Examining the State, Local IT Connection to National Infrastructure (Industry Perspective)

Organizations at all levels of government play an important role in protecting critical systems from cyberattacks.

by Rachel Eckert / February 17, 2016
Major data breaches have affected Medicaid, DMV and school district information systems. Shutterstock

When people talk about protecting critical infrastructure, they typically think about the U.S. Department of Defense, cyber-resiliency and the targeting of cyberthreats. In fact, state, local and education (SLED) organizations play an important role in protecting critical infrastructure from cyberattacks.

That’s because cyberattacks aren’t just a problem at the federal government or private industry levels —  SLED governments are at risk as well. Our state and local governments collect and maintain immense amounts of our personal data: health records, tax records, driver’s license information and more.

It doesn’t take too much digging to uncover major data breaches of state systems in Medicaid, the Department of Motor Vehicles (DMV) and school district information systems. American citizens have more interaction on a daily basis with their local and state governments than with the federal government, so while SLED data breaches may not receive as much front-page coverage, they are no less devastating.

In 2012, as reported by The Salt Lake Tribune, Utah suffered a massive breach of its Medicaid eligibility and Children’s Health Insurance Program files that affected the sensitive information of 780,000 individuals, forcing the state to spend $9 million on security audits, upgrades and credit monitoring for the victims. In 2015, both Texas and North Carolina suffered breaches of their Medicaid data as well, as reported by The Statesman in June 2015 and WRAL in October 2015, respectively. Texas is now providing credit and identity management services to victims for one year, while North Carolina is urging concerned parties to closely monitor their statements and credit cards.

Prime Threats to SLED

Most U.S. critical infrastructure is managed by private industry. However, health care and public health, transportation systems, and government facilities are critical infrastructure sectors where SLED is more directly involved. Let’s drill down into these infrastructure components and see how SLED may be affected by cyberattacks.

Health care and public health. State and local governments run critical health systems and maintain vital health information exchanges used by nearly all of their citizens in some capacity, from registering for health insurance to filing a Medicaid claim. These systems connect the state government to local health departments to your local doctor through electronic health records. And as we now know, data breaches at the state level have put hundreds of thousands of citizens’ Social Security numbers, dates of birth and health information at risk.

Transportation. For most of us, our interaction with the transportation critical infrastructure sector occurs at the state government level. State governments maintain massive networks of highways and roads. The DMV license citizens to drive this network of roadways in systems containing sensitive and vital information. In 2014, California’s DMV experienced a wide-ranging credit card data breach related to online payments, putting thousands of people’s credit card and driver’s license information at risk, as reported by The San Francisco Chronicle in March 2014. California notified affected customers as quickly as possible, advising them to monitor their credit card statements for fraudulent activity.

Government facilities and education facilities. Many local school districts input and share information with the state government through collaborative Web-based or cloud systems. These systems track everything from school demographics to individual student and teacher progress, to include names, addresses, dates of birth and even Social Security numbers. States such as New Jersey, Pennsylvania and South Carolina have all experienced breaches in their systems putting their students’ and employees’ information at risk.

Partnerships and Preparation

SLED governments collect and maintain sensitive information in areas we touch every day. Protecting that information and the systems that house it is therefore of paramount importance. To help SLED governments manage their cyber-risk and develop a more consistent cybersecurity posture and infrastructure, the U.S. Department of Homeland Security (DHS) has shared several resources that facilitate collaboration among SLED governments.

For example, the State, Local, Tribal and Territorial Government Coordinating Council provides cross-jurisdictional strategic coordination through the DHS, SLED governments and critical infrastructure owners/operators to support planning, implementation and execution against the nation’s critical infrastructure protection mission. Members represent more than 20 state and local governments.

Other partnerships also help SLED governments defend against cyberattacks. The Multi-State Information Sharing and Analysis Center — or MS-ISAC as it’s more commonly known — helps its 689 members identify, defend and respond to cyberincidents as the DHS-designated center for information sharing related to cybersecurity in state, local, tribal and territorial governments. The MS-ISAC is the go-to organization for many SLED governments when it comes to staying up to date on the latest cyberthreats and -responses. 

The FBI has partnered with private industry to form InfraGard, which has the mission of helping its members across 84 districts in 50 states defend their critical infrastructure. The organization provides tools like a Malware Investigator to help SLED governments monitor and defend their systems.

SLED governments have documented plans to defend their critical infrastructure and key resources, which are often maintained by the state emergency management or homeland security office, but they don’t always incorporate response plans to cyberattacks. SLED governments protect vital aspects of everyday life for U.S. citizens, including schools, roads and medical care. Ensuring that these increasingly Web-based systems are protected from cyberattacks is vital to protecting the nation’s critical infrastructure.

While the DHS, MS-ISAC, InfraGard and other organizations exist to support our SLED government’s efforts, more collaboration among private, federal and SLED governments is needed. Protecting critical infrastructure isn’t just a federal or private issue — it’s a SLED thing too!

Rachel Eckert is a market intelligence senior analyst with immixGroup (an Arrow company), which helps technology companies do business with the government. Rachel focuses on the state, local and education government markets. She can be reached at Rachel_Eckert@immixgroup.com, or connect with her on LinkedIn.