In a ‘scary world,’ state leaders struggling to keep hackers at bay

Computer (KXAN file photo)

AUSTIN (KXAN) — State lawmakers addressed concerns about protecting Texans’ information Wednesday in order to identify possible policy changes.

The Senate Select Committee on Cybersecurity was created in October by Lt. Gov. Dan Patrick to take a closer look at security plans for state agencies as well as “identify risks and vulnerabilities.”

“We need to protect our data and info at all levels,” said the committee’s chair, Sen. Jane Nelson, R-Flower Mound.

Mike Sturm, who runs the city of San Marcos’ Information Technology department, said cities face a “scary world” at the local level.

He said the city has fallen victim to phishing scams more than once in recent memory.

“Email communication came in to accounts payable clerk, asking about a status of a check,” Sturm said, adding that the hacker asked the clerk to “change our banking information,” and the clerk followed along.

State Sen. Jane Nelson, R-Flower Mound, presiding over the Senate Select Committee on Cybersecurity on Dec. 6, 2017. (Nexstar Photo/Wes Rapaport)

The city’s insurance policy covered the first year of identity protection after the incident, and the two subsequent years were funded by the city. In another incident, hackers took down the city’s website through its cloud server, forcing officials to find a new host for the site.

Situations like this in cities with smaller IT departments pose threats to the safety of private information. With state agencies, while there are more safeguards, the stakes are also higher.

“Cradle to grave, [state agencies] have your full life in trust and today in a digital format more than ever, so that makes it very attractive,” Doug Robinson, executive director for the National Association of State Chief Information Officers, said on Wednesday.

“Unfortunately, [hackers] are operating 24 hours a day seven days a week, so their sole motivation is financial gain or embarrassment,” Robinson said. “[Hackers] only have to get it right once, the state agency has to be right all the time.”

Robinson said most states direct two percent of the budget to cybersecurity, while the private sector budgets about 8-10 percent overall, and the federal government appropriates 16 percent to cybersecurity.

Robinson suggested simple “cyber hygiene checks,” using tools like password management, software updates and encryption of sensitive data.

Nelson compared digital attacks to “whack-a-mole.” When one data breach is identified and plugged, hackers will target another weakness.

Senate Select Committee on Cybersecurity meeting on Dec. 6, 2017. (Nexstar Photo/Wes Rapaport)

Nancy Rainosek, chief information security officer for the Department of Information Resources (DIR), said the agency has signed a new contract to handle security management, including firewall protection, security assessment and data breach response. She expected it to be “fully operational” by spring.

She said every two years, DIR asks each state agency for its security plan. In the most recent round of requests, 143 of 170 agencies submitted. Rainosek attributed the shortfall to some agencies sending compiled reports, such as 20 courts that consolidated into a single report.

Rainosek also said DIR would participate in a national incident management exercise with federal officials through the Department of Homeland Security in April.

Aaron Blackstone, chief information security officer for the Department of Public Safety (DPS), said his agency gets around one report of phishing each day.

“[DPS is] doing an excellent job protecting your information, and the public’s information, and we’re going to continue to grow and expand that level of comfort that we provide,” Blackstone said.

One of the best things people at any level can do to prevent a malicious attack is to create complicated passwords, change them often, and avoid sharing them with anyone.
