<p><a href="https://www.the-chesapeake.com//wp-content/uploads/2014/05/Patrol-car-computer-St.-Marys-Sheriff.jpg"><img class="alignleft size-medium wp-image-4221" src="https://www.the-chesapeake.com//wp-content/uploads/2014/05/Patrol-car-computer-St.-Marys-Sheriff-300x224.jpg" alt="Patrol car computer St. Mary's Sheriff" width="300" height="224" /></a></p>
<p><strong>By </strong><a title="Posts by Mike Denison" href="http://cnsmaryland.org/author/mdenison91/" rel="author"><strong>Mike Denison</strong></a><br />
<strong><em>Capital News Service</em></strong></p>
<p>ANNAPOLIS – Maryland government entities have suffered at least six cyberattacks since the beginning of 2013, according to incident reports from the Department of Information Technology.</p>
<p>The heavily redacted reports, obtained by Capital News Service through a Maryland Public Information Act request, reveal that data-hungry hackers and scammers aren’t only going after retailers like Target and Neiman Marcus — they’re targeting state agencies.</p>
<p>“Our government doesn’t move as quickly as the private sector … and the private sector isn’t moving as quickly as it should be,” Sen. Catherine Pugh, D-Baltimore, said in an interview.</p>
<p><a href="http://cnsmaryland.org/wp-content/uploads/2014/04/sen-pugh-resized.jpg"><img class="size-medium wp-image-21161" src="http://cnsmaryland.org/wp-content/uploads/2014/04/sen-pugh-resized-300x167.jpg" alt="" width="300" height="167" /></a></p>
<p>The report said a phishing scam that hit the Department of Labor, Licensing and Regulation affected “more than 100 users,” and two other incidents affected an estimated “more than 10 users.”</p>
<p>Elliot Schlanger, the state director of cybersecurity, said specific numbers of affected users are often difficult to pin down, particularly with phishing attacks. Phishing involves sending a large number of emails asking for sensitive information, like passwords, under the guise of a legitimate sender.</p>
<p>One incident on the report involved the Maryland State Police in September. Last year, the police were bombarded with thousands of gun applications ahead of incoming stricter firearm laws. To reduce the massive backlog, volunteers from the departments of <strong>Health and Mental Hygiene, Transportation, Public Safety and Correctional Services, Human Resources and Juvenile Services</strong> offered to help out with data entry, according to a police press release.</p>
<p>According to a <strong>National Rifle Association</strong> press release, some state agencies’ computers were not adequately secured to handle gun applications, which include sensitive information.</p>
<p>Elena Russo, director of the police’s communications department, said the incident on the Department of Information Technology report was merely a notification of a potential security risk.</p>
<p>“It was not a security breach, it was not a cyber breach, there were no hacks and no data brought forward by the Maryland State Police,” she said.</p>
<p>Similarly, <strong>Maureen O’Connor, director of media relations for the Department of Labor Licensing and Regulation</strong>, said that no personnel data was stolen in a phishing attack on her department. However, a malicious program known as a “ransomware” encrypted department information, demanding that money be sent to a specific account to unlock the data.</p>
<p>The attack began when an employee ignored a department-wide warning not to open a suspicious email. O’Connor said the malware was eliminated and the data restored within four days.</p>
<p>The document also said that three Department of Human Resources servers were attacked on Oct. 22. Brian Schleter, director of communications for the agency, said the attack was launched on a department website used to post press releases. No data was compromised.</p>
<p>The proposed budget for fiscal year 2014 notes that no “substantial disruptions” of state network services have occurred since 2011, when records of disruptions began.</p>
<p>The state has taken steps to teach its employees about best practices in cybersecurity. In February, Isabel FitzGerald, secretary of the Department of Information Technology, told the House of Delegates that the department had begun monthly cybersecurity training courses for more than 40,000 state employees and contractors.</p>
<p>“They endeavor to make sure all the employees of all the agencies are aware of the possibilities of attacks,” said O’Connor, who has taken the course.</p>
<p>The state’s vulnerabilities aren’t new. The <strong>Office of Legislative Audits</strong> has outlined weaknesses in many agencies’ cybersecurity plans over several years. An audit of the state police from February 2009 to December 2011 found that some servers that guarded personal information, including about 176,000 Social Security numbers, were insufficiently secured. In a March 2013 response to the audit, the police insisted the auditors misunderstood a security measure, and personal information was secure.</p>
<p>The audit also found that police networks lacked systems designed to detect intrusions. The response said that those systems were added after the audit.</p>
<p>Similar audits found more cyber vulnerabilities in the departments of Labor, Transportation and Education as well as the State Archives.</p>
<p>Pugh aimed to promote state cybersecurity even further during the recently-ended 2014 legislative session. She authored a bill to adopt an overarching cybersecurity plan based on a similar document published by the National Institute of Standards and Technology. The Senate passed the bill unanimously, but it died in the House of Delegates in committee.</p>
<p>Pugh said the bill arose out of concerns for the state’s long-term condition, citing the growing amount of information that state entities and contractors transfer online. A 2012 hack into South Carolina records that exposed 3.6 million tax returns, according to the South Carolina Department of Revenue, encouraged her to make sure Maryland didn’t suffer a similar fate.</p>
<p>“If this can occur in other states, it can occur here,” Pugh said.</p>
<p>While the Department of Information Technology’s information security policy currently encourages following National Institute of Standards and Technology recommendations, Pugh said that her bill would have given state departments incentive to ensure they were actually following best practices.</p>
<p>Costis Toregas, a computer science professor at The George Washington University, warned that the government reports may not tell the full story. He said that there are “probably hundreds of thousands” of attempted attacks on Maryland agencies every day that don’t get public attention.</p>
<p>“We penalize people for coming forward and saying something bad happened…there’s no sharing of information happening,” he said.</p>
<p>According to state information technology policy, agencies do not need to report viruses or malware that have been automatically thwarted by anti-virus software.</p>
<p>The Heartbleed security bug, first discovered on April 7, also may have a serious impact on government operations. The bug is a vulnerability in OpenSSL, a security protocol used to protect information on about two-thirds of all web servers, according to the technology website Ars Technica. Hackers can exploit the bug to steal passwords and other sensitive information.</p>
<p>Toregas said even if they aren’t vulnerable to <strong>Heartbleed</strong> on their own, state agencies could still be seriously affected by it if they interact with vulnerable businesses.</p>
<p>“We live in an interconnected world. At some point the government will come into contact with a commercial entity on the web,” Toregas said. “We’ve become too interconnected to draw a rigid line between commercial [and government entities].”</p>
<p>Schlanger said after the Heartbleed outbreak, the <strong>Department of Information Technology</strong> shared strategies to deal with the bug with state information officers, some of which may have affected users. He added that the department would continue to keep tabs on potential fallout from the bug.</p>
<p>“Continuous monitoring of the cyber threatscape is one of the fundamental tenets of our cybersecurity program,” Schlanger wrote in an email.</p>
<p>The Department of Information Technology report also included three incidents that were not cyberattacks, in addition to the police’s risk warning. These included a stolen computer, a former employee sending an email from another’s account, and an employee’s home computer being infected with<strong> malware</strong>.</p>
<p>What the phishers and would-be hackers were looking for in state agency computers remains a mystery. Mark Cather, director of communications and security at the <strong>University of Maryland, Baltimore County</strong>, said they were likely seeking employees’ personal information “because they can turn identities into cash.”</p>
<p>Hackers might also have tried to use government computers as a resource, utilizing their processing power to crunch numbers or launch further attacks, Cather said. He added that some may have sought trade secrets or other information worth selling, but it was unlikely because few state agencies make anything with patents or trademarks that would be worth selling.</p>
<p>Regardless of their objectives, hackers aren’t going to leave state agencies alone anytime soon. Pugh hopes that legislators will take a more active role in promoting cybersecurity.</p>
<p>“I look at the government from the perspective of a business,” Pugh said. “…What do want the state to look like three years from now? I don’t think we do enough of that kind of thinking and planning.”</p>
<h2 class="left_heading ">About the Author</h2>
<div class="author ">
<div class="icon"><img class=" avatar avatar-75 photo user-182-avatar" src="http://cnsmaryland.org/wp-content/plugins/user-avatar/user-avatar-pic.php?src=http://cnsmaryland.org/wp-content/uploads/avatars/182/1397051470-bpfull.jpg&;w=75&;id=182&;random=1397051470" alt="" width="75" height="75" /></p>
<div class="title"><a title="Posts by Mike Denison" href="http://cnsmaryland.org/author/mdenison91/" rel="author">Mike Denison</a></div>
<p><!-- #title --></div>
<p><!-- #icon --></p>
<div class="authorcontent">
<p>Mike Denison is a senior in the University of Maryland Philip Merrill College of Journalism, covering science, technology and health care in Annapolis. He has interned with <a href="http://www.usatoday.com/">USA Today</a>, where he assisted in managing the web site&#8217;s News section, and <a href="http://www.thedailyrecord.com/">The Daily Record</a>, where he covered business news in the Baltimore area. Follow him on Twitter <a href="http://www.twitter.com/mdenison91">@mdenison91</a>.</p>
<div id="metaslider-id-3609" style="max-width: 750px;" class="ml-slider-3-100-1 metaslider metaslider-flex metaslider-3609 ml-slider ms-theme-default" role="region" aria-label="Advertisers" data-height="500" data-width="750">
 <div id="metaslider_container_3609">
 <div id="metaslider_3609" class="flexslider">
 <ul class='slides'>
 <li style="display: block; width: 100%;" class="slide-11695 ms-image " aria-roledescription="slide" data-date="2016-08-03 00:11:16"><a href="https://www.facebook.com/lindascafelpcity/" target="_blank" aria-label="View Slide Details" class="metaslider_image_link"><img src="https://www.the-chesapeake.com/wp-content/uploads/2016/08/Lindas-On-The-Go-side-604x403.jpg" height="500" width="750" alt="" class="slider-3609 slide-11695 msDefaultImage" /></a><div class="caption-wrap"><div class="caption">One incident on the report involved the Maryland State Police in September. Last year, the police were bombarded with thousands of gun applications ahead of incoming stricter firearm laws. To reduce the massive backlog, volunteers from the departments of Health and Mental Hygiene, Transportation, Public Safety and Correctional Services, Human Resources and Juvenile Services offered to help out with data entry, according to a police press release.

According to a National Rifle Association press release, some state agencies’ computers were not adequately secured to handle gun applications, which include sensitive information
</div></div></li>
 <li style="display: none; width: 100%;" class="slide-1464 ms-image " aria-roledescription="slide" data-date="2011-04-03 01:26:27"><a href="http://allpawnandguns.com/" target="_blank" aria-label="View Slide Details" class="metaslider_image_link"><img src="https://www.the-chesapeake.com/wp-content/uploads/2011/04/All-Pawn-March-2011-Ches-750x500.jpg" height="500" width="750" alt="" class="slider-3609 slide-1464 msDefaultImage" /></a><div class="caption-wrap"><div class="caption">One incident on the report involved the Maryland State Police in September. Last year, the police were bombarded with thousands of gun applications ahead of incoming stricter firearm laws. To reduce the massive backlog, volunteers from the departments of Health and Mental Hygiene, Transportation, Public Safety and Correctional Services, Human Resources and Juvenile Services offered to help out with data entry, according to a police press release.

According to a National Rifle Association press release, some state agencies’ computers were not adequately secured to handle gun applications, which include sensitive information
</div></div></li>
 <li style="display: none; width: 100%;" class="slide-15651 ms-image " aria-roledescription="slide" data-date="2019-05-28 19:45:10"><a href="https://read.amazon.com/kp/embed?asin=B07S8F7WF6&;preview=newtab&;linkCode=kpe&;ref_=cm_sw_r_kb_dp_NqC7CbPH5FBPA&;tag=stmarystodaonlin" target="_blank" aria-label="View Slide Details" class="metaslider_image_link"><img src="https://www.the-chesapeake.com/wp-content/uploads/2019/05/MurderUSA_AUDIO-750x500.jpg" height="500" width="750" alt="" class="slider-3609 slide-15651 msDefaultImage" title="boy screams opening the mouth" /></a></li>
 <li style="display: none; width: 100%;" class="slide-16578 ms-image " aria-roledescription="slide" data-date="2021-05-07 14:29:41"><img src="https://www.the-chesapeake.com/wp-content/uploads/2021/05/Buzzs-Marina-2019-750x500.jpg" height="500" width="750" alt="" class="slider-3609 slide-16578 msDefaultImage" title="Buzzs Marina 2019" /></li>
 <li style="display: none; width: 100%;" class="slide-16742 ms-image " aria-roledescription="slide" data-date="2021-10-24 22:51:01"><a href="https://www.facebook.com/lindascafelpcity" target="_blank" aria-label="View Slide Details" class="metaslider_image_link"><img src="https://www.the-chesapeake.com/wp-content/uploads/2024/02/Lindas-Cafe-Now-Open-at-new-location-750x500.jpg" height="500" width="750" alt="" class="slider-3609 slide-16742 msDefaultImage" title="Lindas Cafe Now Open at new location" /></a><div class="caption-wrap"><div class="caption"><div>Linda's Cafe new location now open</div></div></div></li>
 <li style="display: none; width: 100%;" class="slide-16901 ms-image " aria-roledescription="slide" data-date="2022-01-15 22:19:57"><a href="http://floridafishingkayaks.com/" target="_blank" aria-label="View Slide Details" class="metaslider_image_link"><img src="https://www.the-chesapeake.com/wp-content/uploads/2022/01/Wavewalk-Kayaks-1-750x500.jpg" height="500" width="750" alt="" class="slider-3609 slide-16901 msDefaultImage" title="Wavewalk Kayaks" /></a></li>
 <li style="display: none; width: 100%;" class="slide-17596 ms-image " aria-roledescription="slide" data-date="2023-08-11 22:30:44"><img src="https://www.the-chesapeake.com/wp-content/uploads/2023/08/Press-pass-OConnor-email-750x500.jpg" height="500" width="750" alt="" class="slider-3609 slide-17596 msDefaultImage" title="Press pass O&#039;Connor email" /><div class="caption-wrap"><div class="caption"><div>WHISTLE BLOWERS WANTED</div></div></div></li>
 <li style="display: none; width: 100%;" class="slide-17916 ms-image " aria-roledescription="slide" data-date="2024-08-03 21:43:22"><a href="https://www.huntplumbingheatingandairconditioning.com/" target="_blank" aria-label="View Slide Details" class="metaslider_image_link"><img src="https://www.the-chesapeake.com/wp-content/uploads/2024/08/HUNT-Plumbing-Heating-and-Air-Conditioning-750x500.jpg" height="500" width="750" alt="" class="slider-3609 slide-17916 msDefaultImage" title="HUNT Plumbing Heating and Air Conditioning" /></a><div class="caption-wrap"><div class="caption"><div>Click to website for Special Offers</div></div></div></li>
 <li style="display: none; width: 100%;" class="slide-28836 ms-image " aria-roledescription="slide" data-date="2024-11-06 20:52:51"><a href="https://www.amazon.com/dp/B0D17J3VS7?binding=kindle_edition&;ref_=dbs_s_ks_series_rwt_tkin&;qid=1730944414&;sr=1-2" target="_blank" aria-label="View Slide Details" class="metaslider_image_link"><img src="https://www.the-chesapeake.com/wp-content/uploads/2024/11/32-Book-Series-THE-CHESAPEAKE-TODAY--381x254.png" height="500" width="750" alt="" class="slider-3609 slide-28836 msDefaultImage" title="32 Book Series THE CHESAPEAKE TODAY" /></a></li>
 <li style="display: none; width: 100%;" class="slide-28898 ms-image " aria-roledescription="slide" data-date="2025-05-12 08:27:53"><img src="https://www.the-chesapeake.com/wp-content/uploads/2025/05/FITZIES-IS-BACK-FOR-2025-556x370.jpg" height="500" width="750" alt="" class="slider-3609 slide-28898 msDefaultImage" title="FITZIES IS BACK FOR 2025" /></li>
 </ul>
 </div>
 
 </div>
</div>
</div>
</div>