Scaling Down Security: How Local Cyberleaders Are Approaching Today’s Threats

A smaller staff and a smaller budget don’t lessen the cybersecurity burden. Here’s what leaders at the local level are doing to protect their IT environments.

by Lisa Kopochinski / October 13, 2016
Steve Monaghan, CIO, Nevada County, Calif. Jessica Mulholland/Government Technology

Nobody lives the refrain “do more with less” more faithfully than local government. In the area of cybersecurity, CIOs and chief information security officers (CISOs) in cities and counties across the country are faced with the daunting task of finding new and unique ways to protect themselves against evolving threats and keep hackers at bay.

Steve Monaghan, CIO of Nevada County, Calif., cites the biggest cybersecurity issue his agency faces as keeping up with the pace of change and learning what they don’t know. 

“Counties have a very broad breadth of technology with multiple interconnections to the state, feds, schools, cities, courts, consortiums, CBOs [community based organizations], and SaaS [cloud] providers,” he explained. “Counties are also in a constant state of motion with changes continuously occurring with new programs, services, locations and collaborations. These all drive a constantly changing technical environment.”

Add to this a fluid environment of regulations and an increase in new state laws focused on technology. 

“Prudent cybersecurity is built on a solid foundation of knowing your environment,” Monaghan said. “The pace of change is greater than our shop’s ability to keep up with the demand for change, let alone to know everything we really need to know to effectively secure all the changes.”

Michael Finch, CIO of Lane County, Ore., said one big challenge is educating key partners in a variety of different lines of business about the security implications of their decisions. 

“They must be educated enough about technology to understand the risks they accept when they make a business decision that involves technology or funding for it,” he said.

Precautions taken by the Lane County Information Services Department include providing core workstation, network and server security infrastructure, including antivirus protection, Internet proxy services and encryption. These services are managed by the Security and Audit Division, which was re-established in 2015 after being cut in 2012 for budgetary reasons. The division, which is working on implementing a centralized security model, is now focused on secure access principles, incident response and business continuity, among other things. It’s a tall order for a group of four full-time employees and less than 5 percent of the county’s IT budget.

Monaghan said that this year, Nevada County is pushing to modernize its IT security infrastructure. And the proof is in the budget. The county CEO and Board of Supervisors have earmarked $250,000 for the effort. The sum represents about a 5 percent increase to the annual IT budget, which is used for infrastructure upgrades.  

Job No. 1 is to build a countywide culture of cybersecurity/IT risk awareness and sensitivity. 

The Cybersecurity Landscape: Then and Now

What a difference five years makes. When asked how cybersecurity issues have changed for their departments between 2011 and 2016, these CIOs offered their take.

“Lane County has recognized two important things. First, the business must drive the acceptance of risk/benefit when it comes to technology and how it’s used. Second, our users are our greatest asset — and our greatest threat. The difference between 2011 and today is a far more mature governance model, as well as a focus on training and awareness for all our users and customers.” — Michael Finch, CIO, Information Services Department, Lane County, Ore.

“The cloud has had the biggest impact. Data can live anywhere now, and trying to keep a handle on where data is living, and how employees across the enterprise are storing and moving data, is much more fluid and complex. Add in data classifications and the regulations around breach notifications, and an organization has more exposure now, and the costs of a data breach are much greater.” — Steve Monaghan, CIO, Information and General Services Agency, Nevada County, Calif.

“We are too small to codify this into every policy and procedure, so we need every county employee — from line staff in the customer departments to every IT employee — to be cybersecurity sensitive,” Monaghan said. “That way, as they take on new projects and implement changes, they are thinking about cybersecurity and IT risk impacts. We are working cybersecurity and IT risk management into our processes such as change management, project charters and contracting. However, it all has to first have a solid cultural foundation across the countywide organization.”

Adding to the challenge faced by local cybersecurity teams is having to achieve compliance with the many regulatory requirements imposed by higher levels of government. Federal rules include CJIS, which governs criminal justice information systems, and the Health Insurance Portability and Accountability Act. Accepting citizen payment for taxes, permits and other services administered by local government also necessitates compliance with Payment Card Industry standards. Adhering to regulations like these, or failing to comply with them, is costly.

“Additionally local governments face the threat of cyberactivism/hacktivists that may occur due to an unexpected local controversial event unfolding,” said Finch. “While this exists at many levels, resources at the local level are far less than at other levels. Additionally, governments must serve a wide array of businesses — from building roads to running jails to providing health care. This creates an extremely diverse set of technologies and requirements that most businesses don’t have to deal with.”

Finch also added that the issues his department faces are very similar to those faced by the state of Oregon, although compatibility between systems can be a challenge.

“That being said, we are also users of many of their systems, so it’s important that services we are required to use that are provided by the state run on the latest operating systems and browsers,” he said. “Funding is also one of the biggest differences. Counties are very limited on what they can tax or derive revenue from, where the state has far more options.”

Riverside County, Calif., CIO Steve Reneker said his department invests about 3 percent of its IT budget in security, such as staff, tools and services. The main cybersecurity issues unique to local government, from his perspective, are impacts to emergency services and being targeted as a result of providing public safety services (officers, jails, public records).

“Local counties keep records of residents on welfare, unemployment, [who] owns property, [have] committed a crime, medical records, who is in jail, who is in the hospital, criminal history, foster care, child support, food stamps — [all of] which drive cyber-risks.”

With this in mind, Reneker’s department has tightened email security using Symantec Brightmail, and a sophisticated five-person cybersecurity team focuses on additional security tools and remediation. Their task lacks a clear end game. Reneker said new strategies are needed to adapt to the ever-changing cyberlandscape and suggested the need for 24/7 monitoring and notification systems.

“We also need more employee training to protect them at work and home,” he stressed. “We need to invest in dedicated staff and tools to proactively block and eradicate malware active in place or attacking systems. We need to create a security operation center to actively monitor threats and show your customers that you take these issues seriously and that you have programs in place to help protect threats from impacting day-to-day operations. Annual audits and penetration tests [are also needed] to learn best industry practices and to ensure your environment is secure.”

For Monaghan, Nevada County has a wide breadth of technology, spanning 25-plus business lines. “We have very specialized and critical technology that needs to operate flawlessly 24/7/365, such as 911 dispatch, mobile officer data systems, jail control systems, suicide hotlines and wastewater treatment plants,” he said.

Jelani Newton, director of survey research for the International City/County Management Association, echoed a common concern among public-sector IT professionals at all levels: Local governments are having difficulty offering cybersecurity professionals salaries that are competitive with the private sector. The organization is currently studying the issue in conjunction with the University of Maryland, Baltimore County.

Newton said cybersecurity is becoming increasingly important as more local governments seek to use technology to improve service delivery and operating efficiency. 

“As jurisdictions increasingly rely on social media, cloud-based solutions, smart city platforms and other new technology solutions, new cybersecurity challenges need to be considered,” he explained. “Every discussion about enhancements in information and communication technology should include consideration of the potential cybersecurity threats, and plans to address or avoid them.”

So, in today’s ever-threatening cyberworld, what is a local government IT department to do?

Kevin Haley, director of product management for Symantec security response, said there are two cybersecurity issues he thinks will have the greatest impact on agencies in the coming year. 

“First, agencies must protect their records from targeted attacks, both from insiders and hackers outside the agency. Second, agencies must protect critical files and data from crypto-ransomware attacks, which according to Symantec’s 2016 Internet Security Threat Report, grew by 35 percent in 2015, and are now more focused on enterprises rather than individuals.”

In order to combat these threats, Haley said agencies are going to have to step up to implement best practices to keep their data safe.  

“It is also important that they understand where their critical data is, and back it up,” he said. “Finally, if an agency has never tested its backup strategy and processes, now is the time to do it, before an attack takes place.”

Finch made a good point when he said that security and, in particular, breaches need to be treated more like a public health outbreak than a blame game.

“Currently whenever a large breach occurs, it’s often a game of victimizing the victim and firing people instead of going after the bad guys who broke the law and stole data,” he said. “This does not foster a collaborative approach between all organizations in going after the law breakers. Instead, attacks should be treated more like an outbreak in health, where people are free to share information without fear of retribution to ensure an informed, collaborative approach to ending the problem. This must change before any organization can hope to overcome this threat permanently.”