In the face of threat actors who are gaining more and more advanced capabilities using artificial intelligence, Massachusetts IT officials are combating fraud and other crimes through six specific initiatives, the commonwealth’s chief operating officer told a panel of the National Association of State Chief Information Officers Midyear Conference on Tuesday.
The increasing use of AI by threat actors has significantly enhanced their cyberattack capabilities, reducing the time required to exploit vulnerabilities, compromise data and build ransomware, said Donald Chamberlain, COO and assistant secretary for security and operations at the Massachusetts Executive Office of Technology Services and Security.
“I knew that things were getting bad, but I had no idea that it was like this — by 2026, a threat actor will be able to exploit a vulnerability in 60 minutes” compared with one week today, Chamberlain said, adding that AI solutions will also give bad actors “the ability to compromise and exploit data in 20 minutes or build ransomware in 15 minutes.”
As a consequence, state governments face a growing threat of fraud — particularly in benefits systems, such as unemployment insurance — and significant financial losses, he said. Technical debt, poor identity verification and legacy business processes allow threat actors to impersonate individuals or create synthetic identities that result in “substantial fraudulent payouts.”
State governments face challenges with technical debt due to old applications, poor identity authentication and verification, and legacy business processes (including manual steps and siloed data), all of which leaves them vulnerable to AI-enabled attacks, Chamberlain said.
Massachusetts Mitigates Vulnerabilities With Robust Approach
To mitigate potential vulnerabilities that threat actors could attack with AI tools, Massachusetts EOTSS supports six initiatives, Chamberlain said.
- Application modernization: Some legacy applications run on operating systems as old as Microsoft Windows Server 2008, and EOTSS is working to uniformly upgrade the commonwealth’s Microsoft environment, Chamberlain said. The commonwealth follows the “six R’s”: rehost, refactor, rearchitect, rebuild, replace and retire, he said.
- Regular system updates and patches: “Modernizing and patching really go hand in hand,” he said. “We’re modernizing these applications, and we’re moving them to more modern technology services. We’re integrating vulnerability management into everything that we do there.”
- Implementing multifactor authentication: “MFA is definitely not a silver-bullet solution,” Chamberlain said. “It’s not going to solve every problem. ... but it will rule out the bit players. It will take the bit players out of the way. Putting MFA in there makes them move on.”
- Centralized identity management supported by a robust, AI-enhanced identity management solution: “We’ve mandated that all applications, all systems, have to leverage our central identity platform,” he said. “We’re supporting that identity authentication with an AI-enhanced identity verification solution.”
- Eliminating legacy business processes: “This is one of the toughest ones to resolve. It really requires a lot of buy-in from the business, requires a lot of top-down support, and defeating the mentality of ‘that’s the way we’ve always done it,’” Chamberlain said.
- Required employee training and awareness: “Several years ago, we mandated that all executive branch employees have to go through cybersecurity awareness training,” he said. “We have modernized that training over time as the threats against us change.”
Takeaways for Combating Fraud
At the end of his session, Chamberlain emphasized how robust cybersecurity measures and proactive fraud detection systems are more critical now than ever.
He advised states to:
- Focus on patching and vulnerability management to protect against known cyberthreats
- Modernize applications, eliminate legacy business processes and centralize identity management with AI-enhanced identity verification and MFA solutions to strengthen security, prevent fraud and streamline citizen interactions
- Mandate cybersecurity awareness training and monthly phishing tests for all employees to educate them on recognizing and avoiding phishing attempts
“We all face time and budget constraints, but we can start by setting 30-day goals and building on them,” he said.
This article is part of our coverage of the NASCIO 2025 Midyear Conference.