iStock 000003872659 Lar fmt

May 2016

HOW DMVS ARE STRIVING FOR STRONGER PROTECTION OF DIGITAL DATA

As technology advances, bringing more users and devices into the mix, cybersecurity will continue to be a top concern for everyone—from major corporations battening down their intellectual property to individuals attempting to thwart identity theft.

According to the Department of Homeland Security (DHS), cyberspace and its underlying infrastructure are vulnerable to a wide range of risk, including threats in both the physical and digital realms. Cyber-based criminals and nation-states have been exploiting vulnerabilities to steal information and money, and are continually developing new capabilities that can disrupt and threaten essential services.

All manner of traditional crimes are being perpetrated through cyberspace now. This includes financial fraud, child exploitation, extortion and holding information “hostage” until a payment is received to release it. Compounding the problem, criminals can operate from anywhere in the world, creating difficulties for law enforcement when it comes to tracking them down.

For AAMVA members, these cybersecurity threats can be particularly toxic. Not only do agencies face the threat of losing highly valuable data, but they also may be vulnerable to multiple attacks that can spread throughout an entire system.

“Cybersecurity isn’t new, but it’s getting more attention—for good reason,” says Philippe Guiot, chief information officer at AAMVA. “DMVs are critical when it comes to protecting information because criminals realize that their databases hold sensitive data. Jurisdictions are realizing that they need to step up protection, and they need to do it now.”

seeing the Challenges

Although cybersecurity safeguards are vital, many AAMVA members face a unique set of challenges when it comes to digital security practices. Many are attempting to integrate technology resources with training strategies, but they also need to deal with legacy systems; follow state, provincial and federal mandates; handle extremely sensitive user data; and hope for enough funding from legislatures.

One of the most pressing needs for many DMVs is the replacement of older equipment. “To do things right, you need money for more modern technology,” Guiot notes. “Some agencies are still trying to work with 40-year-old systems that don’t work with encryption and newer security controls. Even some [systems] that are only a decade old present challenges.”

Older machines may not have proper encryption, sophisticated access controls or up-to-date software with the latest security patches. Washington State has an array of legacy systems, says Ann Bruner, chief information officer, Washington State Department of Licensing. But IT and the security leadership team have been doing regular reviews to determine what needs to be swapped out. “At least once a year, we look at all technology pieces with an intention to upgrade or replace what needs to be changed for better security,” she says.

Even if a DMV recognizes the need for newer, more secure equipment and services, financial resources may be lacking. “Unfortunately, funding is always an issue,” Guiot says. “Part of the problem is that financial resources for cybersecurity vary from jurisdiction to jurisdiction. But if you have uneven protection, we’re all made more vulnerable.”

Many jurisdictions have been successful in working together with legislatures to highlight cybersecurity concerns and garner funding, based on recognition that security at the DMV contributes to more protection across all state and provincial agencies. For example, the California Department of Motor Vehicles received $1.7 million from its legislature in late 2015 to establish a data security center, and with those funds, it is refining processes and adding more training that wouldn’t have been possible before.

Security Strategies

Even with significant challenges like legacy equipment and funding, many DMVs are working to expand their resources and put systems that lower their cybersecurity risks in place.

In addition to tactics like creating an asset map and centralizing information (see sidebar on the right), DMVs are finding they can lower vulnerability with approaches that stack up security controls and put proactive measures in place. One particularly effective strategy is to view employees as gatekeepers instead of security risks.

When a breach occurs, it’s just as likely to be human error as a technology stumble, which underscores the importance of training, according to Bernard Soriano, deputy director of Risk Management for the California Department of Motor Vehicles. Security training should include aspects of technology usage, but it also should emphasize safe information handling in other ways, he notes.

For instance, training in California includes proper procedures for filing paper, or for what should be handed to customers. All employees also learn about identity theft risks. “We have over 10,000 employees, and they all need to recognize that the information we hold for our citizens could be misused,” says Soriano. “They also learn that they have a responsibility to protect that data—it’s not just up to the technology to keep it safe.”

Along with training, security policies are vital for better cybersecurity protection—as long as the language isn’t vague or confusing. Also, the policies need to be updated regularly and must be specific when it comes to what employees can and cannot do.

For example, Washington State specifically prohibits the use of non-encrypted flash drives, Bruner says. This prevents employees from taking work home and potentially exposing data through loss or theft of the drive. The policy also sets rules about what devices can connect to the network, information about regular software scans, email best practices and mandatory security training.

Another strategy that’s growing in popularity in the corporate sector is managed services, an approach that involves outsourcing numerous—and sometimes all—technology functions, such as data management, cloud-based data storage, information recovery, intrusion detection and even employee training.

One implementation worth keeping an eye on will be the Florida Department of Highway Safety’s move toward a managed services model, made possible by a recent legislative action. According to Boyd Dickerson-Walden, chief information officer of the department, about $700,000 will go toward implementing a managed security service that includes monitoring traffic and firewalls, incident response and security advisory services.

“We’re not just handing them the keys and saying, ‘Let us know when there’s a problem,’” he says. “We will have a stringent reporting structure and multiple controls in place. This is more about forming a partnership than simply outsourcing everything.”

Dickerson-Walden adds there are multiple benefits in pursuing managed security, such as reducing the need for a larger, in-house IT staff—an important consideration when data security professionals are in high demand—and gaining more robust intrusion detection and prevention services than they would have been able to afford otherwise. “We think this is a great step toward keeping up with emerging threats and getting what we need in place,” he says.

Looking ahead

One major factor for developing more cybersecurity is a mandate at the federal level for better digital protection. Guiot notes there are ongoing efforts in Congress to assess what should be done with cybersecurity for government agencies, as well as for the private sector.

According to ISACA, an organization focusing on IT governance professionals, there are currently 22 federal bills related to cybersecurity that are deemed “worth watching” as they make their way through the legislative process. “There are already good regulations at the federal level around data, privacy and reporting, but we’re going to see more ongoing efforts in Congress around cybersecurity,” Guiot says.

Other technology and policy advances, such as mobile driver’s licenses and online access to DMV databases by consumers and employees, likely will create more concern over data security. With initiatives and changes like these, Guiot suggests that AAMVA members make cybersecurity a priority now, rather than waiting for more federal mandates. “Every jurisdiction needs to see this as a call to action,” he says.

A good first step for any DMV is simply to start talking about cybersecurity, suggests Sjon Woodlyn, infrastructure branch chief at the California Department of Motor Vehicles. “So many of us operate under assumptions of what security might be, or what risks look like,” he says. “There’s a paradigm shift around cybersecurity that needs to occur, and that begins with understanding what we’re facing and how we can protect ourselves.”