No one wants to get audited, but in Washington state, local governments are literally asking for it.
Appearing as yet another sign of cybersecurity’s tightening grasp on the hearts and minds of America, the Washington State Auditor’s Office (SAO) recently expanded its cybersecurity auditing services after state agencies and local governments began requesting penetration testing and reviews of their security controls.
The expansion signifies both a growing need for cybersecurity resources for state and local governments and the limited pool that many offices draw from in ensuring the integrity of the digital infrastructure and citizen data they have been charged with protecting.
Erin Laska, a principal performance auditor for SAO, told StateScoop the office began performing IT security performance audits in 2013, and they’ve been growing in demand ever since.
“After we published that audit [in 2014], we heard from several state agencies we had audited that the work was very valuable and, in fact, the state chief information officer, [Michael Cockrill], told us that our work was valuable and that the outcome of this was that we had improved the state’s security posture, … so we felt this was a real valuable area to focus our resources.”
The state began advertising its free cybersecurity audits and more state agencies began volunteering, followed soon by local governments, Laska said. The cities of Maple Valley and Mill Creek volunteered in 2014. Five more local governments are now being tested, with eleven others in various stages of audit preparation, including four on a waiting list, Laska said.
The office’s testing consists of an audit of security controls and penetration testing, which Laska confirmed has prompted several changes in Washington state agencies.
Penetration testing, which can be prohibitively expensive for local governments, is made possible in Washington through Initiative 900, a state initiative approved by voters in 2014 that makes available to the auditor’s office about $40 million annually through the allocation of a small portion of the state’s sales tax. The state auditor appropriates about $20 million from that fund for performance audits of various types, including for cybersecurity.
Mill Creek, a city of fewer than 20,000 residents north of Seattle, would not have been able to conduct its assessment alone, said James Busch, the city’s IT director and sole IT staff member.
“Especially for a smaller city like Mill Creek, it’s difficult to have the resources available to put towards cybersecurity and cybersecurity awareness,” Busch said. “To be able to utilize the state auditor’s office for the cybersecurity audit was definitely a welcomed resource for us.”
The report from the auditor’s office notes that the city’s internal controls were “adequate” and that it complied with state laws and regulations. Busch told StateScoop that the penetration testing, however, found a few holes, which were fixed, and engendered a new mindset when it came to their policies.
“It’s made us more aware of things we need to do on an ongoing basis,” Busch said. “It’s definitely changed our thinking going forward as we bring new systems online, rather than just ‘plug and play and let’s go.’”
Washington’s arrangement is uncommon, but could catch on if legislation is passed in other states to provide funding and authority through auditors’ offices. In Colorado, the Office of the State Auditor (OSA) is permitted by statute to “assess, confirm, and report on the security practices” of the state’s IT, and perform similar assessments for local governments where the auditor’s office has already been granted authority to conduct a financial or performance audit.
But Greg Fugate, an audit manager at OSA, said he wasn’t aware that this authority has ever been used, particularly since the statute was created only within the past few years.
Laska told StateScoop that Michigan might be considering a similar arrangement, but knew of no other states with authority and funding similar to Washington’s. An official from the Michigan Office of the Auditor General told StateScoop it currently has no authority over local governments.
“Nobody really wants to be audited,” Laska said. “It’s a lot of work to get an audit. We come to your agency, we ask for tons of information, we have to interview folks, we do tests — it’s a lot of work. But I think … state agencies are seeing what’s going on at the federal, state and local level throughout the United States, throughout all governments throughout the world. It’s a real up and coming area of risk for everyone and I think that everyone is trying to get their house in order.”