- Associated Press - Monday, December 15, 2014

OLYMPIA, Wash. (AP) - Tests done earlier this year at five state agencies show Washington state needs to improve compliance with security standards to guard against cyberattacks, an audit released Monday found.

The audit by the office of state Auditor Troy Kelley showed that of 1,035 components tested over several months earlier this year, investigators found close to 350 instances in which the agencies were not in full compliance with security protocols.

“We’re not specifically concerned only with those five agencies,” Kelley said. “We thought they were indicative of state government across the board.”

The auditor’s office said the areas that had the highest noncompliance risk involved application security, data security and operations management. Auditors also ran application security tests to assess whether applications and their underlying infrastructure were vulnerable to attack and found 46 issues at the five agencies, seven of which were deemed a critical risk, meaning that the effect would be wide and “almost certain to be exploited.” Another 12 were found to be of high risk, meaning they could be exploited by an attacker with minimal skills.

All of the agencies have either fixed or are working to fix the issues, the auditor’s report said.



The agencies tested were not disclosed, nor were detailed findings, because of concern that hackers could use the information to attack the state.

Michael Cockrill, the state’s chief information officer, said that at the end of the audit “we had a better, stronger security posture than at the beginning.”

“If there’s one key message that everybody should hear is that the keeping state’s data safe takes coordination and cooperation, and that’s what you’re seeing here,” he said.

Kelley said that separately, the auditor’s office did a review of its own standards. The results were similar to what was found with the agencies that were tested. Because of that, Kelley said they’ve since hired a chief information officer to ensure their protocols are up to date and followed.

Last year, state officials alerted the public that the Washington state Administrative Office of the Courts was hacked sometime between the end of 2012 and early 2013. A state audit earlier this year found that confidential data, including Social Security numbers and tax information, was on some surplus state computers that had been set aside for sale or donation.

Cockrill wouldn’t say whether there have been recent successful attacks, saying that by talking about specifics, “What I would be doing is increasing the risk.”

“Every organization is constantly under attack,” he said. “There are different levels of that threat. What we do every day is continue to mitigate that threat.”

The audit’s recommendations include having the state’s chief information officer revise the state’s security standards and evaluate and revise the current processes agencies use to report the status of their compliance yearly.

Also Monday, state Rep. Zack Hudgins, D-Tukwila, said he is drafting a package of bills to address cybersecurity issues. The 105-day legislative session begins Jan. 12.


Copyright © 2019 The Washington Times, LLC.
