How to Fix Utah’s Cybersecurity Problem

This op-ed originally appeared in Salt Lake Tribune on October 27, 2023. It was authored by Caden Rosenbaum, Tech and Innovation Policy Analyst at Libertas Institute, and was co-authored by tech and innovation policy intern Gavin Hickman.

Governments are experiencing an uptick in cyberattacks because they don’t have the resources to ward off attacks.

Even in the grand scale of data points we willingly hand over on the web, the most sensitive information is often in the hands of government agencies. However, despite numerous consumer data privacy laws taking effect in multiple states, none of them apply to data policies within government agencies.

Worse, governments are experiencing an uptick in cyberattacks because they don’t have the resources to ward off attacks. Whether it’s ransomware attacks, DDOS attacks or general data leaks, an alarming trend of targeted attacks on state agencieslocal governments and critical infrastructure have resulted in massive disruptions to peoples lives, the loss of irreplaceable stores of data and the breach of sensitive information.

The Beehive State is no exception.

Recent audits of Utah’s cyber resilience and information practices found that Utah state and local government agencies have inadequate employee training or vague protocols. Levels of completion of cybersecurity awareness and readiness training varied between state agencies and the judiciary, leaving much to be desired in terms of basic completion.

Cybersecurity frameworks and protocols, which would ordinarily serve as guidelines for handling cyberattacks, were also found to be either vague or outdated — if the entity adopted them at all. Cities especially lagged behind, experiencing the highest rate of successful cyberattacks, likely due to inadequate vulnerability scanning that results when cities don’t have policies in place.

To add to the problem, the amount of information Utah’s state and local agencies collect is sometimes unnecessary.

For example, hospital visitors seeking birth certificates were given copious amounts of paperwork in order to receive this basic service. Some of that information was voluntary and used for research. But in many cases, it was unclear that a person could opt out of responding.

Where Utah Stands

In a perfect world, the solution would have three parts: (1) mandatory cybersecurity training for state and local employees with clear cybersecurity frameworks and protocols; (2) updated software and network infrastructure; and (3) clear notices when a person may opt out of responding. The auditor’s recommendations expressed as much.

But in reality, as technology advances, new threats will emerge over the horizon that require frameworks and protocols we can’t anticipate. That’s where regular statewide audits play a vital role.

In this sense, Utah actually leads the country in being proactive about cyber resilience. The state may have raised some concerning red flags, but because it has taken the step to audit and identify problems, it’s now perfectly positioned to solve them. That’s more than many other states have done. If Utah implements some of the auditor’s recommendations, it could wind up leading the country in cyber resilience.