The Washington Post

Audit: Maryland cyberdefenses lacking, finds residents’ data may be at risk

As home to the U.S. Cyber Command and more than a dozen other military and government agencies conducting classified Internet work, the Free State is routinely touted by Maryland Gov. Martin O’Malley (D) as the nation’s cyber capital. But an audit report released Tuesday cites serious trouble in Maryland’s dot-gov domain.

Under O’Malley’s administration, state agencies have not consistently or adequately protected personally identifiable information, such as residents’ Social Security numbers. They also have not consistently reported data breaches, according to the state’s nonpartisan Department of Legislative Audits.

Auditors said they did not uncover instances in which personal information had been compromised, but they said a state system lacking in central control and reporting requirements might make it impossible to know of every problem.

Over a two-year period ending last year, agencies that control residents’ personal information reported just five Internet attacks to the state department responsible for cybersecurity — a fraction of the total that workers told auditors they had identified internally.

The report also says two agencies that have authorized state employees to use laptops or tablets to store and access residents’ personal information, including personal health data, did not adequately protect the information, such as by having it in fully encrypted files.

Those agencies were the Department of Health and Mental Hygiene, which maintains Medicaid, health-care data and vital records, and the Department of Human Resources, which administers scores of state programs, including foster care and child support.

Varying levels of weaknesses were also found at the offices of the Maryland comptroller, which controls tax information; the Department of Public Safety and Correctional Services, which oversees sex-offender and criminal records; and the Department of Motor Vehicles, which issues driver’s licenses.

“Although state law assigns [the Department of Information Technology] the responsibility for enforcing information security, DoIT had delegated this responsibility to the individual agencies,” the report says. “Consequently, DoIT had not established a formal oversight process for ensuring that state agencies took appropriate actions to protect information systems and data.”

Raquel Guillory, a spokeswoman for O’Malley, said the administration’s information technology department had considered the audit to be “diagnostic in nature” and has agreed to implement most of the recommendations.

“In the IT security field, continuous diligence, audit and improvement is a good process.”

Auditors said that a revision to the administration’s cybersecurity policy that was approved in April should help address problems of reporting Internet attacks to DoIT. And in a response to the audit, Secretary of Information Security Elliott H. Schlanger agreed to implement many of the auditors’ proposed recommendations to tighten security.

Although auditors urged DoIT to monitor cybersecurity effectiveness at state agencies, Schlanger said the department lacked the resources to do so. Only four DoIT employees are tasked with cybersecurity, the audit found, and each has other responsibilities, too.

In short, the audit criticized the administration for not following some of the same cybersecurity rules that the General Assembly has mandated for businesses that operate in the state.

More broadly, the audit report suggests that in the realm of cybersecurity, O’Malley’s administration has not instituted the sort of top-down and real-time data review for which it has won accolades in other areas, including crime and environmental monitoring.

Aaron Davis covers D.C. government and politics for The Post and wants to hear your story about how D.C. works — or how it doesn’t.


