Lessons from Utah's Massive Data Breach
Utah's former CIO Steve Fletcher says cybersecurity is everyone's job.
Just a few years ago, Utah CIO Steve Fletcher was garnering recognition and praise from his peers for leading the state's enterprisewide IT consolidation and centralization. He was even named a 2010 Public Official of the Year by this magazine. Today, he's looking for a new job -- a casualty of a cybercrime epidemic that's rapidly becoming a Catch-22 for technology officials.
Fletcher submitted his resignation in May, after Utah IT officials discovered that health and Medicaid data for nearly 800,000 residents -- including 280,000 Social Security numbers -- had been stolen from a poorly secured server operated by the state's Department of Technology Services. The massive breach couldn't have come at worse time for Fletcher, whose boss, Gov. Gary Herbert, is running for re-election. Along with accepting his CIO's resignation, Herbert launched a statewide security audit and appointed a new health data security ombudsman.
For Fletcher, the new focus on information security obviously comes too late. "Until you have a breach, nobody really wants to step up and pay extra money for security," he says.
In the four months preceding the event, cyberattacks against state information systems had spiked by 600 percent, leaving IT staff stretched dangerously thin. "We had so many attacks that we were fighting those fires as opposed to spending resources to scan our network," Fletcher explains.
He says the state's 18-month budget cycle makes it tough to react to quickly evolving cyberthreats-and eliminating security risks is flat-out expensive. In a perfect world, for instance, the health information sitting on that compromised server would have been encrypted, so that even if hackers got to the data, they couldn't read it. But that would have cost an extra $10 million to $12 million the state didn't have.
What's the solution? Better data classification, Fletcher says. Instead of trying to provide high-level protection for all information collected and used by agencies, governments need to get better at sorting data into categories based on its sensitivity and importance. Once those categories are established, they can be matched to the right security measures-highly sensitive records get the best, most expensive safeguards; mundane stuff gets less attention.
Many agencies balk at the idea because sorting and classifying the mountains of data they collect is much harder than it sounds. But good classification schemes, coupled with clear-eyed risk analysis, would go a long way toward both strengthening information security and making it more affordable. "That would be so much more effective and people would sleep a lot better," Fletcher says.
For that to happen, however, cybersecurity can't be just the CIO's problem. Agency managers and policymakers will need to be part of the solution. Until then, IT security remains a no-win situation for public CIOs.
Ironically, Fletcher says it's a testament to Utah's security organization that the state could spot abnormal traffic on its computer network, which led to the discovery of the breach. In some other organizations, he says, the situation could have gone unnoticed.
But that's cold comfort for the highly regarded CIO -- and I suspect many of his peers will be tossing and turning at night until cybersecurity is a business problem instead of a technology problem.