States must act now to crush cybercrime
Citizens and businesses rely on their states' infrastructures, and each state relies more and more on information technology for that infrastructure. But those infrastructures are dangerously vulnerable, particularly for systems that handle the needs of small business, education and social services.
Large businesses and state governments have the resources to protect their information systems. State governments need to take a leadership role in mobilizing small businesses and citizens against the dangers of systems hackers, saboteurs, con artists and the like.
One of my nightmares is of a coordinated, statewide attack on particular information system databases, such as those handling tax collection or human resources data. This may seem outlandish or unlikely to have widespread impact, but consider the IT needed these days to run utilities, governments, businesses and households.
Via IT, public enemies can attack several institutions at once. A network intruder can change confidential financial records, can transfer funds, among multiple banks. Can banking and similar organizations defend their systems against IT-enabled disruption, destruction and fraud?
Hackers scrawl political statements on Web sites like so much graffiti. How can we be sure someone is not stealing our computing resources every day? Unauthorized access to individuals' and businesses' databases slows progress as we battle for privacy. These situations are no longer the stuff of science fiction.
There are five actions states must take to protect infrastructure assets and combat security risks:
First and foremost, each state administration should create a high-level coordinating task force for IT security. Only state leadership can determine IT security risks within a state's infrastructure. Lessons learned from work on the year 2000 date rollover will serve us well here. The task forces can identify IT resources across the state and work to apply those where the security risk is greatest.
Second, states need to establish detection and prevention methods in businesses and households. States must support law enforcement's ability to apprehend and the courts' ability to prosecute. Those affected also must learn guidelines for uniform evidence handling.
Third, educating the public about IT security risks and their consequences will help prevent crimes. State officials should alert the business community and citizens of IT safety precautions. State IT leaders also must stay current with the technology as it, and its dangers, evolve.
Fourth, a new public policy must be developed and implemented to reduce systems vulnerability. Collectively the states could create a catalog of model legislation. Legislatures should enact laws that prevent, deter and punish cybercrimes against state information systems.
Finally, IT officials must help law enforcement and the courts by mandating interagency protocols and standards. One way is to establish joint training for federal, state, local and tribal peace officers. IT security crimes have no boundaries and often cross jurisdictions. Bringing the perpetrators to justice will be next to impossible without the coordinated efforts of many organizations.
If states adopt these five measures, the public and the business community will be able to continue to rely on the state infrastructure. We can declare success when all residents are enlisted in the fight against the multitude of systems security threats.
Otto Doll, South Dakota's chief information officer, formerly worked in federal information technology and was president of the National Association of State Information Resource Executives.