Director: State data safe despite audit findings
Lansing — The state’s chief information officer assured legislators Thursday that the state’s computer network was safe despite audit findings indicating 14 weaknesses in the system.
“The data held within the state government network is safe,” Dave DeVries said during a hearing Thursday. “I can say that unequivocally as CIO and as director of Department of Technology, Management and Budget.
“I know that our data is secure and, if it’s not, the first call will be to the governor and the second will be to the legislators.”
DeVries told legislators on the House oversight committee Thursday that he is updating the state’s policies and procedures regarding cyber security. He said the department is working to implement and properly document the execution of cyber security policy.
DeVries’ testimony came after a more than 50-page report from the Office of Auditor General that noted cyber security weaknesses in the state’s technology department. Testimony regarding the issue is expected to resume next week.
The March audit report found the DTMB did not follow best practices to respond to vulnerabilities, limit access, test risks or update firewalls, leaving state data and equipment vulnerable to cyber threats.
The DTMB has an annual budget of $1.4 billion, has roughly 3,000 employees and is responsible for services for more than 49,600 state employees.
“Given the nature of the data held by the state, this type of security breach would have significant ramifications if that were to occur,” Doug Ringler, director of the Office of Auditor General, told legislators. “The public needs to be able to trust the state won’t compromise on data security.”
Ringler and his team went through each of the audit findings, noting that cyber security threats are “rapidly evolving” and the audit’s findings come from a “place of abundant caution.”
In one instance cited in the March report, auditors sent out a fake “phishing” email to 5,000 state workers. Of those workers, 32 percent opened the email, 25 percent clicked a link in the email body, and 945 shared their credentials.
In another instance, auditors reviewed 45 network devices and found five access accounts for employees who no longer worked for the state.
DeVries, who started in his role in September, previously spent three years as the deputy chief information officer for the Department of Defense and, in 2016, became chief information officer for the U.S. Office of Personnel Management.
DeVries said he was thankful for the audit’s proposed changes, but he emphasized the state’s network data was safe because of the multiple layers of protection in the network’s “ecosystem.”
“The auditors come in and they evaluate you against your policies,” DeVries said. “That’s how they measure us, so if I haven’t kept up to date on my policies and I’ve changed my procedures, that’s a finding and that’s where I got to resolve those things.”
He said some of the audit findings stem from the fact that many of the procedures audited were under the jurisdiction of individual agencies, but have since migrated under the DTMB.
Auditors on several occasions Thursday declined to answer some of the legislators’ questions, citing “sensitive” information that could put the network and data at further risk.
Rep. Joe Graves, chairman of the oversight committee, said he has spoken privately with auditors to understand the risks considered too sensitive for disclosure.
Graves, R-Argentine Township, said the committee’s review of the issue will be slow and methodical given “the difficulties of understanding the IT world.”
“I’m not confident that we’re safe and secure yet, but I think we’re getting there,” he said.