Home to a network full of sensitive data about their citizens, state government computer systems are increasingly attractive targets for hackers.
“I think the threat to state and local government networks is pretty high,” said Michael Kaiser, executive director of the National Cyber Security Alliance. “State networks likely have more information about their residents than even the federal government does.”
Across the country, state networks often contain personal information for millions of residents that could be used by identity thieves. The computer systems often house Social Security numbers linked to state income taxes, birth and death records, driver’s license numbers and real estate records. If people use a credit card to pay a state agency, those records are also likely in the state network.
“The cyber criminals want to go where the data is,” Kaiser said. “They want to find places where networks are softer and easier to get into, and in a lot of cases, government networks are not as secure as they should be.”
Massachusetts is no exception and faces the same dangers threatening computer systems in the federal government, other state governments and the corporate world. There are nearly constant attempts to monitor, probe and infiltrate the commonwealth’s government networks, according to Massachusetts cyber security officials. The threats often come from international crime syndicates.
A Sept. 20 report by the National Association of State Chief Information Officers and consulting firm Deloitte & Touche found cybersecurity is the top priority for state IT officers across the nation. While funding, training and attracting qualified talent remain problems nationally, awareness of cybersecurity issues is rising throughout all levels of state governments, according to the report.
“Importantly, we have found that the message that ‘cybersecurity is everyone’s responsibility’ is seeing some traction,” NASCIO president Darryl Ackley said in a statement accompanying the report.
In Massachusetts, state IT officials and the Baker administration have identified cybersecurity as a major information technology priority. State cybersecurity officials say they have sufficient funding and resources to combat the threat and are working on expanding training programs for state employees.
The report from NASCIO and Deloitte & Touche surveyed chief information officers from 48 states and predicted “phishing” and “pharming” schemes targeting state employees would be among the most widespread threats to network security.
In a phishing scam, a criminal sends a fraudulent email to an unwitting state employee, hoping to get them to visit a fake website, where they are prompted to enter their network passwords or personal information.
Criminals engaging in a pharming scheme will tamper with an authentic website so it redirects internet users to a phony website that looks legitimate. As is the case with phishing, the goal of the scam is often to steal passwords and personal information.
Phishing and pharming schemes are also increasingly used to trick unwitting internet users into downloading malicious software, which can give hackers access to a network.
Cybercriminals also sometimes use the technique to install “ransomware” on a network. Last year, the Tewksbury Police Department fell victim to a ransomware attack and paid a $500 Bitcoin ransom to hackers in order to regain access to the files on the department’s computer network.
Swansea police were victimized by a similar ransomware program in 2013 and ended up paying hackers $750 in Bitcoins to regain access to their files.
In South Carolina, hackers breached the Department of Revenue’s computer network in 2012, stealing tax return records for 3.8 million residents, including their unencrypted Social Security numbers.
“When you think about the kinds of information that sits on state and local networks in various places, we just hope states don’t have to end up learning the hard way,” Kaiser said.