Financial Times: US state and local government bodies lack cyber defences

Originally Published in the Financial Times | June 25, 2014 | By Hannah Kuchler

Cyber criminals on the hunt for poorly protected confidential data are circumventing the US federal government and targeting state and regional authorities on the basis that they have fewer resources to defend themselves.

Social security numbers, driving licence numbers and home addresses are among the data kept by government now that access to local services is moving increasingly online.

More than two-thirds of US government data breaches were at non-federal agencies in 2012, the latest year that data were available from the US computer emergency response team.

Computer security incidents rose 42 per cent in the US regions and provinces compared with a rise of only 5 per cent overall.

Wade Williamson, senior threat researcher at the Google Ventures-backed security start-up, Shape Security, says that given the large amount of sensitive information they hold, state government agencies are “really enticing targets”.

He says that hacktivists – who attack for publicity – had often chosen them as targets, because they are highly visible in the media and do not have anywhere near the budgets or personnel of federal government.

“Hackers can expose a bunch of personal information and post it out there to show ‘we broke into a site’. It is going to gain them notoriety,” he says.

“We’ve seen this quite a bit all the way down to individual towns’ police forces that are hacked as soft targets.”

Groups affiliated with Anonymous, a loosely knit hacking activist association, have explicitly targeted local government. This includes a campaign against the Los Angeles police department and a contractor that builds websites for sheriff’s agencies across the US.

The financial benefits of stealing data are alluring. Personal information can be sold on the black market, even if it does not include credit card details.

Cyber criminals stole social security numbers of up to 280,000 people when they broke into the Utah state government servers in 2012. Hackers may have obtained up to 160,000 numbers and 1m driving licence numbers after an attack in Washington state last year.

Meanwhile, South Carolina blamed an “international hacker” for an incident that affected more than three-quarters of the state’s 4.6m population.

This year, according to Privacy Rights, a group that collects information on data breaches, this year, the California driving licence authority has investigated a potential breach of card data, while the city of Detroit has reported the exposure of information related to almost 2,000 current and former employees.

With small teams, often composed of fewer than five people, state governments find it difficult to secure data.

A survey of chief information security officers of US states, counties, cities and towns last year reported almost half as saying their IT infrastructure was not prepared for an attack, according to Consero, a Maryland-based company that runs forums for executives.

Mr Williamson says even if state and local government were to increase their cyber security budgets, they would struggle to recruit skilled security engineers in a very competitive market.

“They have a really hard time holding on to their people, so it is important for them to look at a solution that minimises how much human interaction it requires,” he says.

“They can’t have a new product that needs two PhDs to run the thing, as they might not have the talent in-house.”

Some 86 per cent of chief information security officers in state government agencies say a lack of sufficient funding is the main barrier to addressing cyber security problems.

Half manage a team of fewer than five, according to a 2012 survey by Deloitte and the National Association of State Chief Information Officers.

States may handle large sums of money, comparable to those managed by Fortune 500 companies, but they have far fewer cyber security staff. Most financial institutions employ more than 100 people in their security operations.

On average, cyber security only receives 1 to 2 per cent of a state’s overall technology budget and, unlike in the private sector, this does not appear to be rising.

Srini Subramanian, who leads Deloitte’s cyber risk services practice for state and local governments, says that five or six years ago most data breaches were inadvertent; for example, an official might have lost a laptop. In the past couple of years, states had begun to be subjected to sophisticated attacks.

Mr Subramanian says state government bodies are more vulnerable because they are not subject to the strict regulations that federal agencies submit to, or, if they are – in the case of agencies handling tax data or health information – the laws are not enforced.

“The federal agencies do these assessments [on state bodies] more as safeguards, to give feedback. They seldom result in penalties or immediate impact, such as the connection to the federal agency being terminated,” he says.