Cyberattacks on federal, state and local government networks have become an increasing problem over the past several years, with no end in sight. Examples of recent high-visibility attacks abound. Perhaps the most notable was the attack on the U.S. Office of Personnel Management (OPM) discovered on April 15, 2015. The OPM fends off over 10 million attempted cyber intrusions every month. These are usually “commonplace” phishing and spam attacks familiar to every large organization. This attack was different, and when the attackers were eventually repelled about two weeks later, the complete personnel files of 4.2 million employees, past and present, had been grabbed, along with approximately 5.6 million digital images of government employee fingerprints. Many other government agencies have their own horror stories, including the Internal Revenue Service, which has been a regular target.
The alarming trend was confirmed in a cybersecurity analysis, the “2017 U.S. State and Federal Government Cybersecurity Report,” released on August 24, 2017, by SecurityScorecard, a security rating service. The Report analyzed 552 federal, state and local organizations and ranked the government 16th out of the 18 industries analyzed, ahead of only telecommunications and education. Industries ranking better included health care, transportation, financial services and retail. Fortunately, while the report focuses on uncomfortable government failures, it also provides a thoughtful path to improvement. The Report is a must-read for government board members.
The most prevalent cyberattack risks for government organizations include:
- Government organizations tend to struggle with “basic security hygiene” issues, such as password reuse on accounts. Adherence to outmoded password-update protocols is a significant issue. No one has escaped the frustration of using, remembering and updating passwords for the growing number of devices, sites and apps in use every day. It is estimated that on a given day, the world collectively spends an equivalent of 1,300 years simply typing passwords. One study concluded that an average user has 6.5 different passwords, 25 accounts requiring passwords and enters an average of eight passwords a day. Recent suggestions that changing passwords regularly can, in fact, cause more problems have not been fully embraced. Government organizations are frequently delinquent in updating or replacing outdated software, patching current software and installing individual endpoint defense protections.
- Poor management of both older, rarely used devices and newer ones exposed to the public Internet, from laptops and smartphones to Internet of Things (IoT) units. “Even things like emergency management systems platforms from the mid-2000s were available to the public,” said Alex Heid, SecurityScorecard’s chief research officer. “There were more IoT connections available from government networks than I would have expected,” Heid said. Each device, from government vehicles monitored by the organization to automated security entrances, is also capable of becoming an entry point for hackers to a much larger government universe. Forbes simplified this: “If it has an on and off switch then chances are it can be a part of the IoT.” BI Intelligence predicts that there will be “more than 24 billion IoT devices on Earth by 2020.” That equates to about four devices for every person on the planet.
- Many government organizations have simply not kept up with the new cybersecurity environment and have not developed the capabilities to combat the threat. Ironically, large government agencies are often the most aggressive investors in new technology. The problem seems to be that complexity and bureaucratic delay prevent massive cybersecurity technology platforms from ever being fully implemented. When newer and better solutions appear, as they do more frequently today, the older technology remains. “They’ll implement a technology when it’s very new and then it’ll just sit there and age. This creates a mix of emerging technologies, which might be misconfigured, or not everything is known about them yet, with legacy technologies that have known vulnerabilities and exploitable conditions,” said Heid.
Risks for Government Groups
For government groups, SecurityScorecard’s Report determined that cybersecurity deficiencies are consistent across large and small organizations alike. State and local agencies have seen a corresponding increase in serious cyberattacks. In October 2014, the City of Phoenix’s network was shut down for an hour as the result of a denial of service (DoS) attack. The attack blocked all access to the city’s website and online services and disrupted the police department’s computers. In that same month, the Oregon Employment Department (OED) was required to notify more than 850,000 individuals registered with WorkSource Oregon Management Information System that their personal information—including Social Security numbers—might have been compromised.
The silver lining here is that because similar cybersecurity issues are experienced at the local, state and federal levels, the same types of strategies can potentially be applied widely in an effective way. For example, governing boards at all levels can and should pay close attention to federal cybersecurity legislation and regulation. The National Institute of Standards and Technology (NIST) published The Cybersecurity Framework (NIST CSFW) in February 2014. The stated goal of the group was to develop a framework that would support organizations in their management of cybersecurity risk primarily in the nation’s critical infrastructure, such as power grids, utilities and bridges. Subsequent regulations and executive orders have refined the protocol for addressing cyber threats.
Local and state governing boards can also look to successful approaches in other local jurisdictions. Many states have found solutions through the work of specially formed commissions, boards, working groups and task forces to gather information from federal and other state resources and to develop plans to address cyberattacks. For example, in 2013, the State of New York created the Governor’s Cyber Security Advisory Board. The board was tasked to “…advise the administration on developments in cyber security and make recommendations for protecting the state’s critical infrastructure and information systems.”
In October 2015, Michigan released a remarkable report, the Cyber Disruption Response Plan (CDRP). The Plan was generated over a period of years, with extensive collaboration among various state agencies. The CDRP was praised by many, including federal partners, other states’ corresponding leaders and IT professionals, and serves as a hopeful example for other states and localities.
The question now is how effectively legislation, successful state and local initiatives, and growing awareness of the threat can help in the development of state, local and federal policy. This challenge is the crux of government boards’ awesome responsibility.