Cybersecurity nonprofit addresses 2016 threats for states, localities

The head of the Multi-State Information Sharing and Analysis Center shares what he's hoping to educate governments about in the new year.

With the dawn of a new year comes the emergence of cybersecurity threats both old and new for state and local governments, according to the nonprofit Center for Internet Security.

As 2016 opens, Thomas Duffy, chair of the Multi-State Information Sharing and Analysis Center that’s run by the nonprofit, walked StateScoop through the threats he’s hoping to prepare government IT workers to face over the coming months.

He noted constant growth in the attack surface available to hackers, as “we continue to develop technology at a much faster rate than our ability to secure it,” but he believes there are some concrete themes emerging for the new year.

In particular, he’s predicting a “growth in malware, such as ransomware” attacks in 2016, following a “big spike” in that area in 2015.


“There are more new variants that are getting harder to detect and harder to mitigate, and it’s been a tremendous challenge for small- and medium-sized local governments, which often don’t have mature cybersecurity practices in place,” Duffy said. “Even the larger cities and the states are certainly challenged by the work required and workforce skills required to secure the huge infrastructure they’re responsible for.”

[Read more: Cyber attackers turning toward states — StateScoop]

Another trend Duffy believes will continue in 2016 is attacks on major state universities, and he’s cautioning IT workers to keep them in mind when developing their security strategies.

“The universities are home to an awful lot of valuable intellectual property, so a lot of the major research universities are prime targets for attackers,” Duffy said. “There was a lot of activity in 2014, 2015, and we don’t expect that to slow down in 2016.”

Duffy issued a warning about vulnerabilities in content management websites at the National Association of State Technology Directors’ annual conference in August, and he reiterated that government IT workers need to vigilantly patch their sites to avoid creating any openings for attackers.


“All this software and all those plug-ins, they all need to be updated on a regular basis,” Duffy said. “We’ve gotten pretty good at updating the operating systems, but often the content management systems are forgotten about, or if they do patch them, they forget about the plug-ins and all the component pieces of the web server need to be patched and kept up to date.”

But more than anything, Duffy believes the ever-expanding complexity of government networks requires staffers to constantly evaluate their security concerns.

“Our networks have grown exponentially over the last few years, not just from the Internet of Things, but adding new technologies such as dual factor authentication and VPN connections,” Duffy said. “It gets very challenging, and a lot of it gets down to a workforce issue.”

Indeed, Duffy believes that all governments suffer from the lack of “an adequate cybersecurity workforce in the nation” and bolstering it can help them confront these various threats more effectively.

He commended Virginia Gov. Terry McAuliffe’s push to establish “scholarships for service” for cyber students as part of his new budget proposal, requiring scholarship recipients to take positions with the state once they graduate, as a step in the right direction in this area. However, he believes states and localities need to do their best to engage children at a much earlier age.


“Colleges have been trying to develop programs, but they’re primarily populated with foreign nationals, which will tell you our K-12 system is not preparing students for these types of careers,” Duffy said.

That’s why Duffy said his group will spend the next few months not only talking to government workers about cybersecurity threats, but also about how they can better engage the next generation of security staffers.

“Often we focus on the need for cool technology solutions, but we really need a trained workforce to implement the existing solutions that we do have,” Duffy said. “If you have young teenagers looking for a career, get them interested in STEM, we really need a renewed focus on that at the K-12 level. That’s where the jobs are.”

Contact the reporter who wrote this story at, or follow him on Twitter at @AlexKomaSNG.

Latest Podcasts