The cyber-attack exploiting the SolarWinds vulnerability raised alarms throughout the federal government, as the data on many agency networks was presumably compromised. The extent of the damage from SolarWinds (and other recent breaches) is still being investigated and mitigated. The breach impacted not only federal systems, but also state, local, and Tribal governments (SLTG) and their databases. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) posted on its website that the SolarWinds hacking campaign was “impacting enterprise networks across federal, SLTG governments, as well as critical infrastructure entities and other private sector organizations.”
Clearly, SLTGs have become a fresh and lucrative target for hackers, and the SolarWinds breach highlights that reality in an increasingly connected world. But the systematic cyber-attacks did not start with the SolarWinds incident. The past few years have seen a significant increase in those attacks, particularly through the use of ransomware. In the last few years alone, dozens of county and municipal government institutions have been the victims of ransomware extortion attacks. Ransomware is not new, but with the advent of cryptocurrencies it became a profit vehicle for many criminal enterprises. Many criminal gangs now use ransomware as their weapon of choice, since the risk of prosecution is low and the monetary rewards can be high.
In 2020, an unprecedented number of ransomware and other destructive cyber-attacks targeting state, local, and Tribal governments were reported (including attacks on Baltimore and Atlanta), and the numbers just keep soaring in 2021. Last year the cybersecurity firm BlueVoyant published a report disclosing that state and local governments saw a 50% increase in cyberattacks from 2017 to 2020. The report also noted that this 50% increase is likely a fraction of the true number of incidents, because many go unreported. The BlueVoyant report further found that small governments face much the same risks as small and medium-sized businesses. (Source: “State & Local Government Cyberattacks Up 50%”, Business 2 Community)
Forbes contributor Dr. Oren Eytan, CEO of the Israeli startup Odix and former head of a top IDF cyber defense unit, provides a succinct analysis of why local governments are top targets for hackers: “Standing at the intersection of vast consumer data and vulnerable yet poorly managed “secure networks,” municipalities are the ideal target for cybercriminals aiming for the quintessential low-hanging fruit of the data universe. As the gatekeepers for voter records, tax information, social security numbers and essential access information to the full range of critical infrastructure managed in the municipality’s workload, it is of little surprise that they have become a focal point of cyberattacks.” (Source: “Municipal Cyberattacks: A New Threat Or Persistent Risk?”, forbes.com)
Despite the serious threat profile that Dr. Eytan describes, until recently the mindset of local and county government officials has not been focused on cybersecurity strategies and protective measures. This stems from a limited understanding of the threats, a lack of expertise, and austere budgets. That is now changing because of the stakes, combined with rapid changes in the information technology landscape, where the connectivity of cyber devices and communications has grown exponentially. Digital transformation trends and the shift to working from home during Covid-19 have greatly expanded the cyber-attack surface, compelling forward-thinking county and local officials to rethink the priorities and missions of government operations.
The Need for a strong SLTG Risk Management Approach
In view of the growing number of threats, a refocus on strengthening cybersecurity requires sound investments, resources, expertise, and capabilities. But first, leaders need to know where and what vulnerabilities they face. Performing a cybersecurity risk assessment should be a critical part of every government’s practices. These assessments help leaders determine the likelihood of an attack against the jurisdiction and the potential impact a cyberattack could have on the jurisdiction’s reputation, finances, and overall community health. The assessment gives leaders a better understanding of their systems’ vulnerabilities and of where to dedicate already limited resources.
Cybersecurity involves many components, many of which can be easily overlooked. County and local leaders may not be aware of any risks that threaten their jurisdiction, but that does not necessarily mean none exist. Cyber risk assessments are designed to give leaders the data and resources they need to navigate potential risks and to identify areas that may have been missed in the past. What is needed at the SLTG level is a new risk management approach built around stakeholders and the integration of technologies, processes, and people to meet emerging threats.
SLTGs should be proactive in creating comprehensive risk management strategies that adapt to the needs and capabilities of stakeholders. Cyber risk management is the nexus of efforts to secure cyberspace. This will require creating a framework that assesses situational awareness, aligns policies and training, optimizes technology integration, promotes information sharing, establishes mitigation capabilities, and maintains cyber resilience in the event of an incident.
To be successful, a cybersecurity risk management framework must adapt to growing challenges, be comprehensive, and be tested and re-tested. Accordingly, the framework should be defined by the most basic elements and best practices of managed risk: layered vigilance (intelligence, surveillance); readiness (operational capabilities, visual command center, interdiction technologies); and resilience (coordinated response, mitigation, and recovery).
The specifics of a security framework may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic capabilities for critical communications in an emergency.
Creating a framework requires comprehensive data, research, and insights. Gaining visibility of the threat vectors, identifying the myriad threats to government operations and activities, and weighing options to address gaps is a good first step in the risk management process. There are a variety of risk management architectures, solutions, services, and protocols to evaluate and consider, since no single solution fits all.
The example list below incorporates some of the over-arching elements that should be discussed when creating State, Local, and Tribal Government cybersecurity frameworks:
• Carry out vulnerability assessments of all devices (including work from home devices) connected to governing networks.
• Carry out comprehensive scanning and testing to detect malware in code and configurations that can be exploited, especially in legacy systems.
• Use multi-layered, defense-in-depth cybersecurity protections including strong passwords, multi-factor authentication, and strong endpoint protections. Encrypt sensitive assets, especially data in transit. Use firewalls and anti-virus detection software, and continually audit networks.
• Backup all critical data and assets, especially data potentially targeted by ransomware.
• Create policies and visibility (secure routers, Wi-Fi) and remote work protocols for all work-from-home activities of SLTG employees.
• Update and patch vulnerabilities to both SLTG networks and devices.
• Compartmentalize all devices to minimize attack surfaces. Consider adding security software, containers, and devices to “digitally fence” network and devices.
• Establish privileged access controls for SLTG networks, devices, and applications (use strong authentication, and perhaps biometrics, for access control).
• Ensure mobile device security and interoperability for law enforcement and first responders.
• Continually monitor and share cyber threat intelligence across SLTG jurisdictions (could be done via fusion centers).
• Implement cybersecurity hygiene and awareness training for employees (this is essential, as most breaches are the result of phishing attacks and/or negligence).
• Create a cybersecurity incident response and communications plan, especially for ransomware attacks (also consider creating an SLTG ransomware task force).
• Determine what is required for resilience in cyber incident response and disaster recovery planning while removing “single points of failure”.
• Consider augmenting efforts with managed security and outside subject matter experts.
• Consider cloud security as a service.
• Evaluate emerging cybersecurity automation and machine learning technologies.
• Plan for compliance and regulatory requirements.
In addition to sharing best practices for risk management frameworks, a good path forward for closing cyber gaps is enhanced SLTG collaboration with the federal government, industry, and vendor partners. Such collaboration could help ensure the production of hardened devices and software packages with built-in cybersecurity features to counter newer and more sophisticated hacker threats, especially for first responders. Access and identity management for connected devices also needs to be strengthened and enforced through new protocols and processes. Effective Privileged Access Management software is available from industry.
A risk management framework of course applies to everyone, including the federal government and especially industry. However, lacking the resources and expertise available to others, SLTGs must recognize that they are primary targets and can no longer afford to remain unprepared for the multitude of cyber-threats. Creating a cybersecurity framework is imperative if SLTGs are to meet the challenges posed by an expanding, hyper-connected, and increasingly dangerous cyber-attack ecosystem.
Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and subject matter expert on Cybersecurity and Emerging Technologies. LinkedIn named Chuck one of “The Top 5 Tech People to Follow on LinkedIn.” He was named by Thomson Reuters a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC the “#2 Global Cybersecurity Influencer.” He was featured in the 2020 Onalytica “Who’s Who in Cybersecurity” as one of the top influencers on cybersecurity issues. He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic. He is a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to Forbes. He has also been a featured author in technology and cybersecurity blogs and events by IBM, AT&T, Microsoft, Cylance, Xerox, Malwarebytes, General Dynamics Mission Systems, and many others. He recently presented to the G20 on Energy Cybersecurity.
Chuck is on the Faculty of Georgetown University, where he teaches in the Graduate Applied Intelligence and Cybersecurity Risk Programs. In government, Chuck was a “plank holder” at the Department of Homeland Security (DHS), serving as the first Legislative Director of its Science & Technology Directorate. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill, covering security and technology issues. He has an M.A. from the University of Chicago and a B.A. from DePauw University.
Follow Chuck Brooks on LinkedIn and on Twitter: @ChuckDBrooks