Hurricane season is upon us, and many state and local governments are preparing their emergency response teams. But even as agencies prepare for high winds and flooding rains, they are already feeling the effects of a different type of storm: a cybersecurity cyclone that has been gathering steam for years and is now right at their doorsteps.
Just like the named storms that churn out in the Atlantic, the cybersecurity cyclone is comprised of competing forces. There are the hackers, ever determined to compromise state and local networks through ransomware, malware, and other malicious types of threats. Then there are the mechanisms put in place to combat these bad actors, including cybersecurity plans designed to fortify state and local IT networks.
Cybersecurity readiness is so important that many states are now being graded on their efforts. SecurityScorecard, for example, assigns letter grades to states based on their overall security postures. Spoiler alert: the 2018 report shows that there’s still a lot of room for improvement.
That’s because states are playing catch up. Unlike federal agencies, which have been dealing with and preparing for escalating cyber threats for decades, the impact on state and local governments is a fairly recent phenomenon. But with election hacks and data breaches becoming the new normal, they are realizing that there is a growing clear and present danger. Just ask the city of Atlanta, which is still recovering from a massive cyber attack that occurred earlier this year. Or the state of Texas, which deals with an average of billions of attempted cyber attacks every month.
Reinventing the cybersecurity wheel
Many states have responded by developing their own homegrown cybersecurity plans but, in doing so, they’re actually spending time and money reinventing a wheel the U.S. government already created. For several years, federal agencies have successfully employed initiatives like the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Federal Risk and Authorization Management Program (FedRAMP) to bolster their security postures.
In fact, these programs establish cybersecurity standards that can be just as effective at the state and local levels as they are for national agencies. So why haven’t states adopted these measures? Why are they spending time, money, and resources creating their own security plans when a solid foundation already exists?
First, many state and local government representatives are not even aware of their existence. For instance, I recently had the pleasure of speaking with some of the senior leaders in a particular state about their cybersecurity plans, which were eerily similar to the federal government’s Federal Information Security Act (FISMA). One problem: they had never heard of FISMA. As such, they didn’t know that many of the plans that they had painstakingly developed had already been outlined by Congress in 2002.
Second, many state and local officials in charge of developing their agencies’ cybersecurity protocols are political appointees who have not spent their entire careers living and breathing security. While most come from IT backgrounds, they may not have spent decades tracking ever-evolving cyber threats and how government and industry have already addressed these challenges.
Third, many of those who are aware of the federal programs tend to view them as too complex or buttoned-down for their needs. They may say, “Well, that’s great that the NSA has all of those protocols in place for national security, but why should I need those for my state’s health department?” And they’re right. They may not need to check all of the security boxes that the NSA or the Department of Defense needs to mark off.
But that’s not the point. The point is that those larger federal agencies have created a viable template upon which state and local organizations can develop their own security programs, without reinventing the wheel.
Passing down security standards
Over the years, the federal government has engaged in an active effort to standardize security procedures so that they can work for all agencies, not just federal organizations. For instance, FedRAMP, the government’s program focused on the security of cloud products and services, is not exclusively for federal agencies. It is applicable to any agency that purchases cloud solutions. Meanwhile, FISMA provides a single model, process and set of security controls that can ease the burden of security management regardless of agency size or scope.
The open source software community has played a large role in simplifying and standardizing cybersecurity protocols so they may be easily adopted by all agencies, including those at the state and local levels. Several years ago, open source developers and industry helped NIST build a shared knowledge base of threat information called the National Vulnerability Database, effectively creating a scalable and centralized source of cybersecurity threats applicable to state and local governments.
The community has also worked with organizations like the NSA Information Assurance, NIST, and 18F, the agency that teaches government to act more like a startup organization, to standardize cybersecurity measures at the local level. The community worked with the FBI to open source the “Criminal Justice Information Systems” baseline, which is comprised of security standards identified by the FBI as helping local police departments, state-level court systems, and others in charge of protecting criminal justice information. It has also developed technology that lets local healthcare Chief Information Security Officers decipher highly complex information required to meet federal and state-level cybersecurity requirements. The open source community has also worked with 18F to create the OpenSCAP, ComplianceAsCode, and OpenControl projects to document security protocols in standardized ways.
An open page from the federal playbook
It’s taken some time, but the fruits of that effort are starting to be realized. States like Virginia, Massachusetts, Minnesota and Texas have all begun drafting plans that draw heavily from federal security programs. And, as they continue to modernize their IT infrastructures, they are doing so with solutions that do not compromise security for speed.
Many of these solutions are open source software, which makes sense. The open source community was there at the beginning, helping to formulate security policies for federal agencies. Now, it is there for state and local organizations, providing them with consultation and security-hardened software that can accommodate their private, public and hybrid cloud environments.
As state and local agencies prepare to navigate the stormy cybersecurity waters, they can take heart in knowing that others have already navigated this journey. Indeed, federal agencies, in tandem with the open source community, have already charted a course. Instead of going it alone and building programs from scratch, state and city governments can simply follow their lead.
By Shawn Wells, Chief Security Strategist, U.S. Public Sector, North America, Red Hat
The Gallery is a forum for ideas and examination of matters facing state and local government. Readers, members of the media, academics or the business community are invited to submit guest columns to bailey{at}civsourceonline{dot}com. Member of the public sector? We’re interested in hearing from you too. CivSource does not endorse the views presented in The Gallery, but offers them in an effort to present more diverse coverage. CivSource will review all submissions but does not guarantee publication of all works submitted.
