Tim Smith, The Greenville News
Columbia, SC - Not all cabinet agencies have fully implemented cyber security protections that some experts and lawmakers say are basic steps in protecting taxpayers' information, almost three months after a foreign hacker conducted a massive data breach at the state Revenue Department.
Some agencies surveyed by GreenvilleOnline.com said they use two of the protections - encryption and a multi-password system - in parts of their system or were working toward full implementation. Others said they are considering such steps or that their systems did not have the level of personal data in their computer systems that would require full implementation.
Only one agency responding to the survey - the state Department of Probation, Pardons and Parole - responded without qualifications it had the full basic protections experts say could have significantly reduced the chances of a data breach at DOR.
Their responses underscore the fact that nearly three months after the DOR breach was publicly disclosed, officials do not know the exact state of cyber security at all state agencies. Some legislators have argued that the state must centralize its security policies and enforcement so that all agencies follow the same procedures to protect their data.
All of the cabinet agencies surveyed reported their systems were being monitored or were in the process of being monitored in accordance with an executive order by Gov. Nikki Haley.
And five agencies reported attacks by hackers on their websites, the most recent of which was the publicized defacement of the website for the state Department of Employment and Workforce on Dec. 22.
Two agencies - the State Law Enforcement Division and the Department of Motor Vehicles - declined to respond to the survey citing security concerns.
"Any state agency that answers these questions is making themselves more vulnerable to hackers," said Beth Parks, a DMV spokeswoman. "We do not discuss our security measures or systems to ensure we don't open ourselves up to intrusions."
Other agencies responded to the survey but expressed concerns that showing their individual answers might make them more vulnerable to attack.
Rep. Bruce Bannister of Greenville, House majority leader and chairman of the House committee investigating the DOR breach, said the responses by cabinet agencies to the GreenvilleOnline.com survey highlights how fragmented and inconsistent cyber security is in state government.
Sen. Kevin Bryant, who chairs the Senate committee looking into the breach, said agencies that are not implementing encryption and a multi-password system may be forced to by lawmakers.
"I'm alarmed that hasn't been done already," he said of agencies implementing the protections. "It's not optional. I would bet the legislation that forced them to would be unanimous."
Rob Godfrey, a spokesman for Haley, said the fact that cabinet agencies had complied with the governor's order requiring network monitoring "will greatly enhance our security."
"As to the rest of the questions, we have hired an IT Security consultant to study South Carolina's vulnerabilities and make recommendations for changes - and we look forward to working with the General Assembly to implement them as soon as they are delivered," he said.
The survey did not include DOR, which at the time of the September 2012 breach was not using a multi-password system, did not encrypt all its sensitive data and had declined free monitoring services by the state's information technology office for its network. Experts have told lawmakers that those steps are considered basic by many organizations with large databases of sensitive information and could have significantly reduced the chances of the agency's data being breached.
DOR has since begun implementing full encryption and a multi-password system, though a former cyber security officer with the agency told lawmakers last week that he doesn't believe the agency as yet has fully encrypted all its PCs and laptops.