State and local governments are constantly confronted with shifting priorities that each demand space at the top of the to-do list. Recently, cybersecurity has catapulted itself to the top of that list as public officials at all levels are faced with threats to sensitive information, public infrastructure, and even personal cyber attacks as hacking becomes a form of protest. New data is now emerging on how widespread the threats can be and how difficult it can be to protect against them.
Merely 24% of chief information security officers (CISOs) at the state and local level are very confident in their states’ ability to guard data against external threats, according to the newly released 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study. In a similar report released from Verizon Business examining threats based on data collected as an enterprise security provider, data there shows that 174 million records have been compromised since 2011 – a number that is likely on the mind of CISOs.
Moreover, while some threats to state information technology (IT) security diminished since 2010, the increasing sophistication of cyber-attacks presented a new set of challenges to state officials tasked with safeguarding citizens’ personally identifiable information (PII). As CivSource has reported, following a breach of such information in Utah, a technology director there resigned and a new Health Data Security Ombudsman was appointed by the Governor.
“Citizen trust in government is severely impacted when the data is compromised and hence it is not just an information technology issue, but an issue that could adversely impact elected officials and the credibility of governments,” explains Srini Subramanian, principal, Deloitte & Touche LLP and leader of its security and privacy practice to state governments. Trust is not the only issue when it comes to cybersecurity, building and maintaining a technology infrastructure that is responsive to these threats requires significant time, talent, and expenditure – factors that are typically scarce in the public sector.
According to the Verizon report, attacks designed to go after intellectual property (IP) are on the rise in both public and private sector especially in areas where data can be profitable if sold like health care and financial services. This can have a compounding effect for public sector officials if their private sector vendor partners are faced with a breach that falls outside of government security efforts. The Verizon report notes that, finding and identifying the work of IP theft is highly difficult and specialized. Many of these breaches go undetected until long after the damage has been done, and it often takes quite a while to successfully contain the breach. IP attacks often include collusion between insiders and outsiders. Regular employees accounted for the largest percentage (two-thirds) of insiders. Outsiders often acted directly and maliciously, but also regularly solicited and aided insiders.
“Compliance with security requirements doesn’t always equal 100% security,” says Marc Spitler, Senior Analyst, Risk Team, Verizon Enterprise Solutions, in an interview with CivSource. “It’s impossible to have a silver bullet approach to this, risk analysis across the organization is necessary. Principles have to look at the threats and what can be contained in a very realistic way. The conversation has to be ongoing and evolutionary.”
More than half of CISOs in the Deloitte/NASCIO survey said that it is exactly these threats and this type of ongoing response that keeps them up at night, with a lack of budget resources being listed as the primary concern. 86% of CISOs in the survey said that insufficient funding posed the most significant barrier to addressing cyber security issues at the state level. These officials are also faced with a significant talent gap as state government IT positions often pay less than their private sector counterparts, and require working more slowly with older machines.
The National Institute on Standards and Technology (NIST) and Venafi recently issued a security bulletin that discusses the issue of fraudulent website certificates, these certificates may be accepted and users may be working as though everything is normal without knowing that the fake certificate is stealing sensitive information. These kind of attacks can be unleashed anywhere, and are difficult to prevent or respond to without proper equipment and staffing.
At the state and local government level, constant staff turnover also creates a challenge. The inadequate availability of cyber security professionals ranked among the top five barriers to addressing cyber security in the Deloitte/NASCIO study. As new administrations move in and out at the top resource planning priorities change. At the department level, staffers also move in and out with new administrations, positions get cut, individuals choose to return to private sector work or retire. Yet, the overarching security priorities of IT shops remain the same and threats continue to evolve. Staff training becomes more important as does more detailed screening of appointees and candidates for hire.
To deal with this, Spitler recommends focusing on developing privledged user access, “privledged users can be a way to contain access to certain levels but monitoring of these individuals is more than just knowing what they have permission to access. Organizations have to be aware of insider threats,” he says. Many of these attacks if done remotely can take a few minutes to a few hours – the timeline can be shorter if its being executed by an individual at a workstation who already has access.
Looking into the future, the top four threats anticipated by CISOs to have the greatest impact on state governments include: phishing, pharming and other related variants; social engineering; increasing sophistication and proliferation of threats, such as viruses and worms; and mobile devices.
Both reports recommend developing high-touch public-private partnerships that bring in a range of stakeholders to have candid security discussions up and down the chain. “It’s very hard to legislate security. Organizations and users have to be aware, you have to focus on human assets and understand that many of these attacks are done socially or physically. Communication and monitoring are two of the most important aspects to this,” Spitler says.