Key Cybersecurity Threats to State and Local Agencies
The main cybersecurity dangers IT influencers see when they look at the threat landscape can be broken down into a few buckets.
One is phishing or social engineering attacks, which are still successfully targeting government agencies. “Phishing and socially engineered attacks are also being widely used and are, unfortunately, very successful,” says Texas CIO Amanda Crawford.
Emily Yates, smart city director of Philadelphia, agrees. “The biggest cybersecurity threats faced by government are phishing and ransomware,” she says. “They are connected: Phishing is often used to gain access to the environment to deploy a ransomware attack.”
Ransomware is growing more pernicious and costly. Thirty-four percent of local governments said they had fallen victim to ransomware in the past year, according to a Sophos report.
Local government is the sector where organizations are most likely to have their data encrypted in a ransomware attack (69 percent), according to the report.
This is probably due to the double whammy of weaker defenses due to lower IT budgets and stretched or limited IT staff and the fact that attackers consider government agencies lucrative targets, according to the report.
“The biggest cybersecurity threat we have right now is the threat of ransomware disabling our systems, keeping us from providing much needed government services to our constituents,” says Virginia Chief Data Officer Carlos Rivero.
Crawford agrees and says that “data exfiltration and ransomware continue to be the biggest threat throughout all levels of government, but especially at the local level. “
Another threat grows from the IT supply chain, which was the culprit in last year’s SolarWinds attack. “Another rising threat is supply chain attacks, where a vendor is compromised and used to attack its business partners, including government entities,” Yates notes. “With the release of President Biden’s executive order on improving the nation’s cybersecurity, there is more focused attention on this issue, but it’s still a looming threat for municipalities.”
How Government Agencies Are Bolstering Cyber Defenses
Despite the multifaceted threat environment, IT influencers say their agencies are taking a range of steps to improve cybersecurity defenses. It all starts with user training.
“As it stands now, some state agencies choose to hold their own security training, but we cannot stress enough the importance of making sure that security training is taken seriously by all segments of government in Iowa,” Iowa CIO Annette Dunn says.
Dunn notes that the security operations center her office runs “has been a major contributing factor to the combatting cybersecurity threats” and that she hopes to extend the SOC to run 24/7, but there is currently not enough state funding to do so.
“There have been discussions for a while to extend the hours, but this is, as of yet, not in practice,” she says. “We are also implementing additional end-to-end detection devices and software management capabilities that ensure we maintain the latest patches on all software.”
Rivero says Virginia is “consistently investing in our cybersecurity technology infrastructure, monitoring and surveilling systems, setting policies, creating security controls, and training people.”
He stresses that constantly monitoring the IT environment is an essential element of cybersecurity, including “having automated processes that continuously monitor security controls as configurations change,” Rivero says. “Waiting for a monthly scan is not enough. We need continuous monitoring.”
Crawford notes the Texas Legislature recently passed a law that directs the state’s Department of Information Resources to “expend resources to help local entities improve their security posture.” As a result, DIR now has the authority to stand up a regional network security operations center to help protect local jurisdictions. Additionally, she says, when a cyberattack happens, “we can bring on vetted, background-checked, trained volunteers from around the state to assist with the response.”
Finally, the Texas Legislature appropriated funds to allow DIR to provide endpoint detection and response technology to state agencies at no cost to the agencies, and continued funding for no-cost multifactor authentication services to state agencies as well.
In North Carolina, Chief Data Officer John Correllus notes that the state’s efforts involve “a whole-of-state approach to prevent and prepare for cyber incidents, as well as to respond quickly and effectively at both the state and local government levels.” This involves information sharing and collaboration across state and local government agencies, he adds.
North Carolina lawmakers have also passed legislation requiring local governments to report cyber incidents, which can help mitigate the impact of an attack, according to Correllus. “Currently, there’s also proposed legislation being considered that would prevent governmental agencies from paying ransom in response to ransomware attacks. This would reduce the likelihood of repeat attacks,” he says.
Although the new state budget isn’t finalized, Correllus says there is an agreement on “a significant appropriation in recurring cybersecurity funds that have not been seen in the state previously. This is a great start, and most of the previous funding was nonrecurring or one-time in nature.”
No matter how many protocols and measures are in place, he adds, “protecting our infrastructure, awareness and education is always going to be critical. To that end, hardening the ‘human firewall’ is a top priority. Cybersecurity is everyone’s responsibility.”