Helping State Governments Respond to Cybersecurity Incidents

When it comes to cybersecurity incidents, states bear a lot of the burden. They are responsible for protecting countless resources that provide essential services to citizens – from transportation and roadways, to school systems and Medicaid systems, to the energy grid and voting infrastructure. Here, Tanium’s EDR Director Jason Truppi shares his guidelines for how state governments can effectively respond to cyber attacks.

(Image: Jorge Guillen / Pixabay)

Ten states realized they had a cybersecurity problem earlier this year. A multi-state job board had been hacked, exposing the social security numbers, names and dates of birth of millions of members. When breaches like this occur, the obvious question is: how do you respond?

I discussed the topic of cybersecurity response plans with state officials and experts at the National Governors Association’s (NGA) regional cybersecurity summit in San Jose, Calif., in March. My fellow panelists included:

• Michael Garcia, Policy Analyst, Homeland Security and Public Safety Division, National Governors Association David Cagigal, Chief Information Officer, Wisconsin David Behen, Director, Department of Technology, Management and Budget, and Chief Information Officer, Michigan Michael Wyatt, Managing Director, Cyber Risk Services, Deloitte*

When it comes to cybersecurity, states bear a lot of the burden. They are responsible for protecting countless resources that provide essential services to citizens – from transportation and roadways, to school systems and Medicaid systems, to the energy grid and voting infrastructure. The wide variety and geographic location of these facilities only adds to the complexity. That’s part of why NGA chair and Virginia Governor Terry McAuliffe made cybersecurity his signature initiative, titled Meet the Threat. As McAuliffe said recently, states cannot wait for the federal government.

Throughout our discussion, one theme kept resurfacing: how important it is for states to have a response plan in place for when a cyber incident inevitably happens. While creating a response plan from scratch may seem overwhelming, fortunately, states don’t have to. The NGA examines the commonalities and differences in the cybersecurity response plans of 26 states in this white paper. And state CIOs and CISOs can refer to their statewide emergency operations plans as a template, or even write their plan as an annex.

Essentially, there are three key components to creating an effective incident response plan:

• Define the processes. Each type of potential incident should have its own set of clearly defined processes, because each type requires a different response. Not all incidents are breaches, and so, states must define a taxonomy of incidents, and the appropriate response for each. For example, someone losing their government-issued phone will not have the same response plan as an attack on the state’s energy grid.
• Establish and assign key roles. A response plan should establish who is responsible for each component of the response, and who the backup is. The responsibilities of each role need to be clearly defined so there is no overlap or confusion in responsibilities. Key roles should include legal advisors, managers, public relations, law enforcement liaisons and responders who have specific expertise, such as a network forensic expert.
• Practice the response. The old adage that practice makes perfect is a cliché for a reason. Practicing until your response is second nature can help states handle incident response without mistakes. A number of third party organizations have created cyber ranges that launch real incidents into a test environment, and push security staff to respond accordingly. IT staff should know what a breach looks like, and how they can use their own tools and processes in their own environment to quickly respond when needed.

Along with having processes and roles in place and experience responding to real incidents, one factor not always included in response plans is the technology itself. When responding to cyber incidents, speed is the critical factor. The quicker governments can remediate an incident, the more they can minimize the damage. With perennially understaffed IT departments, having technology that can automate tasks and quickly contain incidents can free up valuable manpower.

For more information, states can also refer to NIST Computer Security Incident Handling Guide and the National Association of State CIOs Cyber Disruption Planning Guide.

Learn more:

• Government IT leaders recognize need for speed
• NIST cybersecurity framework updates emphasize supply chain, metrics
• Why IT is failing at security hygiene

---

About the Author: Jason Truppi, director of technical account management at Tanium, is a career technologist and former FBI agent. Jason has many years of experience working in information systems and security. Prior to joining Tanium, Jason worked as an FBI Cyber Agent in New York City, where he worked on some of the nation’s largest national security and criminal cyber intrusions. He was later promoted to the role of Supervisory Special Agent in Washington D.C. where he was responsible for investigating major data breaches, hactivism and cyber extortion cases. At Tanium, Jason is helping to advance our cybersecurity products to enable corporate network defenders on an even larger scale. He is applying his skills and experience in incident response, penetration testing, analysis and threat intelligence to help solve the cybersecurity fraud epidemic of today.