City

State and local IT officials aim to follow Biden cybersecurity order, survey finds

SolarWinds found that while not bound to it, many state and local IT officials are trying to adopt parts of the White House's cybersecurity directive.

By Benjamin Freed

January 11, 2022

President Joe Biden speaks during a memorial service for the late US Senate Majority Leader Harry Reid at The Smith Center for the Performing Arts in Las Vegas, Nevada, January 8, 2022. (Saul Loeb / AFP / Getty Images)

A heavy majority of state, local and education IT officials say their organizations are likely to follow the practices laid out in the sweeping executive order President Joe Biden signed last year targeting the federal government’s cybersecurity, according to a survey published Tuesday by the network-monitoring software company SolarWinds.

The survey, which interviewed 100 state and local officials and 100 education-sector officials, found that 67% are “somewhat likely” to adopt practices and activities outlined in Biden’s order, while another 19% said they are “very likely” to do so.

The order Biden signed last May 12 targeted strengthening breach-notification rules for federal contractors, establishing incident-review processes, including a review board, and mandating that government agencies implement practices such as multi-factor authentication and stronger data encryption.

While the White House order is only binding at the federal level, the survey suggests it’s had a downstream effect in the eight months since its implementation. Some state CIOs have said in recent months that they try to adapt directives like the cybersecurity order to fit their agencies, even if there’s little guidance for doing so.

“You get these executive orders but they don’t come with any road rules for how to implement them at the state level,” New York CIO Angelo “Tony” Riddick said during a November event. “Generally we parallel federal government with regards to regulations, policies and rules.”

Biden signed the order after several major breaches against critical-infrastructure suppliers and government technology vendors, including SolarWinds, which in late 2020 was discovered to have had malicious code injected into its software-update supply chain in an incident that the United States has formally blamed on Russia.

The survey SolarWinds released Tuesday made no mention of the breach, but the company did ask its pool of IT officials to name who they see as the most consistent threats to their cybersecurity. And while nation-state operators were named as the most likely threat by the 200 federal officials SolarWinds queried, state, local and education officials were more likely to name the “general hacking community” and careless or untrained insiders, such as employees who mistakenly click on phishing links that can trigger financial scams or ransomware infections.

Sixty-three percent of state and local respondents named the hacking community as a top threat, followed by 51% who said untrained insiders and 46% who cited foreign governments. The results were slightly different in education, where untrained insiders led with 53%, followed by hackers and malicious insiders.

But overall concerns about cyberthreats is rising across the entire public sector, the survey found, with 66% saying the ransomware threat has grown over the past year, while 60% said their organizations have not improved their response times when an incident occurs. Meanwhile, half of state officials who responded said their organizations’ budgets are insufficient for maintaining or improving IT security.

Those concerns track with the National Association of State CIOs’ most recent survey of chief information security officers: In 2020, states on average allocated just 3% of their tech budgets toward cybersecurity.