The state needs a more comprehensive approach to cyber security to prevent another massive breach like the one that resulted in millions of taxpayer records being stolen from the Department of Revenue, according to an interim report released Tuesday by the South Carolina inspector general.
The report found the state government’s decentralized programs, with no one entity “with the authority, or responsibility, to provide leadership, standards, policies and oversight,” put it at an inherent security disadvantage.
“Given the state’s low risk tolerance for another significant data loss, the current level of statewide INFOSEC risk is not acceptable,” the report stated.
Based on interviews Inspector General Patrick Maley’s office conducted with computer specialists from 18 state agencies and a number of outside experts, the 18-page report offers recommendations to reduce the state’s vulnerability in a frightening new world in which no state or individual is completely safe from resourceful hackers.
A spokesman for Gov. Nikki Haley said it is “exactly what she wanted when she asked [Maley] to undertake a comprehensive review of our data systems.” But the report, which follows one from cyber security company Mandiant about how the hack happened, still leaves questions unanswered, such as how much the overhaul will cost.
“It’s a pretty cookie-cutter kind of first-steps approach that I think correctly identified the priorities, but ... implementing all these steps quickly is an enormous amount of work,” said Stu Sjouwerman, founder and CEO of KnowBe4, a Florida-based cyber security training company. “The error that most people make is that they incorrectly estimate the amount of effort that goes into these types of programs to get them to where they need to be.”
Doug Benefield, director of research and development for Barling Bay, a SPAWAR security contractor, called the report “obvious” and said an information security framework prescribed in the report “a starting point only” that could “easily turn into another bureaucracy.”
Maley said he just wanted to get his team’s research in the hands of the “decision-makers,” and that what happens from here depends on what Haley and lawmakers do. “Everybody is pedaling as fast as they can pedal,” he said.
Among other things, the report recommends:
Establishing a “federated” statewide security program for protecting information from hackers that is centrally coordinated but that still allows some agency flexibility.
Creating a chief information security officer position to lead the development and implementation of a statewide protection program.
Establishing a committee of experts to help with development of a security program.
Hiring an outside consultant to help the state develop a framework for enacting an improved system for dealing with hacking threats.
The report comes in response to the hack at the Revenue Department that compromised as many as 3.8 million individual taxpayers, 1.9 million dependents, 699,900 businesses, 3.3 million bank accounts and 5,000 credit card accounts that are now expired. Experts have warned that the data could be used to steal identities, make fraudulent purchases and raid bank accounts.
Maley’s next report will focus on the details of implementing the recommendations, but questions of cost and timing will likely arise this morning at a special Senate subcommittee hearing where Maley and Division of State Information Technology Director Jimmy Earley are scheduled to testify.
Mandiant has reported the breach stems from a “phishing” email sent to multiple Revenue Department employees in August. At least one of the employees clicked the link in the email, unknowingly executing malicious software and compromising the database, according to the company.
Gov. Haley has said the two central faults in the attack were that the Revenue Department didn’t have dual verification to get into its system, and that Social Security numbers were unencrypted.
The CIOs interviewed for the report “cited the lack of employee awareness training and developing a culture of security with unusual frequency and intensity” and deemed it “low cost and high return INFOSEC investment.”
“That would be the first Band-Aid to stop the bleeding,” said Sjouwerman, who offered his company’s free phishing security test to the state. “They basically need to understand that every email that pops up in their inbox ... is a potentially lure for a cyber attack.”
The report cast doubt on the post-hack role of DSIT by noting state agencies’ “skepticism and distrust toward DSIT owing to a history of friction, primarily related to the cost of services provided.”
“Therefore having DSIT ‘drive’ any change initiative comes with some historical trust baggage,” the report stated.
Stephen Largen contributed to this report.