Cyberattacks against U.S. state and local government agencies have increased significantly in recent years. Roughly 44% of ransomware attacks worldwide are now targeting municipalities. Ransomware struck at least 2,354 governments, healthcare facilities and schools in 2020 alone. Too often, these attacks succeed because municipal governments, K-12 schools, and other small government agencies lack the staffing, tools, and expertise they need to defend themselves adequately.
What is a Whole-of-State cybersecurity strategy?
To help defend municipalities and other local governments from these attacks, some state governments are now adopting a Whole-of-State approach to cybersecurity. In a Whole-of-State strategy applied at the state level, the state government collaborates with smaller local governmental organizations to ensure that everyone is protected from threats. As part of this collaboration, state governments share training, threat intelligence, tooling, and other resources with municipalities and other local organizations to strengthen cyber defenses.
Let’s look at what’s driving this new approach to cybersecurity and the three key components — governance, implementation, and validation — that are needed to make it work.
Watch this “To the Point” video interview, in which Jennifer Pittman-Leeper explains what a Whole-of-State cybersecurity strategy is and how to get started.
An urgent need for better cyber hygiene
Numbers vary from survey to survey, but it’s clear that a disproportionate number of ransomware and other attacks are directed at state and local governments.
Why target these organizations? Some of the attacks are probably random, the result of attackers taking a “spray and pray” approach to targeting and just happening to hit state and local agencies.
In other cases, attackers might be targeting agencies because they suspect they have cyber insurance policies that will pay the ransoms and any necessary remediation costs. There’s some truth to this. In fact, when ransomware victims decide to pay, state and local agencies end up paying 10 times the amounts commercial entities pay.
Attackers might also be targeting municipalities and other small agencies, because they know that cybersecurity defenses are weaker at the state and local level. Most states spend only 1-2% of their IT budgets on cybersecurity, while federal agencies and commercial businesses spend 5-20%.
Finally, many local government services are considered essential, giving government leaders a strong incentive to pay ransoms and resolve an attack quickly. When a ransomware attack shut down government services for the City of Baltimore in 2019, for example, the effects on the city were widespread and costly. Property transfers couldn’t be processed, dragging down the real estate market. Citizens were locked out of the websites they used for paying their water bills, property taxes, and parking tickets. Remediating the effects of the attack took months and eventually cost the city at least $18.2 million.
With cautionary tales like that one, it’s not surprising that municipalities and other government organizations want to avoid falling prey to ransomware or other types of cyberattacks.
State governments realize they can help. Recognizing that municipalities and other local agencies are short-staffed and underfunded, some state governments are adopting a Whole-of-State strategy, pooling resources and sharing information to protect government organizations from the city to the state level.
“State governments are increasingly providing services to county and municipal governments, including endpoint protection, shared service agreements for cyber defensive tools, incident response, and statewide cybersecurity awareness and training,” the National Governors Association (NGA) and the National Association of State Chief Information Officers (NASCIO) wrote in their 2020 report, Stronger Together: State and Local Cybersecurity Collaboration. Since then, this movement has only gained momentum.
The components of a Whole-of-State cybersecurity strategy
A Whole-of-State cybersecurity strategy rests on three practices that work together. You can think of them as the legs of a stool. You need all three to make the strategy work.
These three practices are:
- Governance and policy making
- Implementation
- Validation
Let’s explore each of these in turn.
Governance and policy making
Good IT leaders will look to established frameworks such as the CIS Critical Security Controls or the NIST Cybersecurity Framework to lay the groundwork for a robust cybersecurity program. These frameworks help organizations establish standards for good cyber hygiene, determine acceptable risk thresholds, and define policies that can be enforced over time to realize those standards and address those risks.
In many states, consultants such as global system integrators have done much of this policy work. More recently, some states have brought this work “in-house” to the state’s homeland security department or a similar agency.
In general, it’s a good idea to separate the work of policy-making from the work of implementation. That way, policies can be thought through and developed based on industry-wide best practices, rather than being developed to accommodate the existing toolsets and practices (and habits) of a particular IT team.
Implementation
Implementation is the “action” phase of a Whole-of-State strategy. In this phase, IT engineers and managers put into practice the policies developed in the governance phase.
It’s also a common area for cybersecurity strategies to break down. That’s because, without sufficient coordination between the policy team and the implementation team, policies might be too sweeping or too expensive to implement. Policies should be rigorous, even bold, but they should also be practical.
To truly implement a multi-agency, Whole-of-State strategy, agencies, municipalities and other local organizations need to standardize on the toolsets and processes they’ll use for implementing policies.
If a new software vulnerability is announced, how quickly can the whole state – from the state government down to its municipalities – inventory all its IT assets to understand which endpoints need to be updated? If one IT agency develops a best practice, how easily can that best practice be shared across the state? If toolsets aren’t standardized, sharing knowledge and techniques, and answering those questions at all, is going to be far more difficult.
Implementation, ultimately, requires joint decision-making and coordinated investments across organizations to pay off.
Validation
Validation is the ongoing work of monitoring whether policies are actually implemented.
To ensure that cybersecurity is not just “paper thin,” it’s important that the people responsible for validating the implementation of policies don’t just check a box on a form, self-attesting compliance. Rather, they should be able to demonstrate compliance by generating reports that reflect the current status of all IT assets under management. In other words, teams should validate compliance with hard data from security tools, rather than word-of-mouth assurances from colleagues. That also means treating a host that has stopped reporting as unknown, not as compliant: stale data is no better evidence than a signed form.
Comprehensive, real-time monitoring and reporting give all stakeholders a clear view of the current strengths and weaknesses of any Whole-of-State strategy. And if reports end up showing that additional investments are needed, the factual, digital nature of the reports will be more compelling than self-attestations or general remarks.
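The following is an added example, not code from the original post or from any state program, of what “validating with hard data” looks like in practice. It takes a constructed endpoint inventory of the kind a statewide endpoint tool might export (agency names, hostnames, versions and field names are all made up), applies assumed policy thresholds, and produces the two reports the sections above ask for: a per-agency compliance count in which stale telemetry is reported as “unknown” rather than passed, and, for the vulnerability-announcement question raised under Implementation, a statewide list of hosts still running a vulnerable build.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from any real agency): what a statewide endpoint tool
# might export for a handful of hosts. Field names are assumptions for this example.
SAMPLE_INVENTORY = [
    {"agency": "State DOT",   "host": "dot-ws-0142", "last_seen": "2024-05-01T08:02:00Z",
     "edr_installed": True,  "patch_level": "2024-04", "software": {"acme-vpn": "3.2.1"}},
    {"agency": "State DOT",   "host": "dot-srv-07",  "last_seen": "2024-05-01T07:40:00Z",
     "edr_installed": True,  "patch_level": "2024-03", "software": {"acme-vpn": "3.1.0"}},
    {"agency": "Riverton PD", "host": "rpd-lap-003", "last_seen": "2024-04-18T12:00:00Z",
     "edr_installed": True,  "patch_level": "2024-04", "software": {"acme-vpn": "3.2.1"}},
    {"agency": "Riverton PD", "host": "rpd-ws-011",  "last_seen": "2024-05-01T06:15:00Z",
     "edr_installed": False, "patch_level": "2024-04", "software": {}},
    {"agency": "Lake County", "host": "lc-ws-221",   "last_seen": "2024-05-01T09:00:00Z",
     "edr_installed": True,  "patch_level": "2024-04", "software": {"acme-vpn": "3.0.9"}},
]

# Policy thresholds as a governance team might set them (assumed values for the example).
POLICY = {
    "max_telemetry_age": timedelta(hours=24),
    "min_patch_level": "2024-04",
    "edr_required": True,
}

# Fixed clock so the example is reproducible offline.
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)


def classify(rec, policy, now):
    """Return (status, reasons) for one host.

    Stale telemetry yields 'unknown', never 'compliant': a host nobody has heard
    from within the policy window cannot be attested as healthy from its last report.
    """
    last_seen = datetime.fromisoformat(rec["last_seen"].replace("Z", "+00:00"))
    age = now - last_seen
    if age > policy["max_telemetry_age"]:
        return "unknown", [f"telemetry stale ({age.days}d old)"]
    reasons = []
    if policy["edr_required"] and not rec["edr_installed"]:
        reasons.append("EDR agent missing")
    if rec["patch_level"] < policy["min_patch_level"]:  # YYYY-MM strings sort chronologically
        reasons.append(f"patch level {rec['patch_level']} below {policy['min_patch_level']}")
    return ("noncompliant" if reasons else "compliant"), reasons


def compliance_report(inventory, policy, now):
    """Per-agency counts of compliant / noncompliant / unknown hosts, derived from tool data."""
    report = {}
    for rec in inventory:
        status, _ = classify(rec, policy, now)
        counts = report.setdefault(
            rec["agency"], {"compliant": 0, "noncompliant": 0, "unknown": 0}
        )
        counts[status] += 1
    return report


def hosts_needing_update(inventory, product, fixed_version):
    """Answer 'which endpoints statewide still run a vulnerable build?' for an advisory
    stating that versions below fixed_version are affected. Versions compare numerically
    component by component, so '3.10.0' is correctly newer than '3.9.0'."""
    def vtuple(v):
        return tuple(int(x) for x in v.split("."))

    return sorted(
        f"{rec['agency']}/{rec['host']}"
        for rec in inventory
        if product in rec["software"]
        and vtuple(rec["software"][product]) < vtuple(fixed_version)
    )


if __name__ == "__main__":
    for agency, counts in compliance_report(SAMPLE_INVENTORY, POLICY, NOW).items():
        print(f"{agency}: {counts}")
    print("needs acme-vpn update:", hosts_needing_update(SAMPLE_INVENTORY, "acme-vpn", "3.2.0"))
```

Two design points matter here. First, the stale host in Riverton PD is counted as unknown even though its last report looked compliant; a self-attestation form would have marked it green. Second, the vulnerability query only works because every agency’s data lands in the same inventory with the same fields, which is exactly the toolset standardization the Implementation section argues for.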
In the coming weeks, we’ll be publishing more blog posts on the benefits of adopting a Whole-of-State strategy. In our next posts, we’ll take a closer look at each of the three practices – governance, implementation, and validation – required for putting a Whole-of-State cybersecurity strategy into practice.