How secure are Idaho’s online systems?

A hacker found a vulnerability in the online licensing system used by Idaho’s Department of Fish & Game last month and used it to access the personal data of as many as 788,000 licensees.

But he might have been more of the “white hat” variety hacker. Rather than sell the data he accessed from Idaho’s system and those in three other states, the intruder might have hacked in as a warning that the systems were vulnerable. After getting in, he informed authorities and site administrators of the breach, and he didn’t identify the sites he accessed until the security holes were closed or the sites taken down.

The matter is under criminal investigation by federal authorities, and Fish & Game isn’t saying much more about it for now. But the incident raises some questions on the security of the state network and how the many public-facing systems interact, or don’t.

Does the Fish & Game data breach mean other state systems might be at risk?

Not from the same exploit, certainly, which has been closed. Also, the Fish & Game licensing operation is separate from other state systems.

Still, those systems were double-checked after the latest breach was discovered. To understand better, here’s a short drill-down into the basics of the state’s online presence:

Idaho’s method of offering online services is decentralized. Most online services are part of Access Idaho, which runs the overall state site, idaho.gov, and everything under it. Created in 1999, Access Idaho is run by the Idaho Information Consortium, a subsidiary of the National Information Consortium, a Kansas-based, publicly traded company that works with 3,500 federal, state and local agencies in the U.S., including 27 state governments.

After the Fish & Game breach was discovered, Access Idaho “started a deep monitoring of their system for a day and a half to make sure that this wasn’t a broader kind of attack against Idaho,” said Bill Farnsworth, who works in the state Department of Administration’s chief information officer’s office and chairs the Access Idaho steering committee. Though officials are scanning all the time for trouble, they found no unusual traffic or activity, he said.

The state website lists nearly 200 requests, services or other actions you can process online, such as renew a license, pay child support, or order and obtain documents. Most online services offered through state agencies are managed by Access Idaho, although agencies are not required to go that route. The Fish & Game licensing system, and the Parks and Recreation reservation system, are two that are not managed by Access Idaho. The state Tax Commission uses a system called Gentax, made by Fast Enterprises.

“From my perspective, we encourage agencies to use Access Idaho because they have the expertise and the level of security and everything else to take this on,” Farnsworth said.

So what’s the status of the Fish & Game licensing system now?

The system is still offline, although the vulnerability was patched the day it was discovered. The matter is still under investigation by the FBI and the Department of Homeland Security, and both the vendor and the state want to ensure that the site is secure before bringing it back.

Why were only pre-2008 licensees affected? Whose data is potentially at risk, and how can I know if mine is?

The current vendor, Active Network, took over the operation that year and changed the way records were kept. Anyone who registered before that changeover is potentially affected, regardless of whether they obtained their license online, by mail or in person. Active Network will be contacting all affected users directly by mail.

Is Idaho taking steps to review and improve security?

Yes, and they predate the latest breach. Gov. Butch Otter formed the state Cybersecurity Task Force in July 2015. The panel, chaired by Lt. Gov. Brad Little, has been meeting since last September. It gave a presentation to legislative budget writers in February.

Central to the group’s discussion: Should control and oversight of all online services under Idaho government auspices be centralized? Or should agencies continue to have the option to set up their own outside arrangements, as in the case of Fish & Game?

“We’ve got a subcommittee working on it,” Little said Friday. The latest incident “just kind of put an exclamation point on it.”

So how secure are government computer networks? Are Idaho’s more or less secure than other states?

Not to be facetious, but the most accurate answer might be: As secure as possible. Cybersecurity is a constantly moving target. There’s a reason that an annual report on data breaches prepared by Verizon notes that no locality, industry or organization is bulletproof. Idaho, being a smaller state, is possibly a lower-value target. And financial transactions, such as payment processing, are handled by outside systems.

In terms of public sector sites overall, the 2016 Verizon report catalogs more than 100,000 incidents and 3,141 confirmed data breaches in 82 countries in 2015. Verizon analyzed about 64,000 of those and found that more than 70 percent of them involved public sector institutions. That number is somewhat inflated because government has more requirements to report breaches.

“One of the real problems with this is that people don’t like to admit they’ve been hacked or breached, and bad guys share their stuff,” Little said.

But public sector hacks were largely unsuccessful. Of the 2,260 confirmed breaches Verizon looked at, just 193, or 8.5 percent, involved governments or public agencies. More than one-third of the successful breaches involved financial services companies.

That makes scary sense, given that the No. 1 motivation for hacking, by far, is for financial gain, followed by espionage.

Way behind, in the No. 3 spot, is “Fun.”

This story was originally published September 5, 2016 at 11:15 PM with the headline "How secure are Idaho’s online systems?."