An internal battle has erupted between county officials over checking for cybersecurity vulnerabilities in the Orange County agency that sets the official values for more than $600 billion in local properties.
County auditors haven’t checked the assessor’s computer systems for security vulnerabilities since at least 1995 – if ever, officials said this week. And over the past year, Assessor Claude Parrish, who is elected, has not let county auditors do such a review.
Now, Parrish wants to postpone the cyber review to next July – citing his office’s move this month to a new building and a need to focus on setting property values for the first half of 2020.
“We’re putting literally all of our county departments at risk with regard to the transport of information [and] data moving back and forth,” Supervisor Lisa Bartlett said during a discussion of the issue at Tuesday’s county Board of Supervisors meeting.
“If there’s a cybersecurity breach in one department, that could affect literally other departments and virtually the entire county.”
Parrish said he’s agreed to an audit – if the auditors show how their process meets best practices to protect “sensitive and confidential information” from becoming public.
“They want to disclose the results of the audit and make it a public information,” Parrish said in an interview Wednesday. “This isn’t going to protect the citizens of Orange County’s social security [numbers] or anything else. It’s a roadmap for hackers.”
“This is like a little kid trying to tell somebody that knows what they’re doing – we have people that have worked in my department for 20, 25 years. IT people. And some are new, some are not. It’s actually harassment,” he added.
The county’s internal audit director, Aggie Alonso, said his team already has procedures to prevent confidential information from being released: keeping it out of public reports.
“Internal audit already has a process for sensitive reports where we redact any information which could be a potential privacy or security concern. So we believe we have a solution regarding his concerns,” said Aggie Alonso, who has been the county’s internal audit director since April.
After the assessor’s IT systems were identified as “high risk” more than a year ago, county supervisors approved a plan in September 2018 to audit them for security vulnerabilities.
“Since that time, we’ve made various, numerous efforts to try to start the audit. We haven’t had success. We’ve tried memos and emails. We’ve had meetings and numerous attempts,” Alonso said.
In a letter earlier this month, Parrish said the earliest an audit could start is July 2020, because his office is in the midst of moving to a new building and then has to conduct the next round of value assessments from January to June.
“I am going to allow them in,” Parrish said in the interview, adding he would have a discussion with auditors in November on next steps.
But the audit director said there’s no valid reason to hold off.
“We see no practical reason to postpone it, almost two years later from the time we identified it as high-risk,” Alonso said.
The tussle comes as local governments and service providers have faced crippling breaches of computer security that have at times shut down their ability to provide basic public services.
One of the most severe attacks forced hospitals to shut down in the United Kingdom, when hackers seized control of their computers and demanded ransom payments.
OC hasn’t been spared.
In 2017, the Orange County Transportation Authority was hit with ransomware that held its computers hostage for days. Dozens of computer servers were disabled, shutting down email, voicemail and numerous other services. Officials didn’t pay the ransom, but the agency’s insurance company paid more than $600,000 for consultants and staff to regain control of the computers.
And in 2016, the private information of about 56,000 OC residents – including names, demographic information, and in some cases social security numbers – was downloaded on to a thumb drive by an employee leaving their job at the county’s CalOptima health insurance agency.
Days later, the drive was returned by the former employee, and the agency offered free credit monitoring for a year for people whose data was breached. And CalOptima officials promised to put in place procedures to prevent such breaches in the future.
The county has been reviewing its cybersecurity safeguards over the past couple of years, and in 2017 found a series of problems in a review of its central IT systems.
Auditors found that county officials had failed to implement essential protections that left the county unnecessarily vulnerable to hacking and other malicious activity until the problems were uncovered by the comprehensive audit.
Among the wide-range of problems auditors discovered with central IT: several critical computer systems did not have up-to-date antivirus software, despite officials being able to automatically deploy security updates across the network. And former workers continued to be allowed access to the back-end of county computer networks even after they left their jobs.
In one case that was fixed after auditors discovered it, the county failed to revoke high-level network access from a former county contractor who had been terminated the prior year. By logging in, he would have been able to enter the county network undetected, weaken protections against cyber attacks, and cover his tracks, they wrote.
And almost 25 percent of security access badges to enter the county’s sensitive central data center were assigned to employees who either were inactive or terminated. This too was fixed after the auditors found it, according to what county officials told the auditors.
The county’s chief executive, Frank Kim, emphasized cybersecurity reviews are being done for all county departments, not just the assessor’s office.
“We’re not singling out any one department, but this is something that we’re doing countywide,” Kim said, adding it stems from a Board of Supervisors directive from two years ago.
Those reviews have already been done for the county’s central IT systems, and the computer systems for county agencies run by two other independently elected officials: the Sheriff’s Department and Auditor-Controller’s Office, according to Alonso.
“We’re making our rounds to all the departments,” he said.
Parrish says he’ll let the county do its review for two months starting next July, after his office moves and the property assessments are done.
“We’re going to allow you to meddle in our system for a couple of months after the roll closes, for two months,” he said.
That delay would put the county further at risk, said Bartlett, the county supervisor.
“This is something that has been postponed by Assessor Parrish, and we’re going to have to figure out what to do going forward,” Bartlett said.
“We need to have the internal audit completed so we know where we have weaknesses in our system and what we need to do on a moving-forward basis to fix those weaknesses – especially with the data being transferred to other departments as well,” she added.
“We can’t put our whole security network at risk for the County of Orange.”
Nick Gerda covers county government and Santa Ana for Voice of OC. You can contact him at ngerda@voiceofoc.org.