Cybersecurity Report Finds Lack of Risk Assessments by State Agencies, Ill-Equipped Local IT Departments
A report released by the Maryland Cybersecurity Council on Tuesday found that over 60% of surveyed state agencies have not performed cybersecurity risk assessments.
According to the study completed by the council’s Ad Hoc Committee on State and Local Cybersecurity, surveys were sent to 89 units of executive government in 2021. Only 70 responded by the time the study was written.
Notably, the State Board of Elections was among those who did not provide answers.
Also, aggregated data from agency survey responses found that 40% of agencies had at least one legacy IT system and more than half didn’t have recovery time objectives for their systems.
The lack of recovery plans shook Sen. Katie Fry Hester (D-Howard), co-chair of the Maryland Cybersecurity Council’s Ad Hoc Committee on State and Local Cybersecurity.
“That means if they get attacked, they’re really, really not in a good place to respond,” she said.
And the study found that the shift to working from home due to the COVID-19 pandemic has posed security risks.
The report notes an “uptick in fraud activities both against employees and the state” via gift card scams and attempts to defraud the Department of Labor’s unemployment program.
According to the study, the state experienced “few successful” attacks from gift card scammers and was able to “prevent and stop” many unemployment fraud schemes.
Publication of these findings comes as Maryland continues to untangle the ongoing repercussions of a ransomware attack against the Maryland Department of Health.
In a phone interview Tuesday, Ben Yelin, the co-chair of the Maryland Cybersecurity Council’s Ad Hoc Committee on State and Local Cybersecurity, said he wasn’t surprised that the attack occurred.
“I think one thing that we learned both in surveying state agencies and local jurisdictions is that — given the increased prevalence of cyberattacks and given the vulnerabilities that we identified — it simply was a matter of time,” he said. “There is sort of a sense of inevitability.”
But legislators still find themselves with unanswered questions about the nature of the attack.
At a joint legislative hearing last week, Chip Stewart, the state chief information security officer, declined to divulge many details, citing an ongoing investigation.
Stewart’s position, the Office of Security Management and the Maryland Cybersecurity Coordinating Council were all established by a 2019 executive order. In his role, he is able to take any agency off Maryland’s network if it is not meeting the state’s minimum security standards.
During the joint hearing last week, Hester asked Stewart if, at the time of the ransomware attack, the Department of Health met the minimum security standards. He declined to answer.
“You have this authority, but what good is the authority and you don’t have the [insight] to use it?” Hester asked rhetorically Monday.
He again declined to answer the question in an email exchange Monday.
Hester confirmed during a phone interview that the Department of Health did submit a response to the survey.
And, according to his fellow councilmembers, Stewart, who conducted the state agency survey, has been tight-lipped since the beginning of the study.
“One of the things that myself and a few others … tried to get out of him is basically like, ‘Who are problem children?’” Yelin said. “He, I think for good reason, didn’t want to even reveal to us the extent of those vulnerabilities.”
The report recommends that meetings of the Maryland Cybersecurity Coordinating Council be exempt from the Open Meetings Act to allow members to speak more freely about cybersecurity problems and recommendations to fix them.
“Frankly, the discussions among its members haven’t been very fruitful because they’re not able to discuss sensitive cybersecurity issues and they’re not really able to speak in any sort of candor to share recommendations to the state [chief information security officer],” Yelin said.
Trending toward a centralized structure
According to the study, states are beginning to trend toward a centralized structure, generally giving a jurisdiction’s information technology agency the decision-making authority on cybersecurity.
Maryland is decentralized, meaning that state agencies have their own cybersecurity officers and IT budgets.
Hester said that if Maryland were to centralize its cybersecurity systems, departments’ cybersecurity officers would report to the secretary of information technology and their budgets would also become part of the budget of the Department of Information Technology.
The report also advocates for a centralized system as a means to protect local government agencies, noting that attacks against localized units of government could quickly balloon into problems at the state level.
Several ransomware attacks have been perpetrated against local governments in recent years, and at a high cost.
According to the report, the 2019 ransomware attack against Baltimore cost an estimated $18 million. The 2021 ransomware attack against Baltimore County Schools cost an estimated $7.7 million. And ransomware attacks against Leonardtown and North Beach disrupted everyday government activities, such as issuing water bills, and caused them to use significant amounts of money to recover.
The ad hoc committee conducted a survey of county and municipal governments, local emergency managers and school districts about their cybersecurity networks.
Results of that survey demonstrated a desire to improve cybersecurity at a local level. But smaller agencies are limited due to a lack of funding and access to resources.
Kevin Kinnally, legislative director for the Maryland Association of Counties, helped with data collection from county governments. He said that he views the state “as a partner” that could provide tools to help pick up the slack.
“But a one-size-fits-all does not work for Dorchester County versus Montgomery County. Their needs are obviously different,” Kinnally said Tuesday. “But if the state can step in and make sure that we have this stuff accessible to us, that’s what we’re looking for here.”
‘We need to work together’
Data demonstrate that cybersecurity measures have improved in recent years.
The survey of state agencies found that 63% of respondents require multi-factor authentication to access email accounts and all but three agencies conduct mandated cybersecurity training sessions for their employees.
And though the Office of Legislative Audits found 84 instances of weak data loss prevention controls among 69 units of state and local government between 2016 and 2019, the Maryland Cybersecurity Council reported that, of the 21 audits performed in 2020, only one negative finding relating to the protection of personally identifiable information was repeated.
The Joint Committee on Cybersecurity, Information Technology, and Biotechnology will present 35 recommendations that came from the 57-page report before the House Appropriations Committee on Friday afternoon.
Hester, in tandem with Del. Patrick G. Young Jr. (D-Baltimore County) — who co-chairs the Joint Committee on Cybersecurity, Information Technology, and Biotechnology — plans to introduce a package of three bills during the 2022 session to put some recommendations into practice: One to modernize the state’s older IT systems; another to establish firmer governance in managing state IT systems; and the third to create a cybersecurity support fund to aid local agencies who don’t have resources to adequately protect themselves.
“I think that’s the state committing to solving this complex issue and understanding that we do have a lot of legacy systems in the state that the state and the counties share,” Kinnally said of the support fund. “And so, you know, we’re all vulnerable here and we need to work together.”