The State Worker

Data breach a warning for states

Private and public employers are battling for top cybersecurity talent as the number and complexity of IT attacks escalate. Associated Press file

The attacks on Target and Sony were bad enough, but IT breaches crossed a new line with the recent federal data hack that exposes just how vulnerable government technology has become.

Once the purview of college students looking for a challenge, hacking and data theft have evolved in the last quarter century from criminal enterprises (Target) to public-shaming devices (Sony) into blunt instruments of government-sanctioned espionage.

On June 4, for example, authorities disclosed a data breach affecting the records of 4.1 million current and former federal employees. The bulk theft reportedly captured personal financial and investment records, kids’ and relatives’ names, trips out of the country, residence histories, names of friends and neighbors – even data on Cabinet-level officials was compromised.

U.S. authorities have accused China of taking the information. Chinese officials have denied involvement.

Why does that matter to California? Because, says tech-threat expert Kevin Mandia, the federal government is the class valedictorian of IT security. States, which spend far less on tech security, are barely graduating.

“If you’re an ‘A’ in cybersecurity or an ‘F’ you probably have about the same chance of being compromised,” said Mandia, a former federal cybersecurity officer who now heads IT-security firm FireEye Inc. “But the ‘F’s’ don’t know it. The ‘A’s’ do. That’s the difference.”

Michelle Robinson, California’s chief information security officer, said the state “takes cybersecurity very seriously” but that it also “has seen an uptick in reconnaissance and attempted attacks.”

State agencies reported 204 data breaches last year, from lost thumb drives to website hacks, up from 135 in 2013.

By law, state agencies are supposed to have someone responsible for IT security, Robinson said, and the state has various training initiatives to keep the issue front and center. Some IT security work is contracted out, but the Department of Technology doesn’t know how much. Robinson acknowledged that state cybersecurity jobs are tough to fill.

Other states face similar challenges. The National Association of State Chief Information Officers found that two-thirds of state IT managers said security staff are the toughest to attract and retain. They blamed low state pay, a shortage of qualified candidates, retirements and the glacial speed of civil-service hiring.

Nearly half of the respondents said they planned to “expand outsourcing” for security services, while 25 percent said they will “maintain the status quo.” Less than 10 percent planned to “increase state IT staff.”

States are trying various tactics to draw and develop top talent, the report says, including bonuses and pay differentials, flexible hours, IT academies, recognition awards and even new job classifications.

It’s a sign that high-tech security comes down to a low-tech strategy – treating employees well.