Information Technology Department Commissioner Denis Goulet is recommending NuHarbor Security Inc. of Essex Junction, Vt. to conduct the near-$500,000 review over the next year, with a one-year renewal option with the consent of both parties.
The state's two-year public works or capital budget is paying for the $499,000 contract.
NuHarbor was chosen from among 12 regional and national experts in the field who competed for the job.
"Cybersecurity is hot now and we ended up with a roomful of responses," said Goulet of the request for proposal process that started last January. "What we are looking for is what is the best fit for New Hampshire and think we have found it."
The council will take up the contract at its meeting Wednesday morning at the Seacoast Science Center in Rye.
Goulet said the state's privacy controls get audited "almost continually" by commercial and government actors, from the credit card industry and the FBI to the IRS and the Centers for Medicare and Medicaid Services.
"All of them are looking at security and compliance and we do fine in those audits. They are all focused on their little segment of the world. This is more comprehensive," Goulet said.
"We want this looking at strategy and activities around those policies; not only are our policies effective but are there any soft spots? I expect the findings to teach us how we can improve our cybersecurity posture in New Hampshire.
"I operate under the principle that we can always get better."
Last May, the council confirmed Goulet to a second four-year term as IT chief and both Republican and Democratic governors have recommended him for the post.
The bids ranged from a low of $111,000 to more than $500,000. NuHarbor's core bid was $259,000, but Goulet is asking the council to allow him to fund other activities beyond the basic risk assessment, including the cost to fix any flaws that are found in the system.
"As a public entity, the State of New Hampshire is exposed to the full range of cyberthreats on a continual basis: malware, botnets, ransomware, and denial of service attacks do not discriminate - any network connected to the Internet is exposed to these threats," Goulet wrote in a memo to the council on the contract.
"The old boundaries of cybersecurity and cyberattacks are disappearing — from the network perimeter, to distinct types of malware, to nation-state tactics vs. that of the cybercriminal."
The bad actors are getting more and more creative, he said.
"These actors doing the ransomware continue to get more sophisticated and this is a real challenge for municipalities that is a real budget crunch for them," Goulet said.
The state on its own would not be able to do this assessment, he said.
"In addition to determining gaps or shortfalls in the State's cybersecurity posture, a key outcome of this assessment will be a roadmap to improve the security, readiness and effectiveness of the state of New Hampshire's cybersecurity posture," Goulet said.
"The alternative - without this contract - would leave DoIT and the state executive branch agencies with minimal ability to assess cybersecurity gaps and vulnerabilities across our enterprise networks, servers and applications that contain sensitive and confidential citizen and state data."
Last July, federal officials with the U.S. Secret Service began a criminal investigation after hundreds of computers belonging to Strafford County were infected with a virus believed to have originated overseas.
In 2017, the Weare Police Department reported it had been the victim of a week-long hack and malware cyberattack, with attackers selling sensitive data, including payroll information, for cryptocurrency.
Goulet's agency is working with Margaret M.L. Byrnes, executive director with the NH Municipal Association, on co-hosting a cybersecurity summit for local officials.
In late July, the Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) all issued a joint advisory to local government partners.
"The leading authorities refer to the big three to keep your operations safe. Back up your systems, do cyberawareness training and have an incident response plan so you know what you are going to do when bad things happen," Goulet added.
©2019 The New Hampshire Union Leader (Manchester, N.H.). Distributed by Tribune Content Agency, LLC.