PD Editorial: Data remains vulnerable on state computers

A new audit concludes that the California Department of Technology isn’t doing a good enough job overseeing data security in the state.

Editorials represent the views of The Press Democrat editorial board and The Press Democrat as an institution. The editorial board and the newsroom operate separately and independently of one another.

The California Department of Technology isn’t doing a good enough job overseeing data security in the state. That’s the message — once again — from the state auditor. If things don’t change, it’s only a matter of time until a disastrous cyberattack occurs.

Imagine the headaches for Californians if hackers forced the Department of Motor Vehicles offline for days or weeks. Or consider what might happen if the Employment Development Department systems couldn’t deliver unemployment assistance on which millions of Californians rely to survive week-to-week.

All Californians are at risk if government computers aren’t secure. The state has digital records about Californians, their jobs, their taxes and more. Hackers who steal that information could exploit it for identity theft and other crimes.

Attacks are already happening. In 2020, UC San Francisco paid more than $1 million in ransom to cybercriminals who had encrypted research data. This week, Sacramento County said that in 2021 its network filters blocked 360 million unauthorized attempts to connect to information systems and 145 million malicious emails. That’s more than 1 million attack attempts per day on average.

Staying ahead of cybercriminals requires vigilance, frequent upgrades and technical expertise. That’s where the California Department of Technology comes in. Its information technology experts are supposed to work with state entities to ensure that their security is up to snuff.

It should be doing a better job, according to an analysis released by acting state Auditor Michael Tilden. The audit focused on 108 state entities in the executive branch that report to Gov. Gavin Newsom, as well as some nonreporting entities.

The Technology Department is behind schedule auditing the security status of critical entities. Without those audits — and accurate self-reporting by agencies, which also is lacking — the department cannot accurately assess whether agencies are doing everything they should to protect data and information infrastructure.

Dozens of other agencies that don’t directly report also do not meet information security standards, according to the report.

The audit further found that the Technology Department provides unclear security guidelines for telework. The ability to keep data secure while working remotely has become essential during the pandemic. The department ought to share clear best practices and help other agencies implement them.

The Department of Technology responded to the audit by invoking COVID-19 as an excuse for some of its problems. That might be more believable if it weren’t for the fact that this is the sixth state audit since 2013 with similar critical findings.

As always, the state auditor offered recommendations to improve things. Some are obvious, like clarifying guidance on how state workers can securely work remotely. Others will require the Legislature to act. For example, the Department of Technology should provide a confidential annual security status report to lawmakers so they can accurately assess performance. We would add that a public version of that report with top-line findings should go out, too, so Californians can make their own assessments.

There are other recommendations, all of them reasonable and most of them long overdue. Let this be the last critical report of the state’s information security, lest the next one highlight a major breach. Cybercriminals aren’t resting.

You can send letters to the editor to letters@pressdemocrat.com.
