What states can learn from the OPM breach

The recent news of the cyber attack that compromised the data of millions of federal employees should galvanize states to strengthen their own defenses, technology experts said. And many state IT executives said they are heeding the warning.

“As if there haven’t been enough wake-up calls yet, states should really take this as yet another wake-up call,” said Jeff Schmidt, the CEO and founder of JAS Global Advisors, a cybersecurity consulting company.

Indeed, states are no strangers to data breaches. In late 2012, a breach that compromised the personal data, including credit card numbers, of more than 3.8 million South Carolinians rocked the state. In February 2014, hackers broke into Oregon’s campaign finance website.

But Schmidt said the recent breaches to the federal Office of Personnel Management’s systems, which exposed the personally identifiable information of reportedly as many as 18 million people, underscore the importance of conducting vulnerability assessments and managing patches.

Several state IT leaders agreed. Arkansas Chief Technology Officer Mark Myers said states must ensure that their systems run the latest versions of their software. And, overall, he said it’s important to determine where network weaknesses lie.

“States need to go out and seriously look at doing a vulnerability assessment of their own systems,” Arkansas Chief Technology Officer Mark Myers told StateScoop. “As a state CIO, I’m not sure that you [otherwise] have the capability to know [where all the weaknesses are] because our systems are so large and diverse.”

Myers said states like Colorado are on the right track: Colorado Chief Information Security Officer Deborah Blyth said her team plans to test how state systems would fare against a cybersecurity threat in early July. A week after that exercise, the Office of Information Technology would team with the state law enforcement agencies to test the statewide cybersecurity emergency support function.

Through those risk assessments, Blyth plans to take an inventory of where sensitive information is stored so her office knowns where to apply security controls.

“Data breach and theft of sensitive information is top-of-mind currently, and I know my CISO peers at other states are equally concerned and are taking steps to strengthen controls to prevent a data breach,” she told StateScoop in an email.

Similarly, further east, Pennsylvania CISO Erik Avakian told StateScoop in an email that the breach provides an opportunity to evaluate the state’s cybersecurity measures.

“States need to understand where they are and where any gaps might be, and then develop and implement safeguards to improve their security posture,” Avakian said. “Hackers are always looking to exploit new vulnerabilities and are always upping their game and their tactics.”

While throwing more money at cybersecurity won’t necessarily make states more secure, some research has indicated that inadequate funding can hinder states’ cyber efforts, said Doug Robinson, the executive director of the National Association of State Chief Information Officers.

“I think we have a crisis of prioritization in terms of money being spent on ineffective approaches, and so that’s something that needs to be addressed,” Robinson said.

In a post-OPM breach world, leaders in state government must focus on bolstering cyber risk management, Robinson said. And he said IT leaders have an “obligation” to “preach the gospel” of supporting cybersecurity.

“As I talk to governors, others and legislators, I tell them this is a business issue,” he said. “It’s not just a technology issue. It’s a business issue that can have dramatic impact on individuals.”