The Washington Post

Opinion | Maryland has your Social Security Number. Is it safe?

Bryan Mroz (left), then the assistant secretary of the Maryland Department of Health, speaks at a news conference with Maryland Gov. Larry Hogan (R) about distribution of the coronavirus vaccine at the Maryland State House on Dec. 8, 2020, in Annapolis. The department was recently the victim of a cyberattack that may affect its coronavirus reporting. (Michael Robinson Chavez/The Washington Post)

Katie Fry Hester, a Democrat, represents Howard County in the Maryland Senate, where she serves on the Senate Education, Health & Environment Committee and is the Senate chair of the Joint Committee on Cybersecurity, Information Technology & Biotechnology. Ben Yelin is the program director for public policy and external affairs at the University of Maryland Center for Health and Homeland Security. He chaired the research team for the 2021 Maryland Cybersecurity Council study.

Though details of the recent cyberattack on the Maryland Department of Health are scarce — including implications for coronavirus reporting and Medicaid applications — malicious actors targeting state and local governments with sophisticated cyberattacks is nothing new. This incident follows a long line of incursions, including an attack against Baltimore City (which cost an estimated $18 million), MedStar and Baltimore County Public Schools, which prevented hundreds of thousands of Marylanders from accessing medical care or their classes.

What is the price of trust? Based on recent recommendations from the Department of Legislative Services, $150 million would be a start to safeguard personally identifiable information (PII) and critical infrastructure from malicious cyberattacks. With a $2 billion budget surplus and $7 billion of additional federal funds scheduled to arrive, now is the time to invest.

Marylanders have given state agencies their Social Security numbers and other PII. This data is pure gold on the Dark Web, yet many state agencies still struggle to protect it. Between 2016 and 2019, the Office of Legislative Audits issued 77 reports, covering 69 units of state and local government, and found 84 concerns related to weak PII controls. These reports indicated 37.9 million records were susceptible to improper disclosure.

Maryland has underfunded cybersecurity for years. In a 2018 letter to the governor, Attorney General and Maryland Cybersecurity Council (MCC) Chair Brian E. Frosh (D) suggested that cybersecurity be prioritized in the budget and noted that the Department of Information Technology’s (DoIT) “cybersecurity budget is just $3.8 million. DoIT estimates that a mature cybersecurity capability would require a $28.9 million investment in FY2019 with an annual, inflation-adjusted sustainment budget of $14 to $15 million each year thereafter.” Since that letter’s publication, the recommendation has not been met.

One of the authors, Hester, is the Senate chair of the Joint Committee on Cybersecurity, Information Technology, and Biotechnology (JCCIB), and is committed to implementing recommendations from the MCC’s forthcoming report — due December 16 — which is the result of extensive stakeholder engagement, including local governments, school systems, health departments, emergency managers, state agencies and subject matter experts nationwide. Highlights from the initial data are concerning, but not insurmountable:

  • 34 percent of state agencies do not have complete inventories of their IT systems, and almost half have at least one legacy system that does not meet current cybersecurity requirements.
  • Most local county governments require additional funding and state assistance in obtaining resources (tools, software, hardware, and personnel).
  • Just 21 percent of respondents reported their local school system has a Disaster Recovery Plan and an Incident Response Plan that have been tested within the past 12 months.

House and Senate leadership have requested that we focus the committee’s work on three main areas: state capacity, modernization and local support. We are drafting legislation for the 2022 session to provide solutions:

1) Centralize: We must consolidate responsibility, accountability and authority under the Department of Information Technology. Current cybersecurity budgets would similarly consolidate, and cybersecurity staff for each agency would report to the Chief Information Security Officer. This would clarify and standardize agency requirements and give DoIT enforcement authority.

2) Modernize: Legacy systems are expensive and risky to maintain. We must upgrade these systems statewide and leverage available federal funds, guided by a five-year strategic road map and independent advisory group. Upgrades should be based on a framework of technical fit (security risks, dependencies on other systems or data), business fit (agency objectives), customer experience and cost.

3) Support: The state must do more to protect our units of local government, ranging from assessments and response plans to training and model policies. We should also establish a Local Cybersecurity Support Fund that leverages federal money and provides financial assistance. Expanding the scope of the Security Operations Center to include local governments and coordinating the procurement of managed cybersecurity services under state vehicles would provide similarly robust aid.

We must centralize cybersecurity staff, modernize legacy systems, strengthen state agencies and support local governments. The $150 million recommendation is a good starting point to protect the data entrusted to us by Marylanders, and I hope to see it reflected in the fiscal 2023 budget proposal. Otherwise, the cost of inaction will only grow.