State and Local Organizations Under Attack from Cyber Criminals

By Ron Greenberg | March 10, 2022

Even before Russia’s invasion of Ukraine, cyberattacks were increasing in severity and targeting our nation’s most critical companies and organizations.  These attacks, which now include ransomware attacks that disrupt operations, in addition to data theft, have skyrocketed further in the past year.

One sector that remains particularly vulnerable is state and local government entities. Reports show that attacks on state and local agencies were up 50 percent in 2020 over previous years, with ransomware and other attacks taking entire cities offline or threatening critical infrastructure utility networks.

Last month, Governor Hochul and Mayor Adams, along with the mayors of the five major upstate cities, unveiled a Joint Security Operations Center (JSOC) to provide a statewide view of the cyber-threat landscape and improve coordination on threat intelligence and incident response.  With the JSOC announcement and these rising threats in mind, I sat down with former FireEye and McAfee CEO and NightDragon Managing Director, Dave DeWalt, who shared his view on the current threat landscape based on his more than 25 years of experience responding to cyberattacks. Here is an excerpt from that conversation:

We’ve seen a lot of attacks over the past year. What is the most concerning to you?

We are living in the highest threat environment in history. In 2021, we saw an unprecedented number of ransomware attacks, averaging about 4,000 a day. These attacks targeted hospitals, schools, food and fuel suppliers, and more. Within state and local organizations, we are seeing a ransomware attack every 33 seconds, on average. Some of these attackers are given safe harbor in countries like Russia, China, and other places around the world where there will not be any law enforcement response.

The other area I am extremely concerned about is critical infrastructure. The breach that we saw at the Oldsmar Water Treatment facility in Florida last year is a poignant example of the devastating effects that could potentially result from attacks targeting our water systems, power grids and other critical infrastructure.

How do you see the technology landscape evolving to address this new challenge?

This is an important area for state and local organizations to consider: how are you positioning your teams to identify and implement the latest cybersecurity technologies? There are approximately 3,700 companies around the world offering cybersecurity solutions – the most in history. The pace of innovation has never been higher, but we need to get these technologies in the hands of the IT and cybersecurity leaders that need them in a strategic and thoughtful way.

One challenge for many organizations in adapting new technologies is that we face a drastic talent shortage in IT and cybersecurity. Organizations everywhere are struggling to find the people they need to evaluate these technologies, implement them, and then maintain them on a regular basis. This is where we need to continue investing in artificial intelligence, data analytics, and automation to help offload some of those responsibilities to technology where we can. It’s also why we need to invest in cyber-training programs like those Governor Hochul and Mayor Adams announced would be coming as JSOC moves forward.

How have you seen organizations, including state and local governments, mature their approaches to cybersecurity?

Ten to fifteen years ago, I would say policymakers across state and local governments weren’t well-enough educated on technology or didn’t necessarily have a good appreciation for how it could help support their goals. We’ve seen a shift in these attitudes as new modern digital products and services bring new benefits to our state and local governments.  In fact, some states have Chief Information/Technology/Data Officers who are faster to adopt certain new technologies than their federal counterparts.

You’re also seeing increased awareness that with these new digital benefits comes new cybersecurity risk. As a result, we are starting to see some advanced state and local organizations really acknowledging the problem and starting to align the people, process, and funding to reduce risk. We still have a way to go, but we are starting to see those stars align. This represents an immense and growing market opportunity for many of the cybersecurity vendors I work with, but they also take very seriously the need and opportunity to support the States’ security missions.

I would like to point out that many people are closely watching the State of California’s new CALSECURE plan. A document like this is extremely useful not only for the State to map out its cybersecurity goals for the coming months and years, but it also helps providers of cybersecurity products and services understand and plan and get organized to best serve the State because they now know what it intends to procure and what there will presumably be budget for.

What do we need to know about the federal funding for cybersecurity that was just appropriated to the states, counties, and cities?

Last November, Congress enacted the $1.2T infrastructure spending bill (HR 3684, the Infrastructure Investment and Jobs Act). The bill appropriates $1 billion over four years to help state, local, tribal, and territorial governments to improve cybersecurity needs by securing their networks, assessing their cybersecurity vulnerabilities, and building up their cybersecurity workforce. We can assume these funds will be in the hands of the states potentially in the second or third quarter of 2022. There is a cost share provision whereby states provide 10% of the cost of projects in year one, 20% in year two, and so on and so forth until the end of the program. States must submit cybersecurity plans, which will be reviewed by the Cybersecurity and Infrastructure Agency (CISA) at the Department of Homeland Security and must establish planning committees (if they haven’t yet) to aid in the development of these plans. Local governments are eligible for the funds and will receive 80% of total funding, but the States are responsible for distributing the funds.

My suggestion is that, while states engage in the planning process relating to this funding, they should pay attention to the ways that the U.S. government has architected its cybersecurity continuous monitoring program, the Continuous Diagnostics and Mitigation program (CDM).  The U.S. government began investing in this program around 2013.  Through CDM, CISA vetted — and continues to vet — a wide range of technologies that best satisfy the various categories of the National Institute of Standards and Technology (NIST) controls that form the foundation of CDM. Right now, among CDM’s priorities are implementing endpoint detection and response across the .gov and ensuring the federal agencies improve their logging capabilities according to the Administration’s new guidelines.  States, counties and cities could learn a lot from this program both in terms of what and how technologies were chosen, as well as how they were architected together. This knowledge could help them prioritize their own investments.

How can state and local governments address the immense talent challenge around cybersecurity?

If you ask any CIO or CISO – no matter the industry or organization – what their biggest challenge is, the vast majority will likely say finding, recruiting, and retaining the right cybersecurity talent. This is truly one of the biggest challenges facing our industry today and, honestly, our national security. This high demand logically drives the salaries for qualified individuals up significantly, which can present a challenge for many state and local organizations.

Public-private partnership is one way to address this challenge. You’re seeing a lot of great efforts happening in the non-profit world and elsewhere to try and foster a pipeline of talent from local schools, universities and even retraining individuals from other careers to get into cybersecurity. This is something we will need to continue to stay focused on in the coming years. My company, NightDragon, just made a major investment in a technology platform that offers cyber education programs to universities and enterprises, with a focus on hands-on skills training. We are not going to effectively address the cyber workforce shortage in this country unless we leverage technology.

How did the pandemic change how state and local organizations needed to approach cybersecurity?

Just like many of us around the world, employees at state and local organizations picked up their computers and took them home during the pandemic. While this allowed us to continue to work safely, it also presented new challenges. Suddenly, our corporate or government-owned devices were connecting from the home office or the coffee shop, mingling with unsecured networks or with dozens of other unknown connected devices. There was an immediate need for improved digital solutions to enable this new world, including cybersecurity.  We also realized that some of the tools we relied on before were not up to the task anymore.  The Virtual Private Network (VPN) provides one good example.  Why should employees have to route their connections through an on-premises gateway when they can connect safely to your cloud applications using tools like secure access service edge (SASE)?

What do you see as the key for state and local organizations to address these rising threats?

Adopting the right technologies and hiring staff are an important piece of the equation. But I think equally – if not more important – is the idea of public-private partnership. We need private companies working hand in hand with state, local and federal leaders. It takes a village to solve this problem. We’re seeing a commitment to improving the way we do this at the federal level, and I hope to see this increase at the state and local level as well.

We also need to ensure that cybersecurity is a priority in every department, every office across the government. It only takes a single weak link from any connected device including a video surveillance camera, an HVAC system, or an individual opening a corrupt e-mail to cause significant disruption or damage. Let’s consider the sheer size of New York State government entities, the vast services they provide, and the people they serve.  The State is divided into 62 counties (five of which are boroughs of New York City). Within these counties are 62 cities (including New York City), 932 towns, 555 villages and 697 school districts (including New York City). In addition to counties, cities, towns, and villages, “special districts” meet local needs for fire and police protection, sewer and water systems or other services.  We need to ensure cybersecurity is being handled effectively across all these different areas and the Joint Security Operations Center is a great first step.

Ron Greenberg, Senior Advisor at Brown & Weinraub, brings to the firm nearly two decades of experience in New York State government in various senior appointed positions, including first deputy budget director to three governors, deputy of Enterprise Shared Services, and assistant deputy commissioner of tax policy.  

Dave DeWalt is Founder and Managing Director of NightDragon. NightDragon invests in and advises late-stage and growth companies, providing a platform of growth for the next generation of cybersecurity, safety, security and privacy companies.