Kansas hasn’t fully addressed cybersecurity issues after $466M in unemployment fraud


After the state paid out up to $466 million in fraudulent unemployment benefits, an oversight council tasked with ironing out issues doesn’t know the status of correcting critical cybersecurity issues.

“I just don’t have a lot of confidence right now in the security of the system,” said Sen. Caryn Tyson, R-Parker, “and I’m afraid for Kansas citizens.”

Contractor FORVIS performed a cybersecurity audit, broken into a risk assessment report and a penetration testing report. The firm also performed a forensic audit of unemployment insurance, estimating up to $466 million in fraudulent payments.

The council released a redacted version of the penetration testing report this month. The risk assessment report hasn’t been publicly released. Officials said the risk assessment identified 31 recommendations, including six of a high priority, 11 medium and 14 low.

The agency didn’t disclose an update on any of the six high priority recommendations, telling lawmakers the information could only be discussed in secret. The medium and low priority items are a mix: some are completed, some are in progress, some require additional funding and some are a policy determined by the state’s technology office.

“It’s got to be noted that there are 206 vulnerabilities listed in this report, of which 43 of them are critical, 74 are high and 89 are medium,” said Rep. Sean Tarwater, R-Stilwell, in apparent reference to the confidential risk assessment report from April.

Tarwater chairs the Unemployment Compensation Modernization and Improvement Council, which keyed in on cybersecurity issues at the Kansas Department of Labor during a Sept. 19 meeting.

“This report has been out for months, and it is extremely disappointing that we are still vulnerable,” Tyson said. “We just received this,” Labor Secretary Amber Shultz said. “It hasn’t been several months; it’s been a couple of months.”

Officials said both cybersecurity reports were provided to the department in April — or five months ago. “I’m not going to put Band-Aids or more bubblegum on a system that already has its own issues,” Shultz said. “So we are being very diligent on what systems we are putting in to secure our overall systems.”

Some of the problems should be eliminated through a $41-plus million technology overhaul of the unemployment system, which is built around a 1970s-era mainframe that is a decade older than the videogame Tetris. However, Tata Consultancy Services is not expected to have the new cloud-based system until at least summer 2024.

“Certainly I don’t know that we want to sit vulnerable for another two years,” said council member Phil Hayes. “I completely agree with you,” Shultz said, “that we’re not going to be waiting 24 months to get these implemented. … We are going to secure our system with due diligence.”

In comparing KDOL to national technology and cybersecurity standards, “We were 78-100% fully or partially implemented” across five categories, Shultz said.

“It’s disconcerting that the percentage is 78-100%,” Tyson said. “On some items, I would like more detail, especially on the high priority items.”

That sentiment was bipartisan on the council and became a major theme of questioning.

Unsatisfied council members pressed the auditors and officials in Gov. Laura Kelly’s administration on how long it will take to implement fixes.

“What’s the timeframe moving forward to button up our house?” Hayes asked Jeff Maxon, the state’s chief information security officer.

“It’s hard to give an exact number and what that looks like,” Maxon said. “But it does depend on the finding, what type it is, if it’s a managerial finding, operational finding or technical finding. That does dictate how long it takes to necessarily remediate those. I will say technical does require usually funding and sometimes takes time; the operational and managerial can sometimes be quicker or longer, depending on what the finding is.”

Some fixes require a reconfiguration of existing systems. Others can be done through existing state contracts, while some require procurement of new systems or tools.

More money will be required to implement other fixes, which likely would not be available unless legislators put it in the budget next year or Kansas gets federal grants. Sen. Jeff Pittman, D-Leavenworth, said legislators “often don’t prioritize” cybersecurity resources.

Hayes again asked for an ETA or a target timeframe, and Maxon reiterated that it depends on the specific finding. Some issues may take one to six months, while others are 18-24 months.

Maxon said items that are more likely to be exploited get priority, regardless of their criticality. “We’re seeing (as a national trend) a lot of bad actors go back and actually targeting some of the lower priority stuff because they’re easier to exploit,” Maxon said.

Sen. Renee Erickson, R-Wichita, grew frustrated by the lack of specific answers to when security vulnerabilities will be fixed. She said that Kansans deserve concrete answers.

“We still can’t have open and transparent discussions with our reports because of ongoing issues,” Erickson said. “What I hear from all of this conversation — while Kansans are still sitting out there, we still have these issues — is it takes time and funding and it depends. It’s like trying to figure this out is like trying to nail Jell-O to the wall. To hear that it’s complicated and it’s a moving target, to me, it’s not acceptable.”

“Maybe it sounds smarmy and maybe it doesn’t sound solid,” Pittman said, “but just because something’s complicated doesn’t mean that things are being hidden.”

He urged referring the reports to a separate committee tasked with IT security, on which Pittman serves as the top Democrat.

But Pittman also pressed at times for more concrete answers himself. He wanted to know the timeline for remediating a specific critical finding in the penetration report.

“When you see critical, that immediately makes our red flags go up and we want to know that it’s being fixed immediately,” Pittman said.

Ron Hulshizer, of the contractor FORVIS, did not have a specific answer, noting that “it varies not only in time, but in cost.” Pittman again pressed on timelines for the highest priority items. “I have not heard back about what those timelines may be,” said Dwayne Tucker, of FORVIS.

He explained that issues are rated based on probability and impact, but implementation decisions are made on a case-by-case basis as clients evaluate and mitigate issues based on their own internal situation.

“I guess the short answer is I don’t have a good timeline for you,” Tucker said. Hulshizer compared cybersecurity efforts to closing windows and doors.

“I feel like our doors and windows were open,” said Rep. Susan Estes, R-Wichita, and that “hundreds of millions of dollars walked out of our front door.” Citing five separate findings in the risk assessment, she asked Shultz, “How were such important things overlooked?”

“Cybersecurity is so complicated that it’s never done,” Shultz said.

“Certainly some things were overlooked,” she continued. “But we were in the middle of a pandemic. We were getting just annihilated by fraud. And we were trying to stop the bleeding and try to get a multifactor authentication system on board. So all in all, I think that it’s a fair report. We’re doing what we can now to close those windows and doors and we won’t stop looking for those open windows and doors.”

While the entirety of the risk assessment remains confidential, the penetration report has been released with heavy redactions to the findings. “The whole report is pretty much redacted,” Tarwater said.

The Labor Department has contended such secrecy is necessary to prevent malicious actors from using public information to compromise the agency’s network. Kansas open records law allows the government to keep cybersecurity information confidential, including vulnerability assessments.

Council members asked for percentage to completion and target completion dates for each of the top priority items. Maxon said such tracking information should be available, at least confidentially, because of federal requirements.

Tarwater set another meeting for Oct. 5 with the intention of going through a redacted version of the risk assessment. He contends that KDOL has had enough time to address many of the 206 vulnerabilities.

“Everything that you have addressed so far can be unredacted at that point, because it’s no longer a vulnerability,” he said. “We need to know. That way we can be more transparent.”

As reported in the Topeka Capital Journal


