Oklahoma Official Says State Is Burdened by Myriad Federal Cybersecurity Regulations
The state's top information technology official says the benefits of Oklahoma government's IT consolidation are being obscured by federal cybersecurity regulations.
Chief Information Officer Bo Reese told a U.S. Senate committee Wednesday that streamlining state agencies' online operations has saved Oklahoma $283 million, but that too much time is being spent complying with thousands of pages of varying federal regulations.
"IRS Publication 1075 and FBI both protect very high-risk information, but their password policies vary enormously," Reese said. "Additionally, the FBI requires us to keep audit logs for one year. The IRS requires us to retain audit records for seven years."
Reese said time spent on compliance could instead be spent getting ahead of threats, and that the emphasis on compliance discourages cybersecurity experts from staying in public service.
"We find the scenario kind of like a well-trained physician who's gone to school for many years and practiced and wants to go heal people, and he finds himself in a practice where he's being told, 'Just put a Band-Aid on it and move on. You don't have time to treat the illness, you've got to just put a Band-Aid on it,'" Reese said.
Reese also said the lack of a point person, a federal equivalent to a chief information officer, is a real problem when technology outpaces cybersecurity regulations. For example, the Oklahoma Tax Commission was recently switched to an internet calling system.
"We found ourselves struggling with trying to determine what set of standards do we use," Reese said. "Is it the voice regulations? Or is it the cloud-based or hosted solution–type regulations? They don't match. And so, we end up seeking guidance, and we — it takes months."
Reese was one of several IT officials on Wednesday to tell the U.S. Senate Homeland Security and Governmental Affairs Committee they spend too much time on compliance when they should be addressing threats.