Government Technology recently spoke with Texas CIO Todd Kimbriel and George Spencer, AT&T Public Sector Assistant Vice President – Texas, about how the MSS contract helps Texas agencies respond to an increasingly hostile security environment.
Q: How has the cybersecurity landscape shifted over the past few years?
Kimbriel: Cyber threats continually evolve and we now know that cybersecurity is a lifetime commitment. The sophistication of attacks requires thoughtful planning and response. This has led to a growing maturity and awareness across Texas. Our state leadership has made it clear that cybersecurity is a priority. We just had a 22-page cybersecurity bill pass that outlines 16 new requirements and is driving new activity for DIR around expanding reporting and managing risk. Cybersecurity is part of the underlying fabric of everything we do, and as a state we have decided we would prefer to respond rather than react.
Q: What security services are available through DIR’s MSS contract?
Spencer: The MSS offering consists of three major components — security monitoring and device management, incident response, and risk and compliance — each of which includes multiple services that agencies can choose to meet their IT security needs.
Security monitoring and device management includes network and web application firewalls, intrusion detection and prevention, and end-user device management. Incident response includes services that help agencies plan and prepare upfront to manage security incidents. It also offers an automated service that lets agencies request incident response help through DIR’s MSS portal. Risk and compliance includes penetration testing to analyze where security vulnerabilities might exist, enabling agencies to address weaknesses before cybercriminals exploit them. This category also includes services to help agencies understand and comply with complex security regulations.
These capabilities are provided through a pre-vetted, pre-competed contract for security services. Agencies can go to the DIR portal, identify the services they need and place an order for them. This model also simplifies the management of security services because DIR monitors vendor performance and sees to it that contractors comply with contract terms.
Q: Why is the MSS contract so important versus going it alone?
Kimbriel: Consistency of service and strategy is an important component for us. Some of our agencies have the resources and capabilities to manage cybersecurity in house and some don’t, so how do you protect the state in that environment? One of the things we provide through this service is assurance that the contracts we issue with organizations like AT&T have been thoroughly vetted so the customers using these don’t have to do that themselves. Another advantage is having a bird’s eye view of the whole environment. For instance, if our managed security services vendor delivers a certain cyber service to one agency and detects a threat, it immediately can apply a solution to all agencies who use its services. Or there may be an advanced persistent threat against several agencies but it only impacts each one minimally and wouldn’t catch the attention of an individual CISO. The managed security services provider has the bigger picture to intervene and improve the overall security posture.
Q: Explain how AT&T can provide this ‘bigger picture’ threat intelligence.
Spencer: As a global network provider, we’re uniquely positioned to understand the cyber threat environment. The AT&T global network carries more than 200 petabytes of data traffic on an average business day. A single petabyte is like streaming
an HD movie for 45 years — it’s a phenomenal amount of data. This traffic is monitored in our Global Network Operations Center, where we can see early warning signs and react quickly to threats. From that vantage point, we can spot changes in
worldwide network traffic and identify potentially harmful activities, and then share that intelligence and take steps to help mitigate potential attacks. In addition, AT&T has eight Security Operations Centers (SOCs) worldwide that operate 7x24x365 to protect our managed security services customers. There’s really no way a single government agency is going to get that perspective on its own.
Q: Who can participate in the MSS contract?
Kimbriel: In addition to state agencies, the MSS contract is available to any taxpayer-funded organization in Texas. This was a key part of the strategy because smaller, funding-challenged organizations, for example, may not know what to do when they experience an attack. To have a qualified incident response team step in and guide their reaction is monumental. We don’t expect everyone to be interested in the services, but it’s advantageous to those organizations that don’t have a CISO or trained cyber professional on staff.
Q: Why is it important for small and medium-sized agencies to strengthen security protection?
Spencer: There was a time when agencies could do cybersecurity by obscurity because they were too small to be a target. But with the automation of threats, everyone is at risk. The bots and malicious programs aggressively come after all vulnerabilities.
The MSS contract gives government entities throughout Texas easy access to powerful threat intelligence and security capabilities through a simplified procurement model. It also delivers long-term benefits because agencies only pay for the
portion of a service they use, and they don’t need to make a big capital investment in capabilities they may not need.
Q: Can this be applied to any type of infrastructure?
Kimbriel: There is no particular type of infrastructure targeted for this. We have a consolidated data center program that many state agencies participate in that’s based on an on-premises infrastructure, and this contract can deliver services to those customers. We also have our hybrid cloud where we connected the on-premises consolidated data center program to five cloud environments and these services are also available to any customers that participate in that. For the most part, the infrastructure environment is not relevant to the services available.
Q: What does the cyber landscape look like in the future for Texas state and local governments?
Kimbriel: Cybersecurity will continue to be a key area for us; and mitigating risk associated with cyber will continue to be high on the priority list. We are looking forward to interacting with state leadership and giving them the information they need for informed policy decisions. The bill from last session required us to set up a Texas ISAO (Information Sharing and Analysis Organization), so we are looking for our cybersecurity coordinator to spearhead that effort. This ISAO will deliver threat dissemination services, forensic analysis and other services — many of the same capabilities offered through the MSS contract — but this is through a nonprofit organization that is primarily focused on the private sector. We haven’t seen anyone else put together something as broad or comprehensive as what we are envisioning, so it’s exciting to see that come to reality and bridge the gap between public and private sector.
