A majority of respondents to a recent industry-led poll said they doubted government's ability to keep their information safe or to prosecute those who steal private data.
Colin Wood is the managing editor of StateScoop. Before that, he was a staff writer for Government Technology magazine. Before that, he taught Engl...
New survey results released on Monday by research firm Accenture show that citizens generally lack faith in the ability of government to keep information safe and are calling for stronger protections.
Most — 74 percent — said they lacked confidence in their government's ability to keep citizen data private and secure, and 65 percent said they lacked confidence in the ability of law enforcement to investigate and prosecute on cybercrime cases.
Stronger policies and security measures are one path to renewed confidence, the data reveals. Sixty-six percent of respondents said they would sacrifice convenience for increased data security, and 63 percent said they would feel more confident if government agencies and service providers would create "stronger" data-privacy and security policies. Biometrics like fingerprinting were less popular, with just 47 percent reporting that such a solution would make them feel more confident.
Accenture's state and local security advisor, Lalit Ahluwalia, said this survey confirms that "cyber insecurity" remains pervasive and bolsters the existing belief among government agency leaders that cybersecurity should be a top priority. Indeed, cybersecurity was named as the top priority for state chief information officers for the fourth year in a row, according to an industry list.
In an email to StateScoop, Ahluwalia said most states have either developed or are in the process of developing security policies and manuals based off NIST or ISO frameworks.
"In some cases, these have been further tailored to meet the compliance requirements for datasets like PHI and IRS data," he said. "The main challenge though is around keeping them updated on a regular basis and consistent application of those policies to state infrastructure and applications."
The City of Boston's data security policy provides an example of how more sophisticated government technology organizations handle data security — the document categorizes data into three sensitivity categories, each with its own policies for transmission, legal requirements, storage, audit controls, and backup and recovery.
Andrew Therriault, chief data officer for the City of Boston, told StateScoop that his city is now working on a more "in-depth" process for opening government data while maintaining its privacy and security. The city is leading these efforts through the use of the Open Data Privacy playbook, a practical guide published by the Berkman Klein Center for Internet & Society in February, he said.
Ultimately, policies are just words on paper — agencies "need to act," said Lee Tien, senior staff attorney and Adams Chair for internet rights at the Electronic Frontier Foundation, in an email to StateScoop.
Having a policy doesn't mean an agency is being responsible with citizen data, he said.
"Does the agency actually have a good IT department that routinely patches and upgrades software and operating systems whenever security weaknesses are discovered?" he said. "Equally important, does the agency allow the IT department to do its job?"
The June 2015 Office of Personnel Management breach that compromised more than 21.5 million records may have fallen victim to this, Tien said.
"I’ve heard rumors that … the IT folks were trying very hard to upgrade people’s machines, but of course that means being without your laptop while they patch it. … So they were chasing people trying to make their machines more secure, but it’s not clear that the management of OPM made that a high enough priority for it to actually happen."
Maria Thompson, chief information risk officer for the North Carolina Department of Information Technology, told StateScoop in an email that, indeed, government agencies must look beyond policy and include governance, training and awareness, technical controls and continuous monitoring as part of their data protection efforts.
"Each control works in harmony with the other to fill the gaps where one may fail," she said. "A key aspect to the governance structure is accountability. We need to ensure those charged with the responsibility for the protection of the data understand the risks, and work together to ensure, not just availability, but that the confidentiality and integrity of the data remains sound. This can no longer be looked at as a security risk/issue alone, it is also largely a business risk."
A suspicious track record
Distrust of government's handling of private data is supported by data breaches and hacks on state and local government agencies reported weekly. Earlier this month, North Carolina officials accidentally disposed of records containing Social Security numbers. As many as 4.8 million users had their personal records compromised in March following a security breach of a workforce development service used by 10 states. Last year, a California government report showed that the records of more than 49 million citizens had been exposed within a four-year period.
Government's data privacy governance is increasingly undertaken outside the IT office and from within the legislature. A repeal of Obama-era FCC privacy protections signed by President Trump earlier this month threatens to expose a different set of personal data. The policy reversal allows internet service providers to sell data that includes browsing history, location, financial and medical data to advertisers.
The privacy protection approved under Obama's administration was never enacted, so while Trump's reversal did not change how companies handle data, the media's treatment of the issue boosted privacy's profile sufficiently to create new interest in privacy.
Civil rights advocates have long referred to privacy as one of the few truly bipartisan issues, but a Republican-led Congress' support of the new rule has prompted increased legislative activity at the state level, mostly by Democrats.
New legislation in Illinois would make it easier to find out what information companies are collecting about citizens online.
California and Connecticut both recently updated laws that restrict government access to online communications, like email, while New Mexico may soon follow suit, the New York Times reported.
Nebraska and West Virginia passed laws limiting how employers are allowed to monitor employees' social media accounts.
Legislators in Alaska stand by their decision to repeal Obama's privacy protections, calling the legislation "confusing" and "a major bureaucratic power grab by the FCC that would have created a patchwork of policies regulating internet privacy."
Politics aside, the Accenture report shows that those most likely to express confidence in the government's ability to protect data were millennials — people aged 18 to 35 — at 35 percent, while senior citizens — those 65 and older — expressed the least confidence, at just 16 percent.