A consultant hired by Gov. Kate Brown to conduct an independent assessment of management practices and security vulnerabilities at the state data center is instead using the bulk of the contract to help the state’s administrative department overhaul the way it charges other government agencies for technology services.
Brown called for the independent review of the data center in March, at the same time she revealed that hackers gained access to information about how data was stored at the center. It was the third high-profile state data breach in 13 months.
The data center stores information for government agencies including tax returns and health care records. It also stores state email correspondence, and although Brown did not mention it in her announcement about the independent review, state officials were also trying to figure out who leaked thousands of former Gov. John Kitzhaber’s emails to the Willamette Week newspaper.
The state signed a contract worth nearly $300,000 with the financial and management consultant The PFM Group on May 26, and the consultants immediately set to work interviewing more than 70 state employees and other people with an interest in the state’s centralized technology services to learn how the system could be improved.
By June 15, The PFM Group had completed its review of the data center’s management and security vulnerabilities and presented the results to the Governor’s Office.
Consultants summed up their findings in a 12-page slideshow document that lists general conclusions, for example, that the technology division had inadequate internal controls, lacked a formal quality assurance function and had “high levels of critical unfilled positions.” The PFM Group also concluded “the events of the last few months have their root causes in predominantly three areas: finances, management, leadership.”
The PFM Group presentation did not discuss the causes of the data breach Brown revealed in March. Matt Shelby, a spokesman for the Department of Administrative Services, which operates the data center, said the breach “was more of a structural issue.”
Shelby said The PFM Group’s work resulted in a couple of changes at the data center. Although the state already had an administrator in charge of security, Chief Information Security Officer Stefan Richards, security was just one component of the job for data center employees and no one at the center was completely focused on security.
“One of the things they found that they articulated to (State Chief Information Officer Alex Pettit) was the responsibility for security was spread out over a large number of individuals,” Shelby said.
Based on The PFM Group’s recommendations, Shelby said, the Department of Administrative Services reassigned some existing employees to focus on security and assigned the employees to work at the data center.
It was not a new idea. State auditors at the Secretary of State’s office had been looking into security problems at the data center since December 2014, and were wrapping up their work by the time The PFM Group began its review. Auditors, who had repeatedly identified security problems at the data center dating back to 2006, wrote that “when developing the data center, planners stressed the importance of establishing specific security functions, roles and responsibilities within the data center. However, this did not occur as planned.”
Auditors identified security problems at the data center in six previous public audits and at least as many confidential audits shared only with state officials due to security concerns about the specific details included. A consultant also identified some of the same concerns in 2008. However, the Department of Administrative Services never addressed many of the vulnerabilities, including management problems.
“In earlier audits, we found that management did not resolve security weaknesses because they did not clearly define or communicate security standards, or assign overall responsibility for managing the security function,” auditors wrote in the most recent audit. “Many identified security weaknesses continued to exist simply because nobody had the authority or responsibility to resolve them.”
The audit report was released in August, after the Department of Administrative Services finished writing its response to the review.
Unlike The PFM Group, state auditors did identify a long list of technical failures that caused security vulnerabilities at the data center.
For example, the Department of Administrative Services repeatedly purchased systems to detect cyber intruders but never fully implemented them. The data center also used obsolete devices, including a type of network device that was already outdated when the facility opened in 2006. Obsolete technology is more vulnerable to hackers because manufacturers soon stop providing updates to patch vulnerabilities.
“In 2014, the department requested and received additional funds from the Legislature to replace the hardware and other computing equipment,” auditors wrote. “Management indicated that they are hiring contracted staff to accelerate the replacement of the obsolete equipment, but the project will continue well through 2016.”
Meanwhile, The PFM Group continues to work on the new methodology for the Department of Administrative Services to charge other government agencies for technology services. Shelby said the goal is to make it clearer what services agencies receive when they pay for centralized technology services.
“That work needs to be wrapped up by the end of this year because we need to present a new rate structure and budget request to the Legislature in (February),” Shelby wrote in an email.