Latest news with #stateauditor
Yahoo
4 days ago
- Business
- Yahoo
Ohio lawmakers want local governments to create cybersecurity plans
Government requirements and culture can make upgrading aging computer systems difficult, experts say. (Getty Images) Ohio House lawmakers got a stark warning Tuesday from a leading cybersecurity firm: potential threats are changing 'dramatically' in terms of 'sophistication, speed and complexity.' The presentation came on the heels of lawmakers introducing a bill requiring municipalities to develop their own cybersecurity policies. House Bill 283 is a response to wave of cyber-attacks aimed at relatively low-level government agencies. The bill's co-sponsor, state Rep. Haraz Ghanbari, R-Perrysburg, explained in April last year, the state auditor reported at least 23 cyberattacks against government offices in the last 12 months. 'In Licking County,' Ghanbari added, 'just one attack resulted in the theft of more than $700,000.' The measure directs local governments to review their systems and identity risks and detection strategies. The also have to develop training programs and create plans for repair, and response and in the event of an attack. Ghanbari's co-sponsor, state Rep. Adam Mathews, R-Lebanon, said locals would have to inform state safety officials within seven days and the state auditor within 30. 'This will ensure prompt and accurate information is relayed to the proper authorities involved in the response,' he said. The proposal also puts added pressure on local response to ransomware attacks. Under the proposal, Matthews said, municipal governments would be prohibited from paying a ransom unless it 'formally and out in the open' approved legislation to that effect. 'This requirement bolsters transparency and ensures constituents are both aware of the incident's occurrence and have an opportunity to provide feedback on the best use of their taxpayer dollars,' he said. Thomas MacLellan from the cybersecurity firm Palo Alto Networks, told lawmakers that governments, agencies and businesses aren't defending against a random hacker. 'Ransomware is now a business,' he said. 'It is a business where they actually have help desks.' And just as the sophistication of attacks has grown, so has the speed. 'In 2021, it took about nine days to exfiltrate data,' he said of bad actors removing information. 'In the latest attacks now leveraging artificial intelligence, it literally only takes hours.' Beyond these kinds of ransom attacks, where an actor holds critical data or access hostage in exchange for money, MacLellan described several other threats, including attackers exploiting industrial control systems. 'Those are the things, the switches that turn on things that are connected to the internet,' MacLellan said, 'that turn on bridges and dams and traffic lights and hospital systems.' SUBSCRIBE: GET THE MORNING HEADLINES DELIVERED TO YOUR INBOX In terms of preparing for attacks, he suggested state lawmakers get a security firm on retainer. 'You need a bat phone,' MacLellan said, 'to be able to pick up and say, we need some help, because we are overwhelmed, we've been hit by something.' Notably, Palo Alto Networks could be the one on the other end of that phone line. He also argued the state needs to be aggressive about understanding and monitoring its exposure — what MacLellan termed 'attack surface management.' A computer, router or other piece of hardware running out-of-date software could be a vulnerability, he said, and organizations need to make sure to find and fix those problems. MacLellan added that some states have begun developing joint security operations, effectively a state-run cybersecurity team to protect state and local governments in the event of an attack. He repeatedly argued the biggest challenge in cybersecurity is workforce; centralizing talent could allow for greater reach and impact. State Reps. Ismail Mohamed, D-Columbus, and Ron Ferguson, R-Wintersville, asked HB 283's sponsors about a statewide approach to cybersecurity planning. 'Why isn't there a centralized place,' Mohamed asked, 'instead of requiring each subdivision to have their own cyber program?' Ghanbari and Matthews said they would leave the finer points up to local governments to maintain local control and allow greater flexibility. Highlighting a well-publicized cyberattack against Columbus last year, Rep. Christine Cockley, D-Columbus, asked about the cost prevention compared to the cost of response and recovery. She noted the city has faced significant costs investigating what happened and providing safeguards for people impacted by the breach. MacLellan acknowledged he didn't have hard and fast numbers to offer, but said 'when you begin to look at the cost of remediation versus the cost of actually putting together a good system, the delta is pretty significant.' SUPPORT: YOU MAKE OUR WORK POSSIBLE SUBSCRIBE: GET THE MORNING HEADLINES DELIVERED TO YOUR INBOX
Yahoo
07-05-2025
- Business
- Yahoo
NC House OKs expanding Republican auditor's powers to hire, fire and investigate
The North Carolina House on Tuesday passed a bill expanding the powers of the state auditor, a typically low-profile office that Republican lawmakers have repeatedly sought to embolden since November, when it was won by a Republican for the first time in 16 years. 'It ensures the state auditor can do the job the voters elected him to do: protecting taxpayers, detecting fraud and holding public spending to account,' House Majority Leader Brenden Jones, the bill's sponsor, said. House Bill 549, which passed along party lines, would empower Auditor Dave Boliek to investigate any non-governmental organization that receives public funds, and would greatly expand his office's access to state databases. The bill would also give him more flexibility over hiring and firing staff in his office — a move critics warned could turn merit-based state jobs into political appointments. Starting July 1, the bill would exempt new hires in the auditor's office from the State Human Resources Act — a broad law which establishes protections for state employees. It would give current employees the choice to exempt themselves from the act. 'What you're saying, if you are seeking to make these positions exempt, is that political preferences should take precedent over merit — but for the employees in this office only,' Rep. Tim Longest, a Wake County Democrat, said. Longest attempted to amend the bill to remove the HR exemptions, but Republicans blocked that change. The State Employees Association of North Carolina also came out strongly against the bill's HR changes. 'I can think of no agency where it's more important that someone be impartial, nonpolitical — that somebody be a professional employee,' SEANC Executive Director Ardis Watkins told reporters last week. 'We want the best, not the best connected, working for the state of North Carolina.' Jones acknowledged the bill may require changes, but said they just needed to pass it before Thursday — which marks an important legislative deadline — and that they could make changes once it got to the Senate. 'This is not a bogeyman bill, as it's being presented,' he said. 'There's some issues on it and it's going to be worked through ... We all believe in our state employees, we all want to do what's right for the state employees — no one's trying to deny that.' Democrats also raised concerns about a portion of the bill that would give the auditor 'continuous and unrestricted view of databases, datasets, and digital records necessary for any purpose within the authority of the auditor.' House Democratic Leader Robert Reives questioned what could happen if a political appointee in the auditor's office were to investigate a business and had 'an ax to grind.' 'That's a lot of sensitive information that is suddenly available that has never been available before to anybody at any time under these type of circumstances,' he said. 'And that really makes me uncomfortable.' Wednesday's vote comes after Senate Republicans advanced their own proposal to expand the auditor's powers with a bill called The DAVE Act — a reference to Boliek's first name. It would give Boliek more power to recommend job cuts or the complete elimination of state agencies — though the legislature would still have the final say. The DAVE Act passed the Senate earlier this month almost entirely along party lines, with former Senate Democratic leader Dan Blue being the only member of his party to vote in favor of it. Last year, Republican lawmakers passed a bill stripping the governor of his appointments to the State Board of Elections and transferring them to the auditor instead. That bill, which the Court of Appeals allowed to take effect last week after a lower court had blocked it, makes Boliek the only auditor in the country with election oversight powers.
