As South Carolina legislators consider reforms to the state’s computer security network, a top consultant is warning them to not do too much at once.
The House Ways & Means Committee is scheduled to take up a cyber-security bill next week in response to a massive hack at the state Department of Revenue (SCDOR) last fall that compromised over 3.8 million Social Security numbers.
As part of a state contract, New York-based Deloitte & Touche, LLC., conducted a six-week assessment of how the state operates and maintains its complicated computer networks and databases. The project’s lead director Michael Wyatt presented the findings to the committee Thursday.
“There is a crawl, walk, run model that needs to be in place here,” Wyatt told legislators. He said the recommendations would cost nearly $15 million to implement immediately, and over $7 million to maintain each year after that.
Right now, each state agency is largely responsible for its own information technology and security. There is a Division of State Information Technology (DSIT), but its purpose is to make recommendations and provide updates for agencies. However, it does monitor some agency and local government networks to watch for hackers. It was not responsible for monitoring SCDOR prior to the 2012 data breach.
Lawmakers want to create a new Department of Information Security, which was included in a bill the Senate passed last month. During Thursday’s meeting, House members made it clear that they want to move to a centralized network immediately. But Wyatt warned that may cause too much strain during the transition.
“You are not going to move from the current state to where you’d like to be overnight,” he said. “It’s going to be a multi-year program. It’s going to take some time.”
Instead, he pushed for what he called a “federated” model: creating an agency responsible for security policy, but making each state agency responsible for implementing those policies. Eventually the state could move to a centralized model after about five to ten years, he said.
Legislators asked whether it would be possible to transition at a quicker pace, noting the hacking aftermath had created a bipartisan opportunity for a permanent fix. “There won’t be the political will in ten years to make big changes,” State Rep. Chip Limehouse (R-Charleston) said. “Now’s the time to do whatever we’re going to do.”
The Deloitte assessment also strongly recommended better, constant training for state employees in computer use. Investigators believe the SCDOR hacker got into the agency’s databases by tricking at least one employee into opening a virus delivered by a malicious email.
Some legislators were concerned about language in the report that noted a hostile relationship between DSIT and other agencies. “Agencies have a degree of skepticism and distrust toward (DSIT) owing to a history of friction, primarily related to the cost of services provided,” the Deloitte assessment notes.
Rep. Harry Ott (D-St. Matthews) said that could not continue. “I don’t care how much money we spend,” he said. “If we don’t have employees that know what they’re doing and don’t trust each other, we’re just throwing more money down after a bad problem. That’s a big red flag for me.”
As per its contract, Deloitte & Touche will spend the next two years conducting more in-depth analysis and recommendations.