The terms vary — phishing, hacktivism and whaling are just a few — but they all represent serious cybersecurity threats increasingly menacing state governments throughout the U.S., some Texas state senators were told Wednesday.
“Unfortunately, the bad guys are getting very, very innovative in their approaches” to stealing data or disrupting an organization’s functions, said Doug Robinson, executive director of the National Association of State Chief Information Officers.
Robinson made his comments at the state Capitol during the inaugural meeting of the Senate Select Committee on Cybersecurity, a newly created panel studying the cybersecurity risks and vulnerabilities facing Texas state agencies. Along with a similar House committee, the panel is charged with reporting its findings and recommendations for improvement to the full Legislature by Jan. 13, 2019.
State Sen. Jane Nelson, chairwoman of the Senate committee, noted at the start of the event that state government collects “mountains” of sensitive information and must ensure its safety.
“Cybersecurity will be one of the greatest challenges of our time, because data is becoming the new oil in terms of its value,” said Nelson, R-Flower Mound. “Our personal data is at risk like never before.”
Nancy Rainosek, chief information security officer at the Texas Department of Information Resources, said the state already blocks “billions of malicious attacks coming in each month” — an assertion that took some committee members aback and prompted them to ask her if she had misspoken.
Rainosek said “phishing” has been among the most serious threats faced by the state. Phishing is a scam in which a culprit attempts to obtain sensitive information — such as passwords or user names — by pretending to be trustworthy.
“Whaling” is similar, except the culprit masquerades as a high-ranking official.
However, Robinson said that hackers and other cyber criminals are constantly innovating and changing tactics. So it’s critical for state governments throughout the U.S. and other stewards of sensitive information to do so as well to stay ahead of them, he said.
“This (threat) is going to be with us, and we are going to have to pay more and more attention to it” nationwide, he said. Assessing and curbing cybersecurity threats “is not a project that is going to end.”
He also told the panel that most state governments aren’t spending enough on cybersecurity, although he didn’t comment on Texas’ spending specifically.
“We believe the funding (for cybersecurity) is inadequate and not commensurate with the risk” in most states, Robinson said in a brief interview outside the meeting room. But he said it might be possible for some states to address the issue by redirecting money currently being spent on information technology to cybersecurity.
The Texas Cybersecurity Act — which created the new Senate and House committees studying the issue — was approved by the Legislature in the spring and signed by Gov. Greg Abbott over the summer. Among other things, the new law mandates increased cybersecurity training, continuous monitoring and auditing of the state’s computer systems and development of a response plan to be used by the state when cyberattacks occur.
A separate new law signed by Abbott — the Texas Cybercrime Act — established new classes of criminal offenses, including for “electronic access interference,” “electronic data tampering” and “unlawful decryption.”
News on Open Source is free and unlimited. Access to the rest of 512tech.com comes with an American-Statesman digital subscription, which also includes myStatesman.com and the ePaper edition. Subscribe at statesman.com/subscribe.