Virginia governor orders statewide cybersecurity review
Editor’s Note: This story was updated to include quotes from Virginia Chief Information Officer Nelson Moe.
With reports of data breaches making headlines, Virginia Gov. Terry McAuliffe is taking new steps to beef up the state’s cybersecurity.
McAuliffe signed a directive Monday that orders the Virginia Information Technologies Agency to conduct a thorough review of the commonwealth’s networks to identify trouble spots before hackers can exploit them. VITA is charged with compiling a full inventory of state data and computer systems, and conducting security audits of those systems by Oct. 15.
“We want our data to be as safe as it can possibly be for our citizens and for what we do in the commonwealth,” Virginia Secretary of Technology Karen Jackson told StateScoop. “You have to start somewhere and this is where we’re starting.”
Jackson noted that McAuliffe has been pushing for better protection of state data ever since the massive breach at the Office of Personnel Management in July, and this directive is simply the latest effort in that process.
“I think the message is clear from the governor that protecting the data and securing the commonwealth to the best of all of our abilities is where we want to go,” Jackson said. “He’s instilled in us the need to really make sure that what we’re doing is really the right thing with our data.”
VITA has already been working to inventory the data and prioritize what represents the most sensitive material in the state, and they’ve been pushing to complete the security audits, Jackson said. Jackson feels that once they can gather all the information mandated by the directive, state IT leaders will have all the tools they need to craft an “internal cyber strategy.”
“We know some of this information, it’s not like we’re starting from scratch, but once we gain more information, then we can make strategic decisions about enterprise applications that need to be put in place or the shifting of personnel,” Jackson said.
“We know where the data is, it’s basically writing it down, and it’s working with the agencies to get a head start,” said Nelson Moe, Virginia’s chief information officer.
Moe said he’s eagerly waiting for VITA to complete their audits so his department will know what work is left to be done.
“At the end of them we’ll have a very clear picture of what the commonwealth’s status is,” Moe said. “It’s kind of like getting a car inspected or a house inspected, it’s a chance to go through and make sure you know what you know.”
Jackson is realistic about the financial challenges inherent to the public sector, and she believes that makes the need for a coordinated cybersecurity effort all the more pressing.
“It’s not inexpensive to fight cyber battles, and government is not always the most flush with available cash, so we have to be very targeted and very judicious with how to spend the dollars we have so we can get the biggest outcome,” Jackson said.
The directive also requires VITA to present the governor with a status report on these efforts by Oct. 1, 2016, but beyond the steps laid out in the directive, Jackson admits that it’s difficult to predict what else the commonwealth will have to do between now and then to secure its data.
“All these technologies and all these capabilities are moving so fast that it’s a process of keeping up and trying to get ahead,” Jackson said.
According to Jackson, the most important feature in any state is a commitment to cybersecurity from the top, and she believes that’s exactly what this new order represents in Virginia.
“Everybody knows that cybersecurity is a contact sport,” Jackson said. “The support system has to be there and it has to be constantly monitored, constantly updated, because this whole fight, if you will, is not going to end. It’s moving fast, the attacks are becoming more malicious, so it has to be a top-down, supported driver. And that’s what we have with the initiative.”
