Michele Robinson

Michele Robinson, the state’s top officer in charge of cybersecurity, stepped down last week after spending the last seven months under fire for widespread lapses in the state’s safeguards against hacking.

In an email to colleagues, Robinson was vague about her reasons, mentioning some “personal family matters.” She was mum on the security concerns raised by California State Auditor Elaine Howle in both an audit in August and a hearing last month.

“It has been an honor to serve as your (chief information security officer) and to work with you all toward the advancement of information security and privacy programs in state government, as well as California’s overall cybersecurity posture,” Robinson wrote.

In February’s hearing, Howle doubled down on an audit her office issued last year, which reported 73 of the 77 state agencies had inadequate or worse protections against hacking. Howle’s top three concerns were the systems protecting state’s judicial branch, the Board of Equalization and the Public Utilities Commission.

While Howle told the Assembly Committee on Privacy and Consumer Protection and Select Committee on Cybersecurity that the concerns from the summer remained largely unchanged, Robinson contended that Howle had exaggerated the problems.

A spokesman for Gov. Jerry Brown administration told CalWatchdog that the administration would work to fill the position “as quickly as possible.”

Robinson was promoted to the post in May 2013.

Testifying at a recent hearing of the Assembly Committee on Privacy and Consumer Protection and Select Committee on Cybersecurity, Howle said 73 of the 77 agencies she reviewed had inadequate or worse safeguards against hacking. Her three biggest concerns: the state’s court system, the Board of Equalization and the California Public Utilities Commission.

Howle’s remarks were countered by a representative of the Brown administration. The state Department of Technology’s chief information security officer, Michele Robinson, said Howle had exaggerated the state’s problems.

But lawmakers didn’t appear to accept Robinson’s defense of the state’s efforts. Assemblywoman Jacqui Irwin, D-Thousand Oaks, told Sacramento TV station KCRA after the hearing that she considered Howle’s warnings “very disturbing. …  We have 160 departments that are holding your private information. So Social Security numbers, addresses, medical information — yes, there is a risk for the typical Californian.”

Here is the key summary of Howle’s 2015 audit:

In the past few years, retailers, financial institutions, and government agencies have increasingly fallen victim to cyber attacks. Most recently, in June 2015 the federal Office of Personnel Management announced that a cybersecurity intrusion had potentially exposed the personal information of approximately 20 million current and former federal employees and other individuals. Given the size of California’s economy and the value of its information, the state presents a prime target for similar information security breaches. Its government agencies maintain an extensive range of confidential and sensitive data, including Social Security numbers, health records, and income tax information. If unauthorized parties were to gain access to this information, the costs both to the state and to the individuals involved could be enormous. However, despite the need to safeguard the state’s information systems, our review found that many state entities have weaknesses in their controls over information security. These weaknesses leave some of the state’s sensitive data vulnerable to unauthorized use, disclosure, or disruption.

But Howle didn’t just offer this general conclusion. She also specifically criticized the Brown administration:

Despite the pervasiveness and seriousness of the issues we identified, the technology department has failed to take sufficient action to ensure that reporting entities address these deficiencies. In fact, until our audit, it was not aware that many reporting entities had not complied with its requirements. To determine whether reporting entities have met the security standards, the technology department relies on a self-certification form it developed that the reporting entities must submit each year. However, the poor design of this form may have contributed to many reporting entities incorrectly reporting that they were in full compliance with the security standards when they were not. Specifically, we received complete survey responses from 41 reporting entities that self-certified to the technology department that they were in compliance with all of the security standards in 2014. However, when these 41 reporting entities responded to our detailed survey questions related to specific security standards, 37 indicated that they had not achieved full compliance in 2014. … The technology department was unaware of vulnerabilities in these reporting entities’ information security controls; thus, it did nothing to help remediate those deficiencies.

According to KCRA, a state task force created last year could turn in the first draft of a state government cybersecurity initiative this month.

The Howle audit knocking the state government’s failure to worry enough about hackers was one of six harsh reports she issued in a three-month span last summer, as CalWatchdog reported. Perhaps the most alarming report found that the state did a poor job tracking mentally ill gun owners, despite a previous 2013 audit that warned about the shortcomings of the state’s efforts.

And as for retirement benefits, increase those by 79 percent total, or 53 percent per individual employee.

These are figures for the California Department of Technology, which again finds itself the butt of a fault-finding audit.

The report is one big bad report card. It notes that 73 of 77 state departments have not met standard safeguards for their information, for which the department is supposed to be the guardian.

Prone to Hackers

The newly discovered trouble involves the security of state-held information, including the news that the state’s data centers are subject to thousands of hacker attempts every month.

“The California Department of Technology does not provide adequate oversight or guidance to state entities under the direct authority of the governor (reporting entities) for which it has purview,” the audit finds.

Auditors were so troubled by lapses in information security at the state’s Department of Corrections that they issued a separate memo to that agency outlining the problems — the details of which were “too sensitive to release publicly.”

State agencies possess reams of information, from the bank account numbers on income tax forms to the birth dates of victims of crime and the Social Security numbers of people applying for food stamps.

The Department of Motor Vehicles alone holds more than 27 million records.

There are committees (“the Select Committee on Cybersecurity” in the statehouse) and task forces (the “California Cybersecurity Task Force”) in place to help protect data and info from intruders. But it’s the tech department that has responsibility for ensuring departments’ info is secured. To do so, it requires three annual reports. Last year it even offered a one-day seminar to teach info management people what’s up with data safeguarding.

Who’s at Fault?

In one regard, it’s not all on the department; the report found that 90 percent of select departments queried said that they had met the mandates for security when they really hadn’t.

Still, when four in 10 departments reported they had not achieved full compliance, “we expected that the technology department would have followed up. … However, when we reviewed the 2014 correspondence between the technology department and a selection of eight noncompliant reporting entities, we found that the technology department did not conduct any follow‑up.”

In addition, there are no policies on how to enforce the security requirements.

One more interesting element of the audit: Twenty agencies declined to be monitored or assessed and were therefore not measured for cybersecurity compliance. Among them were the Office of the Inspector General, California Department of Resources Recycling and Recovery and the Public Employees’ Retirement System.

The auditing team recommends that state lawmakers require the tech department to do an independent, comprehensive security assessment of each reporting entity at least every other year.

Auditors also ask legislators to allow the department to ask for money upon any finding of security flaws. The technology department should follow up on any troubled agency and how that agency intends to make its information more secure, the report says.

Then a final scold from the auditors: “As a result of the outstanding weaknesses in reporting entities’ information system controls and the technology department’s failure to provide effective oversight and assist noncompliant entities in meeting the security standards, we determined that some of the state’s information, and its critical information systems, are potentially vulnerable and continue to pose an area of significant risk to the state.”

The Department of Technology didn’t answer questions, but gave the Associated Press a written statement, saying that it is committed to improving oversight and to “improving the state’s overall information security posture.”

A Continuing Pattern

The report is the second in the last six months to beat down the department. The last one upbraided tech department officials for wasting tens of millions of dollars due to computer troubles and aborted projects that cost taxpayers up to $1 billion.

Some lawmakers are trying to throw more money at the agency.

One measure would allow the technology department to size up contractors with an evaluation scorecard that would cost  $350,000.

“There is no guarantee that they will implement the evaluation system in a long term capacity,” Assemblywoman Autumn Burke, D-Los Angeles, told a Senate committee earlier this month. “In fact, a simple change of leadership with CalTech could put the evaluation system in jeopardy.”

Also noted in the conversation was something as scary as a data breach: “Currently the state has 44 IT projects under development that are reported to cost more than $4 billion,” Burke told her colleagues.

He’ll talk at the White House Summit on Cybersecurity and Consumer Protection. According to Stanford News, participants include other government leaders, law-enforcement officials, consumer advocates, students and executives from finance, technology, security and communications companies.

Most watched will be the president’s remarks on information security and the reaction of top Silicon Valley executives, Jim Harper told CalWatchdog.com; he’s a senior fellow in information studies at the Cato Institute. He said that, because the president now is a lame duck and doesn’t face re-election, he might not “feel he has to be too strong on cybersecurity” by his own government.

It’s been less than two years since National Security contract employee Edward Snowden exposed how the NSA essentially scoops up almost all data in America. Yet neither the president nor Congress has advanced any substantial changes in policy.

“Obama has essentially allowed the NSA free rein,” Harper said. “And what the NSA has done is a major setback for Silicon Valley” because potential customers, especially overseas, can’t be sure American services aren’t bugged by the NSA from the start. That situation encourages business moving to the foreign competition.

Harper said he expects “some of the speeches from Silicon Valley will give him a piece of their mind” on the security issue. Most watched will be the comments of Tim Cook, the CEO of Apple Inc., the Valley’s most glittering and profitable company.

And because of the president’s problem with government spying on data, Harper added, anything he says about private security networks will be questioned.

FCC regulations

The president’s visit also comes as his appointees on the Federal Communications Commission seek heavier regulation of the Internet through what is called “Net Neutrality” or the “Open Internet.” It’s a topic he also might address.

According to the FCC’s website, “Under this principle, consumers can make their own choices about what applications and services to use and are free to decide what lawful content they want to access, create, or share with others. This openness promotes competition and enables investment and innovation.”

Critics charge Net Neutrality would mean 1930s-era telephone regulations applied to the Internet, with heavy handed government involvement stifling innovation.

Harper said Obama now is “at the mercy of the bureaucrats” he appointed. And because the president is a lame duck, he doesn’t have a compelling reason to go against the FCC.

The Federal Election Commission also is getting into the act. The Washington Examiner reported today, “Claiming that thousands of public comments condemning ‘dark money’ in politics can’t be ignored, the Democrat-chaired Federal Election Commission on Wednesday appeared ready to open the door to new regulations on donors, bloggers and others who use the Internet to influence policy and campaigns.”

Silicon Valley

Silicon Valley remains the driving engine of California’s economy, as well as much of the U.S. and world economies. So the reactions of tech luminaries to the president’s words will be telling on how the industry, which has been increasingly active in politics, will be reacting to Obama administration actions.

Just last October, Apple offered stronger encryption on its communications, bringing down a condemnation from the Obama administration.

Reported the Guardian, “The latest version of Apple’s operating system for desktop and laptop computers, Mac OS X 10.10 ‘Yosemite,’ encourages users to turn on the company’s FileVault disk encryption, as the company hardens its pro-security stance. … The FBI’s director, James Comey, decried the company’s decision to offer similar tools on mobile devices running iOS 8.”

Google quickly followed suit with its Android operating system.

Speakers

According to the White House agenda, in addition to Cook, those in the private sector scheduled to speak or on panels include:

• Stanford President John Hennessy;
• Michael Brown, CEO, Symantec;
• Lorrie Faith Cranor, Professor, Carnegie Mellon University and Advisory Board Member, Electronic Frontier Foundation;
• Stina Ehrensvard, CEO and Founder, Yubikey;
• Mark Kelsey, CEO, LexisNexis;
• Scott Charney, Corporate VP Trustworthy Computing, Microsoft;
• Eric Grosse, VP for Security Engineering, Google;
• Melody Hildebrandt, Global head of cyber security, Palantir;
• Alex Stamos, Chief Information Security Officer, Yahoo;
• Joe Sullivan, Chief Information Security Officer, Facebook.

In addition to the president, government speakers include:

• Lisa Monaco, National Security Council;
• Jeff Zients, National Economic Council;
• Administrator Maria Contreras-Sweet, U.S. Small Business Administration;
• Alejandro Mayorkas, Deputy Secretary, U.S. Department of Homeland Security;
• Matt Olsen, Former Director, National Counterterrorism Center;
• Joseph Demarest, Federal Bureau of Investigation;
• Ed Lowery, U.S. Secret Service;
• Jamie Saunders, Director National Cyber Crime Unit, United Kingdom National Crime Agency;
• Bilal Sen, United Nations Office of Drug and Crime.