By David Robison Special to Texas Insider
By now we have all seen the alarming articles published which show our national and state technology infrastructures are under serious attack. For example in its April 21 2009 edition the Wall Street Journal reported that Chinese computer spies broke into the Pentagons $300 billion Joint Strike fighter program and copied several terabytes of sensitive data.
This data was accessed through unwitting but trusted outside contractors (Computer Spies Breach Fighter-Jet Projects").
At the same time we are becoming more and more vulnerable to the effects a successful cyber attack would have on our electronic infrastructure with deployment of such technology as the SMART Grid (
Smart Grid and the Possibility of an Electronic Pearl Harbor" The Industry Standard November 30 2009)
According to reports by several media outlets the United States and U.S. companies face more than 36000 serious cyber attacks every year. And those are just the ones officials can document.
These attacks are not e-mail hacking or spam. They are attacks involving critical assets of military municipal financial and government institutions on a large scale at a cost of tens of billions of dollars to repair the damage.
Sean Henry an assistant director of the FBI in charge of the Bureaus Cyber Division told 60 Minutes There are thousands of attempted attacks every single day tens of thousands of attacks."
Henrys job is to police potential targets all over the United States.
Some of these attacks come from the most predictable of places. Take for instance the attack on the City of San Francisco. In July 2008 a 43 year-old computer engineer who worked for the city locked out all passwords but his own after becoming disgruntled over being disciplined for poor performance. The city was completely locked out of all its computer systems and all the while the employee sat in jail refusing to cooperate with authorities.
The employees actions among other things froze all payroll systems and blocked access to important law enforcement files. For several days the city of
San Francisco was held cyber-hostage. Experts told Wired magazine that the hijacking in part was likely a result of poor internal security controls." San Francisco Mayor Gavin Newsom declared the computer engineer a rogue city employee.
In truth while technology has done a fairly good job of protecting our electronic infrastructure from outside threats because of some recent technology shifts it remains vulnerable to threats from inside.
All sorts of outside contractors are routinely cleared an authorized to enter our sensitive electronic facilities where there is little security from sabotage. This is exactly what the Chinese exploited. This does not even address the disgruntled employee already in place which is exactly the problem in the case of San Francisco.
These same scenarios could happen in Texas and Texas has no plan to deal with this potential disaster.
In 2007 the State of Texas reached an agreement with IBM to transfer most responsibilities for data storage and security to IBM as the private sector provider. Since that initial agreement little has worked out well for the interests of the State of Texas and its taxpayers.
The Austin American Statesman last week described the IBM deal as The mammoth data center project launched in 2007 has been bedeviled by delays
equipment failures and poor service. State agencies involved in the project had raised more than 800 issues with the contract and the service they have been getting from IBM."
Texas taxpayers will continue to pick up the cost for a failed $863 million venture with IBM. The chief negotiator and executor for the agreement with IBM is the Texas Department of Information Resources.
When confronted by lawmakers last February on concerns over security problems with the States online project and the pending bankruptcy of Bearingpoint the states private sector vendor Texas Department of Information Resources (DIR) failed to provide a public answer for a solution. Almost a year later DIR has yet to provide a budget or plans for a solution to the possibility of an internal attack.
How long should DIR be allowed to continue to fail to provide answers to state lawmakers?
DIR openly admits the only protection the state provides against internal attacks is laws and internal procedures to prosecute offenders that might perpetrate an attack on state assets. So if a rogue employee steals millions of dollars or locks out the states payroll for an unlimited period of time the state may only turn the employee over to the district attorney and hope the damage will be minimal.
This does not even begin to address the serious national security issues.
Here is another scenario which might give some pause about government employees and the responsive solutions from the nations Department of Defense.
When a worker at the Pentagon plugged a corrupted thumbnail drive into a Central Command (CENTCOMM) computer in November 2008 a malicious code opened a backdoor for a foreign power to get into the system. The intrusion went undetected for several days. Frustrated insiders in the Department of Defense leaked the story in an effort to force the adoption of added security.
The Pentagons solution? Ban all thumb drives. But is a wholesale ban on everything which might compromise a systems integrity really the best solution or realistic in todays technology driven culture?
When U.S. Congressman Jim Langevin heard about these attacks he began efforts to require the vulnerabilities be safeguarded. In a 60 Minutes interview Langevin said The private sector has different priorities than we do in providing security. Their bottom line is about profits. And we need to change that. We need to change their motivation so that when we see a vulnerability like this we can require them to fix it."
Langevin has been joined in his efforts by Texas Members of Congress Michael McCaul Sheila Jackson-Lee and a growing base of bipartisan support.
While Congress works to address concerns of the federal government what has been done to address concerns at the state level?
In 2009 the Texas Legislature took a huge leap in defining and securing the States computer systems. In a recessionary budget farsighted legislators mandated DIR develop and implement a solution to provide protection of cyber assets against internal attacks including those from private vendors. Meaning the farsided Texas Legislature recognized that threats from within are as dangerous as threats from without; and has expressed its intent that all events be centrally identified in order to safeguard Texas critical infrastructure.
The Department of Information Resources has yet to provide a plan to state legislators or a budget for securing the states cyber assets. Monitoring the entire system can be done in a way that compliments existing security investments regardless of the age or configuration of a system.
The real danger is to not guard the whole system. Its like wiring all your doors and windows with a sophisticated alarm but not wiring the pet door at the floor level. Something or someone can get in.
And you will never know it until its too late.
Hopefully the State Legislature and Department of Information Resources will provide a budget and plan to address this problem before some malevolent source causes significant irrecoverable destruction or even God forbid death.
David Robison is a communications & intelligence specialist based in Austin.
By David Robison Special to Texas Insider
By now we have all seen the alarming articles published which show our national and state technology infrastructures are under serious attack. For example in its April 21 2009 edition the Wall Street Journal reported that Chinese computer spies broke into the Pentagons $300 billion Joint Strike fighter program and copied several terabytes of sensitive data.
This data was accessed through unwitting but trusted outside contractors (Computer Spies Breach Fighter-Jet Projects").
At the same time we are becoming more and more vulnerable to the effects a successful cyber attack would have on our electronic infrastructure with deployment of such technology as the SMART Grid (Smart Grid and the Possibility of an Electronic Pearl Harbor" The Industry Standard November 30 2009)
According to reports by several media outlets the United States and U.S. companies face more than 36000 serious cyber attacks every year. And those are just the ones officials can document.
These attacks are not e-mail hacking or spam. They are attacks involving critical assets of military municipal financial and government institutions on a large scale at a cost of tens of billions of dollars to repair the damage.
Sean Henry an assistant director of the FBI in charge of the Bureaus Cyber Division told 60 Minutes There are thousands of attempted attacks every single day tens of thousands of attacks."
Henrys job is to police potential targets all over the United States.
Some of these attacks come from the most predictable of places. Take for instance the attack on the City of San Francisco. In July 2008 a 43 year-old computer engineer who worked for the city locked out all passwords but his own after becoming disgruntled over being disciplined for poor performance. The city was completely locked out of all its computer systems and all the while the employee sat in jail refusing to cooperate with authorities.
The employees actions among other things froze all payroll systems and blocked access to important law enforcement files. For several days the city of 
