Opinion: Washington Should Brace for Next Security Breach

With state agencies' IT teams largely operating independently, neither the state's outgoing chief information officer nor his successor can be certain all state government business is being conducted securely.

Digital image of a closed padlock on top of lines of code.
Shutterstock/ranjith ravindran
(TNS) — The state's top tech official says he's "extremely" concerned that state computer systems may be vulnerable to hackers. Leaders better listen.

With state agencies' information technology teams largely operating independently, neither the state's outgoing Chief Information Officer  James Weaver  nor his successor can be certain all state government business is being conducted securely.

When asked if the setup is a disaster waiting to happen, Weaver was unequivocal:

"Candidly, the answer is yes."

Pending legislation seeks to fix the problem, but Washington shouldn't wait for legislative gears to finish turning. Gov.  Jay Inslee  should order his agencies to conduct an immediate audit of the state's tech environment.

Months after hackers breached the 20-year-old file-transfer platform used by the State Auditor's Office, the state's central IT experts don't have a complete picture of the risks and vulnerabilities across state government. Each agency is responsible for managing its compliance with state security standards. About 98% self-report yearly inventories to the state Office of the Chief Information Officer, according to WaTech, but that requirement doesn't include the Legislature, judicial branch or most of higher education.

Washington's consolidated technology services agency, WaTech, which is charged with setting strategic direction for IT security, has little authority to make sure those standards are followed. It tries to encourage best practice by offering services like free security design reviews, security and vulnerability assessments. Clearly, that is not enough.

In a March 4 hearing before the Senate Labor, Commerce and Tribal Affairs committee, the Auditor's Director of Administrative Services  Janel Roper  said the agency had no evidence it was using "an old or outdated product" or that it was taking a risk using the legacy software.

But, in a news release, Accellion's Chief Information Security Officer  Frank Balonis  said the company had been encouraging FTA customers for three years to migrate to a new, more secure platform, called kiteworks. The Auditor's Office made that shift in January — too late for Washingtonians whose Social Security numbers and banking information were exposed in the breach.

Engrossed Substitute Senate Bill 5432 would give WaTech's Office of Cybersecurity to develop a centralized cybersecurity protocol for state government and provide formal guidance on best practices. The bill, sponsored by Sen.  Reuven Carlyle , D- Seattle, passed the Senate unanimously and has been referred to the House Committee on State Government and Tribal Relations.

Nevertheless, once enacted, the law would take months to take effect. The cybersecurity office would have until July 1, 2022, to present a plan to lawmakers, including possible accountability measures to ensure agencies are meeting security standards. It orders an independent audit of state agency information technology to be completed by Aug. 31, 2022. Bad actors could create a lot of havoc in the interim.

Inslee must use his authority to ensure state data and systems are secure.

(c)2021 The Seattle Times. Distributed by Tribune Content Agency, LLC.