Ohio CIO says pandemic prompted statewide cybersecurity push
When Ohio Gov. Mike DeWine sent the bulk of his 51,000 government workers home at the start of the COVID-19 pandemic in early March, one of the first things they were all required to do was go through the state-mandated cybersecurity training, even if they had done it recently.
“One of the things we instituted right away was taking the cybersecurity trainings, even if they had just taken them,” Ervan Rodgers, the statewide chief information officer, said during a panel discussion at an online conference Wednesday.
Speaking during CrowdStrike’s Fal.Con for Public Sector Conference, produced by FedScoop and CyberScoop, Rodgers echoed many of the findings his colleagues in government IT leadership have made during the health crisis about how the sudden and ongoing shift to mass telework has upended their practices. While he said Ohio’s pivot to remote work helped the state mitigate the coronavirus’ reach, Rodgers, who worked in the private sector before first joining government in 2014, said the public sector had to make adjustments much more quickly than it’s used to.
“As we have folks that are working remotely, unlike when I was in the private sector where it was second nature, in government it’s the total opposite,” he said. “When we got the call at the top of the pandemic it was ramping up from 5,000 people to 10,000 people to 40,000 to get those people to work from home so we could flatten the curve.”
A rapid move
But as other CIOs and information security chiefs have noted, moving workers from their desks at government offices with managed networks to kitchen tables and spare bedrooms connected via a home Wi-Fi connection has greatly broadened the target area for malicious actors.
“There was a rapid move of much of our lives online,” said Tonya Ugoretz, the deputy assistant director of the FBI’s cyber division. “A lot of us had to move to these platforms faster than we’d put in security measures in an ideal situation.”
One upshot of the pandemic is that reports to the FBI’s Internet Crime Complaint Center have surged. Between Jan. 1 and the second week of June, Ugoretz said, the IC3 had received as many complaints as it did in all of 2019, including at least 20,000 related to the coronavirus. Many of the complaints revolve around scams claiming to have cures for COVID-19, promoting phony charity drives or impersonating the Treasury Department with messages about stimulus checks and other financial relief programs.
But she said the cyberthreats raised by the pandemic go beyond obvious scams.
“We know what comes into IC3 is just a small fraction of the activity out there,” Ugoretz said. “At the same time we’ve seen other actors, including nation-states, scanning for vulnerabilities, conducting reconnaissance, conducting intrusions and attempting to steal data from U.S. universities and research institutions that are trying to deliver in response to the pandemic.”
Shared burden
But Rodgers and Ugoretz both said there’s also been a greater effort to share information about coronavirus-related threats between the federal and state governments and the private sector. U.S. authorities have issued multiple advisories about foreign governments and criminal groups attempting to take advantage of the health crisis.
“I take advantage of all the advisories,” Rodgers said, adding that he also relies on notices from the various information-sharing groups he belongs to, such as the MS-ISAC, and conversations with his counterparts in other states through the National Association of State Chief Information Officers. “We’re able to move information very quickly to warn one another or talk about an advisory that just came out.”
In Ohio, Rodgers said he’s also made efforts that cybersecurity practices flow downstream to the rest of the government and the public. State employees’ Outlook accounts, for instance, are configured with a button that allows them to report a suspected phishing attempt.
“I’d rather you tell me something and it turn out to be a false positive rather than it being something and you not telling me,” Rodgers said.
He also mentioned the CyberOhio program, which is aimed at sharing threat information and best practices with the state’s private sector.
“We’re pushing those trainings not only to government agencies, local counties, but we’re also sharing with the small businesses,” he said. “It’s everyone’s, not just IT’s, burden to bear.”