South Carolina learned firsthand the havoc a hacker can have on state-owned computer systems when last October approximately 3.8 million Social Security numbers, 387,000 credit and debit card numbers and 657,000 business tax filings were exposed in a security breach at the state Department of Revenue.
This is the type of cyberattack governors are gearing up to prevent. “Every day, states are exposed to phishing scams, malware, denial-of-service attacks, and other common tactics employed by cyberattackers,” according to a call-to-action paper released Thursday by the National Governors Association.
Michigan Gov. Rick Snyder, a Republican, was in Washington to launch the NGA bipartisan effort, led also by Maryland Gov. Martin O'Malley, a Democrat.
“As governors, we are directly responsible for ensuring the security of a wide array of state-owned assets and personally identifiable information such as tax records, driver's licenses and birth records,” Snyder said in a statement. “We also play a critical role in ensuring that private-sector assets within our states are secure,” the former president of Gateway computers said.
As Stateline has reported, Michigan has been a leader on this front, enlisting the help of everyone from the major utility companies to the state police to launch a multi-pronged pre-emptive strike. Cyberattacks on the state of Michigan's computer systems have increased to about 500,000 a day, The Detroit News reported.
In its six-page paper, NGA urges governors to look at what their peers are doing. The report highlights:
- Michigan requires security awareness training for all state employees, and launched with universities and the private sector a state-of-the-art Michigan Cyber Range research center.
- Maryland leverages the cybersecurity capabilities of the Warfare Squadron to support its cybersecurity assessments, including having state agencies participate in Internet training exercises that simulate cyberattacks.
- Minnesota's chief information security officer works closely with the governor, a Technology Advisory Committee, and other agency leaders.
- California Cybersecurity Task Force is a new state-led collaboration between state and private-sector IT officials.
- Delaware state employees conduct cybersecurity presentations for elementary school students and host video and poster contests to reinforce the importance of Internet safety practices.
A 2012 survey of state chief information security officers found that only 24 percent were “very confident” that their state assets are protected against external threats, while only 32 percent said their staff have the required cybersecurity competency.
Those findings were part of a 2012 report about cybersecurity from Deloitte and the National Association of State Chief Information Officers that also estimated that government agencies had lost more than 94 million citizen records since 2009. The average cost per lost or breached record is $194.
While NGA's paper doesn't specifically mention the South Carolina case, it notes, “Several recent attacks reveal that states which fail to put in place a strong governance structure are at a distinct disadvantage.”