When website hacking hits home [Editorial]

Howard County Times

For those already skeptical about hopping on the Internet to pay bills or order merchandise, last weekend's hacking of Howard County government's website is likely to validate their concerns about security.

The county executive was quick to issue a statement that there "was no breach of data and no personal information was compromised" when a pro-Islamic State group that claimed credit for the cyberattack hobbled the site and posted propaganda.

Nevertheless, the attack took the site offline for almost a full day and has prompted broader questions about the security of government-operated websites. The group that apparently mounted the attack on Howard's site also posted similar messages on government sites in Ohio, New York and Washington state.

Cyberattacks and data breaches in the private and public sectors continue to climb. Data breaches documented on federal government systems in 2006 were 5,503 and reached 77,183 in 2015, according to a report to Congress by the Government Accountability Office.

Another GAO report noted "malicious attacks on computer systems are happening at alarming rates and are posing serious risks to key government operations." That report was written 19 years ago.

While there has been progress in strengthening firewalls and other security software against malicious attacks, a paper presented last month by researchers at Carnegie Mellon University's Security and Privacy Institute, one of the nation's premier computer security centers, said "the state of operational network security continues to be abysmal."

Howard County's website provides the convenience of transactional services, a fancy way of saying taxes, parking tickets or water bills can be paid via an online interface. These services are provided by third-party vendors who have contracts with the county and collect a fee for processing the money.

What was lacking in the county's statement on the weekend breach is a broader overview of how those vendors are protecting personal data, how strong their defenses are to cybercriminals and who's liable if personal information is stolen and used by identity thieves.

If hackers can get in the front door of a basic government website like Howard's, it's conceivable they can go deeper inside other government and private systems that control traffic lights, telecommunications, utility plants, financial records and more.

The county's new chief technology officer, who will head the Department of Technology and Communications Services, starts on the job July 10. One of her first duties needs to be providing assurances that the county's systems are as safe as they can be.

Copyright © 2019, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad