Audit: State of Michigan computer systems are vulnerable to attack

LANSING – Michigan’s auditor general says the State of Michigan’s computer systems are vulnerable to attack because of weaknesses in the state’s cybersecurity systems.

The highly critical audit was released Friday amid heightened concerns about hacking of government systems, including election systems, by Russia and others, and as Gov. Rick Snyder has tried to position Michigan government as a leader in the cybersecurity field.

The report made no specific findings about the state's voter database or any other specific systems, instead addressing vulnerabilities across all departments, where the computer network and devices are the responsibility of the Department of Technology, Management and Budget.

Though the department handles computer security for the Michigan Secretary of State, which oversees elections and the voter database, it does not handle security for voting machines and tabulating systems, which are operated by local governments.

State government also collects and holds information related to income tax returns and applications for unemployment insurance and social programs such as welfare, all of which contain highly personal and confidential information.

Concerns cited in the report ranged from security settings on state routers, switches, and firewalls to access to the state network by unauthorized laptops and other devices, as well as use of outdated operating systems that don't receive new security patches and a lack of cybersecurity awareness among state employees.

The agency has not established and implemented adequate management controls "to ensure that the State's network devices are securely configured," said the report by Auditor General Doug Ringler.

Such controls on routers, switches and firewalls — electronic devices used to build data networks and ferry information from one computer to the next — "directly impact DTMB's ability to protect the State's network from threats and vulnerabilities," the report said.

The state agreed or partially agreed with most of the auditor's findings, but disagreed with how serious some of the findings are, insisting it has strong measures in place to protect its systems from outside attacks.

"The data held within the state government network is safe and secure due to the many layers of protection in our security ecosystem," said Caleb Buhs, a spokesman for DTMB.

"The recommendations that they made reflect best business practices, many of which we have already begun to implement. This audit provides us with a good road map for prioritizing future technology infrastructure investments."

But Senate Minority Leader Jim Ananich, D-Flint, said the audit is "yet another instance of incompetence shown by this administration," after the Flint drinking water crisis, crumbling state roads, and other problems.

Snyder used to head a computer company, and "there is just no excuse for why Michigan's top officials have failed to protect our state from hackers," Ananich said.

The audit didn't cite any examples of successful hacking of the state's system, which it said is generally stable. But it did identify many vulnerabilities.

The report found that DTMB failed to:

Formally adopt industry best practices for securing network devices. Instead, the agency told the auditor it used vendor-recommended settings and internal experts to create "configuration checklists" for securing network devices.

Configure systems in accordance with best practices. The auditor reviewed 45 routers, switches and firewalls in the state network and found that 100% of them had deviations from vendor guidelines and DTMB standards. The auditor found between six and 26 deviations on each device. "The configuration of an information system and its components has a direct impact on the security posture of the system," the auditor said.

Adequately raise cybersecurity awareness among state employees. The auditor conducted a "phishing exercise" — similar to ones used by hackers to gain unauthorized access to computer systems — on 5,000 state employees. The test involved an e-mail about an expired password, requesting employees to click on a link and enter their credentials. Of the employees tested, 32% opened the e-mail, 25% clicked the link, and 19% entered their credentials, the auditor found. "The potential consequences from being phished include identity theft, unauthorized use of accounts, stolen information, and damage to credibility, all of which may take years for an organization to recover," the report said.

Conduct a "risk assessment" of the network, which the auditor says should be conducted at least annually. The auditor reviewed 45 state network devices and found that the agency had not conducted vulnerability scans, which are supposed to be completed every 30 days, on any of them.

Ensure that only authorized devices — such as laptop computers or phones — access the state's information technology network. As of June 2017, about 87,000 different IP addresses were connected to the state's system, but "DTMB did not implement sufficient processes to determine whether each of the connected IP addresses represented authorized devices."

Implement an effective system for managing updates to device operating systems. The auditor said it reviewed vendor-issued security advisories for four operating systems that are running on 1,361 of the state's 3,126 network devices. The auditor looked at 28 vulnerabilities the vendor had classified as medium- or high-risk and found that the state had not addressed 10, or 36%, of them. Also, state devices use about 140 different operating system versions, "which can increase the complexity of managing updates and reviewing these security advisories," the report said.

Make sure that only devices still supported by vendors are operating in the state's IT system. The auditor reviewed hardware and software information for 3,876 network devices and found 745, or 19%, of the devices, were no longer supported by the vendor and 190, or 5%, were running operating systems that were no longer vendor-supported. "Unsupported network devices become obsolete and security patches or technical support may no longer be available," the report said. "This results in an increased risk of network failure, which could negatively impact the availability of the State's critical systems."

Implement a system to make sure the network is protected against threats presented by unauthorized wireless access, which can include the forced shutdown of the system by overwhelming it with information requests and capture of sensitive information by unauthorized parties.

Ensure state employees responsible for securing the network are adequately trained. The agency "was unable to provide historical training records for all staff to demonstrate that staff had received the necessary training and that it was evaluated for effectiveness," the report said.

Establish and implement effective controls over management of the state's computer firewalls, which put up threat protection barriers between a local network and the Internet and filters between the network it is protecting and other networks. A review of 48 firewall rule changes found a lack of proper documentation and/or approvals in between 7% and 29% of the cases.

The audit said the state failed to develop internal security configuration checklists, consistent with best practices, for all routers, switches and firewalls.

The state also failed to establish a formal process to review and update security settings for those network devices, the report said. The auditor said security configurations on such devices should be reviewed and updated at least every 90 days, but DTMB said it performed updates in response to major events and on an "as-needed" basis.

The audit said DTMB failed to establish a process to routinely monitor network device security configuration settings. The agency said it monitors changes to the configuration of about 3% of the 3,876 network devices, but the auditor said DTMB should be monitoring all of them to make sure they are in compliance.

Anna Heaton, a spokeswoman for Snyder, said "technological threats are constantly evolving, and that’s why cybersecurity is both so important and so challenging."

Snyder "is proud of Michigan being a model in developing responses to this type of threat, but this shows there are ways in which we can improve and we will be sure the department has the resources to do that," she said.

In its response, the agency said it is finalizing a standard that will adopt industry best practices for secure configurations and expects that to be completed in April. The agency disagreed the security issues are as serious as the auditor said, saying that because it uses many layers of security, weaknesses pointed out regarding any one layer are less serious.

"Think of it like a medieval castle," Buhs said. "There is a moat, and then high walls on the outside, and archers on the wall and hot oil to dump on enemies."

As far as access to the state system, DTMB again disagreed that the findings were as serious as the auditor said.

The agency said it has a limited pilot study under way to explore implementing a "network access control" plan to assure only authorized devices connect to the system. But it said there are many other methods it already uses to prevent unauthorized users, such as use of system firewalls, disabling network ports that are not regularly used, requiring user authentication, and monitoring traffic for hacking and viruses.

The agency said it agreed with the recommendations about updating operating systems and expected to have an improved system in place this month.

On replacing network devices that are no longer vendor-supported, "fiscal resources will limit the replacement of unsupported network devices until 2019, but the management process will be in place" to do so.

The agency disagreed with the auditor's finding that it needs to implement an effective risk management plan, saying it has already done so. Although its systems don't perform the type of scans for vulnerabilities the auditor was looking for, it does perform other types of scans to search out security weaknesses, the department said.

On the auditor's test "phishing" attack, the state said the test e-mail was reported to its security tips mailbox multiple times, and other controls are in place to limit the effectiveness of such attacks. But the agency said it is working to improve its cybersecurity training and monitor the effectiveness of that training.

Contact Paul Egan: 517-372-8660 or pegan@freepress.com. Follow him on Twitter @paulegan4.