The cyber threat landscape within state, local, tribal, and territorial (SLTT) government is unique. These agencies are charged with managing and protecting some of the most sensitive citizen data there is, from arrest records to tax documents and more. SLTT agency networks are decentralized and amorphous in nature, spanning multiple public offices and making them difficult to secure.
The work of SLTT agencies is vital to protecting our nation’s critical infrastructure and ensuring the well-being of the communities they serve, but talent shortages, tight budgets, and legacy technologies create significant barriers to success. It is clear that a new approach is needed – one that enables agencies to work together for their mutual success, more commonly referred to as whole-of-state cybersecurity.
Cyber threats in SLTT government
Before discussing any new strategies for strengthening the cyber defense posture of SLTT agencies, it’s important to establish an understanding of which cyber threats present the greatest challenges.
According to a Sophos report published in May, nearly 7 in 10 IT leaders at state and local government agencies have faced ransomware in the past year with most attacks originating through an unpatched system or stolen password. Attackers are becoming increasingly savvy, no longer simply holding a network decryption key for ransom, but stealing incriminating information and using it to blackmail their victims on a personal level.
Additionally, nation-state actors, whether motivated by financial gain, espionage, or activism, are becoming increasingly skilled at infiltrating systems and remaining undetected for weeks or even months. Research suggests that the average data breach takes 206 days to identify, allowing attackers unfettered access to confidential, personally identifiable information they can use to exploit their victims in resell markets and on the dark web.
It’s important to note that cyber threats can originate from within an agency’s walls as well. Whether intentional and malicious or simply the result of careless online behavior, data loss at the hands of agency employees is a costly issue that highlights the importance of network visibility.
What is whole-of-state cybersecurity?
A whole-of-state strategy for cybersecurity entails consolidating all security services under the leadership of one state chief information security officer (CISO). This approach enables SLTT agencies to leverage a uniform set of security tools, teams, and systems to strengthen their cyber defenses.
By centralizing cybersecurity operations, underfunded agencies can pool their resources and improve their defenses in ways they may not be able to afford on their own. This approach reduces the risk of duplicative work and improves visibility into who is on a network at any given time and what they’re doing – strengthening and expediting incident response.
Additionally, many elements of our nation’s critical infrastructure including power grids and gas pipelines span multiple cities and states, presenting tremendous vulnerabilities when agencies are not in alignment on how to best secure them. Standardizing the approach as much as possible is an effective way to ensure that critical infrastructure always remains operational.
Challenges to implementing a whole-of-state strategy
By nature, adopting a whole-of-state strategy requires individual agencies to relinquish some degree of control. They may need to put their individual initiatives on the back burner and surrender portions of their budget to a centralized security agency. At any level of government there is bound to be some level of friction and that friction has the potential to create barriers to smooth adoption.
According to a NASCIO/Deloitte study, 64 percent of state CISOs have limited to no collaboration with local agencies. Building relationships with agencies and effectively communicating the vision behind whole-of-state cybersecurity to agency leaders may prove challenging for some state CISOs.
Recommendations for whole-of-state adoption
So, what can agency leaders and state CISOs do to help move toward the goal of whole-of-state cybersecurity? Here are a few suggestions that can be implemented immediately:
- Communication and standardization are key – when disparate teams and their data come together to develop a common security posture, standardizations need to be made. State CISOs and agency leaders need to work together to decide on factors such as data storage format, incident response protocols, etc. Once those decisions are made, the lines of communication must be kept open as agency leaders disseminate that information to their team members.
- Recruit with intention and work to retain talent – the cybersecurity skills gap is growing, and its impact is felt most acutely in SLTT government where employers are typically not equipped to offer salaries competitive with federal agencies or private-sector organizations. Once a strong IT team has been established, it’s important to provide training and resources to get them proficient with data-sharing technology, help them understand the work they’re being asked to do, and entice them to stay the course.
- Automate every task you can – to further mitigate the effects of the talent shortage within SLTT government, automation is key. Automating as many repetitive tasks as possible allows employees to focus on higher-value work while driving efficiency, promoting ease of data sharing, and potentially even cutting costs over time.
- CISOs need to adopt and promote a communal spirit – the whole-of-state approach is all about agencies coming together for their overall betterment. Sentiments such as “if an attacker tries to take down one of us, they’ll have to take down all of us” and “we are all in this together” can act as rallying cries that get hesitant leaders on board with the vision.
- Lean on strategic partners to fill in technology gaps – many SLTT agencies do not have the technology readily available to implement fail-safe practices when it comes to data security and storage. Leaning on private-sector partners to fill in those gaps enables agencies to leverage functions such as cross-cluster search, which allows data to be searched where it resides. This minimizes the need for data to be moved outside an agency’s own network while still allowing analysts at the state level the visibility needed to access, search, and analyze that data in order to detect threats, identify patterns, and remediate as needed.
At the end of the day, cyber attackers do not discriminate between different levels of government. The whole-of-state approach acknowledges the shared cyber risk between organizations within the same sector and offers actionable steps leaders can take to mitigate those risks for themselves, their fellow leaders, and the citizens they protect.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email editor @ hstoday.us.
