County & Local

Counties need to inspire states to tackle cybersecurity

As cyber attacks grow in sophistication and quantity, county governments should take the lead inspiring state governments on cybersecurity, says a Virginia county CISO.

By Jake Williams

February 26, 2015

While cyber threats continue to press government and corporate officials to take greater counter measures, those challenges take on an added dimension for the nation’s 3,069 counties.

Even as budgets return to prerecession levels, the public’s rising expectations for digital services and the growing skill of hackers to exploit data targets make cybersecurity a top issue for executives who attended the National Association of Counties’ Chief Information Officer Forum held in Washington, D.C., last week.

“It’s a world that has changed dramatically over the last two years,” Phil Bertolini, the CIO in Oakland County, Michigan, said during a cybersecurity panel at the association’s annual legislative conference. “We thought we had the proper controls, but that all shifted dramatically as people found new ways to come after our data and our systems.”

David Jordan, the chief information security officer for Arlington County, Virginia, said the U.S. was “way behind” on cybersecurity.

Jordan told the audience that effective cybersecurity typically accounts for at least 1 percent of a county’s information technology budget, and that counties need to lead the way to inspire states to act more on the issue. Jordan even suggested that NACo form a lobbying group for cybersecurity issues.

“It’s going to require some regulation and some legislation to help secure our country,” Jordan said. “It has to start at the county level and the local government level. The awareness in the counties needs to drive this up to the states.”

Jordan cautioned that the time for action on cybersecurity is 15 years overdue.

“Most governments are failing that mission to their constituents,” Jordan said. “IT, if you think about it, is the bastard child in government. We didn’t exist 20 years ago — it was an IBM mainframe and a couple of operators keeping everything running. Now, it’s an expensive organization.”

Wanda Gibson, the chief technology officer in Fairfax County, Virginia, said the county has had a cybersecurity strategy since 2004 and currently works to ensure that cybersecurity is involved in every part of how the county operates — from the request for proposal for a new technology to the actual rollout.

“Security has got to be laced in every single area of the architecture,” Gibson said.

Now, as some counties are racing to catch up with cybersecurity, Jordan said officials should start treating the issue, and information technology as a whole, as critical infrastructure.

“The blood of the government is actually IT,” Jordan said. “Take away IT, everybody’s organization slows down.”

But in order to be the “blood” of government, IT programs at all levels need to stay focused on their IT and security goals, Jordan said. Effective IT is not a choice but a necessity. To retain that effectiveness, governments need to not get distracted by new, untested and nonsecure technologies.

“We spend a lot of time going out and getting the most interesting technology and pushing it into the organization. It’s wonderful, I’m all about new technology, but it doesn’t take much more effort to ensure that new technology is inherently secure,” Jordan said.