NEWS

Gov. Brown retools aging cybersecurity systems

Gordon Friedman
Statesman Journal
  • Decades old computer systems guard sensitive data held by state government
  • Some state agencies subject to costly, embarrassing hacks in recent years
  • Governor orders state agencies to unify cybersecurity programs
  • First step among many to improve data security, says state IT chief
Servers in a data center run by the State of Oregon.

Gov. Kate Brown issued an executive order directing state agencies to completely overhaul their cybersecurity systems — and they'll have less than two months to figure out how to do it.

The reason? Computer systems used by the state to protect private or sensitive information from hackers are "antiquated" and remain vulnerable to the "unrelenting threat of cyberattack," Brown wrote in an email Monday to state agency directors.

The executive order requires agencies to hand over their cybersecurity system documents and reassign all information technology security personnel to work for the state chief information officer by Nov. 1.

Agencies will also have to develop a plan to unify cybersecurity protocols across state government — a long overdue step for Oregon's outmoded systems, said state Chief Information Officer Alex Pettit. Some agencies and all state universities are exempt from the executive order.

The executive order tasks Pettit with leading the overhaul and he'll be boss to the borrowed employees until at least June 2017. The agencies sending IT security workers to Pettit will still pay the 40-some employees' salaries.

Pettit said he welcomes the changes — and that they're not coming a moment too soon. During an interview at his office in Salem, Pettit, the state CIO since 2014, said many IT security systems used by the state are disjointed, ineffective and obsolete a generation ago.

"What we're doing today is fundamentally not working," he said. "Who knows what's out there. Some of these systems are easily 25 years old."

A closer look at economic research on Measure 97

The result is that confidential information held on state government computers — like Social Security numbers, financial records and login information — is vulnerable to cyberattacks.

Alex Pettit, the State Chief Information Officer, speaks about public cybersecurity at the Oregon Department of Administrative Services in Salem on Tuesday, Sept. 14, 2016. Pettit's office is working to use apply the ideas and techniques of a public healthcare model to public cybersecurity.

Cyberattacks remain a threat in Oregon

Hackers have taken notice. At least eight state agencies have fallen victim to hacks in just the previous two years, Pettit said.

"Even though they're small attacks, they've had a big effect on us," Pettit said. "We have folks that attack for political, financial, reputational reasons."

He gave a hack of the Construction Contractors Board as one example. Digital thieves were able to steal login information of ODOT employees — a massive agency compared to the relatively tiny Contractors Board.

In another situation, Social Security numbers entered by state employees registering for health care through the Public Employees Benefit Board website were left vulnerable to hacks, Pettit said. Officials stepped in and prevented a breech, but the consequences could have been severe if a cyberattack had begun before the intervention.

Oregon Governor Kate Brown

Officials to pursue funds for IT security

Monday's executive order is one step among a larger push by officials to improve state cybersecurity systems. Pettit said there are plans to build a one-size-fits all security system for use across state government.

He said the state will ask lawmakers to fund a "Cybersecurity Center of Excellence" — a physical space in Corvallis where public and private entities would share resources on IT security. Intel, Hewlett Packard, the Department of Homeland Security, the FBI and and Oregon State University have been asked to participate, Pettit said.

Officials will ask the Legislature to fund the cybersecurity center during the 2017 legislative session, which begins in February. The amount to be requested remains unclear.

Send questions, comments or news tips togfriedman2@statesmanjournal.com or 503-399-6653. Follow on Twitter@GordonRFriedman.

GOP claims of ethics violations against Rep. Paul Evans fall short

State agencies hacked since 2014

  • Oregon Department of Transportation
  • Department of Veterans Affairs
  • Secretary of State's Office
  • Employment Department
  • Department of Land Conservation and Development
  • Department of Agriculture
  • Department of Fish and Wildlife
  • Construction Contractors Board

Source: Department of Administrative Services