Recently, the National Association of State Chief Information Officers (NASCIO) took the unusual step of publicly endorsing proposed federal legislation, in this case the State and Local Cybersecurity Government Act of 2019. That bill, which was introduced in June by a bipartisan team, would amend the Homeland Security Act of 2002 to improve how federal, state and local governments can collaborate and share resources to stem the tide of cyberattacks.
It’s easy to see why this endorsement received so much attention. NASCIO cites cybersecurity as the top technology imperative for U.S. states, and nary a week goes by that a state or local agency isn’t in the headlines for a newly discovered attack, Baltimore’s ongoing ransomware cleanup being just one example.
But as I read through both the proposed legislation and NASCIO’s endorsement of it, something questionable caught my eye.
As StateScoop reported, “Access to new funding and federal technology would be a windfall for state CIOs … who struggle to adequately fund their cybersecurity efforts. The majority of states don’t have a dedicated budget for cybersecurity, according to NASCIO’s metrics, meaning it must come out of general IT funding … The CIOs and the CISOs don’t have enough manpower to make sure they are able to deal with every threat they face.”
All of the above is accurate, but problematic. For state and local government organizations, having the resources to acquire more technology on top of pieces of the existing technology stack that go unused or are improperly deployed may seem like a windfall, but won’t solve the fundamental challenges that leave them open to disruption in the first place. You can’t “buy your way out” of threat vectors; most successful breaches occur because organizations haven’t taken the right steps to improve IT hygiene, patch vulnerabilities and properly configure their environments for least privilege access.
As our Americas CISO, Chris Hallenbeck, described to me, one way to look at this legislation is that it would better equip CIOs. Another way is that it would create a blame game when something bad occurs.
“CIOs can grow their IT budget through assistance from federal dollars or blame incidents on not getting what was promised to them by the federal government,” Chris said. “Now, most state CIOs act with the highest integrity and want to protect their systems and constituents from relentless and ever-present cyber threats. But the way the bill is presently constructed doesn’t inspire the right behavior that will ultimately make their environments more resilient to disruption.”
Do you need all of those tools? Are they the right tools?
As Chris notes, more benefit would come from budget relief if it’s directed in the right areas. If states are to receive federal money, they might spend it on historically underfunded or largely ignored issues relevant to IT hygiene, especially patch management, asset inventory and access control. Government agencies are aware they need to improve in these areas; Phase 1 of DHS’ Continuous Diagnostics and Mitigation (CDM) program is one initiative underway. But let’s ensure there are controls in place that keep CIOs and CISOs answerable for outcomes, not finger-pointing, when an incident occurs.
Our SLED teams here at Tanium spend a lot of time with state and local technology leaders who have invested in handfuls of point products and security tools, incur disruptive events, and then spend weeks, months and even years in heated discussions with their vendors wondering why those tools didn’t help. Throwing more resources at security and IT operations doesn’t solve problems. It still comes down to executing a plan with the right aims in mind.
Federal technical assistance would make the most difference if used by states for training and assessments. These would include identifying hygiene initiatives, and performing a gap analysis to understand where currently deployed tools overlap and what capabilities are still missing as a result. Proactive state CIOs and CISOs could use this analysis as an opportunity to consolidate and reduce their overall number of tools.
Reporting the right things
The most important question I have on the bill is what the new legislation will provide for reporting requirements. Much in the way of technical assistance and training is already available to states today from the Department of Homeland Security. The legislation specifically calls for DHS to report to the Senate Homeland Security and Governmental Affairs Committee (HSGAC) every two years about the security posture of each state.
But DHS will only be able to report to the extent that states voluntarily provide useful data, and states won’t be incentivized to report if they think all Congress will do is compare them with their peers. If DHS wants to make reporting effective, and help states truly improve how they secure their IT environments, the legislation should insist on mandatory reporting if states want access to federal funding. This can be done in aggregate.
If, upon measuring, there is an indication that some states are lagging considerably despite funding and access to resources, then the legislation should be revised to require specific, state-by-state reporting. But above all, this legislation should be about inspiring the right behavior to actually solve the challenges of relentless cyberattacks.
You can’t protect what you can’t see
State technology leaders, like all technology leaders, get bombarded with messaging, and empty promises from vendors of all sizes to solve their problems by buying the latest tools and services. But when challenged by limited budgets, limited staff and sometimes unreliable technology, leaders need to make better choices, and invest in what’s actually going to make their environments more resilient to disruption.
Tanium provides a true platform solution enabling SLED organizations to improve cyber hygiene with real-time visibility and control of endpoint devices. We invite you to check out our latest webinar on adapting to the NIST framework—come see what you’re missing!
For more, head to our resources page for State & Local Government.
Tyker Fagg is Vice President, U.S. State and Local Government and Education Programs at Tanium.