Tuesday, September 18, 2018
Respond to this story


Audit: From taxes to payroll, state government data not safe

Larger view
Gopal Khana, chief information officer in Minnesota, says internal access issues are being addressed, and external security measures are working. (MPR Photo/Tim Pugmire)
For the second time this year, government investigators are warning about potential security problems in state computers. Hackers have not yet breached any computers since the weaknesses were highlighted last spring. But a new report issued on Wednesday by the Office of the Legislative Auditor says the private data stored by various state agencies are still at risk.

St. Paul, Minn. — Eight months ago, a state investigation found serious security flaws in the Department of Public Safety's system for online renewal of vehicle license tabs. There was no evidence that any hackers had gotten in and stolen motorists' private information, but state officials shut down the Web site to fix the problems. Other department Web sites were also checked for security weaknesses.

With the release of his latest report, Legislative Auditor James Nobles told lawmakers that the state's most important computers remain vulnerable.

"It's mainframe computers. Those are the big machines that store a lot of data and perform many core state functions. and because they're not adequately secured, that means that data in those machines are subject to too much risk, to too much unauthorized access and to too much abuse," he said.

Those three mainframe computers are critical to the state's business operations, which include social service programs, tax collection, licensing and state employee payroll.

Chris Buse, of the Office of the Legislative Auditor, says one of the security weaknesses comes from granting too much access. He says many state workers can view private information that is not required to perform their jobs. Buse says he also found security measures for some programs could be easily bypassed.

"Security controls in state government in general are unacceptable," he said. "We are guarding too many fronts with too few resources without sufficient planning or leadership. That's the current state that we're in today."

Buse says the state needs more computer security specialists. But he says those professionals are in high demand, and state salaries can't compete with what they can earn in the private sector.

Oversight of the mainframe computers now falls under the responsibilities of the Office of Enterprise Technology -- OET. The 2005 Legislature created the new agency to fill that missing leadership role over state government computers.

Gopal Khana has been on the job at OET for just three months as its chief information officer. He says he generally accepts the Legislative Auditor's assessment but not the magnitude of the actual risk. Khana says internal access issues are being addressed, and external security measures are working.

"We monitor the systems on an ongoing basis to make sure that there is no external breach. Now, do people try and get into the systems? Sure. Any computer anywhere in the world is constantly being attacked now. What that level of activity is has to be managed on an ongoing basis by any security program that's in place," he said.

Khana says he's preparing a comprehensive plan that will spell out the goals and the needs of the Office of Enterprise Technology. He's also looking to hire a security officer for the agency.

Sen. Warren Limmer, R-Maple Grove, says the ultimate responsibility still rests with the Legislature.

"Essentially we're the ones that control the keys to the data that the state of Minnesota collects. We're the ones that are going to have to ultimately be the keepers of those keys, and make sure that despite all of the modern opportunities to gain more information through unvirtuous means that we have to be on guard for it," Limmer said.

Meanwhile, the Department of Public Safety continues working a new version of its online vehicle registration system. Deputy Commissioner Mary Ellison wouldn't specify a date, but she told members of the Legislative Audit Commission that a secure Web site should be ready soon.