SACRAMENTO (AP) — California lawmakers at a hearing Wednesday accused officials from the Department of Technology of failing to protect state agencies considered vulnerable to hacking.
The review follows a critical report by state Auditor Elaine Howle, who found holes in the online security of 73 of 77 agencies she reviewed last year. The technology department has not been providing agencies with sufficient training or qualified workers to keep up with cybersecurity protocols, Howle said Wednesday.
Three California departments have particularly troubling information security gaps: the judicial branch, the Public Utilities Commission and the Board of Equalization, Howle told lawmakers Wednesday. Those offices are not subject to the same standards other agencies must follow.
“This is horrible,” Assemblywoman Jacqui Irwin, D-Thousand Oaks, said. “It’s just unacceptable for the State of California to have these types of results — that departments are not complying and protecting our residents’ information.”
Members of the Assembly Committee on Privacy and Consumer Protection and the Select Committee on Cybersecurity pressed technology officials to acknowledge the risks and clarify what is being done. They said the state Department of Technology has failed to hold meetings with state agencies, does not have enough qualified staff and is not updating lawmakers on its efforts.
“This audit is very disturbing to all of us,” said Irwin, chairwoman of the cybersecurity committee.
Michele Robinson, the chief information security officer for the state technology department, said the state’s cybersecurity is not as bad as the auditor claims.
Robinson said some cybersecurity safeguards are insufficient, but she defended her department’s approach and said a new program being implemented in the next six months may allow her team to better identify vulnerabilities.
“I think we’ve made great strides and we’re working very diligently to address all of the findings and the problems that were identified,” Robinson told reporters after speaking to the committees. “I agree there are legitimate concerns, and we are working diligently to address them.”
The department asked the Legislature for an additional $1.5 million this year to pay for 11 full-time positions focusing on auditing state agencies’ attempts to protect sensitive information.
Currently, most agencies self-report their cybersecurity infrastructure. Howle’s audit in August found that of the 41 agencies that self-identified as compliant last year, 37 were actually not adequately equipped.
Assemblyman Ed Chau, D-Arcadia, said the Legislature could have provided aid sooner if the department had asked.
Assemblyman Jim Cooper, D-Elk Grove, asked Robinson to explain why the department has been flying groups of agency employees to Sacramento for training instead of sending technology experts to the agencies.
“We have not traveled to departments in the past, but we are willing to do that,” Robinson said.
Gov. Jerry Brown’s emergency services director, Mark Ghilarducci, told lawmakers a task force created last year may have a rough plan in early March to coordinate California’s cybersecurity efforts.
Chau said cyberattacks are not theoretical risks. Hollywood Presbyterian Medical Center paid $17,000 in ransom to computer hackers earlier this month. In January, hackers threatened to target Sacramento if political demands were not met.