Two months into his new role as Washington’s chief information officer, Bill Kehoe said he’s wrapping his head around the most important projects he’ll face in the coming months, with the state’s transition to an enterprisewide approach to cybersecurity topping the list.
Kehoe, who spent seven years as King County, Washington’s CIO and then four years as CIO in Los Angeles County before starting as the head of Washington Technology Solutions on Aug. 1, told StateScoop this week that agency adoption of the state’s new cybersecurity services is high. That’s promising, he said, because beyond the technical intricacies that lie ahead, the main hurdle to achieving an enterprisewide approach to cybersecurity will be consolidating the disparate approaches, or cybersecurity “cultures,” that have spawned across the state over the years.
“My past experience is that when you’re federated around security services, each agency has its own culture and its own sense of urgency around security and how they view security,” Kehoe said. “When they move that to an enterprise service perspective, you’re trying to get a high level of monitoring and urgency throughout the whole state.”
So far, he said, the state’s new enterprisewide security services include a standardized solution for end-point security; a security information and event management service, which aggregates device data to warn of potential threats brewing in the organization; and new identity services, which Kehoe said are particularly important given the recent attack patterns of bad actors.
“If they can compromise an identity, especially a privileged identity, then they can get into your email and try to traverse your network,” he said.
Many ransomware attacks, which have spiked to all-time highs in state and local government, begin with phishing attacks, which, if successful, allow an actor to gain access to a privileged user’s identity and load malware that can download ransomware onto the government system.
But ransomware isn’t the state’s only concern. Though Washington’s been transitioning its cybersecurity services to an enterprise model since 2019, Kehoe said, the work was given an additional boost by news in February that Accellion, a file-sharing and collaboration software vendor used by the Office of the Washington State Auditor, had been breached. That scare sparked legislation, which Gov. Jay Inslee signed into law in May, formally establishing the state Office of Cybersecurity as the leading organizer of cybersecurity efforts across the state and creating new reporting and auditing requirements.
“It’s a common model now to transition from a reactive approach, which is never good, to where you have more of an enterprise proactive visibility into the devices and the services that are connecting to your network and you have visibility into how secure those devices are and if they have the right security controls,” Kehoe said.
Kehoe said Washington has other priorities, too, including improving civic engagement — a necessity made particularly evident by the work performed by health agencies during the pandemic to rapidly stand up convenient services for COVID-19 test sites and, more recently, vaccine verification. And improvements to identity and access management, he said, bridge the state’s needs for improved cybersecurity and improved citizen services. But asked how he’ll go about consolidating the state’s cybersecurity culture, Kehoe said there is no magic solution.
“It takes time, it takes a lot of investment in the people side of the equation and just ensuring we’re all on the same page around critical vulnerabilities and making sure we’re remediating those as quickly as possible,” he said.