Protestors in Budapest, Hungary, demonstrate in Guy Fawkes masks, the official face of the international hacktivist group Anonymous, which is one of many persistent threats to computers at all levels of government. (AP file photo by MTI, Janos Marjai, February 2012)
Update: Mark Myers resigned from his position on November 23, 2016.
Mark Myers, the man in charge of protecting Arkansas’s high-tech digital archives, knocks on old-fashion low-tech wood when he talks about his job.
So far, “knock on wood,” Mr. Myers told his audience at the 2016 NWA Technology Summit in Rogers, his team has fended off the rising number of cyber attacks against Arkansas computers. In September, he said, hackers made a record number 80,000 attempts a day to pry into state systems.
“But you always worry about your weakest link,” he said.
The state stores 2.1 million tax records on its servers, about 1.5 million medical records that involve services such as Medicaid, and myriad other records, including every school district’s grade books, and real estate and criminal records, said Mr. Myers, director of the Arkansas Department of Information Systems.
The security of all these records, many of which include social security numbers and addresses and other valuable private info, is tenuous, he said, because Arkansas depends on outdated technology ~ “We have one agency … that still uses Windows Vista.” ~ and his department doesn’t have enough manpower or money.
At the time he spoke, he had one vacancy on his 14-person staff. His department needs $12 million now, and an additional $6 million per year to adequately protect the state from cybertage.
“I’ve got folks trying to break into the state police [records] literally while I’m standing here right this second,” Mr. Myers said in his October talk.
Each breach of a system – a single tax return, for instance – costs the state about $200 to address and rectify, he said. The breach of a single medical record costs an average of $384. So, if hackers breached 1.5 medical records, the cost would total $576 million.
“Let me just assure you ~ there’s not that much money in the state budget to fund that today,” Mr. Myers said. “If we were to get broken into like that, there would be massive layoffs and services we could not provide.
“That’s what worries me at night.”
Hackers operate at three basic skill levels, he said. The amateurs, who are trying to break in “just to see if they can.” The professional criminals, who hope to steal and sell data. And the “advanced persistent threats,” primarily enemy nations. “You all know who they are,” he said, “but we’re not supposed to say their names. They have reasons to want to get in.”
The difference in skill level between the amateurs and the international professionals is closing, he said. “Enough tools exist out of the public space, on the dark web, to make a handful of people — some [group] like Anonymous — almost as effective as a nation-state.”
In 2012, hackers breached South Carolina’s tax agency and exposed personal information, including credit card and debit card numbers, of nearly 700,000 businesses and 4 million taxpayers.
So far, South Carolina has spent about $52 million for cleanup and security improvements since that breach and is still paying, he said. “That would be one-third of my agency’s entire budget.”
And there is the less-quantifiable cost of a loss of trust in government, which could translate into a drop in state revenue, Mr. Myers said. “If all of your financial records get stolen, how trusting would you be …?
“If this happened to your county, you might think about moving counties. This could have real economic impact.”