For state governments, cybersecurity is getting more complex
State and big-city governments have stepped up their cybersecurity policies considerably over the past few years, officials said this week at a Department of Homeland Security conference outside Washington.
Several chief information security officers and homeland security advisers painted a rosy picture of state and local governments getting serious about enhanced training for public workers, more partnerships with other rungs of government and the private sector, and revising emergency response plans to cover cyberattacks. But they also acknowledged they face an expanding threat landscape that endangers everything from government IT functions to critical public infrastructure.
“In cyber, the risks, challenges, sheer reliance across all sectors integrates everything,” Shawn Talmadge, Virginia’s assistant secretary of public safety and homeland security, said Friday at the DHS Cybersecurity and Infrastructure Security Agency’s summit. “Cyber is no different, I would argue, than any other public safety challenge.”
Talmadge said that, increasingly, states need to respond to cyberattacks similarly to how they treat natural disasters — with a comprehensive approach that includes roles for federal, state, local and private-sector stakeholders. More states are drafting or revising emergency response plans to include cyberattacks that target government IT or other critical infrastructure. Two of those states — Colorado and Louisiana — invoked them after ransomware attacks, setting a template that could be replicated elsewhere.
But like so many other IT initiatives, elevating the role of cybersecurity is dependent on building relationships. Pennsylvania CISO Erik Avakian said that while he’s confident his office provides good services to the rest of the state government, he needs to reach out to the local government agencies that aren’t as self-sufficient.
“We’re working with the counties, cities, school districts because we know those users don’t have the same capabilities [as the state],” he said.
Avakian said his team now offers regular security awareness training like anti-phishing exercises to county and local governments, particularly the small and rural jurisdictions that lack robust IT budgets. Along with hopefully improving those local officials’ security knowledge, Avakian said there’s a financial benefit to Pennsylvania as adding more software licenses brings down the state’s cost per license for its own IT assets.
Plenty to keep busy with
Even with expanded cybersecurity policies, there are still plenty of threats to keep CISOs and security advisers up at night, said Bradford Willke, the acting assistant director of CISA’s stakeholder engagement division. Ransomware captures much of their attention right now, but there are other concerns, too.
Jared Maples, the head of the New Jersey Office of Homeland Security and Preparedness, said he gets “seven to 10” reports of ransomware somewhere in the state every week. But he also said that he worries about parts of New Jersey like mostly rural Cumberland County, particularly when it comes to safeguarding election-related systems.
“I’m not sure people think of New Jersey as rural, but we are the Garden State,” Maples said. “If you said that in 2016 that Cumberland County, which is in the middle of nowhere in South Jersey, would be the target of election hacking, you would’ve been crazy. But it’s real and we have to give them the tools.”
Maples said he doesn’t lack for concerns in New Jersey’s more populated regions. He said he often supports the Port of New York and New Jersey — 70 percent of which lies on his side of the Hudson River — and Wall Street firms, many of which keep the servers on which securities trades are actually conducted in New Jersey. A 2017 ransomware attack against the Dutch shipping firm Maersk, which controls one of the Port of New York and New Jersey’s four shipping terminals, was particularly troubling, Maples recalled.
Talmadge also worries about shipping facilities in the southeastern corner of his state.
“The Port of Virginia is a huge piece of critical infrastructure that is cyber-enabled,” he said. “And that whole thing feeds the Midwest. The cranes that offload those boats are cyber-enabled and subject to attack. We’ve got to find those stakeholders and make sure our state plan ensures that critical infrastructure can continue.”
When Maples does get an alert, it typically goes through the New Jersey Cybersecurity and Communications Integration Cell, a statewide fusion center modeled on DHS’s National Cybersecurity and Communications Integration Center. Maples said the NJCCIC, which is overseen by New Jersey CISO Mike Geraghty, runs on a “full-scale, all-hazards approach” that includes federal, state, local and private-sector representatives. It also publishes security alerts and advisories that it makes available to the public for free.
‘A right to cybersecurity’
Public engagement is becoming an increasingly important part of government cybersecurity activities as things like ransomware and digital attacks on critical infrastructure enter the popular lexicon, several of the speakers at the CISA summit said.
Speaking on a panel Thursday, New York City CISO Geoff Brown said his office, New York City Cyber Command, had both internal and outward-facing duties.
“We have two real missions,” he said. “We defend the technologies that deliver critical services to New Yorkers. Our second mission is to bring better awareness and even solutions to citizens.”
Brown pointed to a mobile app his office launched last October called NYC Secure, which alerts users if they are connecting to unsafe websites or unsecured Wi-Fi networks. It’s also billed as not collecting any personal identifying information — such as location or device serial number — from its users.
“We said if you’re a New Yorker, you have a right to cybersecurity,” Brown said.
Communications is even more important while a cyberattack is happening and disrupting government services. Talmadge said Friday that Virginia’s fusion center typically has media relations staff to avoid bungling information a worried population might need.
“Engaging the public and giving them timely updates is good, especially when things are going kind of weird,” he said.