
Published on May 23rd, 2022

Kansas labor department cybersecurity audit keeps findings secret



State employees are working to implement 31 security recommendations identified in a cybersecurity audit of the Kansas Department of Labor.

Some policymakers also expressed concern that a leak of the security audit to a lobbyist organization's media arm was tantamount to a security breach of a committee tasked with ensuring security.

The Unemployment Compensation Modernization and Improvement Council reviewed the BKD Cyber audit report in executive session on Tuesday.

Council chair Rep. Sean Tarwater, R-Stilwell, said the report was deemed confidential ahead of the meeting, even though it was not considered confidential when it was sent to council members a week earlier.

"It's confidential in nature because in the right hands, it could be a roadmap to how to hack into our system," Tarwater said after the meeting.

The Kansas Sentinel, which is owned by the Kansas Policy Institute, published information about the confidential report around the same time the council ended its executive session.

Leak is tantamount to security breach

Non-legislative member Jake Miller said the leak undermines the council's integrity.

"The article is just blatantly not what was even told or discussed to us in either the reports or what was said in executive session," he said.

The labor department did not immediately respond to a formal open records request from The Topeka Capital-Journal. But agency spokesperson Becky Shaffer said KDOL and the state's information security office determined that making the report public "would violate Kansas statutes related to systems security."


Rep. Stephanie Clayton, D-Overland Park, said the leak is tantamount to a security breach.

"We can be transparent about our proceedings and about our issues while still respecting the fact that the taxpayers and employers of Kansas have a lot invested into us having a secure and functioning system," she said after the meeting.

"So as members of the unemployment modernization council, it's incumbent upon us to be the first in the line of defense of security for this system to prevent us from being the victim of further overseas cybercrime," Clayton added.

Tarwater later said he didn't know why the report was deemed confidential, adding that he asked officials the night before the meeting if they should close the discussion "just in case it is confidential." Tarwater said council members had the report for about a week before it was deemed confidential.

"Who knows who else it was sent to?" he said.

Phil Hayes, a non-legislative member of the council, said the auditors had previously "indicated that all of their reports will be written in a manner that it wouldn't be confidential, there wouldn't need to be redaction."

Shaffer said that the firm that drafted the audit has agreed to writing another report that can be released to the public.

"While the findings do not identify any major vulnerabilities, the state takes seriously the responsibility to keep its systems safe," Shaffer said. "Many of the attacks that states have faced have come from sophisticated criminal rings, so advertising even low-level findings could provide a technical advantage to bad actors and increase the likelihood for attack."

Full audit of security issues to come in September, preliminary presented

The preliminary report was prepared by BKD Cyber and presented by the firm's managing director, Ron Hulshizer. A full report, including a forensic audit of unemployment fraud, is expected in September.

There appeared to be unanimous agreement that the recommendations are good. Hulshizer indicated during a public portion of the meeting that one of the notes in the audit is that KDOL has no comprehensive inventory of its hardware or software.

Most of the recommendations can be implemented relatively quickly, Tarwater said, though some will "require an investment for some tools." He said the problem is a personnel competency issue that can't be blamed on the decades-old technology.

Agency officials disagreed.

"The auditors noted that the majority of these recommendations were a direct result of the agency’s need to rely on an outdated legacy system," Shaffer said. "If the previous administration had not abruptly halted the last modernization project in 2011, the state would have been able to avoid much of this headache that was caused by the current patchwork of systems."


Modernization efforts have already begun with Tata Consultancy Services, which entered into a $41 million contract with the state last month.

Three lawmakers who attended remotely, including Rep. Susan Estes, R-Wichita, were excluded from the executive session.

Estes asked how quickly the agency could respond to the most critical recommendations. She said she was "disturbed by everything that I read in the report."

Deputy Labor Secretary Peter Brady offered to have a private meeting with her to get into specifics.

"The agency has got a path forward, the state of Kansas has a path forward," Brady said. "And while there's things we need to work on, I wouldn't say it's as alarming as it may have seemed just from reading the report."

Agency officials later said that work has already begun to address the issues. Shaffer said all of the audit findings are being taken seriously and the agency is committed to mitigating them, regardless of their level of risk.

Hulshizer said BKD could follow up on whether the recommendations are implemented, but it may be best to wait six months to give the agency time to implement the more complex recommendations. The simpler ones should be "completed much more before that."

Ron Hulshizer, managing director of BKD Cyber, takes questions from the podium during a KDOL audit committee meeting Tuesday at the Statehouse.

Audit discussion takes political turn

Tarwater accused KDOL of downplaying and lying to lawmakers about the risk of a data breach.

"We were very concerned about a data breach," Tarwater said, "and every report led with 'we were not breached, we were not breached, we were not breached.'

"And then when we're presented with an audit that shows how easy it would be to breach, and that they would have no idea that somebody breached them, coupled with the fact that we're number one in the nation for identity theft.

"You bet they would certainly try to downplay that, because they lied to us."

Hayes presented Federal Trade Commission data during the meeting that shows Kansas had the most per-capita reports of identity theft.

Brady theorized that Kansas numbers looked worse than other states because KDOL directed victims to report identity theft to the FTC.

Shaffer said the council's audit team found no evidence of a data breach.

Clayton said she was surprised at "how little fraud was actually found" and is pleased with KDOL.

"They have shown good due diligence in making sure that our new system is secure, that our proceedings and installing this new system are secure," she said.

Tarwater said many of the recommendations were "kindergarten-level IT things" that should have been caught by Labor Secretary Amber Schultz. She was appointed by Gov. Laura Kelly and confirmed by the Senate in large part because of her technology background.


"What surprised me was a lot of them were simple things that are kind of common sense," Tarwater said. "And the fact that we hired a secretary specifically for her IT background, I would think that a lot of those things would have been caught by now.

"But I'm glad we did the audit to bring them to her attention."

Clayton said such potshots are not appropriate, and she accused colleagues of trying "to score political points."

"We understand that the chairman is frustrated — but we implore him to work with us to identify solutions to help move the process forward rather than engaging in unnecessary name calling," Shaffer said.

Trust fund solvency could lead to tax cut

The trust fund has nearly $1 billion and has effectively returned to its pre-pandemic level. Kansas is one of only 16 states that has a trust fund meeting the U.S. Department of Labor's minimum solvency standard.

Because of the health of the trust fund, Brady said, "our employers are likely to see a tax reduction at the state level, if not this year probably the next year for sure." Agency officials said that could materialize with a 0.2% tax rate decrease.

Hayes said employers may see upwards of $70 million in tax cuts for calendar year 2023 thanks to the burgeoning trust fund.

Jason Tidd is a statehouse reporter for the Topeka Capital-Journal. He can be reached by email at jtidd@gannett.com. Follow him on Twitter @Jason_Tidd.
