Lawmakers want more transparency involving state cyber incidents


by ANDY PIERROTTI / KVUE News and photojournalist DEREK RASOR

Bio | Email | Follow: @AndyP_KVUE

Posted on August 8, 2013 at 10:21 PM

Updated Friday, Aug 9 at 11:29 AM

AUSTIN -- A state lawmaker plans to take action in direct response to a KVUE Defenders investigation. It involves state and public information potentially compromised by hackers.

According to a report from by the Department of Information Resources, state agencies reported a nearly 1,000 cases of stolen computer equipment since 2009. During that same time period, there were more than 4,700 reports of someone gaining unauthorized access to its computer systems.

"Obviously, gaining keyboard access or logical access to the system is much different than just getting into the room," said Brian Engle, DIR’s chief information security officer. 

State Representative Allen Fletcher, a Republican from Cypress, says the information the Defenders uncovered is concerning. He’s the vice chairman on the state’s Homeland Security Committee.

"This is a priority. I think this is a future problem for our country, for our state," said Fletcher.

The KVUE Defenders also discovered state agencies requested law enforcement's help 649 times for cyber security issues since 2009. When KVUE requested more information about those threats, most state agencies said no.

The Department of Public Safety is one of them. The agency wrote KVUE, "We believe some or all of the records may be excepted from required public disclosure." It’s now "seeking a ruling from the Attorney General's office."

Fletcher says DPS should be more transparent. He now plans to ask the agency to disclose some of its cyber threats.

"That information should be available to you, and it should be to my constituents, and the public, so we know what's going on," said Fletcher.

The Texas Workforce Commission is the only state agency that responded to the Defenders' requests. “We certainly want to be responsive about security. We want people to know how their information being protected," said Lisa Givens, spokesperson for TWC.

In March 2012, someone stole a TWC laptop containing internal agency information from a car in Houston. At the time, Givens didn’t know specifically what kind of information was stored on the computer but told KVUE that the agency has a lockdown mechanism in place for when things are stolen. It doesn't allow people to access information from computers that are taken.

Six months later at the same agency, an employee accidently distributed a list of names to the public, compromising nearly 50 Texans' personal information. "My understanding is that it did have social security numbers, addresses and perhaps email addresses," said Givens.

Some cases involve state employees. In 2009, a TWC employee “conveyed sensitive information to a former employee.” The employee was terminated, but no charges were filed.

Givens argued the cases the Defenders obtained account for a small number of cyber incidents the agency combats each day. She said TWC’s security systems block approximately 4.2 million network attacks per day. Attacks could include malware, malicious scans, hacking attempts.

According to a 2012 Texas cyber security report, "There is a general lack of awareness regarding securing the cyber infrastructure." The report also said, “there is an insufficient number of qualified, trained cyber security personnel" in state government and the private sector.

"I've always felt that the state was not as prepared as it could be to protect itself," Senator Leticia Van de Putte told KVUE last week.

The Democrat from San Antonio believes state agencies need more resources to combat threats.

She also says agencies should release more information about its cyber incidents. “I think it's important for the public to know when there have been instances, but I also think we need to take it on a case-by-case basis. We don't want to risk further penetration of the networks,” she said.

Last year, Texas ranked third in the nation for the number of complaints involving cyber crime.

The attorney general's office is expected to make its decision in the next few weeks on whether at least a dozen agencies will have to release information on cyber security incidents.

Austin Defenders Investigative News Video
More Video