Audit: State computers at risk in hacking attacks

Jonathan Oosting
Detroit News Lansing Bureau

Lansing — A Michigan department tasked with managing the state’s vast computer network did not follow best practices to limit access, respond to vulnerabilities, test risks or update firewalls to protect data and equipment from cyber threats, according to a critical new state audit.

The three-year review by the Office of Auditor General, which concluded last fall, uncovered a series of “material conditions,” the most severe description of a problem used by state auditors.

The Department of Technology Management and Budget told auditors it has already made some improvements. And a spokesman told The Detroit News that “the data held within the state government network is safe and secure due to the many layers of protection in our security ecosystem.”

Recommendations by auditors included additional “phishing” exercises to measure the effectiveness of cyber security awareness training for state employees, which can reduce the risk of identity theft, unauthorized account use, stolen information and “damage to credibility, all which may take years for an organization to fully recover.”

Auditors conducted their own phishing experiment by sending out a fake email to 5,000 state workers. Of those, 32 percent opened the email, 25 percent clicked a link in the email and 945 shared their credentials, putting personal and government information at risk.

Gov. Rick Snyder, a former computer industry executive, has emphasized cyber security during his nearly eight years in office. Detroit has been the site of North American International Cyber Summits in recent years.

Snyder has argued that Michigan is leading cybersecurity efforts.

“Technological threats are constantly evolving, and that’s why cybersecurity is both so important and so challenging,” gubernatorial spokeswoman Anna Heaton said in a Friday email. “The governor is proud of Michigan being a model in developing responses to this type of threat, but this shows there are ways in which we can improve and we will ensure the department has the resources to do that.”

The new audit concluded the state technology department was “moderately sufficient” at designing and administering a secure information technology network, and had “moderately effective” security monitoring and access controls in place.

The department did not implement controls to ensure only authorized devices could access the state’s IT network, the audit said. It did not fully create an efficient process to update operating systems on network devices such as routers and firewalls to protect against “unintended weaknesses that could allow an attacker to compromise the availability, confidentiality, and integrity of the network.”

Senate Minority Leader Jim Ananich, D-Flint, said the audit revealed “yet another instance of incompetence” by the Snyder administration. It turns out, “business people just aren’t that good at running government,” he said in a statement.

Auditors reviewed 45 network devices and found five access accounts for employees who no longer worked for the state. They also determined the state government did not conduct required “authenticated vulnerability scans” on any of them and had conducted unauthenticated scans on six.

A scan requested by auditors revealed 82 high-risk and 167 medium-risk vulnerabilities on the 45 network devices, “a significant number of vulnerabilities supporting the need for regular scans.”

The audit recommended the state increase “penetration” testing efforts and attempt to duplicate the actions of potential adversaries who could carry out hostile cyber attacks.

The department agreed, saying that since the audit concluded in October 2017 it has been implementing a new system to scan vulnerabilities with “border protection and core devices, which helps ensure critical data infrastructure is protected.”

“Most potential attacks” are stopped there, DTMB said, indicating it uses a “risk-based approach.”

The audit release coincides with a push by Secretary of State Ruth Johnson to create a new online voter registration system, like 38 other states, that would rely on electronic access to Michigan’s voter information database. The Senate approved enabling legislation Thursday in a 35-1 vote.

The audit didn’t uncover any data exposure and was not focused on elections systems, Johnson spokesman Fred Woodhams said in a Friday email.

The Bureau of Elections is “using the latest defenses against unauthorized access” and is “continuously monitored for suspicious activity,” Woodhams said. “Defending against hackers is a never-ending effort because the bad guys are constantly evolving their methods, and the state of Michigan must as well.”

The proposed online voter registration system will be built using the latest technology to verify individuals with added features that go beyond current systems, he said.

“Michigan voters should be confident in our elections system because we have many checks and balances built in throughout, and ultimately, all voters use paper ballots,” Woodhams said. “If ever there is a question about the results of an election, we can go back and hand-count them.”

The technology department disagreed with some findings in the audit and highlighted various new and updated security protocols, including user authentication required to access state systems and multifactor authentication required for administrative access.

The department agreed with the audit finding that it had not established effective controls over the management of firewalls, including periodic review of rulesets used to protect the network from threats. The technology and management department told auditors it implemented an automated firewall rule audit process in early 2015 and is working to decommission older rules.

“The auditor general did a thorough job of reviewing our complex network environment,” said spokesman Caleb Buhs. “The recommendations that they made reflect best business practices, many of which we have already begun to implement. This audit provides us with a good roadmap for prioritizing future technology infrastructure investments.”
