(The following are notes from an NCSL session about CYBER WARFARE. These are my notes, as presented in the session, without my bias or input unless noted. I may or may not agree with what is said, but wanted you to know what lawmakers are discussing as they deal with CYBER WARFARE).
Senator Michael Fair, South Carolina
- October 10, 2012, South Carolina Governor was informed by the federal government there had been a Cyber Security breach of their state data in their Department of Revenue (DOR)
- One of the largest security breaches of public data
- Phishing email sent to employees by hackers
- Opened by DOR employee
- Hackers got access to personal information of 6,000,000 people
- Between August 9 and September 12, data was downloaded
- The attack carried a price tag of $22 million, paid by taxpayers
- SC made several critical mistakes
  - No encryption of personal data
  - No “multiple factor” authentication
- DOR has made the corrections
- More long-term recommendations have been made
- Legislation passed to deal with accountability, plan of action, identity theft services;
- The state appropriated money for an insurance policy to pay for any troubles people who had their information hacked were experiencing because of the breach
Doug Robinson, Executive Director, National Association of State CIOs
Survey in 2012 of state CIOs: 4 findings
- Significant gap in necessary funding
  - Most states spend less than 2% of budget on security
  - States should spend at least 10% on security
- Lack of governance and authority
  - Who’s in charge?
- The difference between what state leaders think is secure and what security experts think is secure is VERY wide
  - 74% of state CIOs are only “somewhat” confident in their ability to stop threats
- Emerging threats from emerging technologies
  - No enterprise-wide policy for how new technology like “Bring Your Own Device” (BYOD) is to be used
  - Need a state-wide framework
  - Not just at the CIO level, but across the agency levels as well
Top Issues for state legislatures:
- Cloud services
- Mobility services
- Budget and cost control
- Shared services
- Health care
- Safety on broadband networks
- Protecting legacy systems
- Malicious software
- Inadequate policy compliance
- Mobile devices and services
- Use of social media platforms
- Use of personally owned devices for state business
- Adoption of cloud services; rogue cloud users
- Foreign state-sponsored espionage
- Third-party contractors and managed services
** The Achilles’ heel of cyber security is lack of funding **
Call to action for states
Key questions for state legislators
- Do you have a culture of information security?
- Do you have a cyber security framework?
- Do you have continuous vulnerability management capabilities?
- Do you have metrics and testing for effectiveness of your security?
- Do you have security awareness training for workers and contractors?