SALEM — Three years after state auditors identified security weaknesses at Oregon’s main data center in Salem, the state has yet to fix some of the problems.
The vulnerabilities were outlined in a secret March 2012 letter to Michael Jordan, who was at the time director of the Department of Administrative Services, which manages the data warehouse. The facility stores data for multiple state agencies.
The extent of the problem remains unclear, because the agency declined to release the letter in response to a public records request from the EO Media Group/Pamplin Media Group Capital Bureau. Auditors are in the midst of another periodic review of security at the center and they expect to complete the report this summer.
State agencies have struggled for years to keep Oregonians’ data secure. Earlier this month, the EO Media Group/Pamplin Media Group Capital Bureau reported that outdated security protocols on state websites left Oregonians vulnerable to attackers when they paid child support, filed unemployment claims and completed other online transactions.
One reason the Department of Administrative Services does not want the public to see the 2012 letter is that attackers could take advantage of security weaknesses at the data center that it has not fixed.
Matt Shelby, a spokesman for the Department of Administrative Services, wrote in an email that “... there is little beyond the header that we would release because it discusses past and current security issues at the State Data Center.”
Nonetheless, Shelby said in an interview Tuesday that according to state Chief Information Security Officer Stefan Richards, employees have addressed approximately one-third of the security issues cited by auditors.
“The other two-thirds, we’ve made significant progress,” Shelby said. “By that, I mean 50 percent to 75 percent of what we think we need to do.”
Shelby said the Department of Administrative Services agreed with all the auditors’ recommendations, which called for the agency to purchase new tools as well as define and document its security processes.
Hackers recently accessed data at the center, Gov. Kate Brown revealed last month, but Shelby said that breach was unrelated to the security problems auditors identified. However, Shelby said one of the suggestions auditors laid out in the letter would have helped IT staff to more quickly assess which types of data attackers accessed.
The state data center had not yet installed centralized log management software, which would have allowed employees to more quickly assess the scope of the data breach, Shelby said.
“You find out that the door’s unlocked, or a window’s open,” Shelby said. “The next step is to find out if anything’s been taken or moved.”
The data center is now in the process of installing the centralized log management software, an improvement that was planned before the breach. IT employees ultimately learned hackers had accessed metadata about the movement of information across the state computer network.
The public portion of the 2012 data center security audit only hinted at the security vulnerabilities that auditors found. It focused on improper handling of media tapes and incomplete or not fully tested recovery programs used after events such as major computer crashes.
The only mention of weaknesses that could leave the center vulnerable to hackers was a single sentence that stated findings of a security review, one of the two objectives of the audit, were summarized in the confidential letter to Jordan.
The report was unusual because state auditors usually provide at least a general description of the range of problems they found and analysis of the causes. For example, a 2010 audit of security at the data center clearly stated there were problems.
“In our prior audits of the (state data center) we identified significant security weaknesses that collectively heightened the risk that applications hosted at the (state data center) could be compromised,” auditors wrote. “During this audit we confirmed that most of these security issues continued to exist.”
A spokeswoman for Brown, who was secretary of state and oversaw the Audits Division in 2012, referred questions about why the 2012 security concerns were kept secret to the current Secretary of State Jeanne Atkins. Tony Green, a spokesman for Atkins, said it would require a fair amount of research to figure out why auditors disclosed security concerns in 2010 but not in 2012.
“But generally speaking, auditors weigh the security risks known at that time against the best way to get the recommendations implemented,” Green wrote in an email. “Between 2010 and 2012, the risk/benefit analysis produced different answers.”
The Secretary of State’s Office also declined to release the 2012 letter.
“If you publish a report that says this agency is vulnerable to a hack that’s kind of like printing an invitation to hack it,” Green wrote.
Brown’s communications director Kristen Grainger said that as secretary of state and now as governor, Brown has also shared the concern that identifying security weaknesses could make it easier for attackers to access Oregonians’ data.
“I think to a certain extent she wants to be very careful not to bring this to the attention of hackers or people who would do harm to the state’s IT efforts,” Grainger said.
However, Grainger said Brown wants to address what has become a “long line” of data breaches at state agencies — hackers accessed databases at the Secretary of State’s Office and the Oregon Employment Department in 2014 — and that is why the governor wants to hire an independent expert to review state IT management and vulnerabilities.
The Capital Bureau is a collaboration between EO Media Group and Pamplin Media Group.