Think back to the early days of the pandemic. State and local governments immediately ramped up essential services online as fast as possible—to help people locate things like vaccines, testing, childcare, and unemployment benefits. At the time, I was part of the Arizona Department of Administration and saw firsthand the urgency to launch critical services.
Consider unemployment benefits, for instance. All of a sudden, we had a massive influx of unemployed people desperately needing help, which overwhelmed legacy systems sometimes written in decades-old programming languages.
By and large, governments did heroic work to respond to the crisis. But IT workers in state government weren’t always able to thoroughly secure new sites or online services, or vet them to protect the valuable personal data these systems contain. That opened up big security gaps that hackers rushed to exploit.
At least 79 ransomware attacks targeted state, local, and tribal entities in 2020, according to the most recent figures available. The attacks led to downtime in 30 states and affected 71 million citizens, according to a report by the consumer security site Comparitech.
Some of the biggest dangers involved third-party applications. Some were on legacy systems that are difficult to patch. State agencies have old architecture and infrastructure, cobbled together over decades, and they don’t know how a new tool is going to react in that environment until they start using it.
Frequently, agencies are connected through a shared network. But networks are only as safe as their weakest link. Even if a department does every bit of patching and IT hygiene it needs to do, it remains vulnerable if the next agency down the line hasn’t done its job.
And many state and local governments don’t even know how many systems they have, or what they are connected to. I know of one Arizona state agency that did a remodel but left some computers plugged in and connected to the old network—and they literally built walls around them. Until we had modern endpoint protection services, no one knew they were there. And that obviously made them impossible to secure.
Imagine trying to secure your house but you don’t know how many doors and windows you have, or which ones may be left open. If you’re not bothering to understand your security vulnerabilities, it’s not hard for criminals to get in and take whatever they want.
A lack of cybersecurity professionals
It’s refreshing to see that state and local governments are finally catching their breath and putting a renewed emphasis on cybersecurity. Unfortunately, they are understaffed, often to a shocking degree. There’s a worker shortage across the board in cybersecurity. Many governments simply don’t have the people to do the work.
They often don’t even know how many people they have. For instance, in Arizona, we didn’t have a centralized cybersecurity staff. Big agencies, like the state Department of Transportation, had their own teams. When I became administrator of the enterprise security program in charge of Arizona’s cybersecurity, we wanted to find out how many cyber professionals worked for the state. We asked the state HR team multiple times. And the answer we received was: “We have no idea.”
Job titles could be very loose and might be different across agencies. In some places, people asked to cover cybersecurity had no formal background or training. They were just doing the best they could.
Meanwhile, government cybersecurity teams are working more hours for less compensation than they could get from a private company. Workers could get a job in the private sector in a heartbeat and double their pay.
And the pressure on them is enormous. They are protecting the “crown jewels.” State and local governments have some of the most attractive data to hackers: names, Social Security numbers, birth dates, addresses, bank account information, health records. It’s like an all-you-can-eat buffet for cybercriminals. Understaffed teams are working hard every day to protect sensitive data, but they are tired and overwhelmed.
Around the country, I have seen a renewed emphasis on bringing in more resources and people. When I was in Arizona, we started a college internship program to attract talent. We placed interns in our Cyber Command Center and also rotated them around different cybersecurity teams to give them a well-rounded experience. We also talked to students at high schools about going into cybersecurity and gave them tours of Cyber Command. And while we were doing that, we worked to close the gender gap in IT by talking to girls about their career options in the field.
Elevate the role of cybersecurity within leadership
States are finally recognizing the importance of cybersecurity. Arizona and New Jersey moved the CISO position out from underneath the CIO, for example. The Arizona CISO runs the state Department of Homeland Security, while New Jersey’s CISO is part of the state’s Office of Homeland Security and Preparedness.
These moves are important because CIOs are responsible for making things go and getting services out there. But CISOs are responsible for stopping things that are not secure. The two leaders can face competing priorities. By separating the CISO from the CIO, governments can create that separation of duty.
Arizona Gov. Doug Ducey actually made the CISO a Cabinet-level position reporting directly to him. That put cybersecurity on par with providing emergency services, food stamps, and everything else the state offers. I think the field is going to see more of that.
Governments must make cyber hygiene a priority
New federal funding is available to help states and local entities, but money alone won’t solve the problems. How you spend what you have makes a big difference.
State and local governments are turning to outside help. They are looking to replace their outdated specific-point solutions for each type of threat vector with easily expandable platforms. With modern, scalable endpoint solutions from Tanium, Arizona was able to patch about 326,000 vulnerabilities in a 72-hour window. That was more than we had been able to do in the prior six months, after we had gone fully remote.
The situation we faced in Arizona is similar to what exists in other state and local governments. But people don’t understand the challenges they face. I sometimes ask, “What is your confidence level in your patching?” And leaders respond, “We’re probably at 95% patched.” Then we look at their network and discover that they are indeed 95% patched on what they can see, but they are not patched on at least 30% of the endpoints they cannot see.
The bottom line: You can’t protect what you can’t see. How are you protecting yourself if you don’t have a clue what to protect? Without visibility, you will never be able to secure your environment.
After all, the good guys have to be right 100% of the time. The bad guys can take a day off. They only need to be right once. It’s time for state and local governments to take that warning to heart.