SALEM, Ore. -- Gov. Kate Brown issued an executive order directing state agencies to completely overhaul their cybersecurity systems — and they'll have less than two months to figure out how to do it.
The reason? Computer systems used by the state to protect private or sensitive information from hackers are "antiquated" and remain vulnerable to the "unrelenting threat of cyberattack," Brown wrote in an email Monday to state agency directors.
The executive order requires agencies to hand over their cybersecurity system documents and reassign all information technology security personnel to work for the state chief information officer by Nov. 1.
Agencies will also have to develop a plan to unify cybersecurity protocols across state government — a long overdue step for Oregon's outmoded systems, said state Chief Information Officer Alex Pettit. Some agencies and all state universities are exempt from the executive order.
State agencies hacked since 2014
Oregon Department of Transportation
Department of Veterans Affairs
Secretary of State's Office
Department of Land Conservation and Development
Department of Agriculture
Department of Fish and Wildlife
Construction Contractors Board
Source: Department of Administrative Services
The executive order tasks Pettit with leading the overhaul and he'll be boss to the borrowed employees until at least June 2017. The agencies sending IT security workers to Pettit will still pay the 40-some employees' salaries.
Pettit said he welcomes the changes — and that they're not coming a moment too soon. During an interview at his office in Salem, Pettit, the state CIO since 2014, said many IT security systems used by the state are disjointed and ineffective, and were obsolete a generation ago.
"What we're doing today is fundamentally not working," he said. "Who knows what's out there. Some of these systems are easily 25 years old."
The result is that confidential information held on state government computers — like Social Security numbers, financial records and login information — is vulnerable to cyberattacks.
Cyberattacks remain a threat in Oregon
Hackers have taken notice. At least eight state agencies have fallen victim to hacks in just the previous two years, Pettit said.
"Even though they're small attacks, they've had a big effect on us," Pettit said. "We have folks that attack for political, financial, reputational reasons."
He gave a hack of the Construction Contractors Board as one example. Digital thieves were able to steal login information of employees at ODOT, a massive agency compared to the relatively tiny Contractors Board.
In another situation, Social Security numbers entered by state employees registering for health care through the Public Employees Benefit Board website were left vulnerable to hacks, Pettit said. Officials stepped in and prevented a breach, but the consequences could have been severe if a cyberattack had begun before the intervention.
Officials to pursue funds for IT security
Monday's executive order is one step in a larger push by officials to improve state cybersecurity systems. Pettit said there are plans to build a one-size-fits-all security system for use across state government.
He said the state will ask lawmakers to fund a "Cybersecurity Center of Excellence" — a physical space in Corvallis where public and private entities would share resources on IT security. Intel, Hewlett Packard, the Department of Homeland Security, the FBI and Oregon State University have been asked to participate, Pettit said.
Officials will ask the Legislature to fund the cybersecurity center during the 2017 legislative session, which begins in February. The amount to be requested remains unclear.
Send questions, comments or news tips to email@example.com or 503-399-6653. Follow on Twitter @GordonRFriedman.