Editorial: Legislature must overhaul cybersecurity

THERE HAS been universal agreement that we would overhaul our state’s approach to cybersecurity ever since Gov. Nikki Haley announced that her Department of Revenue had been infiltrated by hackers, who made off with the Social Security numbers and other sensitive financial information of 6.4 million individuals and businesses in our state.

House and Senate leaders appointed special panels, which heard days and days of testimony from state officials and national security experts. The Senate panel wrote a plan to reduce our vulnerabilities, and the Senate passed it.

The bill creates a central authority to set and enforce IT security standards across the government. It’s not written perfectly, but it’s a lot better than our disjointed status quo, which allows each agency to determine how careful to be with our private data, even though agency directors aren’t experts in cybersecurity and might not want to spend money or adopt time-consuming security procedures.

Meantime, the House panel kept meeting. And producing nothing.

Then Ways and Means Chairman Brian White rolled out two proposals to create a whole new agency to oversee cybersecurity in state agencies. One would be overseen by a legislatively controlled commission; the other would pretend to be overseen by a director appointed by the governor, but would empower a legislatively controlled commission to veto his decisions. On Tuesday, after three meetings, the committee gave up; representatives said they didn’t want to rush into adopting something just to adopt something.

Rush? Not to put too fine a point on it, but the notoriously ponderous Senate managed to pass a plan. A month and a half ago.

It’s true that the language of cybersecurity can be daunting. But the Legislature doesn’t have to come up with a cybersecurity plan. It has to come up with a governance plan. And the governing principles are pretty straightforward:

Our state’s central information technology division has no authority to set standards, much less enforce them, so Revenue was free to ignore its recommendations.

We got hacked because no one was taking computer security seriously enough. The people in charge of the Revenue Department didn’t know or apparently care much about cybersecurity. They knew about taxes, much as the people in charge of most agencies know about the service they provide.

What we need is a central office that can set and enforce security standards across state government. It should report directly to the governor rather than a commission, because having one boss instead of multiple bosses leads to faster and surer responses to problems. And the governor ought to be able to hire and fire that director.

It would be extremely difficult for the House to pass such a bill in the three days left in the regular session. Difficult, but not impossible.

The cybersecurity attack at the Revenue Department will haunt South Carolinians for decades.

There is money in the budget for credit monitoring, but that’s restitution, not solution. It is inconceivable, and unacceptable, that our Legislature would leave town without putting the mechanisms in place to protect us from further attacks.