June 2020
Dear Washingtonians!
A lot has been in the news lately about bad actors taking advantage of the COVID-19 pandemic, including imposters filing for unemployment benefits across the country using personal information obtained from large-scale breaches.
While imposter fraud is a serious problem, it represents only a small part of the overall threat. Sometimes we spend so much time on the pressing issues in front of us that we don't stop to consider the bigger picture. Instead, we rush on to the next pressing issue.
For example, the latest round of imposter fraud raises several broader questions, such as: How did the bad actors acquire all the personally identifiable information (PII) being used to file for unemployment benefits in several states? Who else has access to that information? Who is selling the data, and how? What else do we need to be thinking about that we currently are not?
As a nation, we are still on a learning curve when it comes to the complexities of cybersecurity and understanding the problem's breadth and depth.
Our goal now must be to come to terms with this reality, truly understand what we are facing, and put in place the tools and methods needed to stop these bad actors.
This is not an easy journey. One important thing we need to do is streamline our approach and be very strategic and very collaborative.
With that in mind, the state Office of Cybersecurity, with input from state agencies, is undergoing a redesign. This is a deliberate, purpose-driven approach. I will provide more details on this later.
Moving forward, I see three key areas that need to be addressed in state government:
Policy: Review state policies to ensure they are current and address the evolving threat environment. Policy governs behavior and sets the stage for standards. Do we have a standardized approach to cybersecurity in the state of Washington?
Support: Ensure appropriate resources are in place to protect the state government network from new and evolving cyber threats. Are there new technologies and models that we can put in place to continue improving our security posture? Are staffing levels commensurate with the need?
Authority: Security must be baked in, not bolted on. The state needs to ensure the correct level of authority exists to address security issues as they arise. This is an area that needs more attention.
Here is my question for you: What discussions do you believe are needed in the weeks ahead regarding policy, support and authority?
I welcome your thoughts and ideas and look forward to our continuing partnership to serve this great state. Thank you for all that you are doing.
Vinod Brahmapuram
State Chief Information Security Officer