State computers increasingly under attack by cybercriminals

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Jenni Bergal
 

Connecting state and local government leaders

By Jenni Bergal

|

Although states have strengthened their defenses against hackers and cybercriminals who attack their computer networks, officials admit they’re not fully prepared for increasingly complex threats that could expose the personal information of their residents.

This article originally appeared in Stateline, an initiative of the Pew Charitable Trusts.

State information technology officials have strengthened their defenses against hackers and cybercriminals who attack their computer networks millions of times a day, but admit they’re not fully prepared for increasingly complex threats that could expose the personal information of their residents.

A report by the National Association of State Chief Information Officers (NASCIO) and consulting firm Deloitte & Touche LLP released Tuesday revealed that cybersecurity is the foremost priority for state IT officers, who are highly concerned about increasing efforts, especially by sophisticated crooks, to breach their systems.

“These sophisticated threats have grown significantly,” said Doug Robinson, NASCIO’s executive director. “There’s a never-ending parade of bad guys who are attempting to penetrate the network.”

For citizens, the stakes in averting breaches are high. State data systems contain personal information about millions of people that is valuable to identity thieves. They house birth and death certificates, and driver’s license numbers. The systems also house Social Security numbers of state income taxpayers and the credit card numbers of people who make payments to state agencies.

The report, in which top IT security officers from 48 states were surveyed, predicted the most prevalent threats to their systems were those targeted at state employees by crooks looking for a way in.

Some fraudsters go “phishing,” using emails to guide unwitting state employees to fake websites designed to get personal information, such as passwords.

Others go “pharming,” redirecting internet users from a legitimate website that’s been tampered with to a fake one that looks real.

And while most elected and appointed state officials overestimate how well threats will be handled by their IT security officials, the report found, only about a quarter of the security officials responsible for dealing with the threats are very or extremely confident that adequate measures are in place to protect the data.

“As these cybercriminals get more sophisticated, that means the defense mechanisms I’m relying upon may not be able to keep up,” said Victor Chakravarty, Maine’s chief information security officer.

In August, Maine’s IT network got “probed” more than 6 million times a day, every day, and most of the would-be intruders looking for an entry point likely were sophisticated cybercriminals, Chakravarty said.

“These are not the kids in their mom’s basement,” he said. “They are cartels.”

So far, Chakravarty said he knows of no instance in which the state’s network was breached. But computer breaches can go undetected for weeks or months.

As states continue to outsource IT services to private contractors and software companies, the security officials surveyed also expressed concern about their cybersecurity practices, such as taking adequate measures to protect sensitive information. Nearly a quarter said they were “not very confident” about those efforts.

The report found that while governors and state executives have been paying more attention to cybersecurity, that’s not the case with legislators. Most states don’t have legislation requiring that cybersecurity risks and the progress made be reported to the legislators. Nearly a third of the IT security officers said they never communicate with their legislatures about cybersecurity.

“Legislators need to know what the risks are that states are dealing with and how they can tackle those by giving them resources and budget,” said Srini Subramanian, a state cybersecurity principal at Deloitte who co-authored the report.

The danger to residents

State computer systems contain more information on people than local or even federal government computers.

“They have all of the data around everyone’s lives, from their Social Security numbers to their tax information,” said Dan Lohrmann, chief security officer for Security Mentor, a national security training firm that works with states. “That’s the data that can be used to commit identity theft, and it can be devastating to somebody. They’ve got the crown jewels.”

Any breach can be serious business, Lohrmann and other IT specialists warned, and state officials need to take steps to constantly look for vulnerabilities and shore up defenses to ensure there won’t be any. Some are trying to do just that.

Last week, Oregon Democratic Gov. Kate Brown ordered state agencies to overhaul their cybersecurity systems, which she called “antiquated” and vulnerable to attacks.

Last month, the National Association of Secretaries of State cautioned election officials to remain vigilant against attacks following hacks that targeted voter registration systems in Arizona and Illinois.

In doing so, the association noted that it would be “highly improbable” for the national election to be hacked because of the decentralized process in which each state and local government conducts its own system of voting.

In California, the state auditor issued a stinging report last year about cybersecurity oversight after finding that “weaknesses leave some of the state’s sensitive data vulnerable to unauthorized use, disclosure or disruption.”

Funding and staffing worries

Despite the growing threat, state IT security officials say they still suffer from inadequate funding and have trouble hiring qualified cybersecurity specialists.

While most states have gotten more money since 2014 for cybersecurity, those increases have usually been small. Eighty percent of the officers surveyed said a lack of funding remains a top barrier.

In most states, the report said, spending on cybersecurity was only a fraction of the overall IT budget, ranging from zero to 2 percent.

“The funding is not commensurate to the risk that the states face,” said NASCIO’s Robinson. “That’s a challenge the states need to address.”

Chakravarty, Maine’s chief IT security official, said residents trust states with a vast repository of personal information, and, in exchange, the states must maintain the highest level of privacy and security.

“If states are underfunding that resource, they have very little margin in protecting that citizen data,” he said. “That doesn’t mean tomorrow it will be breached. But it means the walls are not as thick as the industry says it should be.”

State IT security officials also continue to have trouble finding and keeping a qualified cybersecurity workforce, which Robinson calls a “talent crisis.”

The private sector pays better. And state retirement plans that once were “carrots” to attract staff are no longer a given, making the jobs less appealing to cybersecurity professionals, the report found.

Many state IT security officials said they try to attract and retain staff by focusing on job stability, as well as promoting the idea of giving back by serving and contributing to the state, which they hope will attract millennials.

But Security Mentor’s Lohrmann, who was the chief IT security officer in Michigan, said he’s somewhat skeptical those tactics will make a huge difference.

“The brain drain from government in the last two years that I’ve seen on the ground is huge,” he said. “The talent going to the private sector is growing. It’s true that people want to give back. But they also want to get back into the private sector and make money.”

NEXT STORY: Bug bounties: How federal agencies can learn from Apple

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.