing is the more-advanced, more-knowledgeable employees are some of the worst offenders for following acceptable-use agreements. So how do we change that culture?

I call it cyberethics. I think it is an up-and-coming field, but it’s not widely acknowledged. There aren’t any books out there. In that 7 by 24 by 365 world, we ask people to do telework, and yet drawing the line in what is acceptable and not acceptable is probably the biggest area of concern.

ESJ: When you think of ethics, you normally think of a code of conduct, but in some businesses, codes of conduct get ignored.

DL: I agree and believe it is a moral issue. I think that we have a fine line to walk between moral/religious issues and just good business ethics. As a society, it will be a major issue in the next couple of years. Internet behavior. Codes of ethics. It is ignored by many people and may be the hardest thing to change.

The question is down at all the levels. There are 55,000 state employees in the state of Michigan. How do you provide good examples, training, and motivation around acceptable and even best practices? I think that is an ongoing challenge.

In Michigan, we have several good solutions. We have [the Web site] that really does train people on the dos and don’ts of acceptable-use policies, and as an industry, I think we do a very good job.

I think the hard part is an age-old question; a lot of people break the Ten Commandments. So how do you provide the motivation and role models for the next generation that was born and raised on the Internet and MySpace?

ESJ: When you look at security issues today and people, how many are external threats and how many are internal threats?

DL: I’ve heard different percentages; I’ve heard people say 70-30 [external versus internal]. In Michigan, we deal with both. If a gun were stuck to my head, I’d probably say 50-50.

Clearly, we are getting them on the external side. We are getting regular virus and worm attacks sent to us. We just did our numbers for 2006. We had 120 million e-mails sent to us; 90 million—three-quarters—were spam or viruses we blocked.

We have attacks. We have external people and botnets from all over the world regularly trying to break into our network. We have internal people who are going to places where they shouldn’t go, so we need to protect people from those places.

We have 840,000 blocked connection attempts on a monthly basis, connections from both sides of the firewall. For example, somebody goes to a Web site and it’s compromised or malicious and tries to download malware.

From an internal “people” perspective, we look at honesty and integrity in the employees, but a lot of people don’t know what they don’t know, so preventing them from accessing bad sites and blocking malicious downloads is important to us.

In a sense, some of the problems are internal people going to the wrong places and a lot of people trying to break into networks.

ESJ: What type of information are network intruders trying to grab?

DL: We’re seeing the most attempts at the information that is going to make them money, like identity theft.

Real hot-off-the-press: right now we are seeing more botnets and people wanting to get credit card information. We’ve seen the attempts in the last couple of weeks attempting to take over one of our Web servers in the DMZ.

One scenario is planting the Web bug, that one pixel on the screen, and then people [our employees or citizens] are redirected to Korea or some other Web site in the third world. While the person is surfing, the site is background downloading malware. Those bad guys, whether it be Eastern Europe or wherever in the world, now have control of the system and now you’re in the bot situation. Now they know your passwords, credit card information, and banking information that they can use for identity theft. That’s one scenario and that’s why we use surf blocking.

Another scenario is that they are trying to break into our big databases, the type of attack which has been in the headlines for the last year and a half. Big data breaches, if they can grab all state employees’ Social Security numbers, are very valuable to them. Basically, [they are after] any sensitive information that would make them money.

ESJ: Obviously some Web sites have higher value. If you were able to breach the Department of Motorized Vehicles or equivalent, you could harvest information there that has a tremendous value over others.

DL: I agree. They are going after key databases. We run penetration tests and look at our vulnerabilities and how we could plug them. We have put into place IDS [intrusion detection systems] and IPS [intrusion prevention systems].

In the last three years we’ve spent over six million in Homeland Security dollars to add protections around our resources, prioritizing what those most critical resources are and how we can protect them. It’s kind of a triage method to make sure the right “eggs” are guarded closely.

We’re working smarter, not necessarily more hours or more people. We have doubled our security budget in Michigan, going from one percent to two percent of IT spending, but the problems we are facing are also much bigger.

[Online services] have to be secure, that trust obviously has got to work, just like online banking. The challenges are huge, but we have to work together and partner with other organizations to solve this.

We have a multi-state ISAC [Information Sharing and Analysis Center] which works with all 50 states and is run out of Albany, NY. We are working with the US CERT. We have just put up a Michigan ISAC, and we are reaching out and working together on a common portal with local governments in Michigan.

ESJ: You have a myriad of agencies, don’t you?

DL: In Michigan about five years ago we consolidated all the different IT departments into a central department called the Department of Information Technology (MDIT). We have approximately 55,000 endpoints and 3,000 servers. We have about 1,700 employees and ballpark around 1,000 contractors.

We look at all aspects of IT. Everything from building systems to the infrastructure to the networks—all has been centralized. We have data centers all over the state. We are consolidating them but haven’t finished yet. That kind of organizational structure has enabled us to leverage tools that can scale as well. That’s where Symantec has come in. We are doing the same consolidation with endpoint security.

As we do more and more wireless, there are huge associated risks. It’s not just losing laptops, but as people connect to the Internet not just at home but at other places like Wendy’s (all of the Wendy’s around here have wireless), you need to ensure those end-points are secure. We have been partnering with Symantec on that as well.

ESJ: Is it just antivirus with Symantec or something more?

DL: It’s much more. It’s endpoint security. It is firewalls, VPN [virtual private networking], connections from remote locations, and remote access. It’s antivirus, antispam, looking at anomalies on the hard drive, looking at anomalies everywhere. It’s not all there now, but ultimately it’s preventing all threats that could hit that endpoint.

ESJ: Are you using any other Symantec product such as SIM?

DL: We are using SIM as well, but we are not exclusively a Symantec customer. We have SurfControl for web filtering. We have some ISS (Internet Security Systems) products. We have LanPatrol products. We have other security products and security vendors but Symantec is a major partner.

ESJ: When it comes to security, are there more differences or similarities between the public and private sectors?

DL: With Michigan, I’ve seen more similarities. I don’t want to knock other states, but there is a group of states that are doing really well. There are local governments that are way behind. We have leaders and followers and laggards.

I’m the president of Michigan InfraGard and was its vice-president for two years. I’m dealing with the same issues my colleagues are dealing with. We talk about the whole thing: education awareness, employees, some of the issues we discussed such as culture, around the bad guys (you know, the smartest ones are the bad ones).

If you have a mature security organization, I think the majority of the issues are very, very similar between the public and the private sector. We deal with the politics and the administration turnover, the state budget process. How we work as a business might be different than the private sector, but wireless, botnets, and those kinds of things, those are the same issues.