A top federal cybersecurity official said Wednesday the Department of Homeland Security often lacks a clear picture of state and local governments’ network security, even as foreign adversaries increase their attempts to disrupt all levels of the public sector. And while federal agencies are getting better at working with state and local authorities, they face an ongoing challenge of staying ahead of an evolving threat landscape.
“We don’t have good visibility in the state and local dot-gov [domain],” Rick Driggers, the deputy assistant director for cybersecurity at DHS’s Cybersecurity and Infrastructure Agency, said at FedScoop’s FedTalks event in Washington.
Driggers said one of the most immediate steps state and local governments can take is to enact more robust information sharing with federal cybersecurity authorities. He said hackers, especially those backed by foreign governments, have increased their focus on state and local governments, raising the threat that a local population could suffer the brunt of a successful cyberattack.
“We’ve seen in the last couple years more focused attention from nation-state adversaries, particularly with ransomware to attack or cause disruption at the state and local level,” he said. “At the end of the day, the state and local governments provide a lot of very valuable critical services to their populations. Those services going down causes a lot of disruption.”
Many ransomware attacks on local governments have cut off residents from city services, including Atlanta, where municipal functions screeched to a halt in March 2018 after being attacked by the SamSam virus, and Baltimore, which was infected last month by RobbinHood malware, is still working to recover employee email, water billing services and real-estate transactions. That kind of disruption has the potential to instill fear in local populations, Driggers said, making the need for collaboration with the federal government more urgent.
But local governments aren’t always willing to accept help. Following his on-stage remarks, Driggers said DHS has offered its cybersecurity services in response to the Baltimore ransomware attack, but so far city officials have yet to take up that assistance. The attack is being investigated by the FBI, however, and the city has hired vendors to help recover its systems.
“We want to work with them to offer them our services and capabilities,” he said. “All the localities are different in terms of the laws and the resources they have to cover down on cybersecurity. The ability to hire and retain and pay cybersecurity professionals to be engaged, to work day in and day out, is a huge challenge.”
The workforce challenge is especially acute at lower levels of government. A Deloitte report commissioned last year for the National Association of State Chief Information Officers found that most states commit just 1 to 2 percent of their overall IT budgets toward cybersecurity, a figure far lower than that seen at most federal agencies.
Driggers pointed to CISA’s recent work with state and local election authorities securing voting systems as an example of the new partnerships being developed, but he said there’s plenty other work to be done.
“There’s also a lot of other infrastructure that the state and local community either owns or operates or they share a partnership with their local private sector,” he said. “And we want to make sure they’re leveraging the services and capabilities that we have and that we understand what the risk profiles are so we adjust the services and make sure that we are working on them.”
But even though cyber adversaries are becoming more persistent and expansive in targeting governments, he said, the means of attack often remain “low risk and high yield,” such as exploiting unpatched operating systems and using phishing schemes. That means cybersecurity improvements should go beyond acquiring new equipment and recruiting talented personnel.
“It’s not just about implementing technology solutions and having subject matter experts,” he said. “We need to make sure state and local employees, federal employees and, quite frankly, the nation understand basic, simple cyber-hygiene.”
Still, the benefits of information-sharing run both ways, Driggers told StateScoop. State and local governments that relay the malicious activity they’re seeing back to DHS helps the department protect federal networks, he said.
“They can share things they’re seeing around tradecraft and [tactics, techniques and procedures] of the adversary so we can help them mitigate,” he said. “It also helps us because it may be a unique indicator we can use to protect our federal dot-gov. We’re trying to work with anyone at the state and local level that will want to enter into an information-sharing agreement.”
CyberScoop’s Sean Lyngaas contributed reporting.