'It's Just a Matter of Time'
by Jennifer Ginn, CSG Associate Editor
In the early 1980s, a movie called WarGames featured a young computer hacker who accidentally ends up nearly causing World War III after he finds his way into a military supercomputer. By the 1990s, when America’s fledgling love affair with the Internet was just beginning to bloom, nosy hacker kids were about all businesses and governments needed to worry about with security breaches.
“The first ones (hackers) were typically high school kids trying to demonstrate they were really smart and trying to get into the Pentagon,” said Larry Ponemon, chairman and founder of the Ponemon Institute, a research organization dedicated to cybersecurity, data protection and privacy. “It wasn’t really about stealing anything. It was about getting into places you weren’t supposed to go.”
Now those kid hackers, the Internet and a new breed of cybercriminals have all grown up. Cyber pranks have turned into cyber warfare and state governments are learning that nobody is safe.
Problem Not Going Away
Ponemon said people often wonder why we are still talking about cybersecurity. That’s because it’s not going away, he said.
“It’s kind of evolved now to where we’re actually contemplating cyber warfare,” he said. “It’s become a tool of mass destruction. If you turn off a utility or power company, it can cause a lot of damage and harm people.
“The … security solutions that worked so well 10 or 15 years ago have become pretty much irrelevant. It’s a little like a nuclear arms race. … It’s a very, very hard, complex issue to manage. That’s why security has never been solved, really; it’s an unsolvable question.”
Security breaches are not uncommon. According to a report from Rapid7, a security software company, 268 data breaches in government agencies from Jan. 1, 2009, to May 31, 2012, exposed private information in more than 94 million records.
Chad Grant, senior policy analyst for the National Association of State Chief Information Officers—also known as NASCIO—said state technology leaders are well aware of online threats.
“It’s something that has been a major issue for state CIOs over the past decade and it’s continuing to be a larger and larger priority,” Grant said. “Every year we put together a state CIO priority list that the members vote on, and this year, security is still up there in that top 10. It was actually ranked at number three this year, just behind consolidation and cloud services.
“The citizens want to be able to move to mobile environments; they want to move to an online instead of inline type of service environment if possible. That needs to be done with protecting personal information. Over 20 percent of data breaches within the U.S. occur in the public sector.”
While securing residents’ private information is important, many state chief information officers don’t believe they have the resources to do it. In a 2012 Deloitte-NASCIO survey, 92 percent of state officials think cybersecurity is very important for their state, yet only 24 percent of chief information security officers were very confident their state’s data was protected.
Eighty-six percent of information officers said insufficient funding was the key barrier to addressing cybersecurity, and 70 percent of them have reported a breach.
“When you look at states, from cradle to grave, all your information is there,” Grant said. “It’s important the state be able to protect it.”
South Carolina Security Breach
In the fall of 2012, the South Carolina Department of Revenue became the victim of the single largest security breach in the country. Between Aug. 13 and Sept. 15, 2012, cyber criminals gained access to 44 of the revenue department's computer systems. According to a story from The Greenville News, the hackers ended up with 3.8 million Social Security numbers, 3.3 million bank account numbers and information on almost 700,000 businesses.
The preamble to Senate Bill 334—written in response to the breach and introduced in February—attributed the data breach to lax security measures because revenue officials thought there was little chance of a problem.
“This cybersecurity breach at the Department of Revenue was not primarily about the failure of technology, but was about the failure to deploy even the most basic technology and a failure of organizational structure,” the bill states. “Under the state’s current decentralized approach to information security, each agency decides its own risk tolerance for data loss and creates its own information security plan, absent statewide oversight and standards, … creating unacceptable risks for data breaches throughout all of state government.”
The bill, among other things, would create an Identity Theft Unit within the Department of Consumer Affairs. The unit would receive complaints about identity theft and assist victims, promote the use of best practices and provide a centralized location to collect information related to identity theft incidents.
Grant said there is a lot more discussion happening in South Carolina now about protecting personal data. The state also is doing an extensive audit of its security practices, as well as providing credit monitoring for those affected by the breach, which will cost $12 million for just one year. The bill failed to pass in this session.
“I think one thing that states can take away from this … is you need to be prepared,” Grant said. “It’s not necessarily that you can protect yourself 100 percent, but you need to be prepared in the event that something does happen. One thing that has occurred since the South Carolina breaches, there’s been a lot more information sharing. That’s the thing, I think, (that) is going to help states, locals, and territories and tribes, … so they understand what the threats are.”
Utah Breach in Medicaid Data
Utah experienced its own data breach in March 2012, when personal data for more than 700,000 residents was stolen.
Sen. Stuart Reid, who introduced Senate Bill 20 in response to the theft, said the problem arose when doctors’ offices were checking the state’s databases on all of their patients, also known as pinging, to see if they were covered by Medicaid or Medicare. Each time a patient is pinged, the firewall securing the state data is supposed to go down briefly.
“Usually, it’s just a matter of milliseconds when the pinging goes through, then the door closes behind it and the state responds,” Reid said. “For whatever technical reason, that firewall was left open for a fairly lengthy period of time.”
Senate Bill 20, signed into law in March, requires the state to use best practices for data security at all times. If best practices cannot be used, the governor, the speaker of the house and the president of the senate must be notified. Those three officials also must be notified if best practices are not being implemented because of a budgetary reason. A committee of experts has been put into place to monitor security practices and an expert third party will conduct an audit at least every two years to assess whether the state is still conforming to the industry’s best practices.
Reid said until this breach, data security was not a big concern among most Utah legislators.
“The only time people really talked about identity theft or personal data theft was during our debates on immigration and so forth, people stealing identities because of illegal immigration,” he said. “Ignorance was bliss until this event took place.”
Reid said the incident is going to end up costing the state $6 million to $10 million, which includes credit monitoring for those affected, upgrading technology and covering costs of the panel of experts. The state also is likely to be fined by the federal government for the breaches in the Medicaid database.
“Every state is being attacked daily,” Reid said. “It’s not if, it’s when they’re going to be breached. If you’re not maintaining the best practices, you’re going to be paying for it. They (legislators) need to think of this as important as making sure the power is on. It is the cost of doing business. It’s an infrastructure cost, a utility cost they cannot shortchange.”
Insurance and Aggressive Security
South Carolina and Utah are finding that data breaches can cost tens of millions of dollars, which is hard to pay for in a tight budget.
Montana is one of the few states with insurance coverage for data breaches. Nobody is sure of the exact number of states carrying such insurance since states are not required to report it.
Brett Dahl, Montana's risk insurance manager, said the state has had the coverage since 2010 as an add-on to its property insurance policy. It covers up to $2 million in costs and provides expert assistance should a breach occur. Dahl said each state needs to take an honest assessment of its vulnerabilities.
“Try to put an insurance product in place to try to mitigate these unforeseen costs,” he said. “To come up with $8 million to $10 million in our budget would be a real hardship for any of our agencies in Montana.”
While experts admit that cybersecurity is a costly issue, Michigan officials said their state has managed to invest even with tight budgets. Dan Lohrmann, Michigan’s chief security officer, said his state spends about 2 percent of its yearly technology budget on security. NASCIO’s Grant said the national average is closer to 1 percent for states, while banks and other industries spend closer to 10 percent.
Lohrmann said Gov. Rick Snyder, who sat on the board of directors for Gateway computers, has an intense awareness of data security issues. The state created the Michigan Cyber Range, a state-of-the-art facility that offers cybersecurity training for state workers, businesses and residents. Much like a shooting range gives police officers the chance to practice their skills, the cyber range gives IT people the chance to hone their skills by responding to a simulated attack.
“We’ve had other states come to us and ask if we could provide them some services,” Lohrmann said. “The governor sees this as an economic development opportunity.”
Lohrmann said Michigan officials also support forming partnerships with the federal government to gain access to new technology and training that otherwise wouldn’t be available.
“We’re not CIA, we’re not NSA, we’re not Homeland Security and we’re not FBI,” he said. “We’ve got to partner with the people who are the best.”