Listen: teaching state employees about cyberhacking
By MIKE DENISON
Capital News Service
ANNAPOLIS -- Maryland government entities have suffered at least six cyberattacks since the beginning of 2013, according to incident reports from the Department of Information Technology.
The heavily-redacted reports, obtained by Capital News Service through a Maryland Public Information Act request, reveal that data-hungry hackers and scammers aren't only going after retailers like Target and Neiman Marcus -- they're targeting state agencies.
"Our government doesn't move as quickly as the private sector ... and the private sector isn't moving as quickly as it should be," Sen. Catherine Pugh, D-Baltimore, said in an interview.
The report said a phishing scam that hit the Department of Labor, Licensing and Regulation affected "more than 100 users," and two other incidents affected an estimated "more than 10 users."
Elliot Schlanger, the state director of cybersecurity, said specific numbers of affected users are often difficult to pin down, particularly with phishing attacks. Phishing involves sending a large number of emails asking for sensitive information, like passwords, under the guise of a legitimate sender.
One listed incident involved the Maryland State Police in September. Last year, the police were bombarded with thousands of gun applications ahead of incoming stricter firearm laws. To reduce the massive backlog, volunteers from the departments of Health and Mental Hygiene, Transportation, Public Safety and Correctional Services, Human Resources and Juvenile Services offered to help out with data entry, according to a police press release. According to a National Rifle Association press release, some state agencies' computers were not adequately secured to handle gun applications, which include sensitive information.
Elena Russo, director of the police's communications department, said the incident on the Department of Information Technology report was merely a notification of a potential security risk.
"It was not a security breach, it was not a cyberbreach, there were no hacks and no data brought forward by the Maryland State Police," she said.
Similarly, Maureen O'Connor, director of media relations for the Department of Labor, Licensing and Regulation, said that no personnel data was stolen in a phishing attack on her department. However, a malicious program known as "ransomware" encrypted department information and demanded that money be sent to a specific account to unlock the data.
The attack began when an employee ignored a department-wide warning not to open a suspicious email. O'Connor said the malware was eliminated and the data restored within five days.
The document also said that three Department of Human Resources servers were attacked on Oct. 22. Brian Schleter, director of communications for the agency, said the attack was launched on a department website used to post press releases. No data was compromised.
The proposed budget for fiscal year 2014 notes that no "substantial disruptions" of state network services have occurred since 2011, when records of disruptions began.
The state has taken steps to teach its employees about best practices in cybersecurity. In February, Isabel FitzGerald, secretary of the Department of Information Technology, told the House of Delegates that the department had begun monthly cybersecurity training courses for more than 40,000 state employees and contractors.
"They endeavor to make sure all the employees of all the agencies are aware of the possibilities of attacks," said O'Connor, who has taken the course.
The state's vulnerabilities aren't new. The Office of Legislative Audits has outlined weaknesses in several agencies' cybersecurity plans over several years. An audit of the state police from February 2009 to December 2011 found that some servers that guarded personal information, including about 176,000 Social Security numbers, were insufficiently secured. In a March 2013 response to the audit, the police insisted the auditors misunderstood a security measure, and personal information was secure.
The audit also found that police networks lacked systems designed to detect intrusions. The response said that those systems were added after the audit.
Similar audits found more cyber vulnerabilities in the departments of Labor, Transportation and Education as well as the State Archives.
Pugh aimed to promote state cybersecurity even further during the recently ended 2014 legislative session. She authored a bill to adopt an overarching cybersecurity plan based on a similar document published by the National Institute of Standards and Technology. The Senate passed the bill unanimously, but it died in committee in the House of Delegates.
Pugh said the bill arose out of concerns for the state's long-term condition, citing the growing amount of information that state entities and contractors transfer online. A 2012 hack into South Carolina records that exposed 3.6 million tax returns, according to the South Carolina Department of Revenue, encouraged her to make sure Maryland didn't suffer a similar fate.