Cybersecurity Panel Quick Take: The threat landscape for state & local governments
Government communications have improved in the fight to address cyber attacks on public resources. While it is difficult for state and local governments to fight the barrage of rapidly changing cybersecurity threats, there is help for them
Ransomware attacks, security of election systems and connected devices were all top of mind at the Route Fifty Cybersecurity Roadshow held in Boston as several public sector security leaders offered insights and discussed collaboration and resource opportunities for state and local governments.
Jim Condos, secretary of state for Vermont and president of the National Association of Secretaries of State, praised the gains that have been made in election security communications and reported that "vast amounts of work has been done -- and it's paying off." Condos said there is, and will continue to be, a critical need for federal funding that is sustainable during the event keynote. Appropriations every 15 years cannot assure the safety of election systems from cyber attack threats that grow everyday, he said.
It's the imperative that government services do everything possible "to protect the private data of the people we serve," said Condos. While the Threat Landscape Panel is an ominous title, there were positive insights and important cybersecurity tips for state and local governments detailed in the following event takeaways.
The Threat Landscape panel, included the following participants:
- David Farrell, Cyber Program Assistant Special Agent in Charge, Boston Field Office, Federal Bureau of Investigation
- Shannon LeColst, Cybersecurity Liaison, Metro Boston Homeland Security Region, City of Boston
- Maria Barsallo Lynch, Defending Digital Democracy Project (3DP), Belfer Center, Harvard Kennedy School
- Brendan Harris, Cybersecurity Specialist, Volpe Center, Department of Transportation
- Moderator: Mitch Herckis, Senior Adviser for Urban Technology, New York City Cyber Command
4 Key Cybersecurity Takeaways for State & Local Governments
#1 Cybersecurity literacy can be gained.
Lynch said it's critical to create a culture of security leadership in local jurisdictions because, "you can gain literacy in this space," she said. During the conversation she explained:
"When you're new to cybersecurity it can be daunting," but public service staff should be given the space to believe that its okay to escalate a potential security issue when they are not sure.
She said cybersecurity literacy is gained through:
3DP, which focuses on developing foundational knowledge of cybersecurity practices at the local level, develops best practices, tools and resources for state and local governments. The organization's Election Cyber Template Communications Plan Template for state and local election officials, which can be reviewed and downloaded below, contains cyber crisis communications and cyber breach incident response information that local governments can use now.
#2 Cyber hygiene is a weekly task -- and there is low- to no-cost help.
LeColst, who works with nine Metro Boston cities and towns and their individual departments on their cybersecurity postures and certified information systems, said that the municipalities that she is working with are focused on best next steps and spreading awareness through their organizations that risks go beyond elections, homes and work places to every sector.
While there has been considerable local government procurement for precincts and elections, municipalities seek state authorities for guidance.
"Leadership is something that [municipalities] look for," she said, adding that though they want innovative technologies ("the shiny new thing") -- they are asking about cybersecurity risks before they buy.
Harris advised looking to trade associations that establish common goals around procurement. In a world where Smart City technologies offer solutions to urban challenges, he also cautioned that connected devices are not typically built with cybersecurity protections, and that Internet of Things (IoT) devices are not well tested. Harris said for these reasons, he has called IoT the "Internet of Trash."
Lynch added that when it comes to IoT, there is a need for baseline legislation to regulate the risks.
Aside from the risks of high tech innovations, local governments have long existing cybersecurity vulnerabilities:
We have systems running on XP. It's scary," said one local government IT professional at the event.
Farrell encouraged local governments to build fences around their legacy systems and during the keynote, Secretary Condos shared the following key cybersecurity measures for state and local governments:
- Implement weekly cyber hygiene scans.
- Perform penetration testing and use a different company each time.
- Establish multi-factor authentication.
- Perform daily backups.
- Provide training.
- Develop contingency plans.
- Bake cybersecurity requirements into government RFPs.
Through partnerships and programs with the Department of Homeland Security, other agencies and organizations, there is help for municipalities and local departments that do not have the budget, but want to establish cyber hygiene programs and pursue advanced risk assessments, said LeColst.
That's a big disconnect -- understanding there are resources available to them," she said.
#3 Establish cyber emergency response protocols.
LeColst said ransomware is rampant and municipal governments are particularly vulnerable, especially ones that do not have daily back-ups implemented -- they'll consider the ransom.
"Without backup, there is no recovery," she cautioned.
Harris addressed the importance of setting up the organizational call chain, so it's ready when a cyber breach happens.
To develop a larger cyber incident response plan, it's important for municipal organizations to have regular discussions in a group that includes leadership and security talent.
Lynch added that 3DP has a crisis communications checklist that describes actions to be taken up to, and in the days following, a cyber breach. The checklist is contained in the Elections Cyber Incident Communications Plan Template, available below.
#4 Involve help early on.
Farrell said that federal cybersecurity investigators are finding foreign influence threat actors as well as criminal elements, and a blending of both types as threat sources. Federally, cybersecurity is tracking and sharing information with partners across the country. When Herckis asked, "are we fighting the last war?," in reference to the 2016 Election, Farrell responded, no.
We're up for the challenge," he said.
The FBI offers weekly briefings and in addition to support, the agencies and its offices are working on cybersecurity intelligence gathering.
"You might have a small piece of the puzzle," he said. "If you need something, please let us know," Farrell told state and local government attendees.
The event also included presentations by:
- Fabio Duarte, Research Scientist, Senseable Laboratory, Massachusetts Institute of Technology
- Ben Lavallee, Specialist Team Manager, Cloud Customer Engineering, Google Cloud
- Stephanie Helm, Director, MassCyberCenter
Review and download the DP3's template: