The State of Idaho’s Cybersecurity

I’ve spent more than two decades working in the tech sector and know that, as important as cybersecurity is in keeping an organization secure and in business, it is easily overlooked. When up against deadlines and budgetary constraints, security can easily be put on the back burner. However, when the organization in question is the Idaho State government, it’s a much larger problem that could compromise our personal information like tax records, DMV, and voter data, to name only a few important examples. More than identity theft is at risk–we also are exposing the state to the monetary theft of our taxpayer money, resources, and funds that would be spent on an emergency response to a cyber attack.

A recent study by IBM estimates that a data breach costs $7.91 million.

While the stakes are high, it’s very hard to know if security is being neglected. It’s quite easy to tell if a roadway is being underfunded: after a few winters, the road will be full of potholes that create hazardous conditions and require taxpayers to spend tens of thousands of dollars in repairs to their vehicles. Unfortunately, it’s not so obvious when cybersecurity is being underfunded. With recent compromises of Idaho government systems, however, we see clear signs that there are serious “potholes” in Idaho’s cybersecurity program:

Webroot states that Idaho is the ninth riskiest state for cybersecurity in the nation.

Lieutenant Governor Brad Little has established the Idaho cybersecurity initiative to protect Idaho’s intellectual properties, state resources, and data systems, but is it working?

Knowing the importance of cybersecurity, I’ve engaged cybersecurity leaders in Idaho who have confirmed that several state websites, including the cybersecurity initiative site itself, have known, easily identifiable, and preventable vulnerabilities. My Chief Security Officer, Jerry Decime, responsibly disclosed these vulnerabilities to State Chief Information Security Officer Lance Wyatt on August 25, but as of today, September 6, they are still not resolved.

A state employee who logs into this or several other state websites could be fooled by a fake log-in prompt into passing their credentials to an attacker who could further compromise state systems.

When it comes to cybersecurity, there is a very important difference between saying you care about it and actually achieving and maintaining secure online systems. As your Lieutenant Governor, I will ensure the state’s cybersecurity initiative gets the attention and support it needs to keep Idaho government systems and data safe. Let’s make #IdahoStronger and #VoteForTheVet Kristin Collum on Nov. 6th!