A CONFLUENCE of cybersecurity buzz-generators (entrepreneurial, serendipitous and opportunistic) conspired to thrust the state Revenue Department's failure to protect our most sensitive financial information back into the spotlight this week.
The entrepreneurial reminder came when Experian, the credit bureau that the state gave an emergency $12 million contract last fall to provide credit monitoring for a year, sent out another round of come-ons trying to convince South Carolinians to buy its service. The notices were emailed three days before we could start signing up for the monitoring that we already paid for through our state taxes, provided by a cheaper contract that the state negotiated with CSIdentity Corp. A contract Experian had refused even to bid on. At least this month's sales pitch didn't imply that the state wasn't providing credit monitoring, as the one in September had.
The serendipitous reminders came from two Republican constitutional officers observing National Cyber Security Awareness Month. And how did we miss that irony last year, when Gov. Nikki Haley announced, in the middle of it, that cyberthieves had lifted the tax returns (think Social Security and bank account numbers) of 6.4 million individuals and businesses from her Revenue Department?
Attorney General Alan Wilson invited law enforcement to a training session on identity-theft investigations, and in the week's most bizarre move, Superintendent Mick Zais' Education Department held an Employee Document Shred Day. That's certainly useful for protecting important paper documents, which lots of us don't do so well, but I'm not sure what it has to do with cybersecurity. The Revenue Department could have shredded every last piece of paper it possessed, and cyberthieves still would have our data in a far more dangerous form than paper.
The opportunistic reminder came from the state Democratic Party, which held a week-long series of silent vigils to call attention to the one-yearish anniversary of what party officials call Gov. Haley's failure to protect our financial data, followed by a 16-day cover-up before she announced the breach. (The attack occurred in September, the federal government informed the governor Oct. 10, and she announced it on Oct. 26.)
The questions of whether the governor was responsible for the fiasco and whether she was honest in its immediate aftermath are legitimate topics for debate in the gubernatorial campaign. And I have no doubt that they will be debated.
What I'm more pessimistic about, a year on, is whether the larger issues will be addressed.
For all we heard about who's to blame and how to sign up for credit protection (go to scidprotection.com or call 855-880-2743), what we didn't hear a thing about (from the governor or the Republicans in the Legislature or the Democrats in or out of the Legislature) was how we fix the systemic problems that ultimately invited the largest breach of state government data in the country to occur here in South Carolina.
Simply fixing the security procedures at the Revenue Department to make sure that no one else steals our financial data is necessary (and indications are that this has been done), but it's not adequate. Neither is it adequate for every government agency in South Carolina to review and update its own cybersecurity policies, though that too is necessary, and incomplete.
What we need, what we have a right to expect, is a system that requires smarter security and that can recognize the absence of that long before our vulnerabilities turn into disasters.
Yet the Legislature failed this session to create such a system; in fact, even though the Senate passed a bill that moves in that direction, no one even put forward a plan that includes all of the elements we need. Instead, legislators essentially threw up their hands in despair because all this cybersecurity stuff feels so foreign, the language so daunting.
But the Legislature doesn't have to design a cybersecurity plan. It has to come up with a governance plan. And the principles are straightforward.
Our state's central information technology division has no authority to set standards, much less enforce them, so the Revenue Department was free to ignore its recommendations. As are all state agencies.
We got hacked because no one was taking computer security seriously enough. The people in charge of the Revenue Department didn't know or apparently care much about it.
What we need is a central office that can set and enforce security standards across state government. It should report directly to the governor rather than a commission, because having one boss instead of multiple bosses leads to faster and surer responses to problems.
And the Legislature needs to start acting like a Legislature and provide oversight of state agencies, not just the Revenue Department, but the entire state government. That starts with knowing enough about how each agency operates to recognize its vulnerabilities, which our Legislature simply is not capable of today.
Ms. Scoppe can be reached at firstname.lastname@example.org.