Kansas lawmakers want to strengthen the state’s online security of sensitive information by consolidating its information technology systems.
The planned overhaul calls for moving the state's various cybersecurity and data systems into a centralized structure over the next several years.
But experts caution if the state is not careful, it could expose its whole network to significant hacks. Alex Bardas, a computer scientist at the University of Kansas, said a centralized system needs to be flexible with the ability to close off parts of itself to protect sensitive data and continue to provide vital services when hacks occur.
“If we're putting everything into one big thing,” Bardas said, “it will grow and it will outgrow us — not in a good way.”
The Kansas Legislature passed a law earlier this year outlining the plans to consolidate, moving oversight of the state’s systems under chief information technology officers for each branch of government. The law also requires standardized security policies for all state agencies.
Republican Rep. Blake Carpenter of Derby helped craft the new law. He recently told lawmakers on the state’s Joint Committee on Information Technology that the state has a duty to protect the information of Kansas residents.
“If we don’t start taking the necessary steps now,” Carpenter said, “our citizens could end up feeling it.”
The plans also come less than a year after the state’s court system was hacked by foreign cybercriminals.
The Kansas Supreme Court said its review of the hack found stolen data included court administrative files and some confidential court case records. The attack led to the court shutting down its statewide information systems and its document e-filing system for several months.
Carpenter said cyberattacks are becoming more common in modern warfare, and state and local governments are often targets. Those attacks could also focus on slowing down important services.
For instance, last month a water treatment facility in Arkansas City, Kansas, was hacked. The city said enhanced measures were enacted to keep the facility operational and services were not disrupted.
Earlier this year, a hospital in Wichita diverted patients from some of its emergency rooms and postponed some elective surgeries because of an expansive cyberattack on its nonprofit owner.
Carpenter said those are examples of what would be targeted if the United States ends up in an armed conflict.
“With modern warfare the way it is today,” Carpenter said, “we have to take steps in order to make sure that our citizens are protected.”
New security risks
A centralized system comes with its own caveats that may make it even easier to attack. Bardas said a lot of hacks occur when attackers are able to slip into a system after a user with high-level access makes an error.
He said the state could defend against massive exposure by putting sensitive information and services in modules within the centralized system so they can be closed off from one another when hacks occur.
“That module can actually be moved separately from the entire system,” Bardas said, “and you can continue to be functional to do your services.”
Otherwise, he said, a large framework without separation becomes too large to handle and difficult to protect. Bardas compared it to a soup with many ingredients — if it tastes bad, it’s hard to determine which ingredient is causing the problem.
Republican Sen. Caryn Tyson of Parker, who has a background in software engineering, voiced that concern during a committee hearing.
“I have grave concerns over this centralized system that we're moving to,” Tyson said. “I just caution one size doesn't always fit all.”
The law requires state agencies to present plans to lawmakers on how they will comply with the consolidation by 2026. The agencies are also required to develop new security programs under the state’s new standards by 2030.
Dylan Lysen reports on social services and criminal justice for the Kansas News Service. You can email him at dlysen (at) kcur (dot) org.
The Kansas News Service is a collaboration of KCUR, Kansas Public Radio, KMUW and High Plains Public Radio focused on health, the social determinants of health and their connection to public policy.
Kansas News Service stories and photos may be republished by news media at no cost with proper attribution and a link to ksnewsservice.org.