California Agencies Long Overdue for Major Cybersecurity Upgrades, Experts Say

Identity theft, fraud, ransomware: Cybercrime has become a grim fact of life for schools, utilities, government agencies — really, any operation that uses networked computing. Even here in tech-saturated California.

Ancient software, understaffing and mismanagement have plagued state and local agencies for years. That was painfully evident during the height of the pandemic when the California Employment Development Department was caught completely unprepared for a massive surge in demand, as well as a surge in hackers keen to get a piece of the action.

The agency's vulnerabilities were fully exposed last fall when district attorneys from across the state announced that some 30,000 fake unemployment claims had been filed in the names of people incarcerated in California.

The unprecedented infusion of federal funds into unemployment insurance programs across the country last year "gave individuals and organized criminal groups a high-value target to exploit," according to the U.S. Labor Department.

According to the Federal Trade Commission, identity theft complaints in California jumped from 101,614 in 2019 to 147,386 in 2020, a nearly 50% increase. Specific complaints about government documents and benefits fraud soared during that time, from 3,407 to 14,875.

And although the problem flared during the coronavirus pandemic, it's been mounting for decades.

"It’s hard to make it tangible until it’s too late," said Matt Masterson, who teaches at Stanford’s Internet Observatory, following a stint as a senior adviser at the U.S. Cybersecurity and Infrastructure Security Agency (CISA). "All your systems are locked up, and those same people that have been asking for support either end up getting fired or being moved along because 'How could you let this happen?' "

High-profile, massively disruptive cyberattacks in the U.S. — like the recent SolarWinds and Colonial Pipeline hacks — have effectively underscored the vulnerability of the nation's critical infrastructure. Acknowledging this, President Biden just signed a broad executive order that aims to strengthen cybersecurity for federal networks and outline new security standards for commercial software used by both business and the public.

But in their recent op-ed in The Hill, Masterson and former CISA Director Chris Krebs also emphasize the need for federal funding to help state and local agencies around the country get up to speed. The U.S., they argue, needs a new approach to the “new normal of cyber enabled malicious activity.”

"Whether it’s at the grid level, whether it’s water-treatment plants, whether it’s county sheriff’s offices, right? That’s a matter of public safety," Masterson said. "Investment in this, like any infrastructure, has to be ongoing, but man, now’s the time to have this conversation."

Sure enough, a bipartisan group of House lawmakers this week reintroduced a bill to provide state and local governments with $500 million annually to defend against cyberattacks. (It was passed by the House last year, but did not get a vote in the U.S. Senate.)

But some California lawmakers, like Silicon Valley Democratic Rep. Ro Khanna, worry that providing money without direction for how to spend it won't solve the problem.

"Money is not sufficient," he said. "The question is the execution. We need far more expertise from actual technologists than relying on the same people who 'specialize' on technology in the Beltway that aren’t up to date on what the latest techniques are. It’s really going to take a partnership with leading technologists, leading people in design, a move away from some of the legacy systems."

Khanna has hit on an obvious first fix, some experts say. State and local agencies could start by switching to commercially available software and systems. And although those wouldn’t be impervious to hacking — no system is — they carry the benefit of receiving the close attention of software engineers all over the world.

"How do we help move some of these institutions, for instance, off of running their own email servers [and getting them] up into the cloud — where we know that you can provide greater protection — where companies that provide that support have more advanced security apparatus?" Masterson said.

Even internationally funded cyberterrorists, he adds, commonly take advantage of easy opportunities like weak passwords and old software. "All they're doing is exploiting already known vulnerabilities: systems that aren't updated, systems that aren't patched, systems that aren't supported anymore," Masterson said.

Given California's unexpected budget surplus this spring, not to mention the glut of in-state IT talent, some are also asking why the state needs to wait for help from the federal government.

"We have all the tools to solve this. We have outstanding people at universities. We have extraordinary people in the private sector," Khanna said. "We need to think about how we get people in technology to answer the nation's call to service at a time we're going through a digital revolution."