State and local governments host vast amounts of sensitive data — nothing top secret, but information that contains the intimate details of their citizens’ lives: children’s school records, driving records, voter registration information, contacts with police and paramedics, the list goes on. As more communities lean on the internet and the cloud to create efficiencies and to save money, that data becomes more vulnerable.
The promise of smart cities programs and interconnected federal/state/local databases can be dashed if the information is not secure. State and local government officials know this, and work to ensure their networks are as protected and stable as possible even as their security challenges grow more sophisticated.
It’s not a simple task for them. In my experience, state and local agencies find that the important work of IT modernization can also be expensive, complicated and time-consuming for their IT staffs, and that they need help managing the security of their new investments. I’ve helped numerous customers draw a roadmap to better security through services such as vulnerability assessments.
The current focus for cities, counties and states is on these areas:
The Internet of Things
The National League of Cities reported in 2017 that 66 percent of U.S. cities have invested in smart-city technology, such as smart streetlights that do everything from adjusting their own brightness to detecting illegally parked cars, or smart grids that enable utilities to distribute energy more efficiently.
The more systems that are connected, however, the more endpoints a government has to protect. There’s already concern about hackers attempting to disrupt a rush hour by taking over a traffic control system, for example, or polluting a water system by remotely changing water treatment protocols. A 2013 cyberbreach of a small dam in Rye, N.Y., could have given hackers control of the flood gates, except that a critical control cable had been physically disconnected at the time.
Agencies must ensure that they have appropriate security controls in place to separate IoT networks and devices from the rest of their systems, and that they control access to the devices from a secure operating environment.
The damage done by employees can be serious — but it’s not always intentional. Unless an agency trains workers to avoid falling for phishing attempts or other forms of social engineering, malware can enter a system with an unwitting click on a link in a legitimate-looking email. Verizon’s 2018 Data Breach Investigations Report found that email is the primary entry point for malware.
These breaches can reveal personal information such as driver’s license numbers, Social Security numbers and credit card or bank account numbers, as happened in email hacks of Idaho’s Transportation Department and Tax Commission in 2018. The exposure of personally identifiable information could put a state or other locality at risk of a lawsuit, although most legal action linked to hacks has so far been on a national level, against companies involved in high-profile breaches affecting millions of consumers.
Phishing emails are also a primary method for ransomware to enter and paralyze government systems. Already this year, cities such as Atlanta and Farmington, N.M., have experienced ransomware attacks.
As agencies across the country begin to connect to FirstNet, a national broadband network dedicated to first responders during emergencies, and as more communities begin to implement the digital Next Generation 911, the security of public safety systems becomes even more critical. FirstNet alone has nearly 30,000 connections into its network from smartphones, in-vehicle modems and other devices.
An overview of the two systems published by the National Association of State 911 Administrators notes that each is being coordinated at a different level: FirstNet by the federal government and Next Generation 911 by state and local governments. Ensuring seamless communications and interoperability between the systems is essential, especially at this early stage of the process.
State and local agencies must also be aware of modernization efforts happening at the national level. Federal agencies are required to comply with ever-stricter approaches to security, such as the Trusted Internet Connections program and the Federal Risk and Authorization Management Program. Local agencies interacting with the federal government must be able to integrate with these new, more secure systems as they share information and data.
The state of Missouri — which must defend itself against an average of more than 2 million cyberattacks each month — provides one example of a successful cybersecurity program, with a nationally recognized training program that has reached more than 40,000 employees, the creation of a statewide vulnerability management program and security solutions from more than 30 vendors. IT staff are now able to resolve incidents in about 5 hours, down from more than 110.
As Missouri has discovered, cybersecurity is an ongoing process. Searching for solutions to only the most recent problems may cause you to lose sight of the bigger and more dangerous picture.