The overwhelming majority of California’s state agencies are ill-prepared to defend against cyberattacks, according to the state auditor, putting Social Security numbers, health records, and income tax information at risk for millions of Californians.
In a report issued on Tuesday, state auditor Elaine Howle said 73 of 77 state agencies that her department reviewed had not achieved compliance with cybersecurity standards. The California Department of Technology, responsible for ensuring the integrity of the state’s information systems, “does not provide adequate oversight or guidance to reporting entities,” Howle wrote.
So as not to provide a guide for hackers on which agencies to target, they were not identified by name. While four reported full compliance with security standards, one reported complete noncompliance, and the rest reported partial compliance.
Asked by the Washington Examiner how California had managed to avoid any major breaches of its computer systems to date, Howle responded, “I really don’t have an answer to that question.” The important thing going forward, she said, is “to make sure state agencies follow the guidelines and the standards that are out there so that we mitigate any breaches.”
It was an unexpected outcome of the audit. Agencies self-report their level of compliance with the standards by responding to a questionnaire, and in 2014, most had stated that they were having no problems. Auditors said the technology department “was unaware that many reporting entities had not complied” with its standards, with 37 out of 41 reporting that they were in compliance last year. Auditors said it was because questionnaires were too difficult to understand and that questions were too broad.
“We literally went to the State Administrative Manual,” Howle told the Examiner, referencing the manual that contains the state’s guidelines on cybersecurity. “We developed a survey document electronically that would allow us to itemize … specific details about each and every standard.”
The audit also found that the security guidelines themselves posed a problem for interviewees. “One survey respondent stated that provisions of the security standards contained in the State Administrative Manual are ambiguous, confusing, and complex,” the audit stated.
Agencies expected to comply with the standards reviewed by the state auditor are those reporting to the governor’s office. Five prominent agencies do not fall within that jurisdiction, including the state treasurer, the state controller, the Department of Justice, the Secretary of State’s Office, and the California State Board of Equalization, which administers miscellaneous tax programs. Additionally, 20 agencies chose not to respond to the assessment.
The report recalls the federal cybersecurity breach disclosed this year involving the theft of personnel files on 22 million people from the Office of Personnel Management’s systems. As the eighth largest economy in the world, the report says, “the state presents a prime target for similar information security breaches.”
The auditor’s office recommended that the Department of Technology do more to assert itself in the affairs of noncompliant agencies. It asked that the department do more to monitor whether agencies were in compliance, and recommended that the legislature pass a law enabling the department to take over other agencies’ cybersecurity budgets as it deemed necessary.
In spite of the difficulties, the report also notes, California’s data centers still manage to repel “thousands of hacking attempts every month.”
