Cybersecurity Report Reveals Lack of Risk Assessments by Maryland State Agencies

A report released Tuesday by the Maryland Cybersecurity Coordinating Council found that more than 60% of state agencies surveyed have not conducted a cybersecurity risk assessment.

This content was republished with permission from WTOP’s press partners at Maryland Matters.

According to the study by the council’s ad hoc committee on national and local cybersecurity, surveys were sent to 89 executive government units in 2021. Only 70 responded at the time of writing.

Notably, the State Board of Elections was among those who did not provide responses.

Additionally, aggregated data from the agency survey responses revealed that 40% of agencies had at least one legacy IT system and that more than half had no recovery time objectives for their systems.

The lack of recovery planning has rattled Sen. Katie Fry Hester (D-Howard), co-chair of the Maryland Cybersecurity Coordinating Council’s National and Local Cybersecurity Ad Hoc Committee.

“That means if they’re attacked, they’re really, really in no position to react,” she said.

The study also found that the shift to working from home during the COVID-19 pandemic posed security risks.

The report notes an “increase in fraud activity against both employees and the state” via gift card scams and attempted fraud on the Department of Labor’s unemployment program.

According to the study, the state experienced “few successful attacks” from gift card scammers and was able to “prevent and stop” many unemployment fraud schemes.

The release of these results comes as Maryland continues to deal with the ongoing repercussions of a ransomware attack against the Maryland Department of Health.

In a phone interview on Tuesday, Ben Yelin, co-chairman of the Maryland Cybersecurity Council’s National and Local Cybersecurity Ad Hoc Committee, said he was not surprised the attack happened.

“I think one thing we learned from both investigating state agencies and local jurisdictions is that given the increased prevalence of cyberattacks and the vulnerabilities that we identified, it was only ‘a matter of time,’” he said. “There’s a kind of sense of inevitability.”

But lawmakers are still left with unanswered questions about the nature of the attack.

At a joint legislative hearing last week, Chip Stewart, the state’s chief information security officer, declined to release many details, citing an ongoing investigation.

Stewart’s position, the Office of Security Management, and the Maryland Cybersecurity Coordinating Council were all created by executive order in 2019. In that role, he can remove any agency from the state network if it does not meet the state’s minimum security standards.

At the joint hearing last week, Hester asked Stewart if, at the time of the ransomware attack, the Department of Health was meeting minimum security standards. He refused to answer.

“You have this authority, but what is the use of authority if you don’t have the [insight] to use it?” Hester asked rhetorically on Monday.

He again declined to answer the question in an email exchange on Monday.

Hester confirmed in a telephone interview that the Department of Health had submitted a response to the investigation.

And, according to fellow board members, Stewart, who led the state agency’s investigation, has been quiet since the study began.

“One of the things that myself and a few others…have been trying to get across to him is basically, ‘Who are the problem kids?’” Yelin said. “He, I think for good reason, wouldn’t even tell us the extent of those vulnerabilities.”

The report recommends that Maryland Cybersecurity Coordinating Council meetings be exempted from the open meeting law to allow members to speak more freely about cybersecurity issues and recommendations for addressing them.

“Frankly, the discussions among its members have not been very fruitful because they are not able to discuss sensitive cybersecurity issues and they are not really able to speak with any frankness to share recommendations with the state [chief information security officer],” Yelin said.

Trend towards a centralized structure

According to the study, states are beginning to move toward a centralized structure, typically giving a jurisdiction’s information technology agency the decision-making authority over cybersecurity.

Maryland is decentralized, which means state agencies have their own cybersecurity leads and their own IT budgets.

Hester said that if Maryland were to centralize its cybersecurity systems, departmental cybersecurity leads would report to the secretary of information technology, and their budgets would become part of the Department of Information Technology’s budget.

The report also advocates a centralized system as a way to protect local government agencies, noting that attacks on localized government units could quickly turn into state-level problems.

Several ransomware attacks have been perpetrated against local governments in recent years, and at great cost.

According to the report, the 2019 ransomware attack on Baltimore cost around $18 million. The 2021 ransomware attack on Baltimore County schools cost an estimated $7.7 million. And ransomware attacks on Leonardtown and North Beach disrupted day-to-day government operations, such as issuing water bills, and forced those towns to spend large sums to recover.

The ad hoc committee surveyed county and city governments, local emergency officials, and school districts about their cybersecurity networks.

The results of this survey demonstrated a desire to improve cybersecurity at the local level. But small agencies are constrained by a lack of funding and access to resources.

Kevin Kinnally, Legislative Director of the Maryland Association of Counties, assisted with data collection from county governments. He said he saw the state “as a partner” who could provide tools to help fill the void.

“But one size doesn’t work for Dorchester County versus Montgomery County. Their needs are obviously different,” Kinnally said Tuesday. “But if the state can step in and make sure we have those things available to us, that’s what we’re looking for here.”

“We have to work together”

Data shows that cybersecurity measures have improved in recent years.

The survey of state agencies found that 63% of respondents require multi-factor authentication to access email accounts and that all but three agencies hold mandatory cybersecurity training sessions for their employees.

And although the Office of Legislative Audits found 84 instances of weak data loss prevention controls among 69 state and local government units between 2016 and 2019, the Maryland Cybersecurity Coordinating Council reported that of the 21 audits carried out in 2020, only one repeat finding relating to the protection of personally identifiable information was recorded.

The Joint Committee on Cybersecurity, Information Technology and Biotechnology will present 35 recommendations from the 57-page report to the House Appropriations Committee on Friday afternoon.

Hester, in tandem with Del. Patrick G. Young Jr. (D-Baltimore County) — who co-chairs the Joint Committee on Cybersecurity, Information Technology, and Biotechnology — plans to introduce a set of three bills in the 2022 session to put some of the recommendations into practice: one to modernize the state’s legacy IT systems; another to establish firmer governance over the management of state IT systems; and a third to create a cybersecurity support fund to help local agencies that lack the resources to adequately protect themselves.

“I think it’s the state’s commitment to solving this complex problem and understanding that we have a lot of legacy systems in the state that the state and counties share,” Kinnally said of the support fund. “And so, you know, we’re all vulnerable here and we have to work together.”

Martin E. Berry