Date: 2022-01-20

By MADISON HIRNEISEN

THE CENTER SQUARE STAFF REPORTER

(The Center Square) — California state agencies lack assurance that their information is secure due to a lack of oversight by the California Department of Technology, according to a state audit released Tuesday.

The audit found that CDT has been “slow to assess the information security status” of all 108 state entities that report directly to Gov. Gavin Newsom. The department has “failed to proactively expand its capacity” to perform compliance audits of these entities, the report said.

As a result, the lack of oversight has “limited (the state’s) progress toward ensuring the security of its information,” wrote Acting California State Auditor Michael Tilden.

In its role, CDT is responsible for creating policies and procedures related to information technology and overseeing information security development among the state’s reporting entities.

But the audit found that the CDT has not been holding reporting entities accountable for failing to complete required self-assessments and “has not updated its security and privacy policy to align with federal standards.” Auditors concluded that many reporting entities are performing below recommended standards and are not making “sufficient progress” with information security development.

The oversight shortcomings mean California lacks a clear picture of the status of its information security. The audit notes that without proper information security, the state could be susceptible to cyberattacks that could “result in the disclosure of confidential information or the shutdown of critical information systems.”

During the pandemic, security threats intensified as cybercriminals targeted several California entities.

In June 2020, UC San Francisco paid out $1.14 million in ransom to cybercriminals targeting its School of Medicine, Forbes reported.

Criminals also targeted several county entities across the state. On Tuesday, Sacramento County announced it experienced 360 million unauthorized attempts to connect to county information systems in 2021 – equivalent to nearly one million attempts per day.

“It is now our reality that all U.S. government agencies, big or small, are a target for cybercriminals from all over the globe,” CIO and Director of Sacramento’s Department of Technology Rami Zakaria said in a statement. “We make every effort to be one step ahead of the millions who try to break in.”

In its response to the audit, CDT pushed back on many of the conclusions, noting that during the pandemic, the cybersecurity threat landscape “nearly quadrupled in the sophistication of attacks.” CDT said it anticipated the threat and “immediately scaled up” to support technological aspects of the pandemic response.

The department said that the pandemic “upended the conventional standards for evaluating cybersecurity threats,” noting that it is in the process of reevaluating the “metrics in the context of the cybersecurity ecosystem.”

“CDT has been cognizant of its oversight responsibilities even while pandemic response has taken priority over compliance audits,” officials wrote.

To address potential security issues, the state auditor recommends that the Legislature require CDT to submit an annual report on statewide information security, including a plan to help entities improve their security measures.

Additionally, auditors are recommending that the CDT increase its capacity to perform timely audits, which could include hiring more staff. Auditors also suggested the CDT use the information from entities’ self-assessments to identify key areas of improvement pertaining to security development.

Madison Hirneisen covers California for the Center Square.