Call to Order and Roll Call
The second meeting of the Interim Joint Committee on State Government was held on Wednesday, July 24, 2013, at 1:00 PM, in Room 154 of the Capitol Annex. Representative Brent Yonts, Chair, called the meeting to order, and the secretary called the roll.
Present were:
Members: Senator Joe Bowen, Co-Chair; Representative Brent Yonts, Co-Chair; Senators Walter Blevins Jr., Ernie Harris, Stan Humphries, Christian McDaniel, Morgan McGarvey, Gerald Neal, R. J. Palmer II, Albert Robinson, and Damon Thayer; Representatives Kevin Bratcher, Dwight Butler, John Carney, Leslie Combs, Joseph Fischer, Derrick Graham, Mike Harmon, Kenny Imes, James Kay II, Martha Jane King, Jimmie Lee, Mary Lou Marzian, David Meade, Brad Montell, Sannie Overly, Darryl Owens, Tanya Pullin, Tom Riner, Steven Rudy, Sal Santoro, Kevin Sinnette, Diane St. Onge, John Will Stacy, Tommy Thompson, John Tilley, Tommy Turner, Ken Upchurch, Gerald Watkins, and Jim Wayne.
Guests: Kentucky Auditor of Public Accounts Adam Edelen; Thomas Pageler, DocuSign; and Lieutenant General Harry Raduege, Jr. (USAF, Ret.).
LRC Staff: Judy Fritz, Kevin Devlin, Alisha Miller, Karen Powell, Shantez Riley, and Peggy Sciantarelli.
Recognitions
Representative Yonts welcomed Representative James Kay, new member of the General Assembly and the Interim Joint Committee on State Government, and Shantez Riley, new graduate fellow.
Approval of Minutes
The minutes of the June 19 meeting were approved without objection upon motion by Senator Bowen.
Cybersecurity Challenges
Representative Yonts advised that Elliot Schlanger, Secretary of Information Technology and Chief Information Officer (CIO) for the state of Maryland, was unable to attend the meeting, but his written testimony is included in the meeting folders. Mr. Schlanger said that Maryland has often been recognized as an epicenter of cybersecurity subject-matter expertise and best practices. Maryland has created state cybersecurity law (MD Senate Bill 676). The law specifies that state and local government units, as well as state contractors and service providers, must implement and maintain “reasonable security procedures and practices” that are set forth in a written information security policy. Maryland shares cyber information; collaborates on cybersecurity issues with internal and external stakeholders; has key cybersecurity partnerships with the Maryland Air National Guard, Baltimore FBI Cyber Security Unit, and NSA Cyber Command; and also promotes extensive cyber training, awareness, and education. Mr. Schlanger said he would be glad to appropriately share best practices and lessons learned with his colleagues in Kentucky.
Representative Yonts welcomed Auditor of Public Accounts Adam Edelen and complimented him for bringing this important topic forward. Mr. Edelen said he feels his office should be a force for modernization and reform in state government. The role of the Auditor’s Office (APA) as cyber watchdog has been established for many years. The Office conducts cyber (IT) audits and vulnerability assessments for state and other agencies in which technology has a significant impact on the processing and reporting of confidential information. The audits in many instances find that agencies continue to have IT concerns identified year after year with limited attention or resolve. Shining additional light on the issue may assist in focusing more attention toward resolving risks to cybersecurity. Kentucky is one of only four states without a breach notification law; if an agency in state government inadvertently releases confidential information about Kentucky taxpayers, the Commonwealth is not required by law to notify the taxpayer. APA hopes to do all possible to ensure that Kentucky does not suffer a data breach similar to the 2012 breach in South Carolina, where critical information for every taxpayer and business holder in the state was released to the public and so far has resulted in a cost of over $30 million. Opportunities exist to strengthen the security of Kentucky’s systems and data. APA will work for enactment of a breach notification law for Kentucky state agencies, as well as other laws to strengthen cyber security. Having the weight of law may play an important role in achieving the desired level of security. It is also important that any future requirements placed in statute are achievable.
Mr. Edelen said it is also APA’s goal to strengthen its relationship and the policies that are in place with the Commonwealth Office of Technology (COT). He commended the recent hiring of COT’s new CIO, James Fowler, and suggested that he, too, would welcome the opportunity to share his perspective with the Interim Joint Committee on State Government. Many states already mandate ongoing review of cyber policies, and so should Kentucky. APA wants to continue working closely with COT to ensure that systems and data are properly secured and to identify new opportunities as the state continues the consolidation of IT resources and functions under COT. APA also wants to continue evaluating IT testing areas and methodology and addressing the evolving risks posed by the ever changing IT environment. APA plans to release a separate report of its IT findings and recommendations; the report will be written in layman’s terms and presented in a manner that will not jeopardize the Commonwealth’s security. APA also wants to work with the Legislative Research Commission, the National Governors’ Association (NGA), and other organizations in the forefront of policy making. NGA will be releasing policy recommendations relating to cybersecurity in September 2013.
Mr. Edelen introduced the other guest speakers and stated that they represent two of the best and brightest minds in the field of cybersecurity: Thomas Pageler, Chief Information Security Officer, DocuSign, and Lieutenant General Harry Raduege, Jr. (USAF, Retired), Chairman, Deloitte Center for Cyber Innovation.
Before joining DocuSign, Mr. Pageler served as Deputy Chief Information Security Officer for JPMorgan Chase, where he led cybersecurity, fraud prevention and protective intelligence for the firm. Prior to his role at JPMorgan Chase, he was the Head of Risk Assessments and Director of Fraud Control for Visa. He served as a special agent with the United States Secret Service before going to private industry.
Mr. Pageler’s discussion and PowerPoint presentation focused on the importance of cybersecurity, cybersecurity adversaries and their methods, a brief history of cyber warfare, future trends in cybersecurity, government sector data breaches, and costs of the cyber threat and how to defend against it. Mr. Pageler said cyber threats are increasing and becoming more pervasive, sophisticated, and organized. Cyber adversaries include fraudsters and hackers; organized crime; protestors and hacktivists whose motive is not financial; and “nation state actors.” Third-party threats come from outside entities intending to disrupt business or steal data. Internal threats, also known as employee misuse, could be attempted extortion or accidental. He explained the structure and hierarchy of organized crime in the cyber world and profiled four notorious cyber fraudsters: Roman Vega, Dmitri Godvbov, Albert Gonzalez, and Vladislav Horohorin. He also discussed major cyber attacks that occurred internationally between 1970 and 2012, underground cyber fraud markets, exploitation techniques, and the response cycle for detecting existing and emerging threats. Malware, compromised accounts, threats against industry, and politically motivated threats are the main areas of focus. The attack by Russian cyber criminals on Georgian web sites during the 2008 Russian/Georgian war is an example of state-sponsored attacks.
Cybersecurity has elevated in priority. Methods to counterattack future cyber threats include a Cybersecurity Executive Order; state and federal laws and initiatives; industry forums; new regulations; and offensive capabilities yet to be determined, such as possible revision of federal laws relating to cyber attacks. The government sector has experienced a steady increase in the number of records exposed. From January 1, 2009, to May 31, 2012, there were 268 breach incidents in government agencies involving over 94 million records containing personally identifiable information. Portable devices are the leading type of records breach.
According to the Verizon Data Breach Report, which is done jointly with the U. S. Secret Service every year, the cost of a data breach can be as high as $100 million. Bankruptcy, though rare, was the result of four recorded incidents in 2011. Regulatory fines from a recent breach at Stanford University have reached about $90 million. Ponemon Institute’s 2011 Cost of Data Breach Study assessed the cost at $194 per lost record. Cybersecurity preventive measures are expensive but much less costly than the alternative.
Mr. Pageler explained the security systems and services provided by DocuSign, the leader in encryption of customer data and recognized globally as a leader in security. He also suggested consulting with officials in South Carolina, where they are learning from past mistakes and will be implementing stronger security measures.
General Raduege said he joined Deloitte after retiring from 35 years in the U. S. military, where he worked in the area of technology that included telecommunications, space, information, and network operations. He served more than 17 years in joint duty assignments and was a four-time federal activity CIO. In his last position, he led Department of Defense netcentric operations as the Director of the Defense Information Systems Agency. In his seven-plus years with Deloitte, he has continued to work in the information technology/information management and cyber space arenas. In January 2008 he also was appointed as one of four co-chairs of the special presidential Commission on Cybersecurity.
General Raduege’s PowerPoint presentation included information on threats, targets, and counters in the world of cybersecurity; what global experts are thinking about cybersecurity; President Obama’s February 2013 Executive Order entitled “Improving Critical Infrastructure Cybersecurity” and Presidential Policy Directive (PPD-21); critical infrastructure; and Deloitte’s 2012 NASCIO (National Association of State Chief Information Officers) Cybersecurity Study.
General Raduege said that everyone should assume their information network has or will be compromised—not if, but when. He reviewed the types of threats to cybersecurity: identity theft, information manipulation from malicious software (Malware), cyber assaults/bullying, advanced persistent threats from malicious software that extracts information over a period of time, credit card fraud, insider threats, espionage, cyber attacks, transnational threats, attacks of software “boomerangs,” and the potential for terrorism. Targets include federal, state, and local governments; industry; universities and colleges; and individuals. One way to counter cybersecurity threats is through creation of a cyber workforce in which employees are trained and educated to have cyber awareness. Other counters include network access controls like firewalls and anti-virus software, monitoring of outbound activity, dynamic situational awareness, open source information, and forensic analysis that can be shared with others. Substantial research is underway in the field of cyber analytics. Experts differ on the benefits of legislation as a counter.
The East West Institute is preparing for its fourth Worldwide Cybersecurity Summit. In surveying global experts and senior leaders from government and industry who are aware of cybersecurity issues, the Institute found that 54 percent of experts doubt their organization is capable of defending against a sophisticated cyber attack, and 61 percent fear losing global connectivity. Sixty-six percent think home users need to take more responsibility for cybersecurity, and 66 percent view their government’s maturity as low regarding international cooperation. General Raduege said he is working with various nations on the possibility of an agreement to designate certain critical infrastructure as off-limits. Sixty-six percent of experts surveyed think a cyber warfare treaty is needed or overdue.
General Raduege said that South Carolina’s Department of Revenue was a target-rich environment for a cyber attack. When it occurred, the information of 1.6 million individuals from 1996 forward was compromised. The attack had been at work for approximately one month before being discovered. Data loss from government impacts citizen trust and potentially impacts state business. High-profile cyber attacks from loose-knit, politically motivated groups are increasing. The dynamic “battlefield” is constantly changing. Recent developments have elevated cybersecurity to a governor-level issue, and a number of governors have taken a strong stand.
The goal of the Executive Order (EO) and PPD signed by the President on February 12, 2013, is to improve cybersecurity information sharing and develop and implement risk-based critical infrastructure standards through a public-private partnership. The National Institute of Standards and Technology (NIST) is leading a public-private collaboration to build a cybersecurity framework for the nation that will hopefully be in place in February 2014. The new EO defines “critical infrastructure at greatest risk” as infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
General Raduege reviewed key milestones of the EO for the public and private sectors. The near-term 150-day milestones have been reached. A preliminary cybersecurity framework for the public sector should be ready for review in October 2013. The final framework is to be issued in February 2014, along with reports relating to program participation, privacy risks, and regulatory requirements. The Federal Department of Homeland Security and other federal agencies will likely play a pivotal role in information sharing. State and local governments need to look for funding opportunities from the federal government to implement a cybersecurity framework. The EO will be a catalyst for the Commonwealth of Kentucky to embrace a cybersecurity framework and its potential impact on critical infrastructure. Deloitte has been an active participant in a National Policy Council for State Cybersecurity formed by the National Governors’ Association and has been helping shape policy recommendations for governors.
There are 16 industry sectors defined as critical infrastructure, with 85 percent in private sector hands. Critical infrastructure examples include agriculture and food; communications; dams; emergency services; health care and public health; transportation systems; and water and wastewater systems. In addition, other operations and activities are indirectly involved with critical infrastructure sectors.
General Raduege said that Deloitte’s 2012 update of its NASCIO Cybersecurity Study is available in print and electronic format and is downloadable from www.deloitte.com. He believes the potential for a “perfect storm” is here. States routinely rely on the Internet and hold the most comprehensive collection of personally identifiable information. State and local government agencies account for more than 20 percent of data breaches reported in the United States. Cyber crime is more prevalent and more insidious than any other crime, and cyber criminals are more organized and effective than ever. The President and his cabinet have made cybersecurity a national priority. Key messages for the Commonwealth of Kentucky are to understand the state’s risks, start and sustain an information security program, and establish laws for reporting cyber risks. Cybersecurity is about risk management. Protection cannot be complete, but it begins with identification of critical infrastructure and databases. The concluding slide presented by General Raduege outlined a cybersecurity state “roadmap”: assess the risk and share results with business stakeholders; strategize to address risks and threats; invest in cybersecurity solutions; and educate, measure, report, and share your story.
When Representative Owens asked what states can do to combat the problem, Mr. Edelen said it is important to view it with the mindset of a risk management business. The challenge is to continue to build a protective wall more quickly than the fraudsters can build tools to scale the wall. The process requires vigilance from everyone and assurance that policymakers and others who have a role in serving the public are doing everything possible to build the wall a little taller each day.
When Senator Harris questioned the safety of home users’ electronic products, many of which are made overseas, General Raduege said that is a valid concern. Even American-made products often contain foreign components, and it is important to buy from trusted vendors. He cautioned that thumb drives—often handed out free of charge and probably foreign made—have been found to automatically transmit information without the user’s knowledge as soon as plugged in. Counterfeiting of products is also a growing concern.
Senator Bowen asked about the estimated cost of providing adequate security for Kentucky state government systems and whether any states might serve as models. Mr. Edelen said that attaining full encryption is part of COT’s business plan but that the agency’s new CIO could better address questions about cost. The state of Maryland has been a leader in the cybersecurity effort.
When Representative Riner asked about the potential impact of an electromagnetic pulse (EMP) attack that could disable power grids and all electronic devices, General Raduege said that is a big concern. Depending on the position of an EMP attack, it could have devastating effects. Sophisticated attacks via the Internet can also have devastating effects.
Representative St. Onge asked about the “sleeper” element when personal information is infiltrated and how to prevent stolen personal data from being used at some time in the future. Mr. Pageler said that the victim’s credit should be monitored, ideally for two years. Theft of only a name and account number is easier to repair; however, in cases where someone’s complete identity is stolen, the recovery process is time consuming and could take years. The cause of the initial data breach needs to be determined to prevent recurrence and in order to “close the door” in the vulnerable software.
General Raduege said that cybersecurity is a dynamic environment that is constantly changing. He proposed four simple terms applicable to cybersecurity: people, processes, technology, and policy. All four must work together and evolve continually to address concerns that can arise in cyber space. The Commonwealth of Kentucky and other states can work together through organizations like NASCIO and the Multi-State Information Sharing and Analysis Center (MS-ISAC) in order to learn from others and address current and future security issues.
Representative Carney voiced concern about the safety of electronic data in the school system. General Raduege said that is a great point. He also said it is important to make children aware that today’s Facebook entry is tomorrow’s resume—it will never go away. People should also be aware that information that is general public knowledge can also be of concern. Mr. Pageler suggested that the Commonwealth evaluate areas of priority for encryption; perhaps Department of Education data would be rated a top priority.
Representative Watkins referred to the recent case of former National Security Agency employee Edward Snowden, a high school dropout who leaked classified information. He said it seems that both government and industry should be more thorough in hiring and monitoring of employees in highly sensitive positions. General Raduege said it is important to know an employee’s personal habits, and maybe the investigative procedures were not as strong as they should have been in this particular case. People given access to classified information undergo rigorous security clearance background checks. He personally was subjected to a thorough investigation recently for renewal of his security clearance. He believes security and investigation procedures have been stepped up and will become increasingly more rigorous.
When Representative King asked where Kentucky state government stands with respect to anti-malware and data encryption, Mr. Edelen said that security measures are currently somewhat of a “hodgepodge.” Not all state government data is encrypted. However, COT is executing a plan to reach full encryption within the next two or three years. He emphasized that cybersecurity is everyone’s business and not just within the purview of technical experts. He urged that policymakers enact a breach notification law so that Kentucky will not be among the four states that lack this provision.
Representative Yonts thanked the speakers and said they have gotten the committee’s attention. Several members previously commended the speakers’ presentations and expressed thanks.
Subcommittee Report
Senator Bowen, Co-Chair of the Task Force on Elections, Constitutional Amendments, and Intergovernmental Affairs, read the report of the Task Force’s July 23 meeting. The report was adopted without objection, upon motion by Senator Thayer.
Adjournment
Representative Yonts announced that the committee will not meet in August due to the scheduled special session. Business concluded, the meeting adjourned at 3:00 p.m.