California state agencies easy targets for hackers

This is how the state government handles a department that has continually received sub-par evaluations: add employees, boost wages 17 percent and total spending on salaries by 36 percent.

And as for retirement benefits, increase those by 79 percent total, or 53 percent per individual employee.

These are figures for the California Department of Technology, which again finds itself the butt of a fault-finding audit.

The report is one big bad report card. It notes that 73 of 77 state departments have not met standard safeguards for their information, for which the department is supposed to be the guardian.

Prone to Hackers

The newly discovered trouble involves the security of state-held information, including the news that the state’s data centers are subject to thousands of hacker attempts every month.

“The California Department of Technology does not provide adequate oversight or guidance to state entities under the direct authority of the governor (reporting entities) for which it has purview,” the audit finds.

Auditors were so troubled by lapses in information security at the state’s Department of Corrections that they issued a separate memo to that agency outlining the problems — the details of which were “too sensitive to release publicly.”

State agencies possess reams of information, from the bank account numbers on income tax forms to the birth dates of victims of crime and the Social Security numbers of people applying for food stamps.

The Department of Motor Vehicles alone holds more than 27 million records.

There are committees (“the Select Committee on Cybersecurity” in the statehouse) and task forces (the “California Cybersecurity Task Force”) in place to help protect data and info from intruders. But it’s the tech department that has responsibility for ensuring departments’ info is secured. To do so, it requires three annual reports. Last year it even offered a one-day seminar to teach info management people what’s up with data safeguarding.

Who’s at Fault?

In one regard, it’s not all on the department; the report found that 90 percent of select departments queried said that they had met the mandates for security when they really hadn’t.

Still, when four in 10 departments reported they had not achieved full compliance, “we expected that the technology department would have followed up. … However, when we reviewed the 2014 correspondence between the technology department and a selection of eight noncompliant reporting entities, we found that the technology department did not conduct any follow‑up.”

In addition, there are no policies on how to enforce the security requirements.

One more interesting element of the audit: Twenty agencies declined to be monitored or assessed and were therefore not measured for cybersecurity compliance. Among them were the Office of the Inspector General, California Department of Resources Recycling and Recovery and the Public Employees’ Retirement System.

The auditing team recommends that state lawmakers require the tech department to do an independent, comprehensive security assessment of each reporting entity at least every other year.

Auditors also ask legislators to allow the department to ask for money upon any finding of security flaws. The technology department should follow up on any troubled agency and how that agency intends to make its information more secure, the report says.

Then a final scold from the auditors: “As a result of the outstanding weaknesses in reporting entities’ information system controls and the technology department’s failure to provide effective oversight and assist noncompliant entities in meeting the security standards, we determined that some of the state’s information, and its critical information systems, are potentially vulnerable and continue to pose an area of significant risk to the state.”

The Department of Technology didn’t answer questions, but gave the Associated Press a written statement, saying that it is committed to improving oversight and to “improving the state’s overall information security posture.”

A Continuing Pattern

The report is the second in the last six months to beat down the department. The last one upbraided tech department officials for wasting tens of millions of dollars due to computer troubles and aborted projects that cost taxpayers up to $1 billion.

Some lawmakers are trying to throw more money at the agency.

One measure would allow the technology department to size up contractors with an evaluation scorecard that would cost  $350,000.

“There is no guarantee that they will implement the evaluation system in a long term capacity,” Assemblywoman Autumn Burke, D-Los Angeles, told a Senate committee earlier this month. “In fact, a simple change of leadership with CalTech could put the evaluation system in jeopardy.”

Also noted in the conversation was something as scary as a data breach: “Currently the state has 44 IT projects under development that are reported to cost more than $4 billion,” Burke told her colleagues.