Cybercriminals like easy targets. Enterprises and governments with a disjointed approach to cyber hygiene fill that role perfectly. While the U.S. federal government has a robust approach to cybersecurity, state and local governments are more vulnerable.
The statistics bear witness. Cyberattacks against these agencies have increased significantly recently. Approximately 44% of ransomware attacks worldwide are now targeting municipalities. Ransomware struck at least 2,354 governments, healthcare facilities, and schools in 2020 alone. Too often, these attacks succeed because local government agencies lack the staffing, tools, and expertise they need to defend themselves adequately.
A perfect example occurred in 2019 when the City of Baltimore was hit by a widespread attack that shut down essential services. The city couldn’t process property transfers. Citizens weren’t able pay water bills, property taxes, and parking tickets online. It took months and at least $18.2 million to remedy.
There needs to be a better way for state and local governments to strengthen their cybersecurity posture.
Take a whole-of-state approach
State governments should lead the way by developing a whole-of-state approach that provides visibility for all government entities and a standard toolset that local and municipal governments can deploy to thwart cybersecurity attacks. The whole-of-state approach doesn’t seek to centralize all cybersecurity under the domain of state government; rather, it provides a framework that can offer municipalities better visibility, seamless data exchange, and reduced IT complexity.
Instead of sending surveys that ask municipalities and boards of education to check a box saying they are compliant, a whole-of-state approach allows all parties to access real-time compliance data and benchmarking from one tool. This makes it easier to standardize next steps and best practices.
Start by framing the issue
The first step to taking a whole-of-state approach is to lay the groundwork. Both CIS and NIST offer guidelines, frameworks, and a prioritized set of actions that organizations should take to lay the groundwork for a robust cybersecurity program. These frameworks help organizations establish standards for good cyber hygiene, determine acceptable thresholds for risks, and define policies that can be enforced over time to realize and address those standards.
Using these frameworks as a starting point, states can create policy templates that local governments can use and begin to explore ways to fund the tools and services that every government entity in the state needs. States can apply for federal grants or create hybrid chargeback models to help fund the program. The goal is to create a program that lowers costs for everyone.
To hammer out the policy details, states can either rely on in-house talent (like a homeland security group with cybersecurity experts) or seek to engage vendor-neutral consultants. Why vendor-neutral? Because it’s good to separate the work of policy-making from the work of implementation. That way, policies are based on industry-wide best practices rather than being created to accommodate the existing toolsets and practices of a particular IT team or a system integrator’s preferred toolset.
Coordinate early to succeed at the implementation stage
This is the action phase of a whole-of-state strategy, and the stage where things break down. Policies should be rigorous, even bold, but they should also be practical. If there isn’t sufficient coordination between the policy and implementation teams, policies might be too sweeping or too expensive to put in place.
During the early stages of implementation, stakeholders need to define a set of tools, how they will be selected, and how they should be used.
The goal is a holistic view. If a new software vulnerability is discovered, how quickly can the whole state—from the state government down to its municipalities—inventory all its IT assets to understand which endpoints need to be updated? If one IT agency develops a best practice, how easily can that best practice be shared across the state? If toolsets aren’t standardized, sharing knowledge and techniques will be more difficult.
Implementation, ultimately, requires joint decision-making and coordinated investments across organizations to pay off.
Validation is more than a checkbox
Validation is the ongoing work of monitoring policy implementation. To ensure that cybersecurity is not tissue thin, it’s vital that the people responsible for validating the implementation of policies don’t just check a box on a form, self-attesting compliance.
Instead, they should be able to demonstrate compliance by generating reports that reflect the real-time status of all IT assets under management. Teams must be able to validate compliance with hard data from security tools rather than word-of-mouth assurances from colleagues.
Comprehensive, real-time monitoring and reporting give all stakeholders a clear view of the current strengths and weaknesses of any whole-of-state strategy. The generated reports can also show factual, digital data that can make the case when additional investments are needed. This is much more compelling than self-attestations or general remarks.
The key to success? Collaboration
Tim Roemer, director of Arizona’s Department of Homeland Security and State CISO, understands that cybersecurity is too complex of a problem for each government agency to manage independently. With a mandate from the Governor and financial support from the state, he’s been tasked with implementing a framework and standard set of tools to create a unified view of cyber threats across the state.
His agency has set up a Cyber Command Center located within its Arizona Counter Terrorism Information Center. He says the key to success is teamwork and collaboration.
“We are not mandating what has to happen, as much as listening to them on what their needs are, providing them with solutions, and then finding ways to implement those solutions and those tools in a manner that is most effective for them,” Roemer explains. “The good news for them is we have great enterprise tools, and we get to use state purchasing power, which is a great deal for our taxpayers.”
Learn how to secure state and local governments with Tanium here.