This article originally appeared in Stateline, an initiative of the Pew Charitable Trusts.
State information technology officials have strengthened their defenses against hackers and cybercriminals who attack their computer networks millions of times a day, but admit they’re not fully prepared for increasingly complex threats that could expose the personal information of their residents.
A report by the National Association of State Chief Information Officers (NASCIO) and consulting firm Deloitte & Touche LLP released Tuesday revealed that cybersecurity is the foremost priority for state IT officers, who are highly concerned about increasing efforts, especially by sophisticated crooks, to breach their systems.
“These sophisticated threats have grown significantly,” said Doug Robinson, NASCIO’s executive director. “There’s a never-ending parade of bad guys who are attempting to penetrate the network.”
For citizens, the stakes in averting breaches are high. State data systems contain personal information about millions of people that is valuable to identity thieves. They house birth and death certificates, and driver’s license numbers. The systems also house Social Security numbers of state income taxpayers and the credit card numbers of people who make payments to state agencies.
The report, in which top IT security officers from 48 states were surveyed, predicted the most prevalent threats to their systems were those targeted at state employees by crooks looking for a way in.
Some fraudsters go “phishing,” using emails to guide unwitting state employees to fake websites designed to get personal information, such as passwords.
Others go “pharming,” redirecting internet users from a legitimate website that’s been tampered with to a fake one that looks real.
And while most elected and appointed state officials overestimate how well threats will be handled by their IT security officials, the report found, only about a quarter of the security officials responsible for dealing with the threats are very or extremely confident that adequate measures are in place to protect the data.
“As these cybercriminals get more sophisticated, that means the defense mechanisms I’m relying upon may not be able to keep up,” said Victor Chakravarty, Maine’s chief information security officer.
In August, Maine’s IT network got “probed” more than 6 million times a day, every day, and most of the would-be intruders looking for an entry point likely were sophisticated cybercriminals, Chakravarty said.
“These are not the kids in their mom’s basement,” he said. “They are cartels.”
So far, Chakravarty said he knows of no instance in which the state’s network was breached. But computer breaches can go undetected for weeks or months.
As states continue to outsource IT services to private contractors and software companies, the security officials surveyed also expressed concern about those third parties’ cybersecurity practices, such as whether they take adequate measures to protect sensitive information. Nearly a quarter said they were “not very confident” about those efforts.
The report found that while governors and state executives have been paying more attention to cybersecurity, that’s not the case with legislators. Most states don’t have legislation requiring that cybersecurity risks and the progress made be reported to the legislators. Nearly a third of the IT security officers said they never communicate with their legislatures about cybersecurity.
“Legislators need to know what the risks are that states are dealing with and how they can tackle those by giving them resources and budget,” said Srini Subramanian, a state cybersecurity principal at Deloitte who co-authored the report.
The danger to residents
State computer systems contain more information on people than local or even federal government computers.
“They have all of the data around everyone’s lives, from their Social Security numbers to their tax information,” said Dan Lohrmann, chief security officer for Security Mentor, a national security training firm that works with states. “That’s the data that can be used to commit identity theft, and it can be devastating to somebody. They’ve got the crown jewels.”
Any breach can be serious business, Lohrmann and other IT specialists warned, and state officials need to take steps to constantly look for vulnerabilities and shore up defenses to ensure there won’t be any. Some are trying to do just that.
Last week, Oregon Democratic Gov. Kate Brown ordered state agencies to overhaul their cybersecurity systems, which she called “antiquated” and vulnerable to attacks.
Last month, the National Association of Secretaries of State cautioned election officials to remain vigilant against attacks following hacks that targeted voter registration systems in Arizona and Illinois.
In doing so, the association noted that it would be “highly improbable” for the national election to be hacked because of the decentralized process in which each state and local government conducts its own system of voting.
In California, the state auditor issued a stinging report last year about cybersecurity oversight after finding that “weaknesses leave some of the state’s sensitive data vulnerable to unauthorized use, disclosure or disruption.”
Funding and staffing worries
Despite the growing threat, state IT security officials say they still suffer from inadequate funding and have trouble hiring qualified cybersecurity specialists.
While most states have gotten more money since 2014 for cybersecurity, those increases have usually been small. Eighty percent of the officers surveyed said a lack of funding remains a top barrier.
In most states, the report said, spending on cybersecurity was only a fraction of the overall IT budget, ranging from zero to 2 percent.
“The funding is not commensurate to the risk that the states face,” said NASCIO’s Robinson. “That’s a challenge the states need to address.”
Chakravarty, Maine’s chief IT security official, said residents trust states with a vast repository of personal information, and, in exchange, the states must maintain the highest level of privacy and security.
“If states are underfunding that resource, they have very little margin in protecting that citizen data,” he said. “That doesn’t mean tomorrow it will be breached. But it means the walls are not as thick as the industry says it should be.”
State IT security officials also continue to have trouble finding and keeping a qualified cybersecurity workforce, which Robinson calls a “talent crisis.”
The private sector pays better. And state retirement plans that once were “carrots” to attract staff are no longer a given, making the jobs less appealing to cybersecurity professionals, the report found.
Many state IT security officials said they try to attract and retain staff by focusing on job stability, as well as promoting the idea of giving back by serving and contributing to the state, which they hope will attract millennials.
But Security Mentor’s Lohrmann, who was the chief IT security officer in Michigan, said he’s somewhat skeptical those tactics will make a huge difference.
“The brain drain from government in the last two years that I’ve seen on the ground is huge,” he said. “The talent going to the private sector is growing. It’s true that people want to give back. But they also want to get back into the private sector and make money.”