This content was republished with permission from 海角社区app’s news partners at Maryland Matters.
A report released by the Maryland Cybersecurity Coordinating Council on Tuesday found that over 60% of surveyed state agencies have not performed cybersecurity risk assessments.
According to the study completed by the council’s Ad Hoc Committee on State and Local Cybersecurity, surveys were sent to 89 units of executive government in 2021. Only 70 responded by the time the study was written.
Notably, the State Board of Elections was among those who did not provide answers.
Also, aggregated data from agency survey responses found that 40% of agencies had at least one legacy IT system and more than half didn’t have recovery time objectives for their systems.
The lack of recovery plans shook Sen. Katie Fry Hester (D-Howard), co-chair of the Maryland Cybersecurity Coordinating Council’s Ad Hoc Committee on State and Local Cybersecurity.
“That means if they get attacked, they’re really, really not in a good place to respond,” she said.
And the study found that the shift to working from home due to the COVID-19 pandemic has posed security risks.
The report notes an “uptick in fraud activities both against employees and the state” via gift card scams and attempts to defraud the Department of Labor’s unemployment program.
According to the study, the state experienced “few successful” attacks from gift card scammers and was able to “prevent and stop” many unemployment fraud schemes.
Publication of these findings comes as Maryland continues to untangle the aftermath of a ransomware attack against the Maryland Department of Health.
In a phone interview Tuesday, Ben Yelin, the co-chair of the Maryland Cybersecurity Council’s Ad Hoc Committee on State and Local Cybersecurity, said he wasn’t surprised that the attack occurred.
“I think one thing that we learned both in surveying state agencies and local jurisdictions is that — given the increased prevalence of cyberattacks and given the vulnerabilities that we identified — it simply was a matter of time,” he said. “There is sort of a sense of inevitability.”
But legislators still find themselves with unanswered questions about the nature of the attack.
At a joint hearing last week, Chip Stewart, the state chief information security officer, declined to divulge many details, citing an ongoing investigation.
Stewart’s position, the Office of Security Management and the Maryland Cybersecurity Coordinating Council were all established by a 2019 executive order. In his role, he is able to take any agency off Maryland’s network if it is not meeting the state’s minimum security standards.
During the joint hearing last week, Hester asked Stewart if, at the time of the ransomware attack, the Department of Health met the minimum security standards. He declined to answer.
“You have this authority, but what good is the authority and you don’t have the [insight] to use it?” Hester asked rhetorically Monday.
Stewart again declined to answer the question in an email exchange Monday.
Hester confirmed during a phone interview that the Department of Health did submit a response to the survey.
And, according to his fellow councilmembers, Stewart, who conducted the state agency survey, has been tight-lipped since the beginning of the study.
“One of the things that myself and a few others — tried to get out of him is basically like, ‘Who are problem children?’” Yelin said. “He, I think for good reason, didn’t want to even reveal to us the extent of those vulnerabilities.”
The report recommends that meetings of the Maryland Cybersecurity Coordinating Council be exempt from the Open Meetings Act to allow members to speak more freely about cybersecurity problems and recommendations to fix them.
“Frankly, the discussions among its members haven’t been very fruitful because they’re not able to discuss sensitive cybersecurity issues and they’re not really able to speak in any sort of candor to share recommendations to the state [chief information security officer],” Yelin said.
Trending toward a centralized structure
According to the study, states are beginning to trend toward a centralized structure, generally giving a jurisdiction’s information technology agency the decision-making authority on cybersecurity.
Maryland is decentralized, meaning that state agencies have their own cybersecurity officers and IT budgets.
Hester said that if Maryland were to centralize its cybersecurity systems, departments’ cybersecurity officers would report to the secretary of information technology and their budgets would also become part of the budget of the Department of Information Technology.
The report also advocates for a centralized system as a means to protect local government agencies, noting that attacks against localized units of government could quickly balloon into problems at the state level.
Several ransomware attacks have been perpetrated against local governments in recent years, and at a high cost.
According to the report, the 2019 ransomware attack against Baltimore cost an estimated $18 million. The 2021 ransomware attack against Baltimore County Schools cost an estimated $7.7 million. And ransomware attacks against Leonardtown and North Beach disrupted everyday government activities, such as issuing water bills, and caused them to use significant amounts of money to recover.
The ad hoc committee conducted a survey of county and municipal governments, local emergency managers and school districts about their cybersecurity networks.
Results of that survey demonstrated a desire to improve cybersecurity at a local level. But smaller agencies are limited due to a lack of funding and access to resources.
Kevin Kinnally, legislative director for the Maryland Association of Counties, helped with data collection from county governments. He said that he views the state “as a partner” that could provide tools to help pick up the slack.
“But a one-size-fits-all does not work for Dorchester County versus Montgomery County. Their needs are obviously different,” Kinnally said Tuesday. “But if the state can step in and make sure that we have this stuff accessible to us, that’s what we’re looking for here.”
‘We need to work together’
Data demonstrate that cybersecurity measures have improved in recent years.
The survey of state agencies found that 63% of respondents require multi-factor authentication to access email accounts and all but three agencies conduct mandated cybersecurity training sessions for their employees.
And though the Office of Legislative Audits found 84 instances of weak data loss prevention controls among 69 units of state and local government between 2016 and 2019, the Maryland Cybersecurity Coordinating Council reported that, of the 21 audits performed in 2020, only one negative finding relating to the protection of personally identifiable information was repeated.
The Joint Committee on Cybersecurity, Information Technology, and Biotechnology will present 35 recommendations that came from the 57-page report before the House Appropriations Committee on Friday afternoon.
Hester, in tandem with Del. Patrick G. Young Jr. (D-Baltimore County) — who co-chairs the Joint Committee on Cybersecurity, Information Technology, and Biotechnology — plans to introduce a package of three bills during the 2022 session to put some recommendations into practice: one to modernize the state’s older IT systems; another to establish firmer governance in managing state IT systems; and the third to create a cybersecurity support fund to aid local agencies that don’t have the resources to adequately protect themselves.
“I think that’s the state committing to solving this complex issue and understanding that we do have a lot of legacy systems in the state that the state and the counties share,” Kinnally said of the support fund. “And so, you know, we’re all vulnerable here and we need to work together.”