The state of Michigan would not be able to recover its information systems or sustain its businesses processes if it were hit by a cyberattack, according to Michigan’s auditor general.
The auditor general published a report that said the state didn’t have a sufficient plan to restore critical IT infrastructure and didn’t prioritize the systems that would need to be restored in the event of a technological emergency, such as a cyberattack. Michigan’s state servers are attacked 2 million times a day, according to the state’s auditors.
The state developed a Red Card, which was supposed to contain critical IT systems that could be restored once connected to a new device. As of December 2015, the Red Card included 72 systems and 12 IT infrastructure services. However, the auditor general found that the Red Card didn’t contain all of the critical systems, especially systems managed by government contractors. The report also found that not all of the backup servers had the technology to transfer to the Red Card’s systems. The auditor general suggested that the state add these programs to the Red Card.
The report said that the state agencies needed to coordinate plans more efficiently in the event of a cyberattack to ensure that all critical systems would be up and running as soon as possible. Michigan has assigned only five people to coordinate disaster recovery planning and one person to coordinate business continuity planning for the state’s approximately 1,700 IT systems.
The state also didn’t review its plans for cyber disaster recovery to ensure they would be effective. That resulted in crucial IT systems being left out of the plans. The auditor general recommended that a review process be put in place to ensure all of the necessary systems are accounted for in the plans.
The staff in charge of the recovery plans also did not have access to test and update the recovery plans. The plans were not stored correctly, and multiple versions of the plans existed, making it difficult to know which version should be followed.
Michigan has begun making improvements such as building a new data center 50 miles away from the old one, which has more information that is remotely accessible. The state is also working on a new critical ranking method to prioritize its IT systems. So far, Michigan has not suffered from any major system breaches.
