State lawmakers addressed concerns about protecting Texans’ information Wednesday in order to identify possible policy changes.
The Senate Select Committee on Cybersecurity was created in October by Lt. Gov. Dan Patrick to take a closer look at security plans for state agencies as well as “identify risks and vulnerabilities.”
“We need to protect our data and info at all levels,” said the committee’s chair, Sen. Jane Nelson, R-Flower Mound.
Mike Sturm, who runs the city of San Marcos’ Information Technology department, said cities face a “scary world” at the local level.
He said the city has fallen victim to phishing scams more than once in recent memory.
“Email communication came in to accounts payable clerk, asking about a status of a check,” Sturm said, adding that the hacker asked the clerk to “change our banking information,” and the clerk followed along.
The city’s insurance policy covered the first year of identity protection after the incident, and the two subsequent years were funded by the city. In another hack, this one of the city’s cloud server, hackers took the city’s website down and forced officials to find a new host for it.
Situations like this in cities with smaller IT departments pose threats to the safety of private information. With state agencies, while there are more safeguards, the stakes are also higher.
“Cradle to grave, [state agencies] have your full life in trust and today in a digital format more than ever, so that makes it very attractive,” Doug Robinson, executive director for the National Association of State Chief Information Officers, said on Wednesday.
“Unfortunately, [hackers] are operating 24 hours a day seven days a week, so their sole motivation is financial gain or embarrassment,” Robinson said. “[Hackers] only have to get it right once, the state agency has to be right all the time.”
Robinson said most states direct two percent of the budget to cybersecurity, while the private sector budgets about 8-10 percent overall, and the federal government appropriates 16 percent to cybersecurity.
Robinson suggested simple “cyber hygiene checks,” using tools like password management, software updates and encryption of sensitive data.
Nelson compared digital attacks to “whack-a-mole.” When one data breach is identified and plugged, hackers will target another weakness.
Nancy Rainosek, chief information security officer for the Department of Information Resources (DIR), said the agency has signed a new contract to handle security management, including firewall protection, security assessment and data breach response. She expected it to be “fully operational” by spring.
She said every two years, DIR asks each state agency for its security plan. In the most recent round of requests, 143 of 170 agencies submitted. Rainosek said not all agencies participated because some sent compiled reports, like 20 courts that all consolidated into one report.
Rainosek also said DIR would participate in a national incident management exercise with federal officials through the Department of Homeland Security in April.
Chief Information Security Officer for the Department of Public Safety (DPS), Aaron Blackstone, said his agency gets around one report of phishing each day.
“[DPS is] doing an excellent job protecting your information, and the public’s information, and we’re going to continue to grow and expand that level of comfort that we provide,” Blackstone said.
One of the best things people at any level can do to prevent a malicious attack is to create complicated passwords, change them often, and avoid sharing them with anyone.