Oped: Time to improve Pennsylvania's cybersecurity

Pennsylvania State Representatives

Nearly four months after it occurred, a security incident involving the Pennsylvania Department of Corrections that exposed the personal information of employees and inmates is just now coming to light from the administration of Gov. Tom Wolf. A few weeks ago, a data breach at the state Department of Human Services left unprotected the full name, date of birth, citizenship and all reported employment information of more than 2,000 individuals. It occurred on the heels of a cyber-attack that caused the Department of Health’s Bureau of Vital Statistics computer system for birth certificates and death certificates to go offline for seven days. The Wolf administration has yet to offer a full explanation of why these incidents occurred.

In response, we believe House Bill 1704, cybersecurity legislation we co-authored, is primed for a vote when we return to session. This issue needs to be debated and, hopefully, signed into law as soon as possible to ensure the safety and security of our citizens’ personal information.

More:Pennsylvania reveals cyber intrusion in birth, death records

House Bill 1704, which is currently in the House State Government Committee, would further empower the Office of Information Technology (OIT), which was created two years ago by the governor under executive order.  OIT oversees investments in, and performance of, the Commonwealth’s IT systems. The office establishes and implements policies, standards and guidelines regarding planning, management, acquisition and security of IT assets in all Commonwealth agencies under the governor’s jurisdiction.  OIT is responsible for the issuance and management of IT procurement, including hardware, software, services and telecommunications. It also oversees enterprise-wide initiatives, such as IT consolidation, Commonwealth shared services and cyber security, as well as enterprise IT technology support.

Passage of this bill would ensure Pennsylvania’s cybersecurity standards meet or exceed industry standards. It would require more frequent testing of our security systems and establish a committee to regularly evaluate risks associated with emerging cyber threats. The legislation also grants the OIT director elements of financial oversight currently not in place.

This latest data breach, as well as the glaring examples of fiscal mismanagement in the Department of Revenue and Unemployment Compensation call centers, wouldn’t have occurred if this bill had become law. It also would have prevented last year’s cyber-attack in the Senate Democratic Caucus that brought operations to a grinding halt for two months.

These are NOT victimless attacks. In 2016 alone, the cost of online crimes to victims in the United States topped $16 billion. When businesses are attacked, we, the consumers, often pay the price. Target, the world’s third-largest retailer, suffered a nearly $20 million blow as a result of the 2013 cyber-attack, further affirming the fact that no business or government entity is too big to be placed in the crosshairs of cyber criminals.  

Members of the General Assembly learned of the Department of Health data breach at the same time (July 13) the public learned of it through an Associated Press article. The Department of Corrections was alerted of its breach on April 9 but, nearly four months later, the public, and legislators, are just now learning what occurred. This is completely unacceptable. The General Assembly, which is working to improve cybersecurity and protect the health and well-being of residents and their important personal information, should have been alerted to the breach by Gov. Wolf’s administration, instead of reading about it in the newspaper.

In response to this lapse of appropriate communication, a group of House Republican committee chairmen sent a letter to Attorney General Josh Shapiro, asking him to conduct a full and independent investigation of the breach. We applaud and join them in calling for a thorough investigation into this troubling matter. Further, we look forward to House Bill 1704 becoming law, so state government can fully engage in the protection of every Pennsylvanians’ personal data they are compelled to provide to our government. 

Our residents must be protected through fast, accurate identification, risk assessments, threat analytics and routine testing of IT systems. They deserve to go to bed each night, knowing their personal information is shielded from criminal attack.

— This essay was written by state Reps. Seth Grove (R-Dover), Kristin Phillips-Hill (R-York Township) and Jason Ortitay (R-Washington/Allegheny).