Back in the late 1990s, when I was State CIO, our team at the Department of Information Technology (DOIT) was responsible for addressing the “dreaded” Year 2000 issue affecting state computer systems. Led by longtime state employee Claudina Nevis, DOIT oversaw the identification and mitigation efforts across 150 state agencies, whose initial task was to identify, often for the first time, all existing state IT systems and databases. The results were not surprising considering the vast state government enterprise. We found over 3,000 individual data systems, then assessed the impact of the new century date, and DOIT guided efforts to fix the affected systems.
We were reminded of the Year 2000 effort watching a startling Congressional hearing yesterday, where the U.S. Office of Personnel Management (OPM) data breaches were referred to as “catastrophic” and “devastating,” and even deemed a more serious threat to national security than the 9/11 World Trade Center attack. According to one report, this attack involved the theft of “30 years’ worth of sensitive security-clearance, background-check, and personal data from at least 10 million current, past, and prospective federal employees and veterans. The government didn’t merely reveal shoddy IT security on the part of its agencies and contractors. It also revealed unforgivable negligence, because OPM and the government had known about these security problems for two years, already suffered multiple breaches, and done little to nothing about them.”
One after the other, the members of Congress, in a rare display of bipartisanship, questioned the OPM director, CIO, CISO, inspector general and others under oath: “How was the breach allowed to happen, and could it have been prevented?” The vitriol is omitted here, but not in the video; see the video. It is mandatory viewing for all government department directors, CIOs and CISOs who may one day find themselves in a similar photo op.
We have to ask ourselves: could this breach happen here in California?
In the decade and a half since our Year 2000 efforts, those state systems have no doubt grown significantly.
How many are there now? How many contain sensitive personal information on 38 million Californians, or confidential financial information about the state’s 1 million businesses?
Is the data encrypted, both at rest and in transit? Does access require multifactor authentication? If not, should the system be shut down, locking out all access, until it does?
These questions need to be asked now. Perhaps all is well. But as my old boss President Reagan said, “Trust, but verify.” And verification is a never-ending job when it comes to cybersecurity.
The Brown Administration and the legislature have been busy lately, and congratulations are warranted for getting the budget approved on time again this year. In announcing the accord, the Governor also called for two special sessions to address “important business”: one on health care, the other on funding road and other infrastructure repairs.
Here at TechLeader.TV we strongly suggest Governor Brown and the legislature consider a third session, on potentially more “important business”.
In light of the Digital Pearl Harbor inside the Beltway, with implications around the globe, TechLeader.TV suggests that this session focus on getting answers to all of these questions from the appropriate state officials, and on demanding appropriate action.
There was a tech surge in Washington, DC to salvage the federal government’s disastrous healthcare.gov rollout. The feds need a cybersecurity surge now, and, if warranted, the State of California should not wait to embark on the same path.
Remember, there are two kinds of organizations in this brave new world: those that have been hacked and know it, and those that have been hacked and don’t know it yet.