Alaska Gov. Mike Dunleavy last week dismissed the state’s chief information security officer, Shannon Lawson, following an order that all of the state’s at-will employees offer their resignations following the governor’s inauguration. Lawson learned Thursday that Dunleavy, who was elected last November and sworn in Dec. 3, accepted his resignation, effective immediately, he told StateScoop in a phone interview.
Lawson, who has held IT security positions with the U.S. Navy, the National Security Agency, Science Applications International Corporation, and spent nearly a decade with the Space and Naval Warfare Systems Command, joined Alaska as its top cybersecurity official in September 2017. At the Office of Information Technology, Lawson worked alongside then-Chief Information Officer Bill Vajda, who resigned in September.
Lawson also said that in addition to his departure, Dunleavy is making quick changes to the state’s information technology office. Shortly after taking office, the new governor hired Peter Zuyus, a long-time telecommunications industry professional, as Alaska’s new CIO. (According to a resume provided to StateScoop, Zuyus has worked in various executive leadership roles for Boston Communications Group, Novatel, Voice Systems Technology, Inc., and other firms in the U.S. and Canada. The document also shows he served three years in the U.S. Navy in the 1960s, and provided technical support for the Mars probe working out of the Jet Propulsion Laboratory in Pasadena, California.)
But Lawson said the biggest change underway is a result of one of the biggest projects he undertook during his tenure: the creation of a master agreement that allows all public entities throughout the state to purchase cybersecurity tools using the state government’s purchasing power. A three-year $11.6 million contract awarded in October to Evotek represents “the largest state spend of cybersecurity ever,” Lawson said.
Through the agreement, Alaska’s state agencies, courts, cities, boroughs, tribes, libraries and universities can purchase tools offered by 12 vendors selected by the technology office, including Akamai Technologies, RiskSense and Zscaler.
“This is huge, huge, huge,” Lawson said.
Previously, the state held an agreement with McAfee as its sole IT security vendor. Extending that agreement would have cost the state $5 million for an additional three years, and though the new agreement is more than double the cost, Lawson said, it comes with increased capabilities and gives public entities a new option to bolster their defenses.
A ransomware attack last year crippled email and other systems in the Matanuska-Susitna Borough, forcing employees onto typewriters. The city of Valdez paid its ransomers nearly $26,000 in bitcoins to regain control of its systems and data. The state’s new security agreement is a “direct response” to those two incidents, Lawson said.
“Nothing like this has ever been done before [in Alaska],” he said. “But it’s necessary. The state as a whole is very, very vulnerable.”
The final results of an internal review of the state’s cybersecurity posture have not been made public, and Lawson would not reveal any details except that they were “not good.”
While the new cybersecurity framework was much-needed, establishing it was difficult, Lawson said, because the state has two “preferred vendors” — World Wide Technology and SHI International Corp — that have been made easier to buy from. Deviating from these vendors requires additional paperwork and a rationale for the deviation, he said, but noted that he didn’t want to use them because World Wide Technology isn’t a security company and SHI is a software reseller.
“Going through the RFP process is harder but keeps things fair,” he said.
Other security changes put in place during Lawson’s time with the state include a security operations center that was completed in Juneau in October. The state also deployed a new email tool from a company called Proofpoint that Lawson said has caught two instances of “Emotet,” the same malware that took out Matanuska-Susitna. And a team of five security engineers was assembled to ensure security is baked into agency projects from the beginning.
“[Most agencies] don’t have qualified security engineers,” Lawson said. “They don’t even have unqualified security engineers.”
The state has also created an incident response plan and now holds a company on retainer that can help manage operations and communications during major attacks like the two last year.
Each of these upgrades is a step in the right direction for the state, Lawson said. The new statewide security agreement with its menu of security tools will go a long way in particular, he said, to preventing future incidents, even if it won’t fix the state’s security issues overnight.
“If you can at least buy a few of these things,” he said, “you’re a whole lot better off than you are now.”
Editor’s Note: This story was updated on February 7, 2019 to correct an error regarding Peter Zuyus’ past employment.