CHARLOTTE, N.C. — In an era of highly-publicized breaches of personally identifiable information, technology officials at all levels of government are looking to find ways to best protect the data on their networks.
For chief information officers and information technology directors in counties across the country with even more limited budget authority than state governments, that best practice comes through collaboration.
At the annual meeting of the National Association of Counties, chief information officers identified cybersecurity as their top priority for the coming year, something that Ralph Johnson, the chief information security and privacy officer for King County, Washington, said needed to continue.
“We need to make sure that [cybersecurity as a priority] stays that way and that we are getting the level of support that we need,” Johnson said. “We have to work together.”
Soon, county officials will be able to turn to NACo for cybersecurity advice. At the conference’s meeting of NACo’s Information Technology Committee, the group announced it would move forward with taking its current cybersecurity task force and transitioning it into a more permanent body within the IT committee.
Former NACo president Chris Rogers, who helped begin the process that led to the establishment of a more permanent cybersecurity agenda for the association, said that managing cyber risk was just like managing other critical infrastructure issues in counties.
“We protect ourselves from water, from fire, we protect ourselves from air, but the simplest thing that could happen to a county is hitting the wrong button on your phone,” Rogers said. “My main point was to really make this cyber message come to county commissioners. My hope was that if commissioners got it, it would help you when you needed the money.”
But that mission is still evolving, Rogers said. And the resources available through public and private entities can allow counties to best prepare themselves for the looming cyber threats that face local governments without significant budget investment. Oakland County, Michigan CIO Phil Bertolini plugged the G2GMarketplace, which the county launched and supports. The website contains several cybersecurity white papers and guides, in addition to the free CySafe assessment of a government’s cyber posture.
County CIOs encouraged their counterparts to work alongside multi-sector organizations to find low-cost best practices to help counties guard themselves against the threats cyber attacks present — a good place to start, according to Johnson, is the federal Department of Homeland Security.
According to Erin Meehan, DHS’ program director for state, local, tribal and territorial engagement in the agency’s cybersecurity and communications office, the department offers a series of assessments and technical services for state and local governments, including a cyber hygiene assessment and a risk and vulnerability assessment. Counties and other local governments can also go through a DHS-developed full scale incident tabletop exercise as a part of the National Cyber Exercise and Planning Program.
DHS’ assessments are built from experience gathered through similar assessments done through the department’s cybersecurity efforts at multiple levels of government.
The Multi-State Information Sharing and Analysis Center — a DHS funded effort through the Center for Internet Security — works alongside states that need help on cyber preparedness at no cost, according to Andrew Dolan, the center’s member services manager for partner engagement. By working with multiple levels of government, MS-ISAC gathers and provides actionable intelligence based on lessons learned from cyber incidents in multiple sectors and levels of government.
Dolan advises counties and states that reach out to MS-ISAC to start with a single step: making sure systems are current. As of July 14, support for Microsoft’s Windows Server 2003 ended — a pressing concern for governments, Dolan said.
“We need to make sure that we’re using equipment that’s as up to date as possible,” Dolan said. “If anyone is still using [Server 2003], you need to make plans to get off of it in the next month.”
By updating systems, Dolan said counties can address one of the biggest problems in cybersecurity: people.
“It’s a people problem,” Dolan said. “Whether it’s hackers coming at us or the training of our employees.”
According to Dolan, by leaving systems outdated and vulnerable, states are leaving themselves open to attacks from hackers that “are not geniuses.”
“These are people who are trying to victimize us,” Dolan said. “This is affecting all aspects of our life. No sector is safe.”
The focus at the annual conference on cybersecurity comes after the organization’s winter legislative conference encouraged counties to take the lead on cybersecurity — almost in a way that would inspire states to act further.