
Auditors Find Cyber Weaknesses Across Kansas Government

Roughly half of Kansas government agencies — including key departments, public universities and K-12 schools — investigated by state auditors have significant information security weaknesses.

(TNS) — Roughly half of Kansas government agencies — including key departments, public universities and K-12 schools — investigated by state auditors in recent years have significant information security weaknesses, despite efforts to guard against a major hack or breach.

The shortfalls collectively place Kansas at greater risk of cyberattacks and other security incidents, according to a report released this week by the Legislature’s auditing arm.

Auditors found “significant weaknesses in several security control areas” across the 20 audited agencies, the report says.

The window into Kansas’ information technology security situation comes at a time when examples are regularly emerging of government agencies, major organizations and businesses across the United States falling prey to hacks and ransom attacks that hold sensitive data hostage.

Nearly all of the Kansas agencies didn’t adequately scan or patch computers to keep them secure, according to the report. More than half didn’t have adequate plans to respond to an incident or guarantee continuity of operations, or didn’t appropriately test their plans.

Most entities failed simulated phishing email attacks. In phishing, attackers send emails and other communications that appear genuine to convince the recipient to provide sensitive personal or financial information or click on links that allow attackers to gain access to a computer.

Almost half didn’t provide adequate security awareness training or had significant “management, contract, or policy-related weaknesses.” At one agency, auditors found employee names, dates of birth and Social Security numbers in locked but overflowing shred bins. At another agency, a password was written on a whiteboard.

In keeping with the secrecy that typically surrounds IT security, the report doesn’t identify which agencies had specific problems. But the report does list all 20 entities audited, which include the Kansas Department of Transportation, the Kansas Department of Labor, Kansas State University, Blue Valley Schools and the Kansas Attorney General’s Office.

The new report from the Kansas Legislative Division of Post Audit offers a high-level overview of the vulnerabilities auditors found examining IT security in 20 government agencies over the past three years. The document says nearly half of the agencies “did not substantially comply with applicable IT security standards and best practices.”

“State and local entities could face significant consequences if hackers are able to access an entity’s network or confidential data because of poor security controls. A significant security breach could disrupt an entity’s mission-critical work and their reputation would be sorely damaged,” the report says.

Cybersecurity experts who spoke to The Star said the results weren’t surprising and that many of the issues identified are common in both government and business. Still, they said that shouldn’t detract from the importance of bolstering security.

Marty Edwards, the deputy chief technology officer for operational technology at the cybersecurity firm Tenable, said the findings are typical of agencies that under-invest in security.

“Organizations that have really strong and healthy investment in personnel and technology usually don’t have these kind of findings,” Edwards said. “But this is very indicative of either an organization that’s early on their journey on cybersecurity or organizations that just are underfunded, under-invested in.”

Doug Jacobson, director of the Center for Cybersecurity Innovation & Outreach at Iowa State University, called security training a “critical piece” because attackers are increasingly directing their efforts toward people. As computer systems themselves become better protected, attackers have turned to phishing and other techniques to deceive individuals into essentially opening the door for them.

“My guess is a lot of states are in this position,” he said.

The report is not the first that has raised concerns about electronic vulnerabilities within Kansas government. A 2021 state audit found that K-12 schools are unprepared for a cyberattack and are not doing enough to protect student data. Of 147 districts (roughly half the school systems in the state) that responded to a survey, 69% didn’t have a response plan in the event of a cyberattack and 28% hadn’t installed anti-virus software on all school computers.

Additionally, an external review of security at the Kansas Department of Labor performed by consultant BKD Cyber found earlier this year that the agency had only partially implemented the majority of the National Institute of Standards and Technology’s best practices for cyber security.

“Overall, the state, it doesn’t seem like we’re making any progress,” state Rep. John Barker, an Abilene Republican, said at a legislative committee hearing on Monday where the Legislative Post Audit summary report was discussed.

In Kansas alone, cyberattacks vandalized dozens of county websites in 2019 and Wyandotte County systems were crippled by an attack earlier this year. At a rural water system in central Kansas in 2019, an ex-employee was able to remotely shut down the facility’s cleaning and disinfecting procedures because a shared passcode hadn’t been updated.

The Post Rock Rural Water District in Ellsworth relied on a shared GoToMyPC account to allow remote access to the system after hours. The system used a shared passcode to access the software that controls the plant. The passcode wasn’t updated after the employee resigned.

The case received national attention and highlighted electronic weaknesses within critical infrastructure. Still, auditors found similar vulnerabilities at Kansas agencies, according to the report.

“Most entities did not disable accounts belonging to former employees in a timely manner or at all,” the report says, adding that one agency left the accounts of two former employees open for more than five months.
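The finding above (former employees’ accounts left enabled for months) is one that an agency can check for itself by reconciling its HR separation roster against a directory export. The following is an added example, not code from the audit report or from any Kansas agency; the roster, the account export and the one-day grace policy are all constructed for illustration.

```python
from datetime import date

# Constructed sample input (not from the audit report): the HR separation roster,
# keyed by account name, and an export of directory accounts with their status.
HR_SEPARATIONS = {
    "jdoe": date(2022, 6, 1),
    "asmith": date(2022, 11, 20),
    "bjones": date(2022, 5, 15),
}

DIRECTORY_ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "last_login": date(2022, 10, 2)},
    {"user": "asmith", "enabled": True, "last_login": date(2022, 11, 19)},
    {"user": "bjones", "enabled": False, "last_login": date(2022, 5, 14)},
    {"user": "clee", "enabled": True, "last_login": date(2022, 11, 28)},
]

# Hypothetical policy: an account must be disabled within one day of separation.
GRACE_DAYS = 1


def stale_accounts(separations, accounts, as_of, grace_days=GRACE_DAYS):
    """Return enabled accounts whose owner separated more than grace_days ago.

    Each finding records how long the account has stayed open and whether it
    was actually used after the separation date, which is the signal that
    turns a policy gap into a possible incident.
    """
    findings = []
    for acct in accounts:
        separated = separations.get(acct["user"])
        if separated is None or not acct["enabled"]:
            continue  # current employee, or already deprovisioned
        days_open = (as_of - separated).days
        if days_open > grace_days:
            findings.append({
                "user": acct["user"],
                "separated": separated,
                "days_open": days_open,
                "used_after_separation": acct["last_login"] > separated,
            })
    # Worst offenders first, so the longest-open accounts get attention first.
    return sorted(findings, key=lambda f: -f["days_open"])


def summarize(findings):
    """Count findings and those showing post-separation use, for a report."""
    return {
        "open_accounts": len(findings),
        "used_after_separation": sum(f["used_after_separation"] for f in findings),
    }


if __name__ == "__main__":
    results = stale_accounts(HR_SEPARATIONS, DIRECTORY_ACCOUNTS, date(2022, 12, 1))
    for f in results:
        print(f"{f['user']}: open {f['days_open']} days after separation, "
              f"used after separation: {f['used_after_separation']}")
    print(summarize(results))
```

Run against a real export, the `used_after_separation` flag is the one to triage first: an enabled account is a policy failure, but a login after the separation date means someone, the former employee or an attacker with their credentials, actually used it.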

Kansas has made a concerted effort to improve its cybersecurity in recent years. In 2018, legislators passed a cybersecurity law creating a state chief information security officer and a Kansas information security office. Gov. Laura Kelly also named Secretary of Administration DeAngela Burns-Wallace the state’s chief information technology officer.

For the past four years, the Kelly administration has also held cybersecurity summits. More than 100 people participated in the latest summit in October. The event included a tabletop exercise that forced participants to grapple with a simulated ransomware attack and how they would respond, Jeff Maxon, the state’s chief information security officer, told lawmakers last month.

State Sen. Rob Olson, an Olathe Republican who was at Monday’s hearing, said the state’s information security situation appears to be improving.

“We’re not probably where we need to be but we’re getting there,” Olson said.

The Kansas Department of Administration declined to comment on the audit report. Burns-Wallace is set to depart the agency in January as Kelly, a Democrat, begins her second term.

“We have made a ton of progress in the past four years since the statute has been in place and we continue to make progress,” Maxon told lawmakers in November, referring to the 2018 cybersecurity law.

In the report, auditors acknowledge that Kansas has taken steps to beef up information security, including the cybersecurity law. Still, “more needs to be done to create a stronger security posture within state agencies and school districts.”

© 2022 The Kansas City Star. Distributed by Tribune Content Agency, LLC.