COLUMBIA, SC — South Carolina state computer chiefs gave low marks for their agencies’ ability to prevent data breaches and called for centralized computer security management in a report issued Tuesday.
And state agency computer information officers expect a high threat level of more breaches over the next five years.
“What scares me is what I don’t know,” an unnamed agency computer officer was quoted as saying in an interim report from the S.C. inspector general.
The report, ordered by Gov. Nikki Haley after hackers stole personal information belonging to 6.4 million consumers and businesses from the S.C. Department of Revenue, calls for ending state agencies running their own computer security
“This decentralized approach prevents the state from understanding, let alone managing, statewide (information security) risk,” the report states.
South Carolina should adopt a system used in most states, in which agencies operate under the same computer security policies run through a central authority. The system, known as federated, gives state agencies independence to run their own computer security networks but with a set of standards to meet.
The state should hire a chief information security officer and a consultant to help install the system, the report said. No costs were given. In the meantime, the state should designate an interim leader and create a steering committee to push stricter information security measures
Haley agrees with the report’s findings, her office said, and plans to discuss naming an interim security boss at the next full State Budget and Control Board meeting Dec. 12.
South Carolina has an agency, the Division of State Information Technology, that provides computer system services at a cost, but other state departments are not required to use them. Before the breach, the revenue department was not fully using the division’s free network monitoring system
The report recommends putting the new chief information security officer outside the division because of some historic friction with state agencies. The division’s director is scheduled to testify today during a hearing of a special Senate committee examining the cyberattack.
Sen. Kevin Bryant, an Anderson Republican who co-chairs the special committee, said he agrees with having a statewide security standard, but he said a private firm might be better able to help with cybersecurity.
“Technology is changing all the time,” he said. “Is a government agency capable of keeping up pace to protect my data?”
The inspector general’s report was sent to Haley’s office and top legislators to decide the next steps, S.C. Inspector General Patrick Malley said.
The report was based on discussions with managers of agency computer systems from South Carolina and other states and experts from universities, private consulting firms and industry trade groups.
Hackers stole tax information belonging to 3.8 million people with 1.9 million dependents and nearly 700,000 businesses in mid-September.