Editor’s note: Today’s editorial originally appeared in The (Eugene, Ore.) Register-Guard. Editorial content from other publications and authors is provided to give readers a sampling of regional and national opinion and does not necessarily reflect positions endorsed by the Editorial Board of The Daily News.
Imagine a customer service survey composed of a series of questions and circles to fill in according to your level of response:
A circle left blank means “Poor.” A half-darkened circle means “Making progress.” A completely darkened circle means “Excellent.” If you were the company owner reviewing the composite results of the survey, you would hope to see all the circles darkened, indicating excellent performance.
Imagine if instead you saw most of the circles remained blank, and the remainder were only half-darkened. The message would be unmistakable: Failure. This is reality, not imagination, when it comes to cybersecurity in our state government. Those circles and graphs displayed the results of a devastating audit report that found the state’s lead agency, the Department of Administrative Services, “lacks many of the basic security controls to prevent cyber intrusions.”
Auditors from the Secretary of State’s Audits Division used the circles to illustrate whether DAS had “not implemented,” “partially implemented” or “fully implemented” the industry-standard cybersecurity protocols. None were fully implemented.
The audit’s conclusions are scary but not surprising. Our state government, like many public and private organizations, struggles mightily with information technology. There have been epic failures, some successes and an ongoing over-reliance on outdated software and hardware.
Released last week, the audit report tells the story of a department whose IT supervision is fragmented, with robust controls in some places but not others and most of the computer applications not being supported by DAS IT staff.
DAS management agreed with the auditors’ recommendations and began making improvements, but said some will take up to four years to implement.
Money and staffing are an issue, but that time lag is unconscionable. Oregonians, who are both the “owners” and the customers of state government, should demand swift action from Oregon’s CEO — Gov. Kate Brown — and its board of trustees, the Legislature.
The stakes are high. This is just one department, and the audit findings might apply equally to dozens of other state agencies. Recent data breaches have potentially compromised personal information at the Department of Human Services, Oregon State Hospital and other agencies.
State law requires any state agency or business to notify Oregon consumers whose personal information was subject to a security breach. The state Department of Justice database lists more than 300 such instances affecting Oregonians since 2015, including state agencies, local governments, school districts and colleges, as well as medical clinics, stores, hotels and many other businesses.
Public services themselves are at risk. Dozens of government organizations around the country have suffered ransomware attacks this year from hackers who gained control of IT systems and demanded ransoms for unlocking the systems.
Hackers seeking a $76,000 ransom recently shut down most city services in Baltimore for weeks, costing the city about $18 million in restoration costs and lost or delayed revenue. This was the second ransomware attack in a little over a year.
The state of Oregon has experienced some ransomware attempts, but officials have not released the details because they don’t want to compromise security.
In most instances of computer intrusions, however, it’s not that brilliant hackers manage to penetrate the toughest defenses available. It’s that organizations don’t practice basic cyber hygiene, including applying regular software patches and backing up data. Employees at every level of an organization must buy into the importance of constantly practicing safe computing.
Last month, the state’s chief information officer released the 2019 Statewide Information and Cyber Security Standards, a 70-page document that includes protections against ransomware and other threats.
The DAS audit, coupled with well-known bad experiences at every level of government, should cause state agencies to make sure they understand, appreciate and meet those industry standards.