The Ingham County firewall security system has stopped over one million attempts to deliver spam, viruses and malware to county systems in just the last week, says Tim Dolehanty the county controller. It deflects hundreds of millions of attacks each year.
But the county’s systems remain vulnerable, said Vincent Foess, the county’s interim director of the Innovation and Technology Department.
“Somebody sitting Europe could log into this thing right now. It’s all web-based,” Foess told the County Services Committee last week. By this thing, Foess meant the internal systems designed to deliver a variety of personnel and other matters throughout the county.
Exactly what information is at risk, however, is unclear.
“The IT department continues its ongoing quest to identify and address vulnerabilities to our network,” Dolehanty said. “For security reasons, we respectfully decline to specifically identify any suspected vulnerabilities.”
But Foess told commissioners that approval of a contract with Lansing-based Dewpoint for up to $30,000 was “very urgent.” The contract would pay Dewpoint to update the county website and close security gaps.
Foess said there were “security issues” with the web applications, adding that there had been “zero security on the back end” of past systems.
“You had social security numbers out there exposed,” he said. “You had personal information out there exposed. Anyone in the world could get on the web and see this information.”
Dolehanty and Ingham County Board of Commissioners Chairwoman Kara Hope, a Holt Democrat, said social security numbers are no longer at risk.
That problem, Foess said, was first identified when he started in August 2014. Dewpoint was hired to address some of those security issues in 2014, and the county commission is being asked to extend that contract.
Foess said extending the contract would ensure that someone was dedicated to addressing security issues, which he said the county has not had since a former employee retired and the job description was rewritten.
“We’ve had problems with this website for a long time,” said Deb Nolan, who chairs the County Services Committee. Nonetheless, committee members were not buying Foess’ urgency argument and tabled the resolution. Nolan said she wanted to allow a new, permanent director to review the situation and make recommendations.
The former director, Michael Ashton, was fired from the county when a City Pulse investigation revealed he had violated the county’s ethics policy. He was charged earlier this month with one misdemeanor count of bribery for taking tickets and other junkets from county IT contractors.
A new director could be announced in as few as two weeks, Dolehanty told committee members.
While County Services tabled the resolution to authorize the contract with Dewpoint, the Financial Services Committee, adopted the resolution. It has been forwarded to the full board for consideration.
Rejecting this tactic, Hope said the resolution will be sent back to County Services for action.