New York pulls sensitive data from state's Web sites

Computerworld - New York Gov. George Pataki has ordered a statewide scrub of government agency Web sites to remove sensitive information that might help terrorists plan and carry out attacks on the state's critical infrastructure.

The move comes two weeks after an investigative report by Computerworld uncovered dozens of corporate and federal government Web sites that provide interactive maps depicting information such as the location of nuclear waste storage facilities, detailed data on nuclear reactors, state power grid profiles and detailed diagrams of every major telecommunications network in the U.S. (see story).

Among the data that may be removed from the Web sites is information on state government offices, dams, maps and power stations.

Mollie Fullington, a spokeswoman for Pataki, didn't return calls for comment by deadline. However, experts point out that while the state's efforts to impede future terrorist plans are laudable, most of the detailed information about sensitive infrastructures that is available on the Web doesn't belong to the state. Most of the data that has been out there for years was put there by private companies that own and operate the facilities and by the federal government, experts said.

"This action is like locking the barn after the horse has been stolen," said Ed Badalato, president of Washington-based Contingency Management Services Inc. and the former deputy assistant secretary for energy emergencies at the Department of Energy (DOE). However, many state agencies have regulatory ownership and even managerial responsibility for various critical infrastructures and potential targets, said Badalato.

Although most of the information that would be useful to attack planning has probably already been downloaded, "I can't fault [Pataki] for carrying out his responsibilities," Badalato said. "It will keep the bad guys from getting all of the updates, and may make them work a little harder to hack their way into critical IT command and control sites."

Chris Dixon, digital government coordinator and security specialist at the Lexington, Ky.-based National Association of State Chief Information Officers (NASCIO), said a large number of states are conducting similar Web security audits. However, "the states probably have a limited amount of information," said Dixon. "Although it varies from state to state, most are taking down the information that might be most readily used, such as aerial photos and infrastructure maps."

Eric Shaw, a former CIA psychologist and profiler and the principal author of a recent study published by Manhattan-based consulting firm Stroz & Associates, said most of the important information from a terrorism perspective belongs to and is managed by the federal government.