Audit Finds California Vulnerable to Hackers

     SACRAMENTO (CN) – Most California state agencies inadequately protect “an extensive range of confidential and sensitive data,” leaving critical information systems vulnerable to cyber attack, the state auditor reported Tuesday.
     The report blasted the California Department of Technology’s oversight of security, and revealed that 73 of 77 state entities admit they cannot comply with security standards.
     The 75-page audit, “High Risk Update – Information Security,” found safety monitoring by the Department of Technology woefully ineffective, and the agency unaware that so many state agencies are so vulnerable.
     Of the 77 entities surveyed by State Auditor Elaine Howle, 22 estimated they could not meet state security standards until 2018, and 13 of them until 2020 or later.
     The state’s weaknesses put individual citizens at risk, according to the audit, which cites poor controls in classified information that includes Social Security numbers, income tax and health records.
     Nor does California’s cyber security watchdog have a solid plan for getting the departments compliant, other than an outdated self-certification form filled out by the departments it oversees, the auditor said.
     “Because of the nature of its self-certification process, the technology department was unaware of vulnerabilities in these reporting entities’ information security controls; thus, it did nothing to help remediate those deficiencies,” the audit states.
     While the technology department has implemented a pilot auditing program, Howle found it ineffective.
     She says the technology department employs just four auditors, and that it would take them 20 years to study each of the 77 state entities. (Making the state’s computers safe, assuming instant compliance with the findings, by the year 3455.)
     Howle said the technology department should be auditing each entity every two years.
     She recommended the Legislature require entities to comply with information security standards or risk losing state funding.
     Hackers broke into the Internal Revenue Service database in May and illegally accessed information of 220,000 taxpayers. The hackers broke into the system that allows taxpayers to see their old tax returns. The IRS suspects Russian hackers did it.
     Despite the prevalence of large-scale cyber attacks on government and private businesses’ databases, the audit found that the technology department does not have a process to follow up with agencies that flunk security standards.
     “More than half of the entities that responded to our survey indicated that the technology department’s guidance for complying with security standards was insufficient,” the audit states.
     The audit leaves out the names of departments to protect their identities, but it identified several departments that declined to cooperate with auditors, including the California Air Resources Board and the California State Teachers’ Retirement System.
     The technology department declined to comment to Courthouse News, referring to the response it provided for the audit.
     “The department has a strong commitment to improving its existing oversight activities and to improving the state’s overall information security posture,” the response letter stated. “The department will continue to work with reporting entities to achieve full compliance with all security standards.”
     The subtitle of the auditor’s report is: “Many State Entities’ Information Assets Are Potentially Vulnerable to Attack or Disruption.”
     Its introductory letter to the governor and Legislature states: “If unauthorized parties were to gain access to the State’s information systems, the costs both to the State and to the individuals involved could be enormous.”
