The state of Idaho has been working since the appointment of Jeff Weak, director of information security, in January to improve the security of its online information.
“We have to have somebody way up in the food chain” of state government to be able to respond to cybersecurity threats, said Lt. Gov. Brad Little, who served as chairman of a task force that recommended the creation of the new digital office.
One recommendation was training. Employees under the executive branch – because the governor doesn’t have control over the staff of constitutional officers, the Legislature, and the Judiciary, Weak said – had to complete cybersecurity awareness training by March 30. The program was run by the state’s human resources department and was tied to staff raises, he said. By early April, the completion rate was 98.5 percent among the 19,329 employees. “We had a few stragglers,” he said – including one in the governor’s office, whom he didn’t name.
The training was provided by KnowBe4, a Clearwater, Florida, company the state hired through an invitation to bid by specifying parameters and accepting the lowest bid that met all of them. The training, which cost $40,000, takes 30 to 45 minutes to complete.
Previously, there was no overall cybersecurity awareness training for state workers, Weak said.
“There were pockets of training,” in agencies that dealt with personally identifiable information such as Social Security numbers and medical information under the Health Insurance Portability and Accountability Act (HIPAA).
Managers and executives also undergo the new training. “They’re the targets for a lot of these criminals,” he said. “We didn’t exempt anyone.”
Little was one of the first government staffers to take the cybersecurity training. “I didn’t get a hundred the first time through,” he admitted. “I missed some things.”
Another change is the reorganization of the state information technology and cybersecurity administration into a new office, the Office of Information Technology Services, directly under the governor, Weak said. That will take effect on July 1, and then, “immediately we’ll start to look at efforts for further consolidation across the state,” Weak said, noting that some services may be duplicated 50 or 60 times now in Idaho.
While some agencies will still have their own projects, like the Department of Transportation’s “Internet of Things” highway sensors, Weak’s goal is to provide commodities such as internet service and email, so agencies can focus on day-to-day business, he said. That could mean saving money through consolidating procurements, as well as improving security by having a single point of contact for installing and maintaining hardware and software.
That could also mean consolidating the servers themselves, perhaps in a few centralized data centers or in the cloud, Weak said. “If you have 2,000 servers, that’s 2,000 attack surfaces,” he said. “That’s 2,000 servers you have to patch.”
First, Weak has to meet and work with all the agencies to find out what works best for each one, he said. Some agencies already have fairly robust cybersecurity setups, while some other agencies with just one or two information technology people don’t have enough time to do cybersecurity thoroughly. “It’s hard for them to get into the weeds on a security issue or migrate a new product,” he said.
Now, Weak is going through a vulnerability assessment provided by the National Institute of Standards and Technology. The assessment checks system configurations and performs virus scans. This summer, that will likely be followed up with “penetration testing,” where the state hires a third party to try to break into the state system, he said.