Testifying at a recent hearing of the Assembly Committee on Privacy and Consumer Protection and Select Committee on Cybersecurity, Howle said 73 of the 77 agencies she reviewed had inadequate or worse safeguards against hacking. Her three biggest concerns: the state’s court system, the Board of Equalization and the California Public Utilities Commission.

Howle’s remarks were countered by a representative of the Brown administration. The state Department of Technology’s chief information security officer, Michele Robinson, said Howle had exaggerated the state’s problems.

But lawmakers didn’t appear to accept Robinson’s defense of the state’s efforts. Assemblywoman Jacqui Irwin, D-Thousand Oaks, told Sacramento TV station KCRA after the hearing that she considered Howle’s warnings “very disturbing. …  We have 160 departments that are holding your private information. So Social Security numbers, addresses, medical information — yes, there is a risk for the typical Californian.”

Here is the key summary of Howle’s 2015 audit:

In the past few years, retailers, financial institutions, and government agencies have increasingly fallen victim to cyber attacks. Most recently, in June 2015 the federal Office of Personnel Management announced that a cybersecurity intrusion had potentially exposed the personal information of approximately 20 million current and former federal employees and other individuals. Given the size of California’s economy and the value of its information, the state presents a prime target for similar information security breaches. Its government agencies maintain an extensive range of confidential and sensitive data, including Social Security numbers, health records, and income tax information. If unauthorized parties were to gain access to this information, the costs both to the state and to the individuals involved could be enormous. However, despite the need to safeguard the state’s information systems, our review found that many state entities have weaknesses in their controls over information security. These weaknesses leave some of the state’s sensitive data vulnerable to unauthorized use, disclosure, or disruption.

But Howle didn’t just offer this general conclusion. She also specifically criticized the Brown administration:

Despite the pervasiveness and seriousness of the issues we identified, the technology department has failed to take sufficient action to ensure that reporting entities address these deficiencies. In fact, until our audit, it was not aware that many reporting entities had not complied with its requirements. To determine whether reporting entities have met the security standards, the technology department relies on a self-certification form it developed that the reporting entities must submit each year. However, the poor design of this form may have contributed to many reporting entities incorrectly reporting that they were in full compliance with the security standards when they were not. Specifically, we received complete survey responses from 41 reporting entities that self-certified to the technology department that they were in compliance with all of the security standards in 2014. However, when these 41 reporting entities responded to our detailed survey questions related to specific security standards, 37 indicated that they had not achieved full compliance in 2014. … The technology department was unaware of vulnerabilities in these reporting entities’ information security controls; thus, it did nothing to help remediate those deficiencies.

According to KCRA, a state task force created last year could turn in the first draft of a state government cybersecurity initiative this month.

The Howle audit knocking the state government’s failure to worry enough about hackers was one of six harsh reports she issued in a three-month span last summer, as CalWatchdog reported. Perhaps the most alarming report found that the state did a poor job tracking mentally ill gun owners, despite a previous 2013 audit that warned about the shortcomings of the state’s efforts.

The attack on Anthem comes on the heels of similar breaches of data for Target, Home Depot and other companies.

Anthem President and CEO Joseph Swedish wrote in a letter to members:

“Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.

“Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape.

“Anthem’s own associates’ personal information – including my own – was accessed during this security breach.”

CalPERS concern

In an email obtained by CalWatchdog.com, Rita L. Gallardo, division chief of CalPERS’ Office of Stakeholder Relations, wrote earlier today to those affected:

“As many of you have heard in the news, our health plan partner Anthem Blue Cross disclosed late last night that hackers breached its computer systems and the personal information of its members.  Like you, we are very concerned and frustrated about this unacceptable breach.  We have been in touch with Anthem this morning to ensure they are doing everything possible to protect our members and their families who are enrolled in the plan.”

Precautions

The hacker attack should not seriously affect Anthem members, whether or not they are part of CalPERS — provided people take precautions, Jim Harper told CalWatchdog.com; he’s a senior fellow in information studies at the Cato Institute.

He said that even if hackers obtain Social Security numbers, “it actually isn’t that serious because identity fraud takes a lot of work to pull off. When 80 million sets of ID are stolen, that doesn’t mean there will be 80 million incidents of identity fraud.”

The real risk now, he warned, is to make sure hackers don’t use the Anthem news itself as a way to trick people. As the Anthem and CalPERS statements quoted above indicate, members will be notified about the attack, and about what they can do.

Harper said people might get so tired of responding to legitimate inquires that, when a hacker inquiry pops up, they complacently could think, “Oh, not another one! All right, I’ll fill out the form and give them the information” — which then is use by the hacker for a serious security breach.

He urged Anthem members to change their passwords often to prevent identity theft. Which is good advice as well for those not part of Anthem, and for any system involving passwords.

CalPERS activism

CalPERS, the country’s largest retirement system, also is known for its shareholder activism, such as discouraging what it considers “excessive CEO pay” by companies. CalPERS maintains its activism helps improve company performance and is for the overall betterment of society.

Critics say such activism can reduce investment values, with the taxpayers who ultimately backstop CalPERS’ investments put on the hook for any shortfalls.

It’s too early to know, but Harper said the Anthem security breach might spark CalPERS’ activism in this area, in particular ensuring that “consumers have a right to know a breach has occurred. That sounds good. Yet it’s not necessarily good for consumers.”

He said that, given the ongoing security breaches, with more expected in the future, “If you hear about it all the time, it creates fear and unease, but not much more security.”

Instead, he reiterated that the best policy for consumers is constant vigilance over their own passwords and other data.

So which sort of institution is particularly vulnerable? One would think the state of California because of its long history of incompetence in upgrading and installing computer systems.

This is from a 2010 Sac Bee story about the state being unable to adjust paychecks to reflect fewer hours paid during a furlough:

“California’s payroll computer system is so old that it relies on programming language, Common Business Oriented Language, or COBOL, that was introduced in the late 1950s, popularized in the 1960s and 1970s, and is no longer routinely taught to programmers.

“’When I was studying computer science in India, in 1973, none of us wanted to study because it was considered old-fashioned back then,’” said Prem Devanbu, computer science professor at the University of California, Davis.

State agency overwhelmed by computer chores

This is from a Governing magazine story the same year:

Dale Jablonsky, who until August was CIO of the California Employment Development Department (EDD), knows the situation all too well. The EDD runs California’s unemployment insurance program, where caseloads skyrocketed during the current recession. As the economic downturn deepened, Congress repeatedly extended the length of time individuals could draw unemployment benefits.

“In all, federal lawmakers approved seven benefit extensions since the recession began — and each was a nightmare for the EDD. Every extension requires changes to several hundred interconnected computer programs in the EDD’s eligibility system. Those programs are written in common business oriented language (COBOL), an ancient programming language, and modifications must be hand-performed by increasingly rare — and expensive — COBOL experts.

“’It typically takes two to three weeks to implement changes, depending on how complex the federal legislation is,’ Jablonsky says. ‘Sometimes the legislation is so complex it takes five to six weeks to implement.’ Indeed, implementing one particularly complex piece of legislation in late 2009 required changes to 650 programs in the EDD system. The resulting delay in mailing unemployment checks made front-page news throughout the state … .”

COBOL not hospitable to hackers

Oddly enough, however, using a computer language invented in 1959 actually is a deterrent to hackers. Computer World explained why in 2000. COBOL is a …

… simple language that’s so easy to read, it’s impossible to hide malicious programs. A language for mainframe data locked securely behind tried-and-tested access controls like the Resource Access Control Facility (RACF), Top Secret and ACF2…. Checking code for malicious programs is easy in COBOL.

COBOL can be part of a larger security problem when programmers try to connect it with newer software that can be accessed over the Internet. But by itself, its backwardness is an asset.

So now the government in the state that’s home to Silicon Valley and the birth of the information technology revolution has a reason to remain trapped in the mid-20th century on its IT.

Merry Christmas!