(The Sentinel) — More than two years after Kansas became the No. 1 state for unemployment fraud in the nation, a new IT audit finds massive security issues persist within state computer systems.
A report published earlier this month by the Legislative Division of Post Audit (LPA) paints a damning picture of agencies that still don’t take the problems seriously.
LPA selected 12 state agencies and three school districts as part of the audit, and chose 15 IT security controls across three IT control areas. Those areas were security awareness, account security and incident response. Additionally, LPA evaluated two best practices and evaluated IT controls already codified in the state’s security policy.
LPA recommendations have been ignored for almost a decade
Nearly 10 years ago, LPA recommended the Legislature create a more enterprise-level approach to IT security to help improve agencies’ security posture. The Legislature responded by creating the Cybersecurity Act in 2018. This included the new Kansas Information Technology Office (ITEC) and a state Chief Information Security Officer position. The 2023 Legislature further strengthened the Cybersecurity Act. ITEC also approved several updates to its policies, including the statewide IT security policy, in recent years.
“Despite these improvements, we continue to identify weaknesses with state agencies’ basic security controls,” the report reads. “In this audit, we selected several smaller state agencies as well as larger ones.”
More than half of the 15 entities audited did not substantively comply with selected IT standards and best practices
Nine of the 15 entities did not substantively comply with IT standards and best practices in at least two of the three subject areas evaluated. Indeed, according to the report, only one entity received a score of 100% in any area.
“This is noteworthy because most controls we evaluated were ITEC standards that had been in place since at least 2019,” the report reads.
Eight of the 15 entities did not substantively comply with selected security awareness training controls, 10 entities did not substantively comply with selected account security controls, and eight did not substantively comply with selected incident response controls.
Moreover, while the Cybersecurity Act made agency heads responsible for their agencies’ security compliance, LPA said they, “continue to think that agency leaders don’t know or sufficiently prioritize their IT security responsibilities. Agency leaders also may not sufficiently monitor whether their staff implement controls adequately. This could be because the Act does not include consequences for noncompliance.”[emphasis added]
Most of the agencies at least said they have plans to comply with the recommendations made by LPA; however, the Kansas State Department of Education (KSDE) flatly refused to even consider them.
KSDE makes excuses
LPA recommended KSDE “require all school districts to adopt basic security standards based on current industry standards. Given funding and local control issues, those standards could include an exemption section to allow districts to identify controls they cannot yet meet.” It’s unclear what ‘funding’ issues could exist since schools are constitutionally fully funded.
KSDE responded they had no legal authority to force districts to do so and conflated physical security and cybersecurity.
“The Kansas State Board of Education adopted four strategic, targeted goals at its May 2023 board meeting. The goals and related outcomes are the result of the Board’s retreat sessions in February and March. One of the four goals is to ‘enhance the safety and security of school districts in Kansas.’ The desired outcome is to diminish the threat and severity of school violence and cybersecurity attacks on school districts.”
The State Board of Education could effectively force compliance if it wanted, however, as KSDE requires school districts to be in compliance with state laws and regulations to be accredited.
Another LPA recommendation for KSDE was that the department “should help connect districts with necessary resources or grants, encourage collaboration among districts, and request authorization for additional agency staff to provide such assistance.”
KSDE then stated they simply didn’t have the staff, despite the recommendation that the department request authorization to hire the staff.
“The Information Technology (IT) team at KSDE was established and staffed to meet the data collection and management needs of the Department, rather than school districts,” KSDE wrote. The level of support necessary to implement this recommendation would be a significant undertaking and is not possible with the current level of IT staffing at KSDE.”
Unlike other state agencies, KSDE is not under the direct control of the Governor and the Legislature because the state constitution vests the general supervision of the school system with the State Board of Education. Ignoring state regulations and audit recommendations is a persistent habit of KSDE and the State Board, as documented in Giving Kids a Fighting Chance with School Choice.
Problems nothing new
Throughout the pandemic, Kansas consistently ranked high in identity theft, and cybersecurity seemed to be low on the priority list for Gov. Laura Kelly’s administration.
In 2019, Kansas ranked 39th in the nation in identity theft on a per-capita basis. But Kansas shot up to #1 in 2020 and #2 in 2021 largely due to rampant incompetence at the Kansas Department of Labor and the Kelly administration, according to sources who have seen confidential internal reports.
Per Federal Trade Commission numbers, there were just 78 reports per 100,000 residents in 2019 or 2,273 total complaints. In 2020 there were 1,483 complaints per 100,000, or 43,211 in total; an increase of 1,801%.
Things improved marginally in 2021, with Kansas falling to No. 2 in the nation but still reporting an additional 39,461 total complaints of identity theft for a total of 82,672 reports for the two years. In other words, with approximately 1.6 million adults between 18 and 65 in Kansa, roughly one in 20 found themselves victims of identity theft.
Kansas was also the second-worst state in the nation last year, with 1,335 identity theft reports per 100,000 of population. That is still more than 39,000 complaints. Kansas also has four spots on among the ten-highest metro areas for identify theft in the nation – Lawrence, Topeka, Wichita, and Manhattan.
These problems were brought to the attention of Kansas Governor Laura Kelly’s administration in 2020, and the immediate solution — identity verification for the online claims system — was not implemented until January of 2021. That was fully eight months after business leaders — and the federal government — warned states that fraud was going to be an issue during the pandemic.
As the Sentinel reported more than two years ago, the Kelly administration simply didn’t take the unemployment fraud and identity theft problems seriously — despite Kelly herself being a victim.