HARRISBURG – The Senate Communications and Technology Committee, chaired by Sen. Tracy Pennycuick (R-24), brought together information technology experts Monday for a public hearing on securing cloud-based data held by state and local governments.
“State and local governments are entrusted with our constituents’ sensitive data. Keeping this information secure and protected must remain our top priority,” Pennycuick said. “The world is full of bad actors looking to exploit our vulnerabilities and gain access to this information. The matters we discuss today will help us stay ahead of incessant cyber thieves.”
With cloud storage, digital data is stored on servers in off-site locations. The servers are maintained by a third-party provider responsible for hosting, managing and securing data. This data includes personally identifiable information such as tax records, unemployment claims, social security numbers, driver’s licenses and more.
Cloud-based storage and applications generally offer unique benefits, including enhanced security when compared to traditional legacy systems.
Testifiers said the threat to cybersecurity is constant. Pennsylvania’s acting Chief Information Security Officer Christopher Dressler testified that, in a recent month, there were approximately 38 billion unauthorized attempts to connect to the state network. He said cloud computing presents cybersecurity benefits for the commonwealth, such as intrusion prevention, malware protection, identity and access controls and encryption. Like other technology innovations, cloud computing also creates new challenges.
“Cloud implementations require organizations to enable appropriate cybersecurity controls and maintain a level of active management to help mitigate risks,” Dressler said. “Proper configuration of the cybersecurity controls in a cloud environment is essential to ensuring adequate protections of resources and data are in place.”
Maria Thompson of Amazon Web Services said that while service providers play a lead role in protecting the data they store, governments and other cloud service customers have a responsibility for security within their cloud storage. Human error is a top cause of security breaches. Thompson recommended state personnel receive special training to avoid errors.
Representatives from Unisys information technology services noted the various levels of funding other states put into cybersecurity, and said having a robust incident response and recovery plan is crucial.
John Alwine of Unisys said, “The legislature and administration must seek out increased coordination amongst state IT users, foster greater recognition of security risks for state agencies, hold government IT leaders accountable in establishing a security path forward, but also provide the resources necessary to implement such a strategy.”
Representatives of the County Commissioners Association of Pennsylvania said that cloud storage allows counties to reduce on-premise technology and provides features for disaster recovery and security patches. The cost of cybersecurity is an ongoing expenditure, however.
Verizon’s 2022 Data Breach Investigations Report stated that public sector organizations were involved in one in five cyber incidents, amounting to roughly 2,792 cyberattacks. It also revealed that approximately 47% of public sector data breaches were not discovered until years after the initial attack.
Monday’s hearing was the latest in a series by the committee examining cybersecurity and data breaches. Last week, the committee approved legislation to protect the information by prohibiting state-owned devices from downloading and using TikTok. The bill was approved by the full Senate.
“Ensuring procedures are in place to protect citizen data held by governments is critically important,” Pennycuick said. “That has been a focus of this committee in the past, and we are going to stay on top of this issue in the current legislative session.”
You can view video and written testimony from today’s hearing here.
CONTACT: Lidia DiFiore