Arizona, like every other government entity around the world, is facing a steadily growing barrage of online threats. According to the Arizona Department of Administration, cyberattacks against the Grand Canyon (and Cactus) State include (on average):
200 brute force attempts per day; 500 Trojan attacks per day; 35,000 malware attacks per month; 500 SQL injection attacks per month So what’s being done to improve online defenses in Arizona government?
Back on March 1, 2018, Arizona Gov. Doug Ducey issued an executive order to create the Arizona Cybersecurity Team (ACT). This diverse group of experts from state, local and federal government; the private sector; and higher education to work together to protect Arizonans from these cyberattacks.
In the government press release announcing the new executive order, you will find these words: "We must think outside the box, and work together with the public and private sector,” said Mike Lettman, state of Arizona chief information security Officer. “The ACT team puts us in the right direction to accomplish just that.”
Who Is Mike Lettman?
In addition to Gov. Ducey’s urgent priority focus on cybersecurity, Arizona has another huge asset to help them fight and win cyberbattles each and every day. Mike Lettman, who is the state cybersecurity leader, has been Arizona’s chief information security officer (CISO) since July 2012, a time period that spans two different governors.
Lettman’s background as a security leader is impressive indeed. He is one of a handful of CISOs that have led state government cybersecurity efforts in two very different states. His professional background can be seen here.
I first got to know Mike while he was CISO in Wisconsin from June 2004 until June 2012. It was immediately clear he “knew his technology stuff” and was an excellent tech leader for Wisconsin government. He was one of the early security leaders who worked with Will Pelgrin and me and several other state CISOs to grow and strengthen the initial MS-ISAC organization nationwide.
He also had (and still has) strong and outgoing mannerisms that are bold, funny and likeable at the same time. No doubt, he developed this unique management style during his many years leading technology and security for the Department of Justice in Wisconsin government.
For example, Mike would often email me a big picture of “Bucky the Badger” (The University of Wisconsin mascot) with his own hand-written caption underneath “GUESS WHO’S COMING TO TOWN?” This was when his beloved UW team was playing either Michigan or Michigan State (MSU) in football (and sometimes basketball) — even though he knew I was mainly an MSU fan.
I admire this very competitive side of Mike — showing he can argue sports (and other topics) with the best of them. He still loves his Badgers, even though he lives in the Southwest desert heat — far from his BIG TEN roots. Nevertheless, Mike takes that same passion and applies it to everything he does, including his leadership over cybersecurity efforts in Arizona.
On his professional roles in Arizona, he served as acting Arizona CIO for a time. He also conducted this interview with govtech.com early last year. He has been a part of the wider push for Arizona to become the next cybersecurity cluster, and is also one of the leaders in Gov. Ducey’s cybersecurity team.
Interview with Arizona CISO Mike Lettman
Dan Lohrmann (DL): What are your top priorities as the CISO in Arizona? Please elaborate on your journey.
Mike Lettman (ML): When I came to Arizona six years ago as their next CISO I inherited a multitude of problems. Arizona was federated, there was almost no interaction between the state and federal cyberpartners, the fusion center, local and county government, the other state agencies or Infragard. There was no visibility into cyberattacks, cyber-risk, or any attempts to enterprise and guide the agencies on how to protect themselves and their data against cyberattacks. The effort I started here in Arizona was to:
1) Build visibility of cyberattacks and build partnerships —
I built the partnership with the federal agencies and the state, making contacts in the FBI, U.S. Secret Service, U.S. Dept of Homeland Security, the MS-ISAC, several major universities in the state, and the ACTIC (Arizona Counter Terrorism Information Center, the state fusion center). We shared cyber nformation back and forth and helped each other with incident response and cyberexercises. With DHS we became one of the first states to share attack information nationwide. We became one of the most cyberexercised states in the nation with our federal partners. I also built relationships with the private sector via Infragard and we formed ACTRA (Arizona Cyber Threat Response Alliance), which was one of the first nationally recognized information sharing and analysis organizations that shares cyber information between the public sector and the private sector. Many of us in ACTRA were interviewed by both Johns Hopkins and the think tank New America as a working model to adapt across the country for cyber information sharing between public and private sector. The New America report is here.
As a part of the ACTRA partnership we built the relationship with private sector, working together along with the military at Cyber Guard to defend the environment.
We also built visibility of cyberattacks in our network by teaming up with our network vendor and adding multiple enterprise products at our perimeter to monitor and identify attacks and malicious downloads and communications. We used that information to alert the agencies and prevent compromises or ex-filtration of data.
2) Close cybergaps in the agencies — at first we implemented one or two enterprise security controls at a time to help protect agency data. Soon, due to our success, we started an effort via the Governor’s Goal Council of agency directors to implement 13 enterprise cybercontrols in 35 cabinet agencies for a total of 455 security controls. These were common controls identified by agencies, to satisfy parts of the National Cyber Security Framework, and begin to address the CIS top 20 Critical Security Controls. All 13 controls had to map to those two frameworks in some way. In addition, we looked at how we are being attacked from the visibility effort I talked about earlier. We also determined that the controls we put in place also had to address the most common cyberthreats and attacks against the state of Arizona.
We found that as a state we did not have an unlimited budget, and agencies either did not have the budget or the resources, or the knowledge to better protect their data. So we worked together to implement enterprise security controls together, educate together, and save money together by building efficiencies and economies of scale. We estimate that we were able to redirect about $2.5M in savings by eliminating duplicate products and direct the money toward other IT efforts. In addition, we estimate that we saved millions more in cost avoidance because we reduced the number of servers needed to run the security controls. We did this by focusing our resources efficiently and eliminating duplicate efforts to manage and maintain the controls and systems. After about a one-year effort we had roughly 446 controls in place.
Today we have a total of 14 enterprise controls and we are looking to add three more in the next fiscal year. In addition, we are expanding the 14 controls beyond the cabinet agencies on to our other agency, boards, and commissions.
Each year we continue to enhance and improve these efforts. We (the agency information security officers and my team) identify the cybersecurity needs and concerns of the enterprise and choose two to four enterprise security controls to fill the organization gaps and mitigate risk.
3) Identify and lower the cyber-risk to the state of Arizona — the problem was we had no idea who was accepting risk in the state, how we were accepting it, which agencies were accepting it, and exactly what the risk meant to the state. As a part of the 13 controls mentioned above, we implemented a product called Risksense to give us visibility into vulnerability risk in each of the agencies. Risksense reports risk based on credit score, so everyone from the end user all the way up to the agency director knew what it meant if we said the agency had a risk credit score of 632, or 732.
In addition, we developed a process to identify risk with our cloud vendors. We are a cloud-first state, and I was told we are the state with the most significant presence in Amazon. I had no idea how our cloud vendors were protecting our data. At the time we had measurements from CSA (Cloud Security Alliance) which was mainly subjective, to FedRAMP (federal gov’s cloud framework) which required vendors to go through a lengthy expensive process to get certified. We desired something in between. Some needed a way to determine issues and risk. So we developed the AZRamp process for cloud vendors. We based the criteria on NIST and required our vendors to respond and provide documentation showing that they:
Met 35 basic controls to continue to bid on our projects or protect our data Met 125 basic controls to protect public data Met 325 basic controls to protect sensitive data From that process, we would determine for the business the “top 10” security concerns that we have, and give a “passing” grade, or “non-passing” grade from security. If the vendor received a non-passing grade, the agency would need to sign a risk acceptance form, acknowledging the security concerns, and documenting ways they would reduce that risk to the state. The business leader, CISO, CIO and director all have to sign the form accepting the risk for the agency. This process helped us to understand where we were accepting risk and what that means to the organization.
DL: Arizona Gov. Ducey issued an executive order regarding cybersecurity. Tell us about that and how it impacts your team.
ML: The governor is very concerned about cyber-risk and protecting state data. He fully understands that we cannot solve this problem alone. He wants the state to move at the speed of business. He wants to build efficiencies and economies of scale, and he recognizes the problem is much larger than just the state of Arizona. The governor made it clear in his executive order that he wants public and private sector working together to come up with ideas on how we can all protect our data better and provide ideas on how we can continuously improve and inform the public of the risks of cyberattacks. The executive order team will address cyber in three areas: new technology (IoT, smart cities, etc), cyber intel sharing and awareness, and workforce development and education.
My team has been collaborating with the private sector and the university system during the past five years. I believe the EO will give us opportunities to validate the progress we have made and the direction we are going. We will continue to embrace ideas on how we can improve and work together. Some of the things we already do between public and private sector here in Arizona are a model for the entire country (via the New America report and Johns Hopkins analysis). I believe there are cyberissues, process, and solutions that both public and private sector can learn from each other.
DL: How do you measure your cyber-risks in government? Any tools that help you?
ML: At this time we are using the Risksense tool to measure risk in the state of Arizona. As a part of the 13 controls, we rolled out Risksense to the 35 cabinet agencies. We are now monitoring cyber-risk for 91 agencies, boards and commissions, tracking over 98,000 assets and 152 applications. Risksense measures risk in the form of a credit score, so everyone in the agencies understand the difference between a cyber-risk score of 650 verses a cyber-risk score of 725.
We received recognition from the president and CEO of Risksense, acknowledging our efforts and journey to improve cyber-risk in the state, and he said we appear to be handling cyber-risk better than fortune 500 companies. We currently have a statewide cyber-risk score of 768. This tool gives us the ability to drill down into our assets and determine where we should focus our efforts to lower risk and make the most efficient and effective use of our time. In addition, if a major vulnerability is discovered or announced ,we have the ability to review all 98,000 assets and determine which ones are vulnerable to a potential attack. Having this info allows us to be proactive and act quickly to mitigate or remove the vulnerability in our assets.
DL: How are security results communicated to agencies and other clients?
ML: The agencies have the ability to log in to the tool to view their own data, vulnerabilities, and concerns. They can use the tool to prioritize their resources and focus them on solving the largest risks to the organization first, addressing externally facing resources and any resources with exploits available in the wild. Basically the tool tells them which assets have the most serious problem and pose the largest risk.
DL: What security controls do you have in place to help you in your governance role? How does that work with other parts of IT?
We have 14 enterprise controls (about 25 tools) in place serving 35 cabinet agencies or a little over 90 percent of the state employees in the executive branch. We are expanding that to the rest of the agencies, boards and commissions. These tools give us the ability to monitor the agencies, help prevent attacks, and help the agencies with any issues that come up. On average we get about 8.5M attacks from the Internet on a monthly basis trying to compromise our systems. This is comparable to other states that I have talked with.
DL: You were CISO in Wisconsin before Arizona. Tell us how your jobs are similar and different.
ML: It’s warmer in Arizona. No seriously, the jobs are similar because like every other state CISO we are responsible in guiding the agencies to help protect their data. There are also similarities in the risk that every state CISO has to be responsible for, and the changing number and sophistication of the attacks. The differences are that in Wisconsin, we were performing some cutting-edge things with enterprising our security and systems. I learned a lot from the good things we did (in Wisconsin) and had many lessons learned. I have been able to apply that knowledge here in Arizona to improve the security, enhance the journey and avoid some of the setbacks.
DL: Is being a government CISO in 2018 different than in 2010? How? Where do you see things going in the future?
ML: Yes I think it is. In 2010, most of us were really reactive, playing whack-a-mole every day trying secure our data and protect our systems. It was all very reactionary due to the lack of technology, budget, resources and knowledge. In addition, most of us housed or controlled our data and our perimeter. Today much of our data is moving to the cloud (other people's data centers). Today the attacks are more sophisticated, more concentrated, and more targeted than ever before. Today we have the ability to be more proactive in protecting our systems. We have better awareness tools for our users, we have better prevention tools, and we do a better job of sharing cyberinformation so we can proactively stop an attack before it turns into a serious situation. In addition, we have better understanding throughout the organization of the risk of cyberattacks. It’s very visible because it seems to be in the media every day. That exposure draws a lot of attention and support today, making cyber the No. 1 concern on many people's list.
For the future, I do not see the attacks stopping or getting less sophisticated anytime soon. As long as it is profitable for the bad guys, they will continue to attack. If we do not work together and share information, the bad guys will continue to win. I think we will have additional challenges as IoT, smart cities, and autonomous stuff matures and expands in our networks. I find myself working closer with the general services division today as they add IoT to our network with devices for elevators, doors, HVAC monitoring, thermostats, cameras and even smart cars in our fleet. In IT we have the changing perimeter or soon to be nonexistent single perimeter, and identity as major issues to deal with. We must be able to ensure the person accessing our data is who they claim to be, and that they have legitimate access to our data. Unlike in 2010, we no longer have a single perimeter, we are dealing with perimeters on our phones, our customers' phones, our organizations, our data centers, our cloud systems, our vendors and our partners or supply chain.
DL: I’d like to thank Mike Lettman for answering my wide-ranging questions. I'd also like to recognize his wider Arizona cyberteam for their efforts, since it takes a unified, talented and cohesive group to accomplish what they have. Finally, I want to highlight Mike for his public service to Arizona government and Wisconsin government and the nation as a whole. Well done!
I apologize for the extra-long blog, but I wanted to give readers a close-up look at one of the top security programs in state government in the country. The personalities involved and the specific skills demonstrated by your leadership is vital to success, and Mike has shown the rare ability to succeed and persevere despite transitions across multiple administrations and states.
While changing CISO roles in the private sector between companies is now commonplace, and quite a few CISOs eventually go from the public sector to the private sector, it is much less common for CISOs (and CIOs) to move from one state enterprise to another at the same level.
I encourage federal, state and local security leaders to take a look at Arizona’s security efforts and Mike’s wider career path to learn and grow in your journey.