Rep. Jason Murphey
Perhaps no effort to shrink the size of state government has been more aggressive than the attempt to consolidate the state’s massive information technology infrastructure. As part of this reform, we included a robust reporting requirement in the legislation that mandated the reform.
This requirement asks state officials to submit a report detailing the progress of the consolidation. We must collect this data in order to ensure the legislation is having its intended consequence and change the consolidation laws as needed to maximize cost savings and increase efficiency.
Every three months, State Chief Information Officer Alex Pettit has released an update to this report. The just-released 1st quarter report highlights the savings from the reform and describes various cost-saving aspects of the plan.
The report also provides accountability as it details the IT agency’s performance metrics. These metrics clearly show how IT employees are performing in their efforts to assist state agency employees and taxpayers who interface with state government. Last year, the Legislature passed our modernization agenda’s performance metrics proposal, and I believe the IT agency is the first to apply these important transparency processes.
Seeing how state officials are aggressively cutting through and eliminating expensive processes is inspiring and encouraging.
But here’s the scary part.
Towards the back of the report, the reader is updated on the consolidated IT operation’s efforts to address the state’s IT security needs. This section features an infographic detailing each consolidated state agency’s security shortcomings. The graphic is alarming because prior to the consolidation, many agencies had been operating without appropriate security procedures.
Consider the case of a well-known state agency. Prior to consolidation, the agency was operating with no firewall, no antivirus, no incident response criteria or endpoint encryption, and no network monitoring. In fact, out of 11 security indicators, this agency only complied with one.
What was the result? Every point-of-sale terminal operated by the agency had been compromised. This meant that taxpayer credit card information and identities were subject to theft from a state agency’s website. And, to make things worse, parts of the agency’s network were under the control of hackers from China.
Here are some other examples.
A state agency delivered background check information in an unencrypted plain text format via a publicly accessible interface. And, consider this: a state agency charged with adjudicating state employee medical claims operated without a firewall, making the agency susceptible to data theft through trojan horse injections. This meant that hackers could have accessed the unencrypted medical information of state employees. In addition, one of the state education agencies exposed personal identity details of students.
Here is the even scarier part. While everything described above has been mitigated because of consolidation, approximately one-third of state agencies have been consolidated to date. This means some of the largest state agencies are likely still putting your information at risk.
Even though it is now clear that these agencies have been putting taxpayer information at risk for years, far too many agency directors refused to cooperate with consolidation and determinedly fought against the passage of legislation and its implementation. Did they realize what they were doing all during this time? Was their opposition in part due to their fear that these facts would come out?
At some point, I suspect and hope that media entities are going to discover and act on this information. The public needs to become aware of what has really been going on all this time. They must know how inefficient and unwise government practices have placed them at such risk.
This also makes the point for a smaller state government. A smaller, less intrusive government has much less need for your personal data. The best way to keep state government from losing data is to eliminate the processes requiring its collection.
Perhaps no reform would go further to reducing the government’s dependence on your data than the complete elimination of the state income tax. But that is a subject for a future article.