AI, zero-trust and outages: CIOs say cybersecurity is getting harder

Between AI-powered cyberattacks and major service outages, marketing taglines about sophisticated adversaries have never been truer.
cybersecurity in state government
(Giannina Vera / Scoop News Group)

It’s become an industry truism that cybersecurity threats are growing more sophisticated, but the last few years have sharply quickened the pace of work.

State technology officials told StateScoop that the recent advances in generative artificial intelligence, along with the shift to zero-trust security models and more frequent service outages, have their departments hustling. Alan Fuller, Utah’s chief information officer, summarized the state of cybersecurity today by saying it’s “a very, very dangerous world,” in which hackers in China, Iran, North Korea and Russia exhibit diligence and creativity as they continually wield new tools.

“We’re way past the days when people think cybercrime [is] like this teenage kid who hacks into the national defense system or something like that,” Fuller said. “It’s not that. We’re talking about sophisticated, professional, well-funded organizations where they have hundreds, if not thousands of people who show up to work every day in a nearly corporate-like environment to do cybercrime.”

But government’s not yet being overwhelmed: State officials also said that a heightened sense of danger has government, industry and the general public taking cybersecurity more seriously, an invaluable asset in a digital environment where bad actors are searching for any opening formed by carelessness or apathy.

“We’ve had these big oceans that protected us from physical attack,” Fuller said of traditional warfare. “It’s just hard to get here, and you take a place like Utah, especially, an interior state, we don’t think much about advancing armies, but with the rise of the internet and the rise of this cybercrime, a small town in rural Utah can get hammered by criminals from Russia or Iran or North Korea.”

A report from the nonprofit Center for Internet Security unsurprisingly showed that cyberattacks on state and local governments rose 148% between 2022 and 2023. Fuller said he’s noticed recently that email phishing campaigns, a common way bad actors try to steal credentials, have grown harder to detect, likely a result of generative AI’s capacity to rapidly draft unique texts that are convincingly human.

“We saw an attack that had over 400 emails. No two emails had the same subject, no two emails had the same body,” Fuller said. “And these phishing emails used to look like they were written by Nigeria or something — you know, bad grammar, they were off. Nowadays, phishing emails are good. It’s all too easy.”

‘Hard, very hard or impossible’

Government agencies aren’t only busy scanning their email inboxes. Virginia CIO Robert Osmond told StateScoop that everything about his job has become more complex as technology has advanced in recent years.

“I think IT in general is getting harder,” Osmond said. “It’s either hard or it’s very hard or impossible. And those are your three choices.”

Part of the heightened difficulty, he said, has been the state’s move away from the once widely used “defense in depth” security model, to zero-trust. If defense in depth is like locking up a house by installing alarms and putting bars on the windows, zero-trust is like installing cameras in every room.

And though the switch to zero-trust has proven a necessary change, Osmond said one troublesome upshot of the new paradigm is that there’s way more stuff IT teams must track.

“It’s a way of thinking about the problem, it’s a business process of how to approach cybersecurity, it’s a mentality,” Osmond said. “And so it’s a pivot, and it’s very common in many places, particularly banking. They’ve been leaders in terms of understanding that, and I think there’s a lot of things we can learn in the state government to do that more effectively.”

‘A little scary’

When CrowdStrike last July pushed out a faulty update to users of its Falcon security software, it disabled many computer systems around the world, grounding airplanes and halting news broadcasts. It wasn’t the world’s first major IT outage, but its breadth, owed to CrowdStrike’s large customer base, was noticed by state and local technology officials, who are tasked with forming plans that ensure their agencies can continue providing basic services to residents under conditions of all sorts.

Illinois CIO Sanjay Gupta was among those who couldn’t help but notice the outage, which is part of a trend he judged to be “a little scary.”

“I think we’re seeing a little bit more of the larger service providers having unplanned outages — and it’s not just cybersecurity, it’s across the board — and then tend to cause quite a disruption,” he said. “The idea was to rely on the service providers and they have reliable and robust services, and resilient services, but it turns out that’s not necessarily the case.”

Adam Meyers, CrowdStrike’s senior vice president of counter adversary operations, last month apologized for the outage before Congress, where he said the company is willing to cooperate with the federal Cyber Safety Review Board. He also outlined steps the company will take to mitigate future burps in service, including rolling out updates gradually, and giving customers more control over how they install updates.

Just the same, Gupta said, recent outages have led him to think more carefully about his assumptions regarding technology, and he expressed hope other policymakers will also. He noted that it’s not tenable for state governments to purchase redundant products for all their services.

“I think we all as an industry should be questioning that,” he said of companies’ service delivery models. “I’m not suggesting the models are wrong, [but] I think the industry at large needs to look at that and see what can be done to ensure the resiliency of those. When you become a large player and you’re a large service provider, I think it behooves you to have a more resilient service delivery model.”

‘Bad stuff,’ good things

“It’s no longer hard for threat actors to do bad stuff,” New Jersey Chief Technology Officer Chris Rein told StateScoop.

But he said the constant pressure placed on government by its adversaries hasn’t been all negative — that pressure also brought welcome changes in the industry.

The severity and frequency of attacks have made it normal for technology companies to lace all of their products with cybersecurity features: “It’s never an afterthought anymore,” Rein said. And with bad actors finding success attacking everything from AT&T to the Los Angeles Unified School District, cybersecurity professionals have had ample opportunity to contemplate where others went wrong.

“There’s a recognition in the cyber world that you can’t fix or improve cybersecurity with tech only,” Rein said. “You can’t just buy this product or buy this feature or buy that add-on, but it’s so clearly now people and process as much as technology.”

The norm of tumult has also upset the nascent industry of cybersecurity insurance, the cost of which continues to rise and in 2022 rose by more than 25%, surpassing the premium hikes of all other types of insurance. With rates often reaching into the millions, Rein said he’s seeing more states opting instead to stick their cash in savings.

“We are not one of the self-insured states, but we are looking harder at it now than we ever have with our treasury department and our risk-management folks,” he said. “The underwriters and the insurance companies, they’re becoming more and more aware, probably because they got burned more than a few times and started saying, hey this wasn’t an anomaly, this was a trend.”

Rein said he’s also noticed that insurers are being more careful. Where they once used to ask whether his state “uses multi-factor authentication,” actuaries now ask a more specific question: “Does every single user have multi-factor authentication enforced?”

‘It’s not secure enough’

State and local governments may have yet to feel the full force of AI-powered cyberattacks, but IT leaders aren’t out of ideas to defend their networks. They’re using the latest technologies to reinforce their cyberdefenses, too, such as by using AI to passively hunt for threats.

Fuller, Utah’s CIO, estimated that the days are numbered for the username and password authentication scheme.

“It’s just not cutting it,” he said. “It’s not secure enough. We need to go to a decentralized identity model where the user holds their own credentials. It’s a verifiable, [meaning] the issuer with the credential issues cryptographic codes stored in a verified data registry, there are public keys so a user can scan and verify that credential as both the issuer and the holder of the credential are accurate. Without having that, our online stuff is going to continue to be a big risk for fraud.”

In Virginia, Osmond said that when considering cybersecurity, he reminds himself not to reinvent anything, because there are already lots of sophisticated tools out there.

“I get a tremendous benefit from talking to vendors,” he said. “This is their business and their livelihood. … Understanding that no one vendor has all the answers. You’re gonna have to talk to a lot of people, but as you stitch it together you find that everybody has a piece of the puzzle.”

And with all the rapid changes in technology, Nevada CIO Timothy Galluzi said training staff on the latest cybersecurity practices remains one of his most important initiatives. In that respect, he’s in the majority. A recent survey from the National Association of State CIOs showed that training was the most common use of federal cybersecurity grant funding.

“What we’re doing is really educating our folks to really just stick to your processes,” Galluzi said. “Stick to your procedures. If someone tries to get you to go outside those procedures, you really need to double check that.”

The cybersecurity threats facing state and local governments continue to grow more numerous and advanced, but officials say their organizations have new tools and techniques of their own.

This story was featured in StateScoop Special Report: Cybersecurity 2024
