State auditor warns government agencies in danger of hacking

State Auditor Elaine Howle, who issued a report last year warning of cybersecurity problems at dozens of state agencies, says the problems remain mostly unaddressed.

Testifying at a recent hearing of the Assembly Committee on Privacy and Consumer Protection and Select Committee on Cybersecurity, Howle said 73 of the 77 agencies she reviewed had inadequate or worse safeguards against hacking. Her three biggest concerns: the state’s court system, the Board of Equalization and the California Public Utilities Commission.

Howle’s remarks were countered by a representative of the Brown administration. The state Department of Technology’s chief information security officer, Michele Robinson, said Howle had exaggerated the state’s problems.

But lawmakers didn’t appear to accept Robinson’s defense of the state’s efforts. Assemblywoman Jacqui Irwin, D-Thousand Oaks, told Sacramento TV station KCRA after the hearing that she considered Howle’s warnings “very disturbing. …  We have 160 departments that are holding your private information. So Social Security numbers, addresses, medical information — yes, there is a risk for the typical Californian.”

Here is the key summary of Howle’s 2015 audit:

In the past few years, retailers, financial institutions, and government agencies have increasingly fallen victim to cyber attacks. Most recently, in June 2015 the federal Office of Personnel Management announced that a cybersecurity intrusion had potentially exposed the personal information of approximately 20 million current and former federal employees and other individuals. Given the size of California’s economy and the value of its information, the state presents a prime target for similar information security breaches. Its government agencies maintain an extensive range of confidential and sensitive data, including Social Security numbers, health records, and income tax information. If unauthorized parties were to gain access to this information, the costs both to the state and to the individuals involved could be enormous. However, despite the need to safeguard the state’s information systems, our review found that many state entities have weaknesses in their controls over information security. These weaknesses leave some of the state’s sensitive data vulnerable to unauthorized use, disclosure, or disruption.

But Howle didn’t just offer this general conclusion. She also specifically criticized the Brown administration:

Despite the pervasiveness and seriousness of the issues we identified, the technology department has failed to take sufficient action to ensure that reporting entities address these deficiencies. In fact, until our audit, it was not aware that many reporting entities had not complied with its requirements. To determine whether reporting entities have met the security standards, the technology department relies on a self-certification form it developed that the reporting entities must submit each year. However, the poor design of this form may have contributed to many reporting entities incorrectly reporting that they were in full compliance with the security standards when they were not. Specifically, we received complete survey responses from 41 reporting entities that self-certified to the technology department that they were in compliance with all of the security standards in 2014. However, when these 41 reporting entities responded to our detailed survey questions related to specific security standards, 37 indicated that they had not achieved full compliance in 2014. … The technology department was unaware of vulnerabilities in these reporting entities’ information security controls; thus, it did nothing to help remediate those deficiencies.

According to KCRA, a state task force created last year could turn in the first draft of a state government cybersecurity initiative this month.

The Howle audit knocking the state government’s failure to worry enough about hackers was one of six harsh reports she issued in a three-month span last summer, as CalWatchdog reported. Perhaps the most alarming report found that the state did a poor job tracking mentally ill gun owners, despite a previous 2013 audit that warned about the shortcomings of the state’s efforts.