Arrow-right Camera
The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Washington auditor amps up cybersecurity efforts

By William L. Spence Tribune News Service

In an expansion of its traditional accounting-based services, the Washington state Auditor’s Office has begun offering cybersecurity audits to local units of government as a way to uncover vulnerabilities in their computer systems.

Auditor Pat McCarthy said the voluntary risk assessments can help protect taxpayer data and improve public confidence in system security.

“We in government know your Social Security number, we know your mother’s maiden name,” McCarthy said. “We’re the keepers of your private information, and we have a responsibility to protect that information.”

At the same time, she said, government offices are trying to become more accessible and user-friendly. Yet, something as simple as letting customers pay for marriage licenses with debit cards requires changes to the computer system that may lead to technological vulnerabilities.

“It’s opening Pandora’s box,” McCarthy said. “We need to find the sweet spot (between security and accessibility).”

The audits include what’s often referred to as a “penetration test,” where hackers try to gain unauthorized access to a computer system, as well as an evaluation of security standards and protocols.

“It’s quite thorough,” said Erin Laska, chief information security officer for the auditor’s office and leader of its 10-person cybersecurity team.

“We have IT people who specialize in security controls, and alongside them we have specialists with knowledge of applications, networks and infrastructure,” Laska said. “Every agency has a different network, different devices, different systems, so we’ve created a mixed team of security specialists and outside contractors (to look for vulnerabilities).”

The auditor’s office first began conducting cybersecurity assessments in 2014, focusing specifically on state agencies. The work proved so beneficial, the office decided to expand the service to local governments. Since then, several other state agencies and about a dozen local governments have requested risk assessments.

“I’ve been doing audits for 18 years, and these are the only audits I’ve seen agencies ask for,” Laska said.

Given the critical nature of computer security, as well as the varied nature of the threats, McCarthy thinks demand for the cybersecurity audits will become an increasingly larger component of the service her office provides.

“I see it as a growth area for us,” she said.

With traditional financial and accountability audits, it’s relatively unusual for state auditors to uncover any serious mistakes or wrongdoing by local governments.

Of the 100 audits released over the past two weeks, for example, only 13 total findings were reported, and only two of those were by cities. Most were mistakes made by local school boards.

With cybersecurity audits, however, the likelihood is much greater that an existing or potential vulnerability will be discovered.

“The threats change on a daily basis, (so) no system can be completely safe,” Laska said. “These audits offer a snapshot in time, but we try to give them a good idea (about their security levels).”

Because of the sensitive nature of the topic, McCarthy said, there’s necessarily less transparency regarding the results of a cybersecurity audit than there is for a normal financial audit. The public will learn if auditors discover any issues with the system, but the details likely would only be provided to local officials in executive session.

“We really don’t want to say anything that could be used by malicious outsiders,” Laska said. “We haven’t seen any agencies that don’t want to remedy a situation.”

Funding for cybersecurity assessments is provided by Initiative 900, which voters approved in 2005. It authorized the auditor’s office to conduct performance audits of local governments and allocated a small portion of the state sales tax to that effort.

The initiative generates about $40 million annually, McCarthy said, but the Legislature currently only appropriates about $20 million of that to her office for a wide range of performance audits.

If demand for cybersecurity audits grows, “it’s incumbent upon us to make the case to lawmakers that we need more money,” she said. “And we do see (the demand) growing.”