BOSTON – When a Republican governor starts likening part of state government to an invasive vine, some might see that as the prelude to a swing of the hatchet.
But Gov. Charlie Baker, who addressed a cybersecurity forum Thursday, said he does not want to cut back the array of computer systems that sprouted through state government over the past couple of decades. He wants to protect them by establishing systemwide security protocols.
"It's a lot like kudzu. It just kind of grew up all over the place," Baker said, describing the spread of technology among state agencies.
The governor told an audience at Harvard Business School that state government has accumulated about 6,000 servers, and he said only about 10 percent of that computing capacity is actually being used.
The drumbeat of concerns over data security and system integrity has reached a roar over the past year or two.
Russian operatives' hacking of the Democratic National Committee added a disturbing wrinkle to last year's presidential election. More recently, criminals were able to cart off personal information belonging to 143 million people from the credit reporting firm Equifax, and cybersecurity firm Symantec said earlier this month that hackers could gain the "means to severely disrupt" operations in the energy sector of the United States and Europe.
That atmosphere of risk was a major thrust behind Baker's decision to establish a new secretariat to handle technology services and security, which is led by Secretary Mark Nunnelly.
"I think the biggest issue is ensuring that everybody's using what I would describe as the most up-to-date standards and with that, the most up-to-date software and security protocols for dealing with that stuff," Baker told the News Service.
The executive branch is implementing universal security protocols, the governor said.
While state computer systems have had meltdowns — the problems with the Health Care Connector implementing the Affordable Care Act being the most prominent — Massachusetts government has been spared a data breach on par with the high-profile hacks on Sony, the U.S. Office of Personnel Management or TJX.
"I've said before that this issue keeps me up at night," Baker said. "We spend a lot of time focusing on it and worrying about it, and we have pretty solid strategies for dealing with this."
He said the bad actors now are mostly state-sponsored and organized, and they are constantly working on more sophisticated methods, so state government needs to keep pace.
Baker described how cybercriminals play on people's behavior to gain access to their systems by "poking" around online and pretending to be an IT professional or some other legitimate person.
"Like any large enterprise, people are attacking us all the time," Nunnelly told the News Service.
"Our job in today's world is to make sure we're defending against it," he said. "You don't stop it in today's world."
Nunnelly said state employees receive training to defend themselves and state servers against attackers, but it is "not enough and we're working on it."
Baker's new technology secretariat is expected to host about 20 employees and plans to implement online cybersecurity training for state employees this fiscal year.
A Baker spokesman said there is no universally mandated cybersecurity training program for state employees but that the Executive Office of Technology Services and Security would implement training programs "as part of their cross-secretariat role."
Illinois Gov. Bruce Rauner last month signed a law requiring executive branch employees to undergo annual cybersecurity training. Illinois claims to be the 15th state in the nation to adopt mandatory cybersecurity awareness training for state employees.
Cybereason, an Israeli firm with a Boston headquarters, announced Wednesday the establishment of SecureMA to help smaller organizations protect themselves.
"Obviously, any organization can be hacked, and health care is very high on the list," Dr. David Torchiana, president and CEO of Partners Healthcare, told the News Service.
Partners is the largest private employer in Massachusetts. Torchiana, who attended Thursday's talk, said, "The thing that we worry about the most is just malicious destruction and the abuse of data that would make it very dangerous and precarious to deliver patient care because we're so dependent on the electronic side of things, and fortunately we've not had an event in that realm."
Torchiana said it is important for businesses that are successfully attacked to share information about the cyber assault "so that you can hopefully educate others and in a collaborative way prevent future events."
Baker told the CEO Cybersecurity Forum that modernizing the MBTA's infrastructure and making it more interconnected will improve service, but once more of the transit system "becomes smart, it's going to become vulnerable."
At the Massachusetts Water Resources Authority, which provides water and sewer services for 2.5 million people in the state, officials have a "healthy paranoia about a cyberattack," according to Executive Director Fred Laskey.
"We spend a lot of money on cybersecurity," Laskey told the News Service. "But you never say never."
The greatest risk at the MWRA is if a hacker gained the ability to disrupt "the flow of water and the quality of water," Laskey said.
On Thursday afternoon, the CEO Cybersecurity Forum planned to hold a presentation about the breach of Target as a case study.