On Sept. 12, Oregon Governor Kate Brown issued an executive order for state agencies to initiate plans to centralize information technology security functions by Nov. 1. The order is a response to the antiquated computer systems used by the state that house sensitive information and ultimately is an effort to understand and address cyber security threats to the state. In an interview with Statesman Journal, Oregon’s Chief Information Officer Alex Pettit explained these computers are vulnerable to cyber attacks.
“What we’re doing today is fundamentally not working,” Mr. Pettit noted. “Who knows what’s out there. Some of these systems are easily 25 years old.”
Mr. Pettit is right. Governments are coping not only with outdated systems, for which full documentation may no longer exist, but also with the rapid expansion of mobile services to provide the public with access to governmental data and services through tablets and smartphones. Add to this issue the rapid growth in cloud computing, where storage and processing may be outsourced to remote systems, and government agencies are facing a potential perfect storm of cyber risk.
The situation is rife with vulnerability to a cyber attack that could cause irreversible damage to the state, beyond the state’s ability to manage. This risk prompted the urgency of Gov. Brown’s order for state agencies to not only submit cyber security documentation in such a short time frame, but also to reassign all IT security employees to work in collaboration with the state’s CIO. The goal is for each agency to create a cyber security strategy around unified cyber security protocols.
The order is significant, as it reflects a trend occurring across the United States where more states and municipalities are starting to strengthen their defenses against cyber attacks.
Multiple risks driving calls for stronger cyber security
With cyber threats becoming more sophisticated and frequent, state and city CIOs are feeling the pressure to change and modernize the technologies they oversee.
A 2016 National Association of State CIOs (NASCIO) report stated that cyber security is now at the forefront of state CIO priorities. The issues fueling this prioritization include aging infrastructures, budget constraints, growing number of sophisticated threats, and shortages in IT professionals, particularly given government pay grades in contrast to private sector IT (and especially IT security) salaries.
“As state and local governments manage massive amounts of personal information, they should consider steps such as Oregon’s move to create a centralized cyber security agency,” stated Alan Brill, Senior Managing Director in Kroll’s Cyber Security and Investigations practice. “We applaud the efforts of Oregon’s leaders, but caution them and any state looking to update systems to avoid setting too aggressive timelines and deadlines, which often encourage shortcuts in order to declare ’victory.’ We recommend taking a two-track approach that puts some immediate key controls in place — such as end-point threat monitoring, white-listing to prevent key systems from executing unauthorized programs, or reviews of accounts authorized to access sensitive data — while simultaneously developing a long-term plan to overhaul cyber security systems and processes in a more meaningful way.”
States struggle with budget constraints, decentralized systems
Cyber attacks on federal government computers have made the headlines recently, but states have had their share of major data breaches. State agencies in South Carolina, Utah, and Arizona have all been victims of data breaches in recent years. Although these potentially costly data breaches and leaks are on the rise, and many states claim to make cyber security a priority, 83 percent of states have less than 2 percent of their IT workforce devoted to cyber security, according to the 2016 NASCIO report.
With security budgets constrained, it is difficult to implement effective cyber security programs. Moreover, the decentralized way most state technology is managed is an additional complication. Many agencies run their own computer systems, while other states have one agency oversee all technology. This decentralization is an intrinsic cyber security problem.
That is the complex cyber legacy Gov. Brown’s executive order seeks to address. Unified cyber security strategy is one of the best ways that states can have the skills and resources to combat sophisticated threats.
This is a particularly pressing issue this year, with national Election Day looming on Nov. 8. In fact, recent reports have raised alarms on how election systems may be vulnerable targets of cyber attacks. According to Daniel “DJ” Rosenthal, Associate Managing Director of Kroll’s Investigations and Disputes practice, and a former Obama administration cyber security official, cyber attacks have the potential to significantly impact the election.
“In the run-up to elections this November, the prospect of these attacks is unsettling both the idea of actual manipulation of voter information, and the fear that just the potential for such attacks could undermine the legitimacy of an election or create the conditions for losers to cry foul,” DJ explained.
While governments will likely always be targeted for cyber attacks, DJ recommends that states evaluate current procedures to minimize and mitigate the risk of such attacks on a variety of systems.
Cyber security priorities for states
With many states prioritizing cyber protection efforts, there are several key components worth their focus, including:
- Security infrastructure. First and foremost, states should consider whether they have the necessary resources and infrastructure to detect and prevent sophisticated data breaches and cyber attacks.
- Risk management. States should prioritize risks and invest in data protection, security tools, and training. The cyber security framework published by the National Institute of Standards and Technology, part of the United States Department of Commerce, is a recognized guide, particularly for critical governmental infrastructure.
- Incident response. Comprehensive security strategies plan for the effects of cyber attacks with robust response and recovery protocols. These responsive data breach services include post-incident notification as well as identity monitoring and restoration to help individuals whose data was compromised.
A 2015 report from Salve Regina University's Pell Center for International Relations and Public Policy, titled “State of the States on Cybersecurity,” highlighted how prepared eight states were for cyber attacks. This wasn't just a random sample of states — it was the group considered to be at the head of the “cyber pack.” Even among this collection of states, only two of the eight (Michigan and Washington) had a full cyber security strategic plan in place.
While time has passed since the release of the Pell Center’s assessment, Gov. Brown’s executive order shows how far some states still may need to go in preparing for cyber threats. Fortunately, more and more states are prioritizing the actions needed to increase security for years to come.