Attacks dog state systems

The Abercrombie administration is asking the Legislature for $120 million over the next two years to modernize the state government’s information technology systems, including armoring them against hackers.

State Rep. John Mizuno told the Star-Advertiser that state IT employees have detected probes and attacks on the state’s computer systems — attacks that he said have been traced to China, European countries and elsewhere.

Mizuno’s remarks came as The and The Wall Street Journal reported Thursday that Chinese-based hackers had infiltrated their computer systems.

"Make no mistake, these are very sophisticated enemies we are dealing with," state Chief Information Officer Sanjeev "Sonny" Bha­go­wa­lia said in an interview Friday. "They’re ranging from states, to hackers who are doing it for profit, to insiders doing it maliciously or otherwise. It’s a combination of all these things, and that’s why we are really ramping up (our efforts)."

The $120 million funding request was drafted long before Thursday’s news about hacks of the Times and Journal computers. Cyberprobing by hackers of Hawaii’s state government systems is nothing new, Bha­go­wa­lia said. No personal or sensitive information has been compromised, he said, but probes continue to occur systemwide, with a few departments targeted more than others. He declined to be more specific.

The administration has requested $60 million in each of the next two fiscal years, those ending in June 2014 and June 2015, for information technology improvements included in a business and technology transformation plan released last October by the state Office of Information Management and Technology.

An eighth of that money would go toward addressing cybersecurity concerns, with $6.5 million in fiscal year 2014 and $8.5 million in fiscal year 2015, Bha­go­wa­lia said.

Hawaii’s cybersecurity apparatus is "in the bottom third" among U.S. states, he said.

"We’re there because we’ve got 30 years of underinvestment in technology, and you know you can’t fix that overnight," Bha­go­wa­lia said. "We’re just a couple of disasters away or breaches away from some major challenges. I’ve said that that will happen here just because of the state of the security I’ve found here."

This fiscal year Bha­go­wa­lia plans to spend $1.5 million to shore up current cybersecurity projects to "fix the little pukas and triage," he said.

Mizuno said, "It’s concerning that (hackers) were able to get through a level; that first layer of protection wasn’t good enough. They (the probes) were nothing major, but provide us with a lot of concern. That’s why we’re coming back and putting more funding into IT infrastructure."

Anthony Giandomenico, director of solutions marketing at Referentia Systems Inc., a Hawaii cybersecurity firm, said, "Probes into the state network from China are really common. The head of cybersecurity for the FBI said there are two types of companies: ones that have been hacked by China and ones that don’t know they’ve been hacked by China."

Giandomenico, whose company does work for the federal government and the energy and health care industries, said states are prime targets because "there’s a lot of sensitive information they (hackers) are looking to get."

Bhagowalia added, "Hawaii’s strategic position between Asia and the mainland U.S., I think, is of some interest. Like they say, we’re the tip of the spear. We’re on the front line."

Bhagowalia said internal threats pose an even larger problem than external threats.

"The inside threat problem is actually even more dangerous than the external one," he said. "The external ones you can kind of track. Insider breaches have happened here before, with the tax system and other cases around the world. So insider breaches can actually be more dangerous."

To further address state cybersecurity, both the state House and Senate are considering two bills, HB 767 and SB 1003, that would give the state CIO the authority to safeguard state data.

"It’s currently all over the place," Bha­go­wa­lia said. "We’re asking that it be put in someone’s kule­ana and authority, with resources to make it happen."

A hearing on the Senate bill is scheduled for Tuesday at 1:15 p.m.

Other improvements to state IT systems, such as centralizing systems that are currently fragmented, will also improve security, Bha­go­wa­lia said.

"I think fewer is better and less complexity is better," he said. "When you can know exactly what you’re in control over, you have what they call the confidentiality, integrity and availability of information."

Gov. Neil Abercrombie said in a statement, "Improving the State of Hawaii’s cyber and information security posture is extremely important and my administration is addressing the issue. Under our first full-time Chief Information Officer, Sanjeev "Sonny" Bha­go­wa­lia, the state has developed a comprehensive Business and Information Technology/ Information Resource Management Transformation Plan that includes a security and privacy plan.

"The state has begun to execute the plan, but much more investment must be made in order to fully address the security issues. Sonny’s past experience with federal government security agencies gives the state a unique perspective on protecting our information assets."