How vulnerable are Florida government agencies to a cyberattack?
It’s a question state leaders hope to be able to answer by this time next year. The state’s newly-appointed Florida Cybersecurity Task Force convenes next week to begin a year-long analysis of the state’s cybersecurity health.
Its goal is to identify areas for improvement and prioritize digital threats against the state.
“These threats continue to increase in complexity,” said Eman El-Sheikh, director of the University of West Florida Center for Cybersecurity. “We need to be prepared with a long-term solution that not only keeps our information and citizens secure, as well as our critical infrastructure, but maintains that in years to come.”
Chaired by Lt. Gov. Jeañette Nunez, the committee consists of 13 members from both the public and private sectors who have backgrounds in security. El-Sheikh is one of seven private sector members appointed by Gov. Ron DeSantis at the end of September.
She joins security experts from sectors including health care, energy, entertainment and retail.
Government participants range from Florida Department of Law Enforcement members to Florida’s chief information officer and chief information security officer and a member of the Florida Division of Emergency Management.
The committee was created as part of a law the state Legislature passed in June. During its audit, the task force will recommend how Florida’s government agencies can better secure their data and systems, propose procedures to help identify threats as they emerge and protect against someone accessing or destroying data without authorization. It will also identify current weak areas in agencies’ security.
Florida joins several other states in creating such a committee. About 24 states have similar bodies, the first of which was formed by New York in 2013.
Though the analysis hasn’t yet begun, members expect that some of the threats government agencies will face are similar to those that plague other industries.
One such threat is social engineering, when an attacker masquerades as someone helpful, such as a member of a company’s IT department, to convince an employee to give over sensitive data, such as login credentials or company payment card information. Another is ransomware, where malicious software prevents someone from accessing files or a device until they pay whoever is behind the software a fee.
Attacks that use social engineering and ransomware are “an easier way to generate revenue versus stealing a lot of data and then trying to sell it,” said committee member Jason Raymond. Raymond is the chief information security officer for Guidewell Mutual Holding Corp., insurer Florida Blue’s parent company.
Ahead of its first meeting, it is unclear if the committee will cover election security.
Sri Sridharan, director of the state-created Cyber Florida center at the University of South Florida, said time is of the essence to fix any issues the committee finds to prevent them from being exploited.
“Once the information is exposed or breached, the cat’s out of the barn already,” he said.
The committee’s first meeting will be held in Tallahassee on Tuesday. It expects to present its final report by November 2020.