The Infosec Education of Nikki Haley
Breach Turns S.C. Governor into Student, Teacher, Advocate
South Carolina Gov. Nikki Haley is starring in her own reality series, shown on YouTube, that could be dubbed "Breach Response."
The Republican governor has been out in front in the response to a breach of the state tax system, disclosed Oct. 26 [see South Carolina Revenue Department Breached]. She has appeared before reporters - and cameras (she has her own YouTube channel) seven times over the past three weeks - with a supporting cast that features the directors of technology and revenue and the state inspector general.
Haley's top billing in response to the breach is uncharacteristic of most other chief executives, whether in government or the private sector, who often use press spokespeople, an underling or a chief information officer to answer questions about such an incident.
In the latest episode of "Breach Response," Haley explains an executive order she issued Nov. 14 that requires cabinet agencies to use state-provided computer monitoring. There are two elements to the monitoring:
- A manned, around-the-clock service from the Division of State Information Technology that will monitor activities in all 16 agencies' IT systems, looking for suspicious activities or malware. "International hackers are not going to do this 9 to 5," Haley says.
- Deployment of an appliance from IT security provider Mandiant that state officials christened "The Hand," which monitors for anomalies and can automatically shut down computers if it detects unexpected activities. The cost of The Hand is a one-time payment of $560,000 and a $65,000 annual licensing fee.
Those costs don't include the $500,000 South Carolina is paying Mandiant to investigate the causes and impact of the breach, which exposed unencrypted Social Security numbers and bank account data. Most of the credit and debit card numbers accessed were encrypted. The state has upped the number of affected taxpayers to 3.8 million from an original estimate of 3.6 million, and says 657,000 businesses were affected as well.
Other costs of the breach include $100,000 for outside lawyers and $150,000 for a public relations firm, the Associated Press reports, as well as an expected $741,000 to mail letters to some 1.5 million out-of-state taxpayers. The state also has agreed to pay the credit-monitoring firm Experian $12 million to provide taxpayers with one year's worth of credit monitoring services.
This has proven to be a costly education for Haley, but one that she's taking seriously. Just look at the videos of her press conferences [see Silver Lining in South Carolina Tax Hack]. It's clear that she's learned a lot about IT security, and the student has transformed into a cybersecurity teacher, advocate and leader.
She understands that the solution put forward is "no silver bullet" to prevent future hacks. "Let me be clear," she says in the latest episode of "Breach Response." "Everyone has told me that there is no way to say that this could have been prevented. What my goal is: How many layers can we put on top of it to make it incredibly hard for these people to get into our systems?"
In one monologue in her latest press conference, Haley explains her evolution on cybersecurity.
"Think back to Hugo," Haley says, referring to the September 1989 hurricane that caused an estimated $7.9 billion (in 2012 dollars) in damage to South Carolina communities. "It wasn't until Hugo that we brought in an EMD (Emergency Management Division) and emergency situations to deal with it. This is my way of dealing with my Hugo ... it's an eye opener that this could happen."
Haley says that when she took office she assumed everything was fine with IT security. "Then, when something goes wrong, that's when you notice," she says, adding that it's the governor's responsibility to ensure that, going forward, the state is prepared not only to defend itself from cyberattacks but also to respond to them effectively. It's something she says she must constantly address.
"I would hope this is as much like any policy that you always keep looking at it, that you always keep saying, 'Are we doing enough?' ... These attackers are very creative, and as we start to put up stopgaps, they're going to keep getting more creative. I think it would be important for us to look at this annually and just make sure we're protecting ourselves as much as we can. I plan on making this a huge part of the cyber plan that every other state should look at because every other state is just as susceptible to this."
No doubt "Breach Response" will not be canceled. Stay tuned.