Caden Rosenbaum and Gavin Hickman: How to fix Utah’s cybersecurity problem

Governments are experiencing an uptick in cyberattacks because they don’t have the resources to ward off attacks.

(Tony Gutierrez | The Associated Press) Signs on a bank of computers tell visitors that the machines are not working at the public library in Wilmer, Texas, Thursday, Aug. 22, 2019. Cyberattacks that recently crippled nearly two dozen Texas cities have put other local governments on guard.

Even in the grand scale of data points we willingly hand over on the web, the most sensitive information is often in the hands of government agencies. However, despite numerous consumer data privacy laws taking effect in multiple states, none of them apply to data policies within government agencies.

Worse, governments are experiencing an uptick in cyberattacks because they don’t have the resources to ward off attacks. Whether it’s ransomware attacks, DDoS attacks or general data leaks, an alarming trend of targeted attacks on state agencies, local governments and critical infrastructure has resulted in massive disruptions to people’s lives, the loss of irreplaceable stores of data and the breach of sensitive information.

The Beehive State is no exception.

Recent audits of Utah’s cyber resilience and information practices found that Utah state and local government agencies have inadequate employee training or vague protocols. Levels of completion of cybersecurity awareness and readiness training varied between state agencies and the judiciary, leaving much to be desired in terms of basic completion.

Cybersecurity frameworks and protocols, which would ordinarily serve as guidelines for handling cyberattacks, were also found to be either vague or outdated — if the entity adopted them at all. Cities especially lagged behind, experiencing the highest rate of successful cyberattacks, likely due to inadequate vulnerability scanning that results when cities don’t have policies in place.

To add to the problem, the amount of information Utah’s state and local agencies collect is sometimes unnecessary.

For example, hospital visitors seeking birth certificates were given copious amounts of paperwork in order to receive this basic service. Some of that information was voluntary and used for research. But in many cases, it was unclear that a person could opt out of responding.

In a perfect world, the solution would have three parts: (1) mandatory cybersecurity training for state and local employees with clear cybersecurity frameworks and protocols; (2) updated software and network infrastructure; and (3) clear notices when a person may opt out of responding. The auditor’s recommendations expressed as much.

But in reality, as technology advances, new threats will emerge over the horizon that require frameworks and protocols we can’t anticipate. That’s where regular statewide audits play a vital role.

In this sense, Utah actually leads the country in being proactive about cyber resilience. The state may have raised some concerning red flags, but because it has taken the step to audit and identify problems, it’s now perfectly positioned to solve them. That’s more than many other states have done. If Utah implements some of the auditor’s recommendations, it could wind up leading the country in cyber resilience.

Caden Rosenbaum

Caden Rosenbaum is the technology and innovation policy analyst at Libertas Institute in Lehi, Utah.

Gavin Hickman

Gavin Hickman is a technology and innovation policy intern at Libertas Institute in Lehi, Utah.
