In his January State of the Union address, President Obama called for a strong bipartisan effort to address cybersecurity challenges nationwide, touching on such issues as student privacy, breach notification and information sharing. Many applauded the president’s proposals and welcomed the widespread exposure for these urgent issues. Given the current political climate, however, no one is expecting Congress to enact comprehensive cybersecurity legislation anytime soon.
While the federal government works on big-picture solutions, state and local government agencies are under tremendous pressure to secure critical data, infrastructure and services. In fact, cybersecurity is the No. 1 strategic IT priority in 2015 for state and local agencies, according to the National Association of State Chief Information Officers.
A constant stream of high-profile attacks by organized crime, hacktivists and state-sponsored agents against both commercial and government entities has raised awareness and created a heightened sense of urgency. Organizations of all types and sizes are deeply concerned about data breaches by politically motivated bad actors and the all-too-real potential for highly sophisticated state-sponsored or terrorist attacks on critical public infrastructure and services.
Moreover, the massive amount of valuable data housed by state and local agencies is an attractive target for cybercriminals seeking financial gain. Hackers steal, then sell or leverage, sensitive data including Social Security and driver's license numbers, credit card information, and health-care records, among other things. This creates havoc for compromised citizens. Likewise, intellectual property, trade secrets and contract negotiations are lucrative targets, and a successful breach at this level could bring an enterprise, industry or public agency to its knees. It doesn’t take much imagination to envision an array of devastating scenarios.
The IT organizations inside state and local agencies are focused like never before on keeping their networks — and the data of the citizens they serve — secure against cyberthreats. But they face some critical challenges in doing so.
The iSheriff cyberthreat lab is seeing rapid growth in the number of threats being released every day. For example, we have seen more than a quarter of a million different ransomware variants over the past year, with as many as 60,000 new variants in a single day. Our team has been called into several local government agencies to assist with remediating these attacks.
Ransomware is an example of a large-scale cyberthreat that acts like a trawling net — casting broadly to snare as large a number of victims as possible in one attempt. These threats have become increasingly complex, conducted over multiple threat vectors in combination. Although somewhat “vanilla” on the spectrum of cyberattack complexity, the results of such an attack can still be devastating. Because many organizations do not back up their data off-network, for example, a ransomware attack can result in catastrophic data loss.
At the other end of the cyberthreat spectrum are targeted threats, designed to attack a specific organization or even a specific individual within an organization. Unlike a typical malware-based infection, targeted attacks are very difficult to block with traditional security products. A persistent adversary will attempt to utilize techniques that “fly under the radar” in order to achieve their objectives.
The typical state or local government agency spends less than 5 percent of its IT budget on cybersecurity, compared to over 10 percent in the typical commercial enterprise. If we bear in mind that some of the world’s most prominent enterprises have been successfully hacked, and that government agencies are faced with precisely the same security challenges as their commercial brethren, it is alarmingly clear that state and local agencies’ cybersecurity efforts are woefully underfunded.
Unfortunately, state and local governments have been let down by the security industry. Security has become too complex for the average agency. Multiple products from multiple vendors don’t readily integrate and require prohibitively expensive installation and ongoing management. A typical agency doesn’t have the budget to effectively deploy and maintain all the required components.
In addition to budgetary concerns, government agencies are faced with a security staffing and know-how problem. Given the rapid growth in cyberthreats over the last few years, and the increasing corporate focus on addressing this problem, demand has created a substantial premium on cybersecurity skills. Public-sector organizations are hard-pressed to compete for talent, given the wide disparity in compensation levels.
One of the unfortunate byproducts of the proliferation of security point products within the IT environment is an avalanche of security events and alerts, making alert overload one of the banes of agency IT staffs’ existence. In fact, a whole new category of products and services has grown up in an attempt to bring order to this chaos (referred to as Security Information and Event Management, or SIEM for short). Managing security through alerts, however, has been described as analogous to driving a car down a busy highway at night by looking through a frosted rear-view mirror: It is not only misleading, but will likely end in disaster for all involved.
In an effort to enforce better levels of protection for citizen data and greater transparency when breaches occur, federal and state government agencies have introduced an array of new regulations. These include the FBI, IRS, HIPAA, OCSE, FSSA and the NIST Cybersecurity Framework. For small IT organizations with limited security expertise, enforcing compliance with these regulations can be an onerous level of additional overhead on top of their substantial core responsibilities.
The benefits of more secure government agencies — from the corner post office to the U.S. Department of Defense — are multifaceted. Defending our essential infrastructure and government services, our intellectual property, and our citizens’ safety are paramount to preserving our way of life. The risks created by improperly protected government assets are enormous and urgent — and mounting every day.
Traditional, perimeter-focused security approaches are no longer sufficient or practical. Especially at the local and state levels, IT teams do not have the resources to address each threat vector in isolation. Integration, automation and flexibility are essential to maintaining a comprehensive defense against complex and proliferating threats. Scalable solutions help teams maximize their financial and staff resources, delivering higher value and better protection from limited budgets.
Unable to compete with enterprise IT salaries, agencies are universally short on expertise. They need a solution that is simple to set up, run and monitor, with a “single pane of glass” view across the agency’s network. Enhancing the simplicity of solutions leaves more time to address the complexity of threats. Instead of wrangling with software and hardware, cybersecurity defenders must be free to focus on managing risk and response.