Herbert is not alone in his concern. National Security Agency Director Gen. Keith Alexander, who is also head of the U.S. Cyber Command, said in an address at the American Enterprise Institute that these losses from cyberespionage are the "greatest transfer of wealth in history." Alexander cited Symantec estimates that intellectual property theft cost the U.S. $250 billion per year, and McAfee statistics that $1 trillion was spent last year in remediation. “That is our future disappearing in front of us,” said Alexander.
Local governments are likewise under attack, and smaller cities and counties are especially vulnerable, many being short staffed and lacking a chief information security officer (CISO). Seattle CISO Michael Hamilton said he sees an increase in targeted attacks on the city and in the region. “And frankly, we see a lot of countries with very dubious law enforcement controls, knocking on our door all the time.”
Hamilton said that while attacks are increasing, one of the biggest vulnerabilities is the exponential increase of end points. “This bring-your-own-device stuff and the proliferation of consumer devices that are now everywhere around us, we don’t have control over anything resembling a perimeter. … The horse has left the barn.” So now, it’s important to focus resources on assets that are critical infrastructure to city and county government, he said. “We manage transportation, all the signal timing, signage, cameras — that’s a big IP network. We manage communications that tie together different law enforcement organizations. We deliver energy, water, we remove sewage, and those are all control systems.”
Under those circumstances, said Hamilton, “It’s very important for us to quit thinking about ‘How am I going to control every one of those end points?’” Instead, Hamilton is building what he calls “mini-moats” around critical infrastructure, requiring that staff members who use personal devices do so through a mobile device management platform, participating in a regional consortium of local governments, using available federal government resources to monitor and share information on attacks and vulnerabilities. In addition, enforcing standards and making common-sense policy are key. Building a proactive strategy is important, he said because there are no security standards for local government, only what he calls the “stick approach.”
“In local government we don’t have regulatory requirements. Nobody says, ‘Here’s this standard you need to meet.’ The only thing that is in place is the stick: If you lose these kinds of records, you are going to have to pay a lot of money and go fall on your sword. I don’t think ‘stick only’ is a good way to go; I think we could use a few regulatory requirements.”
But Hamilton said there is good news as well. Local governments are doing a lot of things right, such as regionalizing and embracing shared services, which allows pooling of security resources. King County, Wash., for example, has a multifactor authentication system that any of the region’s jurisdictions can use. And jurisdictions in the region have established the Public Regional Information Security Event Management System. “Right now, Seattle, Bellevue, Lynnwood, Kirkland, Redmond, Kitsap County, Thurston County, Seattle Children’s Hospital, Snohomish [Public Utility District], six maritime ports, etc., they all send their logs to one place. So we watch the region, the attack surface of the region, and we’re all connected. We have trust relationships.”
Hamilton gets backup from the federal government, especially from the U.S. Department of Homeland Security, Multi-State Information Sharing and Analysis Center and Center for Internet Security. He recommends the DHS’ Cyber Resilience Review and Cyber Security Evaluation Tool, as well as regional risk assessment tools available to local governments.
Hamilton also serves as a member of the State, Local, Tribal and Territorial Government Coordinating Council (SLTTGCC). Members of the council work directly with the federal government through DHS' Office of Infrastructure Protection. Working groups assist DHS in focusing programs and products that are available to local governments such as the Regional Risk Assessment Program (RRAP), which includes an evaluation of risk to critical cyber resources. "Members sit down directly with the federal government," he said, "and discuss what's working, what could be improved, funding issues, and maintain a coordinated focus on how we protect infrastructure and achieve resilience."
Hamilton said some local governments are making good use of open source security technology such as the Open Web Application Security Project testing tools for website security and low-cost penetration testing services such as Trustwave. “I can’t say lots of local governments are doing this,” he said, “but these are some of the things I’m trying to help promote in my community of local governments up through the [Association of County and City Information Services] and through regional briefings and all the people I work with around here.”
Hamilton thinks that there is a lot of disruptive change occurring now, including cloud computing and the transition to IPv6. “We’re going to have to find out how this is all going to shake out. It’s cloud everything right now. That’s got a different security model with it, which is not fully mature yet.”
He thinks cloud security is going to depend on strong authentication and authorization, auditing and encryption. “You are strongly authenticating and forcing authorization controls around everybody who has access to your data, and all that stuff gets audited, you always get a report on touches to the data. So as this change occurs, it may be making our jobs easier.”
In spite of increasing attacks, disruptive change, the threat of the big stick hanging over potential breaches, Hamilton remains pretty upbeat. “I’m not all gloom and doom about it,” he said. “If I was, I’d go out and grow blueberries.”
