Collaboration Tips for State & Local Government: Cybersecurity Spotlight



Introduction

State and local governments have become favorite targets of malicious actors. The persistent attacks and growing ransom demands have made it urgently critical for agencies to secure themselves and their data.

“Data doesn’t just sit in the state; it sits everywhere,” said Maria Thompson, Chief Risk and Security Officer of North Carolina.

One sure-fire way for agencies to protect themselves better is to improve how they collaborate.

To help your agency, we put together this spotlight resource on cybersecurity with a focus on collaboration tips. You will find statistics, best practices and thought leadership on how to best collaborate for a more robust cyber defense.

Unfortunately, only 28% of states reported that they had collaborated extensively with local governments as part of their state’s security program in 2020, according to a report by the National Association of State Chief Information Officers (NASCIO).

28% - Extensive collaboration with local governments
65% - Limited collaboration with local governments
7% - Unidentified in report

(Source: Deloitte-National Association of State Chief Information Officers Cybersecurity study)

“We used to say it was nice to collaborate. Now, I think it’s imperative,” said Jim Richberg, Field Chief Information Security Officer (CISO) for Fortinet, a cybersecurity company. Richberg is referring to how IT and security teams must be able to coordinate to ensure security is a baked-in priority, not an afterthought. Collaboration is crucial not only within agencies but across agencies too. North Carolina, for example, was able to effectively respond to ransomware threats and boost its cybersecurity defenses by partnering with county IT teams in a “whole-of-state” approach.

GovLoop Community Insights

In January 2021, we surveyed over 400 GovLoop community members to learn what’s top of mind around cybersecurity.

Are you interested in learning about cybersecurity?

13% State
3% Local

Only 13% of state government and 3% of local government respondents picked cybersecurity as one of the top three items they were most interested in learning about.

Is cybersecurity a top concern for your agency?

16% State
23% Local

However, 16% of state government and 23% of local government respondents said cybersecurity is one of the top three priorities for their agencies.


What Did State & Local Governments Contend With in 2020?

Cybersecurity

Cybersecurity and risk management is the number 1 priority for state chief information officers (CIO). (Source: NASCIO)

What services does the state CIO organization offer to local governments?

1. 59% Network services
2. 55% Data center hosting mainframe, servers
3. 50% Geographic information system (GIS)
4. 48% Telephony/VoIP
5. 48% Security infrastructure/services

Ransom Demands

Ransom demands rose from an average of $30,000 per attack in 2017 to $380,000 in 2019. (Source: BlueVoyant State and Local Government Security report)

Within the GovLoop community, data security is a topic of highest interest within cybersecurity among state and local government employees. (Source: Internal 2021 GovLoop survey)



Employment

Local government lost 1.3 million jobs between March and May (Source: National Association of Counties)

Digital Divide

3.7 million households lack internet access and 4.4 million lack consistent access to a device. (Source: Census Bureau’s “Household Pulse Survey”)

Telework

More state and local government employees were teleworking than the rest of the labor force. (Source: Bureau of Labor Statistics)

[Figure: Government Employees Teleworking Because of COVID-19. Series: Federal, State, Local, All gov., Entire economy. Vertical axis: 20% to 60%. Horizontal axis: May, June, July, August.]

Morale

Morale has suffered in municipalities of all sizes, but particularly in smaller ones, since COVID-19. (Source: Atlas’ “Local Government’s Next Normal” survey)

Has morale improved?

Population > 100K: Yes 18%, No 79%
Population < 100K: Yes 9%, No 90%


Best Practices

How North Carolina Built a State & Local Partnership From Scratch

The onslaught of ransomware attacks in 2020 forced states like North Carolina to acknowledge that they could no longer operate separately from their local counties. Ultimately, what affects the counties affects the state too. “You have to adopt a whole-of-state approach to cyber,” said Maria Thompson, Chief Risk and Security Officer. Counties must be open to sharing their cyber incident data with the state, and the state must be willing to offer the support and resources it has to secure local government. “Data doesn’t just sit in the state; it sits everywhere,” Thompson said. “And even though we [the state] can’t govern those entities, we have to work together. We’re seeing that more counties are open to reporting [incidents]. We can’t operate in silos of excellence.”

1. Connect

To start, agencies must connect, ideally by leveraging relationships they already have.

Like many states, North Carolina didn’t have an established relationship with local counties at first. So Thompson reached out. Leveraging local public-safety relationships, she connected with Randy Cress, a county CIO and a leader at the North Carolina Local Government Information Systems Association (NCLGISA). An association of local IT professionals, NCLGISA had a team of volunteers called the IT Strike Team. The volunteers provided IT support alongside the state emergency management department for local agencies hit by cyberattacks.

Ultimately, North Carolina’s IT department didn’t have to go far or do much to increase its capacity to respond to local cyberthreats. It just had to partner with a group already doing that work — the IT Strike Team — and provide support along the way.

2. Exchange Carrots (Not Sticks)

“It’s not just a relationship based on [local government] reporting to us, and [state government] will only step in when there is an incident,” Thompson said. “It’s also about helping them with tools… so we can all protect ourselves.” Thompson began attending the association’s biannual conferences to spread awareness of state cybersecurity initiatives and resources that counties could take advantage of.

3. Codify Information Sharing

In August 2019, the state legislature passed a law that required county incident reporting to the state government, with efforts to expand this to schools. The law helped clarify the relationship even further.

“When preparing an incident response plan, it can be overwhelming to know who to contact. Having that legislative piece opens the door for organizations that are just trying to manage it internally,” Cress said at NASCIO’s conference. There are huge benefits to sharing information across county lines. “If you can get one or two counties to share information and sanitize that data, there’s so much value in having an authoritative voice in what you should be concerned about,” Cress said.



Industry Spotlight

How Security Goes Undercover

An interview with James Richberg, Field Chief Information Security Officer, Fortinet

For state and local agencies experiencing budget shortfalls and budget cuts due to the pandemic, a common course of action is to preserve core mission capabilities by absorbing cuts in other areas. Unfortunately, this mindset and action have historically meant “support elements” such as IT and security often get a disproportionate share of cuts. For instance, consider a local government that determines it can fully fund only two of these three initiatives: public safety, waste pickup and IT modernization. Which is most likely to be left out?

“That’s the risk we run,” said James Richberg, Field Chief Information Security Officer (CISO) at Fortinet, a cybersecurity company. “It’s especially tempting for organizations to cut funding in the area of security, since doing so doesn’t seem to produce adverse consequences — until a significant malicious incident occurs,” said Richberg, a former National Intelligence Manager for Cyber at the Office of the Director of National Intelligence.

“That’s why I think security has to almost go undercover. You need to make it integral to the broader solutions that agencies adopt,” Richberg added.

‘Like Siamese Twins, Joined at the Hip’

The COVID-19 pivot to remote telework has proven how relevant IT is to the agency mission, but what about the future? To take advantage of this momentum, it’s vital that IT and security teams are aligned and collaborating.

If IT and security teams can partner to 1) identify key productivity-enhancing technologies and 2) shape the discussion of solutions for agency stakeholders to consider, they can both maximize the “bang for their buck” for expanded digital services and ensure that the choices prioritize security from the start.

Take software-defined wide-area networking (SD-WAN) for example. SD-WAN is a flexible networking technology that enables fast connection to the cloud, a capability that may be attractive to many agencies as the remote workforce and digital services have ramped up. It offers cost savings, operational flexibility and a better user experience. In earlier versions of this technology, security was left out or treated as an afterthought. But some of the latest SD-WAN products include security as part of an integrated solution, so that a single device performs network management, router and security functions. Because these integrated products reflect technological progress made since the early days of SD-WAN, they typically offer higher performance in addition to cost savings.

To find efficient and cost-effective solutions, the chief information officer (CIO) and CISO need to have a “synergistic relationship where they’re almost like Siamese twins, joined at the hip,” Richberg said. A number of jurisdictions already operate in this way, but it can run the gamut. “If you’re an organization trying to build these bridges, the best way to do it is to start from the top. Otherwise, inertia will sabotage it,” Richberg said.

“We used to say it was nice to collaborate. Now, I think it’s imperative,” Richberg said.



Next Steps

Collaboration is a critical component to state and local cybersecurity strategies. Here are more resources to start building and strengthening those relationships and, in turn, your organizations’ cyber postures.

• National Governors Association (NGA) and NASCIO “Stronger Together: State and Local Cybersecurity Collaboration”
• National League of Cities “State and Local Partnerships for Cybersecurity: A State-by-State Analysis”

Other Resources

• Cybersecurity and Infrastructure Security Agency (CISA) Resources for State, Local, Tribal, and Territorial Governments
• Homeland Security Department’s State and Local Government Offerings, Products, and Services
• Login.gov’s Expanded Availability for State & Local Government
• Secure and trusted .gov domains through the DOTGOV Online Trust in Government Act

If you found this resource helpful, check out our full guide, “Resilience Lessons From State & Local Government: A GovLoop Guide.”



1152 15th St. NW Suite 800 Washington, DC 20005 P (202) 407-7421 | F (202) 407-7501 www.govloop.com @GovLoop
