As cybersecurity practitioners who have spent decades in the battle to protect our country’s digital space, we must admit that we’re still talking about the same challenges year after year. At the top of the list is lack of visibility of cyber threats. Even though we have seen state, local and educational organizations make incremental changes and improvements in securing their networks and citizen data, we are, quite frankly, still far behind the adversary.
On a high level, we have yet to share real-time threat data as cyberattacks occur. Incidents are on the rise, with ransomware running rampant. Since 2016, more than 400 cyberattacks targeting local and state municipalities have been reported publicly, and that might be a fraction, because many might not even be reported. State and local agencies are direct targets of ransomware thanks to technical debt created by legacy infrastructure, a lack of resources, and lack of collaboration between governing bodies not only to protect shared data and networks but also to exchange real-time, early-warning insights on unknown threats hitting the public sector. While adversaries are launching sector-wide and supply-chain attacks to get the biggest bang for their buck, we’re fundamentally still defending on an individual basis. We need to shift to collective defense and create a “cyber radar view” for states to track and eliminate cyberattacks as they evolve.
On an operational level, most SLED organizations face human resource constraints, funding challenges, and training gaps. This current state keeps well-intended security advocates playing a constant game of “whack-a-mole.” Security practitioners often put out fires until the next attack pops up, rather than step back to detect threats proactively, make better security and operational decisions, and look at cybersecurity not as an IT expense but as part of broader digital transformation efforts. These efforts are intended to serve citizens better – from securely managing online utilities payments to taking advantage of digital-first learning environments; from evolving smart cities to ensuring safe water and reliable power.
What is a “whole-of-state” approach to cybersecurity?
Cyberattacks know no boundaries. So why should cybersecurity? It must transcend jurisdictions and historically compartmentalized agencies and organizations. It is understandable that most states struggle with a lack of authority as decision-making flows down to local governments and the education space. From a cybersecurity perspective, SLED organizations must take a more collaborative and informed approach to security not only to overcome this obstacle but also to realize the greater value of defending together instead of in isolation.
We call this strategy a “whole-of-state” approach to cybersecurity — one that breaks down the silos and enables real-time, cross-jurisdictional collaboration across the entire state to improve the cybersecurity posture of all stakeholders.
Greater visibility of the threat landscape
The greatest reward of this approach is broader, sharper visibility of the threat landscape. While we have seen an uptick in applying a whole-of-state approach, each state is iterating on this strategy in different ways. Visibility, however, is a common core aspect. After all, you can’t protect what you can’t see.
For some states, visibility means ingesting as many logs as possible. For others, who may be hesitant to place a network device on their infrastructure, visibility may mean leveraging scoring organizations to get a better sense of their vulnerabilities or deploying endpoint detection and response systems.
To us, visibility means automating threats across a collaborative cybersecurity ecosystem and building a real-time view of cyber threats during an attack’s early stages — not weeks after, as is traditionally the case. Right now, about one-third of local governments or counties wouldn’t even know they are under attack. We are committed to leveraging the cloud to create a radar-like view of the threat landscape at any given time.
At present, however, there is much fear, uncertainty and doubt about both the cloud itself and the threat information sharing needed to create a dashboard based solely on anonymized metadata and crowdsourced insights. It is therefore crucial to think of visibility not only from a tooling perspective but also from a data-centric mindset. Having a strong data strategy is fundamental. That means understanding what the personally identifiable information data is, who has access to it, whether it sits on-premises or in the cloud), and whether it’s encrypted at rest.
Gaining a clear understanding of the data strategy, as well as what is being exchanged and to whom, will help to alleviate the concerns about sharing anonymized threat information within a whole-of-state collaborative to build a real-time threat picture based on alerts that are automatically correlated.
Without a fundamental mind shift in cybersecurity all of us will still be talking about the same security challenges decades from now, as the threats continue to increase.
Pooling resources to upskill and train security personnel
With better visibility of unknown threats hitting the SLED sector, leaders can identify where the security gaps are for cyber defense and, accordingly, where to focus efforts to future-proof their teams through upskilling and targeted training.
By crowdsourcing and knowledge-sharing, already-strained security practitioners within a whole-of-state cybersecurity community, state agencies, local organizations, and schools can alleviate some of the personnel limitations that weaken their security posture. Even better, automating cybersecurity playbooks as much as possible through AI can take tedious workloads off analysts to enable them to focus on more strategic, proactive defense.
Getting ahead of the enemy through collective defense
As we all know, cybersecurity is never a one-and-done effort. It is continuous and always evolving. We have the collective defense technology available, including a secure cloud backbone and attack intelligence platform, to work together, as well as a call to action in the form of the State and Local Government Cybersecurity Act of 2021. We should aggressively pursue this objective.
We strongly believe that a whole-of-state approach to cybersecurity will get us all ahead of the adversary, now and well into the future.
Gen. (Ret.) Keith B. Alexander is the former director of the National Security Agency and founding commander of U.S. Cyber Command. He is currently the chairman and co-chief executive officer of IronNet, Inc.
Maria Thompson is the former chief risk officer for the State of North Carolina and a 20-year veteran of the U.S. Marine Corps, retiring as the cybersecurity and information insurance chief for the Corps. She is currently the state and local government leader for cybersecurity at Amazon Web Services.