The Woeful State of State Cybersecurity: Be Very Afraid

The report out of the Pell Center for International Relations and Foreign Policy is almost enough to make you crawl under the covers and turn off the lights. In its review of cybersecurity practices of United States’ states it found that there is plenty to worry about. Your personal data may be at very high risk when it is in the care of state agencies.

Here is the essence of the report’s warning: “While some progress has been made to increase states’ cybersecurity preparedness and resilience, there is still much more work to be done to increase the maturity, readiness, and risk awareness of state governments and their agencies. The 2013 Nationwide Cyber Security Review…found that ‘states’ progress in cybersecurity preparedness has not kept up with advances in cyber threats and that there was ‘little progress in the overall maturity of security programs in place across state, local, tribal and territorial (SLTT) governments to defend against the attacks.’”

Read that again: it is saying that states have not done nearly enough to keep up with the rapid advances in maturity, skill and determination of cybercriminals. Eight states are “leading the rest,” per Pew – California, Maryland, Michigan, New Jersey, New York, Texas, Virginia, and Washington. As for the 42 other US states, well, good luck.

Here is why this matters: “With greater and greater frequency, state governments are falling victim to an array of cyber threats, including data breaches, tax fraud, and political hacktivism,” said Pell Center Executive Director Jim Ludes.

Remember, too, states typically have a full menu of data on their residents – everything from Social Security numbers to driver’s license numbers, home addresses and more.

Pell Senior Fellow Francesca Spidalieri added: “Local and state governments, just like the federal government, hold the information of millions of people and depend on information communication technologies and the Internet to provide a number of services to their citizens, to maintain critical infrastructure as public utilities, to share information across states and federal networks, and to make sure that first responders receive the data they need in crisis situations. This is why it is critical,” she continued, “that states protect their cyber infrastructure and digital investments and develop comprehensive plans to increase their preparedness and resilience.”

You’re not in the US? Don’t laugh about America’s travails. It is naive to think regional and provincial protections are stronger in Canada, Australia, the United Kingdom, Germany and down the line. Provincial governments – most of them around the world – have struggled in the global recessions of recent years and that has meant budget cuts. One place to cut that no one will notice: cybersecurity.

Or maybe it is not so much budget cutting as simply not increasing the cybersecurity budget to the level needed to keep up with the explosion of highly skilled and well-funded state sponsored hackers as well as employees of highly profitable criminal enterprises. The black hats have been spending. Not so much provincial governments.

Know this is not an academic discussion. States already have been breached, painfully. A case in point is South Carolina, which in 2012 suffered a massive breach of its tax department which means the hackers got away with records including taxpayer Social Security numbers, home addresses and more. One expert called it at the time “the mother of all data breaches.”

More amazing: in Texas in 2011, the state’s Comptroller’s office admitted a publicly facing computer in its offices exposed Social Security numbers and other records of some 3.5 million Texans. It is unclear how long the data was there to be picked through by criminals.

Such stories are – sadly – not unique. What’s unknown is exactly how many other states have suffered similar incidents. But guesses by experts are that many have – and many may not even know it. That is how porous government security gets.

“Just about any state could suffer a breach,” said Steve Barone, founder and CEO of IT risk management firm CBI. His claims: state IT has never been structured with security in mind, often it’s a patchwork of very old systems and there has been no concerted effort to protect the data.

Added Barone: “How dare they store our info on 30 year-old servers – and that is what they are often doing.”

Indeed, how dare they?

Leave a Comment