The Texas Tribune held a symposium on cybersecurity and privacy on December 9, 2015 at the University of Texas at San Antonio’s downtown campus. This report covers panels on Privacy and the Cloud in State Government, Cybersecurity in Communities, and Cybersecurity and Privacy in the Medical Field.
Panel on Privacy, the Cloud and State Government
The panel was led by Evan Smith and included Senator Judith Zaffirini, Representative Larry Gonzales, Todd Kimbriel (Interim Executive Director of Information Resources), and Jesse Rivera (Information Security Director for the Comptroller of Public Accounts).
Smith asks Rivera about the 2011 “breach” at the comptroller’s office, which was actually a human error.

  • Individual failed to properly secure lists that were left open to the internet for a year – they were not hacked and no information was taken
  • When we found out, we secured information, monitored credit, and implemented steps to monitor human error
  • Engaged with Gardiner Security Group for cybersecurity purposes and implemented multi-media experience training for employees
  • We test our own users with fake emails and give users specialized training

Smith asks Zaffirini if she is satisfied that we are in a good place with cybersecurity

  • Never satisfied – we are doing well but could do better
  • We have passed meaningful legislation to become a leader in cybersecurity in the wake of 2011
    • State agencies all have to have plans for cybersecurity
    • Legislation requiring training for agencies
    • Legislation for biennial report from agencies
    • Department of Information Resources study

Smith asks Gonzales if he agrees with Zaffirini

  • We are doing well, but we can always do better
  • We need the money to make it happen and can do better on the appropriating side
  • Feels really good about the funding provided in the 84th; we will have interesting conversations in the 85th

Smith asks Kimbriel if we are as attentive to this as we ought to be

  • We have made great progress and are listed in top 8 in cybersecurity readiness
  • Every agency produces cybersecurity strategic plan
  • We produce overall report to state leadership which shows we are in a great place, but there is more to be done
  • There is awareness about cybersecurity

Smith asks Rivera if the Comptroller’s Office has the resources necessary

  • I have the resources at CPA – there are never enough resources and time to do everything that needs to be done
  • There may need to be some type of requirement making heads of state agencies responsible for cybersecurity

Smith asks Zaffirini about the notification from the CPA which did not have the Comptroller’s signature

  • Upper management has to be responsible
  • Filed bill that died in house to make upper management responsible for cybersecurity
  • Cybersecurity is being treated like customer service, where there is just one department responsible, instead of the responsibility being at the top
  • Gonzales echoes the idea that responsibility should migrate up
  • Gonzales says he does not have a lot of House colleagues helping with cybersecurity

Smith asks Kimbriel if it will take time to get buy in since there are a lot of state employees from older generations

  • Zaffirini interjects that she disagrees because it takes everybody; she mentions that she is almost 70 and is at the forefront of this
  • 45% of the threats are external, but people do not realize that this is an internal problem as well either because of bad actors or because of people making a mistake

Smith asks Kimbriel how much DIR does to get culture of agencies to bend towards the times

  • We work through Information Security Officer at agencies
  • We have set up an academy to increase intelligence of agencies and employees have to go through training

Smith asks about new legislators and how we train them

  • Kimbriel says they would be more than happy to do that, but they currently do not

Smith asks Kimbriel if he is comfortable with his information being stored by a state agency

  • We have a very high level of security at large agencies and not as high at smaller agencies but we are in a good place for now

Smith asks Rivera about the challenge to evolve with quickly evolving technology

  • If you have the right organization, you can keep up with technology
  • Conflict of interest between information technology and information security – we took security out from under technology at CPA to right under the comptroller so technology and security do not compete for resources
  • We are always looking at new processes for security

Smith asks if Rivera could wave a wand to fill in any gaps in his work, what he would change

  • You need to know where your sensitive data is and it should be in the middle of concentric circles on a diagram
  • Anybody can decrypt passwords now so you need to encrypt your data
  • You also need to patch your system so you know when somebody breaks in
  • You have to have a strong foundation
  • Zaffirini and Gonzales both say that the multi-level encryption is important
    • Gonzales says it varies from agency to agency as far as appropriations needed to get to a certain standard

Smith asks Gonzales if Zaffirini is correct in saying that the threat is as much internal as it is external

  • Yes – internal risk varies – you have to worry about mistakes and bad actors
  • Contracting can provide problems because you have to ensure that the contractors’ information is secure and that transfers of information are secure

Smith asks Kimbriel how concerned he is about the cloud

  • There is a limit to how much we can protect the cloud
  • Not all cloud providers are the same – buyer beware
  • SaaS (software as a service) is much more mature today than cloud service because the provider is completely responsible for information safety

Smith thinks it is interesting that we generally do not trust the government, yet they have all of our information

  • Zaffirini says this is a risk vs. reward proposition because you can either give them your information or simply not engage
  • Government needs to improve relationship with the private sector
  • We have to look at technology, personnel, and cybersecurity throughout the organization
  • Biggest need is to share information about cybersecurity threats

Smith asks Rivera if their employees get their training from inside or outside CPA

  • The training comes from multiple different outside organizations
  • It is important to get as much training as possible

Audience Questions
Are there any state-sponsored cyberuniversities for state employees that universities could take part in to teach?

  • Kimbriel says there is an academy for agency employees
  • There are too many cybersecurity jobs available, so it is important to have universities get involved in cybersecurity as UTSA has
  • Texas needs to become the heart and soul of the cybersecurity industry
  • Zaffirini says everybody should go through training, but the training needs to be personalized because different agencies have different needs

What are we currently doing to protect small businesses?

  • Gonzales says we are looking at comprehensive contracting rules right now
  • Legislature has the drawback of meeting 5 months every 2 years
  • This will be a big deal in the 85th legislature

Cybersecurity in Communities
The panel was led by Dr. Gregory White (Director of the Center for Infrastructure Assurance and Security at UTSA) and included David LaPlante (Chief Information Security Officer for Houston), Hugh Miller (Chief Technology Officer for San Antonio), Chris Cook (Principal with SA Cyber Consultants), and Mary Dickerson (Chief Information Security Officer for the University of Houston).
White asks what the threats to our communities are

  • All panelists say there are a variety of threats including foreign actors, hackers and independent organizations, and insider threats
  • Insider threats consist of bad actors and also simple human error

White asks Miller about the threat to the community of San Antonio as opposed to the city government in San Antonio

  • We have a lot of health science and financial organizations in San Antonio, so it is difficult to tie these industries together to protect consumers
  • We are growing and opening up communication to protect the community, but we have a long way to go
  • Cities are not forced to refine themselves to compete, so they tend to lag behind sometimes

White asks LaPlante what it means to be cyber secure in his mind

  • We need to identify what needs to be protected as well as vendors that provide information to the city
  • We’ve worked with DHS to implement a cybersecurity framework in the city and we are part way through that process
  • We took what we’ve learned and have provided a tool for municipalities around us to help assess risk

White asks Dickerson for a description of what the Texas Cybersecurity Education Economic Development Council is and what it means to have secure communities in the state

  • Council formed in 2011 by the legislature to see what is going on from an infrastructure perspective for state agencies
  • How could the state benefit by attracting businesses and creating an environment for cybersecurity
  • How are we educating citizens and kids to be good cyber citizens
  • Council came up with 10 recommendations, some of which have been implemented and some of which are in progress

White asks Cook what steps a city should take to become more cyber-secure

  • All communities should establish cybersecurity as a priority
  • Find ways to help cities work together and build partnerships of trust within the city to come up with plans
  • Cities are busy responding to events but cybersecurity has to be a part of actions

White asks about the cost associated with cybersecurity in cities

  • LaPlante says Houston is facing budget issues, so we will have to see what the new Mayor will do once that is decided
  • It has been difficult to get the attention and funding necessary for cybersecurity at times – we look for local assistance as well as federal assistance
  • Miller says this has been a progressive sell in San Antonio and is becoming more and more important to leadership
  • Overarching need is for education for employees
  • Oftentimes cybersecurity is invisible until something bad happens

White asks Cook about low-cost actions that can be taken by communities

  • White says working with available sources is important and calling upon those entities for help
  • Setting foundation and getting awareness is important
  • There is moral and legal liability for officials to make sure that the community is prepared
  • Dickerson adds that communication is one of the most effective things you can do to raise awareness for yourself and others – we should constantly be learning about new threats and how to improve
  • Dickerson says it is important to be training the current and future workforce via communication

White asks LaPlante how we are doing on having cities communicate with each other

  • LaPlante says he has been in this role for over a year so he has not seen too much of that as of yet
  • He has met with Chief Information Security Officers (CISOs) in other cities
  • Cook adds that we need to focus on the municipal level – they are becoming more aware of this problem
    • San Antonio will be doing audits at the municipal level on cybersecurity, working in the education space, and in community preparedness

White asks Dickerson what the state’s role is in preparing communities

  • Agencies have done a lot to bring attention to the issue of cybersecurity
  • It is a benefit to the state and can help bring business into the state
  • Security should be seen as a positive and a benefit

White asks Miller if this is more of an IT issue or an “everybody issue”

  • It will always be an IT issue of sorts, but responsibility is pushing through all realms
  • The cybersecurity maturity process grows as technology continues to grow – it is more of a holistic responsibility
  • LaPlante says this is becoming more holistic in Houston as well because of education
  • People need to understand how security applies to their everyday life
  • Big name breaches tend to cause more awareness

White asks Dickerson what citizens’ responsibility is regarding cybersecurity

  • We are all responsible for cybersecurity
  • It is in your vested interest not to give out your personal information
  • Just as we lock our front doors when we leave, people need to do the same thing in the cyber world and teach your kids to do the same

Audience Questions
What is the greatest risk for utilities moving forward?

  • Cook says there is a lot of evidence that utilities may be attacked in the future
  • Utilities will need the help of others moving forward, whether it comes from the state or federal government
  • We cannot afford to not work on the issue because it is going to happen
  • Miller adds that part of the complexity with this issue is the various ways utilities are set up

Do state and local governments focus on cybersecurity in the wake of natural disasters?

  • Dickerson says within Harris County they do exercises for different emergency events
  • Emergency management teams have to realize that cybersecurity plays a role in all emergencies

Cybersecurity and Privacy in the Medical Field
The panel included Dr. Suzanne Barber (Director of the Center for Identity at the University of Texas at Austin), Nora Belcher (Executive Director at Texas E-Health Alliance), Deborah Peel (Founder and Chair of Patient Privacy Rights), and Sheila Stine (Chief Privacy Officer, HHSC).
Why should millennials care about medical record safety?

  • Barber says that today convenience trumps privacy
  • We have to focus on visibility and control because hiding is not an option
  • Belcher says we have to protect ourselves online
  • Care organizations have to work together over data that is protected such as substance abuse – how much do we share? The patient has to come first.
  • Peel explains that people think information they give doctors stays with the doctors, but this is not the case
    • Information is in millions of health databases that are inaccessible to patients
    • Hidden discrimination exists
    • We don’t know where our own information is
  • Stine says when your medical identity is stolen, there are no processes to help you clear up your record individually
  • Stigma around mental health and substance abuse has been reduced somewhat, but there is still a lot of stigma for STDs.

Who holds the responsibility for patient privacy?

  • Barber says we need more education to empower patients with tools and knowledge
    • Patients should be at the center of this issue
    • Currently holders see information as a corporate asset
  • 99% of identity theft cases are local, not nationally reaching breaches
  • Peel says we need encrypted data that can be shared only where it needs to be shared
  • Once we have our own data, we ourselves can decide who to share it with
  • Belcher says we are working towards a culture of patient controlled information in baby steps
  • Under Federal Meaningful Use Program – medical providers are supposed to set up portal to get patients involved, but with multiple doctors, patients have a lot of information to go through in each separate portal
    • This will evolve, but it takes time

Considering the asset is valuable, how do we prevent breaches?

  • Stine thinks it is impossible to completely prevent these breaches but anybody who collects medical information routinely needs to be prepared with a plan
  • You need to look for people with expertise in responding to breaches
  • You need to let patients know right away and then fix the problem and prevent it in the future
  • Barber says if organizations don’t respond within 72 hours, the damage caused escalates for all parties involved
  • ID360 scorecards let organizations tell how prepared they are
  • About half of privacy issues that come up are not cyber related but human error related

What if there is a public sector breach, where there is less choice for consumers to choose who holds their information?

  • Stine says we serve the public and it is a large responsibility for us to take care of their privacy
  • Belcher says the state has to work on privacy extensively because the federal government does not always do enough
  • Texas is strong in medical privacy
  • Peel moves out of the public sector question but says there needs to be more accountability – patients should always know who is accessing their records, but this has never been turned into regulation
  • Stine says there are protections for patients, but they are limited
  • Belcher explains that once patients lose trust in providers, it is difficult to get that trust back

Audience Questions
What is being done in Texas that is different from other states such as California?

  • California is actually a leader in patient security
  • We talk a lot about the issues with technology, but we also need to talk about the benefits that health information exchanges have
  • Peel says most hospitals have between 150 and 650 software programs that use data in different ways – these technology companies have access to this information
  • There are technology solutions, but there is a problem with the architecture of these systems as well
  • Barber says we have to understand the true liability in the case of a breach – how is all of your information connected
  • Hot spots for attacks are Florida, Texas, California, and New York
    • People go after children and senior information because their information is more vulnerable – there are a lot of children in Texas and a lot of seniors in Florida
    • It is estimated that 50% of small businesses have had some type of breach of some type of data