COMMENTARY
Threat actors have paid particular attention to the public sector recently, increasing efforts where they know defenses are low and valuable personal data is available and potentially vulnerable. A CloudSEK XVigil report says cyberattacks on government agencies skyrocketed in 2022 by 95% over the previous year.
Unfortunately, security is a tougher job here than in the private sector because these organizations are intentionally exposed to deliver critical services to the public, and there is more personally identifiable information in play. These increased risks are compounded by public funding challenges that leave leaders with far fewer resources than would be accepted in the private sector.
Public Sector: Bigger Challenges, Fewer Resources
When thinking about how many people public sector organizations must secure, consider that the average US county has a population of 106,007, according to census data, analogous to all of Procter & Gamble's 107,000 employees. LinkedIn shows 403 P&G employees with the word "security" in their title — surely that's a larger staff than that of LaSalle County, home to more than 108,000 Illinoisans.
LaSalle's fiscal year 2023 budget for the entire IT function is just under $400,000, and its staff has done solid work in the face of a serious attack. This is the challenge the public sector faces routinely.
Beyond staffing levels, the organizational structure of state governments hasn't evolved with technological advances. IT remains a consolidated function that keeps the lights on by ensuring core infrastructure is running. A central IT group may operate on behalf of many agencies, but that level of integration and authority doesn't typically extend to cybersecurity, creating a patchwork of protection and a heavy burden for local IT administrators.
Increases in interconnectivity, remote employees, and citizen demand for online services mean this model doesn't work anymore.
A whole-of-state (WoS) cybersecurity strategy emphasizes information sharing, partnership, and collaboration in an environment of cost savings through economies of scale and centralized functions. It allows state leaders to assist in mitigating cybersecurity threats across municipalities, providing a cohesive approach and united front.
This type of blueprint is used in other areas of the government: Individual cities don't have the resources or expertise to deal with large storms like hurricanes, but if they do hit, the Federal Emergency Management Agency is there to assist.
Cybersecurity should also work this way, particularly as technology evolves and the number of tools grows. States like Oregon and Minnesota are adopting this framework and, as public sector attacks continue to proliferate, WoS (much like "whole of government") is emerging as an essential strategy.
Changing the Thinking
A breach at one organization can have far-reaching impacts across interconnected systems, like a 2018 cyberattack in Atlanta that crippled the city for a week and forced multiple services to revert to pen and paper. Despite the frequency of attacks expanding to other agencies, many continue to cling to the notion that they can manage threats independently with limited resources and expertise.
The fundamental mindset must shift from the virtues of independence to the very real requirement for cooperation. Attackers are increasingly working together, developing an economic ecosystem to support the development and delivery of these attacks. No single municipality or agency can compete with that level of investment, and it's unreasonable to expect them to anticipate and prepare for today's vast range of cyberattacks, or to find, hire, and retain the talent needed to defend against threats from sophisticated actors.
Pooling resources and capabilities under centralized state leadership expands the impact of threat intelligence, early warning systems, and rapid response. Statewide officers are in a position to raise the tide and lift all the ships. Though risks may materialize locally, underlying vulnerabilities and threat actors know no borders. A collective defense posture led by the state is not about ceding control but empowering local agencies to punch above their weight class.
For WoS cybersecurity to work, both sides need to buy in. Municipalities have to raise their hands and ask for help, and states need to be willing to provide it.
How to Pull It Off
The State and Local Cybersecurity Grant Program (SLCGP) provides funding to address the most pressing cyber-risks that threaten tribal, local, and state governments. The Department of Homeland Security has allocated $374.9 million to fund the program this fiscal year.
Through SLCGP funding, eligible agencies and organizations can develop and enhance their cybersecurity capabilities including network security, incident response capabilities, risk assessments, and cybersecurity awareness and training programs. Grants for this fiscal year begin at $500,000.
Once states and municipalities agree to develop and support a WoS strategy, it's important to increase and adopt efforts incrementally. Security training and phishing campaign awareness are lightweight efforts that serve as a great first step with WoS cybersecurity. With maturity and support from legislatures and municipalities, having all web traffic pass through the state's domain might be a logical early step.
Local leaders need to take an active role in ensuring their specific needs and goals are covered and advocate for their own most pressing needs. In Ohio, for instance, the Secretary of State required cybersecurity training for boards of elections before the election cycle, supporting efforts to improve and demonstrate the integrity of the system and its results.
Last year, 210 local governments and school districts in Massachusetts received grants to fund cybersecurity training for their employees, improving their cyber hygiene and measurably increasing their resilience.
Forming a United Front Against Attackers
Collaborating to take a WoS cybersecurity approach can create similar benefits anywhere. These strategies recognize the challenges posed by complex digital infrastructure and emphasize the shared responsibility of securing it. WoS cybersecurity is a united front to defend against threat actors, harden security posture, and protect the constituents who depend on government services.