A group of local-government cybersecurity leaders agreed Thursday that their organizations’ cultural attitudes pose some of the greatest roadblocks to more secure systems.
The challenges, they said, include walled-off agencies, employees’ discomfort with mandatory trainings and users’ unease with increasingly standard procedures like multi-factor authentication and single-sign-on protocols. But those mindsets can ease the path for malicious actors seeking to freeze up government networks with ransomware or disrupt critical infrastructure like power and water facilities.
“The biggest issue is culture,” Shannon Lawson, the chief information security officer of Phoenix, said during an online event hosted by Data Connectors, a professional network for the cybersecurity industry. “We have a lot of siloed departments. We have a lot of people who still think this problem isn’t going to happen to us. These mistakes are costly.”
Dallas CISO Brian Gardner said his job has been made somewhat easier thanks to statewide regulations that require cyber hygiene training at least once annually for all state- and local-government workers. The regulations, which went into effect with a 2019 law, also give officials like Gardner the power to restrict network access for employees who refuse the trainings.
“It’s a little bit of a mountain to climb,” he said. “I got lucky.”
But training requirements with teeth only go so far. Maricopa County, Arizona, CISO Lester Godsey said the upheaval in government technology brought on by COVID-19 has brought many challenges related to how people interact with digital services, which have radically changed the user experience.
“We’ve all faced challenges with the accelerated availability of cloud services due to the pandemic,” he said.
Kristen Sanders, the CISO of the Albuquerque-Bernalillo County Water Utility Authority, in New Mexico, said that one step cyber officials can take is to make clear to both internal and external users the purpose of the controls they implement.
“It’s being seen as providing security as a service, rather than a hindrance,” she said. “The more restrictive you are, the more people will figure out how to go around your controls.”
Gardner agreed, saying that providing explanations of steps like multi-factor authentication and single-sign-on “makes [people’s] lives easier.”
“Now they can make their user experience a whole lot better,” he said.
Sanders did say that greater media coverage of ransomware and other threats has been one positive cultural trend, especially when it concerns critical infrastructure incidents like the ransomware attack on the Colonial Pipeline, which instigated nationwide panic-buying of gasoline, or the network breach last February of a water-treatment plant in Florida, which was found to be the result of weak password protocols. Both incidents dominated national and international headlines for several days.
“It definitely brought a lot of attention on bringing security into the operational technology side,” Sanders said. But the spotlight, she added, needs to be ongoing. “Not only having these recent events getting people interested, but making sure the focus isn’t just during Cybersecurity Awareness Month.”