Solid ideas of improving state government’s cyber security

Accountability and oversight demand a responsible central authority. And such an authority has been clearly lacking in our state government’s woefully inadequate cyber security system, according to S.C. Inspector General Patrick J. Maley.

In his recent analysis of cyber security over the spectrum of South Carolina government, Mr. Maley makes a compelling case for stronger central control. That includes leadership, security policies and oversight.

“The lack of standard policies produces uneven quality in individual agency security postures,” he wrote. “This decentralized approach also prevents the state from understanding, let alone managing, statewide INFOSEC [information security] risk which has the capacity to impact the entire state government.”

Or worse, considering the potential consequences of the September cyber theft from the S.C. Department of Revenue — the loss of Social Security numbers of millions of state taxpayers and other financial information on those tax forms. It was the most serious cyber breach yet experienced by any state government across the nation.

Mr. Maley urged the creation of centralized security policies and protocol under the authority of a chief cyber security officer. He insists, however, that the policy can largely be delegated to the various agencies with proper oversight and system audits.

He cites the necessity for a range of controls dealing with encryption, passwords, mobile device access, Internet firewalls, systems monitoring and employee training.

But Mr. Maley cautions that security is a continuous process aimed at experienced cyber thieves who “use increasingly sophisticated methods to target computer systems for monetary gain and to make political statements.”

Even then, there’s no way to eliminate the risk of data loss.

“The level of hacker sophistication is clearly increasing at a faster rate than our ability to comfortably defend,” he wrote.

Certainly, the absence of adequate controls by South Carolina state government has a political message about state leadership — including the executive and legislative branches. It also speaks to the inadequacy of the current system of decentralized government.

That’s not to let Gov. Nikki Haley off the hook. The hacking occurred in a Cabinet agency and on her watch.

But a centralized system with greater safeguards might well have been a better system, as Mr. Maley’s findings suggest.

The inspector general says, too, that a centralized system has the capacity to streamline an essential government service, providing greater efficiency and lower costs.

He recommends employing private consultants to help develop a system, and hiring an expert who would assist with the implementation of a statewide policy and oversee the various agencies — 100 or so including state colleges and universities — on cyber security.

His recommendation for a steering committee using experts at state universities and in the private sector should be quickly adopted. Such a committee would prove useful to the Legislature as it proceeds with its investigation of the cyber breach.

The ongoing investigation is necessary to plug the security holes and, as Mr. Maley says, “regain some of the lost trust from our citizens by doing everything possible to protect their information entrusted to the state.”

State leaders should concentrate less on seizing political advantage and more on creating a dependable cyber security system as soon as possible.