Opinion: As Maryland Knows, Cybersecurity Is Easier Said Than Done

As Gov. Larry Hogan wades into national issues with increasing frequency, he should check if Maryland is leading by example before plunging into the deep end.

Recently, in an opinion piece for USA Today, Hogan made waves saying Washington is asleep on cybersecurity and America is vulnerable to attack following the highly-publicized Colonial Pipeline ransomware hack.

On that point, we’re agreed. Particularly since I am a resident of the Greater Baltimore area where cybersecurity attacks have shut down too often critical infrastructure affecting our daily, basic quality of life.

President Biden recently touted his “bipartisan leadership” on the topic. He wants to invest $65 billion in broadband infrastructure framework to bring universal, reliable and affordable coverage to every American family — although it still needs to get enough votes to pass in Congress and then get Republican Senate Minority Leader Mitch McConnell on board. I stopped holding my breath after the horrific events of Jan. 6.

Hogan on CNN’s “State of the Union” said cybersecurity is a “huge issue.” The governor then wrote an opinion article which WUSA-TV in Washington describes as a “scathing” indictment of federal efforts to thwart cyberattacks.

Both parties in Congress are to blame as are three presidential administrations, according to Hogan’s USA Today piece, characterizing cybersecurity as too often a “technical afterthought.” The governor goes on to suggest security measures should be integral to information technology and related systems.

Indeed, the governor’s own IT department is empowered to ensure such integration takes place across state government. It was a key tenet of Hogan’s innovative shared-solutions government model during his 2014 campaign.

Yet, the Maryland Department of Information Technology is not tracking critical information about state government computer projects, according to legislative auditors in May 2020. The Office of Legislative Audits found the state IT department failed to effectively monitor $1.6 billion in major technology development projects in health, education, financial, commerce, transportation and public safety sectors of state government. They uncovered critical information missing in departmental status reports and instances where the governor received wrong information.

Responding to General Assembly Senate and House members, Maryland’s top technology official, a political appointee of Hogan’s second-term administration, gave a stunning explanation in a little-noticed video conference in March 2021. Michael Leahy, the secretary of the IT Department, said his staff is not able to keep up with technology.

“We just don’t have [the means] to internally keep up with many of the advances in technology amongst our own staff,” said Leahy, responding to a question from state Sen. Sarah Elfreth of Annapolis. Leahy was excusing his department’s reliance on outside vendors for project oversight.

Auditors, however, are concerned not only with the department’s management of contractors but also its direct oversight of actual projects.

The Office of Legislative Audits examines each unit of state government in regular cycles and works with departments and agencies to resolve issues. That is not happening here. Oversight problems with IT projects are documented in three separate reports over several years, a situation which a Baltimore City lawmaker describes as an “outlier” in state government. As former Del. Keith Haynes (D-Baltimore City) put it, the unresolved findings are a vicious cycle, “where the buck keeps getting passed back and forth on who is responsible for what.”

The audit report from May 2020 gave Leahy another chance to outline corrective measures. Instead, the cabinet secretary rejects key recommendations, adopting a more narrow interpretation of his legal authority that reduces accountability. Leahy gave lawmakers only vague assurances to continue addressing audit findings during the March 2021 committee meetings.

In addition to developing the state’s cybersecurity strategy, Maryland’s IT Department will also be assisting local government security efforts under legislation passed this year. Maryland’s IT Department is also charged with implementation of major state computer development projects ranging from the state police’s communication system to poll book devices for elections. Department duties include developing and enforcing information technology policies, procedures and standards. This sweeping mandate allows the IT Department to flag potential security breaches before systems become operational.

Cybersecurity is hard work. We know that from our experience in Baltimore in 2019 in which basic functions of municipal government were crippled in a ransomware attack that cost the city over $18 million.

Former Mayor Bernard C. “Jack” Young quickly understood the significance of thousands of interconnected computers spread across city government, many of which required manual security software updates.

Just over a year before that, key functions of the city’s 911 system were inoperable in the wake of a separate cyberattack. Ransomware intrusions caused schools to shut down in Baltimore County last fall and electronic medical records had to be taken offline in one of our largest hospitals.

What can those concerned about cybersecurity learn from our experience in Maryland and from Gov. Hogan?

Cybersecurity is easier said than done.

The governor does not need to know what software is on every workstation at the Department of Motor Vehicles. Or even the health department and unemployment office. But in the event an attack shuts down key functions of government, the public will want to know the governor is in charge and the buck stops with him.

That is not likely to happen until his own tech people get a handle on major computer projects and can transparently demonstrate correct fiscal responsibilities by the executive branch.

— E.J. MCNULTY

The writer is a health care policy and technology consultant. She is a longtime Maryland Republican strategist and advocate for government transparency, who served in Gov. Larry Hogan’s first administration and as a Republican strategist. She resides in Baltimore County. She can be reached at [email protected].