Rising cyberthreats prompt new techniques in Virginia, CISO says

In the past 12 years that Virginia Chief Information Security Officer Michael Watson has been serving the Commonwealth of Virginia, technology — and cybersecurity especially — have changed dramatically.

On StateScoop’s Priorities podcast, Watson says it’s been “fascinating” to watch as the once-obscure field of protecting computers from hackers has become a mainstream concern and has captured the attention of a widening circle of policymakers within government.

“We’ve moved from this environment long ago of the basic blocking of ‘I don’t like this IP address,’ to these user-behavior analytics and trying to figure out attacks before they actually compromise an environment. It is an incredibly different world from where we started,” Watson says.

In Virginia’s cybersecurity environment, things have changed substantially, too, in recent months. The state ended its longstanding contract with its sole IT service provider, Northrop Grumman, and settled its lawsuit with the company last year, agreeing to pay $35.8 million to the company, roughly half of the $72 million the vendor claimed it was owed when the state tried to leave its contract early.

Now the state instead has a handful of smaller contracts with vendors under a new multi-sourcing model, led by the services integrator SAIC. On the podcast, Watson tells StateScoop this new model has complicated, but ultimately improved, the state’s cybersecurity operations.

“Artificial intelligence and machine learning and everything else is to identify the outliers or the ghosts in the machine, the items that need special attention, to find where the deviations from the standard are,” Watson says on the podcast. “I’ve had to learn more statistics than I like in my current role just looking for those types of things.”

The types of things Watson is looking for include ransomware, a growing threat for state and local governments that he says he’s definitely worried about. The heightened threat of ransomware and other types of cyberattacks has also forced states to offer support more frequently to their local governments. In Virginia, Watson says they’re still figuring out how to do that effectively.

“It’s not a great situation to be in,” he says.

Within the state itself, though, he says the technology office is making headway on raising cybersecurity awareness. Watson says doing “silly things” — like hosting game show-style quiz sessions and posting public service announcements in unexpected places — is often the most effective means of grabbing the attention of state employees who don’t initially believe that they’re prime targets for bad actors.

But ultimately, Watson says, the cybersecurity basics — like enabling network segmentation and two-factor authentication for applications — are often still the most effective means of stopping attacks — that, he said, and having a plan.

“On our side, we just do a lot of preparedness,” Watson says. “We do our best to make sure that if something like that were to happen, we understand what our steps would be. We have all of our information controlled correctly, we know what we would do. What I don’t know is the question of: ‘Do you pay the ransom or not?’”

On the podcast:

• Michael Watson, chief information security officer, Virginia
• Colin Wood, managing editor, StateScoop & EdScoop

Things to listen for:

• Watson explains that cybersecurity has changed dramatically in the past decade and now includes more work to preemptively detect threats using more sophisticated technologies.
• Though cyberattacks are also getting more advanced, the basic precautionary measures are still highly effective at stopping them, Watson says.
• Watson outlines how Virginia’s new multi-supplier model has complicated cybersecurity management, but that it’s advantageous.
• If a locality is truly struggling, the state will help, Watson says, but ultimately there aren’t effective and sustainable mechanisms for the Commonwealth to assist.

Produced in partnership with the National Association of State Chief Information Officers, Priorities dives deep into each of the top 10 priorities of state CIOs outlined in NASCIO’s annual list.

Listen to archived episodes of Priorities from Season 4 (2019), Season 3 (2018), Season 2 (2017) and Season 1 (2016). Catch all of StateScoop’s podcasts on Soundcloud, Apple Podcasts, Spotify, Google Play, Stitcher or Alexa’s TuneIn.