DAS wants $16.9 million to beef up cyber security, project management

Published 12:00 am Thursday, May 28, 2015

Oregon’s administrative agency wants lawmakers to spend roughly $16.9 million over the next two years to upgrade computer systems and hire 24 new IT employees.

Officials at the Department of Administrative Services want to improve management of major IT projects and state cybersecurity, after several high-profile project failures and data breaches. Gov. Kate Brown announced earlier this year that hackers accessed metadata about the movement of information across the state computer network, and attackers also broke into databases at the Secretary of State’s Office and the Oregon Employment Department in 2014.

The Department of Administrative Services, where the state data center and chief information office are located, presented two separate requests to lawmakers working on the next two-year budget. The agency asked for $13.5 million to implement the findings of audits of state cybersecurity and IT operations, and nearly $3.4 million to hire a dozen new state IT employees to better manage IT projects.

“(The Department of Administrative Services technology staff) is responsible for the management of over 2,300 UNIX, Windows and Linux servers, a mainframe computer which is larger than that used by the New York Stock Exchange, more than 3,600 networking devices and firewalls, and enough data storage capacity for 700 copies of the Library of Congress,” the agency wrote in its security-related budget request. “These devices are not only located in the (state data center) facility but at over 600 statewide agency locations. In addition, (the division) is responsible for the software that runs agency applications on each of these computing platforms.”

The agency has been slow to fix problems identified by state auditors, including in the last audit in 2012. The Legislature did approve approximately $900,000 two years ago for the agency to improve security, including to address weaknesses found by auditors, Deputy Director Sarah Jo Chaplen wrote in an email.

The agency also wants to improve oversight after the failure of Cover Oregon and other major projects in recent years. State auditors have described Cover Oregon’s failure to launch as planned in October 2013 as “arguably the worst computer development failure in state history.”

“Technology has one of the greatest impacts on the state’s ability to deliver services to Oregonians,” staff at the chief information office wrote in their funding request to the Legislature. The agency also explained that “Oregon has historically lacked a functional, modern” system of oversight.

Matt Shelby, a spokesman for the Department of Administrative Services, said the agency already has started to work on improving oversight through a pilot program using employees temporarily loaned by other state agencies. An audit released by the Oregon Secretary of State’s Office in March found that effort was understaffed and incomplete.

Shelby said five of the employees would be strategic technology officers who would serve as “broker, traffic cop (and) enforcement officer” to make sure IT projects meet the state’s needs and comply with state policies. Larger state agencies have individual IT departments, while smaller agencies are more likely to rely upon the chief information office. But all agencies must comply with the state’s policies on management of IT projects.

“It’s just a tighter connection between central IT services that we provide and policies we enforce, and … all state agencies,” Shelby said.

The additional employees also would work to improve coordination and efficiency of state IT spending, so that individual agencies do not each purchase separate software when they could all use the same system. For example, Shelby said the state already has transitioned to a single payroll program and could eliminate duplication in other areas.

“We have something like 30-some odd different email systems across Oregon state government,” Shelby said. Approximately one-third of state employees currently use a Microsoft Outlook system maintained by the Department of Administrative Services.

It also might make sense for the state to centralize more of its cybersecurity work, Shelby said, although state auditors have found the Department of Administrative Services has failed to fix some of the security issues auditors identified years ago.

hborrud@eomediagroup.com