Apr 22 2024

Rethinking the Weakest Link in State Government Cybersecurity

Agencies should take a whole-of-state approach to implementing zero trust.

Recent cyberattacks in Fulton County, Ga., Contra Costa County, Calif., and the Office of the Colorado State Public Defender have prompted widespread delays and forced state and local entities to shut down voter registration, phone, tax, court and other essential systems — underscoring the urgent need for secure digital transformation.

Ransomware attacks targeting cities, states, municipalities, law enforcement and other public entities are expected to grow, according to Zscaler’s latest Ransomware Report. These entities often have a very weak security posture around critical data and systems and typically rely on legacy technologies, making them attractive targets for cybercriminals seeking easy payouts or valuable information that they can sell. Attacks like these often significantly disrupt important public services and expose large caches of sensitive information.

The legacy network-centric architecture has served us well for more than 30 years, but now our applications are moving everywhere, and users are becoming more mobile. As adversaries are modernizing, this architecture no longer works. With the rise of remote work, cloud computing and sophisticated cyberthreats, the concept of trust needs to be dynamic and adaptable.

That’s why zero trust is at the center of recent cybersecurity guidelines that recommend changes to legacy systems and infrastructure to keep up with sophisticated cyberthreats: Secure digital transformation requires a zero-trust architecture.


Without collaboration, each state and the many smaller units of local government within it must defend their IT systems and data from attackers independently. Every resident in a state is likely served by several levels of government for critical services. For example, the state might provide driver services and ensure that state highways are maintained; the county might maintain smaller county roads and manage property taxes; and a city might provide municipal water and sewer service to homes and regulate zoning.

These levels of government work together to seamlessly provide services to residents. Operation of streets, roads and highways requires coordination and partnership. Similarly, collaboration between layers of government to protect IT systems is critical.

Uniting entire states behind a common mission of protecting IT systems to ensure that services remain available to residents via a whole-of-state approach presents enormous opportunities to standardize security, which can translate to improved response capabilities, cost savings and resource allocation.

A whole-of-state approach means coordinated defense and response between layers of government, with states providing leadership. It is intended to foster collaborative risk mitigation efforts and leverage state resources in building or strengthening local government cybersecurity defenses. It can also sustain those defenses over time as the threat landscape continues to become more complex.

State and Local Agencies Benefit from Strength in Numbers

While state and local governments have limited resources for cybersecurity initiatives, the combined purchasing power of whole-of-state programs enables participating organizations to obtain more and better cybersecurity tools.

From funding and skilled staff to tools and training, collaborating to leverage resources can serve as a force multiplier in the ongoing battle to stay a step ahead of cyberthreats. Addressing expertise and resource deficiencies at the local level is critical to improving security for the whole state, from small towns and municipalities to statewide entities.

Whole-of-state approaches also help states to efficiently and effectively use their designated share of funding from the State and Local Cybersecurity Grant Program. The U.S. Department of Homeland Security’s program for state and local governments to enhance their information systems offers $1 billion in grant funding over four years.

The program requires that 80 percent of the funds flow down to local governments, and 25 percent of that to rural areas. Successful whole-of-state programs will demonstrate the value in continued grant funding to provide common defense to all levels of government.

Governments Can Fortify Defenses by Embracing Zero Trust

States have tens of thousands, if not hundreds of thousands, of endpoints to secure. The resources that states support cover a wide variety of resident services across healthcare, public safety, food security, transportation and environmental protection, and they often do so at a scale rivaling that of federal agencies, large corporations and many nation-states. Unfortunately, many state and local governments lack comprehensive visibility into their cybersecurity environment because they depend on legacy technologies that are difficult and expensive to secure, patch and maintain.

For example, traditional network security architecture relies on building a perimeter around the ever-growing network, the proverbial hard candy shell. This approach was effective for users who were in state and local offices and residents who were being served in person. Now, users are everywhere, applications are moving beyond the data center, and the internet is the new connectivity layer. This new reality breaks legacy perimeter-based security models and calls for the rapid adoption of zero trust.

Replacing outdated systems with modern tools and platforms offers improved security capabilities, agility to rapidly respond to new requirements and visibility into the many critical systems that serve residents. As with many identity and access management solutions, zero-trust initiatives not only greatly enhance security but also greatly improve the user experience.

Whole-of-state approaches to cybersecurity are incredibly focused on trust. Successful programs involve building relationships and establishing trust between state governments and local governments — allowing local governments to maintain independent security policies while the states provide common services and advanced expertise. This in turn encourages residents to find government applications and websites trustworthy. Adding zero trust to whole-of-state programs will accelerate and strengthen these initiatives because it incorporates transparency, auditability and explicit verification that the transactions between partners are, in fact, trustworthy.

Adoption of Zero Trust Occurs from Top to Bottom

IT decision-making and operational models vary widely by state. In some cases, all IT support is centralized under one agency. In others, there is no central authority over IT or cybersecurity decision-making. The difference in operating models is the result of different leadership and priorities within each state. As such, implementing a successful whole-of-state strategy can look very different from one state to another. Successful programs tend to share a few common characteristics: collaborative leadership from state IT agencies, participation and sponsorship by key local government entities, and a strong sense of community mission between the state and local governments on issues related to cybersecurity.

Collectively, state and local governments can identify and respond to emerging threats more effectively by sharing threat intelligence, best practices and resources. Working together means that all parties have more resources available to prevent and respond to cybersecurity incidents.

As many states have done over the past few years in areas such as threat intelligence sharing, incident response planning and statewide security operations centers, state agencies need to develop and operate increasingly mature cybersecurity programs, including zero-trust adoption. The continued success of whole-of-state programs relies on large state agencies continuing to advance their defenses.

The journey is long, the work is not nearly done, and our adversaries are motivated. But our collective strength lies in our ability to work together to stay ahead of evolving threats.
