There has been a great deal of concern lately regarding how U.S. entities and suppliers work with foreign technology companies, with Chinese telecommunications firm ZTE negotiating a deal with the U.S. Commerce Department to lift a ban on ZTE working with American companies.
County governments are constantly faced with decisions about which IT solutions they deploy to drive innovation and help residents. While many try to buy American-made technology products and services, they often do purchase foreign hardware and software.
There are several best practices that county IT leaders can follow to ensure that all of their technology solutions — whether foreign-made or not — are as secure as possible, and steps they can take to respond if they do run into a cybersecurity issue. County IT leaders and technology experts, speaking on a panel at the National Association of Counties 83rd Annual Conference and Exposition in Nashville, Tenn., said that county governments must always be vigilant around IT security, no matter where they get their hardware and software.
The best practices include vetting IT solutions, following cybersecurity frameworks, holding vendors accountable, ensuring that cybersecurity is part of every solution, and having an incident response team and plan in place. Here is a primer on the advice the experts offered.
1. Ensure IT Solutions Comply with Cybersecurity Requirements
Michael Dent, CISO of Fairfax County, Va., noted that the county tries to buy American-made IT products and services, but it’s sometimes difficult to do since there are so many foreign companies involved in the world today. The key is that the county has a vetting process when it purchases solutions and products, and it ensures that they adhere to the county’s own standards and policies.
“What is the solution for? What is the data it is going to be accessing?” Dent said.
Fairfax County uses the same standards as the federal government’s Federal Risk and Authorization Management Program (FedRAMP) to vet cloud services, Dent said. FedRAMP provides a consistent process for the evaluation and approval of cloud vendors across federal agencies, relieving agencies of the burden of independently evaluating vendor security practices and providing a common level of vendor assurance across the federal government.
Dent said the county asks cloud vendors if they are certified through FedRAMP. “If they say ‘no,’ then we have to do a lot more on the back end to ensure we’re getting what we want from a cyber perspective,” he said.
Darren May, CISO for Tarrant County, Texas, said the county has an acceptable-use policy for its IT solutions. Government users are not allowed to bring software or hardware from home into the county’s IT environment, he said, adding that the county has a “tight vetting system.”
If someone is trying to buy an IT service, the request is routed through the county’s enterprise resource planning system. May and the county’s IT business manager review those requests to check that any software is on the county’s whitelist and whether the county already has such a solution in-house. “We will literally hold up a purchase order,” he said.
2. Follow the Advice of Cybersecurity Frameworks
The National Institute of Standards and Technology publishes a Cybersecurity Framework (CSF) with comprehensive guidance on cybersecurity issues that can form the foundation of any cybersecurity program in the public or private sectors. This framework classifies cybersecurity activities into five major functions: Identify, Protect, Detect, Respond and Recover.
The CSF then provides policies, standards and best practices for organizations to follow as they implement and manage each of those five cybersecurity functions.
Jennifer Kady, director of security solutions for the U.S. public-sector market at IBM Security, noted on the panel that while “no one likes to be regulated,” the NIST CSF provides a “great framework” for cybersecurity, especially for identifying and contracting with vendors.
From left: Stefanie Dreyer, Michael Dent, Andrew Dolan, Jennifer Kady and Darren May discuss cybersecurity at NACo 2018. Photo: Phil Goldstein
Andrew Dolan, director of stakeholder engagement at the Multi-State Information Sharing and Analysis Center, which seeks to improve the overall cybersecurity posture of the nation’s state, local, tribal and territorial governments, noted that there are other frameworks that county governments can follow. For example, the Center for Internet Security, which manages the MS-ISAC where Dolan works, offers a set of critical security controls.
“These types of roadmaps are the kinds of things we need to be getting behind,” he said.
3. Hold Technology Vendor Partners Accountable
County governments should also hold all of their technology partners accountable, Kady said.
Vendors should be able to show IT leaders where solutions are manufactured, who is manufacturing them, and which entities have access to any software that goes into those products. The same is true for cloud vendors, she said. They must be able to show counties how cloud services are secured.
“County governments have a right to understand” all of that information, Kady said.
Dent said Fairfax County has a cybersecurity checklist and makes sure that all prospective vendors fill it out. “Whatever goes in my enterprise has to meet certain standards and attest to my policy,” he said. “I don’t care if it’s coming from the U.S. or a foreign country,” he said, adding that, unfortunately, many American IT products “still have a lot of problems.”
4. Bake Cybersecurity into All IT Devices and Services
Counties should take a “defense in depth” approach to all of their IT solutions, Dent said. Cybersecurity needs to be layered and applied to all technology solutions.
“If you issue cell phones and mobile devices, you need to put on anti-virus and anti-malware” software, he said. “When you are deciding to use technology, you have got to remember the cyber piece of that.”
Beyond technologies like firewalls, county governments also need to raise awareness and ensure employees are practicing good cyber hygiene. “Employees are the weakest link,” Dent said, adding jokingly, “Technology can’t fix stupid.”
5. Create (and Practice) a Cybersecurity Incident Response Plan
If there is a cybersecurity incident, counties must act quickly, Kady said, not only to save money but to maintain the confidence of county residents. Even if there’s no malicious attack, if a server just ran out of storage and caused a website to go down, counties must respond quickly because perception can become reality.
“The quicker you are to be able to respond and react and have an action plan, the better you are going to be at safeguarding that constituency,” she said, emphasizing that speed and pre-planning are key.
Counties should have emergency response teams in place or contract with companies like IBM to get those services. However, counties must also perform tabletop cybersecurity exercises ahead of time and conduct security testing.
Dent agreed that incident response plans are critical. Fairfax County has such a plan it can invoke at any time and that it practices.
“If you’re a small jurisdiction and you don’t have a cyber office or team, you need to look out there and find what companies can provide those services,” he said. “It gets more expensive if you wait until a breach occurs than if you get that in place ahead of time.”
The ransomware attack that hit Atlanta’s city government earlier this year cost the city about $2.7 million, Dolan noted. “This is something that costs you,” he said. “You need to know who your first few calls are going to be.”
Dolan said counties need to look at incidents as a way to focus on how they can improve cybersecurity. “These things are going to keep happening,” he said. “We need to make sure we’re improving after each one.”
Often after a cybersecurity incident, whether it is small or large, “people forget to come back together and talk about what happened and how you can be better,” May said, adding that county IT security teams must hold those post-mortem meetings to improve their security.