Thursday, April 25, 2024
Courthouse News Service

New audit shows California agencies remain at risk of cyberattacks

A decade of neglect by California's IT department has millions at risk of data leaks and cyberattacks.

SACRAMENTO, Calif. (CN) — California's Department of Technology has come under fire from the state auditor going as far back as 2013, with regular reports that the department is a high-risk agency. And an audit issued Thursday revealed the department has struggled with some of the same issues for 10 years and has made little progress.

The Department of Technology is vast, covering everything from government administrative services to information security and is the "guardian of California's public data." A threat to the department is a threat to voter registration, DMV data and unemployment benefits.

The new audit shows that even when it comes to basic planning, the department falls short. It has a mission statement and broad goals but needs the infrastructure to monitor progress, the state auditor said, noting previous plans were more detailed than the current one — which needs help too.

Liana Bailey-Crimmins, head of the California Department of Technology, touted the department's successes.

"Over the past decade, technology has become essential for all operations and services in state government. The California Department of Technology guides over 150 state departments, each with their own CIO, to achieve successful outcomes according to the Statewide IT Strategic Plan - Vision 2023. CDT stands on its record of success — and stands behind the thousands of state IT professionals who helped California lead the nation in pandemic response," Bailey-Crimmins said in an email statement.

However, the audit outlines an alarming lack of preparedness. For example, in 2016, the California Department of Motor Vehicles experienced a hard drive failure that caused a system outage at 122 of 188 offices, making them unable to process driver's licenses and other transactions for two weeks. In addition, the technology department has yet to set a process to seek out and assess outdated and unstable IT systems, many of which still run on unsupported technology systems.

"One agency stated that many of its systems are at least 15 to 20 years old, use unsupported technology, and pose significant security risks. Another agency noted that its primary safety alarm system, which provides alerts about medical emergencies, is becoming obsolete: the equipment is aging and automating updates is difficult," the audit states.

Further, the department still needs to evaluate the status of the state's information security, which has already proven costly. The information the Department of Technology has collected shows that most agencies need to make significant progress in improving information safety.

The audit references two cyberattacks in 2022 alone, one that shut down the job search center of the Employment Development Department and another on the Department of Finance where leaked data may have contained Social Security numbers, bank account information and user passwords.

One significant hurdle to getting assessments done by the department is sheer capacity — it says it can't audit the over 100 entities with its current workforce. The department has acknowledged it has no plans to hire more staff but rather will launch a new IT system to help complete security audits faster.

"However, the deputy chief stated that CDT still has not secured the necessary funding for a new IT system, and as we noted in our previous report, a new system's implementation can take several years," the state auditor wrote.

The auditor called on the department to take accountability, urgently assess the state's information security and address its staffing issues. He also asked the Legislature to create an independent oversight committee.

"While we disagree with many of the conclusions and implications of the audit findings, the state auditor's recommendations will be considered," Bailey-Crimmins said in response to the report.

Follow @smolestwriter