Jerome Smith – North Carolina Department of Revenue

The building may look like a veritable fortress, but the cybersecurity assault is unrelenting—and all eyes are upon the North Carolina Department of Revenue (DOR), monitoring their next move.

What happens here in terms of protecting state and federal tax information and financial data could be a first in a nationwide initiative, according to Jerome Smith, the deputy chief information security officer who is leading the charge at the DOR.

Most state IT departments, he explains, tend to implement the one-size-fits-all model when it comes to IT security—which is enough for most government departments, but could lead to drastic consequences such as a breach at a tax agency. To take security to the next level, Smith and the DOR are adopting and implementing the highest IRS security policy standards—which are much higher than state IT policies, according to him—and acting independently to mitigate this risk, something that hasn’t been attempted before.

No pressure for Smith to be a trailblazer in this regard. He and his team thrive on hunting down risk management threats and detecting potential attacks by cybercriminals, he says. While billions of dollars flow through the DOR annually, it’s not money these black hat hackers want, he says, but intellectual property they can sell to the highest bidder on the Dark Web.

Lessons learned

One does not have to go too far back in time to look at the landmark case of South Carolina’s security breach debacle. It certainly a situation of once-bitten twice-shy in which nobody wants a repeat of the $14 million breach that smacked its neighbor to the south hard.

According to reports, the crisis cost the state more than $14 million, compromised the personal and financial data of millions of residents, and led to the resignation of a South Carolina official.

Reports claim the attack was most likely caused internally by an employee who unwittingly unleashed malware after clicking an email link. That opened Pandora’s box, allowing the attacker to pilfer legitimate credentials and gain access not only to account passwords, but also to databases of personal information and 44 state systems before the attack was finally detected and shut down months later.

With a lot of finger-pointing going on, the blame game was in full swing, with the state officials blaming the IRS for not mandating encrypted social security numbers. Others claimed the state was at fault for declining an offer to implement free breach detection services from the state’s IT department.

To prevent such a lightning strike in North Carolina, Smith ran a diagnostic to find the landmines of potentially failed controls. From there he developed a new plan that does such things as amping-up highly stringent new IRS auditing procedures and standards, while folding in additional regulations and services from the Department of Homeland Security.

“Basically any system you want to put in production on this network has to go through an extensive certification and accreditation process that’s highly specialized and very unique within this arena—and we’re among the first ones doing it on the East Coast,” Smith says.

His goal? It’s all about creating a more agile, redundant system to prevent the cross-contamination of data between state and federal agencies thus safeguarding both first here, then hopefully everywhere.

“When I started, the IT security field was wasn’t proactive—it was more reactive. But now with AI and smarter tools, we’re in a much more proactive phase,” Smith says.

Circling the wagons

With cyberattacks, Smith says, often agencies are fighting an enemy they can’t see, with cybercriminals using technology to give them a cloak of invisibility. Thankfully, he says, there’s always a clue or two to hunt them down.

To better wage this war, Smith brought in Leo Chavez, director of consulting services at Enterprise IT Solutions in Charlotte who had been on the frontlines of South Carolina’s cyberattack. After being instrumental in solving the crisis there, he moved on to develop his own company based on lessons learned.

Now, Chavez will join forces with Smith’s staff of 13 and every workday, the team will focus on a seek-and-destroy surveillance mission looking for any threats to the network and its infrastructure.

And given the changing landscape of ever-changing technology, new threats are created, it seems, on a daily basis. Smith sees to it that his team is getting the latest sophisticated cyber training opportunities.

Risk management—an enemy within?

Smith knows whereof he speaks. He cut his teeth in IT at huge banking institutions, including Credit Suisse, and was additionally involved in federal sector consulting and working with health care installations. Having visited banks in different countries around the world to assess risk, that was his first order of business coming into the government sector.

“The biggest change I’ve seen in risk management is that before, one would always look at front-access and encryption issues, but now the threat comes from within through insider threats,” he says. “The risk becomes even greater now because everything is digitized.”

That’s more than a bit disconcerting, Smith says, to think that the enemy at hand might be a trusted employee, contractor or vendor. That seemingly trusted source can lift taxpayer information, like a social security number, and destroy someone’s life. Smith is implementing a specific insider threats program with intense background checks and fingerprinting, for example, as a proactive initiative toward these types of threats.

What’s next?

With the data protection project in full swing, Smith and the team are migrating data to a new data center and upgrading applications.

The group is also planning to branch out to develop an internal forensics program for tax fraud cases.

“Probably the biggest requirement for a project of this size and scope is to have a lot of patience and to team up with good vendors and partners,” Smith says. “By reaching out to other agencies, and other states, the power lies in asking good questions and anticipating the needs and threats and adapting each system.”