BOISE — Idaho plans to hire a new director of Information Security to help oversee cybersecurity at state agencies and address vulnerabilities to hacking or attacks.
The creation of the new position, which would be part of the governor’s office, stems from the recommendations of the Cybersecurity Task Force and is one of 10 cybersecurity-related measures Gov. C.L. “Butch” Otter promulgated by executive order Monday.
Among other points in the order, Otter is also ordering state agencies to implement a new cybersecurity framework, and he is directing executive branch agencies to submit employee cybersecurity and training plans to the new director of Information Security. The Department of Administration is being directed to create a state cybersecurity website and to facilitate annual testing of the state’s systems.
“This is trying to get some uniformity,” said Lt. Gov. Brad Little, who headed the task force and who had experience in cybersecurity from his previous work in banking.
The task force was created in July 2015 and included state agency directors and specialists from the private sector.
In summer 2016, a hacker breached the Idaho Department of Fish and Game’s data and accessed people’s personal information as part of a hack hitting people in several other states as well, prompting Fish and Game to suspend online sales of hunting and fishing licenses.
“I appreciate the diligence and hard work of the members of the task force in addressing this critical and urgent issue,” Otter said in a statement. “We learned this past year, firsthand, just how real the threat of cyberattacks is when the Department of Fish and Game’s licensing vendor was hacked. Having a comprehensive plan to protect the personal information of our citizens must be a top priority.”
Some of the larger state agencies, such as the departments of Health and Welfare, Labor, and Transportation, do their IT and cybersecurity work in-house. Ones that receive large amounts of federal dollars, Little said, have to comply with certain requirements — Health and Welfare for example, he said, has to do seven cyber-audits a year.
Smaller agencies often either leave the work to the Department of Administration or contract it to outside vendors. Fish and Game’s licensing site, for example, is run by a company based in Texas.
“It’s a mixed bag,” Little said.
Little said ensuring cybersecurity is a more important part of state government than ever, both as more government data is stored online and as hacking proliferates. People need to be confident, he said, that when they perform transactions with the state online their personal information will be safe.
“This is us assuring them that their privacy and their data will be secured,” he said.