Thu. Jan 23rd, 2025

Nathan Loura, chief information security officer at the Rhode Island Division of Enterprise Technology Strategy and Services, is seen through a glass door at the Warwick Municipal Annex during a meeting on Jan. 17, 2025. (Photo by Alexander Castro/Rhode Island Current)

Software, hardware, firewalls. The flow of network traffic and files between state and federal computers. The apps admins used to make changes remotely, right down to the version numbers.

In blue, green and gray rectangles, a diagram shows how RIBridges, the public benefits eligibility and application system used by Rhode Islanders and state workers, is built. 

Anyone could have gotten a basic idea of how the RIBridges system works from the document posted publicly to the state’s procurement website — at least until Tuesday afternoon, when the Rhode Island Department of Administration finished scrubbing the document from not just one location, but two, after inquiries were made by Rhode Island Current.

The document was a scope of work attached to a 2024 request for proposals (RFP), posted in September 2024, which asked potential vendors to modernize the public benefits and health insurance system. 

“I wouldn’t say it was best practice,” said Nathan Loura, the state’s chief information security officer, when asked about the sensitive information then still on the state’s website as he left the Warwick Municipal Annex on Friday, Jan. 17 around 2 p.m.

Loura had just finished discussing the RIBridges breach, after leading a meeting of the Rhode Island Cybersecurity Planning Committee, which he co-chairs. Fifteen members of the committee spent 40 minutes of the approximately hourlong meeting behind closed doors discussing the details of the breach.    

Loura asked the public to leave the community room “because we may talk details, and may mention system names and confidential information.” Loura added that the executive session was valid under state public records law on grounds of discussion of security-related matters — in this case, specific IP addresses.

Loura was addressing the committee and the two members of the public who attended the meeting: a reporter and a retired data architect.

The RIBridges system has been in the spotlight for over a month after falling victim to an approximately one-terabyte-large data breach by cyber criminals in December. Letters containing free credit monitoring information have started to arrive in mailboxes of the up to 657,000 people who may have been affected.

Talking outside after Friday’s meeting, Loura, who works in the state’s Division of Enterprise Technology Strategy and Services, said he was aware of the RIBridges schematic being online — “I don’t want to say it was news to me” — noting that state officials were having “internal discussions” on the topic. But he also saw the need for the state to inform potential vendors about the systems they’re bidding to improve.   

Sometime between Loura’s interview with Rhode Island Current on Friday and 5 p.m. on Saturday, the scope of work attachment was removed from the current RFP listing. Other files which do not contain the system diagram remain.

Friday’s encounter wasn’t the first time Rhode Island Current asked about the scope of work’s presence online. An email to the Department of Administration on Monday, Jan. 13, asked why potentially sensitive information was made public as part of the procurement process. A Department of Administration spokesperson replied that same day that she was working on the request. A follow-up request on Friday afternoon after the Cybersecurity Planning Committee meeting prompted a response from the department’s Deputy Director Brenna McCabe at 8:49 p.m. 

“At this time, we have no additional information to share and the State cannot comment on any perceived or potential security risks,” McCabe wrote.

A search Tuesday of the state procurement website found the same scope of work and same diagram in a request for information posted in June 2024. After Rhode Island Current notified McCabe that this document was still available around 1 p.m., it appeared to have been taken down around 3 p.m.     

The upper floors of the Power Building in Providence, which houses the Rhode Island Department of Administration, on Jan. 16, 2025. (Photo by Alexander Castro/Rhode Island Current)

‘The matter of security’

Cybersecurity follows many of the same principles as defensive warfare — or hiding “in the most secret recesses of the earth,” in Sun Tzu’s ancient phrasing.

But the Rhode Island Cybersecurity Planning Committee was hiding in plain sight when it went into executive session during its first meeting of the year on Friday, and its first since the breach. The executive session, which was not on the agenda, took place behind a door with a large glass opening that allowed anyone to look in.

At the start of the meeting the committee asked anyone from the public attending to sign in and introduce themselves. Richard Langseth, the retired data architect, said he was “a citizen concerned about cybersecurity.” He reminded the committee to hold a roll call vote before going into executive session. 

Speaking in the municipal building lobby afterward, Langseth, a Warwick resident, lamented “the fiasco with Deloitte” and how the state manages IT with outside vendors. 

Normally, the Cybersecurity Planning Committee discusses municipal IT department grant requests before they’re sent to the federal government. The grant program is co-administered by the Federal Emergency Management Agency and began in 2022 to help municipalities get the often expensive resources they need to strengthen their network security.

Langseth wasn’t too sure of that model either. “What they’re doing at the statewide, if not the federal, level, to allow the cities and towns to do their own cybersecurity is beyond the abilities of the staff of the town,” he said. 

A tale of two architectures

The RIBridges system diagram’s version and model information could have provided insights for IT folks and hackers alike. Tech companies publicize known vulnerabilities in their products so that patches, if available, can be installed to block off possible points of system entry. That’s why most cybersecurity guidelines, including federal ones, include diligent updating of software. 

RIBridges relies on older versions for several software components, although some apps have been updated or added since the system’s inception.

The intertwining of older and newer technology is part of why the state wants to modernize the RIBridges system, which debuted in 2016. Its development goes back even further to former Gov. Lincoln Chafee’s administration. Chafee left office in 2015.

“Achieving the strategic objectives is becoming more challenging due to the age and architecture of the system which are triggering larger efforts and investments,” according to the 2024 RFP. 
