Thursday, February 4, 2021

2021 is the Year of Civic Tech!

The Colorado Digital Service was an experiment that began with a simple hypothesis; if we could attract tech talent using a “tour of service” model and couple it with modern software delivery practices, like product management and human-centered design, we could help to improve the experience for people engaging with government services.

We’ve shown that this model works. The bet that Governor Polis and the Legislature placed on us has delivered a solid return on investment. Here are some highlights from 2020:
With strong technology talent within the Office of Information Technology (OIT) and vendor teams, it has been argued that experiments like the digital service aren’t necessary. This year has proven that it takes a village to deliver great services to Coloradans — from state agency delivery teams with strong product, UX, and engineering talent to collaborating with other states and working with volunteer tech corps like the U.S. Digital Response.

It used to be that an expert in public health or Medicaid or criminal justice could run a program that delivered a service to residents. Now, this program needs a website, which requires a login, Google Analytics, and security that prevents ransomware attacks. That service needs a strategy set by a product owner and must meet the needs of the people it serves. The team is being asked about APIs and data-driven decisions. They are reading articles about machine learning and ethics and wondering how to apply it to their program.

As software continues to eat government, there’s a strong need for technology talent at every level and in every agency.

As anyone in civic tech will tell you, delivering on agency projects is just one piece of the puzzle. We want to help rethink how the government buys digital services and bring top tech talent into civic service. And we want to create momentum in unique ways that complement all of the great work Colorado is doing.

After a little more than a year, the digital service remains a small but mighty, multidisciplinary team that combines procurement, product, user experience, and engineering. But we’ve also managed to build a superpower that helps us scale — an incredibly strong civic tech network of policy wonks, full-stack developers, bureaucracy hackers, UX designers, devops engineers, and more from New Jersey, California, Massachusetts, Florida, New York, etc. by working closely with the U.S. Digital Service, 18F, and with volunteer teams like the Citizen Software Engineers, Code for America, and the U.S. Digital Response. We’re all working on solving the same problems and the national civic tech network continues to open doors for us and accelerate our thinking.

CDS wants to say thank you to all of those who’ve supported us this past year and given guidance. Thank you to all of the State of Colorado employees that partnered with us. And, thank you to those of you that continue to follow us and be interested in our work. We know that you have allowed us to work on projects that impacted Coloradans and saved millions of dollars.

So, what’s next?

  1. We’re hiring an Engineering Lead, join us! If now’s not the right time, then follow us on GitHub, Linkedin, or Twitter to stay connected and to help us share our work in Colorado and beyond.
  2. In 2021, we’re focusing on: 
    • Continuing to bring great tech folks into government;
    • Continuing to support the COVID-19 response;
    • Supporting Colorado’s child welfare program;
    • And more!

Today's blog comes from the Colorado Digital Service team

Friday, December 11, 2020

Don’t Let Grinches Ruin Your Holiday Shopping

The holiday season is often proclaimed the most wonderful time of the year, but it also brings out those who could best be described as follows, and I quote: “Stink, stank, stunk!”

It happens every year: Grinches try to take the joy out of the holidays. With more people shopping online and avoiding malls, email and texting scams are on the rise. In fact, one cyber company cites that the number of shipping-related phishing emails increased 440% in just one month (from October to November)! Here are a few things to watch out for to avoid being scammed:

Fake Delivery Texts or Emails

You’ve likely done more shopping from your couch this year, and bad actors are trying to catch you dozing with fake texts and emails impersonating shipping companies asking for confidential credentials to confirm or track deliveries. Rather than responding, visit the online retailer or shipping company's website.

Texts or Emails from Unknown Retailers

If you receive an email or text from a retailer you haven’t visited or don’t recognize, or get a deal that seems too good to be true, rather than clicking on a link, search for and visit the retailer’s website or call the customer service number posted on the site (not in the email or text).

Requests for Personal Information

Background checks aren’t required to land a PlayStation®5. Sites asking for too much information or security details (e.g., a code word, your mother’s maiden name) to complete a purchase are highly likely to be phishing scams. 

Saving Payment Details

Don’t allow a site to save your payment details unless you shop there regularly. The 30 seconds you save isn’t worth the risk.


  • Keep your accounts secure. Use strong passwords and two-factor authentication.

  • When shopping online, make sure the connection is secure. Look for a padlock or “https” in the URL.

  • Read our “Shopping Tips for the Holidays” for information about other holiday scams.

  • To report scams or learn more about staying safe online no matter the time of year, visit our COVID-19 & Cyber Tips posted on TechU.

Today's blog comes from Deborah Blyth, OIT's Chief Information Security Officer

Thursday, November 19, 2020

Two-factor authentication (2FA) is the extra layer of security our customers need in COVID times

Cybercriminals and hackers are eager to acquire online passwords, especially as COVID-19 runs rampant and many organizations are attempting to push the majority of their business operations online. An unprotected password can allow cybercriminals to fraudulently gain access to systems, and the important data stored in those systems. Personally identifiable information (PII) is one type of data cybercriminals are always trying to find. PII is any data that could potentially identify a specific individual, including one’s SSN, date of birth, driver license number and/or email address, to name a few. Protecting PII is essential for personal privacy, data privacy and protection, information privacy and information security. With just a few pieces of an individual's personal information, thieves can create false accounts in the person's name, incur debt, create a falsified passport or sell a person's identity to a criminal. 

What is 2FA?

Two-factor authentication (2FA) is another method of identity validation layered on a traditional identity and password (lock and key) access method, which offers several benefits:

  • Provides an extra layer of security for individuals and systems where it has been applied, reducing the risk of unauthorized access. 

  • Protects the people who have data in the system by allowing only those with legitimate business purposes to access that data, preventing criminals from using it for fraudulent purposes. 

  • Ensures that you are the only person who can access your account, even if someone knows your password.

How does it work?

Two-factor authentication requires the additional step of entering a passcode along with a username and password, making it much more difficult for someone with bad intent to obtain login information and access the data of the clients you serve. There are multiple ways a passcode can be provided to staff, including through the vendor app, a text message, a phone call or through the use of a hardware token. 

What is a hardware token?

Hardware tokens are physical devices, typically keychain-sized, that allow individuals to secure access systems remotely by generating an authentication key in the form of numbers or letters. Users input the key after an initial login to access the system.

Colorado, through the state’s Interoperability Program, is working on turning on 2FA for several state-run applications including The Child Care Automated Tracking System (CHATS), Colorado Child Welfare Training System (Trails), and the Colorado Benefits Management System (CBMS). Earlier this fall, 2FA was successfully turned on for Colorado’s Automated Child Support Enforcement System (ASCES).

Turning on two-factor authentication is just another step the state is taking to keep Coloradans’ data safe. It’s something that we encourage everyone to take advantage of to protect their own data with their personal email accounts, applications, online banking and everything in between.

Today’s blog comes from Megan Tobias, Communications Manager

Tuesday, October 27, 2020

It's a trap! Take these quick actions to avoid being an easy target for cyber criminals

A while back, I received a call from someone claiming to be from a company where a mail order of mine was delayed. They said they had a solution: If I gave them my full credit card number, instead of the final digits they had, they could send my order right away. I wasn’t believing it, so they reassured me that I could call customer service, but that they could save me time. I said “No, thanks” and hung up. When I called customer service, they had no record of anyone contacting me, but fixed the issue with my order and had it to me in no time. I later Googled the number of the person who called, and it had been associated with fraud.


Use my story as a reminder to remain suspicious of calls, emails or texts asking for personal or financial information. There’s no harm in hanging up to find the legitimate customer service number, verifying the organization contacted you and confirming there’s an issue (by the way, your social security number can’t be suspended!).


This same cautious approach will help you protect your information online. Here are some ways to protect your information and prevent cybercrime:


  1. Shield your credit/debit cards. After I experienced credit card fraud for the third time in a year, the customer service representative said I might want to use radio-frequency identification (RFID) wallets. The chip on credit/debit cards has a frequency used by some point-of-sale devices when making purchases, opening a window for thieves holding a radio frequency scanner within 10 feet of you to skim your account information. For the most part, RFID wallets can shield your cards and I haven’t had further instances of credit card fraud since I started using one. Read more on this and how to prevent other types of credit/debit card fraud

  2. Set alerts for your credit/debit cards and bank accounts. Get notified via email, phone or text when transactions exceed a specified amount. Then let your credit card company know when and where you travel so they don’t block your card (thinking it’s a fraudulent charge). This also helps them act faster on any suspicious charges while you’re away.

  3. Back up your data. Regularly back up data on your devices to a secure cloud service and/or external storage. Nowadays, portable drives are small, can hold lots of data and are reasonably priced. Most ransomware attacks occur when you click on a link in an email or text, which installs ransomware that encrypts your device or data. Having a backup of your data ensures you don’t have to pay the perpetrators to unencrypt your data.

  4. Protect your devices and internet connections. Install antivirus software on your devices (including your home Wi-Fi) for real-time protection against viruses and malware, and use two-factor authentication for your email and any important accounts that offer the option. Additionally, use a virtual private network (VPN) to encrypt your online connection and protect your private data from prying eyes, especially when using public Wi-Fi.

  5. Keep your devices updated. Maintain the current operating system on your devices to prevent cybercriminals from exploiting vulnerabilities, which they can use to gain access to your devices and data.

  6. Use complex passwords. Systems and their passwords can and do get compromised. Apply a strategy of increased password complexity based on the value of the account and data at stake. For those with a high value, make passwords more complex and change them more frequently. Best practice is to create a password of at least 10 characters with a combination of letters, symbols and numbers, while avoiding dictionary words, even if you replace certain letters with numbers or symbols—ideally not using the same password on multiple sites. You may want to try an application that generates random and complex passwords, or a password management application that can securely store your passwords.

  7. Don’t go phishing. Be careful not to click unsolicited emails. That alone may give a third party access to your contacts, which exposes them to spam and phishing. Clicking a link within the unsolicited email also may install a virus.

  8. Avoid advertising your information on social media. Cybercriminals may be able to access your accounts with just a few data points. If you share personal information on social media, such as the names of pets or family members, criminals might be able to guess the answers to security questions for your accounts. Also, if you share where you’re vacationing, perpetrators will know your current location and that you’re not home, which makes both locations vulnerable. Use caution and consider announcing where you traveled and posting your photos after you return home.

  9. Stay alert for security breaches. About 3.5 billion people had their personal data stolen in the two biggest breaches of this century. If you have an account with an organization that experiences a breach, find out what data was stolen and immediately change your password. Take advantage of any free subscriptions to identity protection services offered by the organization and if you can afford it, consider paying for your own subscription—most services will reimburse you for financial loss due to identity theft and provide legal protection.

  10. Protect your children. Instead of blocking channels, talk to your kids about how to safely use the internet and let them know they can talk to you if they experience online bullying or harassment. Protect their devices as you would your own, and look into applications that protect them from accessing malicious and inappropriate sites.

  11. Report it. If you think you’ve been a victim of cybercrime, fraud or identity theft, alert the local police, FBI (in some cases) or the Federal Trade Commission. This helps authorities stop criminals from victimizing others in the future. Then notify the organizations where your accounts may have been compromised or stolen. Also, request a copy of your credit report.

Today’s blog comes from Scott Davis, Security Risk & Compliance Senior Analyst