The 2019 year-end recap episode of StateScoop’s Priorities podcast touches on several of the most outstanding stories of the year — from the bizarre dealings of a company called Transparent Business that is lobbying for states to buy its monitoring software to track every mouse click and key tap of their third-party vendors, to the year’s unprecedented 25 state CIO transitions — but talking with Doug Robinson, executive director for the National Association of State Chief Information Officers, made two things clear above all else: 2019 was the year of ransomware and there’s little time to dwell on it — 2020 promises even greater threats.
“No one’s immune from this,” Robinson says on the podcast. “The bad actors are becoming more sophisticated. They are using more sophistication in terms of their approaches in social engineering. They’re using social media, using knowledge of the organization, so we’re seeing a lot of that, which is certainly problematic. They’re using AI to look to have more insight into the organizations that they’re targeting.”
State agencies have proven better prepared to handle the escalating barrage of cyberattacks and are increasingly finding ways to support under-resourced counties, cities and municipal districts that are each week blindsided, adding to a growing tally of victims.
Henry Sowell, director of solutions engineering at the software company Cloudera, who joined Robinson on the podcast, says many of the government organizations he works with need more help protecting themselves.
“We still see several state and local agencies that are highly reactive,” Sowell says. “A lot of that is based on budget constraints in their environments and it makes it difficult for them to get ahead on these initiatives.”
Though state governments can provide localities affected by cyberattacks with resources such as checklists and remediation services, they’re unlikely to provide funding to ensure the victims are better protected, Robinson says. If funding is to come from anywhere, he says, it will be via federal policy.
“Certainly we are hoping we see something in 2020 around potentially federal funding around state and local cyber assistance and cyber resilience,” Robinson says.
The likelihood of additional cybersecurity funding for state and local government becoming available is encouraged by state government’s evident progress in working with federal officials to change cybersecurity regulations. For several years NASCIO has been asking federal agencies for a more unified set of regulations instead of the conflicting array of requirements state agencies are currently asked to follow — coming from the FBI, IRS and everywhere in-between.
Though progress is slow and many of the disruptive consequences of these federated regulations persist — such as state technology offices being repeatedly audited for the same projects, but by different federal agencies, sometimes within the span of several months — Robinson says he expects the Government Accountability Office to release a report in early 2020 that nudges the discussion another step closer to NASCIO’s target of a “harmonized” regulatory environment for cybersecurity.
NASCIO will also release its revised federal advocacy priorities in January, Robinson says, among the first in a chain of notable events sure to arise in the coming presidential election year.