Over the past few weeks, there have been several high-profile breaches announced involving state government systems - one in South Carolina and one in Utah. I say “high-profile” because the coverage of both incidents has been widespread, with tech magazines, blogs and even major newspapers and TV stations covering the situations in detail. The headlines have not been very encouraging for our respected government colleagues, with Computerworld reporting that the Utah breach 10x worse than originally thought.
My first reaction, and the thoughts of many government CIOs, CTOs, CISOs and CSOs around the nation, was to think: “There but for the grace of God go we.” Anyone who thinks they are not susceptible to similar cyber incidents (whether from insider threats or external hackers) has not been paying close enough attention to the growing threat in the cyber world we live in. (I covered this topic briefly in the piece: Is America Outgunned in Cyber?)
My thoughts go back to about this time last year when we experienced two major computer outages in Michigan, and the national spotlight was shining on us. True, those were mainframe computer outages and not the same as a data breaches. But I can tell you that you don’t sleep much and it is not a fun time. To be fair, Amazon, Google, Microsoft and others have also experienced extended outages and large corporations such as Sony have experienced major breaches.
As far as breaches go, Alabama, the CIA and other federal, state and local government agencies have also faced similar headline-grabbing breaches. These are very serious situations that affect citizen data, and I am confident that the matters are being handled professionally and with care.
Here are some additional thoughts and comments that I have:
1) Although these two (Utah and South Carolina) breaches were very different (in cause), they were similar in that they involved Medicaid systems. One involved an internal disgruntled employee and the other an external attack made easier by a lack of appropriate system controls. Regardless, government technology teams around the nation are now on alert and checking their systems for specific protections and appropriate processes.
2) The national network of cyber coordination and controls got the word out fast and organizations like the MS-ISAC have kept people informed on a “need to know” basis. The call from government officials to “double-check” and “take additional precautions” has been loud, because citizens are asking “what are we doing to ensure that our systems are protected ….?”
We all need to be “plugged-in” to the right organizations, since we are in this global cyber battle together.
3) These are teachable moments. We need to take this (and every other) breach opportunity to demonstrate the importance of cyber protections to our extended IT teams. Make lemonade out of these lemons. Communicate more by sending out newsletters, alerts, emails or whatever you need to do to get the attention of the appropriate people to reinforce the policies around people, process and technology to secure systems. Have you made your IT teams aware?
4) Breaches will happen again. We need to keep asking: are we ready? What do we need to do to prepare? Where is our cyber program? Is there a sense of urgency?
5) The pundits who say that state governments are not targets are wrong. Preparation as a top priority is needed from CIOs, CTOs, CISOs and others in government.
6) The mid-year NASCIO conference will provide an opportunity for CIOs to be briefed by intelligence community officials on cyber threats facing the nation. These types of briefings are important for all government technology and cyber leaders. Do we understand the threat? What is our risk level?
7) Someone asked me once: What does it feel like when major outages or breaches occur on your watch? Answer: It hurts. Like the pain you feel after losing a championship game in sports, your team regroups and commits to never let it happen again. But you wonder: can you get the genie back in the bottle? It’s tough with your reputation being tarnished a bit.
I could say more, but I have no desire to “pile-on” or criticize these states. They have excellent technology teams, and incidents like these are very difficult to stop over the long run. They will no doubt get better and learn from their particular situations as Virginia did after their major outage a few years back.
One final thought: I just returned from speaking at the CSO Confab event in California this week, and I had the chance to speak with CSOs and cyber leaders from the top companies and security teams in America. The mood is pretty pessimistic, with many speakers acknowledging that we have failed –so far. Several of the side conversations with consultants and other experts were equally as depressing – with stories of major US companies that were recently breached and are now recovering and rethinking their approaches to cyber attacks and business processes. This trend is happening to most major enterprises – whether government or private sector.
Bottom line, the cybersecurity battle has not yet peaked or turned the corner in my view. If your government is not taking this threat seriously yet (and I mean top-level attention), now is the time to act aggressively. We each need a pragmatic cyber plan to improve. I believe that we are still in the opening innings of a long baseball game, and we (as a nation) are behind by more than a few runs. Unlike baseball, the public trust in government and other institutions is at stake.
What are your thoughts on these incidents?